实战登陆口Js逆向分析教学文档<\/h1>

0x00 前言<\/h2>

本文详细讲解如何对登陆接口进行Js逆向分析，涉及AES+SM3加密算法的逆向过程。通过本教程，您将学习到：<\/p>

如何定位前端加密逻辑<\/li>
如何设置断点进行调试<\/li>
如何分析加密函数调用链<\/li>

如何逆向AES和SM3算法实现<\/li> <\/ol>

0x01 踩点阶段<\/h2>

1. 基础登陆页面分析<\/h3>

首先访问目标网站，观察以下特征：<\/p>

所有未授权访问都会被重定向到\/login界面<\/li>

检查页面源代码中的JavaScript文件<\/li> <\/ul>

2. JS文件分析技巧<\/h3>

在JS文件中寻找以下关键信息：<\/p>

硬编码的用户名或密码<\/li>
加密函数定义（AES、SM3、RSA等）<\/li>
接口调用逻辑<\/li>

参数生成方式<\/li> <\/ul>

发现<\/strong>：在JS文件中找到了用户名列表，这可以作为爆破的起点<\/p>

3. 抓包分析<\/h3>
使用Burp Suite或浏览器开发者工具抓取登录请求，观察：<\/p>

请求参数是否加密<\/li>
是否有签名参数（如sign）<\/li>
请求头特殊字段<\/li> <\/ul>
示例请求特征<\/strong>：<\/p>
POST \/login { "postdata": "加密数据", "sign": "xxxxxx", "ywid": "api.base.check.xxxxxx" } <\/code><\/pre> 0x02 断点设置技巧<\/h2> 1. XHR请求断点<\/h3> 适用场景<\/strong>：当参数被混淆或难以直接定位时<\/p> 设置方法<\/strong>：<\/p> 在Chrome开发者工具中打开Sources面板<\/li> 在右侧XHR Breakpoints中添加断点条件<\/li> 例如对接口路径包含"ApiServlet"的请求设置断点<\/li> <\/ol> 优点<\/strong>：不需要预先知道加密参数缺点<\/strong>：需要跟踪调用堆栈<\/p> 2. 关键词断点<\/h3> 常用关键词<\/strong>：<\/p> AES\/Des\/RSA\/SM3<\/li> encrypt\/decrypt<\/li> sign\/signature<\/li> 接口唯一标识（如ywid参数值）<\/li> <\/ul> 设置方法<\/strong>：<\/p> 在Sources面板中全局搜索关键词<\/li> 找到相关函数后直接设置断点<\/li> <\/ol> 0x03 加密逻辑分析<\/h2> 1. 定位加密函数<\/h3> 通过断点调试发现：<\/p> 用户名和密码都经过函数o<\/code>处理<\/li> 数据以JSON格式传输<\/li> postdata中包含加密后的用户名和密码<\/li> <\/ul> 2. 函数调用链分析<\/h3> 步骤<\/strong>：<\/p> 进入函数o<\/code>的断点<\/li> 使用Step Into逐步跟踪<\/li> 观察参数变化和返回值<\/li> 记录加密过程中的关键操作<\/li> <\/ol> 发现<\/strong>：<\/p> 用户名sjry<\/code>和密码gt3mm<\/code>都经过多层加密<\/li> 最终组合成postdata发送<\/li> <\/ul> 0x04 AES+SM3算法逆向<\/h2> 1. AES加密分析<\/h3> 定位方法<\/strong>：<\/p> 搜索"CryptoJS.AES"<\/li> 查找encrypt\/decrypt调用<\/li> 跟踪密钥生成逻辑<\/li> <\/ul> 关键参数<\/strong>：<\/p> 密钥（可能硬编码或动态生成）<\/li> 加密模式（CBC\/ECB等）<\/li> 填充方式（PKCS7等）<\/li> IV向量（如果有）<\/li> <\/ul> 2. SM3哈希算法分析<\/h3> 特征<\/strong>：<\/p> 国密算法<\/li> 输出长度为256位<\/li> 常用于生成签名<\/li> <\/ul> 定位方法<\/strong>：<\/p> 搜索"SM3"或"国密"<\/li> 查找摘要生成逻辑<\/li> 通常用于sign参数生成<\/li> <\/ul> 3. 加密流程还原<\/h3> 通过分析得出典型加密流程：<\/p> 用户名\/密码分别AES加密<\/li> 组合加密结果生成中间字符串<\/li> 使用SM3生成签名<\/li> 构造最终POST数据<\/li> <\/ol> 0x05 实战复现<\/h2> 1. 提取加密函数<\/h3> 从JS中找到核心加密函数，例如：<\/p> function<\/span> o<\/span>(data<\/span>) { <\/span><\/span> var<\/span> key<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>("硬编码密钥"<\/span>); <\/span><\/span> var<\/span> iv<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>("硬编码IV"<\/span>); <\/span><\/span> var<\/span> encrypted<\/span> =<\/span> CryptoJS<\/span>.AES<\/span>.encrypt<\/span>(data<\/span>, key<\/span>, { <\/span><\/span> iv<\/span>:<\/span> iv<\/span>, <\/span><\/span> mode<\/span>:<\/span> CryptoJS<\/span>.mode<\/span>.CBC<\/span>, <\/span><\/span> padding<\/span>:<\/span> CryptoJS<\/span>.pad<\/span>.Pkcs7<\/span> <\/span><\/span> }); <\/span><\/span> return<\/span> encrypted<\/span>.toString<\/span>(); <\/span><\/span>} <\/span><\/span><\/code><\/pre>2. 