Straw's B1og.

数美滑块登录校验

字数统计: 3.7k阅读时长: 21 min
2025/03/12

数美滑块登录校验

前言

最近在研究各大厂商app的登录算法时,发现很多厂商用的都是数美的登录验证,于是对其展开了逆向研究。

1

抓包

因为这个还在迭代更新,我们以最新的184版本为例子

智能验证码体验_图片验证码_数美科技

2

几次发包下来发现会改变的只有tb,tm,ly,rid。于是只要研究这两个就行

rid可以在发送第一次请求的时候返回,可以直接获取。

3

通过请求调用发现整个加密逻辑基本上写在了这个js里面

JS逆向

4

进去发现是一个ob混淆过的js,用字符串形式查找相关加密函数,锁定了加密段。

继续跟进调试发现

5

继续研究是否有DES魔改,混淆过的DES根本看不出来,想办法去混淆

6

有一个很好用的反ob混淆的工具,因为js代码可以虚拟执行,反混淆起来不是特别难,这里的工具能应对绝大多数基础的ob混淆。

Obfuscator.io Deobfuscator

7

反混淆后查看对应段代码,并在github上找到对应js写的des加密代码,进行比对

8

contact-form-7-to-database-extension/des.js at fd4ebfd7e04ac0d06287ff9076a5350c145a403b · mdsimpson/contact-form-7-to-database-extension · GitHub

于是只要通过动态调试获取每次加密的时候对应的固定密钥就行(密钥会随着版本改变)

还原

得到了加密过程与密钥,我们尝试对发包数据进行还原,来理解每个名称被混淆了的数据的含义。

tb:滑动长度
tm:滑动轨迹
ly:滑动时间

于是我们通过opencv识图读出滑动长度,然后通过随机伪造滑动轨迹以及滑动时间,最后进行加密发包,就可以通过校验。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
def get_distance(fg, bg):
    """
    计算滑动距离
    """
    # 将二进制数据解码成 OpenCV 图像
    target = cv2.imdecode(np.frombuffer(fg, np.uint8), cv2.IMREAD_COLOR)
    template = cv2.imdecode(np.frombuffer(bg, np.uint8), cv2.IMREAD_COLOR)

    # 进行模板匹配
    result = cv2.matchTemplate(target, template, cv2.TM_CCORR_NORMED)

    # 获取最大匹配值的位置
    _, _, _, max_loc = cv2.minMaxLoc(result)

    # 滑动距离(X 轴位移)
    distance = max_loc[0]

    return distance
 
def get_trajectory_1(distance):
    '''
    # 滑动轨迹模拟、上下的抖动
    :param distance:
    :return:
    '''
    ge = []
    ge.append([0, 0, 0])
    for i in range(10):
        x = 0
        y = random.randint(-1, 1)
        t = 100 * (i + 1) + random.randint(0, 2)
        ge.append([x, y, t])
    for items in ge[1:-5]:
        items[0] = distance // 2
    for items in ge[-5:-1]:
        items[0] = distance + random.randint(1, 4)
    ge[-1][0] = distance
    return ge, ge[-1][2]

(主要内容在代码里面)

9

代码

代码中间的python调用了js的des加密函数,虽然是标准ECB模式,但是还是秉持还原,使用了他的js源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
import requests
import json
from urllib.parse import urlparse
import os
import random
import cv2
import numpy as np
import execjs
from urllib.parse import urlencode

def download_image(url, save_path):
    try:
        response = requests.get(url, stream=True)
        response.raise_for_status()
        
        with open(save_path, 'wb') as f:
            for chunk in response.iter_content(chunk_size=8192):
                f.write(chunk)
        print(f"图片已保存到: {save_path}")
        
    except requests.exceptions.RequestException as e:
        print(f"请求失败: {e}")
    except IOError as e:
        print(f"文件写入失败: {e}")

def get_image_name(url):
    parsed_url = urlparse(url)
    path = parsed_url.path
    filename = os.path.basename(path)
    return filename

def get_distance(fg, bg):
    """
    计算滑动距离
    """
    # 将二进制数据解码成 OpenCV 图像
    target = cv2.imdecode(np.frombuffer(fg, np.uint8), cv2.IMREAD_COLOR)
    template = cv2.imdecode(np.frombuffer(bg, np.uint8), cv2.IMREAD_COLOR)

