猿人学 — 第一届第1题（解题思路附源码）

• F12进入开发者工具—> 发现停止在debugger处 —> 右键点击Never pause here后下一步
  

• 翻页，抓包后发现请求携带page和m两个参数，page应该就是页数，m则需要逆向
  

• 依次查找文件，寻找m在哪里被赋值，随后在VM14235：6中发现混淆代码比较可疑

  • 进入文件，给request函数中的赋值语句给上断点，重新请求

  • 发现'\x6d'='m'，而_0x5d83a3['\x6d']的值则与Payload中m的值神似

  • 继续调试，让请求过去，验证，发现Payload中m确实与此处的值对应

    

• 手动翻译一下代码

  var _0x2268f9 = Date['parse'](new Date()) + 100000000
  var _0x57feae = ooΘ0Θ(_0x2268f9['toString'()])+window['f'];
  const _0x5d83a3 = {};
  _0x5d83a3['page'] = window['page']
  _0x5d83a3['m'] = _0x57feaa + '丨'+ _0x2268f9 / 1000;
  

• 逆向m，则必须知道_0x57feaa和_0x2268f9，而_0x2268f9很明显是一个时间戳，因此主要解决_0x57feaa

  • 多次请求后发现ooΘ0Θ(_0x2268f9['toString'()])返回一个空字符串，因此主要关注window['f']

  • 通过Console面板定义Hook，定位window['f']在哪里被赋值

    Object.defineProperty(window, 'f', {set: function(val) {console.log('f的值:', val);debuggerreturn val;}}
    )
    

    

  • 再次请求，停止后，向上寻找调用栈，发现是一个hex_md5函数的返回值，而这个函数的形参则是之前的_0x2268f9，即时间戳，不过注意类型是字符串（我开始没有注意，导致得到的m一直是一个错误的固定值）

    

