python實現愛奇藝登陸的密碼RSA加密
阿新 • • 發佈:2019-01-03
分析愛奇藝登陸post引數中的password
email:12345678911 passwd:028d4c1305a6a9baaed3947bade99d4205337fdcabef59b6f7b073f11a220339768b359fd8c8999b934fbf008ee75b9435f23741d3e9251cab8358de6cfde4ac agenttype:1 __NEW:1 checkExist:1 piccode: lang: ptid:01010021010000000000 verifyPhone:1 area_code:86 dfp:a02851d93263354fe2b7f9a1527421045236d10ea384ea0fd798f87000c2f3afac envinfo:eyJqbiI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS82My4wLjMyMzkuMjYgU2FmYXJpLzUzNy4zNiBDb3JlLzEuNjMuNjc4OC40MDAgUVFCcm93c2VyLzEwLjMuMjg2NC40MDAiLCJjbSI6InpoLUNOIiwiZ3UiOjI0LCJ1ZiI6MSwianIiOlsxMzY2LDc2OF0sImRpIjpbMTM2Niw3MjhdLCJ6cCI6LTQ4MCwidWgiOjEsInNoIjoxLCJoZSI6MSwiem8iOjEsInJ2IjoidW5rbm93biIsIm54IjoiV2luMzIiLCJpdyI6InVua25vd24iLCJxbSI6WyJDaHJvbWl1bSBQREYgUGx1Z2luOjpQb3J0YWJsZSBEb2N1bWVudCBGb3JtYXQ6OmFwcGxpY2F0aW9uL3gtZ29vZ2xlLWNocm9tZS1wZGZ+cGRmIiwiQ2hyb21pdW0gUERGIFZpZXdlcjo6OjphcHBsaWNhdGlvbi9wZGZ+cGRmIiwiTmF0aXZlIENsaWVudDo6OjphcHBsaWNhdGlvbi94LW5hY2x+LGFwcGxpY2F0aW9uL3gtcG5hY2x+IiwiU2hvY2t3YXZlIEZsYXNoOjpTaG9ja3dhdmUgRmxhc2ggMjcuOSByOTo6YXBwbGljYXRpb24veC1zaG9ja3dhdmUtZmxhc2h+c3dmLGFwcGxpY2F0aW9uL2Z1dHVyZXNwbGFzaH5zcGwiLCJXaWRldmluZSBDb250ZW50IERlY3J5cHRpb24gTW9kdWxlOjpFbmFibGVzIFdpZGV2aW5lIGxpY2Vuc2VzIGZvciBwbGF5YmFjayBvZiBIVE1MIGF1ZGlvL3ZpZGVvIGNvbnRlbnQuICh2ZXJzaW9uOiAxLjQuOC4xMDI5KTo6YXBwbGljYXRpb24veC1wcGFwaS13aWRldmluZS1jZG1+Il0sIndyIjoiYzNjOWM3MTdjNzkwODJhZGJlM2YxNDQwNjU3NjVkZWEiLCJ3ZyI6ImI1ZDZkMzY1MmQwZTNkYmI3MDc4YTMzY2JiOWYzZDY0IiwiZmsiOmZhbHNlLCJyZyI6ZmFsc2UsInh5IjpmYWxzZSwiam0iOmZhbHNlLCJiYSI6ZmFsc2UsInRtIjpbMCxmYWxzZSxmYWxzZV0sImF1Ijp0cnVlLCJtaSI6IjZjMmY3ZTNhLTQzMTUtZDkzYi1jZjYxLWIxYWI1MThiOTFmMyIsImNsIjoiUENXRUIiLCJzdiI6IjEuMCIsImpnIjoiYzhjNTQ0Nzk0MTNmZDAyY2NmMzM0MDk3YjVmNWVlODYiLCJmaCI6ImV1anRmbjlqd3BucTltejJ3OWpqcTFvdiIsImlmbSI6W3RydWUsNDYwLDQyMCwiaHR0cHM6Ly93d3cuaXFpeWkuY29tLyJdLCJleCI6IiIsImR2Ijoib24iLCJwdiI6ZmFsc2V9
全域性查詢password綜合分析得到下面傳送請求的js
methods: { send: function(e, t) { var i = this; e = e || {}, e.passwd && (e.passwd = r.rsaFun(e.passwd)), s.getEnvAndDfp(function(a) { "A00000" == a.code ? (e.dfp = a.data.dfp, e.envinfo = a.data.env) : (e.dfp = "", e.envinfo = ""), i._remoteInterface.send({ ifname: "login", param: e, domain: o }, function(e) { t && t(e) }) }) },
可以知道e.passwd = r.rsaFun(e.passwd)
密碼是RSA非對稱加密方式,繼續查詢r.rsaFun得到下面函式:
rsaFun: function(e) { var t = "ab86b6371b5318aaa1d3c9e612a9f1264f372323c8c0f19875b5fc3b3fd3afcc1e5bec527aa94bfa85bffc157e4245aebda05389a5357b75115ac94f074aefcd" , n = "10001" , a = Q.crypto.rsa.RSAUtils.getKeyPair(n, "", t) , i = Q.crypto.rsa.RSAUtils.encryptedString(a, encodeURIComponent(e)).replace(/s/g, "-"); return i }
可以得到公鑰和偏移量,再繼續查詢getKeyPair,可得到加密函式
