1. url： http://mail.yw.gov.cn/

2. target：登录js

3. 简单分析：

寻找加密js：

3.1 直接寻找加密的参数p是不好找的，所以我们试着去寻找一些更明显的参数

3.2 然后我们直接去找“pp”参数，找到这里，打上断点去调试，一步步执行下去看看：

 3.3 经过上面的步骤，我们不难发现，加密js就在下面不远处。。

 3.4 这下就很清晰了，具体细节大家可自行调试，把加密的js 抠出来，运行即可。

js：

navigator = {};var dbits;var canary = 0xdeadbeefcafe;var j_lm = ((canary & 0xffffff) == 0xefcafe);function BigInteger(d, e, f) {if (d != null) if ("number" == typeof d) this.fromNumber(d, e, f);else if (e == null && "string" != typeof d) this.fromString(d, 256);else this.fromString(d, e);}function nbi() {return new BigInteger(null);}function am1(b, h, g, d, a, e) {while (--e >= 0) { var f = h * this[b++] + g[d] + a; a = Math.floor(f / 0x4000000); g[d++] = f & 0x3ffffff;}return a;}function am2(d, p, o, e, a, k) {var r = p & 0x7fff,q = p >> 15;while (--k >= 0) { var f = this[d] & 0x7fff; var b = this[d++] >> 15; var g = q * f + b * r; f = r * f + ((g & 0x7fff) << 15) + o[e] + (a & 0x3fffffff); a = (f >>> 30) + (g >>> 15) + q * b + (a >>> 30); o[e++] = f & 0x3fffffff;}return a;}function am3(d, p, o, e, a, k) {var r = p & 0x3fff,q = p >> 14;while (--k >= 0) { var f = this[d] & 0x3fff; var b = this[d++] >> 14; var g = q * f + b * r; f = r * f + ((g & 0x3fff) << 14) + o[e] + a; a = (f >> 28) + (g >> 14) + q * b; o[e++] = f & 0xfffffff;}return a;}if (j_lm && (navigator.appName == "Microsoft Internet Explorer")) {BigInteger.prototype.am = am2;dbits = 30;} else if (j_lm && (navigator.appName != "Netscape")) {BigInteger.prototype.am = am1;dbits = 26;} else {BigInteger.prototype.am = am3;dbits = 28;}BigInteger.prototype.DB = dbits;BigInteger.prototype.DM = ((1 << dbits) - 1);BigInteger.prototype.DV = (1 << dbits);var BI_FP = 52;BigInteger.prototype.FV = Math.pow(2, BI_FP);BigInteger.prototype.F1 = BI_FP - dbits;BigInteger.prototype.F2 = 2 * dbits - BI_FP;var BI_RM = "0123456789abcdefghijklmnopqrstuvwxyz";var BI_RC = new Array();var rr, vv;rr = "0".charCodeAt(0);for (vv = 0; vv <= 9; ++vv) BI_RC[rr++] = vv;rr = "a".charCodeAt(0);for (vv = 10; vv < 36; ++vv) BI_RC[rr++] = vv;rr = "A".charCodeAt(0);for (vv = 10; vv < 36; ++vv) BI_RC[rr++] = vv;function int2char(a) {return BI_RM.charAt(a);}function intAt(d, b) {var a = BI_RC[d.charCodeAt(b)];return (a == null) ? -1 : a;}function bnpCopyTo(b) {for (var a = this.t - 1; a >= 0; --a) b[a] = this[a];b.t = this.t;b.s = this.s;}function bnpFromInt(a) {this.t = 1;this.s = (a < 0) ? -1 : 0;if (a > 0) this[0] = a;else if (a < -1) this[0] = a + DV;else this.t = 0;}function nbv(a) {var b = nbi();b.fromInt(a);return b;}function bnpFromString(f, a) {var d;if (a == 16) d = 4;else if (a == 8) d = 3;else if (a == 256) d = 8;else if (a == 2) d = 1;else if (a == 32) d = 5;else if (a == 4) d = 2;else { this.fromRadix(f, a); return;}this.t = 