    # 进行模板匹配
    result = cv2.matchTemplate(target, template, cv2.TM_CCORR_NORMED)

    # 获取最大匹配值的位置
    _, _, _, max_loc = cv2.minMaxLoc(result)

    # 滑动距离(X 轴位移)
    distance = max_loc[0]

    return distance
 
def get_trajectory_1(distance):
    '''
    # 滑动轨迹模拟、上下的抖动
    :param distance:
    :return:
    '''
    ge = []
    ge.append([0, 0, 0])
    for i in range(10):
        x = 0
        y = random.randint(-1, 1)
        t = 100 * (i + 1) + random.randint(0, 2)
        ge.append([x, y, t])
    for items in ge[1:-5]:
        items[0] = distance // 2
    for items in ge[-5:-1]:
        items[0] = distance + random.randint(1, 4)
    ge[-1][0] = distance
    return ge, ge[-1][2]

url = "https://captcha1.fengkongcloud.cn/ca/v1/register?rversion=1.0.4&data=%7B%7D&sdkver=1.1.3&appId=default&organization=d6tpAY1oV0Kv5jRSgxQr&channel=DEFAULT&model=slide&captchaUuid=20250305105115Bm57raYJCRpc55zYYE&lang=zh-cn&callback=sm_1741164621240"
response = requests.get(url)
print(response.text)
print()
text=response.text.split('(', 1)[1].rstrip(')')
data = json.loads(text)
detail = data['detail']

rid = detail['rid']
fg = "https://castatic.fengkongcloud.cn"+detail['fg']
fg_name=get_image_name(fg)
bg = "https://castatic.fengkongcloud.cn"+detail['bg']
bg_name=get_image_name(bg)
print(f"rid: {rid}")
print(f"fg: {fg}")
print(f"bg: {bg}")

download_image(fg,fg_name)
download_image(bg,bg_name)

with open(fg_name, "rb") as f:
    fg_data = f.read()
with open(bg_name, "rb") as f:
    bg_data = f.read()
distance = get_distance(fg_data, bg_data)
# print(distance)
# print(get_trajectory_1(distance//2))
tb=round((distance//2)/300,2)
tm,ly=get_trajectory_1(distance//2)


#des加密
with open("des.js", "r",encoding="utf-8") as f:
    js_code = f.read()
ctx = execjs.compile(js_code)
print(tb)

tm_f= "[{}]".format(
    ",".join(
        "[{}]".format(",".join(map(str, sublist)))
        for sublist in tm
    )
)
print(tm_f)
print(ly)
tb = ctx.call("des","59fcff86",str(tb),1,0)
tm = ctx.call("des","0569c403",tm_f,1,0)
ly = ctx.call("des","65986a6b",str(ly),1,0)
print()

print("tb:"+tb)
print("tm:"+tm)
print("ly:"+ly)
print()

params = {
"protocol": "184",
"rversion": "1.0.4",
"wz": "ufdT5h7SVes",
"sdkver": "1.1.3",
"ostype": "web",
"callback": "sm_1741168009359",
"captchaUuid": "20250319154825Jwyse6rxSRbxbBRtCa",
"organization": "d6tpAY1oV0Kv5jRSgxQr",
"fc": "2VKLJM6OJCc=",
"uc": "b8IY1XIB1iA=",
"og": "IxbGpVfruz0=",
"jp": "Wq4jwGqOHYM=",
"aj": "Z8JptdSbQHg=",
"dj": "7SnISxDhfjI=",
"gp": "7kP9OL4ZRNU=",
"sy": "lN908/15DcI=",
"tb": tb,
"tm": tm,
"ly": ly,
"rid":rid
}
query_string = urlencode(params, safe='')
base_url = "https://captcha1.fengkongcloud.cn/ca/v2/fverify?"
url2=f"{base_url}{query_string}"
print(url2)
print()
print(requests.get(url2).text)

