Flowww's blog
js逆向学习
Flow
  2025-10-14   2025-10-14  

看到一篇文章,介绍一个网站有关卡适合入门js逆向,一直想学的知识点,于是就跟着做了

第一关

简单来说就是遍历每一页数据,得到数据最后求和,用代码解决

这个最基础的,我的解法就是curl格式复制请求,然后有网站可以直接转成py代码,做简单修改就可以了

最后的代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import requests

cookies = {

}
all_num = []
for i in range(1,21):
    params = {
        'page': f'{i}',
    }
    response = requests.get('https://www.mashangpa.com/api/problem-detail/1/data/', params=params, cookies=cookies)
    data = response.json()
    if "current_array" in data:
        all_num.extend(data["current_array"])
    else:
        print("no data")
print(sum(all_num))

后面两三关都差不多,改一些header即可

第四关

来到第四关,开始需要结合js,可以看到发送请求除了page参数,还需要一个sign

思路是找哪里有sign出现

主要是这一句

1
window.token = window.md5("tuling" + timestamp + pageNumber)

要看md5()函数是哪一个,往上看到这个

在两个return都下断点,然后看具体调用了哪一个,主要是第二个return,用到了l和h函数,直接往上看,具体函数内容,都在js文件里面了

具体不去分析里面的内容,直接复制使用就行,所以sign是

1
const sign = window.md5("tuling" + timestamp + pageNumber)

还缺一个timestamp

1
const timestamp = new Date().getTime()

然后传参,再包装成一个函数

1
2
3
4
function getsign(pageNumber){
    const timestamp = new Date().getTime()
    const sign = window.md5("tuling" + timestamp + pageNumber)
}

可以在前台console测试看效果

1
2
3
4
5
6
function getsign(pageNumber){
    const timestamp = new Date().getTime()
    const sign = window.md5("tuling" + timestamp + pageNumber)
    return(sign)
}
console.log(getsign(1))

如果写到python调用js需要用到exectjs的包

1.js

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
window = this, function (n) {
    function r(n, r) {
        var t = (65535 & n) + (65535 & r);
        return (n >> 16) + (r >> 16) + (t >> 16) << 16 | 65535 & t
    }

    function t(n, t, o, u, e, c) {
        return r(function (n, r) {
            return n << e | n >>> 32 - e
        }(r(r(t, n), r(u, c))), o)
    }

    function o(n, r, o, u, e, c, f) {
        return t(r & o | ~r & u, n, r, e, c, f)
    }

    function u(n, r, o, u, e, c, f) {
        return t(r & u | o & ~u, n, r, e, c, f)
    }

    function e(n, r, o, u, e, c, f) {
        return t(r ^ o ^ u, n, r, e, c, f)
    }

    function c(n, r, o, u, e, c, f) {
        return t(o ^ (r | ~u), n, r, e, c, f)
    }