0;this.s = 0;var c = f.length,e = false,g = 0;while (--c >= 0) { var h = (d == 8) ? f[c] & 0xff: intAt(f, c); if (h < 0) { if (f.charAt(c) == "-") e = true; continue; } e = false; if (g == 0) this[this.t++] = h; else if (g + d > this.DB) { this[this.t - 1] |= (h & ((1 << (this.DB - g)) - 1)) << g; this[this.t++] = (h >> (this.DB - g)); } else this[this.t - 1] |= h << g; g += d; if (g >= this.DB) g -= this.DB;}if (d == 8 && (f[0] & 0x80) != 0) { this.s = -1; if (g > 0) this[this.t - 1] |= ((1 << (this.DB - g)) - 1) << g;}this.clamp();if (e) BigInteger.ZERO.subTo(this, this);}function bnpClamp() {var a = this.s & this.DM;while (this.t > 0 && this[this.t - 1] == a)--this.t;}function bnToString(a) {if (this.s < 0) return "-" + this.negate().toString(a);var f;if (a == 16) f = 4;else if (a == 8) f = 3;else if (a == 2) f = 1;else if (a == 32) f = 5;else if (a == 4) f = 2;else return this.toRadix(a);var g = (1 << f) - 1,c,h = false,l = "",e = this.t;var j = this.DB - (e * this.DB) % f;if (e-->0) { if (j < this.DB && (c = this[e] >> j) > 0) { h = true; l = int2char(c); } while (e >= 0) { if (j < f) { c = (this[e] & ((1 << j) - 1)) << (f - j); c |= this[--e] >> (j += this.DB - f); } else { c = (this[e] >> (j -= f)) & g; if (j <= 0) { j += this.DB; --e; } } if (c > 0) h = true; if (h) l += int2char(c); }}return h ? l: "0";}function bnNegate() {var a = nbi();BigInteger.ZERO.subTo(this, a);return a;}function bnAbs() {return (this.s < 0) ? this.negate() : this;}function bnCompareTo(b) {var d = this.s - b.s;if (d != 0) return d;var c = this.t;d = c - b.t;if (d != 0) return d;while (--c >= 0) if ((d = this[c] - b[c]) != 0) return d;return 0;}function nbits(c) {var a = 1,b;if ((b = c >>> 16) != 0) { c = b; a += 16;}if ((b = c >> 8) != 0) { c = b; a += 8;}if ((b = c >> 4) != 0) { c = b; a += 4;}if ((b = c >> 2) != 0) { c = b; a += 2;}if ((b = c >> 1) != 0) { c = b; a += 1;}return a;}function bnBitLength() {if (this.t <= 0) return 0;return this.DB * (this.t - 1) + nbits(this[this.t - 1] ^ (this.s & this.DM));}function bnpDLShiftTo(b, c) {var a;for (a = this.t - 1; a >= 0; --a) c[a + b] = this[a];for (a = b - 1; a >= 0; --a) c[a] = 0;c.t = this.t + b;c.s = this.s;}function bnpDRShiftTo(b, c) {for (var a = b; a < this.t; ++a) c[a - b] = this[a];c.t = Math.max(this.t - b, 0);c.s = this.s;}function bnpLShiftTo(h, j) {var b = h % this.DB;var e = this.DB - b;var a = (1 << e) - 1;var f = Math.floor(h / this.DB),d = (this.s << b) & this.DM,g;for (g = this.t - 1; g >= 0; --g) { j[g + f + 1] = (this[g] >> e) | d; d = (this[g] & a) << b;}for (g = f - 1; g >= 0; --g) j[g] = 0;j[f] = d;j.t = this.t + f + 1;j.s = this.s;j.clamp();}function bnpRShiftTo(f, g) {g.s = this.s;var d = Math.floor(f / this.DB);if (d >= this.t) { g.t = 0; return;}var b = f % this.DB;var c = this.DB - b;var a = (1 << b) - 1;g[0] = this[d] >> b;for (var e = d + 1; e < this.t; ++e) { g[e - d - 1] |= (this[e] & a) << c; g[e - d] = this[e] >> b;}if (b > 0) g[this.t - d - 1] |= (this.s & a) << c;g.t = this.t - d;g.clamp();}function bnpSubTo(b, g) {var e = 0,d = 0,f = Math.min(b.t, this.t);while (e < f) { d += this[e] - b[e]; g[e++] = d & this.DM; d >>= this.DB;}if (b.t < this.t) { d -= b.s; while (e < this.t) { d += this[e]; g[e++] = d & this.DM; d >>= this.DB; } d += this.s;} else { d += this.s; while (e < b.t) { d -= b[e]; g[e++] = d & this.DM; d >>= this.DB; } d -= b.s;}g.s = (d < 0) ? -1 : 0;if (d < -1) g[e++] = this.DV + d;else if (d > 0) g[e++] = d;g.t = e;g.clamp();}function bnpMultiplyTo(b, d) {var e = this.abs(),f = b.abs();var c = e.t;d.t = c + f.t;while (--c >= 0) d[c] = 0;for (c = 0; c < f.t; ++c) d[c + e.t] = e.am(0, f[c], d, c, 0, e.t);d.s = 0;d.clamp();if (this.s != b.s) BigInteger.ZERO.subTo(d, d);}function bnpSquareTo(d) {var e = this.abs();var b = d.t = 2 * e.t;while (--b >= 0) d[b] = 0;for (b = 0; b < e.t - 1; ++b) { var a = e.am(b, e[b], d, 2 * b, 0, 1); if ((d[b + e.t] += e.am(b + 1, 2 * e[b], d, 2 * b + 1, a, e.t - b - 1)) >= e.DV) { d[b + e.t] -= e.DV; d[b + e.t + 1] = 1; }}if (d.t > 0) d[d.t - 1] += e.am(b, e[b], d, 2 * b, 0, 1);d.s = 0;d.clamp();}function bnpDivRemTo(g, o, s) {var l = g.abs();if (l.t <= 0) return;var n = this.abs();if (n.t < l.t) { if (o != null) o.fromInt(0); if (s != null) this.copyTo(s); return;}if (s == null) s = nbi();var x = nbi(),w = this.s,h = g.s;var k = this.DB - nbits(l[l.t - 1]);if (k > 0) { l.lShiftTo(k, x); n.lShiftTo(k, s);} else { l.copyTo(x); n.copyTo(s);}var B = x.t;var A = x[B - 1];if (A == 0) return;var C = A * (1 << this.F1) + ((B > 1) ? x[B - 2] >> this.F2: 0);var a = this.FV / C,b = (1 << this.F1) / C,c = 1 << this.F2;var d = s.t,f = d - B,u = (o == null) ? nbi() : o;x.dlShiftTo(f, u);if (s.compareTo(u) >= 0) { s[s.t++] = 1; s.subTo(u, s);}BigInteger.ONE.dlShiftTo(B, u);u.subTo(x, x);while (x.t < B) x[x.t++] = 0;while (--f >= 0) { var p = (s[--d] == A) ? this.DM: Math.floor(s[d] * a + (s[d - 1] + c) * b); if ((s[d] += x.am(0, p, s, f, 0, B)) < p) { x.dlShiftTo(f, u); s.subTo(u, s); while (s[d] < --p) s.subTo(u, s); }}if (o != null) { s.drShiftTo(B, o); if (w != h) BigInteger.ZERO.subTo(o, o);}s.t = B;s.clamp();if (k > 0) s.rShiftTo(k, s);if (w < 0) BigInteger.ZERO.subTo(s, s);}function bnMod(b) {var c = nbi();this.abs().divRemTo(b, null, c);if (this.s < 0 && c.compareTo(BigInteger.ZERO) > 0) b.subTo(c, c);return c;}function Classic(a) {this.m = a;}function cConvert(a) {if (a.s < 0 || a.compareTo(this.m) >= 0) return a.mod(this.m);else return a;}function cRevert(a) {return