Pay attention to wechat public number: K brother reptile, QQ exchange group: 808574309, continue to share crawler advanced, JS/ Android reverse technology and other goods!

The statement

All content in this article is only for learning and communication, packet capture content, sensitive website, data interface have been desensitized processing, strictly prohibited for commercial use and illegal use, otherwise all the consequences are unrelated to the author, if there is infringement, please contact me immediately delete!

Reverse the target

  • Target: KW music search parameter

  • Homepage: aHR0cDovL3d3dy5rdXdvLmNuLw = =

  • Interface: aHR0cDovL3d3dy5rdXdvLmNuL2FwaS93d3cvc2VhcmNoL3NlYXJjaE11c2ljQnlrZXlXb3Jk

  • ReqId: 15C31270-32E8-11EC-A637-0b779CE474E4 reqId: 15C31270-32E8-11EC-A637-0b779CE474e4

The reverse goal of this article is to search the interface parameter reqId. Note that this parameter is not required. The main purpose of this article is to introduce the separated WebPack, that is, how to rewrite webpack when the module loader and the module are not in the same JS file. And how to rewrite WebPack in a non-IIFE (call function expressions immediately, self-executing functions) way. This article is an extension of the previous article:

  • Crawler reverse foundation, understand JavaScript modular programming Webpack
  • Webpack rewrite actual combat, G a game RSA encryption

The reverse process

Caught analysis

Came to the search page, search search songs, casually caught to aHR0cDovL3d3dy5rdXdvLmNuL2FwaS93d3cvc2VhcmNoL3NlYXJjaE11c2ljQnlrZXlXb3Jk of interface classes, GET request, Query String Parameters has a reqId encryption parameter, as shown below:

Parameters of the reverse

A direct global search for reqId has four results in the app.4eedc3a.js file, as shown below:

Var r = c()(); var r = c(); var r = c(); Var n = c()(); Both are obtained by c()(). We try to bury breakpoints at these two positions and search again. It can be found that the breakpoint is successfully broken, and the value of C ()() is the value of reqId, as shown below:

Let’s go ahead and see where c comes from, and we can see the logic:

var l = n(109)
  , c = n.n(l)
var r = c()();
Copy the code

N is a method in Runtime.d5e801D.js, as shown in the following figure:

Function d(n){} is a webpack module loader, and e contains all webpack modules. Function d(n){} is a webpack module loader.

At the end of the file, you can see the “] “symbol. This means that all webpack modules are wrapped in an array, so this 109 means that this function is the 109th function. As shown below:

C = n.n(l), n.n(l), d.n (l), d.n (l), d.n (l), d.n (l)

So to sum up the logic, statement L = n(109), using the module loader, loads the 109th function, returns the value assigned to L, and c = n.n(L) calls the module loader’s n method, returns the value assigned to C, and then executes c()() to get the value of reqId.

Webpack rewrite

In the previous article, Brother K has introduced the rewriting method of Webpack. In this case, Brother K will introduce three methods, which can also be divided into two kinds. One is IIFE (immediate call function expression, self-executing function), but the parameters passed, that is, the module format, is divided into array and dictionary. The second is the non-IIFE approach, which is more conventional and seems a little easier to understand. You can use VSCode and other tools to fold up all the code, so you can see the different structure of the code under different rewriting methods.

From the previous analysis, we know that d.n is used in the module loader, and d.d and d.o are also used in the actual debugging, so they should be deducted together.

In the module part, we already know that module 109 was called, but observing the code of 109, we found that module 202 and 203 were also called, so we need to copy these three modules. When we copy, we first run to the module loader breakpoint, because E stores all modules. So we can call e[109], e[202], e[203] directly in the Console to output, and then click to jump to the original function, and then copy it, as shown in the picture below:

IIFE pass an array

In the previous article, I have introduced the rewriting method of IIFE. Similarly, we first define a global variable, such as var kuwo; Kuwo = d, kuwo = d, kuwo = d, kuwo = d, kuwo = d, kuwo = d Therefore, change the corresponding 109, 202, 203 to 0, 1, 2 when calling the module. The complete code is as follows:

var kuwo;

