RPC浅析，加密数据解析

 个人总结

其实就是HOOK注入wbsocket 链接创建服务端和客户端进行通信，直接调用js代码中的加密方法

将结果通过浏览器客户端传入服务端。一种比较好实用的一种技术 

https://blog.csdn.net/qq_36759224/article/details/123082574

（搬运记录下）

RPC，英文 RangPaCong，中文让爬虫，旨在为爬虫开路，秒杀一切，让爬虫畅通无阻！

开个玩笑，实际上 RPC 为远程过程调用，全称 Remote Procedure Call，是一种技术思想而非一种规范或协议。RPC 的诞生事实上离不开分布式的发展，RPC 主要解决了两个问题：

1.解决了分布式系统中，服务之间的互相调用问题；2.RPC 使得在远程调用时，像本地调用一样方便，让调用者感知不到远程调用的逻辑。

RPC 的存在让构建分布式系统更加容易，相比于 HTTP 协议，RPC 采用二进制字节码传输，因此也更加高效、安全。在一个典型 RPC 的使用场景中，包含了服务发现、负载、容错、网络传输、序列化等组件

RPC 技术是非常复杂的，对于我们搞爬虫、逆向的来说，不需要完全了解，只需要知道这项技术如何在逆向中应用就行了。

RPC 在逆向中，简单来说就是将本地和浏览器，看做是服务端和客户端，二者之间通过 WebSocket 协议进行 RPC 通信，在浏览器中将加密函数暴露出来，在本地直接调用浏览器中对应的加密函数，从而得到加密结果，不必去在意函数具体的执行逻辑，也省去了扣代码、补环境等操作，可以省去大量的逆向调试时间。我们以某团网页端的登录为例来演示 RPC 在逆向中的具体使用方法。（假设你已经有一定逆向基础，了解 WebSocket 协议，纯小白可以先看看K哥以前的文章）

import sys
import asyncio
import websocketsasync def receive_massage(websocket):while True:send_text = input("请输入要加密的字符串: ")if send_text == "exit":print("Exit, goodbye!")await websocket.send(send_text)await websocket.close()sys.exit()else:await websocket.send(send_text)response_text = await websocket.recv()print("\n加密结果：", response_text)start_server = websockets.serve(receive_massage, '127.0.0.1', 5678)  # 自定义端口
asyncio.get_event_loop().run_until_complete(start_server)
asyncio.get_event_loop().run_forever()

var ws = new WebSocket("ws://127.0.0.1:5678");  // 自定义端口ws.onmessage = function (evt) {console.log("Received Message: " + evt.data);if (evt.data == "exit") {ws.close();} else {ws.send(utility.getH5fingerprint(evt.data))}
};

然后我们需要把客户端代码注入到网页中，这里方法有很多，比如抓包软件 Fiddler 替换响应、浏览器插件 ReRes 替换 JS、浏览器开发者工具 Overrides 重写功能等，也可以通过插件、油猴等注入 Hook 的方式插入，反正方法很多，对这些方法不太了解的朋友可以去看看K哥以前的文章，都有介绍。

这里我们使用浏览器开发者工具 Overrides 重写功能，将 WebSocket 客户端代码加到加密的这个 JS 文件里并 Ctrl+S 保存，这里将其写成了 IIFE 自执行方式，这样做的原因是防止污染全局变量，不用自执行方式当然也是可以的。

