Giter Site home page Giter Site logo

rs-reverse's Introduction

该项目为瑞数加密的逆向研究,代码开发基于网站:https://wcjs.sbj.cnipa.gov.cn/sgtmi

研究包括动态代码生成原理及动态cookie生成原理。

作者最新开源项目(补环境框架sdenv)推荐:sdenv

0. 声明

该项目下代码仅用于个人学习、研究或欣赏。通过使用该仓库相关代码产生的风险与仓库代码作者无关!

该项目的研究网站仅做参考,项目不鼓励直接请求该研究网站,算法逆向研究请直接使用example目录下的样例文件,如:node main.js makecookie(默认为最新版本代码)。

1. 博客文章

  1. 瑞数vmp-代码格式化后无法正常运行原因分析
  2. 瑞数vmp-动态代码生成原理
  3. 补环境-document.all的c++方案

2. 瑞数算法还原

npx rs-reverse *与在当前目录下运行node main.js *相对应, 当然也支持npm全局安装(npm install -g rs-reverse),npm全局安装后也可以直接使用命令rs-reverse

如npx运行的包不是最新的,可以加上-p参数后执行如:npx -p rs-reverse@latest rs-reverse makecookie,非官方源可能存在版本不同步问题,建议拉取时使用官方源:--registry=https://registry.npmjs.org

npm包不能保证最新代码,最新代码以仓库代码为准!

2.1. makecode子命令

执行子命令makecode生成动态代码, 可以传入包含$_ts.nsd$_ts.cd的文本文件或者直接给url让程序自己去拿,命令示例:

  1. npx方式:npx rs-reverse makecode
  2. 文件方式:node main.js makecode

命令后不接参数则从example文件中取

 $ npx rs-reverse makecode -h
rs-reverse makecode

接收ts.json文件生成immucfg、ts、ts-full文件,如果传入的是url则还会生成html、主代
码、动态代码文件,还可通过-j命令接收多个$_ts.l__处理的文件url并生成该js文件及解
密后的js文件。

**`-j`参数需要注意,链接地址必须带上查询参数,不带的话返回的是未经过瑞数处理的文件,可以从浏览器控制台查看带参数的完整地址,如果待解密的js文件存在多个时,为了保证结果中变量名与瑞数解析的变量名一致,需要按浏览器的解析顺序依序传入(因为变量名存在复用逻辑)。**

Options:
  -h             显示帮助信息                                          [boolean]
  -f, --file     含有nsd, cd值的json文件                                [string]
  -l, --level    日志打印等级,参考log4js,默认为info                   [string]
  -u, --url      瑞数返回204状态码的请求地址                            [string]
  -a, --adapt    已经做了适配的网站名称,不传则为cnipa                  [string]
  -j, --jsurls   $_ts.__l方法执行的js文件链接(必须带上查询参数),多个时需要按顺
                 序传入,如:-j "https://host/chunk.js?4VGu1xaT=a728b2" -j
                 "https://host/app.js?4VGu1xaT=a728b2"                   [array]
  -v, --version  显示版本号

调用示例:

 $ npx rs-reverse makecode -u https://wcjs.sbj.cnipa.gov.cn/sgtmi -j 'https://wcjs.sbj.cnipa.gov.cn/js/chunk-vendors.66e24864.js?查询参数' -j 'https://wcjs.sbj.cnipa.gov.cn/js/app.9f7a91c9.js?查询参数'

  url方式提取的ts:output/makecode/ts.json
  url方式提取的静态文本:output/makecode/immucfg.json
  程序生成的ts:output/makecode/ts-full.json
  url方式提取的html代码:output/makecode/sgtmi.html
  url方式提取的javascript代码:output/makecode/cCdzB9ZjDFks.a728b22.js
  cCdzB9ZjDFks.a728b22.js生成的动态代码:output/makecode/cCdzB9ZjDFks.a728b22-dynamic.js
  url方式提取的javascript代码:output/makecode/chunk-vendors.66e24864.js
  chunk-vendors.66e24864.js生成的解密代码:output/makecode/chunk-vendors.66e24864-decrypt.js
  url方式提取的javascript代码:output/makecode/app.9f7a91c9.js
  app.9f7a91c9.js生成的解密代码:output/makecode/app.9f7a91c9-decrypt.js

