雪王 type__1286 参数逆向分析教学文档<\/h1>

一、前言<\/h2>
本文详细分析某雪冰城小程序和App中的`type_1286<\/code>加密参数生成过程。该参数是领取免单券接口的重要加密参数，随着平台安全升级而新增。<\/p>`

二、调试环境搭建<\/h2>
1. APP端调试WebView<\/h3>
所需工具<\/strong>：<\/p>

XP模块或LSPosed框架<\/li>
WebView调试模块<\/li>
<\/ul>
步骤<\/strong>：<\/p>

在模拟器中安装Magisk和LSPosed<\/li>
导入WebView模块并选择目标APP<\/li>
重启模拟器<\/li>
在Chrome浏览器访问chrome:\/\/inspect\/#devices<\/code><\/li>
若设备未显示，多次执行adb devices<\/code>直到设备出现<\/li>
点击"inspect"进入调试界面<\/li>
<\/ol>
2. 小程序端调试WebView<\/h3>
步骤<\/strong>：<\/p>

USB连接手机并开启调试模式<\/li>
微信访问http:\/\/debugxweb.qq.com\/?inspector=true<\/code>验证可用性<\/li>
在微信中打开目标小程序页面<\/li>
Chrome访问chrome:\/\/inspect\/#devices<\/code>（需翻墙）<\/li>
等待页面加载后点击"inspect"<\/li>
<\/ol>
三、抓包分析<\/h2>
进入免单界面点击领取，观察开发者工具中的网络请求，主要加密参数：<\/p>

URL中的type_1286<\/code><\/li>
提交内容中的sign<\/code><\/li>
<\/ul>
四、逆向分析type_1286参数<\/h2>
1. 参数定位<\/h3>
在点击确认时观察调用堆栈，发现关键代码：<\/p>
var<\/span> UL<\/span> =<\/span> UE<\/span>['Fu'<\/span>](this<\/span>[oA<\/span>(P7<\/span>.a<\/span>)][-<\/span>0x190d<\/span> +<\/span> -<\/span>0x20e9<\/span> +<\/span> 0x39f7<\/span>])
<\/span><\/span>UL<\/span> =<\/span> F0<\/span>[oA<\/span>(P7<\/span>.A<\/span>)](UH<\/span>, UL<\/span>, UV<\/span>)
<\/span><\/span><\/code><\/pre>2. 加密流程分析<\/h3>
加密最终通过F6<\/code>函数生成：<\/p>
(g<\/span> +=<\/span> N<\/span>), 
<\/span><\/span>(N<\/span> =<\/span> F<\/span>[UJ<\/span>(mS<\/span>.F<\/span>)](F<\/span>[UJ<\/span>(mS<\/span>.Y<\/span>)](F<\/span>[UJ<\/span>(mS<\/span>.U<\/span>)](F<\/span>[UJ<\/span>(mS<\/span>.a<\/span>)](F<\/span>[UJ<\/span>(mS<\/span>.A<\/span>)](M<\/span>[UJ<\/span>(mS<\/span>.D<\/span>)](g<\/span>)0xfbf<\/span> +<\/span> 0x9<\/span> *<\/span> -<\/span>0x189<\/span> +<\/span> 0x16<\/span> *<\/span> 0x158<\/span>, m<\/span>['n'<\/span>new<\/span> Date()[UJ<\/span>(mS<\/span>.o<\/span>)1<\/span>'), 
<\/span><\/span><\/span>g = E['<\/span>FU<\/span>']['<\/span>ua<\/span>'](N, !(0xbb4 + 0x1a49 * -0x1 + 0xe95)), 
<\/span><\/span><\/span>N = {}), 
<\/span><\/span><\/span>(N[M['<\/span>F7<\/span>'](L[UJ(mS.i)])] = g, 
<\/span><\/span><\/span>L[UJ(mS.y)] = (-0x2ff + 0xbe5 + -0x8e6, H['<\/span>Fa<\/span>'])(L[UJ(mS.y)], N), 
<\/span><\/span><\/span>(0x3 * 0xe5 + -0x614 + 0x1 * 0x365, H['<\/span>FY<\/span>'<\/span>])(L<\/span>))
<\/span><\/span><\/code><\/pre>简化后流程：<\/p>