    function f(n, t) {
        var f, i, a, h, g;
        n[t >> 5] |= 128 << t % 32, n[14 + (t + 64 >>> 9 << 4)] = t;
        var l = 1732584193, d = -271733879, v = -1732584194, C = 271733878;
        for (f = 0; f < n.length; f += 16) d = c(d = c(d = c(d = c(d = e(d = e(d = e(d = e(d = u(d = u(d = u(d = u(d = o(d = o(d = o(d = o(a = d, v = o(h = v, C = o(g = C, l = o(i = l, d, v, C, n[f], 7, -680876936), d, v, n[f + 1], 12, -389564586), l, d, n[f + 2], 17, 606105819), C, l, n[f + 3], 22, -1044525330), v = o(v, C = o(C, l = o(l, d, v, C, n[f + 4], 7, -176418897), d, v, n[f + 5], 12, 1200080426), l, d, n[f + 6], 17, -1473231341), C, l, n[f + 7], 22, -45705983), v = o(v, C = o(C, l = o(l, d, v, C, n[f + 8], 7, 1770035416), d, v, n[f + 9], 12, -1958414417), l, d, n[f + 10], 17, -42063), C, l, n[f + 11], 22, -1990404162), v = o(v, C = o(C, l = o(l, d, v, C, n[f + 12], 7, 1804603682), d, v, n[f + 13], 12, -40341101), l, d, n[f + 14], 17, -1502002290), C, l, n[f + 15], 22, 1236535329), v = u(v, C = u(C, l = u(l, d, v, C, n[f + 1], 5, -165796510), d, v, n[f + 6], 9, -1069501632), l, d, n[f + 11], 14, 643717713), C, l, n[f], 20, -373897302), v = u(v, C = u(C, l = u(l, d, v, C, n[f + 5], 5, -701558691), d, v, n[f + 10], 9, 38016083), l, d, n[f + 15], 14, -660478335), C, l, n[f + 4], 20, -405537848), v = u(v, C = u(C, l = u(l, d, v, C, n[f + 9], 5, 568446438), d, v, n[f + 14], 9, -1019803690), l, d, n[f + 3], 14, -187363961), C, l, n[f + 8], 20, 1163531501), v = u(v, C = u(C, l = u(l, d, v, C, n[f + 13], 5, -1444681467), d, v, n[f + 2], 9, -51403784), l, d, n[f + 7], 14, 1735328473), C, l, n[f + 12], 20, -1926607734), v = e(v, C = e(C, l = e(l, d, v, C, n[f + 5], 4, -378558), d, v, n[f + 8], 11, -2022574463), l, d, n[f + 11], 16, 1839030562), C, l, n[f + 14], 23, -35309556), v = e(v, C = e(C, l = e(l, d, v, C, n[f + 1], 4, -1530992060), d, v, n[f + 4], 11, 1272893353), l, d, n[f + 7], 16, -155497632), C, l, n[f + 10], 23, -1094730640), v = e(v, C = e(C, l = e(l, d, v, C, n[f + 13], 4, 681279174), d, v, n[f], 11, -358537222), l, d, n[f + 3], 16, -722521979), C, l, n[f + 6], 23, 76029189), v = e(v, C = e(C, l = e(l, d, v, C, n[f + 9], 4, -640364487), d, v, n[f + 12], 11, -421815835), l, d, n[f + 15], 16, 530742520), C, l, n[f + 2], 23, -995338651), v = c(v, C = c(C, l = c(l, d, v, C, n[f], 6, -198630844), d, v, n[f + 7], 10, 1126891415), l, d, n[f + 14], 15, -1416354905), C, l, n[f + 5], 21, -57434055), v = c(v, C = c(C, l = c(l, d, v, C, n[f + 12], 6, 1700485571), d, v, n[f + 3], 10, -1894986606), l, d, n[f + 10], 15, -1051523), C, l, n[f + 1], 21, -2054922799), v = c(v, C = c(C, l = c(l, d, v, C, n[f + 8], 6, 1873313359), d, v, n[f + 15], 10, -30611744), l, d, n[f + 6], 15, -1560198380), C, l, n[f + 13], 21, 1309151649), v = c(v, C = c(C, l = c(l, d, v, C, n[f + 4], 6, -145523070), d, v, n[f + 11], 10, -1120210379), l, d, n[f + 2], 15, 718787259), C, l, n[f + 9], 21, -343485551), l = r(l, i), d = r(d, a), v = r(v, h), C = r(C, g);
        return [l, d, v, C]
    }

    function i(n) {
        var r, t = "", o = 32 * n.length;
        for (r = 0; r < o; r += 8) t += String.fromCharCode(n[r >> 5] >>> r % 32 & 255);
        return t
    }

    function a(n) {
        var r, t = [];
        for (t[(n.length >> 2) - 1] = void 0, r = 0; r < t.length; r += 1) t[r] = 0;
        var o = 8 * n.length;
        for (r = 0; r < o; r += 8) t[r >> 5] |= (255 & n.charCodeAt(r / 8)) << r % 32;
        return t
    }

    function h(n) {
        var r, t, o = "0123456789abcdef", u = "";
        for (t = 0; t < n.length; t += 1) r = n.charCodeAt(t), u += o.charAt(r >>> 4 & 15) + o.charAt(15 & r);
        return u
    }

    function g(n) {
        return unescape(encodeURIComponent(n))
    }

    function l(n) {
        return function (n) {
            return i(f(a(n), 8 * n.length))
        }(g(n))
    }

    function d(n, r) {
        return function (n, r) {
            var t, o, u = a(n), e = [], c = [];
            for (e[15] = c[15] = void 0, 16 < u.length && (u = f(u, 8 * n.length)), t = 0; t < 16; t += 1) e[t] = 909522486 ^ u[t], c[t] = 1549556828 ^ u[t];
            return o = f(e.concat(a(r)), 512 + 8 * r.length), i(f(c.concat(o), 640))
        }(g(n), g(r))
    }

    window.md5 = function (n, r, t) {
        return r ? t ? d(r, n) : function (n, r) {
            return h(d(n, r))
        }(r, n) : t ? l(n) : function (n) {
            return h(l(n))
        }(n)
    }
}();

function getsign(pageNumber)
{
    const timestamp = new Date().getTime()
    const sign = window.md5("tuling" + timestamp + pageNumber)
    return{
        "sign" : sign,
       "timestamp":timestamp
    }
}

