No more nonsense!

  1. Tools used

1.ie browser (version 9 or above)

2.httpwatch (both Chinese and English are available)

3.js debugging tools

Target website: http://xz.189.cn/sso/LoginServlet Telecom 189 login

  1. Packet capture:

  2. Clear the website’s cookies and cache before capturing packets.

  3. Turn on the packet capture tool before opening the page (otherwise the encrypted js will not be captured)

  4. Determine which one is our login submission package

  5. Analyze packet capture data:

  1. IE’s F12 developer tools are used here.

  2. Find our password keyword password passWord

  3. Continue to trace the function called encryptedString for encryption

4.encryptedString We also need to know what the two parameters of this function are and continue to look for the key.

  1. Then I have enough parameters for encryption. The next step is debugging. Someone here will ask, aren’t there two parameters? What about the other s? Through the function, we know that s is the pwd that encrypts the password. By calling the function if, we can know that pwd is our password passWord.

  2. Next, copy the calling function and debug it in the developer tools first. It requires two parameters: key and s.

  3. There is no problem debugging in IE, then debug it in the js debugging tool.

  4. Copy the secret js and key of 3 RSAs and call the bodyRSA() function. The parameter is the password. We found that it is an object and there is no way to call it directly. If you continue to call it, the tool will hang.

  5. Here is the difficulty of RSA. It needs to be rewritten, otherwise our Yi language will not be able to call it.

  6. Copy the rewritten function to the debugging tool as before, or call the bodyrsa() function

Finally found that we succeeded

Because I don’t have a telecommunications phone number, I can’t write a complete cookie operation login. Looking forward to the next issue!