a;}function cReduce(a) {a.divRemTo(this.m, null, a);}function cMulTo(b, c, a) {b.multiplyTo(c, a);this.reduce(a);}function cSqrTo(b, a) {b.squareTo(a);this.reduce(a);}Classic.prototype.convert = cConvert;Classic.prototype.revert = cRevert;Classic.prototype.reduce = cReduce;Classic.prototype.mulTo = cMulTo;Classic.prototype.sqrTo = cSqrTo;function bnpInvDigit() {if (this.t < 1) return 0;var a = this[0];if ((a & 1) == 0) return 0;var b = a & 3;b = (b * (2 - (a & 0xf) * b)) & 0xf;b = (b * (2 - (a & 0xff) * b)) & 0xff;b = (b * (2 - (((a & 0xffff) * b) & 0xffff))) & 0xffff;b = (b * (2 - a * b % this.DV)) % this.DV;return (b > 0) ? this.DV - b: -b;}function Montgomery(a) {this.m = a;this.mp = a.invDigit();this.mpl = this.mp & 0x7fff;this.mph = this.mp >> 15;this.um = (1 << (a.DB - 15)) - 1;this.mt2 = 2 * a.t;}function montConvert(b) {var a = nbi();b.abs().dlShiftTo(this.m.t, a);a.divRemTo(this.m, null, a);if (b.s < 0 && a.compareTo(BigInteger.ZERO) > 0) this.m.subTo(a, a);return a;}function montRevert(b) {var a = nbi();b.copyTo(a);this.reduce(a);return a;}function montReduce(d) {while (d.t <= this.mt2) d[d.t++] = 0;for (var a = 0; a < this.m.t; ++a) { var b = d[a] & 0x7fff; var c = (b * this.mpl + (((b * this.mph + (d[a] >> 15) * this.mpl) & this.um) << 15)) & d.DM; b = a + this.m.t; d[b] += this.m.am(0, c, d, a, 0, this.m.t); while (d[b] >= d.DV) { d[b] -= d.DV; d[++b]++; }}d.clamp();d.drShiftTo(this.m.t, d);if (d.compareTo(this.m) >= 0) d.subTo(this.m, d);}function montSqrTo(b, a) {b.squareTo(a);this.reduce(a);}function montMulTo(b, c, a) {b.multiplyTo(c, a);this.reduce(a);}Montgomery.prototype.convert = montConvert;Montgomery.prototype.revert = montRevert;Montgomery.prototype.reduce = montReduce;Montgomery.prototype.mulTo = montMulTo;Montgomery.prototype.sqrTo = montSqrTo;function bnpIsEven() {return ((this.t > 0) ? (this[0] & 1) : this.s) == 0;}function bnpExp(a, j) {if (a > 0xffffffff || a < 1) return BigInteger.ONE;var d = nbi(),f = nbi(),b = j.convert(this),c = nbits(a) - 1;b.copyTo(d);while (--c >= 0) { j.sqrTo(d, f); if ((a & (1 << c)) > 0) j.mulTo(f, b, d); else { var h = d; d = f; f = h; }}return j.revert(d);}function bnModPowInt(a, b) {var c;if (a < 256 || b.isEven()) c = new Classic(b);else c = new Montgomery(b);return this.exp(a, c);}BigInteger.prototype.copyTo = bnpCopyTo;BigInteger.prototype.fromInt = bnpFromInt;BigInteger.prototype.fromString = bnpFromString;BigInteger.prototype.clamp = bnpClamp;BigInteger.prototype.dlShiftTo = bnpDLShiftTo;BigInteger.prototype.drShiftTo = bnpDRShiftTo;BigInteger.prototype.lShiftTo = bnpLShiftTo;BigInteger.prototype.rShiftTo = bnpRShiftTo;BigInteger.prototype.subTo = bnpSubTo;BigInteger.prototype.multiplyTo = bnpMultiplyTo;BigInteger.prototype.squareTo = bnpSquareTo;BigInteger.prototype.divRemTo = bnpDivRemTo;BigInteger.prototype.invDigit = bnpInvDigit;BigInteger.prototype.isEven = bnpIsEven;BigInteger.prototype.exp = bnpExp;BigInteger.prototype.toString = bnToString;BigInteger.prototype.negate = bnNegate;BigInteger.prototype.abs = bnAbs;BigInteger.prototype.compareTo = bnCompareTo;BigInteger.prototype.bitLength = bnBitLength;BigInteger.prototype.mod = bnMod;BigInteger.prototype.modPowInt = bnModPowInt;BigInteger.ZERO = nbv(0);BigInteger.ONE = nbv(1);function Arcfour() {this.i = 0;this.j = 0;this.S = new Array();}function ARC4init(c) {var a, b, d;for (a = 0; a < 256; ++a) this.S[a] = a;b = 0;for (a = 0; a < 256; ++a) { b = (b + this.S[a] + c[a % c.length]) & 255; d = this.S[a]; this.S[a] = this.S[b]; this.S[b] = d;}this.i = 0;this.j = 0;}function ARC4next() {var a;this.i = (this.i + 1) & 255;this.j = (this.j + this.S[this.i]) & 255;a = this.S[this.i];this.S[this.i] = this.S[this.j];this.S[this.j] = a;return this.S[(a + this.S[this.i]) & 255];}Arcfour.prototype.init = ARC4init;Arcfour.prototype.next = ARC4next;function prng_newstate() {return new Arcfour();}var rng_psize = 256;var rng_state;var rng_pool;var rng_pptr;function rng_seed_int(a) {rng_pool[rng_pptr++] ^= a & 255;rng_pool[rng_pptr++] ^= (a >> 8) & 255;rng_pool[rng_pptr++] ^= (a >> 16) & 255;rng_pool[rng_pptr++] ^= (a >> 24) & 255;if (rng_pptr >= rng_psize) rng_pptr -= rng_psize;}function rng_seed_time() {rng_seed_int(new Date().getTime());}if (rng_pool == null) {rng_pool = new Array();rng_pptr = 0;var t;if (navigator.appName == "Netscape" && navigator.appVersion < "5" && window.crypto) { var z = window.crypto.random(32); for (t = 0; t < z.length; ++t) rng_pool[rng_pptr++] = z.charCodeAt(t) & 255;}while (rng_pptr < rng_psize) { t = Math.floor(65536 * Math.random()); rng_pool[rng_pptr++] = t >>> 8; rng_pool[rng_pptr++] = t & 255;}rng_pptr = 0;rng_seed_time();}function rng_get_byte() {if (rng_state == null) { rng_seed_time(); rng_state = prng_newstate(); rng_state.init(rng_pool); for (rng_pptr = 0; rng_pptr < rng_pool.length; ++rng_pptr) rng_pool[rng_pptr] = 0; rng_pptr = 0;}return rng_state.next();}function rng_get_bytes(a) {var b;for (b = 0; b < a.length; ++b) a[b] = rng_get_byte();}function SecureRandom() {}SecureRandom.prototype.nextBytes = rng_get_bytes;function parseBigInt(b, a) {return new BigInteger(b, a);}function linebrk(d, b) {var c = "";var a = 0;while (a + b < d.length) { c += d.substring(a, a + b) + "\n"; a += b;}return c + d.substring(a, d.length);}function byte2Hex(a) {if (a < 0x10) return "0" + a.toString(16);else return a.toString(16);}function pkcs1pad2(e, c) {if (c < e.length + 11) { alert("Message too long for RSA"); return null;}var a = new