再遇wasm

再遇wasm

网站地址:aHR0cHM6Ly9tLndhbmRhY2luZW1hcy5jb20vP2NpbmVtYUlkPTYwMDYmY2luZW1hTmFtZT0lRTQlQkYlOUQlRTUlQUUlOUElRTYlOUMlQUElRTYlOUQlQTUlRTclOUYlQjMlRTQlQjglODclRTglQkUlQkUlRTUlQjklQkYlRTUlOUMlQkElRTUlQkElOTcmY2l0eUlkPTM3OSZjaXR5TmFtZT0lRTQlQkYlOUQlRTUlQUUlOUE=

加密参数确定


修改下参数发现不通过了

因此check就是我们要逆向的值
打上XHR断点

刷新网页

下面就是漫长的跟栈

我们看到这个地方可能有我们要的值

哦,发现了check就是由

d = document.getElementsByTagName("meta").env ? gowasm.sqp("" + m, p, "", n) : gowasm.sp("" + m, p, "", n)

这行代码生成的,调试发现就是后面的这个函数

gowasm.sp("" + m, p, "", n)

由gowasm这个类调用sp这个方法实现的,我们再看下m,p,n这几个参数的值

m是时间戳

p是我们的路径

n是一个定值
好了,进入gowasm.sp里面

发现这段代码被混淆了,这就要用到我们的好助手AST了

AST解混淆

我们先观察下这个函数

大致分为三部分:_0x14e1是一个大数组,_0x42d2是按下标从这个数组里取字符串的函数,还有一个自执行函数

我们发现自执行函数里面有_0x42d2这个函数

运行下刚好出值了
下面我们编写AST来解这个混淆

// String table copied verbatim from the obfuscated script. Every property name and
// message the script uses is stored here and fetched by index at run time.
const _0x14e1 = ['_values', 'resume', '_callbackTimeouts', 'ENOSYS', '_ids', '_inst', 'lastIndexOf', 'process', 'randomFillSync', 'setUint32', 'memory', 'TextDecoder', 'length', 'getInt32', 'electron', 'usage:\x20go_js_wasm_exec\x20[wasm\x20binary]\x20[arguments]', '_resolveExitPromise', 'Go\x20program\x20has\x20already\x20exited', '_makeFuncWrapper', 'importObject', 'exited', 'versions', '_start', 'require', 'trying\x20to\x20exit\x20with\x20code\x20', '_idPool', 'getUint32', 'get', 'main', 'floor', 'TextEncoder', 'performance', 'set', 'undefined', 'result', 'setFloat64', 'exports', 'log', '_pendingEvent', 'not\x20implemented', 'construct', 'catch', 'util', 'setUint8', 'getUint8', 'now', 'apply', 'readFileSync', '_nextCallbackTimeoutID', 'deleteProperty', 'symbol', 'exit', 'buffer', 'getFloat64', 'global', '_goRefCounts', 'push', 'cannot\x20export\x20Go\x20(neither\x20global,\x20window\x20nor\x20self\x20is\x20defined)', 'decode', 'run', 'pop', 'go_scheduler', '_resume'];

/**
 * String decoder of the obfuscated script: a plain lookup into the table above.
 *
 * @param {string|number} _0x14e193 - Table index; the `- 0x0` coerces a hex
 *   string such as '0xf' to the number 15.
 * @param {*} _0x42d2b6 - Accepted but never read.
 * @returns {string|undefined} The table entry, or undefined when the index is out of range.
 */
const _0x42d2 = function(_0x14e193, _0x42d2b6) {
  const tableIndex = _0x14e193 - 0x0;
  return _0x14e1[tableIndex];
};
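// Walk the AST and replace every call to the string decoder `_0x42d2` with the
// string literal it returns, so the property names become readable again.
traverse(ast, {
  CallExpression: {
    // `exit` runs after a node's children have been visited, so any decoder call
    // nested inside the arguments has already been folded by the time we get here.
    exit(path) {
      const { callee, arguments: callArgs } = path.node;

      // Only a direct call through the identifier `_0x42d2` is rewritten; member
      // calls and other callees are left untouched.
      if (!types.isIdentifier(callee, { name: '_0x42d2' })) {
        return;
      }

      // The decoder is only evaluated for constant indexes. A computed argument
      // has no `.value`, and the original version would have thrown on it.
      const [indexArg] = callArgs;
      if (!types.isStringLiteral(indexArg) && !types.isNumericLiteral(indexArg)) {
        return;
      }

      // The decoder here is a plain table lookup copied by hand into this script,
      // so nothing from the sample executes in the analysis process beyond an
      // array index. Keep it that way: do not extend this visitor to evaluate
      // arbitrary expressions taken from the sample.
      const decoded = _0x42d2(indexArg.value);
      if (typeof decoded !== 'string') {
        // Out-of-range index: leave the call in place instead of emitting a bad literal.
        return;
      }
      path.replaceInline(types.stringLiteral(decoded));

      // Variant for samples with several aliased two-argument decoders
      // (e.g. `_0x2246`, `_0x2200`, `_0x2132`): match the callee against the
      // list of aliases and pass both literal arguments to the decoder.
      // `path.scope.getBinding(name)` can be used to confirm that the name
      // resolves to the decoder and not to a shadowing local.
    },
  },
});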

还原后的js代码

// String table of the obfuscated script, kept verbatim in the restored output.
const _0x14e1 = ['_values', 'resume', '_callbackTimeouts', 'ENOSYS', '_ids', '_inst', 'lastIndexOf', 'process', 'randomFillSync', 'setUint32', 'memory', 'TextDecoder', 'length', 'getInt32', 'electron', 'usage:\x20go_js_wasm_exec\x20[wasm\x20binary]\x20[arguments]', '_resolveExitPromise', 'Go\x20program\x20has\x20already\x20exited', '_makeFuncWrapper', 'importObject', 'exited', 'versions', '_start', 'require', 'trying\x20to\x20exit\x20with\x20code\x20', '_idPool', 'getUint32', 'get', 'main', 'floor', 'TextEncoder', 'performance', 'set', 'undefined', 'result', 'setFloat64', 'exports', 'log', '_pendingEvent', 'not\x20implemented', 'construct', 'catch', 'util', 'setUint8', 'getUint8', 'now', 'apply', 'readFileSync', '_nextCallbackTimeoutID', 'deleteProperty', 'symbol', 'exit', 'buffer', 'getFloat64', 'global', '_goRefCounts', 'push', 'cannot\x20export\x20Go\x20(neither\x20global,\x20window\x20nor\x20self\x20is\x20defined)', 'decode', 'run', 'pop', 'go_scheduler', '_resume'];

/**
 * Index-based string decoder. The restored function that follows no longer
 * calls it, because each call site was replaced by the literal it returned.
 *
 * @param {string|number} _0x14e193 - Table index; hex strings are coerced by `- 0x0`.
 * @param {*} _0x42d2b6 - Accepted but never read.
 * @returns {string|undefined} The table entry at that index.
 */
const _0x42d2 = function (_0x14e193, _0x42d2b6) {
  const slot = _0x14e193 - 0x0;
  const entry = _0x14e1[slot];
  return entry;
};
(() => {
if (typeof global !== 'undefined') {} else if (typeof window !== "undefined") {
window['global'] = window;
} else if (typeof self !== "undefined") {
self["global"] = self;
} else {
throw new Error("cannot export Go (neither global, window nor self is defined)");
}
if (!global['require'] && typeof require !== "undefined") {
global['require'] = require;
}
if (!global['fs'] && global["require"]) {
global['fs'] = require('fs');
}
const _0x48e3cb = () => {
const _0x1312b6 = new Error("not implemented");
_0x1312b6['code'] = "ENOSYS";
return _0x1312b6;
};
if (!global['fs']) {
let _0x295b45 = '';
global['fs'] = {
'constants': {
'O_WRONLY': -0x1,
'O_RDWR': -0x1,
'O_CREAT': -0x1,
'O_TRUNC': -0x1,
'O_APPEND': -0x1,
'O_EXCL': -0x1
},
'writeSync'(_0x5353bd, _0x5fa36) {
_0x295b45 += _0x56eccc["decode"](_0x5fa36);
const _0x3fe092 = _0x295b45["lastIndexOf"]('\x0a');
if (_0x3fe092 != -0x1) {
console['log'](_0x295b45['substr'](0x0, _0x3fe092));
_0x295b45 = _0x295b45['substr'](_0x3fe092 + 0x1);
}
return _0x5fa36["length"];
},
'write'(_0x32b764, _0x32a120, _0x496f0f, _0x310e98, _0x512ae1, _0x4b877d) {
if (_0x496f0f !== 0x0 || _0x310e98 !== _0x32a120['length'] || _0x512ae1 !== null) {
_0x4b877d(_0x48e3cb());
return;
}
const _0x3a65cb = this['writeSync'](_0x32b764, _0x32a120);
_0x4b877d(null, _0x3a65cb);
},
'chmod'(_0x1b99b5, _0x12f472, _0x568fbc) {
_0x568fbc(_0x48e3cb());
},
'chown'(_0x35c439, _0x50e9a2, _0x1355f6, _0x3041f4) {
_0x3041f4(_0x48e3cb());
},
'close'(_0x4ef07c, _0x229d79) {
_0x229d79(_0x48e3cb());
},
'fchmod'(_0x56ea30, _0x2adc9c, _0x3bd043) {
_0x3bd043(_0x48e3cb());
},
'fchown'(_0x3679ce, _0xe9a842, _0x13e36a, _0x5bbfdc) {
_0x5bbfdc(_0x48e3cb());
},
'fstat'(_0x35ff8f, _0xa6a416) {
_0xa6a416(_0x48e3cb());
},
'fsync'(_0x42be95, _0xfa1bbb) {
_0xfa1bbb(null);
},
'ftruncate'(_0x91c13c, _0x4cf59b, _0x2796fb) {
_0x2796fb(_0x48e3cb());
},
'lchown'(_0x52cf09, _0x7aa3f9, _0x210f5e, _0x45f9c9) {
_0x45f9c9(_0x48e3cb());
},
'link'(_0x64f432, _0x3cb6bf, _0x4afbcc) {
_0x4afbcc(_0x48e3cb());
},
'lstat'(_0x2fb4bc, _0x55acf7) {
_0x55acf7(_0x48e3cb());
},
'mkdir'(_0x538884, _0xd33397, _0x4b0c35) {
_0x4b0c35(_0x48e3cb());
},
'open'(_0x302746, _0x42ebb9, _0xe99071, _0x16ba8b) {
_0x16ba8b(_0x48e3cb());
},
'read'(_0x41cdea, _0x2eecc2, _0x6c9f82, _0x37e641, _0x4c692c, _0x1abcb1) {
_0x1abcb1(_0x48e3cb());
},
'readdir'(_0x45fede, _0x520d0e) {
_0x520d0e(_0x48e3cb());
},
'readlink'(_0x4842d2, _0x35fe81) {
_0x35fe81(_0x48e3cb());
},
'rename'(_0x2cbb0a, _0x28387a, _0x1506bd) {
_0x1506bd(_0x48e3cb());
},
'rmdir'(_0x32aa5b, _0x19ca9c) {
_0x19ca9c(_0x48e3cb());
},
'stat'(_0x54b405, _0x1893e7) {
_0x1893e7(_0x48e3cb());
},
'symlink'(_0x1d6fc0, _0x256083, _0x592400) {
_0x592400(_0x48e3cb());
},
'truncate'(_0x283279, _0x241343, _0x222fa2) {
_0x222fa2(_0x48e3cb());
},
'unlink'(_0x1b0fae, _0x1fc225) {
_0x1fc225(_0x48e3cb());
},
'utimes'(_0x2c0db8, _0x469a74, _0x5f5dc5, _0x45305f) {
_0x45305f(_0x48e3cb());
}
};
}
if (!global["process"]) {
global['process'] = {
'getuid'() {
return -0x1;
},
'getgid'() {
return -0x1;
},
'geteuid'() {
return -0x1;
},
'getegid'() {
return -0x1;
},
'getgroups'() {
throw _0x48e3cb();
},
'pid': -0x1,
'ppid': -0x1,
'umask'() {
throw _0x48e3cb();
},
'cwd'() {
throw _0x48e3cb();
},
'chdir'() {
throw _0x48e3cb();
}
};
}
if (!global['crypto']) {
const _0x1fe257 = require('crypto');
global['crypto'] = {
'getRandomValues'(_0x50937a) {
_0x1fe257["randomFillSync"](_0x50937a);
}
};
}
if (!global['performance']) {
global["performance"] = {
'now'() {
const [_0x205b6b, _0x5e4cbb] = process['hrtime']();
return _0x205b6b * 0x3e8 + _0x5e4cbb / 0xf4240;
}
};
}
if (!global["TextEncoder"]) {
global["TextEncoder"] = require("util")["TextEncoder"];
}
if (!global["TextDecoder"]) {
global['TextDecoder'] = require("util")["TextDecoder"];
}
const _0x1c9575 = new TextEncoder('utf-8');
const _0x56eccc = new TextDecoder('utf-8');
var _0x1c4210 = [];
global['Go'] = class {
constructor() {
this["_callbackTimeouts"] = new Map();
this["_nextCallbackTimeoutID"] = 0x1;
const _0x804eb1 = () => {
return new DataView(this["_inst"]['exports']["memory"]['buffer']);
};
const _0x48faec = (_0x2ebbb6, _0x30b320) => {
_0x804eb1()['setUint32'](_0x2ebbb6 + 0x0, _0x30b320, !![]);
_0x804eb1()['setUint32'](_0x2ebbb6 + 0x4, Math["floor"](_0x30b320 / 0x100000000), !![]);
};
const _0x2f0d9b = _0x5560a0 => {
const _0x11e172 = _0x804eb1()["getFloat64"](_0x5560a0, !![]);
if (_0x11e172 === 0x0) {
return undefined;
}
if (!isNaN(_0x11e172)) {
return _0x11e172;
}
const _0x2f8470 = _0x804eb1()["getUint32"](_0x5560a0, !![]);
return this['_values'][_0x2f8470];
};
const _0x4cb245 = (_0x4bf3c2, _0x537b97) => {
const _0x2225f1 = 0x7ff80000;
if (typeof _0x537b97 === 'number') {
if (isNaN(_0x537b97)) {
_0x804eb1()["setUint32"](_0x4bf3c2 + 0x4, _0x2225f1, !![]);
_0x804eb1()["setUint32"](_0x4bf3c2, 0x0, !![]);
return;
}
if (_0x537b97 === 0x0) {
_0x804eb1()['setUint32'](_0x4bf3c2 + 0x4, _0x2225f1, !![]);
_0x804eb1()["setUint32"](_0x4bf3c2, 0x1, !![]);
return;
}
_0x804eb1()['setFloat64'](_0x4bf3c2, _0x537b97, !![]);
return;
}
switch (_0x537b97) {
case undefined:
_0x804eb1()["setFloat64"](_0x4bf3c2, 0x0, !![]);
return;
case null:
_0x804eb1()["setUint32"](_0x4bf3c2 + 0x4, _0x2225f1, !![]);
_0x804eb1()['setUint32'](_0x4bf3c2, 0x2, !![]);
return;
case !![]:
_0x804eb1()["setUint32"](_0x4bf3c2 + 0x4, _0x2225f1, !![]);
_0x804eb1()['setUint32'](_0x4bf3c2, 0x3, !![]);
return;
case ![]:
_0x804eb1()["setUint32"](_0x4bf3c2 + 0x4, _0x2225f1, !![]);
_0x804eb1()["setUint32"](_0x4bf3c2, 0x4, !![]);
return;
}
let _0x157a16 = this["_ids"]["get"](_0x537b97);
if (_0x157a16 === undefined) {
_0x157a16 = this["_idPool"]["pop"]();
if (_0x157a16 === undefined) {
_0x157a16 = this['_values']["length"];
}
this['_values'][_0x157a16] = _0x537b97;
this["_goRefCounts"][_0x157a16] = 0x0;
this["_ids"]['set'](_0x537b97, _0x157a16);
}
this['_goRefCounts'][_0x157a16]++;
let _0x460de2 = 0x1;
switch (typeof _0x537b97) {
case 'string':
_0x460de2 = 0x2;
break;
case "symbol":
_0x460de2 = 0x3;
break;
case 'function':
_0x460de2 = 0x4;
break;
}
_0x804eb1()['setUint32'](_0x4bf3c2 + 0x4, _0x2225f1 | _0x460de2, !![]);
_0x804eb1()['setUint32'](_0x4bf3c2, _0x157a16, !![]);
};
const _0x59f60c = (_0x3e6d89, _0x48ab5a, _0x32c54e) => {
return new Uint8Array(this['_inst']["exports"]["memory"]["buffer"], _0x3e6d89, _0x48ab5a);
};
const _0x5e83d7 = (_0x3ffd7f, _0x593a8b, _0x3dae15) => {
const _0x34340c = new Array(_0x593a8b);
for (let _0x312a4b = 0x0; _0x312a4b < _0x593a8b; _0x312a4b++) {
_0x34340c[_0x312a4b] = _0x2f0d9b(_0x3ffd7f + _0x312a4b * 0x8);
}
return _0x34340c;
};
const _0x2b6a37 = (_0x541a2b, _0x2d838d) => {
return _0x56eccc["decode"](new DataView(this['_inst']['exports']["memory"]['buffer'], _0x541a2b, _0x2d838d));
};
const _0x5c8fcc = Date["now"]() - performance['now']();
this["importObject"] = {
'wasi_unstable': {
'fd_write': function (_0x19a591, _0x240dd7, _0x4b41f3, _0x326504) {
let _0x6342ba = 0x0;
if (_0x19a591 == 0x1) {
for (let _0x16219d = 0x0; _0x16219d < _0x4b41f3; _0x16219d++) {
let _0x95f43a = _0x240dd7 + _0x16219d * 0x8;
let _0x15f8e2 = _0x804eb1()["getUint32"](_0x95f43a + 0x0, !![]);
let _0x9c90d6 = _0x804eb1()["getUint32"](_0x95f43a + 0x4, !![]);
for (let _0x100baf = 0x0; _0x100baf < _0x9c90d6; _0x100baf++) {
let _0x59f4a4 = _0x804eb1()["getUint8"](_0x15f8e2 + _0x100baf);
if (_0x59f4a4 == 0xd) {} else if (_0x59f4a4 == 0xa) {
let _0x4b5d53 = _0x56eccc['decode'](new Uint8Array(_0x1c4210));
_0x1c4210 = [];
console["log"](_0x4b5d53);
} else {
_0x1c4210['push'](_0x59f4a4);
}
}
}
} else {
console['error']('invalid\x20file\x20descriptor:', _0x19a591);
}
_0x804eb1()["setUint32"](_0x326504, _0x6342ba, !![]);
return 0x0;
}
},
'env': {
'runtime.ticks': () => {
return _0x5c8fcc + performance["now"]();
},
'runtime.sleepTicks': _0x3b78dc => {
setTimeout(this['_inst']['exports']["go_scheduler"], _0x3b78dc);
},
'syscall.Exit': _0x48e574 => {
if (global["process"]) {
process["exit"](_0x48e574);
} else {
throw "trying to exit with code " + _0x48e574;
}
},
'syscall/js.finalizeRef': _0x525ddc => {
const _0x2ee841 = _0x804eb1()['getUint32'](_0x525ddc, !![]);
this["_goRefCounts"][_0x2ee841]--;
if (this["_goRefCounts"][_0x2ee841] === 0x0) {
const _0x2f3110 = this["_values"][_0x2ee841];
this["_values"][_0x2ee841] = null;
this["_ids"]['delete'](_0x2f3110);
this["_idPool"]["push"](_0x2ee841);
}
},
'syscall/js.stringVal': (_0x2af5b2, _0xbb9903, _0x2d0099) => {
const _0x2ee0c0 = _0x2b6a37(_0xbb9903, _0x2d0099);
_0x4cb245(_0x2af5b2, _0x2ee0c0);
},
'syscall/js.valueGet': (_0x53e44e, _0x4b460f, _0x3c495e, _0x5020c5) => {
let _0x46d467 = _0x2b6a37(_0x3c495e, _0x5020c5);
let _0x4713f8 = _0x2f0d9b(_0x4b460f);
let _0x25d3d1 = Reflect['get'](_0x4713f8, _0x46d467);
_0x4cb245(_0x53e44e, _0x25d3d1);
},
'syscall/js.valueSet': (_0x1bd8a0, _0x5b7545, _0x516a93, _0x48a3eb) => {
const _0xcaa817 = _0x2f0d9b(_0x1bd8a0);
const _0x472c88 = _0x2b6a37(_0x5b7545, _0x516a93);
const _0x5109ed = _0x2f0d9b(_0x48a3eb);
Reflect["set"](_0xcaa817, _0x472c88, _0x5109ed);
},
'syscall/js.valueDelete': (_0x1df616, _0x57c8cb, _0x5f38c9) => {
const _0x5443a5 = _0x2f0d9b(_0x1df616);
const _0x2febde = _0x2b6a37(_0x57c8cb, _0x5f38c9);
Reflect["deleteProperty"](_0x5443a5, _0x2febde);
},
'syscall/js.valueIndex': (_0x723f07, _0x13ad40, _0x1cfdec) => {
_0x4cb245(_0x723f07, Reflect["get"](_0x2f0d9b(_0x13ad40), _0x1cfdec));
},
'syscall/js.valueSetIndex': (_0x4b999b, _0x3bb130, _0x2bf038) => {
Reflect['set'](_0x2f0d9b(_0x4b999b), _0x3bb130, _0x2f0d9b(_0x2bf038));
},
'syscall/js.valueCall': (_0x3f0c17, _0x3a8c5b, _0x5b7b11, _0x2e362e, _0xa1e2ac, _0x549af5, _0x25dcdd) => {
const _0x5aae32 = _0x2f0d9b(_0x3a8c5b);
const _0x5311ef = _0x2b6a37(_0x5b7b11, _0x2e362e);
const _0x4aa1f5 = _0x5e83d7(_0xa1e2ac, _0x549af5, _0x25dcdd);
try {
const _0x1693ae = Reflect['get'](_0x5aae32, _0x5311ef);
_0x4cb245(_0x3f0c17, Reflect["apply"](_0x1693ae, _0x5aae32, _0x4aa1f5));
_0x804eb1()["setUint8"](_0x3f0c17 + 0x8, 0x1);
} catch (_0x3a880) {
_0x4cb245(_0x3f0c17, _0x3a880);
_0x804eb1()["setUint8"](_0x3f0c17 + 0x8, 0x0);
}
},
'syscall/js.valueInvoke': (_0x5f240f, _0x280651, _0x3d6cc5, _0x224fe5, _0xe332d7) => {
try {
const _0xa08368 = _0x2f0d9b(_0x280651);
const _0x378c55 = _0x5e83d7(_0x3d6cc5, _0x224fe5, _0xe332d7);
_0x4cb245(_0x5f240f, Reflect['apply'](_0xa08368, undefined, _0x378c55));
_0x804eb1()['setUint8'](_0x5f240f + 0x8, 0x1);
} catch (_0x36d54e) {
_0x4cb245(_0x5f240f, _0x36d54e);
_0x804eb1()["setUint8"](_0x5f240f + 0x8, 0x0);
}
},
'syscall/js.valueNew': (_0x48f19e, _0x17e071, _0x478105, _0xa01d5c, _0x55f044) => {
const _0x1f4e53 = _0x2f0d9b(_0x17e071);
const _0x51a5c5 = _0x5e83d7(_0x478105, _0xa01d5c, _0x55f044);
try {
_0x4cb245(_0x48f19e, Reflect["construct"](_0x1f4e53, _0x51a5c5));
_0x804eb1()['setUint8'](_0x48f19e + 0x8, 0x1);
} catch (_0x1d2f1c) {
_0x4cb245(_0x48f19e, _0x1d2f1c);
_0x804eb1()['setUint8'](_0x48f19e + 0x8, 0x0);
}
},
'syscall/js.valueLength': _0x246f33 => {
return _0x2f0d9b(_0x246f33)["length"];
},
'syscall/js.valuePrepareString': (_0x3fa4a7, _0xf39f19) => {
const _0xe83989 = String(_0x2f0d9b(_0xf39f19));
const _0x3f0b53 = _0x1c9575['encode'](_0xe83989);
_0x4cb245(_0x3fa4a7, _0x3f0b53);
_0x48faec(_0x3fa4a7 + 0x8, _0x3f0b53["length"]);
},
'syscall/js.valueLoadString': (_0x2a3ff0, _0x3ab1a0, _0x6cd1b1, _0x3428de) => {
const _0x803679 = _0x2f0d9b(_0x2a3ff0);
_0x59f60c(_0x3ab1a0, _0x6cd1b1, _0x3428de)['set'](_0x803679);
},
'syscall/js.valueInstanceOf': (_0x4a4dbf, _0x150655) => {
return _0x2f0d9b(v_attr) instanceof _0x2f0d9b(_0x150655);
},
'syscall/js.copyBytesToGo': (_0x235706, _0x24a6f4, _0x265c4a, _0x3b7608, _0x5dcc18) => {
let _0x1e7a2f = _0x235706;
let _0x202d6b = _0x235706 + 0x4;
const _0xb942c5 = _0x59f60c(_0x24a6f4, _0x265c4a);
const _0x524144 = _0x2f0d9b(_0x5dcc18);
if (!(_0x524144 instanceof Uint8Array)) {
_0x804eb1()['setUint8'](_0x202d6b, 0x0);
return;
}
const _0x1c2565 = _0x524144['subarray'](0x0, _0xb942c5["length"]);
_0xb942c5['set'](_0x1c2565);
_0x48faec(_0x1e7a2f, _0x1c2565['length']);
_0x804eb1()["setUint8"](_0x202d6b, 0x1);
},
'syscall/js.copyBytesToJS': (_0x26df29, _0x538d9b, _0x5c489a, _0x168904, _0x20abaa) => {
let _0xb296c5 = _0x26df29;
let _0x328b13 = _0x26df29 + 0x4;
const _0x2c4ad8 = _0x2f0d9b(_0x538d9b);
const _0x332d37 = _0x59f60c(_0x5c489a, _0x168904);
if (!(_0x2c4ad8 instanceof Uint8Array)) {
_0x804eb1()['setUint8'](_0x328b13, 0x0);
return;
}
const _0x4179a3 = _0x332d37['subarray'](0x0, _0x2c4ad8["length"]);
_0x2c4ad8['set'](_0x4179a3);
_0x48faec(_0xb296c5, _0x4179a3["length"]);
_0x804eb1()['setUint8'](_0x328b13, 0x1);
}
}
};
}
async ["run"](_0x2b9889) {
this["_inst"] = _0x2b9889;
this['_values'] = [NaN, 0x0, null, !![], ![], global, this];
this['_goRefCounts'] = [];
this["_ids"] = new Map();
this['_idPool'] = [];
this['exited'] = ![];
while (!![]) {
const _0x54628d = new Promise(_0x2bd36a => {
this['_resolveCallbackPromise'] = () => {
if (this['exited']) {
throw new Error('bad\x20callback:\x20Go\x20program\x20has\x20already\x20exited');
}
setTimeout(_0x2bd36a, 0x0);
};
});
this["_inst"]["exports"]["_start"]();
if (this['exited']) {
break;
}
await _0x54628d;
}
}
["_resume"]() {
if (this["exited"]) {
throw new Error("Go program has already exited");
}
this["_inst"]['exports']["resume"]();
if (this['exited']) {
this["_resolveExitPromise"]();
}
}
["_makeFuncWrapper"](_0x31ab0b) {
const _0x2c92d2 = this;
return function () {
const _0x455bbd = {
'id': _0x31ab0b,
'this': this,
'args': arguments
};
_0x2c92d2["_pendingEvent"] = _0x455bbd;
_0x2c92d2["_resume"]();
return _0x455bbd["result"];
};
}
};
if (global['require'] && global["require"]["main"] === module && global['process'] && global['process']["versions"] && !global["process"]["versions"]["electron"]) {
if (process['argv']['length'] != 0x3) {
console['error']("usage: go_js_wasm_exec [wasm binary] [arguments]");
process['exit'](0x1);
}
const _0x454c42 = new Go();
WebAssembly['instantiate'](fs["readFileSync"](process['argv'][0x2]), _0x454c42["importObject"])['then'](_0x41dd78 => {
return _0x454c42['run'](_0x41dd78['instance']);
})["catch"](_0x3dc424 => {
console['error'](_0x3dc424);
process['exit'](0x1);
});
}
})();

明显js代码的可读性强了,回到我们的代码里

我们发现跟到了一个叫resume的一个函数,进入发现

这里看到的是wasm的反汇编代码(类似汇编语言),我们把wasm文件下载下来分析它

JEBPro分析wasm代码


这个是反编译后的js代码

结合浏览器和IDAPro分析


我们跟到这里,发现了熟悉的MD5,那具体是不是呢?

ok 我们的猜想是对的
那么我们跟下md5的参数

nice! 参数跟到了直接请求。到这里逆向就结束了剩下的就发请求就行了,最后代码贴下

import requests
import time
import hashlib
import json

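# Rebuild the `check` value that the page computes inside its wasm module.
#
# The signed string is a fixed prefix, the millisecond timestamp, then the
# request path with its query string. Every part is known to any client, so the
# resulting MD5 works as a request-integrity hurdle and not as a secret: the
# server cannot tell a browser from another client by this value alone.
# NOTE(review): the prefix starts with the same text as the `sCode` and `cCode`
# fields below; presumably those two values followed by the fixed constant `n`
# from the walkthrough. Confirm against the wasm.
datanow = int(time.time() * 1000)
# The query string inside the signed path has to stay in step with `params`.
data = f'Wanda1_3FA425A3F9F5FFFC4389994548F83298776F8B46B752A83A6A798C6ED8FE8BFE1{datanow}/movie/hot_show.api?cityId=379&cinemaId=6006&day=0'
data_bytes = data.encode('utf-8')
md5_result = hashlib.md5(data_bytes).hexdigest()

# Query parameters of the request.
params = {
    'cityId': '379',
    'cinemaId': '6006',
    'day': '0',
}

# Payload of the MX-API header. `check` and `ts` are filled in directly with the
# values computed above instead of being patched over placeholders afterwards.
# The key "heigth" is spelled as on the page; presumably it mirrors the header
# the site itself sends, so it is left as is.
mx_api_data = {
    "ver": "7.0.0",
    "sCode": "Wanda",
    "_mi_": "",
    "width": 1280,
    "json": True,
    "cCode": "1_3",
    "check": md5_result,
    "ts": datanow,
    "heigth": 720,
    "appId": "4"
}

# The header carries the payload serialized as a JSON string.
mx_api_json = json.dumps(mx_api_data)

# Request headers.
headers = {
    'Accept': 'application/json, text/javascript, */*; q=0.01',
    'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6',
    'Cache-Control': 'no-cache',
    'Connection': 'keep-alive',
    'MX-API': mx_api_json,  # signed payload built above
    'Origin': 'https://m.wandacinemas.com',
    'Pragma': 'no-cache',
    'Referer': 'https://m.wandacinemas.com/',
    'Sec-Fetch-Dest': 'empty',
    'Sec-Fetch-Mode': 'cors',
    'Sec-Fetch-Site': 'cross-site',
    'Sec-Fetch-Storage-Access': 'active',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0',
    'sec-ch-ua': '"Microsoft Edge";v="135", "Not-A.Brand";v="8", "Chromium";v="135"',
    'sec-ch-ua-mobile': '?0',
    'sec-ch-ua-platform': '"Windows"',
}

# Send the request. Without a timeout, requests waits indefinitely on a stalled
# connection. An HTTP error status is raised here instead of surfacing later as
# a confusing JSON decode failure.
http_response = requests.get(
    'https://cinema-api-prd-mx.wandafilm.com/movie/hot_show.api',
    params=params,
    headers=headers,
    timeout=10,
)
http_response.raise_for_status()
response = http_response.json()
print("时间戳:", datanow)
print("MD5 哈希值:", md5_result)
print("响应:", response)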


ok,完结

总结

在我逆向的过程中,我发现wasm的代码结构较为复杂,但是通过结合浏览器和IDAPro的分析,我成功地找到了关键的MD5加密函数,并确定了其参数。这个过程虽然有些曲折,但最终的结果是令人满意的。不过还是要加强IDA的使用,并配合浏览器协助调试,才能更好地调试出来,另外还要注意多种技术的结合使用。