os.remove(fg_name)
os.remove(bg_name)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
function des (key, message, encrypt, mode, iv) {
    //declaring this locally speeds things up a bit
    var spfunction1 = new Array (0x1010400,0,0x10000,0x1010404,0x1010004,0x10404,0x4,0x10000,0x400,0x1010400,0x1010404,0x400,0x1000404,0x1010004,0x1000000,0x4,0x404,0x1000400,0x1000400,0x10400,0x10400,0x1010000,0x1010000,0x1000404,0x10004,0x1000004,0x1000004,0x10004,0,0x404,0x10404,0x1000000,0x10000,0x1010404,0x4,0x1010000,0x1010400,0x1000000,0x1000000,0x400,0x1010004,0x10000,0x10400,0x1000004,0x400,0x4,0x1000404,0x10404,0x1010404,0x10004,0x1010000,0x1000404,0x1000004,0x404,0x10404,0x1010400,0x404,0x1000400,0x1000400,0,0x10004,0x10400,0,0x1010004);
    var spfunction2 = new Array (0x80108020,0x80008000,0x8000,0x108020,0x100000,0x20,0x80100020,0x80008020,0x80000020,0x80108020,0x80108000,0x80000000,0x80008000,0x100000,0x20,0x80100020,0x108000,0x100020,0x80008020,0,0x80000000,0x8000,0x108020,0x80100000,0x100020,0x80000020,0,0x108000,0x8020,0x80108000,0x80100000,0x8020,0,0x108020,0x80100020,0x100000,0x80008020,0x80100000,0x80108000,0x8000,0x80100000,0x80008000,0x20,0x80108020,0x108020,0x20,0x8000,0x80000000,0x8020,0x80108000,0x100000,0x80000020,0x100020,0x80008020,0x80000020,0x100020,0x108000,0,0x80008000,0x8020,0x80000000,0x80100020,0x80108020,0x108000);
    var spfunction3 = new Array (0x208,0x8020200,0,0x8020008,0x8000200,0,0x20208,0x8000200,0x20008,0x8000008,0x8000008,0x20000,0x8020208,0x20008,0x8020000,0x208,0x8000000,0x8,0x8020200,0x200,0x20200,0x8020000,0x8020008,0x20208,0x8000208,0x20200,0x20000,0x8000208,0x8,0x8020208,0x200,0x8000000,0x8020200,0x8000000,0x20008,0x208,0x20000,0x8020200,0x8000200,0,0x200,0x20008,0x8020208,0x8000200,0x8000008,0x200,0,0x8020008,0x8000208,0x20000,0x8000000,0x8020208,0x8,0x20208,0x20200,0x8000008,0x8020000,0x8000208,0x208,0x8020000,0x20208,0x8,0x8020008,0x20200);
    var spfunction4 = new Array (0x802001,0x2081,0x2081,0x80,0x802080,0x800081,0x800001,0x2001,0,0x802000,0x802000,0x802081,0x81,0,0x800080,0x800001,0x1,0x2000,0x800000,0x802001,0x80,0x800000,0x2001,0x2080,0x800081,0x1,0x2080,0x800080,0x2000,0x802080,0x802081,0x81,0x800080,0x800001,0x802000,0x802081,0x81,0,0,0x802000,0x2080,0x800080,0x800081,0x1,0x802001,0x2081,0x2081,0x80,0x802081,0x81,0x1,0x2000,0x800001,0x2001,0x802080,0x800081,0x2001,0x2080,0x800000,0x802001,0x80,0x800000,0x2000,0x802080);
    var spfunction5 = new Array (0x100,0x2080100,0x2080000,0x42000100,0x80000,0x100,0x40000000,0x2080000,0x40080100,0x80000,0x2000100,0x40080100,0x42000100,0x42080000,0x80100,0x40000000,0x2000000,0x40080000,0x40080000,0,0x40000100,0x42080100,0x42080100,0x2000100,0x42080000,0x40000100,0,0x42000000,0x2080100,0x2000000,0x42000000,0x80100,0x80000,0x42000100,0x100,0x2000000,0x40000000,0x2080000,0x42000100,0x40080100,0x2000100,0x40000000,0x42080000,0x2080100,0x40080100,0x100,0x2000000,0x42080000,0x42080100,0x80100,0x42000000,0x42080100,0x2080000,0,0x40080000,0x42000000,0x80100,0x2000100,0x40000100,0x80000,0,0x40080000,0x2080100,0x40000100);
    var spfunction6 = new Array (0x20000010,0x20400000,0x4000,0x20404010,0x20400000,0x10,0x20404010,0x400000,0x20004000,0x404010,0x400000,0x20000010,0x400010,0x20004000,0x20000000,0x4010,0,0x400010,0x20004010,0x4000,0x404000,0x20004010,0x10,0x20400010,0x20400010,0,0x404010,0x20404000,0x4010,0x404000,0x20404000,0x20000000,0x20004000,0x10,0x20400010,0x404000,0x20404010,0x400000,0x4010,0x20000010,0x400000,0x20004000,0x20000000,0x4010,0x20000010,0x20404010,0x404000,0x20400000,0x404010,0x20404000,0,0x20400010,0x10,0x4000,0x20400000,0x404010,0x4000,0x400010,0x20004010,0,0x20404000,0x20000000,0x400010,0x20004010);
    var spfunction7 = new Array (0x200000,0x4200002,0x4000802,0,0x800,0x4000802,0x200802,0x4200800,0x4200802,0x200000,0,0x4000002,0x2,0x4000000,0x4200002,0x802,0x4000800,0x200802,0x200002,0x4000800,0x4000002,0x4200000,0x4200800,0x200002,0x4200000,0x800,0x802,0x4200802,0x200800,0x2,0x4000000,0x200800,0x4000000,0x200800,0x200000,0x4000802,0x4000802,0x4200002,0x4200002,0x2,0x200002,0x4000000,0x4000800,0x200000,0x4200800,0x802,0x200802,0x4200800,0x802,0x4000002,0x4200802,0x4200000,0x200800,0,0x2,0x4200802,0,0x200802,0x4200000,0x800,0x4000002,0x4000800,0x800,0x200002);
    var spfunction8 = new Array (0x10001040,0x1000,0x40000,0x10041040,0x10000000,0x10001040,0x40,0x10000000,0x40040,0x10040000,0x10041040,0x41000,0x10041000,0x41040,0x1000,0x40,0x10040000,0x10000040,0x10001000,0x1040,0x41000,0x40040,0x10040040,0x10041000,0x1040,0,0,0x10040040,0x10000040,0x10001000,0x41040,0x40000,0x41040,0x40000,0x10041000,0x1000,0x40,0x10040040,0x1000,0x41040,0x10001000,0x40,0x10000040,0x10040000,0x10040040,0x10000000,0x40000,0x10001040,0,0x10041040,0x40040,0x10000040,0x10040000,0x10001000,0x10001040,0,0x10041040,0x41000,0x41000,0x1040,0x1040,0x40040,0x10000000,0x10041000);
  
