网络爬虫-h5支付encrypt_msg参数逆向

仅供研究学习使用。

网络爬虫-h5支付encrypt_msg参数逆向_第1张图片
网络爬虫-h5支付encrypt_msg参数逆向_第2张图片
我们的目的是从这个接口中拿到最终的支付链接。可以看到,v1/r/1450000490/mobile_save 这个接口中的参数非常多,我们可以逐一排查,最终可以发现:

openid, openkey 为用户登录后参数(需手动添加)

session_token, web_token, anti_auto_script_token_id 为静态html返回,可以手动或用node去获取

其中比较关键的参数就是 encrypt_msg。它是校验参数,缺失或者验证失败时,接口会返回"系统繁忙",如下图:

网络爬虫-h5支付encrypt_msg参数逆向_第3张图片

首先我们先全局搜索encrypt_msg这个参数

网络爬虫-h5支付encrypt_msg参数逆向_第4张图片

乍一看可以先猜测它是一个 AES 加密,但实际上并不是,这仅仅是简单的障眼法而已。

如果写过滑块的童鞋,应该会比较了解这块的算法(xmidas)。相关代码片段如下(节选,末尾被截断):

/**
 * Concatenates a fixed list of properties read from one `window` sub-object
 * into a single string and returns `_0x59528b(...)` of that string.
 *
 * The property names are assembled from literal fragments plus `_0x4c5f(...)`
 * lookups (a string-table decoder defined outside this snippet), so the full
 * names are not visible here. The readable fragments ('Heigh', 'avail',
 * 'color' + 'Depth', 'pixel', 'eInte' + 'rval') suggest display properties of
 * `window.screen`, i.e. presumably one component of a device fingerprint;
 * confirm by resolving the decoder.
 *
 * NOTE(review): every input is a value reported by the client environment, so
 * the derived value is an untrusted signal, not evidence of a genuine browser.
 *
 * @returns {*} Result of `_0x59528b` on the concatenated string (helper not
 *     shown; presumably a hash or encoding, to be confirmed).
 */
function _0x13963a() {
            // Accumulator for the concatenated property values.
            var _0x21b15a = '';
            try {
                // Index init `0x52 * -0x67 + -0x1 * -0x16d3 + 0xa2b * 0x1` evaluates to 0 (constant obfuscation);
                // the loop bound is presumably the array's `length` (key partly hidden behind the decoder).
                for (var _0x45eecd = [_0x4c5f('0x386') + 'Heigh' + 't', 'avail' + _0x4c5f('0x323'), 'color' + 'Depth', _0x4c5f('0x214') + _0x4c5f('0x1e') + 'h', _0x4c5f('0x150') + _0x4c5f('0xcb'), _0x4c5f('0x150') + _0x4c5f('0x35f'), _0x4c5f('0x362') + 't', _0x4c5f('0x336'), _0x4c5f('0x365') + _0x4c5f('0xc6') + 'I', 'logic' + _0x4c5f('0x2f2') + 'I', 'pixel' + _0x4c5f('0x2e'), _0x4c5f('0xd4') + 'eInte' + 'rval'], _0x19dc5e = 0x52 * -0x67 + -0x1 * -0x16d3 + 0xa2b * 0x1; _0x19dc5e < _0x45eecd[_0x4c5f('0x8e') + 'h']; _0x19dc5e++) {
                    var _0x1e98fc = _0x45eecd[_0x19dc5e];
                    // `void (...)` is always `undefined` (the operand sums to 0): append the property only when it is defined.
                    void (-0x17d0 + 0x1 * -0xaa7 + 0x2277) !== window[_0x4c5f('0x3ac') + 'n'][_0x1e98fc] && (_0x21b15a += window[_0x4c5f('0x3ac') + 'n'][_0x1e98fc]);
                }
            // Any exception is swallowed; whatever was accumulated so far is still passed on below.
            } catch (_0x4b288a) {}
            return _0x59528b(_0x21b15a);
        }
        // Cached result for _0x3a0788 below: read from a property of _0x16a64c whose key is
        // built through the _0x4c5f decoder (the same key expression is written back inside