最后的py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
import json
import execjs
import requests

cookies = {
    
}

headers = {
    
}
with open('/Users/lingtian/Downloads/js逆向/4.js',encoding='utf-8') as f:
    js_code = execjs.compile(f.read())
all_num = []
for i in range(1,21):
    result = js_code.call('getsign', i) # 在python里面调用js
    sign = result['sign']
    timestamp = result['timestamp']
    params = {
        'page': f'{i}',
        'sign': f'{sign}',
        '_ts': f'{timestamp}',
    }

    response = requests.get('https://www.mashangpa.com/api/problem-detail/4/data/', params=params, cookies=cookies,headers=headers)
    data = json.loads(response.text)
    if 'current_array' in data:
        num = data['current_array']
        all_num.extend((num))
    else:
        print("no data")
print(sum(all_num))

运行就能得到结果

第五关

这次的变成post里面的参数xl,继续尝试在js里面查找

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
function loadPage(pageNumber) {
    var csrfTokenInput = document.querySelector('input[name="csrfmiddlewaretoken"]');
    const timestamp = new Date().getTime();
    const params = {
        page: pageNumber,
        _ts: timestamp,
    };
    const jsonString = JSON.stringify(params);
    let encryptedQuery = encrypt(jsonString);
    fetch(`/api/problem-detail/${problemId}/data/`, {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json'
        },
        body: JSON.stringify({xl: encryptedQuery})
    })
        .then(response => response.json())
        .then(data => updatePageContent(data))
        .catch(error => console.error('Error fetching problem details:', error));
}

往上找到encrypt函数

整体看也是有很多复杂的函数,还带有混淆,解决思路直接复制代码就行

1
2
3
4
5
6
7
8
9
10
function getxl(pageNumber){
    const timestamp = new Date().getTime();
    const params = {
        page: pageNumber,
        _ts: timestamp,
    };
    const jsonString = JSON.stringify(params);
    let encryptedQuery = encrypt(jsonString);
    return encryptedQuery
}

然后encrypt相关代码直接复制就行,然后里面用到一个CryptoJS,需要保存crypto-js.js到本地,然后在js文件里面导入

1
const CryptoJS = require("/Users/lingtian/Downloads/js逆向/crypto-js");

最后成功运行,能够生成xl的值,第五关直接在第四关的基础上改一下就好了

1
2
3
4
5
6
7
8
9
10
11
12
13
for i in range(1,21):
    result = js_code.call('getxl', i) # 在python里面调用js
    params = {
        'xl':f'{result}'
    }
    response = requests.post('https://www.mashangpa.com/api/problem-detail/5/data/', json=params, cookies=cookies,headers=headers)
    data = json.loads(response.text)
    if 'current_array' in data:
        num = data['current_array']
        all_num.extend((num))
    else:
        print("no data")
print(sum(all_num))

js文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
const _0x38addf = _0x66a7;
const CryptoJS = require("/Users/lingtian/Downloads/js逆向/crypto-js");

function _0x66a7(_0x7461a9, _0x14ffcc) {
    const _0x4f0d09 = _0x4f0d();
    return _0x66a7 = function (_0x66a780, _0x2abc15) {
        _0x66a780 = _0x66a780 - 0xc5;
        let _0x477d8f = _0x4f0d09[_0x66a780];
        return _0x477d8f;
    }, _0x66a7(_0x7461a9, _0x14ffcc);
}

