JS逆向实战案例3——某房地产响应DES解密

说明：仅供学习使用，请勿用于非法用途，若有侵权，请联系博主删除

作者：zhu6201976

一、 反爬分析

url：aHR0cHM6Ly93d3cubHpmY2p5cy5jb20vd3Nwc3Avc3diL2ZpbmRfcXlsYkJ5UGFnZQ==

访问url，返回开发商列表信息，需求：获取所有开发商列表数据。

尝试抓包，得到的响应是这样的：

很明显，响应被加密了。加密字符串长度6000多，暂时看不出大概属于哪种加密算法。

从抓包可以看到，这是一个xhr请求，由Ajax发起。深刻理解BS架构数据交互流程：

加载html 加载js --> js初始化 --> 用户操作事件(DOM断点) --> 调用js --> 明文数据 --> 加密函数 -->密文数据 --> xhr send --> 接收数据 --> 解密函数 --> 刷新页面

也就是说，客户端发起请求，服务端返回响应(加密)，但是在浏览器页面上，展示的是明文数据。而响应体，却是加密的。说明在这中间，客户端应该有一个响应解密函数。我们需要将这个解密函数定位出来。

那怎么快速定位呢？

可以从上边BS架构数据交互流程着手，理论上说，我们只要在这条链路上任意节点断下来(解密函数前)，然后往下执行，最终都可以定位到解密函数位置。但是我们现在需要快速定位，需要将断点断在解密函数上或上一个节点。

怎么定位到解密函数上或上一个节点呢？

此处我们用xhr异步断点，具体步骤如下：

打开浏览器开发者选项 --> 点击Sources面板 --> XHR/fetch BreakPoints --> url contains --> 输入xhr url关键词?find_qylbByPage --> 确定 --> 再次刷新页面 --> 浏览器将在xhr.send关键节点断下来，如图所示：

此时断点处在?BS架构数据交互流程?中的 xhr send 节点，我们需要往下执行，直到解密响应函数位置。当然，我们此时也可以逐一分析调用栈，更快地定位解密函数位置：

显然，strDec函数就是响应解密函数！它传入了服务端返回的key和三个参数：firstKey,secondKey,thirdKey。这三个参数的值是写死的。

剩下的就是进一步跟进strDec函数的具体实现。它处在des.js文件中，整个JS文件1000行左右，是DES对称加密的变种。尝试扣取整个JS文件，直接尝试调用。