!function (e){
    var t = {};

    function d(n) {
        if (t[n]) return t[n].exports;
        var r = t[n] = {
            i: n,
            l:!1.exports: {}};return e[n].call(r.exports, r, r.exports, d),
            r.l = !0,
            r.exports
    }

    d.n = function (e) {
        var n = e && e.__esModule ?
            function () {
                return e.default
            } :
            function () {
                return e
            };
        return d.d(n, "a", n),
            n
    },
    d.d = function (e, n, r) {
            d.o(e, n) || Object.defineProperty(e, n, {
                enumerable:!0.get: r
            })
        },
    d.o = function (object, e) {
            return Object.prototype.hasOwnProperty.call(object, e)
        }

    kuwo = d
}([
    function (t, e, n) {
        var r, o, l = n(1),
            c = n(2),
            h = 0,
            d = 0;
        t.exports = function (t, e, n) {
            var i = e && n || 0,
                b = e || [],
                f = (t = t || {}).node || r,
                v = void 0! == t.clockseq ? t.clockseq : o;if (null == f || null == v) {
                var m = l();
                null == f && (f = r = [1 | m[0], m[1], m[2], m[3], m[4], m[5]]),
                null == v && (v = o = 16383 & (m[6] < <8 | m[7))}var y = void 0! == t.msecs ? t.msecs : (new Date).getTime(),
                w = void 0! == t.nsecs ? t.nsecs : d +1,
                dt = y - h + (w - d) / 1e4;
            if (dt < 0 && void 0 === t.clockseq && (v = v + 1 & 16383), (dt < 0 || y > h) && void 0 === t.nsecs && (w = 0), w >= 1e4) throw new Error("uuid.v1(): Can't create more than 10M uuids/sec");
            h = y,
                d = w,
                o = v;
            var x = (1e4 * (268435455 & (y += 122192928e5)) + w) % 4294967296;
            b[i++] = x >>> 24 & 255,
                b[i++] = x >>> 16 & 255,
                b[i++] = x >>> 8 & 255,
                b[i++] = 255 & x;
            var _ = y / 4294967296 * 1e4 & 268435455;
            b[i++] = _ >>> 8 & 255,
                b[i++] = 255 & _,
                b[i++] = _ >>> 24 & 15 | 16,
                b[i++] = _ >>> 16 & 255,
                b[i++] = v >>> 8 | 128,
                b[i++] = 255 & v;
            for (var A = 0; A < 6; ++A) b[i + A] = f[A];
            return e || c(b)
        }
    },
    function (t, e) {
        var n = "undefined"! =typeof crypto && crypto.getRandomValues && crypto.getRandomValues.bind(crypto) || "undefined"! =typeof msCrypto && "function"= =typeof window.msCrypto.getRandomValues && msCrypto.getRandomValues.bind(msCrypto);
        if (n) {
            var r = new Uint8Array(16);
            t.exports = function () {
                return n(r),
                    r
            }
        } else {
            var o = new Array(16);
            t.exports = function () {
                for (var t, i = 0; i < 16; i++) 0= = (3 & i) && (t = 4294967296 * Math.random()),
                    o[i] = t >>> ((3 & i) << 3) & 255;
                return o
            }
        }
    },
    function (t, e) {
        for (var n = [], i = 0; i < 256; ++i) n[i] = (i + 256).toString(16).substr(1);
        t.exports = function (t, e) {
            var i = e || 0,
                r = n;
            return [r[t[i++]], r[t[i++]], r[t[i++]], r[t[i++]], "-", r[t[i++]], r[t[i++]], "-", r[t[i++]], r[t[i++]], "-", r[t[i++]], r[t[i++]], "-", r[t[i++]], r[t[i++]], r[t[i++]], r[t[i++]], r[t[i++]], r[t[i++]]].join("")}}])function getReqId() {
    var l = kuwo(0),
        c = kuwo.n(l),
        r = c()()
    return r
}

// console.log(getReqId())
Copy the code

IIFE the dictionary

For the same IIFE, if we pass the dictionary composed of 109, 202 and 203 modules into IIFE, the keys will be named 109, 202 and 203 in turn, and the values will be the corresponding functions. Then when calling the corresponding functions, we can directly take the key names, such as var c = n(203). Var c = n(“f203”) var c = n(“f203”)

var kuwo;