(function (_0x59b24b, _0x16d38a) {
    const _0x3e5f1c = _0x66a7, _0x14ae46 = _0x59b24b();
    while (!![]) {
        try {
            const _0x5e1110 = parseInt(_0x3e5f1c(0xca)) / 0x1 + -parseInt(_0x3e5f1c(0xd4)) / 0x2 * (-parseInt(_0x3e5f1c(0xd5)) / 0x3) + parseInt(_0x3e5f1c(0xc8)) / 0x4 + -parseInt(_0x3e5f1c(0xcc)) / 0x5 * (-parseInt(_0x3e5f1c(0xd0)) / 0x6) + -parseInt(_0x3e5f1c(0xd3)) / 0x7 + -parseInt(_0x3e5f1c(0xcd)) / 0x8 + -parseInt(_0x3e5f1c(0xcf)) / 0x9;
            if (_0x5e1110 === _0x16d38a) break; else _0x14ae46['push'](_0x14ae46['shift']());
        } catch (_0x4fbd75) {
            _0x14ae46['push'](_0x14ae46['shift']());
        }
    }
}(_0x4f0d, 0x897b4), dd = {'a': CryptoJS});
let key = dd['a'][_0x38addf(0xd6)][_0x38addf(0xc7)][_0x38addf(0xc9)](_0x38addf(0xce)),
    iv = dd['a'][_0x38addf(0xd6)]['Utf8'][_0x38addf(0xc9)]('0123456789ABCDEF');

function _0x4f0d() {
    const _0x341c37 = ['2440720SaQcQw', 'jo8j9wGw%6HbxfFn', '9735516pjwmiO', '68862pbatqQ', 'mode', 'AES', '1923264HnviQd', '36906bPsIrd', '12hEJHOd', 'enc', 'pad', 'encrypt', 'Hex', 'Utf8', '689460JbShaf', 'parse', '957060HmuxSn', 'toString', '445UZKyxv'];
    _0x4f0d = function () {
        return _0x341c37;
    };
    return _0x4f0d();
}

function encrypt(_0x277028) {
    const _0x4d843e = _0x38addf;
    let _0x2703a2 = dd['a'][_0x4d843e(0xd6)]['Utf8']['parse'](_0x277028),
        _0x50fcf0 = dd['a'][_0x4d843e(0xd2)][_0x4d843e(0xc5)](_0x2703a2, key, {
            'mode': dd['a'][_0x4d843e(0xd1)]['CBC'],
            'padding': dd['a'][_0x4d843e(0xd7)]['Pkcs7'],
            'iv': iv
        });
    return _0x50fcf0['ciphertext'][_0x4d843e(0xcb)](CryptoJS[_0x4d843e(0xd6)][_0x4d843e(0xc6)]);
}


function getxl(pageNumber){
    const timestamp = new Date().getTime();
    const params = {
        page: pageNumber,
        _ts: timestamp,
    };
    const jsonString = JSON.stringify(params);
    let encryptedQuery = encrypt(jsonString);
    return encryptedQuery
}

第六关

这次请求包只有参数page=1,很简单,但是从响应包看数据是被加密的,而前端看是有解密的

直接从js里面看,会对t参数的内容进行xxxxoooo函数处理,最后再输出到前端,那么直接用一样的函数节目不就好了?

看起来是可行的,继续把js代码搬到本地

后面我才注意到请求里面请求header也带参数hhh,需要js算出来,继续复刻前面的手法

1
2
3
fetch(`/api/problem-detail/${problemId}/data/?${queryString}`, {
        headers: hhh,
   }

而hhh由S函数算出来的

1
2
3
4
5
6
7
8
function s() {
    window.ttt = new Date().getTime();
    window.token = window.xxoo("sssssbbbbb" + ttt)
    window.hhh = {
        s: window.token,
        tt: window.ttt,
    }
}

所以写了一个

1
2
3
4
5
6
function gethhh()
{
    const timestamp = new Date().getTime()
    const token = xxoo("sssssbbbbb" + timestamp);
    return {"S":token,"Tt":timestamp.toString()}
}

