17xx物流查询平台last-event-id参数逆向分析教学文档<\/h1>

一、逆向目标<\/h2>
目标：分析17xx物流查询平台的`last-event-id<\/code>参数生成机制<\/p>`
`网站：aHR0cHM6Ly93d3cuMTd0cmFjay5uZXQvemgtY24=<\/code> (已脱敏)<\/p>`

二、调试准备<\/h2>
1. 反调试处理<\/h3>
网站使用了debugger反调试技术，主要特征：<\/p>

使用了ob混淆的JavaScript代码<\/li>
包含检测代码格式化、debugger的函数<\/li>
<\/ul>
2. 反混淆工具<\/h3>
推荐使用以下工具进行反混淆：<\/p>

v_jstools<\/strong> - GitHub仓库: https:\/\/github.com\/cilame\/v_jstools<\/li>
AST Explorer<\/strong> - 在线分析工具: https:\/\/astexplorer.net<\/li>
<\/ol>
3. 代码替换工具<\/h3>
使用ReRes<\/strong>工具进行代码替换：<\/p>

GitHub地址: https:\/\/github.com\/annnhan\/ReRes<\/li>
配置规则替换混淆代码为反混淆后的代码<\/li>
<\/ul>
三、参数定位与分析<\/h2>
1. 参数位置<\/h3>
通过搜索last-event-id<\/code>可定位到参数生成代码位于反混淆后的文件中。<\/p>
2. 关键依赖<\/h3>

