China Telecom Login RSA Algorithm + Analysis Graphics

Tips: When you see this prompt, it indicates that the current article has been migrated from the original emlog blog system. The publication date of the article is quite old, and the formatting and content may not be complete. Thank you for your understanding.


Date: 2016-9-30 | A Jue | Tutorial

No more nonsense!


1. Tools Used

1. IE browser (version 9 and above)

2. HttpWatch (available in both Chinese and English)

3. JS Debugging Tool

Target website: http://xz.189.cn/sso/LoginServlet (Telecom 189 login)


2. Packet Capture:

1. Clear the website's cookies and cache before capturing packets

2. Start the packet capture tool before the page opens (otherwise you won't capture the JS that performs the encryption)

3. Determine which one is our login submission packet

3. Analyze the captured data:


1. Here we will use the F12 Developer Tools in IE


2. Search for the keyword of our password field: passWord

3. Continue to trace the function called for encryption: encryptedString

4. We also need to know what the two parameters of the encryptedString function are, so continue by searching for key.

5. Now we have enough parameters for the encryption, and the next step is debugging. Some may ask: aren't there two parameters, so what about the other one, s? From the function we can see that s is the password pwd being encrypted, and from the if check around the function call we can see that pwd is our password passWord.

6. Next, copy the calling function and debug it in the developer tools. It requires the key and s parameters.

7. Debugging in IE is fine, so let's debug in the JS debugging tool next.


8. Copy the three RSA encryption JS scripts and the key, then call the bodyRSA() function with the password as the parameter. It turns out to be an object and cannot be called directly; if we keep calling it, the tool crashes.

9. This is the hard part of this RSA: the script needs to be rewritten, otherwise our Easy Language (易语言) program cannot call it.

10. Copy the rewritten function into the debugging tool just like before, still calling the bodyrsa() function.


Finally, we found that we succeeded.
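
The shape of steps 8 to 10, as an added Node.js example that is not the site's script or the author's rewritten function: a key held as an object, an encryptedString(key, s) call, and a bodyRSA(pwd) wrapper that takes and returns plain strings. The toy key, the byte-to-number block encoding, the absence of padding and the decryptedString helper are all assumptions made for illustration.

```javascript
// Added illustration. Toy key constructed for this example; not the site's key.
const P = 2n ** 31n - 1n, Q = 2n ** 61n - 1n; // two Mersenne primes, far too small for real use
// Square-and-multiply modular exponentiation on BigInt.
function modPow(base, exp, mod) {
  let result = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

// Extended Euclid: inverse of a modulo m, used only to derive the toy private exponent.
function modInverse(a, m) {
  let [r0, r1, s0, s1] = [m, a % m, 0n, 1n];
  while (r1 !== 0n) {
    const q = r0 / r1;
    [r0, r1, s0, s1] = [r1, r0 - q * r1, s1, s0 - q * s1];
  }
  return ((s0 % m) + m) % m;
}

// The key is an object: a caller that can only exchange strings cannot hold it.
function makeKeyPair(e) {
  const n = P * Q, chunkSize = Math.floor((n.toString(2).length - 1) / 8); // block bytes, value < n
  return { e, d: modInverse(e, (P - 1n) * (Q - 1n)), n, chunkSize };
}

// Two-argument call in the style the page traces: key object plus the string s.
function encryptedString(key, s) {
  const bytes = Buffer.from(s, "utf8"), blocks = [];
  for (let i = 0; i < bytes.length; i += key.chunkSize) {
    const m = BigInt("0x" + bytes.subarray(i, i + key.chunkSize).toString("hex"));
    blocks.push(modPow(m, key.e, key.n).toString(16));
  }
  return blocks.join(" ");
}

// Inverse with the toy private exponent, kept here only to check the round trip.
function decryptedString(key, c) {
  const parts = c.split(" ").filter(Boolean).map((h) => {
    const hex = modPow(BigInt("0x" + h), key.d, key.n).toString(16);
    return Buffer.from(hex.length % 2 ? "0" + hex : hex, "hex");
  });
  return Buffer.concat(parts).toString("utf8");
}
// String in, string out: the key object never leaves the script.
const KEY = makeKeyPair(65537n);
const bodyRSA = (pwd) => encryptedString(KEY, String(pwd));
```

Under the no-padding assumption the same password always produces the same output string, so this client-side step adds no per-login freshness and does not replace TLS on the login request.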

Because I don't have a Telecom phone number, I can't write a complete cookie operation login. Looking forward to the next issue!

User Comments:

Zhong Ju 5 years ago (2016-10-06)
My friend, try logging in with a Telecom number.

Sui Yuan Sui Yi 5 years ago (2016-10-02)
http://login.189.cn/login Is this the login for 189?

A Jue 5 years ago (2016-10-03)
I wrote the address I captured above, it's not this one.

Sui Yuan Sui Yi 5 years ago (2016-10-03)
It can only be in Tibet. Changing regions doesn't work [tears]

Zhong Ju 5 years ago (2016-10-06)
My Telecom phone number, broadband number, and landline number can log in at LOGIN.189.CN/LOGIN. The packet capture analysis is the same as this encryption.

Zhong Ju 5 years ago (2016-09-30)
My friend, I have a Telecom phone number, add me on QQ71***38. I'm exploring this thing and want to log in with POST.

A Jue 5 years ago (2016-10-01)
Click the link below the website to contact me.

Zhong Ju 5 years ago (2016-10-02)
Can't find the link.