然后再python里面调用,最后update到header里面就行

最后写出py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
all_num = []
for i in range(1,21):
    hhh = js_code.call('gethhh')
    headers.update(hhh)
    params = {
        'page':i
    }
    response = requests.get('https://www.mashangpa.com/api/problem-detail/6/data/', params=params, cookies=cookies,headers=headers)
    data = response.json()
    result = js_code.call('xxxxoooo',data['t'])
    result = json.loads(result)
    if "current_array" in result:
        all_num.extend(result['current_array'])
    else:
        print("no data")
print(all_num)
print(sum(all_num))

js文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
const CryptoJS = require("/Users/lingtian/Downloads/js逆向/crypto-js");
window = this, function (n) {
    function r(n, r) {
        var t = (65535 & n) + (65535 & r);
        return (n >> 16) + (r >> 16) + (t >> 16) << 16 | 65535 & t
    }

    function t(n, t, o, u, e, c) {
        return r(function (n, r) {
            return n << e | n >>> 32 - e
        }(r(r(t, n), r(u, c))), o)
    }

    function o(n, r, o, u, e, c, f) {
        return t(r & o | ~r & u, n, r, e, c, f)
    }

    function u(n, r, o, u, e, c, f) {
        return t(r & u | o & ~u, n, r, e, c, f)
    }

    function e(n, r, o, u, e, c, f) {
        return t(r ^ o ^ u, n, r, e, c, f)
    }

    function c(n, r, o, u, e, c, f) {
        return t(o ^ (r | ~u), n, r, e, c, f)
    }

    function f(n, t) {
        var f, i, a, h, g;
        n[t >> 5] |= 128 << t % 32, n[14 + (t + 64 >>> 9 << 4)] = t;
        var l = 1732584193, d = -271733879, v = -1732584194, C = 271733878;
        for (f = 0; f < n.length; f += 16) d = c(d = c(d = c(d = c(d = e(d = e(d = e(d = e(d = u(d = u(d = u(d = u(d = o(d = o(d = o(d = o(a = d, v = o(h = v, C = o(g = C, l = o(i = l, d, v, C, n[f], 7, -680876936), d, v, n[f + 1], 12, -389564586), l, d, n[f + 2], 17, 606105819), C, l, n[f + 3], 22, -1044525330), v = o(v, C = o(C, l = o(l, d, v, C, n[f + 4], 7, -176418897), d, v, n[f + 5], 12, 1200080426), l, d, n[f + 6], 17, -1473231341), C, l, n[f + 7], 22, -45705983), v = o(v, C = o(C, l = o(l, d, v, C, n[f + 8], 7, 1770035416), d, v, n[f + 9], 12, -1958414417), l, d, n[f + 10], 17, -42063), C, l, n[f + 11], 22, -1990404162), v = o(v, C = o(C, l = o(l, d, v, C, n[f + 12], 7, 1804603682), d, v, n[f + 13], 12, -40341101), l, d, n[f + 14], 17, -1502002290), C, l, n[f + 15], 22, 1236535329), v = u(v, C = u(C, l = u(l, d, v, C, n[f + 1], 5, -165796510), d, v, n[f + 6], 9, -1069501632), l, d, n[f + 11], 14, 643717713), C, l, n[f], 20, -373897302), v = u(v, C = u(C, l = u(l, d, v, C, n[f + 5], 5, -701558691), d, v, n[f + 10], 9, 38016083), l, d, n[f + 15], 14, -660478335), C, l, n[f + 4], 20, -405537848), v = u(v, C = u(C, l = u(l, d, v, C, n[f + 9], 5, 568446438), d, v, n[f + 14], 9, -1019803690), l, d, n[f + 3], 14, -187363961), C, l, n[f + 8], 20, 1163531501), v = u(v, C = u(C, l = u(l, d, v, C, n[f + 13], 5, -1444681467), d, v, n[f + 2], 9, -51403784), l, d, n[f + 7], 14, 1735328473), C, l, n[f + 12], 20, -1926607734), v = e(v, C = e(C, l = e(l, d, v, C, n[f + 5], 4, -378558), d, v, n[f + 8], 11, -2022574463), l, d, n[f + 11], 16, 1839030562), C, l, n[f + 14], 23, -35309556), v = e(v, C = e(C, l = e(l, d, v, C, n[f + 1], 4, -1530992060), d, v, n[f + 4], 11, 1272893353), l, d, n[f + 7], 16, -155497632), C, l, n[f + 10], 23, -1094730640), v = e(v, C = e(C, l = e(l, d, v, C, n[f + 13], 4, 681279174), d, v, n[f], 11, -358537222), l, d, n[f + 3], 16, -722521979), C, l, n[f + 6], 23, 76029189), v = e(v, C = e(C, l = e(l, d, v, C, n[f + 9], 4, -640364487), d, v, n[f + 12], 11, -421815835), l, d, n[f + 15], 16, 530742520), C, l, n[f + 2], 23, -995338651), v = c(v, C = c(C, l = c(l, d, v, C, n[f], 6, -198630844), d, v, n[f + 7], 10, 1126891415), l, d, n[f + 14], 15, -1416354905), C, l, n[f + 5], 21, -57434055), v = c(v, C = c(C, l = c(l, d, v, C, n[f + 12], 6, 1700485571), d, v, n[f + 3], 10, -1894986606), l, d, n[f + 10], 15, -1051523), C, l, n[f + 1], 21, -2054922799), v = c(v, C = c(C, l = c(l, d, v, C, n[f + 8], 6, 1873313359), d, v, n[f + 15], 10, -30611744), l, d, n[f + 6], 15, -1560198380), C, l, n[f + 13], 21, 1309151649), v = c(v, C = c(C, l = c(l, d, v, C, n[f + 4], 6, -145523070), d, v, n[f + 11], 10, -1120210379), l, d, n[f + 2], 15, 718787259), C, l, n[f + 9], 21, -343485551), l = r(l, i), d = r(d, a), v = r(v, h), C = r(C, g);
        return [l, d, v, C]
    }

