Shulou(Shulou.com)06/02 Report--

This article is to share with you about the process of password encryption analysis of X-pen network in Python. The editor thinks it is very practical, so I share it with you to learn. I hope you can get something after reading this article.

Logical Analysis of Parameter encryption

First grab the package and look at the parameters of this analysis [figure 1-1]

The value of this parameter looks like Base64. Let's search for the parameter name before we jump to conclusions.

Some readers are obsessed with searching password = or password: whether it is a waste of time to search twice, it is not as convenient and quick to search password directly.

Salted fish search in this way out of their own habits, there are many ways to locate the encrypted location, you can try not to be limited to the search parameters, such as: Js Hook,XHR breakpoint, etc., as long as it is comfortable.

After searching for the parameter name password: locate 3 suspected encrypted locations in a file. [figure 1-2]

Figure 1-2

There are two ways to determine the encryption location:

Put a breakpoint on all the search results and refresh it again to see which breakpoint you enter.

Read the context and analyze the general code logic

Let's try the first one, hit the breakpoint and re-initiate the request, and we can see that the success is broken. [figure 1-3]

The this.password here is the test password, and what we need to analyze is what the logic of the this.encrypt looks like.

Figure 1-3

We enter the this.encrypt function and find the familiar RSA encryption flag this.publicKey [figure 1-4]

Figure 1-4

Search the file for publicKey again, and you can see that this variable has been declared in the file [figure 1-5]

Figure 1-5

Continue to look at the logic inside the function and find that what is entered is the file of the encrypted logic. [figure 1-6]

Figure 1-6

After analyzing the whole process, we can find the previous part of passing parameters, which we can skip in the Python call. As long as we pass publicKey and plaintext password to the Js encryption logic in [figure 1-6], we can realize the password encryption logic of this website. Since it is so simple, let's try it.

Code implementation of parameter encryption

Following the above analysis, we directly copied all the code shown in the screenshot [figure 1-6].

Then add some of our own logic to the editor like this [figure 2-1].

Figure 2-1

Note: the first 939 lines are copied Js file code

Try to run it and see if there is an error.

Run the error message, window is undefine [figure 2-2]. In this case, we can try to add the declaration of window to the code.

Figure 2-2var window = {}

Run again to see, here again prompt {} is not a function, [figure 2-3] to the novice friends here a little panic, do not know how to deal with.

Figure 2-3

A more convenient way to deal with it is to add! directly before (function (av)) {. It's as simple as that.

For specific usage, apply Baidu here:

Use parentheses to wrap the definition function body, and the parser will call the definition function as a function expression. In other words, anything that can turn a function into a function expression can make the parser call the definition function correctly. And! Is one of them, and +-| | all have such features.

Continue debugging, this time the prompt becomes navigator is not defined [figure 2-4]

Figure 2-4

With the last experience, we added the declaration navigator to the code.

Var navigator = {}

Run it again and get the encrypted result. [figure 2-5]

Figure 2-5 summary

This encryption is relatively simple RSA encryption, using the public key contained in the file to encrypt the value of the password, and the Js code has not been confused, suitable for beginners to increase the feel.

The above is the process of password encryption analysis of X-pen network in Python, and the editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.