二、扣取代码，模拟执行

扣取的关键JS代码：

// 补充 des.js 代码

var data = '0AA5DE07B0DC77420D3F581B900D99FA72014D62D43553919882C8475F2BACCE732F788574E8E11563522E9822D68F18E50399E7ED7781919126D3B0F5C87270354E0560E39FD4A1DD95AE96231AAB53A3438BA3F3415E86E90F9CFD714D456D46446DEA5BEDF409D57732B10FE80BF3E0EA3DF207BE4526DEF9D2D08C2331B9D20A4F62061C5766C9C9BCC7643A1EF0A92D677155282F5B54E5A23F59EFA45DD94F52DD118E8B3819E47044F90208E5A7DF782494A7D6C463823C2EEA037AA93F8037A4FDCD1418DB43C8DF622F7B569243D13F1AC950CBD161E229F27A124B176207834FDD7141163133076FEA27D3B751F0E2F5A1197FD113D7E8320676427B434F5C1ECC46B51D46597E44F605B3BE2695F674C4683E57017AC95EE57A9B5CCB37418E404393675618DC24D9D6570781CA7566DF44E71D41B244172696EF0F61923D459660BA8A4BC3AFF71AFB8A4E0DB984676036E2949D50808145A6955C3E7C65814F235E7190DF8604B7DCBBC64D5C461E08908868A92270DD8D0500FB8CC5631F1DB4B48C7B4D3DE6E0B20B2DD0E062C57A5A8236CBEDA96B1134DB09534F4CB48E57D6EB3FED7C7CD589BCE1BF4E019B10FF01A8CD592F5533A872468D0B887BE630AC45408AE922E9211CC4C8261E14AF6DDB09534F4CB48E57D6217AB93D3E8E1ADF7ED1A9E69241D34F9FCB784A1D2BA8DFA8C002B6B2CB25A40781CA7566DF44E71D41B244172696EF9243D13F1AC950CB86693DE0AF50F92151BC90B588EC76B326F3E06AD8BBADAA113E5F74FF75D57276A7110B341533E00AD86BA5004B27378EB4A55453D97160C64D5C461E089088F50CB7C11A40FADF19E47044F90208E5A7DF782494A7D6C49649EF445BD6291B910813AF1D9FB05CDB43C8DF622F7B569243D13F1AC950CB551AE8B7AA48176DF5FEE0062F0E3C88D060F2FA6EDBB7FCC2AD8DA5DCCE2BEF2D95E9076F52AEC69EE0225D7706CADA09534F4CB48E57D6FE29F76B39024D01C1875E218F671F66CE18E5AEF94CEBD1A892B720EA4354A810764D99E0A577CDE5E3B9D18770013257FDD4942BB31711A046B67FB076FAB5E933A0BDDDCC7C062C27C43529E00BCE2762773BA3A26F8069F328596026BB50294A7588404B9E6249D39F69B0A5A4869CEF984C126B43FCF5FEE0062F0E3C886F3D7E9FED6816EBB53553CD81DF5E391CF284D3F21E2AC04A0F244764553109F22B62ED483697C939F875A97CC35D0A89A45481C0751C4E55AE298707EE77F467E1F48CAF3713FDF63D4DC9617585F58947B36BADF2E7FCF0A0DB97240531C6B2491E548EA85C089BC7AAA20CCDDCF2E0EA3DF207BE4526DEF9D2D08C2331B9D20A4F62061C576675A1D631D29CBF05A046B67FB076FAB5E933A0BDDDCC7C062C27C43529E00BCE2762773BA3A26F80DBE7110C4067A6FE3AEF7AC4E20E8CCE8947B36BADF2E7FCF0A0DB97240531C67C5EED79EBD717DC52062178BB0EE941E2BBA3294AF35F57294A7588404B9E62E56B494D5A455B8D25FDF48FEE4F6714FB02B4B5F1F53BBA9454ADC991B465BE2387F8054687C5AA2D95E9076F52AEC69EE0225D7706CADA09534F4CB48E57D6FE29F76B39024D01C1875E218F671F66F43F9BE5F8EFA429A892B720EA4354A810764D99E0A577CDE5E3B9D1877001321AA40BDFBD1C08BEA046B67FB076FAB5E933A0BDDDCC7C062C27C43529E00BCE2762773BA3A26F801BF5A039CA6F0D3B294A7588404B9E6249D39F69B0A5A4869CEF984C126B43FCF5FEE0062F0E3C886F3D7E9FED6816EB8E3DA8B2C284995941B788DBE4BE957E4A0F244764553109F22B62ED483697C9166C6D85A469BF0C3DF4602AC3831A4B1D17A37CD6354A4D2D95E9076F52AEC69EE0225D7706CADA09534F4CB48E57D6FE29F76B39024D01C1875E218F671F66AA99A07368746D97A892B720EA4354A810764D99E0A577CDE5E3B9D1877001322BD77015F163759CA046B67FB076FAB5E933A0BDDDCC7C062C27C43529E00BCE2762773BA3A26F80EED29AE23D634857294A7588404B9E6249D39F69B0A5A4869CEF984C126B43FCD3D31543153B1AA06F3D7E9FED6816EBD7AA64FB8F65A60D41B788DBE4BE957E4A0F24476455310932B563F8F3AC67B9873AFC3EB65CBEAF5A2E62579CECDAB5AF0FBF307F8048E82D95E9076F52AEC69EE0225D7706CADA09534F4CB48E57D6FE29F76B39024D01C1875E218F671F66A421F41C7805752CA892B720EA4354A810764D99E0A577CDE5E3B9D1877001320390C12302A5269DA046B67FB076FAB5E933A0BDDDCC7C062C27C43529E00BCE2762773BA3A26F808E5C4D05D2C09D1D3AEF7AC4E20E8CCE8947B36BADF2E7FCF0A0DB97240531C62545C32912A46CEC52062178BB0EE941E20FB22DC327DEFC294A7588