2.2. makecookie子命令

执行子命令makecookie生成cookie, 调用方式与makecode类型,调用示例:

  1. npx方式:npx rs-reverse makecookie
  2. 文件方式:node main.js makecookie

该命令首先会执行makecode子命令拿到完整的$_ts值,再运行makecookie的还原算法生成cookie。

 $ npx rs-reverse makecookie -h
rs-reverse makecookie

生成cookie值并打印

Options:
  -h             显示帮助信息                                          [boolean]
  -f, --file     含有nsd, cd值的json文件                                [string]
  -l, --level    日志打印等级,参考log4js,默认为info                   [string]
  -u, --url      瑞数返回204状态码的请求地址                            [string]
  -a, --adapt    已经做了适配的网站名称,不传则为cnipa                  [string]
  -v, --version  显示版本号                                            [boolean]

调用示例:

 $ npx rs-reverse makecookie -u https://wcjs.sbj.cnipa.gov.cn/sgtmi

  存在meta-content值:n5fQ9G1lGvUzfS_yMHx30yYAbp2_NDZI 解析结果:/sgtmi

  Cookie值: 0yk64LrpoFnc8Wi4Mmu_rijgRRoC2SHY1bQlR2_QZ805_CqRd1uOgGRnlEvHvXSoQuwkx_fwn4iQnPDFrQigm1b4GnD61Pf9vU5XKtJtAWIoWeG_22OLiccUwGjI0lQaJ_jaYIBFygNsPSPf_0GnJyT1umFrFgAkAoqh1s0G9IDE1uPEM3PV8M1J.wbKdSgMLg8T3bGD5w2sHHohKfnwsT7bMNbb8xbjSxsn8qb8AvY0
  Cookie长: 236

2.3. makecode-high子命令

执行子命令makecode-high生成网站代码,解码两次请求返回的网站代码(功能涵盖makecode子命令),调用示例:

  1. npx方式:npx rs-reverse makecode-high -u url
  2. 文件方式:node main.js makecode-high -u url

该命令第一次请求生成cookie带入第二次请求,将两次请求返回的加密代码及动态代码解码后保存到output/makecode-high目录中,和makecode命令区别为该命令只提供-u方式执行!

需要注意的是,请避免连续执行该命令以免触发风控报错,报错如:

makecode-high风控报错

 $ npx rs-reverse makecode-high -h
rs-reverse makecode-high

解码两次请求返回的网站代码(功能涵盖makecode子命令)

Options:
  -h             显示帮助信息                                          [boolean]
  -l, --level    日志打印等级,参考log4js,默认为info                   [string]
  -u, --url      瑞数返回204状态码的请求地址                 [string] [required]
  -a, --adapt    已经做了适配的网站名称,不传则为cnipa                  [string]
  -v, --version  显示版本号                                            [boolean]

Examples:
  rs-reverse makecode-high -u http://url/path

调用示例:

 $ npx rs-reverse makecode-high -u https://wcjs.sbj.cnipa.gov.cn/sgtmi

第1次请求:

  url方式提取的ts:output/makecode-high/first/ts.json
  url方式提取的静态文本:output/makecode-high/first/immucfg.json
  程序生成的ts:output/makecode-high/first/ts-full.json
  url方式提取的javascript代码:output/makecode-high/first/cCdzB9ZjDFks.a728b22.js
  url方式提取的html代码:output/makecode-high/first/sgtmi.html
  cCdzB9ZjDFks.a728b22.js生成的动态代码:output/makecode-high/first/cCdzB9ZjDFks.a728b22-dynamic.js