Array();var b = e.length - 1;while (b >= 0 && c > 0) a[--c] = e.charCodeAt(b--);a[--c] = 0;var d = new SecureRandom();var f = new Array();while (c > 2) { f[0] = 0; while (f[0] == 0) d.nextBytes(f); a[--c] = f[0];}a[--c] = 2;a[--c] = 0;return new BigInteger(a);}function RSAKey() {this.n = null;this.e = 0;this.d = null;this.p = null;this.q = null;this.dmp1 = null;this.dmq1 = null;this.coeff = null;}function RSASetPublic(b, a) {if (b != null && a != null && b.length > 0 && a.length > 0) { this.n = parseBigInt(b, 16); this.e = parseInt(a, 16);} else alert("Invalid RSA public key");}function RSADoPublic(a) {return a.modPowInt(this.e, this.n);}function RSAEncrypt(e) {var d = pkcs1pad2(e, (this.n.bitLength() + 7) >> 3);if (d == null) return null;var a = this.doPublic(d);if (a == null) return null;var b = a.toString(16);if ((b.length & 1) == 0) return b;else return "0" + b;}RSAKey.prototype.doPublic = RSADoPublic;RSAKey.prototype.setPublic = RSASetPublic;RSAKey.prototype.encrypt = RSAEncrypt;var b64map = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";var b64pad = "=";function hex2b64(b) {var d;var a;var e = "";for (d = 0; d + 3 <= b.length; d += 3) { a = parseInt(b.substring(d, d + 3), 16); e += b64map.charAt(a >> 6) + b64map.charAt(a & 63);}if (d + 1 == b.length) { a = parseInt(b.substring(d, d + 1), 16); e += b64map.charAt(a << 2);} else if (d + 2 == b.length) { a = parseInt(b.substring(d, d + 2), 16); e += b64map.charAt(a >> 2) + b64map.charAt((a & 3) << 4);}while ((e.length & 3) > 0) e += b64pad;return e;}function b64tohex(d) {var c = "";var a;var b = 0;var e;for (a = 0; a < d.length; ++a) { if (d.charAt(a) == b64pad) break; v = b64map.indexOf(d.charAt(a)); if (v < 0) continue; if (b == 0) { c += int2char(v >> 2); e = v & 3; b = 1; } else if (b == 1) { c += int2char((e << 2) | (v >> 4)); e = v & 0xf; b = 2; } else if (b == 2) { c += int2char(e); c += int2char(v >> 2); e = v & 3; b = 3; } else { c += int2char((e << 2) | (v >> 4)); c += int2char(v & 0xf); b = 0; }}if (b == 1) c += int2char(e << 2);return c;}function b64toBA(e) {var c = b64tohex(e);var d;var b = new Array();for (d = 0; 2 * d < c.length; ++d) { b[d] = parseInt(c.substring(2 * d, 2 * d + 2), 16);}return b;}function safeauth_js() {}function getPwd(pwd) {var PublicKey = "CF87D7B4C864F4842F1D337491A48FFF54B73A17300E8E42FA365420393AC0346AE55D8AFAD975DFA175FAF0106CBA81AF1DDE4ACEC284DAC6ED9A0D8FEB1CC070733C58213EFFED46529C54CEA06D774E3CC7E073346AEBD6C66FC973F299EB74738E400B22B1E7CDC54E71AED059D228DFEB5B29C530FF341502AE56DDCFE9";var RSA = new RSAKey();RSA.setPublic(PublicKey, "10001");var PublicTs = "1578280046";var Res = RSA.encrypt(pwd + ‘\n‘ + PublicTs + ‘\n‘);return hex2b64(Res);}

View Code

结果：

 思路就是这样，不去用python做登录测试了。