某润选房小程序逆向分析教学文档<\/h1>

1. 前言<\/h2>
本文详细讲解某润选房小程序的逆向分析过程，重点分析两个关键加密参数`ssdp<\/code>和saleSignature<\/code>的生成算法。通过本教程，你将学习到微信小程序逆向的基本流程、常见加密算法的识别与逆向方法。<\/p>`

2. 准备工作<\/h2>
2.1 微信开发者工具注入<\/h3>

下载微信开发者工具注入程序(WechatOpenDevTools.exe)<\/li>
确保微信版本为3.9.10.19_x64，小程序版本为8555<\/li>
删除微信缓存文件夹：

AppData\Roaming\Tencent\WeChat\XPlugin\Plugins<\/code><\/li>
AppData\Roaming\Tencent\WeChat\web\WeChatApp<\/code><\/li>
<\/ul>
<\/li>
执行注入命令：WechatOpenDevTools.exe -all<\/code><\/li>
<\/ol>
2.2 抓包分析<\/h3>

打开开发者工具(DevTools)<\/li>
观察网络请求，发现关键接口\/ssdp<\/code><\/li>
识别出两个加密参数：

URL中的ssed<\/code>参数<\/li>
请求头中的saleSignature<\/code>参数<\/li>
<\/ul>
<\/li>
<\/ol>
3. ssdp参数逆向分析<\/h2>
3.1 定位加密位置<\/h3>