拼接参数：g = L["FW"] + L["hash"]<\/code><\/li>
生成中间值：N = (((((sig(g)0)new Date()["getTime"1')<\/code><\/li>
最终加密：E['FU']['ua'](N, !0)<\/code><\/li>
<\/ol>
3. 关键函数分析<\/h3>
(1) sig函数<\/h4>
function<\/span> sig<\/span>(L<\/span>) {
<\/span><\/span>    for<\/span> (var<\/span> N<\/span> =<\/span> 0<\/span>, g<\/span> =<\/span> encodeURIComponent(L<\/span>), B<\/span> =<\/span> 0<\/span>; B<\/span> <<\/span> g<\/span>["length"<\/span>]; B<\/span>++<\/span>)
<\/span><\/span>        N<\/span> =<\/span> ((((N<\/span> <<<\/span> 7<\/span>) -<\/span> N<\/span>) +<\/span> 398<\/span>) +<\/span> g<\/span>["charCodeAt"<\/span>](B<\/span>)), N<\/span> |=<\/span> 0<\/span>;
<\/span><\/span>    return<\/span> N<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>(2) ua函数<\/h4>
function<\/span> ua<\/span>(E<\/span>, H<\/span>) {
<\/span><\/span>    var<\/span> W<\/span> =<\/span> ["3"<\/span>, "4"<\/span>, "2"<\/span>, "1"<\/span>, "0"<\/span>], P<\/span> =<\/span> 0<\/span>;
<\/span><\/span>    while<\/span> (true<\/span>) {
<\/span><\/span>        switch<\/span> (W<\/span>[P<\/span>++<\/span>]) {
<\/span><\/span>            case<\/span> '0'<\/span>:<\/span>
<\/span><\/span>                switch<\/span> (M<\/span>["length"<\/span>] %<\/span> 4<\/span>) {
<\/span><\/span>                    default<\/span>:<\/span> case<\/span> 0<\/span>:<\/span> return<\/span> M<\/span>;
<\/span><\/span>                    case<\/span> 1<\/span>:<\/span> return<\/span> (M<\/span> +<\/span> '==='<\/span>);
<\/span><\/span>                    case<\/span> 2<\/span>:<\/span> return<\/span> (M<\/span> +<\/span> '=='<\/span>);
<\/span><\/span>                    case<\/span> 3<\/span>:<\/span> return<\/span> (M<\/span> +<\/span> '='<\/span>);
<\/span><\/span>                }
<\/span><\/span>            case<\/span> '1'<\/span>:<\/span>
<\/span><\/span>                if<\/span> (H<\/span>) return<\/span> M<\/span>;
<\/span><\/span>                continue<\/span>;
<\/span><\/span>            case<\/span> '2'<\/span>:<\/span>
<\/span><\/span>                var<\/span> M<\/span> =<\/span> uu<\/span>(E<\/span>, 6<\/span>, function<\/span>(L<\/span>) {
<\/span><\/span>                    return<\/span> V<\/span>["uGGDj"<\/span>].charAt<\/span>(L<\/span>);
<\/span><\/span>                });
<\/span><\/span>                continue<\/span>;
<\/span><\/span>            case<\/span> '3'<\/span>:<\/span>
<\/span><\/span>                var<\/span> K<\/span> =<\/span> {};
<\/span><\/span>                K<\/span>["uGGDj"<\/span>] =<\/span> "DGi0YA7BemWnQjCl4+bR3f8SKIF9tUz\/xhr2oEOgPpac=61ZqwTudLkM5vHyNXsVJ"<\/span>;
<\/span><\/span>                var<\/span> V<\/span> =<\/span> K<\/span>;
<\/span><\/span>                continue<\/span>;
<\/span><\/span>            case<\/span> '4'<\/span>:<\/span>
<\/span><\/span>                if<\/span> (null<\/span> ===<\/span> E<\/span>) return<\/span> ''<\/span>;
<\/span><\/span>                continue<\/span>;
<\/span><\/span>        }
<\/span><\/span>        break<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>(3) uu函数<\/h4>
\/\/ 复杂混淆代码，涉及base64编码转换
<\/span><\/span><\/span><\/code><\/pre>(4) 解密函数F3<\/h4>
F3<\/span> =<\/span> function<\/span>(a<\/span>, A<\/span>) {
<\/span><\/span>    a<\/span> =<\/span> a<\/span> -<\/span> (-<\/span>0x256c<\/span> +<\/span> -<\/span>0x23<\/span> *<\/span> -<\/span>0x67<\/span> +<\/span> -<\/span>0x17f3<\/span> *<\/span> -<\/span>0x1<\/span>);
<\/span><\/span>    var<\/span> r<\/span> =<\/span> U<\/span>[a<\/span>];
<\/span><\/span>    var<\/span> o<\/span> =<\/span> U<\/span>[0x1b<\/span> *<\/span> 0xd3<\/span> +<\/span> -<\/span>0x2<\/span> *<\/span> -<\/span>0x1189<\/span> +<\/span> 0xb77<\/span> *<\/span> -<\/span>0x5<\/span>],
<\/span><\/span>        n<\/span> =<\/span> a<\/span> +<\/span> o<\/span>,
<\/span><\/span>        i<\/span> =<\/span> F<\/span>[n<\/span>];
<\/span><\/span>    r<\/span> =<\/span> i<\/span>;
<\/span><\/span>    return<\/span> r<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>五、实现方案<\/h2>
1. 补环境方案<\/h3>
步骤<\/strong>：<\/p>

