【逆向】国家能源局gm2-优快云博客

本文链接：https://blog.youkuaiyun.com/weixin_44781464/article/details/146505509

网站分析

目标网站

aHR0cHM6Ly96enh5Lm5lYS5nb3YuY24vZ2F0ZXdheS9pbnF1aXJ5UHVibGljaHR0cDovanojL2dhdGV3YXkvbWVzc2FnZT9jdXJyZW50PTEmc2l6ZT0xMCZ0b3RhbD0xMTUwNzE

请求分析

在这里插入图片描述
发现网站更改响应体加密需要进行解密操作

下断点

随便怎么下断都能跟过去我简单说几种着急的直接搜索 JSON.parse(r[“sm2”].doDecrypt(n, s)) 或者直接去看最后解密的代码

常规下断

在这里插入图片描述

XHR

在这里插入图片描述

DOM断点

在这里插入图片描述
选中节点直接右键下断

直接搜

在这里插入图片描述
然后一个一个打断点看能不能断住吧

**几种方法都能跟过去直接搜索最简单，其他的因为有很多异步操作记得单步去跟 **

逆向分析

在这里插入图片描述
跟到这个位置发现了关键字gm2 基本确定了加密方式单步进去确定就是gm2

node执行祈祷别魔改

使用node库发现最后没有魔改就是正常的gm2 并且成功拿到结果
在这里插入图片描述

完整代码

// 使用了第三方库 记得安装一下
npm install sm-crypto

const sm2 = require('sm-crypto').sm2

const privateKey = '密钥'、
const cipherText = '密文'

// 解密操作（假设密文是16进制字符串）
const decrypted = sm2.doDecrypt(
  cipherText,
  privateKey,
  {
    inputEncoding: 'hex', // 输入编码（根据实际情况选hex/base64）
    outputEncoding: 'utf8' // 输出编码
  }
)

console.log('解密结果:', decrypted)

硬抠代码

function m(t, e) {
    p = [
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        0,
        1,
        2,
        3,
        4,
        5,
        6,
        7,
        8,
        9,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        10,
        11,
        12,
        13,
        14,
        15,
        16,
        17,
        18,
        19,
        20,
        21,
        22,
        23,
        24,
        25,
        26,
        27,
        28,
        29,
        30,
        31,
        32,
        33,
        34,
        35,
        null,
        null,
        null,
        null,
        null,
        null,
        10,
        11,
        12,
        13,
        14,
        15,
        16,
        17,
        18,
        19,
        20,
        21,
        22,
        23,
        24,
        25,
        26,
        27,
        28,
        29,
        30,
        31,
        32,
        33,
        34,
        35
    ]
    var n = p[t.charCodeAt(e)];
    return null == n ? -1 : n
}

function w() {
    var t = this.s & this.DM;
    while (this.t > 0 && this[this.t - 1] == t)
        --this.t
}

function iii(t, e) {
    var n;
    if (16 == e)
        n = 4;
    else if (8 == e)
        n = 3;
    else if (256 == e)
        n = 8;
    else if (2 == e)
        n = 1;
    else if (32 == e)
        n = 5;
    else {
        if (4 != e)
            return void this.fromRadix(t, e);
        n = 2
    }
    this.t = 0,
        this.s = 0;
    DB = 28
    var i = t.length
        , o = !1
        , a = 0;
    while (--i >= 0) {
        var s = 8 == n ? 255 & t[i] : m(t, i);
        s < 0 ? "-" == t.charAt(i) && (o = !0) : (o = !1,
            0 == a ? this[this.t++] = s : a + n > DB ? (this[this.t - 1] |= (s & (1 << DB - a) - 1) << a,
                this[this.t++] = s >> DB - a) : this[this.t - 1] |= s << a,
            a += n,
        a >= DB && (a -= DB))
    }
    8 == n && 0 != (128 & t[0]) && (this.s = -1,
    a > 0 && (this[this.t - 1] |= (1 << DB - a) - 1 << a)),
        w(),
    o && r.ZERO.subTo(this, this)
}

function v(t, e) {
    return t.length >= e ? t : new Array(e - t.length + 1).join("0") + t
}



a = {
    hexToArray: function (t) {
        const e = [];
        let n = t.length;
        n % 2 !== 0 && (t = v(t, n + 1)),
            n = t.length;
        for (let i = 0; i < n; i += 2)
            e.push(parseInt(t.substr(i, 2), 16));
        return e
    },
    leftPad: function (t, e) {
        return t.length >= e ? t : new Array(e - t.length + 1).join("0") + t
    },
    arrayToHex: function (t) {
        return t.map(t => (t = t.toString(16),
            1 === t.length ? "0" + t : t)).join("")
    },
    arrayToUtf8: function (t) {
        const e = [];
        let n = 0;
        for (let r = 0; r < 2 * t.length; r += 2)
            e[r >>> 3] |= parseInt(t[n], 10) << 24 - r % 8 * 4,
                n++;
        try {
            const n = [];
            for (let i = 0; i < t.length; i++) {
                const t = e[i >>> 2] >>> 24 - i % 4 * 8 & 255;
                n.push(String.fromCharCode(t))
            }
            return decodeURIComponent(escape(n.join("")))
        } catch (i) {
            throw new Error("Malformed UTF-8 data")
        }
    },
}


function d(t, e, n = 1, {output: r = "string"} = {}) {
    e = new iii(e, 16);
    h = 0;
    let o = t.substr(128, 64)
        , l = t.substr(192);
    n === h && (o = t.substr(t.length - 64),
        l = t.substr(128, t.length - 128 - 64));
    const u = a.hexToArray(l)
        // , c = a.getGlobalCurve().decodePointHex("04" + t.substr(0, 128))
        ,c = ec.keyFromPublic("04" + t.substr(0, 128), 'hex').getPublic()
        // , f = c.multiply(e)
        , f = c.mul(e)
        , d = a.hexToArray(a.leftPad(f.getX().toBigInteger().toRadix(16), 64))
        , p = a.hexToArray(a.leftPad(f.getY().toBigInteger().toRadix(16), 64));
    let v = 1
        , m = 0
        , g = [];
    const y = [].concat(d, p)
        , b = () => {
            g = s([...y, v >> 24 & 255, v >> 16 & 255, v >> 8 & 255, 255 & v]),
                v++,
                m = 0
        }
    ;
    b();
    for (let i = 0, a = u.length; i < a; i++)
        m === g.length && b(),
            u[i] ^= 255 & g[m++];
    const _ = a.arrayToHex(s([].concat(d, u, p)));
    return _ === o.toLowerCase() ? "array" === r ? u : a.arrayToUtf8(u) : "array" === r ? [] : ""
}