WebSocket与Webpack逆向分析实战教程<\/h1>

1. 前言与目标<\/h2>

本教程将详细分析某赚网的WebSocket协议与Webpack打包技术的逆向过程，帮助读者掌握以下技能：<\/p>

WebSocket协议的分析方法<\/li>
Webpack打包模块的逆向技巧<\/li>
加密参数的定位与还原<\/li>

Python实现WebSocket通信<\/li> <\/ul>

逆向目标<\/strong>：某赚网的WebSocket实时订单数据接口（已脱敏处理）<\/p>

2. WebSocket协议基础<\/h2>
2.1 WebSocket与HTTP对比<\/h3>

特性<\/th> HTTP<\/th> WebSocket<\/th> <\/tr> <\/thead>

协议类型<\/td> 无状态请求-响应协议<\/td> 全双工通信协议<\/td> <\/tr>
通信方式<\/td> 单向通信<\/td> 双向通信<\/td> <\/tr>
连接持久性<\/td> 短连接（可Keep-Alive）<\/td> 长连接<\/td> <\/tr>
连接建立<\/td> 每次请求新建连接<\/td> 通过HTTP升级建立后保持<\/td> <\/tr>
适用场景<\/td> 传统网页请求<\/td> 实时数据推送<\/td> <\/tr> <\/tbody> <\/table>
2.2 WebSocket握手过程<\/h3>
客户端请求头关键字段<\/strong>：<\/p>
Upgrade: websocket Sec-WebSocket-Key: [Base64编码的16字节随机字符串] <\/code><\/pre> 服务器响应关键字段<\/strong>：<\/p> HTTP\/1.1 101 Switching Protocols Connection: Upgrade Upgrade: websocket Sec-WebSocket-Accept: [计算后的密钥] <\/code><\/pre> Sec-WebSocket-Accept计算方式：<\/p> 将客户端提供的Sec-WebSocket-Key与固定字符串"258EAFA5-E914-47DA-95CA-C5AB0DC85B11"拼接<\/li> 取SHA-1哈希值<\/li> 进行Base64编码<\/li> <\/ol> 3. 逆向分析过程<\/h2> 3.1 抓包分析<\/h3> 进入订单列表页，发现数据不断刷新<\/li> 识别出两个关键接口： \/GetPendingOrderStatus<\/code>：HTTP接口，不断下发密文数据（非目标）<\/li> \/api\/market<\/code>：WebSocket接口，实时传输订单数据<\/li> <\/ul> <\/li> <\/ol> 3.2 WebSocket流程分析<\/h3> 连接初始化<\/strong>：通过initWebSocket<\/code>函数建立连接<\/li> 连接建立<\/strong>：websocketonopen<\/code>事件触发<\/li> 关键加密点<\/strong>：连接建立时发送y.a.encryptDes(r()(t))<\/code>加密数据<\/li> <\/ol> 3.3 Webpack模块分析<\/h3> 目标网站使用Webpack打包，关键模块为u46b<\/code>（实际模块名可能有空格等特殊字符）<\/p> Webpack分发器分析<\/strong>：<\/p> window.webpackJsonp<\/span> =<\/span> function<\/span>(c<\/span>, b<\/span>, n<\/span>) { <\/span><\/span> \/\/ 模块加载逻辑 <\/span><\/span><\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>模块提取技巧<\/strong>：<\/p> 在分发器处断点调试<\/li> 修改分发器代码自动导出所有模块：<\/li> <\/ol> window.code<\/span> =<\/span> ''<\/span>; <\/span><\/span>a<\/span>=<\/span>function<\/span> (c<\/span>) { <\/span><\/span> if<\/span> (f<\/span>[c<\/span>]) return<\/span> f<\/span>[c<\/span>].exports<\/span>; <\/span><\/span> var<\/span> d<\/span> =<\/span> f<\/span>[c<\/span>] =<\/span> { i<\/span>:<\/span> c<\/span>, l<\/span>:<\/span> !