
While preparing to crawl a web page today, I ran into an anti-crawling measure: "JS reverse AES encryption". It looks like this:

The request that fetches the data needs two parameters, params and encSecKey, and both are produced by AES encryption in the page's JavaScript.

Since we have run into this situation, Brother Chen will show you how to deal with this kind of anti-crawling measure (JS reverse AES encryption).

01 Web Page Analysis

Before we start analyzing the JS reverse AES encryption, a brief introduction to what we are crawling: downloading music from a certain cloud music site. Obtaining the real playback address (an m4a file) of a song involves the JS reverse AES encryption.

Click Play and view the captured packets in the browser, as shown below:

View the response data:

You can see that the url field stores the real playback address. Open it in the browser:

The song plays normally, which shows that the real playback address of the song is correct.

The only thing that changes is data, which contains two parameters (params and encSecKey). In my experience, these parameters are probably encrypted by JS and must be related to the address of the song (the browser page address, not the real playback address).

02 JS Reverse Engineering Process

Now that we know these two parameters are encrypted by JS, we can search directly for the JS file in which they appear.

The search turns up 5 JS files. Checking which of them contains both parameters, it happens to be the first one.

You can see that params corresponds to encText and encSecKey corresponds to encSecKey. encText and encSecKey come from bUE3x, and bUE3x comes from window.asrsea.

var bUE3x = window.asrsea(JSON.stringify(i3x), bsf6Z(["tears", "strong"]), bsf6Z(WS0x.md), bsf6Z(["love", "girl", "panic", "laugh"]));

Continue by searching for window.asrsea.

You can see that window.asrsea is the function d, and d returns h. Set a breakpoint in d here.

Refresh the page and play the song again.

As you can see, function d takes four parameters. After analyzing several songs, parameters e, f, and g turn out to stay the same. The only thing that changes is the id in parameter d.

This id happens to be the ID of the song.

Music.163.com/#/song?id=4…

Function d receives four arguments, creates a dictionary h (to hold variables), and then calls function a, so we set a breakpoint in function a next.

Refresh the page.

Function a generates a random string of length 16. Below are the final values inside function a after it has run, where c is the return value, so we can treat c as a fixed value (it is randomly generated anyway).

a: 16
b: "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
c: "z2Ggtvz5ZIsiKO5F"

Now that we've dealt with function a, let's move on to function d.

function d(d, e, f, g) {
        var h = {}
          , i = a(16);
        return h.encText = b(d, g),
        h.encText = b(h.encText, i),
        h.encSecKey = c(i, e, f),
        h
}

AES encryption is then performed twice (function b is executed twice):

function b(a, b) {
        var c = CryptoJS.enc.Utf8.parse(b)
          , d = CryptoJS.enc.Utf8.parse("0102030405060708")
          , e = CryptoJS.enc.Utf8.parse(a)
          , f = CryptoJS.AES.encrypt(e, c, {
            iv: d,
            mode: CryptoJS.mode.CBC
        });
        return f.toString()
}

Function b takes parameters a and b. On the first call these are parameters d and g of function d: parameter g is fixed, and parameter d is the one we just analyzed. On the second call they are the result of the first call and the random string i.

Of the two encrypted parameters identified at the start (params and encSecKey), the encryption process for params is now clear (encText is params).

So let's continue with function d.
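The params layering described above, restated with Node's built-in crypto module as an added example (not code from the original page or from the site): it wraps a payload the way functions d and b do and then unwraps it, showing that anyone who holds g and i can reverse the transform. The value of G, the payload and the helper names (randomKey, aesEncrypt, aesDecrypt, wrapParams, unwrapParams) are assumptions made for illustration.

```javascript
// Added example: the encText half of function d, plus the inverse a receiver would run.
const crypto = require("crypto");

const IV = Buffer.from("0102030405060708", "utf8"); // fixed IV from function b
const ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

// Stand-in for function a: n random characters drawn from ALPHABET.
function randomKey(n) {
  let out = "";
  for (let k = 0; k < n; k++) out += ALPHABET[crypto.randomInt(ALPHABET.length)];
  return out;
}

// Function b: AES-128-CBC, 16-character UTF-8 key, PKCS#7 padding, Base64 output.
function aesEncrypt(text, key) {
  const c = crypto.createCipheriv("aes-128-cbc", Buffer.from(key, "utf8"), IV);
  return Buffer.concat([c.update(text, "utf8"), c.final()]).toString("base64");
}

// Inverse of function b (hypothetical helper, not shown on the page).
function aesDecrypt(b64, key) {
  const d = crypto.createDecipheriv("aes-128-cbc", Buffer.from(key, "utf8"), IV);
  return Buffer.concat([d.update(b64, "base64"), d.final()]).toString("utf8");
}

// encText as built in function d: inner layer under fixed g, outer layer under i.
function wrapParams(payload, g, i) {
  return aesEncrypt(aesEncrypt(payload, g), i);
}

// Receiver side: peel the outer layer with i, then the inner layer with g.
function unwrapParams(encText, g, i) {
  return aesDecrypt(aesDecrypt(encText, i), g);
}

// Constructed sample values: G is a placeholder, not the site's constant.
const G = "0123456789abcdef";
const I = "z2Ggtvz5ZIsiKO5F"; // the value of c observed on the page
const PAYLOAD = JSON.stringify({ id: "12345" }); // constructed payload

const sample = wrapParams(PAYLOAD, G, I);
console.log("encText:", sample);
console.log("round trip:", unwrapParams(sample, G, I));
console.log("fresh i changes encText:", wrapParams(PAYLOAD, G, randomKey(16)) !== sample);
```

With g and the IV fixed, the inner layer is identical for identical payloads; only the per-request i makes encText vary between requests.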

h.encSecKey = c(i, e, f),

encSecKey is obtained from function c, which looks like this:

function c(a, b, c) {
        var d, e;
        return setMaxDigits(131), //131 => n hex digits / 2 + 3
        d = new RSAKeyPair(b,"",c),
        e = encryptedString(d, a)
}

Function c generates the encSecKey value through RSA encryption.

OK, that completes the analysis of the JS reverse encryption process.

03 Summary

In this article, Brother Chen mainly explained how to handle the "JS reverse AES encryption" anti-crawling measure, using obtaining a song's real playback address from a certain cloud music site as a hands-on example.