信用中国【国密SM2、SM4加解密】逆向算法分析
网址:aHR0cHM6Ly9jcmVkaXQuaGQuZ292LmNuL3h5eHhncy8=
点击“加载更多”可以看到请求相关的加密参数和返回的字节数据。请求的加密参数有nonceStr、queryContent、sign。
请求参数分析
直接搜nonceStr
可以看到是uuid随机字符串
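// Client configuration found while searching the site's front-end script for nonceStr.
// The article notes that every value in this object is fixed.
// NOTE(review): appSignPrivateKey and encryptKey are delivered to every browser that loads
// the page, so the SM2 request signature and the SM4 payload encryption cannot authenticate
// a client or keep the query hidden from the user. Access control has to be enforced
// server-side rather than by these client-held keys.
const e = {
  appId: '27IGtFrNFDc',
  signType: 'SM2',
  encryptType: 'SM4',
  appSignPrivateKey: '7faa61bb9051707ad9d9d2c417d61e038a3af871a61c8da534a9061ac1e51c32',
  appSignPublicKey: '040f5940c99c46ee9e438487c6a41d880b93f0804ea0e5ef53a062bb08203fc2a675b3d2b7a9aeb1862bb1b8fa5d17a40e300cbbe9a470ee3bf89b4ccb1c899719',
  encryptKey: 'dbb78b8b64d640bb130255c69e959973',
  platformPublicKey: '0475ed079f423c14c6cc2fec93ce296cefc96c4be11af343c3f654f99140f8d6861589308929156ae62a74955c8bb2f4af540a45c7d1208f2ca61b264b4f383e27',
};

// Plain-text query string; only the page number changes between requests.
const i = 'param=&page=2&size=10';

// queryContent is the SM4 encryption of the query string under the fixed encryptKey.
// `sm4` is provided elsewhere (not shown on this page).
const queryContent = sm4.encrypt(i, e.encryptKey);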
queryContent 是SM4加密 ‘param=&page=2&size=10’
e对象是密钥相关信息,都是固定的,i中的page是从0开始的
sign值是将请求参数n按照键排序,再拼接成字符串
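// Request parameters captured for one call (before `sign` is attached).
const n = {
  version: '1.0',
  appId: '27IGtFrNFDc',
  signType: 'SM2',
  encryptType: 'SM4',
  nonceStr: '1524e22536d347c082c2a9e77d12839f',
  timestamp: 1745648864934,
  queryContent: '88e7484b6bd56df73e4672337fa76bde31244ee277cc8ef5d7df2e4ad5afd7b9',
};

// Signature input for the parameters above: n's keys in sorted order, each written as
// key=value and joined with '&'.
// The '&timestamp' segment is restored here; the page rendering had turned '&times' into '×'.
const signSource =
  'appId=27IGtFrNFDc&encryptType=SM4&nonceStr=1524e22536d347c082c2a9e77d12839f&queryContent=88e7484b6bd56df73e4672337fa76bde31244ee277cc8ef5d7df2e4ad5afd7b9&signType=SM2&timestamp=1745648864934&version=1.0';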
然后再将拼接的字符串进行SM2加密。SM2每次运算都会引入随机数,所以对同一个字符串返回的结果也是随机的(signType为SM2,且e中有appSignPrivateKey,这一步应该是SM2签名,待确认)。
然后再将SM2加密得到的结果经过Zi()方法加密
这里用到了Yi()方法,就是把十六进制转为十进制
响应字节分析
有加密就有解密,直接搜decrypt(
可以猜,是和SM2或者SM4相关的解密,所以在这三个地方断点
在这里断住,就是SM4解密
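/**
 * Parse the binary response envelope and return the SM4-decrypted body as JSON.
 *
 * Layout read by this function: a 40-byte header whose first eight big-endian
 * Int32 values are the byte lengths of the fields listed in FIELD_NAMES, followed
 * by the field payloads back to back in that same order.
 *
 * Relies on `sm4` and on the outer config object `e` (for `e.encryptKey`), both
 * defined outside this function.
 *
 * @param {ArrayBuffer|Uint8Array|number[]|Buffer} data - Raw response bytes.
 * @returns {*} The value produced by JSON.parse on the decrypted body.
 * @throws {Error} If the input is shorter than the header or a declared field
 *   length is negative or runs past the end of the input.
 * @throws {SyntaxError} If the decrypted body is not valid JSON.
 */
function decryptByteArr(data) {
  const HEADER_SIZE = 40;
  const FIELD_NAMES = ['body', 'code', 'message', 'nonceStr', 'requestId', 'subCode', 'subMessage', 'signed'];

  const buf = Buffer.from(data);
  if (buf.byteLength < HEADER_SIZE) {
    throw new Error('Response is shorter than the 40-byte header');
  }

  // In Node, Buffer.from() may return a view into a shared pool, so `buf.buffer`
  // alone can start at unrelated bytes. Honour byteOffset/byteLength for both views.
  const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  const bytes = new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);

  const fields = {};
  let offset = HEADER_SIZE;
  FIELD_NAMES.forEach((name, index) => {
    const length = view.getInt32(4 * index);
    // The lengths come from the network; reject values that would slice outside the input.
    if (length < 0 || offset + length > bytes.length) {
      throw new Error('Invalid length for field "' + name + '"');
    }
    fields[name] = bytes.subarray(offset, offset + length);
    offset += length;
  });

  // NOTE(review): `signed` is extracted but never checked here. It is presumably a
  // signature over the response; a consumer that depends on integrity should verify
  // it before trusting the body. Confirm against the site's own handling.

  // sm4.decrypt is given the ciphertext as a lowercase hex string.
  const bodyHex = Array.from(fields.body, (byte) => (byte < 16 ? '0' : '') + byte.toString(16)).join('');
  const plaintext = sm4.decrypt(bodyHex, e.encryptKey, { output: 'string' });
  return JSON.parse(plaintext);
}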