第2次请求:

  url方式提取的ts:output/makecode-high/second/ts.json
  url方式提取的静态文本:output/makecode-high/second/immucfg.json
  程序生成的ts:output/makecode-high/second/ts-full.json
  url方式提取的javascript代码:output/makecode-high/second/cCdzB9ZjDFks.a728b22.js
  url方式提取的html代码:output/makecode-high/second/sgtmi.html
  cCdzB9ZjDFks.a728b22.js生成的动态代码:output/makecode-high/second/cCdzB9ZjDFks.a728b22-dynamic.js
  url方式提取的javascript代码:output/makecode-high/second/chunk-vendors.66e24864.js
  url方式提取的javascript代码:output/makecode-high/second/app.9f7a91c9.js
  chunk-vendors.66e24864.js生成的解密代码:output/makecode-high/second/chunk-vendors.66e24864-decrypt.js
  app.9f7a91c9.js生成的解密代码:output/makecode-high/second/app.9f7a91c9-decrypt.js

2.4. exec子命令

exec子命令用于开发中或者演示时使用。命令示例:

  1. npx方式:npx rs-reverse exec -c 'gv.cp2'
  2. 文件方式:node main.js exec -c 'gv.cp2'
 $ npx rs-reverse exec -h
rs-reverse exec

直接运行代码,用于开发及演示时使用

Options:
  -h             显示帮助信息                                          [boolean]
  -l, --level    日志打印等级,参考log4js,默认为info                   [string]
  -c, --code     要运行的代码,如:gv.cp2,即打印cp2的值     [string] [required]
  -v, --version  显示版本号                                            [boolean]

Examples:
  rs-reverse exec -c 'code string'

调用示例:

 $ npx rs-reverse exec -c '+ascii2string(gv.keys[21])'

  输入:+ascii2string(gv.keys[21])
  输出:1718026159

3. 其它

3.1. 网站兼容与适配

适配文件配置在目录./src/adapt/下,已完成兼容配置:

网站 名称 makecode makecookie makecode-high 适配版本 是否逆向验证
商标网 cnipa 👌 👌 👌 - Y
瑞数官网 riversecurity 👌 👌 N 版本1 N

以瑞数官网实例如:npx rs-reverse makecookie -u https://www.riversecurity.com/resources.shtml -a riversecurity

具体配置说明请看文档:./src/adapt/README.md

3.2. 静态文本

当使用本地方式生成动态代码或者cookie时需要预先配置静态文本,远程方式由于会动态解析,因此远程方式不需要配置,静态文本配置文件:./src/config/immucfg_v*.json,里面包含cp0cp2globalText1globalText2globalText3等静态文本字段,您可以通过远程命令动态生成,如通过makecode命令加远程网址-u https://wcjs.sbj.cnipa.gov.cn/sgtmi,执行后生成文件./output/makecode_input_immucfg.json即为静态文本配置文件。

3.3. 可变配置项

配置文件地址:./src/config/index.js,在网站版本更新后需要修改该文件下配置文件以达到继续适配,配置项说明如下

3.3.1. keynameNum

该配置项用于控制变量名数组生成数量,即$_ts.cp[1]的值,具体原理请看前面博客文章,该值会在每次网站更新后发生变动,可以通过查看js文件,搜索\n\n\n\n,在搜索结果后面不远处就可以找到,如:

  1. 代码_$hn=_$f2(0,806,_$at(_$_q))中的806 图片1
  2. 代码_$k$=_$cg(0,829,_$ef(_$_V))中的829 图片2

3.3.2. offsetConst

动态代码中生成8位解密用的偏移值数组使用,主要是里面的键值是任务数组中的值了,由于瑞数的任务树是打包时动态生成,且值为任务树中最顶层任务生成,不好获取,因此写死,键值可以在gv.r2mka('0-0').task中找到,也可以通过动态代码执行报错获取键值。

3.3.3. codemap

瑞数主体循环方法生成的配置文件,用于动态代码使用。

3.3.3. immucfg

该项为版本固定值,当网站未更新时值是不会变的,当需要配置时可以通过makecode -u url方式动态生成,如执行:node main.js makecode -u https://wcjs.sbj.cnipa.gov.cn/sgtmi后生成的output/makecode_input_immucfg.json文件。