    function i(n) {
        var r, t = "", o = 32 * n.length;
        for (r = 0; r < o; r += 8) t += String.fromCharCode(n[r >> 5] >>> r % 32 & 255);
        return t
    }

    function a(n) {
        var r, t = [];
        for (t[(n.length >> 2) - 1] = void 0, r = 0; r < t.length; r += 1) t[r] = 0;
        var o = 8 * n.length;
        for (r = 0; r < o; r += 8) t[r >> 5] |= (255 & n.charCodeAt(r / 8)) << r % 32;
        return t
    }

    function h(n) {
        var r, t, o = "0123456789abcdef", u = "";
        for (t = 0; t < n.length; t += 1) r = n.charCodeAt(t), u += o.charAt(r >>> 4 & 15) + o.charAt(15 & r);
        return u
    }

    function g(n) {
        return unescape(encodeURIComponent(n))
    }

    function l(n) {
        return function (n) {
            return i(f(a(n), 8 * n.length))
        }(g(n))
    }

    function d(n, r) {
        return function (n, r) {
            var t, o, u = a(n), e = [], c = [];
            for (e[15] = c[15] = void 0, 16 < u.length && (u = f(u, 8 * n.length)), t = 0; t < 16; t += 1) e[t] = 909522486 ^ u[t], c[t] = 1549556828 ^ u[t];
            return o = f(e.concat(a(r)), 512 + 8 * r.length), i(f(c.concat(o), 640))
        }(g(n), g(r))
    }

    window.xxoo = function (n, r, t) {
        return r ? t ? d(r, n) : function (n, r) {
            return h(d(n, r))
        }(r, n) : t ? l(n) : function (n) {
            return h(l(n))
        }(n)
    }
}();

dd = {
    a: CryptoJS
}
let kkkk = dd.a.enc.Utf8.parse("xxxxxxxxoooooooo");
let iiii = dd.a.enc.Utf8.parse("0123456789ABCDEF");

function s() {
    window.ttt = new Date().getTime();
    window.token = window.xxoo("sssssbbbbb" + ttt)
    window.hhh = {
        s: window.token,
        tt: window.ttt,
    }
}

function gethhh()
{
    const timestamp = new Date().getTime()
    const token = xxoo("sssssbbbbb" + timestamp);
    return {"S":token,"Tt":timestamp.toString()}
}

function xxxxoooo(encryptedHex) {
    let enccc = dd.a.enc.Hex.parse(encryptedHex);
    let deccc = dd.a.AES["decr" + "ypt"]({ciphertext: enccc}, kkkk, {
        mode: dd.a.mode.CBC,
        padding: dd.a.pad.Pkcs7,
        iv: iiii,
    });
    return deccc.toString(dd.a.enc.Utf8);
}

第七关好复杂,先写到这吧,已经知道了前面1-6已经了解了js逆向的大概了。。。

 评论
评论插件加载失败
正在加载评论插件
  1. 1. 第一关
  2. 2. 第四关
  3. 3. 第五关
  4. 4. 第六关
© 2020 - 2025    Flow
由 Hexo 驱动 & 主题 Keep
  1. 1. 第一关
  2. 2. 第四关
  3. 3. 第五关
  4. 4. 第六关