<\/span>1<\/span>, exports<\/span>:<\/span> {} }; <\/span><\/span> console<\/span>.log<\/span>(c<\/span>) <\/span><\/span> window.code<\/span> +=<\/span> c<\/span> +<\/span> ':'<\/span> +<\/span> e<\/span>[c<\/span>] +<\/span> ',\r\n'<\/span> <\/span><\/span> return<\/span> e<\/span>[c<\/span>].call<\/span>(d<\/span>.exports<\/span>, d<\/span>, d<\/span>.exports<\/span>, a<\/span>), d<\/span>.l<\/span> =<\/span> !<\/span>0<\/span>, d<\/span>.exports<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>注意事项<\/strong>：<\/p> 模块名可能存在不规范命名（如包含空格）<\/li> 直接引用可能导致语法错误，需要适当处理<\/li> <\/ul> 3.4 加密参数分析<\/h3> 加密函数定位：y.a.encryptDes<\/code><\/li> 加密方式：DES加密<\/li> 参数构造：r()(t)<\/code>生成待加密数据<\/li> <\/ol> 4. Python实现WebSocket通信<\/h2> 4.1 基础WebSocket连接<\/h3> import<\/span> websocket <\/span><\/span> <\/span><\/span># 创建连接<\/span> <\/span><\/span>ws =<\/span> websocket.<\/span>WebSocket() <\/span><\/span>ws.<\/span>connect("wss:\/\/example.com"<\/span>) <\/span><\/span> <\/span><\/span># 发送数据<\/span> <\/span><\/span>ws.<\/span>send("加密数据"<\/span>) <\/span><\/span> <\/span><\/span># 接收数据<\/span> <\/span><\/span>while<\/span> True<\/span>: <\/span><\/span> response =<\/span> ws.<\/span>recv() <\/span><\/span> if<\/span> response: <\/span><\/span> print(response) <\/span><\/span> else<\/span>: <\/span><\/span> break<\/span> <\/span><\/span><\/code><\/pre>4.2 完整实现方案<\/h3> import<\/span> execjs <\/span><\/span>import<\/span> asyncio <\/span><\/span>import<\/span> websockets <\/span><\/span>from<\/span> loguru import<\/span> logger <\/span><\/span> <\/span><\/span># 加载JS加密代码<\/span> <\/span><\/span>with<\/span> open('pack.js'<\/span>, 'rb'<\/span>) as<\/span> f: <\/span><\/span> js =<\/span> f.<\/span>read().<\/span>decode() <\/span><\/span>ctx =<\/span> execjs.<\/span>compile(js) <\/span><\/span> <\/span><\/span>def<\/span> des_decrypt<\/span>(word): <\/span><\/span> """DES解密函数"""<\/span> <\/span><\/span> return<\/span> ctx.