!function(e) {
	var t = {};

	function d(n) {
		if (t[n]) return t[n].exports;
		var r = t[n] = {
			i: n,
			l:!1.exports: {}};return e[n].call(r.exports, r, r.exports, d),
		r.l = !0,
		r.exports
	}

	d.n = function(e) {
		var n = e && e.__esModule ?
		function() {
			return e.
		default} :function() {
			return e
		};
		return d.d(n, "a", n),
		n
	},
	d.d = function(e, n, r) {
		d.o(e, n) || Object.defineProperty(e, n, {
			enumerable:!0.get: r
		})
	},
	d.o = function(object, e) {
		return Object.prototype.hasOwnProperty.call(object, e)
	}

    kuwo = d
} ({
	109 : function(t, e, n) {
		var r, o, l = n(202),
		c = n(203),
		h = 0,
		d = 0;
		t.exports = function(t, e, n) {
			var i = e && n || 0,
			b = e || [],
			f = (t = t || {}).node || r,
			v = void 0! == t.clockseq ? t.clockseq: o;if (null == f || null == v) {
				var m = l();
				null == f && (f = r = [1 | m[0], m[1], m[2], m[3], m[4], m[5]]),
				null == v && (v = o = 16383 & (m[6] < <8 | m[7))}var y = void 0! == t.msecs ? t.msecs: (new Date).getTime(),
			w = void 0! == t.nsecs ? t.nsecs: d +1,
			dt = y - h + (w - d) / 1e4;
			if (dt < 0 && void 0 === t.clockseq && (v = v + 1 & 16383), (dt < 0 || y > h) && void 0 === t.nsecs && (w = 0), w >= 1e4) throw new Error("uuid.v1(): Can't create more than 10M uuids/sec");
			h = y,
			d = w,
			o = v;
			var x = (1e4 * (268435455 & (y += 122192928e5)) + w) % 4294967296;
			b[i++] = x >>> 24 & 255,
			b[i++] = x >>> 16 & 255,
			b[i++] = x >>> 8 & 255,
			b[i++] = 255 & x;
			var _ = y / 4294967296 * 1e4 & 268435455;
			b[i++] = _ >>> 8 & 255,
			b[i++] = 255 & _,
			b[i++] = _ >>> 24 & 15 | 16,
			b[i++] = _ >>> 16 & 255,
			b[i++] = v >>> 8 | 128,
			b[i++] = 255 & v;
			for (var A = 0; A < 6; ++A) b[i + A] = f[A];
			return e || c(b)
		}
	},
	202 : function(t, e) {
		var n = "undefined"! =typeof crypto && crypto.getRandomValues && crypto.getRandomValues.bind(crypto) || "undefined"! =typeof msCrypto && "function"= =typeof window.msCrypto.getRandomValues && msCrypto.getRandomValues.bind(msCrypto);
		if (n) {
			var r = new Uint8Array(16);
			t.exports = function() {
				return n(r),
				r
			}  
		} else {
			var o = new Array(16);
			t.exports = function() {
				for (var t, i = 0; i < 16; i++) 0= = (3 & i) && (t = 4294967296 * Math.random()),
				o[i] = t >>> ((3 & i) << 3) & 255;
				return o
			}
		}
	},
	203 : function(t, e) {
		for (var n = [], i = 0; i < 256; ++i) n[i] = (i + 256).toString(16).substr(1);
		t.exports = function(t, e) {
			var i = e || 0,
			r = n;
			return [r[t[i++]], r[t[i++]], r[t[i++]], r[t[i++]], "-", r[t[i++]], r[t[i++]], "-", r[t[i++]], r[t[i++]], "-", r[t[i++]], r[t[i++]], "-", r[t[i++]], r[t[i++]], r[t[i++]], r[t[i++]], r[t[i++]], r[t[i++]]].join("")}}})function getReqId() {
	var l = kuwo(109),
	c = kuwo.n(l),
	r = c()()
    return r
}