构造Python等价实现<\/h3> 使用pycryptodome实现相同逻辑：<\/p> from<\/span> Crypto.Cipher import<\/span> AES <\/span><\/span>from<\/span> Crypto.Util.Padding import<\/span> pad <\/span><\/span>import<\/span> binascii <\/span><\/span> <\/span><\/span>def<\/span> aes_encrypt<\/span>(data): <\/span><\/span> key =<\/span> b<\/span>'硬编码密钥'<\/span>.<\/span>ljust(16<\/span>, b<\/span>'<\/span>\0<\/span>'<\/span>)[:16<\/span>] # 确保16字节<\/span> <\/span><\/span> iv =<\/span> b<\/span>'硬编码IV'<\/span>.<\/span>ljust(16<\/span>, b<\/span>'<\/span>\0<\/span>'<\/span>)[:16<\/span>] <\/span><\/span> cipher =<\/span> AES.<\/span>new(key, AES.<\/span>MODE_CBC, iv) <\/span><\/span> padded_data =<\/span> pad(data.<\/span>encode(), AES.<\/span>block_size) <\/span><\/span> encrypted =<\/span> cipher.<\/span>encrypt(padded_data) <\/span><\/span> return<\/span> binascii.<\/span>hexlify(encrypted).<\/span>decode() <\/span><\/span><\/code><\/pre>3. SM3签名实现<\/h3> 使用gmssl库实现SM3：<\/p> from<\/span> gmssl import<\/span> sm3 <\/span><\/span> <\/span><\/span>def<\/span> sm3_hash<\/span>(data): <\/span><\/span> sm3_crypt =<\/span> sm3.<\/span>sm3() <\/span><\/span> sm3_crypt.<\/span>update(data.<\/span>encode()) <\/span><\/span> return<\/span> sm3_crypt.<\/span>hexdigest() <\/span><\/span><\/code><\/pre>0x06 自动化脚本<\/h2> 1. 完整登录流程实现<\/h3> import<\/span> requests <\/span><\/span>import<\/span> json <\/span><\/span> <\/span><\/span>def<\/span> login<\/span>(username, password): <\/span><\/span> # 1. AES加密用户名和密码<\/span> <\/span><\/span> enc_username =<\/span> aes_encrypt(username) <\/span><\/span> enc_password =<\/span> aes_encrypt(password) <\/span><\/span> <\/span><\/span> # 2. 构造请求数据<\/span> <\/span><\/span> postdata =<\/span> { <\/span><\/span> "user"<\/span>: enc_username, <\/span><\/span> "pass"<\/span>: enc_password <\/span><\/span> } <\/span><\/span> json_data =<\/span> json.<\/span>dumps(postdata) <\/span><\/span> <\/span><\/span> # 3. 生成SM3签名<\/span> <\/span><\/span> sign =<\/span> sm3_hash(json_data +<\/span> "固定盐值"<\/span>) <\/span><\/span> <\/span><\/span> # 4. 发送请求<\/span> <\/span><\/span> headers =<\/span> { <\/span><\/span> "Content-Type"<\/span>: "application\/json"<\/span>, <\/span><\/span> "X-Sign"<\/span>: sign <\/span><\/span> } <\/span><\/span> response =<\/span> requests.<\/span>post("https:\/\/target.com\/login"<\/span>, <\/span><\/span> data=<\/span>json_data, <\/span><\/span> headers=<\/span>headers) <\/span><\/span> return<\/span> response.<\/span>json() <\/span><\/span><\/code><\/pre>0x07 防御建议<\/h2> 为防止此类逆向分析，建议：<\/p> 避免在前端硬编码密钥<\/li> 使用动态密钥或密钥派生函数<\/li> 增加代码混淆<\/li> 使用WebAssembly实现核心加密<\/li> 添加时间戳和一次性随机数防御重放攻击<\/li> <\/ol> 0x08 总结<\/h2> 本教程详细讲解了：<\/p> 从JS文件中寻找加密线索的方法<\/li> 断点调试技巧<\/li> AES和SM3算法的逆向分析<\/li> Python实现等价加密逻辑<\/li> 完整自动化登录脚本编写<\/li> <\/ol> 通过系统性的分析，即使面对复杂的加密逻辑也能逐步破解，最终实现自动化登录。<\/p>