mtgsig1.2
{
"a1": "1.2", //固定
"a2": 1726748343771,//动态时间戳
"a3": "1726748343765IYKMICE60e593ce0a815b08d658526270cd17d61109",//dfpid 可以是本地生成也可以调用接口获取
"a4": "fc356f4601dbbe96466f35fc96bedb019dd20df60b6cd6f7", //主要是 根据a5以及a2 计算的
"a5": "2ohsLgJ7DxhtwN7JtbONiSBFHMQt4mOSynPKZLHfngwgphG9+Q5xI8yU0FQhUrVdNriqlWcpb/nJwe38ZgiwMkH/SbMGALMFsjrRDgppIY+8a6dDK8UbspFgziGjimpuu3f5TSAX0/+6/4vplMTtUUGEznboNeeYhAH/nkKu+GvXWTRgoybIhqtd+VqZEXo6On4MwilUyvmyb94Z8c==",//动态计算
"a6": "w1.3mXfL0E7kY0vxmPMhOYVTS5941ZVd88cFU66CfEMRCfEPp8/ToIdfmbF26A+XtFh0TwsWNCNSSupQo5tdpge5i5lsaC32nb0C3btafLo/PuJPFLCky3p+Dsm6diHyHwcqBJOgZmwdfp7zpMUBJ+avPcnog0DmvSy2DVaND3nl8AkVfEpKrub8bh2Xxkiyf1LfSXrBIoSSOiRstNijOGGCuUqaovytT1Fb3s8/9eSf37vMSK4bar9zMY2kuiM7WX2++YSbceNwxPIVKl1aoKbRyR0nIbTnhR3d9lLMF6s7cwkxSEPL6zpsOAXMI3UTT+KQTCpyWvTkKhTjcITXpnY/xUBYdw+fbk1xxamMRr+LHwNVEAAuObH+Q2HA8jAM7ZzuZb3tKOnt+t1jV3gq3Iw0X//0Is4nm7zNeijNprI9DXyIlfV2/TwJIx39C7oybQbn",//动态计算
"a7": "wx4fa555703dced95c", //固定 小程序APPID
"x0": 3,//固定
"d1": "6e0071681d625034fbd32d4b40b9607b" //动态md5 前面的 所有参数的md5
}
解密a5步骤(加密就省略了 guardjs里面就有)
1、base64解密(注意 这里base64采用的非标base64) 不能用标准base64解密
2、转换为byte数组 分割数组 分别为2个 第一个数组 0-16 第二个数组16-结尾
3、编码 代码为 可以直接扣 加密算法 固定的。e为第一个数组 0-16 c为第二个数组16-结尾
var x = function(e, c) {
for (var t, f, r = [], d = Function.prototype.call, o = 93; ; ){
switch (a[o++]) {
case 0:
r.push(b);
continue;
case 1:
var i = r[r.length - 1];
continue;
case 2:
r.push(t);
continue;
case 3:
b[i] = r[r.length - 1];
continue;
case 5:
r.push((function(e, c, t) {
for (var f, r, d = [], o = Function.prototype.call, i = 59; ; )
switch (a[i++]) {
case 0:
d.push(t);
continue;
case 1:
return;
case 2:
d.push(s);
continue;
case 3:
d.push(null);
continue;
case 4:
d.pop();
continue;
case 5:
d.push((r = (r + e[f = (f + 1) % 256]) % 256,
c = e[f],
e[f] = e[r],
e[r] = c,
u[n(87)](t[b] ^ e[(e[f] + e[r]) % 256])));
continue;
case 6:
var b = d.pop();
continue;
case 8:
d[d.length - 3] = o.call(d[d.length - 3], d[d.length - 2], d[d.length - 1]);
continue;
case 9:
d.push(u);
continue;
case 10:
d.push(a[i++]);
continue;
case 12:
d.length -= 2;
continue;
case 13:
f = d.pop();
continue;
case 14:
r = d.pop();
continue;
case 16:
d.push(b);
continue;
case 19:
d.push(n);
continue;
case 20:
return d.pop();
case 21:
var u = d.pop();
continue;
case 23:
var s = d.pop();
continue;
case 24:
!d.pop() && (i += 5);
continue;
case 26:
d.push(b++);
continue;
case 28:
i -= 10;
continue;
case 29:
d[d.length - 2] = d[d.length - 2] < d[d.length - 1];
continue;
case 31:
d[d.length - 0] = [];
