[JS reverse hundred examples] encryption analysis of an easy payment password MD5 + AES

Time: 2022-1-15

Follow the WeChat official account "K Brother Crawler" (K哥爬虫) for more practical content on advanced crawling and JS/Android reverse engineering!

Disclaimer

All content in this article is for learning and communication only. The captured packets, the sensitive website and the data interface have been desensitized. Using them for commercial or illegal purposes is strictly prohibited; the author bears no responsibility for any consequences. If there is any infringement, please contact me and it will be removed immediately!

Reverse target

  • Target: an easy payment password encryption
  • Home page: aHR0cHM6Ly9lcGF5LjE2My5jb20vaDVDYXNoaWVyL2JlZm9yZS12YWxpZGF0aW9u
  • Interface: aHR0cHM6Ly9lcGF5LjE2My5jb20vY2FzaGllci9tL3NlY3VyaXR5L3ZlcmlmeVBheUl0ZW1z
  • Reversed parameter: form data "shortPayPassword":"ZY4iJQkXwvhMwlw2hvpZQ9T%2Fc1S7wRfcfQrpe6bmnlA3hy5PJTJqeYY%2Bj372D70i"

Reverse process

The reversing material in this issue comes from a request for help by a member of K Brother's crawler exchange group:

Packet capture analysis

The link sent by the fan is a purchase link for a game character on the Treasure Pavilion platform, where the purchase is paid through an easy payment. The reversing target is the payment password, which is encrypted during purchase. Note that the browser must be switched to mobile mode. Click pay to reach the password input page, enter any 6-digit password, click OK, and the captured request shows that the payment password has been encrypted, as shown in the figure below:

Parameter reversing

Searching directly for the keyword shortPayPassword finds it in common.e94aeed9.js, as shown in the figure below:

The key statement is Object(n.b)(Object(c.MD5)(this.input).toString(), e). Print each part in the console in turn and observe what it is:

  • this.input: the plaintext password; the .toString() turns the MD5 result into a hex string;
  • e: a string. Where it is generated cannot be found before or after this statement, but searching for the string directly shows that it is the peEnSeed value returned by an interface;
  • Object(c.MD5): the name alone says it is MD5, and the result of passing in the password is indeed its MD5;
  • Object(n.b): a function s, which needs further analysis.


In summary, the MD5 value of the password and the value e are passed together into the function s. Continue to look at the function s, as shown in the figure below:

It is clearly AES encryption: the MD5 value of the password is the data to be encrypted, peEnSeed is the key, and the IV is 0123456789012345. The final encryption result is also URL-encoded. You can directly import the crypto-js package and pass in the corresponding values. The code is as follows:

// crypto-js module reference
var CryptoJS = require('crypto-js')

function getEncryptedPassword(password, peEnSeed) {
    // plaintext: hex MD5 of the password, i.e. Object(c.MD5)(this.input).toString()
    var pwd = CryptoJS.enc.Utf8.parse(CryptoJS.MD5(password).toString());
    // key: the peEnSeed returned by the interface; IV: the fixed string seen in s
    var key = CryptoJS.enc.Utf8.parse(peEnSeed);
    var iv = CryptoJS.enc.Utf8.parse("0123456789012345");
    var encrypted = CryptoJS.AES.encrypt(pwd, key, {
        iv: iv,
        mode: CryptoJS.mode.CBC,
        padding: CryptoJS.pad.Pkcs7
    });

    // base64 ciphertext, then URL-encoded, matching the captured form value
    return pwd ? key ? encodeURIComponent(encrypted.toString()) : pwd : ""
}

// Test sample
var password = "123456"
var peEnSeed = "2F63CCD861E4397F1C2181006904BAB2"
console.log(getEncryptedPassword(password, peEnSeed))

// ZY4iJQkXwvhMwlw2hvpZQ9T%2Fc1S7wRfcfQrpe6bmnlA3hy5PJTJqeYY%2Bj372D70i
