别问我,问我就是小菜鸡记录下学习成果,哈哈哈哈
第五题其实跟第四题的逻辑差不多,只不过加了点简单混淆的代码
题目:
请求参数经过特殊处理,适合JavaScript逆向入门练习
思路:
首先打开开发者工具,抓包查看请求
可以看到有一个xl加密参数,使用搜索大法
搜到了一个,那说明就是这个了,断点断住,直接进去看加密函数,然后你就会发现一坨xx
明显可以看出来这是被混淆过后的代码,我们解混淆看看。
解混淆之后可以看出,这就是一个标准的AES算法+CBC模式+Pkcs7填充:密钥和IV都是写死在前端代码里的固定字符串,密文以Hex形式输出。也就是说,混淆只增加了阅读成本,并不能保护放在客户端的密钥。
js代码
const CryptoJS=require('crypto-js');
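// De-obfuscated form of the request-parameter code. The original routed every
// property name through a rotated string table (`_0x4f0d` / `_0x66a7`); with the
// rotation resolved, the lookups reduce to the plain CryptoJS calls below.
// The table-rotation IIFE and the implicit global `dd` (an undeclared
// assignment, which throws a ReferenceError under strict mode) are dropped.

// Fixed 16-character key, shipped inside the client script. Anyone who can read
// the script can reproduce the encrypted parameter, so this scheme is
// obfuscation only: it gives no confidentiality and no request authenticity.
const key = CryptoJS.enc.Utf8.parse('jo8j9wGw%6HbxfFn');

// NOTE(review): a constant IV makes CBC deterministic (same plaintext and key
// always give the same ciphertext). Kept as-is so the output matches the
// original code.
const iv = CryptoJS.enc.Utf8.parse('0123456789ABCDEF');

/**
 * Encrypts a string with AES in CBC mode and PKCS#7 padding, using the
 * module-level `key` and `iv`.
 *
 * @param {string} plaintext - Text to encrypt; parsed as UTF-8.
 * @returns {string} The ciphertext encoded as a hex string.
 */
function encrypt(plaintext) {
  const data = CryptoJS.enc.Utf8.parse(plaintext);
  const encrypted = CryptoJS.AES.encrypt(data, key, {
    mode: CryptoJS.mode.CBC,
    padding: CryptoJS.pad.Pkcs7,
    iv,
  });
  // Only the raw ciphertext is emitted, not CryptoJS's default formatted output.
  return encrypted.ciphertext.toString(CryptoJS.enc.Hex);
}

/**
 * Builds the encrypted query value for one result page.
 *
 * @param {number} pageNumber - Page to request.
 * @returns {string} Hex ciphertext of the JSON object `{ page, _ts }`, where
 *   `_ts` is the current time in milliseconds.
 */
function loadPage(pageNumber) {
  const timestamp = new Date().getTime();
  const params = { page: pageNumber, _ts: timestamp };
  return encrypt(JSON.stringify(params));
}

console.log(loadPage(1));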
python代码
import requests
import execjs
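# Session cookies for your own logged-in account. The original post leaves this
# as a placeholder ("your own cookie"); fill in your own values before running.
cookies = {
}
headers = {
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36',
}

# Read and compile the JS once; the original re-read and re-compiled 5.js on
# every loop iteration although the file does not change between pages.
with open('5.js', 'r', encoding='utf-8') as f:
    js_ctx = execjs.compile(f.read())

num = 0
for li in range(1, 21):
    # loadPage() returns the hex ciphertext that is sent as the `xl` field.
    xl = js_ctx.call('loadPage', li)
    json_data = {'xl': xl}
    response = requests.post(
        'https://www.mashangpa.com/api/problem-detail/5/data/',
        cookies=cookies,
        headers=headers,
        json=json_data,
        timeout=10,  # do not hang forever on a stalled connection
    )
    # Surface HTTP errors directly instead of failing later on a missing key.
    response.raise_for_status()
    # Parse the body once; the original called response.json() twice per page.
    current_array = response.json()['current_array']
    print(current_array)
    num += sum(current_array)
print(num)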