    //create the 16 or 48 subkeys we will need
    var keys = des_createKeys (key);
    var m=0, i, j, temp, temp2, right1, right2, left, right, looping;
    var cbcleft, cbcleft2, cbcright, cbcright2
    var endloop, loopinc;
    var len = message.length;
    var chunk = 0;
    //set up the loops for single and triple des
    var iterations = keys.length == 32 ? 3 : 9; //single or triple des
    if (iterations == 3) {looping = encrypt ? new Array (0, 32, 2) : new Array (30, -2, -2);}
    else {looping = encrypt ? new Array (0, 32, 2, 62, 30, -2, 64, 96, 2) : new Array (94, 62, -2, 32, 64, 2, 30, -2, -2);}
  
    message += "\0\0\0\0\0\0\0\0"; //pad the message out with null bytes
    //store the result here
    result = "";
    tempresult = "";
  
    if (mode == 1) { //CBC mode
      cbcleft = (iv.charCodeAt(m++) << 24) | (iv.charCodeAt(m++) << 16) | (iv.charCodeAt(m++) << 8) | iv.charCodeAt(m++);
      cbcright = (iv.charCodeAt(m++) << 24) | (iv.charCodeAt(m++) << 16) | (iv.charCodeAt(m++) << 8) | iv.charCodeAt(m++);
      m=0;
    }
  