4. 技术交流

加作者微信进技术交流群: howduudu_tech(备注rs-reverse)

订阅号会定期发表技术文章:码功

rs-reverse's People

Contributors

pysunday avatar zhenxianluo avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

yyscbg tanglch troublesunyc bigeyedmonster crackercat ecalose 434944696 prince-cool alading241 quantstu xvhuan 286844626 sy11coder 123456789zws shuaibibobo stealdivinepower zxined polestar-hf chenpython bigharvest eyzhiqiu wjjh luopeixiong 532457220 rgwww bytebuff ntrashh shuhu2015 huaerxiela a568972484 dongfangbeimu natpacket zx-2021 dux-python zhouboboya eatmoremeat cxapython dwyanelee weifeng2 deemoascii georgejzzz losenineai esword618 qianyin123 heckerstone ibcjacky 463563466 crewcutbro boomzjh onetwo1 heisyj zjw505104341 ngiokweng 122933615 c-racker heartsmoking chengcct ggsimida-cw chenkai00 mr-xiaolei xizike bolin-l miaokela aisino2008 lihongvst pztpzsapp xg3512 wuyanghai kirinsir a81608882 ice-a dingiangyi printf172 lamchi-joo ovtan hearttosunshine fancyzll ibabij nicaicaii victory-volunteer lllllllhhhhh uotogk cilame zzhangjian ppwang06 1769782410 lorhua soulahan 1165544520 meteor-nb waystreamer driphub guanfoxyier roryxiang lbatsoft baronboygirl hjnhng greenjoson voscall selang

rs-reverse's Issues

编译报错

  1. 使用命令 单独js文件
    const documentAll = require('./getDocumentAll.node')
    报错信息如下
    Error: getDocumentAll.node is not a valid Win32 application.
    Node.js v20.11.0

  2. 使用命令
    node node_modules/.bin/jest ./test/documentAll-addon.test.js
    basedir=$(dirname "$(echo "$0" | sed -e 's,\,/,g')")
    ^^^^^^^

    SyntaxError: missing ) after argument list
    at internalCompileFunction (node:internal/vm:77:18)
    at wrapSafe (node:internal/modules/cjs/loader:1288:20)
    at Module._compile (node:internal/modules/cjs/loader:1340:27)
    at Module._extensions..js (node:internal/modules/cjs/loader:1435:10)
    at Module.load (node:internal/modules/cjs/loader:1207:32)
    at Module._load (node:internal/modules/cjs/loader:1023:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:135:12)
    at node:internal/main/run_main_module:28:49

Node.js v20.11.0

本人环境
Windows 11 家庭中文版 64 位
nodejs Node.js v20.11.0

瑞数vmp网站征集

可以给出使用瑞数vmp的网站,用于验证和适配!
瑞数vmp应该就是瑞数6,可以自行搜索瑞数哪一代的判断,根据网站顺序验证与适配。

执行命令出错

D:\Test\test\rs>npx rs-reverse makecode -u http://wcjs.sbj.cnipa.gov.cn/sgtmi
C:\Users\12817\AppData\Local\npm-cache_npx\8d44cd73943023ee\node_modules\module-alias\index.js:184
throw new Error('Unable to find package.json in any of:\n[' + pathString + ']')
^

Error: Unable to find package.json in any of:
[C:\Users\12817\AppData\Local\npm-cache_npx\8d44cd73943023ee\node_modules\rs-reverse\package.json]
at init (C:\Users\12817\AppData\Local\npm-cache_npx\8d44cd73943023ee\node_modules\module-alias\index.js:184:11)
at Object. (C:\Users\12817\AppData\Local\npm-cache_npx\8d44cd73943023ee\node_modules\rs-reverse\main.js:3:24)
at Module._compile (node:internal/modules/cjs/loader:1105:14)
at Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
at Module.load (node:internal/modules/cjs/loader:981:32)
at Module._load (node:internal/modules/cjs/loader:827:12)
at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:77:12)
at node:internal/main/run_main_module:17:47

