标签:oba enc too turn cli ptr number can message
1. url: http://mail.yw.gov.cn/
2. target:登录js
3. 简单分析:
寻找加密js:
3.1 直接寻找加密的参数p是不好找的,所以我们试着去寻找一些更明显的参数
3.2 然后我们直接去找“pp”参数,找到这里,打上断点去调试,一步步执行下去看看:
3.3 经过上面的步骤,我们不难发现,加密js就在下面不远处。。
3.4 这下就很清晰了,具体细节大家可自行调试,把加密的js 抠出来,运行即可。
js:
navigator = {}; var dbits; var canary = 0xdeadbeefcafe; var j_lm = ((canary & 0xffffff) == 0xefcafe); function BigInteger(d, e, f) { if (d != null) if ("number" == typeof d) this.fromNumber(d, e, f); else if (e == null && "string" != typeof d) this.fromString(d, 256); else this.fromString(d, e); } function nbi() { return new BigInteger(null); } function am1(b, h, g, d, a, e) { while (--e >= 0) { var f = h * this[b++] + g[d] + a; a = Math.floor(f / 0x4000000); g[d++] = f & 0x3ffffff; } return a; } function am2(d, p, o, e, a, k) { var r = p & 0x7fff, q = p >> 15; while (--k >= 0) { var f = this[d] & 0x7fff; var b = this[d++] >> 15; var g = q * f + b * r; f = r * f + ((g & 0x7fff) << 15) + o[e] + (a & 0x3fffffff); a = (f >>> 30) + (g >>> 15) + q * b + (a >>> 30); o[e++] = f & 0x3fffffff; } return a; } function am3(d, p, o, e, a, k) { var r = p & 0x3fff, q = p >> 14; while (--k >= 0) { var f = this[d] & 0x3fff; var b = this[d++] >> 14; var g = q * f + b * r; f = r * f + ((g & 0x3fff) << 14) + o[e] + a; a = (f >> 28) + (g >> 14) + q * b; o[e++] = f & 0xfffffff; } return a; } if (j_lm && (navigator.appName == "Microsoft Internet Explorer")) { BigInteger.prototype.am = am2; dbits = 30; } else if (j_lm && (navigator.appName != "Netscape")) { BigInteger.prototype.am = am1; dbits = 26; } else { BigInteger.prototype.am = am3; dbits = 28; } BigInteger.prototype.DB = dbits; BigInteger.prototype.DM = ((1 << dbits) - 1); BigInteger.prototype.DV = (1 << dbits); var BI_FP = 52; BigInteger.prototype.FV = Math.pow(2, BI_FP); BigInteger.prototype.F1 = BI_FP - dbits; BigInteger.prototype.F2 = 2 * dbits - BI_FP; var BI_RM = "0123456789abcdefghijklmnopqrstuvwxyz"; var BI_RC = new Array(); var rr, vv; rr = "0".charCodeAt(0); for (vv = 0; vv <= 9; ++vv) BI_RC[rr++] = vv; rr = "a".charCodeAt(0); for (vv = 10; vv < 36; ++vv) BI_RC[rr++] = vv; rr = "A".charCodeAt(0); for (vv = 10; vv < 36; ++vv) BI_RC[rr++] = vv; function int2char(a) { return BI_RM.charAt(a); } function intAt(d, b) { var a = BI_RC[d.charCodeAt(b)]; return (a == null) ? -1 : a; } function bnpCopyTo(b) { for (var a = this.t - 1; a >= 0; --a) b[a] = this[a]; b.t = this.t; b.s = this.s; } function bnpFromInt(a) { this.t = 1; this.s = (a < 0) ? -1 : 0; if (a > 0) this[0] = a; else if (a < -1) this[0] = a + DV; else this.t = 0; } function nbv(a) { var b = nbi(); b.fromInt(a); return b; } function bnpFromString(f, a) { var d; if (a == 16) d = 4; else if (a == 8) d = 3; else if (a == 256) d = 8; else if (a == 2) d = 1; else if (a == 32) d = 5; else if (a == 4) d = 2; else { this.fromRadix(f, a); return; } this.t = 0; this.s = 0; var c = f.length, e = false, g = 0; while (--c >= 0) { var h = (d == 8) ? f[c] & 0xff: intAt(f, c); if (h < 0) { if (f.charAt(c) == "-") e = true; continue; } e = false; if (g == 0) this[this.t++] = h; else if (g + d > this.DB) { this[this.t - 1] |= (h & ((1 << (this.DB - g)) - 1)) << g; this[this.t++] = (h >> (this.DB - g)); } else this[this.t - 1] |= h << g; g += d; if (g >= this.DB) g -= this.DB; } if (d == 8 && (f[0] & 0x80) != 0) { this.s = -1; if (g > 0) this[this.t - 1] |= ((1 << (this.DB - g)) - 1) << g; } this.clamp(); if (e) BigInteger.ZERO.subTo(this, this); } function bnpClamp() { var a = this.s & this.DM; while (this.t > 0 && this[this.t - 1] == a)--this.t; } function bnToString(a) { if (this.s < 0) return "-" + this.negate().toString(a); var f; if (a == 16) f = 4; else if (a == 8) f = 3; else if (a == 2) f = 1; else if (a == 32) f = 5; else if (a == 4) f = 2; else return this.toRadix(a); var g = (1 << f) - 1, c, h = false, l = "", e = this.t; var j = this.DB - (e * this.DB) % f; if (e-->0) { if (j < this.DB && (c = this[e] >> j) > 0) { h = true; l = int2char(c); } while (e >= 0) { if (j < f) { c = (this[e] & ((1 << j) - 1)) << (f - j); c |= this[--e] >> (j += this.DB - f); } else { c = (this[e] >> (j -= f)) & g; if (j <= 0) { j += this.DB; --e; } } if (c > 0) h = true; if (h) l += int2char(c); } } return h ? l: "0"; } function bnNegate() { var a = nbi(); BigInteger.ZERO.subTo(this, a); return a; } function bnAbs() { return (this.s < 0) ? this.negate() : this; } function bnCompareTo(b) { var d = this.s - b.s; if (d != 0) return d; var c = this.t; d = c - b.t; if (d != 0) return d; while (--c >= 0) if ((d = this[c] - b[c]) != 0) return d; return 0; } function nbits(c) { var a = 1, b; if ((b = c >>> 16) != 0) { c = b; a += 16; } if ((b = c >> 8) != 0) { c = b; a += 8; } if ((b = c >> 4) != 0) { c = b; a += 4; } if ((b = c >> 2) != 0) { c = b; a += 2; } if ((b = c >> 1) != 0) { c = b; a += 1; } return a; } function bnBitLength() { if (this.t <= 0) return 0; return this.DB * (this.t - 1) + nbits(this[this.t - 1] ^ (this.s & this.DM)); } function bnpDLShiftTo(b, c) { var a; for (a = this.t - 1; a >= 0; --a) c[a + b] = this[a]; for (a = b - 1; a >= 0; --a) c[a] = 0; c.t = this.t + b; c.s = this.s; } function bnpDRShiftTo(b, c) { for (var a = b; a < this.t; ++a) c[a - b] = this[a]; c.t = Math.max(this.t - b, 0); c.s = this.s; } function bnpLShiftTo(h, j) { var b = h % this.DB; var e = this.DB - b; var a = (1 << e) - 1; var f = Math.floor(h / this.DB), d = (this.s << b) & this.DM, g; for (g = this.t - 1; g >= 0; --g) { j[g + f + 1] = (this[g] >> e) | d; d = (this[g] & a) << b; } for (g = f - 1; g >= 0; --g) j[g] = 0; j[f] = d; j.t = this.t + f + 1; j.s = this.s; j.clamp(); } function bnpRShiftTo(f, g) { g.s = this.s; var d = Math.floor(f / this.DB); if (d >= this.t) { g.t = 0; return; } var b = f % this.DB; var c = this.DB - b; var a = (1 << b) - 1; g[0] = this[d] >> b; for (var e = d + 1; e < this.t; ++e) { g[e - d - 1] |= (this[e] & a) << c; g[e - d] = this[e] >> b; } if (b > 0) g[this.t - d - 1] |= (this.s & a) << c; g.t = this.t - d; g.clamp(); } function bnpSubTo(b, g) { var e = 0, d = 0, f = Math.min(b.t, this.t); while (e < f) { d += this[e] - b[e]; g[e++] = d & this.DM; d >>= this.DB; } if (b.t < this.t) { d -= b.s; while (e < this.t) { d += this[e]; g[e++] = d & this.DM; d >>= this.DB; } d += this.s; } else { d += this.s; while (e < b.t) { d -= b[e]; g[e++] = d & this.DM; d >>= this.DB; } d -= b.s; } g.s = (d < 0) ? -1 : 0; if (d < -1) g[e++] = this.DV + d; else if (d > 0) g[e++] = d; g.t = e; g.clamp(); } function bnpMultiplyTo(b, d) { var e = this.abs(), f = b.abs(); var c = e.t; d.t = c + f.t; while (--c >= 0) d[c] = 0; for (c = 0; c < f.t; ++c) d[c + e.t] = e.am(0, f[c], d, c, 0, e.t); d.s = 0; d.clamp(); if (this.s != b.s) BigInteger.ZERO.subTo(d, d); } function bnpSquareTo(d) { var e = this.abs(); var b = d.t = 2 * e.t; while (--b >= 0) d[b] = 0; for (b = 0; b < e.t - 1; ++b) { var a = e.am(b, e[b], d, 2 * b, 0, 1); if ((d[b + e.t] += e.am(b + 1, 2 * e[b], d, 2 * b + 1, a, e.t - b - 1)) >= e.DV) { d[b + e.t] -= e.DV; d[b + e.t + 1] = 1; } } if (d.t > 0) d[d.t - 1] += e.am(b, e[b], d, 2 * b, 0, 1); d.s = 0; d.clamp(); } function bnpDivRemTo(g, o, s) { var l = g.abs(); if (l.t <= 0) return; var n = this.abs(); if (n.t < l.t) { if (o != null) o.fromInt(0); if (s != null) this.copyTo(s); return; } if (s == null) s = nbi(); var x = nbi(), w = this.s, h = g.s; var k = this.DB - nbits(l[l.t - 1]); if (k > 0) { l.lShiftTo(k, x); n.lShiftTo(k, s); } else { l.copyTo(x); n.copyTo(s); } var B = x.t; var A = x[B - 1]; if (A == 0) return; var C = A * (1 << this.F1) + ((B > 1) ? x[B - 2] >> this.F2: 0); var a = this.FV / C, b = (1 << this.F1) / C, c = 1 << this.F2; var d = s.t, f = d - B, u = (o == null) ? nbi() : o; x.dlShiftTo(f, u); if (s.compareTo(u) >= 0) { s[s.t++] = 1; s.subTo(u, s); } BigInteger.ONE.dlShiftTo(B, u); u.subTo(x, x); while (x.t < B) x[x.t++] = 0; while (--f >= 0) { var p = (s[--d] == A) ? this.DM: Math.floor(s[d] * a + (s[d - 1] + c) * b); if ((s[d] += x.am(0, p, s, f, 0, B)) < p) { x.dlShiftTo(f, u); s.subTo(u, s); while (s[d] < --p) s.subTo(u, s); } } if (o != null) { s.drShiftTo(B, o); if (w != h) BigInteger.ZERO.subTo(o, o); } s.t = B; s.clamp(); if (k > 0) s.rShiftTo(k, s); if (w < 0) BigInteger.ZERO.subTo(s, s); } function bnMod(b) { var c = nbi(); this.abs().divRemTo(b, null, c); if (this.s < 0 && c.compareTo(BigInteger.ZERO) > 0) b.subTo(c, c); return c; } function Classic(a) { this.m = a; } function cConvert(a) { if (a.s < 0 || a.compareTo(this.m) >= 0) return a.mod(this.m); else return a; } function cRevert(a) { return a; } function