_0x308754 = YQ.configs.md5<\/code> 来自首页HTML中<\/li>
请求需要携带cookie值_yq_bid<\/code>，且必须与生成last-event-id<\/code>中的_yq_bid<\/code>一致<\/li>
<\/ul>
四、核心算法解析<\/h2>
1. 主要函数说明<\/h3>
a. _0x5879b4<\/code> - 哈希计算函数<\/h4>
function<\/span> _0x5879b4<\/span>(_0x56b807<\/span>, _0x3603af<\/span>) {
<\/span><\/span>  var<\/span> _0x2f5b4a<\/span> =<\/span> 1315423911<\/span> ^<\/span> _0x3603af<\/span> <<<\/span> 16<\/span>;
<\/span><\/span>  var<\/span> _0x4844e9<\/span>;
<\/span><\/span>  var<\/span> _0x4d42c4<\/span>;
<\/span><\/span>  for<\/span> (_0x4844e9<\/span> =<\/span> _0x56b807<\/span>.length<\/span> -<\/span> 1<\/span>; _0x4844e9<\/span> >=<\/span> 0<\/span>; _0x4844e9<\/span>--<\/span>) {
<\/span><\/span>      _0x4d42c4<\/span> =<\/span> _0x56b807<\/span>.charCodeAt<\/span>(_0x4844e9<\/span>);
<\/span><\/span>      _0x2f5b4a<\/span> ^=<\/span> (_0x2f5b4a<\/span> <<<\/span> 5<\/span>) +<\/span> _0x4d42c4<\/span> +<\/span> (_0x2f5b4a<\/span> >><\/span> 2<\/span>);
<\/span><\/span>  }
<\/span><\/span>  return<\/span> _0x4243f2<\/span>(4<\/span>), Math.abs<\/span>(_0x2f5b4a<\/span> &<\/span> 2147483647<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>b. _0x1d212e<\/code> - 另一种哈希算法<\/h4>
function<\/span> _0x1d212e<\/span>(_0x3ffdba<\/span>) {
<\/span><\/span>  if<\/span> (!<\/span>_0x3ffdba<\/span>)
<\/span><\/span>      return<\/span> 0<\/span>;
<\/span><\/span>  var<\/span> _0x9920fa<\/span> =<\/span> 5381<\/span>;
<\/span><\/span>  var<\/span> _0x55570f<\/span> =<\/span> _0x3ffdba<\/span>.length<\/span>;
<\/span><\/span>  while<\/span> (_0x55570f<\/span>) {
<\/span><\/span>      _0x9920fa<\/span> =<\/span> _0x9920fa<\/span> *<\/span> 33<\/span> ^<\/span> _0x3ffdba<\/span>.charCodeAt<\/span>(--<\/span>_0x55570f<\/span>);
<\/span><\/span>  }
<\/span><\/span>  return<\/span> _0x9920fa<\/span> >>><\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>c. _0x39b7cc<\/code> - 字符串反转<\/h4>
function<\/span> _0x39b7cc<\/span>(_0x18dcad<\/span>) {
<\/span><\/span>  return<\/span> _0x18dcad<\/span>.split<\/span>(""<\/span>).reverse<\/span>().join<\/span>(""<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>d. _0x402770<\/code> - 字符串转16进制<\/h4>
function<\/span> _0x402770<\/span>(_0x1e4f12<\/span>) {
<\/span><\/span>  var<\/span> _0x3bcbe3<\/span> =<\/span> ""<\/span>;
<\/span><\/span>  for<\/span> (var<\/span> _0x5f5a6c<\/span> =<\/span> 0<\/span>; _0x5f5a6c<\/span> <<\/span> _0x1e4f12<\/span>.length<\/span>; _0x5f5a6c<\/span>++<\/span>) {
<\/span><\/span>      if<\/span> (_0x3bcbe3<\/span> ==<\/span> ""<\/span>)
<\/span><\/span>          _0x3bcbe3<\/span> =<\/span> _0x1e4f12<\/span>.charCodeAt<\/span>(_0x5f5a6c<\/span>).toString<\/span>(16<\/span>);
<\/span><\/span>      else<\/span>
<\/span><\/span>          _0x3bcbe3<\/span> +=<\/span> _0x1e4f12<\/span>.charCodeAt<\/span>(_0x5f5a6c<\/span>).toString<\/span>(16<\/span>);
<\/span><\/span>  }
<\/span><\/span>  return<\/span> _0x3bcbe3<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>e. createGUID<\/code> - 生成唯一ID<\/h4>
function<\/span> createGUID<\/span>(e<\/span>, t<\/span>) {
<\/span><\/span>  var<\/span> o<\/span> =<\/span> (new<\/span> Date).getTime<\/span>();
<\/span><\/span>  return<\/span> (e<\/span> ||<\/span> "G-xxxxxxxxxxxxxxxx"<\/span>).replace<\/span>(t<\/span> ||<\/span> \/[xy]\/g<\/span>, function<\/span>(e<\/span>) {
<\/span><\/span>      var<\/span> t<\/span> =<\/span> (o<\/span> +<\/span> 16<\/span> *<\/span> Math.random<\/span>()) %<\/span> 16<\/span> |<\/span> 0<\/span>;
<\/span><\/span>      return<\/span> ("x"<\/span> ==<\/span> e<\/span> ?<\/span> t<\/span> :<\/span> 7<\/span> &<\/span> t<\/span> |<\/span> 8<\/span>).toString<\/span>(16<\/span>).toUpperCase<\/span>()
<\/span><\/span>  })
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. last-event-id<\/code>生成主函数<\/h3>
function<\/span> get_last_event_id<\/span>(_0x19d69d<\/span>, YQ_md5<\/span>){
<\/span><\/span>  _yq_bid<\/span> =<\/span> createGUID<\/span>();
<\/span><\/span>  _0x4566f3<\/span> =<\/span> undefined<\/span>;
<\/span><\/span>  _0x59789d<\/span>(_0x19d69d<\/span>, _0x19d69d<\/span>.length<\/span>, !!<\/span>[])
<\/span><\/span>  _0x6de72e<\/span> =<\/span> _0x187331<\/span>(43<\/span>)
<\/span><\/span>  
<\/span><\/span>  var<\/span> _0x5d4d80<\/span> =<\/span> "yq-"<\/span>;
<\/span><\/span>  _0x58ecad<\/span> =<\/span> _0x6de72e<\/span>;
<\/span><\/span>  
<\/span><\/span>  \/\/ 指纹信息
<\/span><\/span><\/span><\/span>  cancas_fp<\/span> =<\/span> '24\r\nzh-CN\r\n-480\r\n1067x1707\r\ndata:image\/png;base64,...'<\/span>;
<\/span><\/span>  
<\/span><\/span>  var<\/span> _0x2b62a6<\/span> =<\/span> _0x1d212e<\/span>(cancas_fp<\/span>);
<\/span><\/span>  var<\/span> _0x5d74a6<\/span> =<\/span> _0x1d212e<\/span>(_0x4566f3<\/span>);
<\/span><\/span>  
<\/span><\/span>  if<\/span> (_0x6de72e<\/span> ==<\/span> 0<\/span>)
<\/span><\/span>    _0x5d4d80<\/span> +=<\/span> "random"<\/span>;
<\/span><\/span>  else<\/span> {
<\/span><\/span>    _0x5d4d80<\/span> =<\/span> "dropdown-menu-footer yq-user-footer clearfix"<\/span>;
<\/span><\/span>  }
<\/span><\/span>  
<\/span><\/span>  _0x269b49<\/span> =<\/span> _yq_bid<\/span>;
<\/span><\/span>  _0x5d4d80<\/span> =<\/span> _0x269b49<\/span>;
<\/span><\/span>  
<\/span><\/span>  (_0x58ecad<\/span> =<\/span> _0x58ecad<\/span> *<\/span> 50<\/span>, _0x5d4d80<\/span> false<\/span> 0x2b62a6<\/span> 0x6de72e<\/span> 0x58ecad<\/span>);
<\/span><\/span>  
<\/span><\/span>  _0x5d4d80<\/span> =<\/span> Date.now<\/span>().toString<\/span>(16<\/span>) +<\/span> "\/11\/"<\/span> +<\/span> true<\/span> +<\/span> "\/"<\/span> +<\/span> 
<\/span><\/span>              new<\/span> Date().getTimezoneOffset<\/span>().toString<\/span>(0x2b62a6<\/span> +<\/span> "\/"<\/span> +<\/span> YQ_md5<\/span> +<\/span> 0x5d74a6<\/span>;
<\/span><\/span>  
<\/span><\/span>  _0x59789d<\/span>(_0x5d4d80<\/span>, _0x6de72e<\/span>);
<\/span><\/span>  _0x5d4d80<\/span> =<\/span> _0x402770<\/span>(_0x39b7cc<\/span>(_0x5d4d80<\/span>));
<\/span><\/span>  _0x199099<\/span>[0<\/span>] =<\/span> _0x5d4d80<\/span>;
<\/span><\/span>  
<\/span><\/span>  return<\/span> [_0x199099<\/span>.join<\/span>(""<\/span>), _yq_bid<\/span>];
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>五、关键点总结<\/h2>