Node.js v18.0.0
Windows10平台

自己想添加一个网站 怎么适配呀

D:\Data\Workspace\Download\rs-reverse-main-02>node main.js makecookie -u http://mt1.wfdsjls.com:9908/Login.html
ERROR rs-reverse - Error: 请确保url与适配器匹配, 当前已适配:cnipa、riversecurity、wfdsjls
at module.exports (D:\Data\Workspace\Download\rs-reverse-main-02\src\adapt\index.js:15:46)
at commandHandler (D:\Data\Workspace\Download\rs-reverse-main-02\main.js:72:32)
at D:\Data\Workspace\Download\rs-reverse-main-02\node_modules\yargs\build\index.cjs:1:8993
at j (D:\Data\Workspace\Download\rs-reverse-main-02\node_modules\yargs\build\index.cjs:1:4956)
at _.handleValidationAndGetResult (D:\Data\Workspace\Download\rs-reverse-main-02\node_modules\yargs\build\index.cjs:1:8962)
at D:\Data\Workspace\Download\rs-reverse-main-02\node_modules\yargs\build\index.cjs:1:9551

网址:https://cpquery.cponline.cnipa.gov.cn,出现 ssl 证书错误

➜ npx -p rs-reverse@latest --registry=https://registry.npmjs.org rs-reverse makecode -u https://cpquery.cponline.cnipa.gov.cn

node:internal/process/promises:289
triggerUncaughtException(err, true /* fromPromise /);
^
RequestError: Error: unable to verify the first certificate
at new RequestError (C:\Users\spider\AppData\Local\npm-cache_npx\ee3ad623c772fe40\node_modules\request-promise-core\lib\errors.js:14:15)
at plumbing.callback (C:\Users\spider\AppData\Local\npm-cache_npx\ee3ad623c772fe40\node_modules\request-promise-core\lib\plumbing.js:87:29)
at Request.RP$callback [as _callback] (C:\Users\spider\AppData\Local\npm-cache_npx\ee3ad623c772fe40\node_modules\request-promise-core\lib\plumbing.js:46:31)
at self.callback (C:\Users\spider\AppData\Local\npm-cache_npx\ee3ad623c772fe40\node_modules\request\request.js:185:22)
at Request.emit (node:events:518:28)
at Request.onRequestError (C:\Users\spider\AppData\Local\npm-cache_npx\ee3ad623c772fe40\node_modules\request\request.js:877:8)
at ClientRequest.emit (node:events:518:28)
at TLSSocket.socketErrorListener (node:_http_client:495:9)
at TLSSocket.emit (node:events:518:28)
at emitErrorNT (node:internal/streams/destroy:169:8)
at emitErrorCloseNT (node:internal/streams/destroy:128:3)
at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
cause: Error: unable to verify the first certificate
at TLSSocket.onConnectSecure (node:_tls_wrap:1674:34)
at TLSSocket.emit (node:events:518:28)
at TLSSocket._finishInit (node:_tls_wrap:1085:8)
at ssl.onhandshakedone (node:_tls_wrap:871:12) {
code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
},
error: Error: unable to verify the first certificate
at TLSSocket.onConnectSecure (node:_tls_wrap:1674:34)
at TLSSocket.emit (node:events:518:28)
at TLSSocket._finishInit (node:_tls_wrap:1085:8)
at ssl.onhandshakedone (node:_tls_wrap:871:12) {
code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
},
options: {
jar: RequestJar {
_jar: CookieJar {
enableLooseMode: true,
store: MemoryCookieStore { idx: {} }
}
},
gzip: true,
uri: 'https://cpquery.cponline.cnipa.gov.cn',
resolveWithFullResponse: true,
simple: false,
headers: {
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36',
Connection: 'keep-alive',
Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
'Accept-Encoding': 'gzip, deflate, br, zstd',
'Accept-Language': 'zh-CN,zh;q=0.9'
},
callback: [Function: RP$callback],
transform: undefined,
transform2xxOnly: false
},
response: undefined
}

Node.js v20.11.1

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.