    //loop through each 64 bit chunk of the message
    while (m < len) {
      left = (message.charCodeAt(m++) << 24) | (message.charCodeAt(m++) << 16) | (message.charCodeAt(m++) << 8) | message.charCodeAt(m++);
      right = (message.charCodeAt(m++) << 24) | (message.charCodeAt(m++) << 16) | (message.charCodeAt(m++) << 8) | message.charCodeAt(m++);
  
      //for Cipher Block Chaining mode, xor the message with the previous result
      if (mode == 1) {if (encrypt) {left ^= cbcleft; right ^= cbcright;} else {cbcleft2 = cbcleft; cbcright2 = cbcright; cbcleft = left; cbcright = right;}}
  
      //first each 64 but chunk of the message must be permuted according to IP
      temp = ((left >>> 4) ^ right) & 0x0f0f0f0f; right ^= temp; left ^= (temp << 4);
      temp = ((left >>> 16) ^ right) & 0x0000ffff; right ^= temp; left ^= (temp << 16);
      temp = ((right >>> 2) ^ left) & 0x33333333; left ^= temp; right ^= (temp << 2);
      temp = ((right >>> 8) ^ left) & 0x00ff00ff; left ^= temp; right ^= (temp << 8);
      temp = ((left >>> 1) ^ right) & 0x55555555; right ^= temp; left ^= (temp << 1);
  
      left = ((left << 1) | (left >>> 31)); 
      right = ((right << 1) | (right >>> 31)); 
  
      //do this either 1 or 3 times for each chunk of the message
      for (j=0; j<iterations; j+=3) {
        endloop = looping[j+1];
        loopinc = looping[j+2];
        //now go through and perform the encryption or decryption  
        for (i=looping[j]; i!=endloop; i+=loopinc) { //for efficiency
          right1 = right ^ keys[i]; 
          right2 = ((right >>> 4) | (right << 28)) ^ keys[i+1];
          //the result is attained by passing these bytes through the S selection functions
          temp = left;
          left = right;
          right = temp ^ (spfunction2[(right1 >>> 24) & 0x3f] | spfunction4[(right1 >>> 16) & 0x3f]
                | spfunction6[(right1 >>>  8) & 0x3f] | spfunction8[right1 & 0x3f]
                | spfunction1[(right2 >>> 24) & 0x3f] | spfunction3[(right2 >>> 16) & 0x3f]
                | spfunction5[(right2 >>>  8) & 0x3f] | spfunction7[right2 & 0x3f]);
        }
        temp = left; left = right; right = temp; //unreverse left and right
      } //for either 1 or 3 iterations
  
      //move then each one bit to the right
      left = ((left >>> 1) | (left << 31)); 
      right = ((right >>> 1) | (right << 31)); 
  
      //now perform IP-1, which is IP in the opposite direction
      temp = ((left >>> 1) ^ right) & 0x55555555; right ^= temp; left ^= (temp << 1);
      temp = ((right >>> 8) ^ left) & 0x00ff00ff; left ^= temp; right ^= (temp << 8);
      temp = ((right >>> 2) ^ left) & 0x33333333; left ^= temp; right ^= (temp << 2);
      temp = ((left >>> 16) ^ right) & 0x0000ffff; right ^= temp; left ^= (temp << 16);
      temp = ((left >>> 4) ^ right) & 0x0f0f0f0f; right ^= temp; left ^= (temp << 4);
  
      //for Cipher Block Chaining mode, xor the message with the previous result
      if (mode == 1) {if (encrypt) {cbcleft = left; cbcright = right;} else {left ^= cbcleft2; right ^= cbcright2;}}
      tempresult += String.fromCharCode ((left>>>24), ((left>>>16) & 0xff), ((left>>>8) & 0xff), (left & 0xff), (right>>>24), ((right>>>16) & 0xff), ((right>>>8) & 0xff), (right & 0xff));
  
      chunk += 8;
      if (chunk == 512) {result += tempresult; tempresult = ""; chunk = 0;}
    } //for every 8 characters, or 64 bits in the message
  