var c = function(a, b) { function c(a) { var b = f , c = b.biDivideByRadixPower(a, this.k - 1) , d = b.biMultiply(c, this.mu) , e = b.biDivideByRadixPower(d, this.k + 1) , g = b.biModuloByRadixPower(a, this.k + 1) , h = b.biMultiply(e, this.modulus) , i = b.biModuloByRadixPower(h, this.k + 1) , j = b.biSubtract(g, i); j.isNeg && (j = b.biAdd(j, this.bkplus1)); for (var k = b.biCompare(j, this.modulus) >= 0; k; ) j = b.biSubtract(j, this.modulus), k = b.biCompare(j, this.modulus) >= 0; return j } function d(a, b) { var c = f.biMultiply(a, b); return this.modulo(c) } function e(a, b) { var c = new t; c.digits[0] = 1; for (var d = a, e = b; ; ) { if (0 != (1 & e.digits[0]) && (c = this.multiplyMod(c, d)), e = f.biShiftRight(e, 1), 0 == e.digits[0] && 0 == f.biHighIndex(e)) break; d = this.multiplyMod(d, d) } return c } var f, g = {}; "undefined" == typeof g.RSAUtils && (f = g.RSAUtils = {}); var h, k, l, m, n = 16, o = n, p = 65536, q = p >>> 1, r = p * p, s = p - 1, t = g.BigInt = function(a) { this.digits = "boolean" == typeof a && a === !0 ? null : k.slice(0), this.isNeg = !1 } ; f.setMaxDigits = function(a) { h = a, k = new Array(h); for (var b = 0; b < k.length; b++) k[b] = 0; l = new t, m = new t, m.digits[0] = 1 } , f.setMaxDigits(20); var u = 15; f.biFromNumber = function(a) { var b = new t; b.isNeg = 0 > a, a = Math.abs(a); for (var c = 0; a > 0; ) b.digits[c++] = a & s, a = Math.floor(a / p); return b } ; var v = f.biFromNumber(1e15); f.biFromDecimal = function(a) { for (var b, c = "-" == a.charAt(0), d = c ? 1 : 0; d < a.length && "0" == a.charAt(d); ) ++d; 字數超限,有刪除 f.encryptedString = function(a, b) { for (var c = [], d = b.length, e = 0; d > e; ) c[e] = b.charCodeAt(e), e++; for (; 0 != c.length % a.chunkSize; ) c[e++] = 0; var g, h, i, j = c.length, k = ""; for (e = 0; j > e; e += a.chunkSize) { for (i = new t, g = 0, h = e; h < e + a.chunkSize; ++g) i.digits[g] = c[h++], i.digits[g] += c[h++] << 8; var l = a.barrett.powMod(i, a.e) , m = 16 == a.radix ? f.biToHex(l) : f.biToString(l, a.radix); k += m + " " } return k.substring(0, k.length - 1) } , f.decryptedString = function(a, b) { var c, d, e, g = b.split(" "), h = ""; for (c = 0; c < g.length; ++c) { var i; for (i = 16 == a.radix ? f.biFromHex(g[c]) : f.biFromString(g[c], a.radix), e = a.barrett.powMod(i, a.d), d = 0; d <= f.biHighIndex(e); ++d) h += String.fromCharCode(255 & e.digits[d], e.digits[d] >> 8) } return 0 == h.charCodeAt(h.length - 1) && (h = h.substring(0, h.length - 1)), h } , f.setMaxDigits(130), b[a] = g }(a, b);
對其進行除錯改寫
var b = {}; var a = {}; function c(a) { var b = f, c = b.biDivideByRadixPower(a, this.k - 1), d = b.biMultiply(c, this.mu), e = b.biDivideByRadixPower(d, this.k + 1), g = b.biModuloByRadixPower(a, this.k + 1), h = b.biMultiply(e, this.modulus), i = b.biModuloByRadixPower(h, this.k + 1), j = b.biSubtract(g, i); j.isNeg && (j = b.biAdd(j, this.bkplus1)); for (var k = b.biCompare(j, this.modulus) >= 0; k;) j = b.biSubtract(j, this.modulus), k = b.biCompare(j, this.modulus) >= 0; return j } function