continue;
case 32:
d[d.length - 2] = d[d.length - 2][d[d.length - 1]]
}
}
));
continue;
case 6:
r.push((f = (f + b[i] + e[i % e[n(84)]] + 31) % 256,
t = b[i],
b[i] = b[f],
b[f] = t));
continue;
case 7:
return r.pop();
case 8:
r.pop();
continue;
case 9:
o -= 12;
continue;
case 11:
r[r.length - 2] = r[r.length - 2] < r[r.length - 1];
continue;
case 13:
r.push(i);
continue;
case 14:
r[r.length - 5] = d.call(r[r.length - 5], r[r.length - 4], r[r.length - 3], r[r.length - 2], r[r.length - 1]);
continue;
case 16:
r[r.length - 0] = [];
continue;
case 17:
r.push(i++);
continue;
case 18:
!r.pop() && (o += 6);
continue;
case 20:
r.push(a[o++]);
continue;
case 21:
r.length -= 4;
continue;
case 22:
!r.pop() && (o += 5);
continue;
case 23:
f = r.pop();
continue;
case 31:
r.push(c);
continue;
case 32:
o -= 11;
continue;
case 33:
var b = r.pop();
continue;
case 35:
return;
case 40:
r.push(null);
continue;
case 43:
i = r.pop()
}
}
}
4、String.fromCharCode把编码的结果 转换为字符串 即是 a5的明文
解密后 明文为
{
"b7": 1726748343,//时间戳
"b1": {
"miniProgram": {
"appId": "wx4fa555703dced95c",
"envVersion": "release",
"version": "1.4.7"
}
},
"b8": 1,//随机 实际加密的时候 是自增的一个变量
"b2": "page/index/index"
}
a6解密
替换掉 w1.3 前缀 固定的值 替换后 为base64加密值
1、标准base64解密
2、2个秘钥差不多的参数 算法
function a() {
for (var e, a = [n(100), n(101)], c = [], t = 0; t < a[n(84)]; t++) {
e = "";
for (var f = a[t], r = f[n(84)], d = parseInt(n(104) + f[n(105)](0, 2)), o = 2; o < r; o += 2) {
var i = parseInt(n(104) + f[n(107)](o) + f[n(107)](o + 1));
e += String[n(109)](i ^ d)
}
c[n(87)](e)
}
return c
}
codes.utf8string.toBits(a()[0]) key
codes.utf8string.toBits(a()[1]) iv
调用aes cbc算法 解密 前面的base64之后的数据
解密后结果 转换为Uint8Array
调用zlib.gunzipSync 解压缩数据
调用TextDecoder 解码后的数据 即是明文
["wx4fa555703dced95c", "1726748343765IYKMICE60e593ce0a815b08d658526270cd17d61109", 1726748343765, "1.7.2", "1726748343765IYKMICE60e593ce0a815b08d658526270cd17d61109", [null, true, ["getBatteryInfo:ok", true, 100], null, null, -1, false, "microsoft", 0.5, true, null, null, 1.5, true, "getSystemInfo:ok", 15, "zh_CN", "{\"path\":\"page/index/index\",\"scene\":1256}", true, true, null, true, "microsoft", "wifi", null, true, null, null, 1.5, "windows", [0, 414, 0, 736, 414, 736], 736, null, 414, "3.5.6", 0, "Windows 11 x64", "3.9.11", true, null, 736, 414, null], 1726748344, [0, 1, 1, 0, 4], "d4b28699f0dc473791a393c05739ab9109"]
如有侵权请联系 wx 17607109181 删除
标签:case,1.2,加解密,pop,push,length,continue,纯算,null From: https://blog.csdn.net/lengyue520520/article/details/142368995