From d92e5a73be14ecce757a3d9d6d5baf0a5797ee22 Mon Sep 17 00:00:00 2001 From: liyf Date: Thu, 5 Jan 2023 16:05:58 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E4=B8=BA=E6=9C=80=E5=90=8E?= =?UTF-8?q?=E6=9B=B4=E6=96=B0=E4=BA=8E:=202023-03-28=20=E4=B8=80=E5=93=81?= =?UTF-8?q?=E5=A8=81=E5=AE=A2=EF=BC=8C=E7=99=BB=E5=BD=95=E6=8E=A5=E5=8F=A3?= =?UTF-8?q?=E5=8F=82=E6=95=B0=20`signature`=20=E7=9A=84=E7=A0=B4=E8=A7=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- readme.MD | 2 + ypwk/__init__.py | 4 ++ ypwk/demo.js | 117 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 123 insertions(+) create mode 100644 ypwk/__init__.py create mode 100644 ypwk/demo.js diff --git a/readme.MD b/readme.MD index be6f97b..aa3a510 100644 --- a/readme.MD +++ b/readme.MD @@ -1,4 +1,5 @@ ### PS: 本项目仅供学习交流,严禁用于任何商业和非法用途,非本人使用而产生的纠纷与一切后果均与本人无关。如有侵权,可联系本人删除(微信: `wojiaoliyf`)! + *** ### 关于js逆向的参数定位技巧及无限debugger绕过 @@ -105,6 +106,7 @@ MyToken | [链接](https://www.mytokencap.com/) | [点击跳转](https://blog 猎聘 | [链接](https://www.liepin.com/zhaopin/?inputFrom=www_index&workYearCode=0&key=&scene=input&ckId=cei1lxwcgvjwp0v613z0tdqvn0ziea1b&dq=) | [点击跳转](liepin/demo.js) | [liepin](liepin) 阿里文学 | [链接](https://www.aliwx.com.cn/reader?bid=6813923&cid=674174) | | [aliwx](aliwx) 当乐网 | [链接](https://oauth.d.cn/auth/goLogin.html) | [点击跳转](oauth/demo.js) | [oauth](oauth) +一品威客 | [链接](https://www.epwk.com/login.html) | [点击跳转](ypwk/demo.js) | [ypwk](ypwk) *** diff --git a/ypwk/__init__.py b/ypwk/__init__.py new file mode 100644 index 0000000..b684973 --- /dev/null +++ b/ypwk/__init__.py @@ -0,0 +1,4 @@ +# _*_ coding: utf-8 _*_ +# @Date: 3:35 下午 +# @File: __init__.py.py +# @Author: liyf diff --git a/ypwk/demo.js b/ypwk/demo.js new file mode 100644 index 0000000..dbd9e86 --- /dev/null +++ b/ypwk/demo.js 
@@ -0,0 +1,117 @@
+/*
+* 一品威客(https://www.epwk.com/login.html)登录破解
+* 接口:https://www.epwk.com/api/epwk/v1/user/login
+ - post请求
+ - 参数以明文的形式传递
+ - data = {
+ 'username': '账号',
+ 'password': '明文密码',
+ 'code': '',
+ 'hdn_refer': '',
+ }
+* 破解参数:请求头中的Signature的值
+* todo 思路如下:
+* 全局搜索 `Signature`,很容易定位到加密位置
+* 下断点,重新请求,然后跟进去代码,可以定位到关键的加密函数,如下
+ ```
+ var data = arguments.length > 1 && void 0 !== arguments[1] ? arguments[1] : {}
+ , e = arguments.length > 2 && void 0 !== arguments[2] ? arguments[2] : "a75846eb4ac490420ac63db46d2a03bf"
+ , r = e + d(data) + d(t) + e;
+ return r = f(r),
+ r = m(r)
+ ```
+
+* 经过两次加密,首先经过md5加密,r = f(r),其中f函数实现对参数r进行md5加密
+* 其次经过 `AES-CBC-Pkcs7` 模式加密,k和iv都能获取到。
+ ```
+ return function(data) {
+ return c.a.AES.encrypt(data, l.key, {
+ iv: l.iv,
+ mode: c.a.mode.CBC,
+ padding: c.a.pad.Pkcs7
+ }).toString()
+ }(data)
+ ```
+* 最终得到Signature的值
+*/
+
+var CryptoJS = require('crypto-js');
+
+var d = function (t) {
+ var e = "";
+ return Object.keys(t).sort().forEach((function (r) {
+ e += r + ("object" === n_a(t[r]) ? JSON.stringify(t[r], (function (t, e) {
+ return "number" == typeof e && (e = String(e)),
+ e
+ }
+ )).replace(/\//g, "\\/") : t[r])
+ }
+ )),
+ e
+ },
+ f = function (data) {
+ return CryptoJS.MD5(data).toString()
+ },
+ l_t = {
+ key: CryptoJS.enc.Utf8.parse("fX@VyCQVvpdj8RCa"),
+ iv: CryptoJS.enc.Utf8.parse(function (t) {
+ for (var e = "", i = 0; i < t.length - 1; i += 2) {
+ var r = parseInt(t[i] + "" + t[i + 1], 16);
+ e += String.fromCharCode(r)
+ }
+ return e
+ }("00000000000000000000000000000000"))
+ },
+ m = function (data) {
+ return function (data) {
+ return CryptoJS.AES.encrypt(data, l_t.key, {
+ iv: l_t.iv,
+ mode: CryptoJS.mode.CBC,
+ padding: CryptoJS.pad.Pkcs7
+ }).toString()
+ }(data)
+ };
+
+function n_a(e) {
+ return typeof e
+}
+
+function h_e() {
+ var e = arguments.length > 0 && void 0 !== arguments[0] ? arguments[0] : 5;
+ return Math.random().toString(36).substring(3, 3 + e)
+}
+
+function get_signature(ts) {
+ var l = {
+ "i": false,
+ "j": false,
+ "h": true,
+ "d": "prod",
+ "a": "https://s1.weikeimg.com/_nuxt/",
+ "e": "https://im2.epwitkey.com",
+ "b": "4ac490420ac63db4",
+ "c": "a75846eb4ac490420ac63db46d2a03bf",
+ "f": "af9f93d4530c6167",
+ "g": "c93ce713af9f93d4530c6167b78a3871"
+ },
+ t = {
+ "App-Ver": "",
+ "Os-Ver": "",
+ "Device-Ver": "",
+ Imei: "",
+ "Access-Token": "",
+ Timestemp: ts,
+ NonceStr: "".concat(ts).concat(h_e()),
+ "App-Id": l.j ? l.f : l.b,
+ "Device-Os": "web"
+ };
+ var data = arguments.length > 1 && void 0 !== arguments[1] ? arguments[1] : {}
+ , e = arguments.length > 2 && void 0 !== arguments[2] ? arguments[2] : "a75846eb4ac490420ac63db46d2a03bf"
+ , r = e + d(data) + d(t) + e
+ , r = f(r),
+ r = m(r);
+ return {signature: r, params: t}
+}
+
+var ts = parseInt((new Date).getTime() / 1e3);
+console.log(get_signature(ts))
\ No newline at end of file
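Review bot: `get_signature` is declared with the single parameter `ts`, yet near its end it reads two further inputs through `arguments[1]` and `arguments[2]`, and the same `var` list then declares `r` three times, which makes the data flow into the returned `signature` hard to follow. Naming the inputs, `function get_signature(ts, data = {}, e = "a75846eb4ac490420ac63db46d2a03bf")`, and collapsing the chain to `var r = m(f(e + d(data) + d(t) + e));` keeps the behaviour and removes the redeclarations; `h_e` has the same hidden-parameter pattern and could be `function h_e(e = 5)`. The 32-character default for `e` repeats the literal already stored as `l.c`, and most other fields of `l` are never read in this function, so the object could shrink to the values actually used. A comment on `l_t` would also help readers, for example `// key and IV are fixed constants (the IV decodes to 16 zero bytes), so this AES-CBC step is deterministic for a given input`.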