<\/span>call('des_decrypt'<\/span>, word) <\/span><\/span> <\/span><\/span>def<\/span> des_encrypt<\/span>(word): <\/span><\/span> """DES加密函数"""<\/span> <\/span><\/span> return<\/span> ctx.<\/span>call('des_encrypt'<\/span>, word) <\/span><\/span> <\/span><\/span>async<\/span> def<\/span> main<\/span>(): <\/span><\/span> url =<\/span> "ws:\/\/脱敏处理"<\/span> <\/span><\/span> headers =<\/span> {} # 可添加必要的请求头<\/span> <\/span><\/span> <\/span><\/span> async<\/span> with<\/span> websockets.<\/span>connect(url, extra_headers=<\/span>headers.<\/span>items()) as<\/span> websocket: <\/span><\/span> # 构造并发送加密消息<\/span> <\/span><\/span> encrypt_msg =<\/span> des_encrypt("待加密数据"<\/span>) <\/span><\/span> await<\/span> websocket.<\/span>send(encrypt_msg) <\/span><\/span> <\/span><\/span> # 持续接收数据<\/span> <\/span><\/span> while<\/span> True<\/span>: <\/span><\/span> response =<\/span> await<\/span> websocket.<\/span>recv() <\/span><\/span> logger.<\/span>success(f<\/span>"密文:<\/span>{<\/span>response}<\/span>,明文:<\/span>{<\/span>des_decrypt(response)}<\/span>"<\/span>) <\/span><\/span> <\/span><\/span>asyncio.<\/span>get_event_loop().<\/span>run_until_complete(main()) <\/span><\/span><\/code><\/pre>4.3 关键验证点<\/h3> 加密验证<\/strong>：错误的send参数会导致：<\/p> 服务器响应间隔变长<\/li> 返回数据内容固定不变<\/li> 无法获取实时订单列表<\/li> <\/ul> <\/li> 正确响应特征<\/strong>：<\/p> 数据推送频率正常<\/li> 返回的订单数据实时更新<\/li> <\/ul> <\/li> <\/ol> 5. 总结与技巧<\/h2> 5.1 WebSocket逆向要点<\/h3> 通过Chrome开发者工具的WS标签过滤WebSocket流量<\/li> 关注initWebSocket<\/code>和websocketonopen<\/code>等关键函数<\/li> 分析连接建立时发送的初始数据<\/li> <\/ol> 5.2 Webpack逆向技巧<\/h3> 模块定位<\/strong>：<\/p> 在分发器处断点调试<\/li> 通过控制台输出特定模块内容：e["u46b "]<\/code><\/li> <\/ul> <\/li> 模块导出<\/strong>：<\/p> 修改分发器自动导出所有模块<\/li> 处理特殊命名的模块<\/li> <\/ul> <\/li> 加密分析<\/strong>：<\/p> 关注encryptDes<\/code>等加密函数调用<\/li> 确保所有依赖模块完整导出<\/li> <\/ul> <\/li> <\/ol> 5.3 调试技巧<\/h3> 使用console.log<\/code>输出关键变量<\/li> 通过window.xxx = yyy<\/code>将内部函数暴露到全局<\/li> 分步验证加密函数的正确性<\/li> <\/ol> 通过本教程，读者可以掌握WebSocket协议与Webpack打包技术的逆向分析方法，并能够独立完成类似网站的逆向工程。<\/p>