搭建代理环境捕获所有环境检测<\/li>
补全检测到的环境变量和方法<\/li>
导出F6函数并调用<\/li>
<\/ol>
关键点<\/strong>：<\/p>

需要补全约400行环境检测代码<\/li>
主要检测createElement<\/code>及相关属性<\/li>
最终导出加密函数并调用<\/li>
<\/ul>
2. 算法还原方案<\/h3>
方案一：<\/h4>

分析并还原sig函数<\/li>
分析并还原ua函数<\/li>
分析并还原uu函数<\/li>
完整扣取解密函数F3<\/li>
整合所有函数生成最终参数<\/li>
<\/ol>
方案二（针对解密函数不完整）：<\/h4>

收集所有解密失败的字符串<\/li>
创建映射表KKK<\/li>
使用Proxy拦截解密函数调用<\/li>
<\/ol>
const<\/span> kk_handler<\/span> =<\/span> {
<\/span><\/span>    apply<\/span>:<\/span> function<\/span>(target<\/span>, thisArg<\/span>, argumentsList<\/span>) {
<\/span><\/span>        let<\/span> result<\/span> =<\/span> target<\/span>(...argumentsList<\/span>);
<\/span><\/span>        if<\/span> (result<\/span> ===<\/span> undefined<\/span> &&<\/span> argumentsList<\/span> in<\/span> KKK<\/span>) {
<\/span><\/span>            return<\/span> KKK<\/span>[argumentsList<\/span>];
<\/span><\/span>        }
<\/span><\/span>        return<\/span> result<\/span>;
<\/span><\/span>    }
<\/span><\/span>};
<\/span><\/span>F3<\/span> =<\/span> new<\/span> Proxy(F3<\/span>, kk_handler<\/span>);
<\/span><\/span><\/code><\/pre>六、总结<\/h2>


type_1286<\/code>参数生成流程：<\/p>

拼接原始参数<\/li>
通过sig函数计算哈希<\/li>
结合时间戳生成中间值<\/li>
通过ua函数进行最终编码<\/li>
<\/ul>
<\/li>

逆向难点：<\/p>

重度OB混淆<\/li>
多层环境检测<\/li>
动态生成的解密函数<\/li>
<\/ul>
<\/li>

解决方案选择：<\/p>

补环境方案代码量大但直接<\/li>
算法还原方案更简洁但需要深入分析<\/li>
<\/ul>
<\/li>

完整实现约需8000行代码（补环境）或几百行（算法还原）<\/p>
<\/li>
<\/ol>
雪王 type__1286 参数逆向分析教学文档<\/h1>

一、前言<\/h2> 本文详细分析某雪冰城小程序和App中的type_1286<\/code>加密参数生成过程。该参数是领取免单券接口的重要加密参数，随着平台安全升级而新增。<\/p>

四、逆向分析type_1286参数<\/h2>

3. 关键函数分析<\/h3>

五、实现方案<\/h2>

2. 算法还原方案<\/h3>

一、前言<\/h2>
本文详细分析某雪冰城小程序和App中的`type_1286<\/code>加密参数生成过程。该参数是领取免单券接口的重要加密参数，随着平台安全升级而新增。<\/p>`
