ningmou

ningmou

telegram
HomeArchives

Research on a certain wall-climbing client

686
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The structure analysis of an electron image revealed that the source code was not packaged in the app.asar file as usual, but was exposed outside. The project used multiple package management programs and had dependencies that were unnecessarily large, leading to a final package size of nearly 100MB. The author's actions included extracting encrypted strings to obtain URLs and modifying functions to access content from a gitee repository. The usage involved modifying code to retrieve and decode addresses from a base64 encrypted JSON. The client code was only reviewed for Windows and was deemed to potentially have many bugs based on code quality and implementation.

Structural Analysis#

Electron at a glance
image
So open resources and take a look

image
It's a bit different from the classic structure, normally the source code should be packaged into app.asar, but this one is different, it's exposed directly, which is convenient.

Research Process#

Open pacakage.json

image

image
First of all, it's difficult to crash because this project uses several common package managers. The json file mentions npm yarn, and there is also pnpm in the folder, just choose one. It's impressive that it can integrate so many and still run normally.

Next, let's focus on the main file
It's not encrypted, just compressed, formatting it will be fine.
Now let's move on to the author's brilliant operation.

image
There is obfuscation in the dependencies, but it's not used, I don't know why it's referenced.
Vue should be a development dependency, and it's directly included in the final package.
As a result, the final dependencies are nearly 100MB.
Now let's go back to the main file.

截屏 2024-04-01 20.48.24_副本

I immediately noticed these two strings, it looks like getting the address of oss first, then getting the panel address. They are clearly encrypted strings, and there is also base64 with == at the end, which clearly indicates that it's encrypted information.

console.log(w().replaceAll("}", ""));

Just take out the relevant function separately, and you can see the address by outputting it. It's from gitee.
https://gitee.com/wepc_1_0/appconfig
Then get the content, modify the x function, and output it directly.

function x() {
            var n = f;
           console.log(n)
}
var data = "content obtained from gitee";
var n = new Buffer(data, "base64").toString("UTF-8");
m(n);
x();

The content is roughly like this, you can decrypt it yourself, I won't put it here because it's too long.

{
  apiUrl: 'https://.',
  crispId: '',
  siteName: '',
  website: 'https://',
  tgGroup: '',
  invite: '',
  inviteIntroduce: '',
  affText: 'Invite link: ',
  payMethod: '1',
...........

Usage#

Just modify the following code

await c().get("get address").then((e => {
                    var n = new Buffer(e.data, "base64").toString("UTF-8");
                    m(n), x()
                }))

Then put the base64 encrypted json in the address part, the format is in the gitee obtained in the previous steps, decrypt it yourself and replace it.

Others#

How to get the package, those who understand, understand, gitee has given it to you.
To be honest, I only looked at the win client, um, how should I put it, judging from the code quality and implementation, I think there should be quite a few bugs.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.