/* ==================================
# @Time    : 2022-02-14
# @Author  : 微信公众号：K哥爬虫
# @FileName: sekiro.js
# @Software: PyCharm
# ================================== */(function () {'use strict';function SekiroClient(wsURL) {this.wsURL = wsURL;this.handlers = {};this.socket = {};// checkif (!wsURL) {throw new Error('wsURL can not be empty!!')}this.webSocketFactory = this.resolveWebSocketFactory();this.connect()}SekiroClient.prototype.resolveWebSocketFactory = function () {if (typeof window === 'object') {var theWebSocket = window.WebSocket ? window.WebSocket : window.MozWebSocket;return function (wsURL) {function WindowWebSocketWrapper(wsURL) {this.mSocket = new theWebSocket(wsURL);}WindowWebSocketWrapper.prototype.close = function () {this.mSocket.close();};WindowWebSocketWrapper.prototype.onmessage = function (onMessageFunction) {this.mSocket.onmessage = onMessageFunction;};WindowWebSocketWrapper.prototype.onopen = function (onOpenFunction) {this.mSocket.onopen = onOpenFunction;};WindowWebSocketWrapper.prototype.onclose = function (onCloseFunction) {this.mSocket.onclose = onCloseFunction;};WindowWebSocketWrapper.prototype.send = function (message) {this.mSocket.send(message);};return new WindowWebSocketWrapper(wsURL);}}if (typeof weex === 'object') {// this is weex env : https://weex.apache.org/zh/docs/modules/websockets.htmltry {console.log("test webSocket for weex");var ws = weex.requireModule('webSocket');console.log("find webSocket for weex:" + ws);return function (wsURL) {try {ws.close();} catch (e) {}ws.WebSocket(wsURL, '');return ws;}} catch (e) {console.log(e);//ignore}}//TODO support ReactNativeif (typeof WebSocket === 'object') {return function (wsURL) {return new theWebSocket(wsURL);}}// weex 和 PC环境的websocket API不完全一致，所以做了抽象兼容throw new Error("the js environment do not support websocket");};SekiroClient.prototype.connect = function () {console.log('sekiro: begin of connect to wsURL: ' + this.wsURL);var _this = this;// 不check close，让// if (this.socket && this.socket.readyState === 1) {//     this.socket.close();// }try {this.socket = this.webSocketFactory(this.wsURL);} catch (e) {console.log("sekiro: create connection failed,reconnect after 2s");setTimeout(function () {_this.connect()}, 2000)}this.socket.onmessage(function (event) {_this.handleSekiroRequest(event.data)});this.socket.onopen(function (event) {console.log('sekiro: open a sekiro client connection')});this.socket.onclose(function (event) {console.log('sekiro: disconnected ,reconnection after 2s');setTimeout(function () {_this.connect()}, 2000)});};SekiroClient.prototype.handleSekiroRequest = function (requestJson) {console.log("receive sekiro request: " + requestJson);var request = JSON.parse(requestJson);var seq = request['__sekiro_seq__'];if (!request['action']) {this.sendFailed(seq, 'need request param {action}');return}var action = request['action'];if (!this.handlers[action]) {this.sendFailed(seq, 'no action handler: ' + action + ' defined');return}var theHandler = this.handlers[action];var _this = this;try {theHandler(request, function (response) {try {_this.sendSuccess(seq, response)} catch (e) {_this.sendFailed(seq, "e:" + e);}}, function (errorMessage) {_this.sendFailed(seq, errorMessage)})} catch (e) {console.log("error: " + e);_this.sendFailed(seq, ":" + e);}};SekiroClient.prototype.sendSuccess = function (seq, response) {var responseJson;if (typeof response == 'string') {try {responseJson = JSON.parse(response);} catch (e) {responseJson = {};responseJson['data'] = response;}} else if (typeof response == 'object') {responseJson = response;} else {responseJson = {};responseJson['data'] = response;}if (Array.isArray(responseJson)) {responseJson = {data: responseJson,code: 0}}if (responseJson['code']) {responseJson['code'] = 0;} else if (responseJson['status']) {responseJson['status'] = 0;} else {responseJson['status'] = 0;}responseJson['__sekiro_seq__'] = seq;var responseText = JSON.stringify(responseJson);console.log("response :" + responseText);this.socket.send(responseText);};SekiroClient.prototype.sendFailed = function (seq, errorMessage) {if (typeof errorMessage != 'string') {errorMessage = JSON.stringify(errorMessage);}var responseJson = {};responseJson['message'] = errorMessage;responseJson['status'] = -1;responseJson['__sekiro_seq__'] = seq;var responseText = JSON.stringify(responseJson);console.log("sekiro: response :" + responseText);this.socket.send(responseText)};SekiroClient.prototype.registerAction = function (action, handler) {if (typeof action !== 'string') {throw new Error("an action must be string");}if (typeof handler !== 'function') {throw new Error("a handler must be function");}console.log("sekiro: register action: " + action);this.handlers[action] = handler;return this;};function guid() {function S4() {return (((1 + Math.random()) * 0x10000) | 0).toString(16).substring(1);}return (S4() + S4() + "-" + S4() + "-" + S4() + "-" + S4() + "-" + S4() + S4() + S4());}var client = new SekiroClient("ws://127.0.0.1:5620/business-demo/register?group=rpc-test&clientId=" + guid());client.registerAction("getH5fingerprint", function (request, resolve, reject) {resolve(utility.getH5fingerprint(request["url"]));})})();