        // _0x3a0788). _0x259597 starts out true when that stored value is truthy.
        var _0x21ace1 = _0x16a64c[_0x4c5f('0x189') + _0x4c5f('0x38a') + _0x4c5f('0x359')]
            , _0x259597 = !!_0x21ace1;
        function _0x3a0788() {
            if (_0x259597)
                return _0x21ace1;
            _0x259597 = !(0x1c4a + 0x1c2a + -0x3874 * 0x1);
            try {
                var _0x4ef4bc = []
                    , _0x5da87a = [_0x4c5f('0x14e') + _0x4c5f('0x3c2'), _0x4c5f('0x2ae') + _0x4c5f('0x1f7'), _0x4c5f('0x1f7')]
                    , _0x3fa725 = ['Andal' + _0x4c5f('0x206') + 'o', _0x4c5f('0x1c6'), _0x4c5f('0x1c6') + _0x4c5f('0x127') + 'k', _0x4c5f('0x1c6') + '\x20Hebr' + 'ew', _0x4c5f('0x1c6') + '\x20MT', _0x4c5f('0x1c6') + '\x20Narr' + 'ow', _0x4c5f('0x1c6') + _0x4c5f('0x74') + _0x4c5f('0x39e') + _0x4c5f('0x379') + 'd', _0x4c5f('0x1c6') + _0x4c5f('0x40') + _0x4c5f('0xd8') + 'S', _0x4c5f('0x1e0') + _0x4c5f('0x115') + _0x4c5f('0x15b') + 'Sans\x20' + 'Mono', 'Book\x20' + _0x4c5f('0x23f') + 'ua', _0x4c5f('0x263') + 'an\x20Ol' + _0x4c5f('0x19a') + 'le', 'Calib' + 'ri', _0x4c5f('0x33a') + 'ia', _0x4c5f('0x33a') + _0x4c5f('0x3c9') + 'th', _0x4c5f('0x243') + 'ry', _0x4c5f('0x243') + _0x4c5f('0x2bf') + _0x4c5f('0xb2'), _0x4c5f('0x243') + _0x4c5f('0x174') + _0x4c5f('0x1c4') + _0x4c5f('0x34b'), 'Comic' + _0x4c5f('0x36a'), 'Comic' + _0x4c5f('0x36a') + '\x20MS', _0x4c5f('0x12') + 'las', _0x4c5f('0x1cd') + 'er', _0x4c5f('0x1cd') + _0x4c5f('0x179') + 'w', 'Garam' + _0x4c5f('0x269'), _0x4c5f('0x77') + 'a', 'Georg' + 'ia', _0x4c5f('0x15f') + _0x4c5f('0x1bc'), _0x4c5f('0x15f') + 'tica\x20' + _0x4c5f('0x2a3'), _0x4c5f('0x53') + 't', _0x4c5f('0x3a') + 'a\x20Bri' + _0x4c5f('0x1b0'), _0x4c5f('0x3a') + _0x4c5f('0x2fa') + _0x4c5f('0x368') + _0x4c5f('0x50'), 'Lucid' + _0x4c5f('0x3d3') + 'sole', _0x4c5f('0x3a') + _0x4c5f('0x59'), _0x4c5f('0x30f') + _0x4c5f('0x31e') + 'NDE', _0x4c5f('0x3a') + _0x4c5f('0x168') + _0x4c5f('0x3cc') + _0x4c5f('0x37c'), _0x4c5f('0x3a') + _0x4c5f('0x254') + 's', _0x4c5f('0x3a') + _0x4c5f('0x254') + _0x4c5f('0x2a5') + 'ewrit' + 'er', _0x4c5f('0x3a') + 'a\x20San' + _0x4c5f('0x28b') + _0x4c5f('0x1f5'), 'Micro' + _0x4c5f('0x12e') + _0x4c5f('0x3b2') + _0x4c5f('0x137'), _0x4c5f('0x102') + 'o', _0x4c5f('0x2d5') + _0x4c5f('0x1cc') + _0x4c5f('0x217') + 'a', _0x4c5f('0x256') + 'thic', _0x4c5f('0x293') + _0x4c5f('0x63'), _0x4c5f('0x388') + _0x4c5f('0x303'), _0x4c5f('0x364') + _0x4c5f('0x2cb') + _0x4c5f('0xb') + _0x4c5f('0x1d5') + 'rif', _0x4c5f('0xa0') + _0x4c5f('0x1d5') + 
_0x4c5f('0x14c'), _0x4c5f('0x22e') + _0x4c5f('0x14c'), _0x4c5f('0x120') + 'D', _0x4c5f('0x120') + _0x4c5f('0x1db'), _0x4c5f('0x35b') + 'ino', 'Palat' + _0x4c5f('0x222') + _0x4c5f('0xf8') + 'pe', 'Segoe' + _0x4c5f('0x2ea') + 't', _0x4c5f('0x121') + _0x4c5f('0x201') + 'pt', 'Segoe' + _0x4c5f('0x212'), _0x4c5f('0x121') + _0x4c5f('0x186') + 'ight', _0x4c5f('0x121') + _0x4c5f('0xe9') + _0x4c5f('0x375') + 'ld', _0x4c5f('0x121') + _0x4c5f('0xe9') + _0x4c5f('0x29'), _0x4c5f('0x2f9') + 'a', 'Times', _0x4c5f('0xfd') + _0x4c5f('0x57') + _0x4c5f('0x136'), _0x4c5f('0xfd') + _0x4c5f('0x57') + _0x4c5f('0x136') + _0x4c5f('0x87'), _0x4c5f('0x3b6') + 'chet\x20' + 'MS', _0x4c5f('0xe1') + 'na', _0x4c5f('0x25a') + _0x4c5f('0x24d'), _0x4c5f('0x25a') + _0x4c5f('0xa2') + '2', _0x4c5f('0x25a') + 'ings\x20' + '3'];