全局搜索ssdp<\/code>，定位到d5c5.js<\/code>文件<\/li>
在相关位置下断点，观察参数生成过程<\/li>
<\/ol>
3.2 参数生成流程<\/h3>
var<\/span> u<\/span> =<\/span> this<\/span>,
<\/span><\/span>    _<\/span> =<\/span> Date.now<\/span>(),
<\/span><\/span>    S<\/span> =<\/span> this<\/span>,
<\/span><\/span>    D<\/span> =<\/span> this<\/span>.getTimeDate<\/span>(),
<\/span><\/span>    f<\/span> =<\/span> e<\/span> +<\/span> "&Api_Version=1.0&App_ID="<\/span>.concat<\/span>(this<\/span>.globalData<\/span>.appid<\/span>, "&App_Sub_ID="<\/span>).concat<\/span>(this<\/span>.globalData<\/span>.getSsdpApp_Sub_ID<\/span>, "&App_Token="<\/span>).concat<\/span>(this<\/span>.globalData<\/span>.App_Token_code<\/span>, "&App_Version=1.0&Divice_ID="<\/span>).concat<\/span>(wx<\/span>.getStorageSync<\/span>("user_flag"<\/span>), "&Divice_Version=wxapp&OS_Version=8.0.6&Partner_ID="<\/span>).concat<\/span>(this<\/span>.globalData<\/span>.getSsdpPartner_ID<\/span>);
<\/span><\/span>
<\/span><\/span>"post"<\/span> ==<\/span> n<\/span> &&<\/span> (f<\/span> +=<\/span> "&REQUEST_DATA="<\/span>.concat<\/span>(JSON<\/span>.stringify<\/span>(s<\/span>), "&Time_Stamp="<\/span>).concat<\/span>(D<\/span>, "&User_Token=&"<\/span>).concat<\/span>(this<\/span>.globalData<\/span>.getSsdpApp_key<\/span>)),
<\/span><\/span>"post"<\/span> !=<\/span> n<\/span> &&<\/span> (f<\/span> +=<\/span> "&Time_Stamp="<\/span>.concat<\/span>(D<\/span>, "&User_Token=&"<\/span>).concat<\/span>(this<\/span>.globalData<\/span>.getSsdpApp_key<\/span>));
<\/span><\/span>
<\/span><\/span>var<\/span> A<\/span> =<\/span> c<\/span>(f<\/span>).toUpperCase<\/span>(),
<\/span><\/span>    b<\/span> =<\/span> this<\/span>.base64_encode<\/span>(e<\/span> +<\/span> "&Api_Version=1.0&App_ID="<\/span>.concat<\/span>(this<\/span>.globalData<\/span>.appid<\/span>, "&App_Sub_ID="<\/span>).concat<\/span>(this<\/span>.globalData<\/span>.getSsdpApp_Sub_ID<\/span>, "&App_Token="<\/span>).concat<\/span>(this<\/span>.globalData<\/span>.App_Token_code<\/span>, "&App_Version=1.0&Divice_ID="<\/span>).concat<\/span>(wx<\/span>.getStorageSync<\/span>("user_flag"<\/span>), "&Divice_Version=wxapp&OS_Version=8.0.6&Partner_ID="<\/span>).concat<\/span>(this<\/span>.globalData<\/span>.getSsdpPartner_ID<\/span>, "&Time_Stamp="<\/span>).concat<\/span>(D<\/span>, "&User_Token=&Sign="<\/span>).concat<\/span>(A<\/span>))
<\/span><\/span><\/code><\/pre>3.3 复现代码<\/h3>
function<\/span> md5Encrypt<\/span>(data<\/span>) {
<\/span><\/span>    const<\/span> hash<\/span> =<\/span> crypto<\/span>.createHash<\/span>('md5'<\/span>);
<\/span><\/span>    hash<\/span>.update<\/span>(data<\/span>);
<\/span><\/span>    return<\/span> hash<\/span>.digest<\/span>('hex'<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> get_url<\/span>() {
<\/span><\/span>    Divice_ID<\/span> =<\/span> "设备号"<\/span> \/\/ 从抓包获取
<\/span><\/span><\/span><\/span>    e<\/span> =<\/span> "Api_ID=crland.isale.nsc.searchProjectList"<\/span>;
<\/span><\/span>    D<\/span> =<\/span> getTimeDate<\/span>();
<\/span><\/span>    f<\/span> =<\/span> e<\/span> +<\/span> "&Api_Version=1.0&App_ID="<\/span>.concat<\/span>("wx948ef9858f04f6e9"<\/span>, "&App_Sub_ID="<\/span>).concat<\/span>("0005000502QF"<\/span>, "&App_Token="<\/span>).concat<\/span>("2af3061a-fa3d-4ac2-8456-56546a8daaa9"<\/span>, "&App_Version=1.0&Divice_ID="<\/span>).concat<\/span>(Divice_ID<\/span>, "&Divice_Version=wxapp&OS_Version=8.0.6&Partner_ID="<\/span>).concat<\/span>("00050000"<\/span>);
<\/span><\/span>    var<\/span> A<\/span> =<\/span> md5Encrypt<\/span>(f<\/span>).toUpperCase<\/span>()
<\/span><\/span>    b<\/span> =<\/span> btoa<\/span>(e<\/span> +<\/span> "&Api_Version=1.0&App_ID="<\/span>.concat<\/span>("wx948ef9858f04f6e9"<\/span>, "&App_Sub_ID="<\/span>).concat<\/span>("0005000502QF"<\/span>, "&App_Token="<\/span>).concat<\/span>("2af3061a-fa3d-4ac2-8456-56546a8daaa9"<\/span>, "&App_Version=1.0&Divice_ID="<\/span>).concat<\/span>(Divice_ID<\/span>, "&Divice_Version=wxapp&OS_Version=8.0.6&Partner_ID="<\/span>).concat<\/span>("00050000"<\/span>, "&Time_Stamp="<\/span>).concat<\/span>(D<\/span>, "&User_Token=&Sign="<\/span>).concat<\/span>(A<\/span>))
<\/span><\/span>    return<\/span> b<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. saleSignature参数逆向分析<\/h2>
4.1 定位加密位置<\/h3>