d(a, b) { var c = f.biMultiply(a, b); return this.modulo(c) } function e(a, b) { var c = new t; c.digits[0] = 1; for (var d = a, e = b;;) { if (0 != (1 & e.digits[0]) && (c = this.multiplyMod(c, d)), e = f.biShiftRight(e, 1), 0 == e.digits[0] && 0 == f.biHighIndex(e)) break; d = this.multiplyMod(d, d) } return c } f.biDivide = function(a, b) { return f.biDivideModulo(a, b)[0] }, f.biModulo = function(a, b) { return f.biDivideModulo(a, b)[1] }, f.biMultiplyMod = function(a, b, c) { return f.biModulo(f.biMultiply(a, b), c) }, f.biPow = function(a, b) { for (var c = m, d = a;;) { if (0 != (1 & b) && (c = f.biMultiply(c, d)), b >>= 1, 0 == b) break; d = f.biMultiply(d, d) } return c }, f.biPowMod = function(a, b, c) { for (var d = m, e = a, g = b;;) { if (0 != (1 & g.digits[0]) && (d = f.biMultiplyMod(d, e, c)), g = f.biShiftRight(g, 1), 0 == g.digits[0] && 0 == f.biHighIndex(g)) break; e = f.biMultiplyMod(e, e, c) } return d }, g.BarrettMu = function(a) { this.modulus = f.biCopy(a), this.k = f.biHighIndex(this.modulus) + 1; var b = new t; b.digits[2 * this.k] = 1, this.mu = f.biDivide(b, this.modulus), this.bkplus1 = new t, this.bkplus1.digits[this.k + 1] = 1, this.modulo = c, this.multiplyMod = d, this.powMod = e }; var A = function(a, b, c) { var d = f; this.e = d.biFromHex(a), this.d = d.biFromHex(b), this.m = d.biFromHex(c), this.chunkSize = 2 * d.biHighIndex(this.m), this.radix = 16, this.barrett = new g.BarrettMu(this.m) }; f.getKeyPair = function(a, b, c) { return new A(a, b, c) }, "undefined" == typeof g.twoDigit && (g.twoDigit = function(a) { return (10 > a ? "0" : "") + String(a) }), f.encryptedString = function(a, b) { for (var c = [], d = b.length, e = 0; d > e;) c[e] = b.charCodeAt(e), e++; for (; 0 != c.length % a.chunkSize;) c[e++] = 0; var g, h, i, j = c.length, k = ""; for (e = 0; j > e; e += a.chunkSize) { for (i = new t, g = 0, h = e; h < e + a.chunkSize; ++g) i.digits[g] = c[h++], i.digits[g] += c[h++] << 8; var l = a.barrett.powMod(i, a.e), m = 16 == a.radix ? f.biToHex(l) : f.biToString(l, a.radix); k += m + " " } return k.substring(0, k.length - 1) }, f.decryptedString = function(a, b) { var c, d, e, g = b.split(" "), h = ""; for (c = 0; c < g.length; ++c) { var i; for (i = 16 == a.radix ? f.biFromHex(g[c]) : f.biFromString(g[c], a.radix), e = a.barrett.powMod(i, a.d), d = 0; d <= f.biHighIndex(e); ++d) h += String.fromCharCode(255 & e.digits[d], e.digits[d] >> 8) } return 0 == h.charCodeAt(h.length - 1) && (h = h.substring(0, h.length - 1)), h }, f.setMaxDigits(130), b[a] = g function getpwd(e) { var t = "ab86b6371b5318aaa1d3c9e612a9f1264f372323c8c0f19875b5fc3b3fd3afcc1e5bec527aa94bfa85bffc157e4245aebda05389a5357b75115ac94f074aefcd", n = "10001", a = f.getKeyPair(n, "", t), i = f.encryptedString(a, encodeURIComponent(e)).replace(/s/g, "-"); return i };
簡化了呼叫方式,測試一下getpwd(666666)
返回結果和傳遞的值一致