特性<\/th>	HTTP<\/th>	WebSocket<\/th> <\/tr> <\/thead>
协议类型<\/td>	无状态请求-响应协议<\/td>	全双工通信协议<\/td> <\/tr>
通信方式<\/td>	单向通信<\/td>	双向通信<\/td> <\/tr>
连接持久性<\/td>	短连接（可Keep-Alive）<\/td>	长连接<\/td> <\/tr>
连接建立<\/td>	每次请求新建连接<\/td>	通过HTTP升级建立后保持<\/td> <\/tr>
适用场景<\/td>	传统网页请求<\/td>	实时数据推送<\/td> <\/tr> <\/tbody> <\/table> 2.2 WebSocket握手过程<\/h3> 客户端请求头关键字段<\/strong>：<\/p> Upgrade: websocket Sec-WebSocket-Key: [Base64编码的16字节随机字符串] <\/code><\/pre> 服务器响应关键字段<\/strong>：<\/p> HTTP\/1.1 101 Switching Protocols Connection: Upgrade Upgrade: websocket Sec-WebSocket-Accept: [计算后的密钥] <\/code><\/pre> Sec-WebSocket-Accept计算方式：<\/p> 将客户端提供的Sec-WebSocket-Key与固定字符串"258EAFA5-E914-47DA-95CA-C5AB0DC85B11"拼接<\/li> 取SHA-1哈希值<\/li> 进行Base64编码<\/li> <\/ol> 3. 逆向分析过程<\/h2> 3.1 抓包分析<\/h3> 进入订单列表页，发现数据不断刷新<\/li> 识别出两个关键接口： \/GetPendingOrderStatus<\/code>：HTTP接口，不断下发密文数据（非目标）<\/li> \/api\/market<\/code>：WebSocket接口，实时传输订单数据<\/li> <\/ul> <\/li> <\/ol> 3.2 WebSocket流程分析<\/h3> 连接初始化<\/strong>：通过initWebSocket<\/code>函数建立连接<\/li> 连接建立<\/strong>：websocketonopen<\/code>事件触发<\/li> 关键加密点<\/strong>：连接建立时发送y.a.encryptDes(r()(t))<\/code>加密数据<\/li> <\/ol> 3.3 Webpack模块分析<\/h3> 目标网站使用Webpack打包，关键模块为u46b<\/code>（实际模块名可能有空格等特殊字符）<\/p> Webpack分发器分析<\/strong>：<\/p> window.webpackJsonp<\/span> =<\/span> function<\/span>(c<\/span>, b<\/span>, n<\/span>) { <\/span><\/span> \/\/ 模块加载逻辑 <\/span><\/span><\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>模块提取技巧<\/strong>：<\/p> 在分发器处断点调试<\/li> 修改分发器代码自动导出所有模块：<\/li> <\/ol> window.code<\/span> =<\/span> ''<\/span>; <\/span><\/span>a<\/span>=<\/span>function<\/span> (c<\/span>) { <\/span><\/span> if<\/span> (f<\/span>[c<\/span>]) return<\/span> f<\/span>[c<\/span>].exports<\/span>; <\/span><\/span> var<\/span> d<\/span> =<\/span> f<\/span>[c<\/span>] =<\/span> { i<\/span>:<\/span> c<\/span>, l<\/span>:<\/span> !<\/span>1<\/span>, exports<\/span>:<\/span> {} }; <\/span><\/span> console<\/span>.log<\/span>(c<\/span>) <\/span><\/span> window.code<\/span> +=<\/span> c<\/span> +<\/span> ':'<\/span> +<\/span> e<\/span>[c<\/span>] +<\/span> ',\r\n'<\/span> <\/span><\/span> return<\/span> e<\/span>[c<\/span>].call<\/span>(d<\/span>.exports<\/span>, d<\/span>, d<\/span>.exports<\/span>, a<\/span>), d<\/span>.l<\/span> =<\/span> !<\/span>0<\/span>, d<\/span>.exports<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>注意事项<\/strong>：<\/p> 模块名可能存在不规范命名（如包含空格）<\/li> 直接引用可能导致语法错误，需要适当处理<\/li> <\/ul> 3.4 加密参数分析<\/h3> 加密函数定位：y.a.encryptDes<\/code><\/li> 加密方式：DES加密<\/li> 参数构造：r()(t)<\/code>生成待加密数据<\/li> <\/ol> 4. Python实现WebSocket通信<\/h2> 4.1 基础WebSocket连接<\/h3> import<\/span> websocket <\/span><\/span> <\/span><\/span># 创建连接<\/span> <\/span><\/span>ws =<\/span> websocket.<\/span>WebSocket() <\/span><\/span>ws.<\/span>connect("wss:\/\/example.com"<\/span>) <\/span><\/span> <\/span><\/span># 发送数据<\/span> <\/span><\/span>ws.