    //return the result as an array
    return btoa(result + tempresult);
  } //end of des
  
  
  
  //des_createKeys
  //this takes as input a 64 bit key (even though only 56 bits are used)
  //as an array of 2 integers, and returns 16 48 bit keys
  function des_createKeys (key) {
    //declaring this locally speeds things up a bit
    pc2bytes0  = new Array (0,0x4,0x20000000,0x20000004,0x10000,0x10004,0x20010000,0x20010004,0x200,0x204,0x20000200,0x20000204,0x10200,0x10204,0x20010200,0x20010204);
    pc2bytes1  = new Array (0,0x1,0x100000,0x100001,0x4000000,0x4000001,0x4100000,0x4100001,0x100,0x101,0x100100,0x100101,0x4000100,0x4000101,0x4100100,0x4100101);
    pc2bytes2  = new Array (0,0x8,0x800,0x808,0x1000000,0x1000008,0x1000800,0x1000808,0,0x8,0x800,0x808,0x1000000,0x1000008,0x1000800,0x1000808);
    pc2bytes3  = new Array (0,0x200000,0x8000000,0x8200000,0x2000,0x202000,0x8002000,0x8202000,0x20000,0x220000,0x8020000,0x8220000,0x22000,0x222000,0x8022000,0x8222000);
    pc2bytes4  = new Array (0,0x40000,0x10,0x40010,0,0x40000,0x10,0x40010,0x1000,0x41000,0x1010,0x41010,0x1000,0x41000,0x1010,0x41010);
    pc2bytes5  = new Array (0,0x400,0x20,0x420,0,0x400,0x20,0x420,0x2000000,0x2000400,0x2000020,0x2000420,0x2000000,0x2000400,0x2000020,0x2000420);
    pc2bytes6  = new Array (0,0x10000000,0x80000,0x10080000,0x2,0x10000002,0x80002,0x10080002,0,0x10000000,0x80000,0x10080000,0x2,0x10000002,0x80002,0x10080002);
    pc2bytes7  = new Array (0,0x10000,0x800,0x10800,0x20000000,0x20010000,0x20000800,0x20010800,0x20000,0x30000,0x20800,0x30800,0x20020000,0x20030000,0x20020800,0x20030800);
    pc2bytes8  = new Array (0,0x40000,0,0x40000,0x2,0x40002,0x2,0x40002,0x2000000,0x2040000,0x2000000,0x2040000,0x2000002,0x2040002,0x2000002,0x2040002);
    pc2bytes9  = new Array (0,0x10000000,0x8,0x10000008,0,0x10000000,0x8,0x10000008,0x400,0x10000400,0x408,0x10000408,0x400,0x10000400,0x408,0x10000408);
    pc2bytes10 = new Array (0,0x20,0,0x20,0x100000,0x100020,0x100000,0x100020,0x2000,0x2020,0x2000,0x2020,0x102000,0x102020,0x102000,0x102020);
    pc2bytes11 = new Array (0,0x1000000,0x200,0x1000200,0x200000,0x1200000,0x200200,0x1200200,0x4000000,0x5000000,0x4000200,0x5000200,0x4200000,0x5200000,0x4200200,0x5200200);
    pc2bytes12 = new Array (0,0x1000,0x8000000,0x8001000,0x80000,0x81000,0x8080000,0x8081000,0x10,0x1010,0x8000010,0x8001010,0x80010,0x81010,0x8080010,0x8081010);
    pc2bytes13 = new Array (0,0x4,0x100,0x104,0,0x4,0x100,0x104,0x1,0x5,0x101,0x105,0x1,0x5,0x101,0x105);
  