全局搜索saleSignature<\/code>，定位到d5c5.js<\/code><\/li>
发现生成逻辑：var k = r.doEncrypt(T, p, 1)<\/code><\/li>
T<\/code>的生成：T = i(I.toUpperCase())<\/code>，其中i<\/code>是MD5函数<\/li>
<\/ol>
4.2 doEncrypt函数分析<\/h3>

doEncrypt<\/code>是一个导出函数，属于webpack打包模块<\/li>
定位到utils\/sm-crypto.js<\/code>模块<\/li>
该模块实现了类似RSA的非对称加密算法<\/li>
<\/ol>
4.3 扣取算法<\/h3>

将整个加密模块复制到单独文件<\/li>
修改为自执行函数<\/li>
将分发器导出到全局<\/li>
<\/ol>
\/\/ 导出加密模块到全局
<\/span><\/span><\/span><\/span>window.kk<\/span> =<\/span> function<\/span>(t<\/span>) {
<\/span><\/span>    return<\/span> e<\/span>[t<\/span>]
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>4.4 算法复现<\/h3>
\/\/ 公钥
<\/span><\/span><\/span><\/span>p<\/span> =<\/span> "04a337dc634bddbbfbcae9d30470663fb5e221feab40239f1675a0b2d9d42e46413a0adfa4868c963aebb39d7ec89073885eccd011e0f96d5fe434be98734d9993"<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 使用公钥生成临时密钥对
<\/span><\/span><\/span><\/span>window.kk<\/span>(3<\/span>).doPublicKey<\/span>(p<\/span>)
<\/span><\/span>
<\/span><\/span>\/\/ 加密
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>(window.kk<\/span>(3<\/span>).doEncrypt<\/span>("f5ef7eb5653944f8eef04891b195171b"<\/span>, p<\/span>, 1<\/span>))
<\/span><\/span><\/code><\/pre>4.5 调试技巧<\/h3>

与浏览器联调，比较中间变量<\/li>
重点关注o<\/code>和i<\/code>两个32位数组的生成<\/li>
发现需要在加密前先调用doPublicKey<\/code>初始化密钥对<\/li>
<\/ol>
5. 完整逆向流程总结<\/h2>

环境准备<\/strong>：注入开发者工具，配置正确微信版本<\/li>
抓包分析<\/strong>：识别关键接口和加密参数<\/li>
定位加密<\/strong>：全局搜索关键参数，下断点调试<\/li>
算法分析<\/strong>：

ssdp<\/code>：参数拼接+MD5+Base64<\/li>
saleSignature<\/code>：参数拼接+MD5+非对称加密<\/li>
<\/ul>
<\/li>
算法复现<\/strong>：

扣取关键JS代码<\/li>
补全依赖环境<\/li>
联调验证结果<\/li>
<\/ul>
<\/li>
结果验证<\/strong>：与浏览器生成结果比对，确保一致<\/li>
<\/ol>
6. 注意事项<\/h2>

本文仅供学习交流，严禁用于商业用途和非法用途<\/li>
实际逆向时参数可能有所不同，需要根据具体情况调整<\/li>
小程序更新可能导致逆向方法失效，需要持续跟进<\/li>
逆向过程中可能遇到反调试，需要相应应对策略<\/li>
<\/ol>
通过本教程，你应该已经掌握了微信小程序逆向的基本方法和思路，特别是对常见加密算法的识别和逆向技巧。在实际应用中，需要根据具体场景灵活运用这些技术。<\/p>

某润选房小程序逆向分析教学文档<\/h1>

1. 前言<\/h2> 本文详细讲解某润选房小程序的逆向分析过程，重点分析两个关键加密参数ssdp<\/code>和saleSignature<\/code>的生成算法。通过本教程，你将学习到微信小程序逆向的基本流程、常见加密算法的识别与逆向方法。<\/p>

3. ssdp参数逆向分析<\/h2>

4. saleSignature参数逆向分析<\/h2>

1. 前言<\/h2>
本文详细讲解某润选房小程序的逆向分析过程，重点分析两个关键加密参数`ssdp<\/code>和saleSignature<\/code>的生成算法。通过本教程，你将学习到微信小程序逆向的基本流程、常见加密算法的识别与逆向方法。<\/p>`