Shulou(Shulou.com)06/03 Report--

Webpack js encryption code how to buckle, I believe that many inexperienced people do not know what to do, so this paper summarizes the causes of the problem and solutions, through this article I hope you can solve this problem.

Today's website

AHR0cHM6Ly93d3cuZ205OS5jb20v

This website comes from the technical exchange group of salted fish.

Originally, I was curious about what website could not be matched with Reres to see if there were any new anti-climbing measures.

The result of the analysis is not, but after all the analysis, I wrote an article. The encryption of this website uses webpack, so I easily analyze how to buckle it.

The same sentence: if there is no need to buckle the general algorithm, refer directly to the encryption library and don't find trouble for yourself.

Encrypted location

Know that encryption is the password used for login, so find the login request directly and locate the encryption parameter password clearly.

There are two ways to locate:

1. Retrieve password parameter positioning

2. Direct traceability in network according to the js listed in initator

In the second way, enter the breakpoint first, and then click login again to enter the breakpoint.

Debug a few more times and find the location below.

S = (new Date) .getTime ()

R = g.encode (t.password, s)

P = {... password: r,}

According to the pseudocode above, you can see that the g.encode method is where we are now.

Continue with the breakpoint, and then request, you can see the following logic

It's almost done. The public key of rsa encryption is on the above setPublicKey. Use the general encryption guide package to reproduce the encryption. The whole process ends here.

Encryption analysis

Since I said at the beginning to take a look at the webpack used here, let's take a look at it briefly.

Let's take a look at the characteristics of webpack here.

Copy all the code here into the editor and shrink the parentheses

The whole structure is pseudo code like this.

! function (x) {

Xxxxx

} ([

Function xxx

Function xxxx

Function xxxxx

])

Is it the same as the pseudo code above?

In addition to the structure, the most important thing for webpack is that he also has a method loader. After loading, when analyzing webpack encryption, you will often see calls like xxx (90) and xxx ['xxxx']. When you buckle the code, you feel that the code is all nesting dolls.

His module loader is usually at the top of the code, and some websites split the code into other js files.

Like ours, this website is at the top.

He first defines an empty s, and then makes a judgment in n to see if there is anything in s [t]. If so, he will not enter the following logic.

So this module loader will not go back in after the website is loaded.

So in the logic of our analysis, we will see that a streasr (3) has been loaded.

It won't stop at this position under the breakpoint.

You need to put a breakpoint on and off the module loader now, and then refresh the website, and it will stop.

Click on the echo of I [3] and you can see where the code of streasr (3) is.

How to buckle webpack

1. The original code has a loader. We also get a loader.

2. Define your own module list by imitating the pseudo code above.

Here, the content of the module list is the encryption logic code that the encryption parameters pass through. Dig it out and put it in.

Put it in the red box in the code.

3. Withholding the code will not report an error, and then derive the corresponding method and use it one by one according to the encryption logic.

After reading the above, do you know how to buckle the js encryption code of webpack? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.