// console.log(getReqId())
Copy the code

Non-iife regular rewriting

Through the analysis of the front, we already know webpack module loader, e contains all modules, then define a global variable module loader to export, and, in turn, calls the inside of the e module, actually also can not use the IIFE way, just like our regular function call, the first use of the three modules, Function d(n){} function d(n){} function d(n){} function d(n){} function d(n){} function d(n){} function d(n){} The complete code is as follows:

var f109 = function(t, e, n) {
	var r, o, l = n(1),
	c = n(2),
	h = 0,
	d = 0;
	t.exports = function(t, e, n) {
		var i = e && n || 0,
		b = e || [],
		f = (t = t || {}).node || r,
		v = void 0! == t.clockseq ? t.clockseq: o;if (null == f || null == v) {
			var m = l();
			null == f && (f = r = [1 | m[0], m[1], m[2], m[3], m[4], m[5]]),
			null == v && (v = o = 16383 & (m[6] < <8 | m[7))}var y = void 0! == t.msecs ? t.msecs: (new Date).getTime(),
		w = void 0! == t.nsecs ? t.nsecs: d +1,
		dt = y - h + (w - d) / 1e4;
		if (dt < 0 && void 0 === t.clockseq && (v = v + 1 & 16383), (dt < 0 || y > h) && void 0 === t.nsecs && (w = 0), w >= 1e4) throw new Error("uuid.v1(): Can't create more than 10M uuids/sec");
		h = y,
		d = w,
		o = v;
		var x = (1e4 * (268435455 & (y += 122192928e5)) + w) % 4294967296;
		b[i++] = x >>> 24 & 255,
		b[i++] = x >>> 16 & 255,
		b[i++] = x >>> 8 & 255,
		b[i++] = 255 & x;
		var _ = y / 4294967296 * 1e4 & 268435455;
		b[i++] = _ >>> 8 & 255,
		b[i++] = 255 & _,
		b[i++] = _ >>> 24 & 15 | 16,
		b[i++] = _ >>> 16 & 255,
		b[i++] = v >>> 8 | 128,
		b[i++] = 255 & v;
		for (var A = 0; A < 6; ++A) b[i + A] = f[A];
		return e || c(b)
	}
};
var f202 = function(t, e) {
	var n = "undefined"! =typeof crypto && crypto.getRandomValues && crypto.getRandomValues.bind(crypto) || "undefined"! =typeof msCrypto && "function"= =typeof window.msCrypto.getRandomValues && msCrypto.getRandomValues.bind(msCrypto);
	if (n) {
		var r = new Uint8Array(16);
		t.exports = function() {
			return n(r),
			r
		}
	} else {
		var o = new Array(16);
		t.exports = function() {
			for (var t, i = 0; i < 16; i++) 0= = (3 & i) && (t = 4294967296 * Math.random()),
			o[i] = t >>> ((3 & i) << 3) & 255;
			return o
		}
	}
};
var f203 = function(t, e) {
	for (var n = [], i = 0; i < 256; ++i) n[i] = (i + 256).toString(16).substr(1);
	t.exports = function(t, e) {
		var i = e || 0,
		r = n;
		return [r[t[i++]], r[t[i++]], r[t[i++]], r[t[i++]], "-", r[t[i++]], r[t[i++]], "-", r[t[i++]], r[t[i++]], "-", r[t[i++]], r[t[i++]], "-", r[t[i++]], r[t[i++]], r[t[i++]], r[t[i++]], r[t[i++]], r[t[i++]]].join("")}};var e = [f109, f202, f203];

function d(n) {
	var t = {};
	if (t[n]) return t[n].exports;
	var r = t[n] = {
		i: n,
		l:!1.exports: {}};return e[n].call(r.exports, r, r.exports, d),
	r.l = !0,
	r.exports
}

d.n = function(e) {
	var n = e && e.__esModule ?
	function() {
		return e.
	default} :function() {
		return e
	};
	return d.d(n, "a", n),
	n
},
d.d = function(e, n, r) {
	d.o(e, n) || Object.defineProperty(e, n, {
		enumerable:!0.get: r
	})
},
d.o = function(object, e) {
	return Object.prototype.hasOwnProperty.call(object, e)
};

function getReqId() {
	var l = d(0),
		c = d.n(l),
		r = c()()
    return r
}

// console.log(getReqId())
Copy the code