<\/span>send("加密数据"<\/span>) <\/span><\/span> <\/span><\/span># 接收数据<\/span> <\/span><\/span>while<\/span> True<\/span>: <\/span><\/span> response =<\/span> ws.<\/span>recv() <\/span><\/span> if<\/span> response: <\/span><\/span> print(response) <\/span><\/span> else<\/span>: <\/span><\/span> break<\/span> <\/span><\/span><\/code><\/pre>4.2 完整实现方案<\/h3> import<\/span> execjs <\/span><\/span>import<\/span> asyncio <\/span><\/span>import<\/span> websockets <\/span><\/span>from<\/span> loguru import<\/span> logger <\/span><\/span> <\/span><\/span># 加载JS加密代码<\/span> <\/span><\/span>with<\/span> open('pack.js'<\/span>, 'rb'<\/span>) as<\/span> f: <\/span><\/span> js =<\/span> f.<\/span>read().<\/span>decode() <\/span><\/span>ctx =<\/span> execjs.<\/span>compile(js) <\/span><\/span> <\/span><\/span>def<\/span> des_decrypt<\/span>(word): <\/span><\/span> """DES解密函数"""<\/span> <\/span><\/span> return<\/span> ctx.<\/span>call('des_decrypt'<\/span>, word) <\/span><\/span> <\/span><\/span>def<\/span> des_encrypt<\/span>(word): <\/span><\/span> """DES加密函数"""<\/span> <\/span><\/span> return<\/span> ctx.<\/span>call('des_encrypt'<\/span>, word) <\/span><\/span> <\/span><\/span>async<\/span> def<\/span> main<\/span>(): <\/span><\/span> url =<\/span> "ws:\/\/脱敏处理"<\/span> <\/span><\/span> headers =<\/span> {} # 可添加必要的请求头<\/span> <\/span><\/span> <\/span><\/span> async<\/span> with<\/span> websockets.<\/span>connect(url, extra_headers=<\/span>headers.<\/span>items()) as<\/span> websocket: <\/span><\/span> # 构造并发送加密消息<\/span> <\/span><\/span> encrypt_msg =<\/span> des_encrypt("待加密数据"<\/span>) <\/span><\/span> await<\/span> websocket.<\/span>send(encrypt_msg) <\/span><\/span> <\/span><\/span> # 持续接收数据<\/span> <\/span><\/span> while<\/span> True<\/span>: <\/span><\/span> response =<\/span> await<\/span> websocket.<\/span>recv() <\/span><\/span> logger.<\/span>success(f<\/span>"密文:<\/span>{<\/span>response}<\/span>,明文:<\/span>{<\/span>des_decrypt(response)}<\/span>"<\/span>) <\/span><\/span> <\/span><\/span>asyncio.<\/span>get_event_loop().<\/span>run_until_complete(main()) <\/span><\/span><\/code><\/pre>4.3 关键验证点<\/h3> 加密验证<\/strong>：错误的send参数会导致：<\/p> 服务器响应间隔变长<\/li> 返回数据内容固定不变<\/li> 无法获取实时订单列表<\/li> <\/ul> <\/li> 正确响应特征<\/strong>：<\/p> 数据推送频率正常<\/li> 返回的订单数据实时更新<\/li> <\/ul> <\/li> <\/ol> 5. 总结与技巧<\/h2> 5.1 WebSocket逆向要点<\/h3> 通过Chrome开发者工具的WS标签过滤WebSocket流量<\/li> 关注initWebSocket<\/code>和websocketonopen<\/code>等关键函数<\/li> 分析连接建立时发送的初始数据<\/li> <\/ol> 5.2 Webpack逆向技巧<\/h3> 模块定位<\/strong>：<\/p> 在分发器处断点调试<\/li> 通过控制台输出特定模块内容：e["u46b "]<\/code><\/li> <\/ul> <\/li> 模块导出<\/strong>：<\/p> 修改分发器自动导出所有模块<\/li> 处理特殊命名的模块<\/li> <\/ul> <\/li> 加密分析<\/strong>：<\/p> 关注encryptDes<\/code>等加密函数调用<\/li> 确保所有依赖模块完整导出<\/li> <\/ul> <\/li> <\/ol> 5.3 调试技巧<\/h3> 使用console.log<\/code>输出关键变量<\/li> 通过window.xxx = yyy<\/code>将内部函数暴露到全局<\/li> 分步验证加密函数的正确性<\/li> <\/ol> 通过本教程，读者可以掌握WebSocket协议与Webpack打包技术的逆向分析方法，并能够独立完成类似网站的逆向工程。<\/p>