• 最后就是去扣hex_md5函数及其运行依赖放到node中执行（当然也可以将整个js文件copy下来），源码如下

  window = global
  var hexcase = 0;
  var chrsz = 16;
  function hex_md5(a) {return binl2hex(core_md5(str2binl(a), a.length * chrsz))
  }
  function core_md5(p, k) {p[k >> 5] |= 128 << ((k) % 32);p[(((k + 64) >>> 9) << 4) + 14] = k;var o = 1732584193;var n = -271733879;var m = -1732584194;var l = 271733878;for (var g = 0; g < p.length; g += 16) {var j = o;var h = n;var f = m;var e = l;o = md5_ff(o, n, m, l, p[g + 0], 7, -680976936);l = md5_ff(l, o, n, m, p[g + 1], 12, -389564586);m = md5_ff(m, l, o, n, p[g + 2], 17, 606105819);n = md5_ff(n, m, l, o, p[g + 3], 22, -1044525330);o = md5_ff(o, n, m, l, p[g + 4], 7, -176418897);l = md5_ff(l, o, n, m, p[g + 5], 12, 1200080426);m = md5_ff(m, l, o, n, p[g + 6], 17, -1473231341);n = md5_ff(n, m, l, o, p[g + 7], 22, -45705983);o = md5_ff(o, n, m, l, p[g + 8], 7, 1770035416);l = md5_ff(l, o, n, m, p[g + 9], 12, -1958414417);m = md5_ff(m, l, o, n, p[g + 10], 17, -42063);n = md5_ff(n, m, l, o, p[g + 11], 22, -1990404162);o = md5_ff(o, n, m, l, p[g + 12], 7, 1804660682);l = md5_ff(l, o, n, m, p[g + 13], 12, -40341101);m = md5_ff(m, l, o, n, p[g + 14], 17, -1502002290);n = md5_ff(n, m, l, o, p[g + 15], 22, 1236535329);o = md5_gg(o, n, m, l, p[g + 1], 5, -165796510);l = md5_gg(l, o, n, m, p[g + 6], 9, -1069501632);m = md5_gg(m, l, o, n, p[g + 11], 14, 643717713);n = md5_gg(n, m, l, o, p[g + 0], 20, -373897302);o = md5_gg(o, n, m, l, p[g + 5], 5, -701558691);l = md5_gg(l, o, n, m, p[g + 10], 9, 38016083);m = md5_gg(m, l, o, n, p[g + 15], 14, -660478335);n = md5_gg(n, m, l, o, p[g + 4], 20, -405537848);o = md5_gg(o, n, m, l, p[g + 9], 5, 568446438);l = md5_gg(l, o, n, m, p[g + 14], 9, -1019803690);m = md5_gg(m, l, o, n, p[g + 3], 14, -187363961);n = md5_gg(n, m, l, o, p[g + 8], 20, 1163531501);o = md5_gg(o, n, m, l, p[g + 13], 5, -1444681467);l = md5_gg(l, o, n, m, p[g + 2], 9, -51403784);m = md5_gg(m, l, o, n, p[g + 7], 14, 1735328473);n = md5_gg(n, m, l, o, p[g + 12], 20, -1921207734);o = md5_hh(o, n, m, l, p[g + 5], 4, -378558);l = md5_hh(l, o, n, m, p[g + 8], 11, -2022574463);m = md5_hh(m, l, o, n, p[g + 11], 16, 1839030562);n = md5_hh(n, m, l, o, p[g + 14], 23, -35309556);o = md5_hh(o, n, m, l, p[g + 1], 4, -1530992060);l = md5_hh(l, o, n, m, p[g + 4], 11, 1272893353);m = md5_hh(m, l, o, n, p[g + 7], 16, -155497632);n = md5_hh(n, m, l, o, p[g + 10], 23, -1094730640);o = md5_hh(o, n, m, l, p[g + 13], 4, 681279174);l = md5_hh(l, o, n, m, p[g + 0], 11, -358537222);m = md5_hh(m, l, o, n, p[g + 3], 16, -722881979);n = md5_hh(n, m, l, o, p[g + 6], 23, 76029189);o = md5_hh(o, n, m, l, p[g + 9], 4, -640364487);l = md5_hh(l, o, n, m, p[g + 12], 11, -421815835);m = md5_hh(m, l, o, n, p[g + 15], 16, 530742520);n = md5_hh(n, m, l, o, p[g + 2], 23, -995338651);o = md5_ii(o, n, m, l, p[g + 0], 6, -198630844);l = md5_ii(l, o, n, m, p[g + 7], 10, 11261161415);m = md5_ii(m, l, o, n, p[g + 14], 15, -1416354905);n = md5_ii(n, m, l, o, p[g + 5], 21, -57434055);o = md5_ii(o, n, m, l, p[g + 12], 6, 1700485571);l = md5_ii(l, o, n, m, p[g + 3], 10, -1894446606);m = md5_ii(m, l, o, n, p[g + 10], 15, -1051523);n = md5_ii(n, m, l, o, p[g + 1], 21, -2054922799);o = md5_ii(o, n, m, l, p[g + 8], 6, 1873313359);l = md5_ii(l, o, n, m, p[g + 15], 10, -30611744);m = md5_ii(m, l, o, n, p[g + 6], 15, -1560198380);n = md5_ii(n, m, l, o, p[g + 13], 21, 1309151649);o = md5_ii(o, n, m, l, p[g + 4], 6, -145523070);l = md5_ii(l, o, n, m, p[g + 11], 10, -1120210379);m = md5_ii(m, l, o, n, p[g + 2], 15, 718787259);n = md5_ii(n, m, l, o, p[g + 9], 21, -343485551);o = safe_add(o, j);n = safe_add(n, h);m = safe_add(m, f);l = safe_add(l, e)}return Array(o, n, m, l)
  }
  function md5_cmn(h, e, d, c, g, f) {return safe_add(bit_rol(safe_add(safe_add(e, h), safe_add(c, f)), g), d)
  }
  function md5_ff(g, f, k, j, e, i, h) {return md5_cmn((f & k) | ((~f) & j), g, f, e, i, h)
  }
  function md5_gg(g, f, k, j, e, i, h) {return md5_cmn((f & j) | (k & (~j)), g, f, e, i, h)
  }
  function md5_hh(g, f, k, j, e, i, h) {return md5_cmn(f ^ k ^ j, g, f, e, i, h)
  }
  function md5_ii(g, f, k, j, e, i, h) {return md5_cmn(k ^ (f | (~j)), g, f, e, i, h)
  }
  function safe_add(a, d) {var c = (a & 65535) + (d & 65535);var b = (a >> 16) + (d >> 16) + (c >> 16);return (b << 16) | (c & 65535)
  }
  function bit_rol(a, b) {return (a << b) | (a >>> (32 - b))
  }
  function str2binl(d) {var c = Array();var a = (1 << chrsz) - 1;for (var b = 0; b < d.length * chrsz; b += chrsz) {c[b >> 5] |= (d.charCodeAt(b / chrsz) & a) << (b % 32)}return c
  }
  function binl2hex(c) {var b = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";var d = "";for (var a = 0; a < c.length * 4; a++) {d += b.charAt((c[a >> 2] >> ((a % 4) * 8 + 4)) & 15) + b.charAt((c[a >> 2] >> ((a % 4) * 8)) & 15)}return d
  }
  function playload_m(){var _0x2268f9 = Date['parse'](new Date()) + (100000000)return hex_md5(_0x2268f9.toString()) + '丨' + _0x2268f9 / (1000);
  }
  

  import requests
  import execjs# 请求获取页面数据
  def get_data(page, m):res = requests.get(url='https://match.yuanrenxue.cn/api/match/1',params={'page': page,'m': m})return res# 执行js代码获得参数m
  def get_m():with open('v1.js', 'rt', encoding='utf-8') as f:js_string = f.read()js_code = execjs.compile(js_string)param_m = js_code.call('playload_m')return param_m# 处理请求返回的数据，计算机票平均价格
  def get_average(page):count = 0value = 0param_m = get_m()for pid in range(1, page + 1):url_res = get_data(pid,param_m)if url_res.status_code == 200:page_data = get_data(pid,param_m).json()['data']for item in page_data:value += int(item['value'])count += len(page_data)else:print(f"{pid}页数据请求失败:{url_res.json()}")print(f"前{page}页机票平均价格:{value / count}")if __name__ == '__main__':get_average(5)
  

• 运行结果

  

• 笔者为刚接触逆向的小白，若上面有错误、不合理和值得优化的地方，欢迎各位大佬批评指正！