指纹信息<\/strong>：使用了canvas指纹，包含：<\/p>

屏幕颜色深度<\/li>
语言设置<\/li>
时区偏移<\/li>
屏幕分辨率<\/li>
canvas图像数据<\/li>
<\/ul>
<\/li>

随机数生成<\/strong>：<\/p>

使用_0x187331(43)<\/code>生成随机数<\/li>
乘以50作为时间戳的一部分<\/li>
<\/ul>
<\/li>

GUID生成<\/strong>：<\/p>

使用createGUID<\/code>函数生成_yq_bid<\/code><\/li>
必须与请求cookie中的_yq_bid<\/code>一致<\/li>
<\/ul>
<\/li>

哈希计算<\/strong>：<\/p>

对指纹信息进行哈希计算(_0x1d212e<\/code>)<\/li>
对部分参数进行哈希计算(_0x5879b4<\/code>)<\/li>
<\/ul>
<\/li>

最终拼接<\/strong>：<\/p>

包含时间戳(16进制)<\/li>
固定值"11"<\/li>
布尔值true<\/li>
时区偏移<\/li>
MD5值<\/li>
反转字符串并转为16进制<\/li>
<\/ul>
<\/li>
<\/ol>
六、实现流程<\/h2>

生成_yq_bid<\/code> (GUID格式)<\/li>
获取canvas指纹信息<\/li>
对指纹信息进行哈希计算<\/li>
生成随机数并处理<\/li>
拼接时间戳、时区等参数<\/li>
对拼接结果进行反转和16进制转换<\/li>
将各部分结果组合成最终last-event-id<\/code><\/li>
<\/ol>
七、验证示例<\/h2>
console<\/span>.log<\/span>(get_last_event_id<\/span>(
<\/span><\/span>  '{"data":[{"num":"LZ025387152CN","fc":0,"sc":0}],"guid":"","timeZoneOffset":-480}'<\/span>, 
<\/span><\/span>  '22c342b'<\/span>
<\/span><\/span>));
<\/span><\/span><\/code><\/pre>输出格式为数组，包含：<\/p>

生成的last-event-id<\/code><\/li>
_yq_bid<\/code>值(需设置为cookie)<\/li>
<\/ol>
八、注意事项<\/h2>

cookie一致性<\/strong>：_yq_bid<\/code>必须与生成的last-event-id<\/code>中的一致<\/li>
指纹信息<\/strong>：canvas指纹需要模拟真实浏览器环境<\/li>
时间戳<\/strong>：使用当前时间，转换为16进制<\/li>
时区偏移<\/strong>：需要获取客户端的时区偏移量<\/li>
MD5值<\/strong>：来自YQ.configs.md5<\/code>，需从首页HTML中提取<\/li>
<\/ol>

17xx物流查询平台last-event-id参数逆向分析教学文档<\/h1>

一、逆向目标<\/h2> 目标：分析17xx物流查询平台的last-event-id<\/code>参数生成机制<\/p> 网站：aHR0cHM6Ly93d3cuMTd0cmFjay5uZXQvemgtY24=<\/code> (已脱敏)<\/p>

三、参数定位与分析<\/h2>

1. 参数位置<\/h3> 通过搜索last-event-id<\/code>可定位到参数生成代码位于反混淆后的文件中。<\/p>

四、核心算法解析<\/h2>

1. 主要函数说明<\/h3>

一、逆向目标<\/h2>
目标：分析17xx物流查询平台的`last-event-id<\/code>参数生成机制<\/p>`
`网站：aHR0cHM6Ly93d3cuMTd0cmFjay5uZXQvemgtY24=<\/code> (已脱敏)<\/p>`

1. 参数位置<\/h3>
通过搜索`last-event-id<\/code>可定位到参数生成代码位于反混淆后的文件中。<\/p>`