cReduce(a) { a.divRemTo(this.m, null, a); } function cMulTo(b, c, a) { b.multiplyTo(c, a); this.reduce(a); } function cSqrTo(b, a) { b.squareTo(a); this.reduce(a); } Classic.prototype.convert = cConvert; Classic.prototype.revert = cRevert; Classic.prototype.reduce = cReduce; Classic.prototype.mulTo = cMulTo; Classic.prototype.sqrTo = cSqrTo; function bnpInvDigit() { if (this.t < 1) return 0; var a = this[0]; if ((a & 1) == 0) return 0; var b = a & 3; b = (b * (2 - (a & 0xf) * b)) & 0xf; b = (b * (2 - (a & 0xff) * b)) & 0xff; b = (b * (2 - (((a & 0xffff) * b) & 0xffff))) & 0xffff; b = (b * (2 - a * b % this.DV)) % this.DV; return (b > 0) ? this.DV - b: -b; } function Montgomery(a) { this.m = a; this.mp = a.invDigit(); this.mpl = this.mp & 0x7fff; this.mph = this.mp >> 15; this.um = (1 << (a.DB - 15)) - 1; this.mt2 = 2 * a.t; } function montConvert(b) { var a = nbi(); b.abs().dlShiftTo(this.m.t, a); a.divRemTo(this.m, null, a); if (b.s < 0 && a.compareTo(BigInteger.ZERO) > 0) this.m.subTo(a, a); return a; } function montRevert(b) { var a = nbi(); b.copyTo(a); this.reduce(a); return a; } function montReduce(d) { while (d.t <= this.mt2) d[d.t++] = 0; for (var a = 0; a < this.m.t; ++a) { var b = d[a] & 0x7fff; var c = (b * this.mpl + (((b * this.mph + (d[a] >> 15) * this.mpl) & this.um) << 15)) & d.DM; b = a + this.m.t; d[b] += this.m.am(0, c, d, a, 0, this.m.t); while (d[b] >= d.DV) { d[b] -= d.DV; d[++b]++; } } d.clamp(); d.drShiftTo(this.m.t, d); if (d.compareTo(this.m) >= 0) d.subTo(this.m, d); } function montSqrTo(b, a) { b.squareTo(a); this.reduce(a); } function montMulTo(b, c, a) { b.multiplyTo(c, a); this.reduce(a); } Montgomery.prototype.convert = montConvert; Montgomery.prototype.revert = montRevert; Montgomery.prototype.reduce = montReduce; Montgomery.prototype.mulTo = montMulTo; Montgomery.prototype.sqrTo = montSqrTo; function bnpIsEven() { return ((this.t > 0) ? (this[0] & 1) : this.s) == 0; } function bnpExp(a, j) { if (a > 0xffffffff || a < 1) return BigInteger.ONE; var d = nbi(), f = nbi(), b = j.convert(this), c = nbits(a) - 1; b.copyTo(d); while (--c >= 0) { j.sqrTo(d, f); if ((a & (1 << c)) > 0) j.mulTo(f, b, d); else { var h = d; d = f; f = h; } } return j.revert(d); } function bnModPowInt(a, b) { var c; if (a < 256 || b.isEven()) c = new Classic(b); else c = new Montgomery(b); return this.exp(a, c); } BigInteger.prototype.copyTo = bnpCopyTo; BigInteger.prototype.fromInt = bnpFromInt; BigInteger.prototype.fromString = bnpFromString; BigInteger.prototype.clamp = bnpClamp; BigInteger.prototype.dlShiftTo = bnpDLShiftTo; BigInteger.prototype.drShiftTo = bnpDRShiftTo; BigInteger.prototype.lShiftTo = bnpLShiftTo; BigInteger.prototype.rShiftTo = bnpRShiftTo; BigInteger.prototype.subTo = bnpSubTo; BigInteger.prototype.multiplyTo = bnpMultiplyTo; BigInteger.prototype.squareTo = bnpSquareTo; BigInteger.prototype.divRemTo = bnpDivRemTo; BigInteger.prototype.invDigit = bnpInvDigit; BigInteger.prototype.isEven = bnpIsEven; BigInteger.prototype.exp = bnpExp; BigInteger.prototype.toString = bnToString; BigInteger.prototype.negate = bnNegate; BigInteger.prototype.abs = bnAbs; BigInteger.prototype.compareTo = bnCompareTo; BigInteger.prototype.bitLength = bnBitLength; BigInteger.prototype.mod = bnMod; BigInteger.prototype.modPowInt = bnModPowInt; BigInteger.ZERO = nbv(0); BigInteger.ONE = nbv(1); function Arcfour() { this.i = 0; this.j = 0; this.S = new Array(); } function ARC4init(c) { var a, b, d; for (a = 0; a < 256; ++a) this.S[a] = a; b = 0; for (a = 0; a < 256; ++a) { b = (b + this.S[a] + c[a % c.length]) & 255; d = this.S[a]; this.S[a] = this.S[b]; this.S[b] = d; } this.i = 0; this.j = 0; } function ARC4next() { var a; this.i = (this.i + 1) & 255; this.j = (this.j + this.S[this.i]) & 255; a = this.S[this.i]; this.S[this.i] = this.S[this.j]; this.S[this.j] = a; return this.S[(a + this.S[this.i]) & 255]; } Arcfour.prototype.init = ARC4init; Arcfour.prototype.next = ARC4next; function prng_newstate() { return new Arcfour(); } var rng_psize = 256; var rng_state; var rng_pool; var rng_pptr; function rng_seed_int(a) { rng_pool[rng_pptr++] ^= a & 255; rng_pool[rng_pptr++] ^= (a >> 8) & 255; rng_pool[rng_pptr++] ^= (a >> 16) & 255; rng_pool[rng_pptr++] ^= (a >> 24) & 255; if (rng_pptr >= rng_psize) rng_pptr -= rng_psize; } function rng_seed_time() { rng_seed_int(new Date().getTime()); } if (rng_pool == null) { rng_pool = new Array(); rng_pptr = 0; var t; if (navigator.appName == "Netscape" && navigator.appVersion < "5" && window.crypto) { var z = window.crypto.random(32); for (t = 0; t < z.length; ++t) rng_pool[rng_pptr++] = z.charCodeAt(t) & 255; } while (rng_pptr < rng_psize) { t = Math.floor(65536 * Math.random()); rng_pool[rng_pptr++] = t >>> 8; rng_pool[rng_pptr++] = t & 255; } rng_pptr = 0; rng_seed_time(); } function rng_get_byte() { if (rng_state == null) { rng_seed_time(); rng_state = prng_newstate(); rng_state.init(rng_pool); for (rng_pptr = 0; rng_pptr < rng_pool.length; ++rng_pptr) rng_pool[rng_pptr] = 0; rng_pptr = 0; } return rng_state.next(); } function rng_get_bytes(a) { var b; for (b = 0; b < a.length; ++b) a[b] = rng_get_byte(); } function SecureRandom() {} SecureRandom.prototype.nextBytes = rng_get_bytes; function parseBigInt(b, a) { return new BigInteger(b, a); } function linebrk(d, b) { var c = ""; var a = 0; while (a + b < d.length) { c += d.substring(a, a + b) + "\n"; a += b; } return c + d.substring(a, d.length); } function byte2Hex(a) { if (a < 0x10) return "0" + a.toString(16); else return a.toString(16); } function pkcs1pad2(e, c) { if (c < e.length + 11) { alert("Message too long for RSA"); return null; } var a = new Array(); var b = e.length - 1; while (b >= 0 && c > 0) a[--c] = e.charCodeAt(b--); a[--c] = 0; var d = new SecureRandom(); var f = new Array(); while (c > 2) { f[0] = 0; while (f[0] == 0) d.nextBytes(f); a[--c] = f[0]; } a[--c] = 2; a[--c] = 0; return new BigInteger(a); } function RSAKey() { this.n = null; this.e = 0; this.d = null; this.p = null; this.q = null; this.dmp1 = null; this.dmq1 = null; this.coeff = null; } function RSASetPublic(b, a) { if (b != null && a != null && b.length > 0 && a.length > 0) { this.n = parseBigInt(b, 16); this.e = parseInt(a, 16); } else alert("Invalid RSA public key"); } function RSADoPublic(a) { return a.modPowInt(this.e, this.n); } function RSAEncrypt(e) { var d = pkcs1pad2(e, (this.n.bitLength() + 7) >> 3); if (d == null) return null; var a = this.doPublic(d); if (a == null) return null; var b = a.toString(16); if ((b.length & 1) == 0) return b; else return "0" + b; } RSAKey.prototype.doPublic = RSADoPublic; RSAKey.prototype.setPublic = RSASetPublic; RSAKey.prototype.encrypt = RSAEncrypt; var b64map = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; var b64pad = "="; function hex2b64(b) { var d; var a; var e = ""; for (d = 0; d + 3 <= b.length; d += 3) { a = parseInt(b.substring(d, d + 3), 16); e += b64map.charAt(a >> 6) + b64map.charAt(a & 63); } if (d + 1 == b.length) { a = parseInt(b.substring(d, d + 1), 16); e += b64map.charAt(a << 2); } else if (d + 2 == b.length) { a = parseInt(b.substring(d, d + 2), 16); e += b64map.charAt(a >> 2) + b64map.charAt((a & 3) << 4); } while ((e.length & 3) > 0) e += b64pad; return e; } function b64tohex(d) { var c = ""; var a; var b = 0; var e; for (a = 0; a < d.length; ++a) { if (d.charAt(a) == b64pad) break; v = b64map.indexOf(d.charAt(a)); if (v < 0) continue; if (b == 0) { c += int2char(v >> 2); e = v & 3; b = 1; } else if (b == 1) { c += int2char((e << 2) | (v >> 4)); e = v & 0xf; b = 2; } else if (b == 2) { c += int2char(e); c += int2char(v >> 2); e = v & 3; b = 3; } else { c += int2char((e << 2) | (v >> 4)); c += int2char(v & 0xf); b = 0; } } if (b == 1) c += int2char(e << 2); return c; } function b64toBA(e) { var c = b64tohex(e); var d; var b = new Array(); for (d = 0; 2 * d < c.length; ++d) { b[d] = parseInt(c.substring(2 * d, 2 * d + 2), 16); } return b; } function safeauth_js() {} function getPwd(pwd) { var PublicKey = "CF87D7B4C864F4842F1D337491A48FFF54B73A17300E8E42FA365420393AC0346AE55D8AFAD975DFA175FAF0106CBA81AF1DDE4ACEC284DAC6ED9A0D8FEB1CC070733C58213EFFED46529C54CEA06D774E3CC7E073346AEBD6C66FC973F299EB74738E400B22B1E7CDC54E71AED059D228DFEB5B29C530FF341502AE56DDCFE9"; var RSA = new RSAKey(); RSA.setPublic(PublicKey, "10001"); var PublicTs = "1578280046"; var Res = RSA.encrypt(pwd + ‘\n‘ + PublicTs + ‘\n‘); return hex2b64(Res); }
结果:
思路就是这样,不去用python做登录测试了。
标签:oba enc too turn cli ptr number can message
原文地址:https://www.cnblogs.com/zrmw/p/12155434.html