                if (document['fonts'] && document[_0x4c5f('0x3ab')][_0x4c5f('0x3')])
                    try {
                        for (var _0x1a4872 = 0x9e0 + 0x23cf + -0x2daf, _0x1c034b = _0x3fa725['lengt' + 'h']; _0x1a4872 < _0x1c034b; _0x1a4872++)
                            !function(_0x2c80c7) {
                                try {
                                    return document[_0x4c5f('0x3ab')][_0x4c5f('0x3')]('12px\x20' + _0x2c80c7);
                                } catch (_0x32d0f2) {
                                    return !(0x17 * -0xdb + -0x165a * -0x1 + 0x12 * -0x26);
                                }
                            }(_0x3fa725[_0x1a4872]) || _0x4ef4bc['push'](('0' + _0x1a4872)[_0x4c5f('0xe0')](-(0x1930 * -0x1 + -0x915 + 0xb6d * 0x3)));
                        var _0x19bd36 = _0x4ef4bc[_0x4c5f('0x106')](';');
                        return _0x16a64c[_0x4c5f('0x189') + _0x4c5f('0x38a') + _0x4c5f('0x359')] = _0x21ace1 = _0x3d8b3d(_0x19bd36),
                            _0x21ace1;
                    } catch (_0x282811) {}
                var _0x8b1c7e = document[_0x4c5f('0x1ab')] || document[_0x4c5f('0x1a7') + _0x4c5f('0xda') + 'sByTa' + _0x4c5f('0x25e')](_0x4c5f('0x1ab'))[0x1 * -0x1213 + 0x1a8 * -0x10 + 0x2c93]
                    , _0x448b22 = document[_0x4c5f('0x3e') + _0x4c5f('0x3b5') + _0x4c5f('0xb1')]('div')
                    , _0x157d22 = document['creat' + _0x4c5f('0x3b5') + 'ent'](_0x4c5f('0x21d'))
                    , _0x2a8a71 = {}
                    , _0x1cfe2e = {}
                    , _0x5bd96c = function() {
                    var _0x317ae3 = document['creat' + _0x4c5f('0x3b5') + 'ent'](_0x4c5f('0x21a'));
                    return _0x317ae3[_0x4c5f('0x10e')][_0x4c5f('0x5c') + _0x4c5f('0x1ec')] = _0x4c5f('0x345') + 'ute',
                        _0x317ae3[_0x4c5f('0x10e')][_0x4c5f('0x1eb')] = _0x4c5f('0x2fe') + 'px',
                        _0x317ae3['style'][_0x4c5f('0x1fa') + 'ize'] = '72px',
                        _0x317ae3['style']['lineH' + _0x4c5f('0x153')] = _0x4c5f('0x335') + 'l',
                        _0x317ae3[_0x4c5f('0xee') + 'HTML'] = _0x4c5f('0x37a') + _0x4c5f('0x37a') + _0x4c5f('0x27d'),
                        _0x317ae3;
                }

我们用 node 来运行这些混淆的代码。由于代码直接读取 window、document 等浏览器对象,聪明点的童鞋可以想到用 jsdom 来补环境;如果我们对速度的要求不是非常高,那么是可以采用这种方式的。

网络爬虫-h5支付encrypt_msg参数逆向_第5张图片

网络爬虫-h5支付encrypt_msg参数逆向_第6张图片

最终我们还可以发现,这个接口对部分参数实际上没有强验证,比如随机数 r、随机生成的 uuid、accessToken 等。从防护角度看,这类随请求提交的字段应在服务端与会话绑定并校验,而不是只依赖客户端生成的 encrypt_msg。

最终附上调试成功图

网络爬虫-h5支付encrypt_msg参数逆向_第7张图片
网络爬虫-h5支付encrypt_msg参数逆向_第8张图片


Ending

如有权益问题可以发私信联系我删除

联系方式: 442891187