404B9E62E56B494D5A455B8D19667C2AD9B885D9F763CFFAD370BCAD1AF468D4C4725C6A692CA482DD0D8DAF0781CA7566DF44E71D41B244172696EF9243D13F1AC950CB86693DE0AF50F92151BC90B588EC76B353BE2DDE6B5C1A8F113E5F74FF75D57276A7110B341533E00FC3CA52511B7AD297232C2791FE9194C64D5C461E089088F50CB7C11A40FADF19E47044F90208E5A7DF782494A7D6C4D65C39B84C4397AD1B2724D4BEE652DEDB43C8DF622F7B569243D13F1AC950CB551AE8B7AA48176DF5FEE0062F0E3C8824C746A325DA8D9D4613B94DBB44F07FC4C8261E14AF6DDB09534F4CB48E57D6E7F7CEE46C46238DCB62CD7517F4F2B29E529C1355A9892767E1F48CAF3713FDF63D4DC9617585F58947B36BADF2E7FCF0A0DB97240531C6B2491E548EA85C084971C2EE9CD073FFE0EA3DF207BE4526DEF9D2D08C2331B9D20A4F62061C576658D4CBBC7D4645FEDD7F7D2DEAC193C4391ABEEC6F62A09C19E47044F90208E5A7DF782494A7D6C49345A052EA2A7443E239FBC5B8ABF184DB43C8DF622F7B569243D13F1AC950CB551AE8B7AA48176DF5FEE0062F0E3C88810468D098B78CB462B6D00EF339BFA01BF4CCE7064A08067B434F5C1ECC46B51D46597E44F605B37E82443D7A90F0D7A5EF7B06B28445A2FEAEDE6EF990432AE90F9CFD714D456D46446DEA5BEDF4099CEF984C126B43FCB5D20011DDDAA0023C83B6611BF32D432D5DF2B6521EE7C04E0DB984676036E2AD259E7F72F76C96441AFDF9E6F1CACC8ED9769D5B93AAA57996C78F54786C36AF26449410E18E19676C3541BBB499A595303C5A2296E512F2D37360C93AD6BC36CBEDA96B1134DB09534F4CB48E57D6EC3EE4E69D3E80DC82599DF315BA1D0FFDD16AC8EEFBFF8D0D5AFB27181F67987B434F5C1ECC46B51D46597E44F605B374F592D330EDE64A7B8B2F34428678DD2A82DC47459A2BEBFEAEDE6EF990432AE90F9CFD714D456D46446DEA5BEDF4099CEF984C126B43FCB5D20011DDDAA0023C83B6611BF32D4341B788DBE4BE957E4E0DB984676036E2949D50808145A695E03FF7CFC6256296DD7F7D2DEAC193C4150D83DA681EB62268A92270DD8D0500FB8CC5631F1DB4B48C7B4D3DE6E0B20B1D37B6EE0CF397D63AEF7AC4E20E8CCE8947B36BADF2E7FCF0A0DB97240531C62545C32912A46CEC52062178BB0EE941EA9D1E38968BB71DEF4E13AD1AF327CC2E16AFF8A6CB26984A0F244764553109F22B62ED483697C939F875A97CC35D0A53CE691A48D55920E6FD9AC49F9C1B3D67E1F48CAF3713FDF63D4DC9617585F58947B36BADF2E7FCF0A0DB97240531C6B2491E548EA85C0860DEF5CCA234F9BAE0EA3DF207BE4526DEF9D2D08C2331B9D20A4F62061C57660D8AC90FBE261E8BDD7F7D2DEAC193C4391ABEEC6F62A09C19E47044F90208E5A7DF782494A7D6C4A90F15757CCAEFFA294A7588404B9E6249D39F69B0A5A4869CEF984C126B43FCF5FEE0062F0E3C886F3D7E9FED6816EB901FAB2EA842C15841B788DBE4BE957E4A0F244764553109F22B62ED483697C939F875A97CC35D0AA11B565FB9A3656CE25B1B6524EBE46A67E1F48CAF3713FDF63D4DC9617585F58947B36BADF2E7FCF0A0DB97240531C6B2491E548EA85C0870F13C68B99DC9EFE0EA3DF207BE4526DEF9D2D08C2331B9D20A4F62061C57668316955E3B35C416A046B67FB076FAB5E933A0BDDDCC7C062C27C43529E00BCE2762773BA3A26F80CBE13DE4F05F38FC294A7588404B9E6249D39F69B0A5A4869CEF984C126B43FCF5FEE0062F0E3C886F3D7E9FED6816EB7F4BCEA0FDC13E68D80B904A118B818D76ACB621F39B227EC4C8261E14AF6DDB09534F4CB48E57D6217AB93D3E8E1ADFA86C437A6F237B83303B4463F2A377CBFEAEDE6EF990432AE90F9CFD714D456D46446DEA5BEDF4099CEF984C126B43FCB5D20011DDDAA002F5C78E2EB54484DA1CF284D3F21E2AC04E0DB984676036E2AD259E7F72F76C96DC655863ABBD6F4E8ED9769D5B93AAA52E1D90B7799164D3EB909AD95F7F879B2C27C43529E00BCE2762773BA3A26F8079F9949619DB1365294A7588404B9E6249D39F69B0A5A4869CEF984C126B43FCF5FEE0062F0E3C886F3D7E9FED6816EB79E08D62934B6FD5DC322E27A4D855DA76ACB621F39B227EC4C8261E14AF6DDB09534F4CB48E57D6217AB93D3E8E1ADF167B2C7EF054E3A033857073E60456AB593FB1E3F81AF3B0';
var firstKey = 'huin@liuou';
var secondKey = 'liu0133xin';
var thirdKey = '0772';
var ret = strDec(data, firstKey, secondKey, thirdKey);
console.log(ret);

JS执行结果：

三、 完整代码

项目已开源，请访问github获取，期待你的一键三连、star、交流。

github项目地址：GitHub - zhu6201976/lzfcjys20240112: JS逆向实战案例3——某房地产响应DES解密

项目运行完整截图：