    //how many iterations (1 for des, 3 for triple des)
    var iterations = key.length >= 24 ? 3 : 1;
    //stores the return keys
    var keys = new Array (32 * iterations);
    //now define the left shifts which need to be done
    var shifts = new Array (0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0);
    //other variables
    var lefttemp, righttemp, m=0, n=0, temp;
  
    for (var j=0; j<iterations; j++) { //either 1 or 3 iterations
      left = (key.charCodeAt(m++) << 24) | (key.charCodeAt(m++) << 16) | (key.charCodeAt(m++) << 8) | key.charCodeAt(m++);
      right = (key.charCodeAt(m++) << 24) | (key.charCodeAt(m++) << 16) | (key.charCodeAt(m++) << 8) | key.charCodeAt(m++);
  
      temp = ((left >>> 4) ^ right) & 0x0f0f0f0f; right ^= temp; left ^= (temp << 4);
      temp = ((right >>> -16) ^ left) & 0x0000ffff; left ^= temp; right ^= (temp << -16);
      temp = ((left >>> 2) ^ right) & 0x33333333; right ^= temp; left ^= (temp << 2);
      temp = ((right >>> -16) ^ left) & 0x0000ffff; left ^= temp; right ^= (temp << -16);
      temp = ((left >>> 1) ^ right) & 0x55555555; right ^= temp; left ^= (temp << 1);
      temp = ((right >>> 8) ^ left) & 0x00ff00ff; left ^= temp; right ^= (temp << 8);
      temp = ((left >>> 1) ^ right) & 0x55555555; right ^= temp; left ^= (temp << 1);
  
      //the right side needs to be shifted and to get the last four bits of the left side
      temp = (left << 8) | ((right >>> 20) & 0x000000f0);
      //left needs to be put upside down
      left = (right << 24) | ((right << 8) & 0xff0000) | ((right >>> 8) & 0xff00) | ((right >>> 24) & 0xf0);
      right = temp;
  
      //now go through and perform these shifts on the left and right keys
      for (i=0; i < shifts.length; i++) {
        //shift the keys either one or two bits to the left
        if (shifts[i]) {left = (left << 2) | (left >>> 26); right = (right << 2) | (right >>> 26);}
        else {left = (left << 1) | (left >>> 27); right = (right << 1) | (right >>> 27);}
        left &= 0xfffffff0; right &= 0xfffffff0;
  
        //now apply PC-2, in such a way that E is easier when encrypting or decrypting
        //this conversion will look like PC-2 except only the last 6 bits of each byte are used
        //rather than 48 consecutive bits and the order of lines will be according to 
        //how the S selection functions will be applied: S2, S4, S6, S8, S1, S3, S5, S7
        lefttemp = pc2bytes0[left >>> 28] | pc2bytes1[(left >>> 24) & 0xf]
                | pc2bytes2[(left >>> 20) & 0xf] | pc2bytes3[(left >>> 16) & 0xf]
                | pc2bytes4[(left >>> 12) & 0xf] | pc2bytes5[(left >>> 8) & 0xf]
                | pc2bytes6[(left >>> 4) & 0xf];
        righttemp = pc2bytes7[right >>> 28] | pc2bytes8[(right >>> 24) & 0xf]
                  | pc2bytes9[(right >>> 20) & 0xf] | pc2bytes10[(right >>> 16) & 0xf]
                  | pc2bytes11[(right >>> 12) & 0xf] | pc2bytes12[(right >>> 8) & 0xf]
                  | pc2bytes13[(right >>> 4) & 0xf];
        temp = ((righttemp >>> 16) ^ lefttemp) & 0x0000ffff; 
        keys[n++] = lefttemp ^ temp; keys[n++] = righttemp ^ (temp << 16);
      }
    } //for each iterations
    //return the keys we've created
    return keys;
  } //end of des_createKeys

原文作者:Straw

原文链接:https://straw-233.github.io/2025/03/12/%E6%95%B0%E7%BE%8E%E6%BB%91%E5%9D%97%E7%99%BB%E5%BD%95%E6%A0%A1%E9%AA%8C/

发表日期:March 12th 2025, 2:36:24 pm

更新日期:March 30th 2025, 8:44:52 pm

版权声明:本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
  1. 1. 数美滑块登录校验
    1. 1.1. 前言
    2. 1.2. 抓包
    3. 1.3. JS逆向
    4. 1.4. 还原
    5. 1.5. 代码
Total : 24
2023
Invalid date
Invalid date
Invalid date
Invalid date
2024
Invalid date
Invalid date
Invalid date
Invalid date