Enter the bin directory and run the following command on the command line (to download cli.exe, see my other article: https://learnku.com/articles/67419):
./cli.exe Websocket.php
1. Create a WebSocket connection in the browser (first inject the Websocket.js file into the browser)
2. Register the js function that needs to be callable on the client object
// Suppose we want to call the btoa function over HTTP. The first argument is an arbitrary name for the action;
// the second is the function that does the actual work, which you define yourself.
let client = (new WebsocketClient("ws://127.0.0.1:9501")).start();
client.registeCall("btoa", function (resolve, params) {
    let result = btoa(params);
    resolve(result);
});
// An access URL is printed, for example:
[2022/4/24 18:16:01] [info] 连接到服务器成功
[2022/4/24 18:16:52] [info] 注册函数btoa成功
[2022/4/24 18:16:52] [info] 访问地址:http://127.0.0.1:9501/call?group=ef8d3da2-dca4-4236-ba99-82f76a5e1901&action=btoa&input=
Parameter description:
group: client group ID (leave it as printed)
action: the registered function to call (leave it as printed)
input: the argument passed to that function (you fill this in)
Visiting http://127.0.0.1:9501/call?group=df777a58-ff44-41bb-81ce-935b6bea9c25&action=btoa&input="abc" returns the result of window.btoa("ss").
Execution
Often an encrypted parameter is generated by a function in some js file. What we need to do is find, with breakpoints, the place where the encrypted parameter is generated, then dynamically inject our script and call that function from external code. Assume here that you have already found the key code; then all that remains is to inject our script dynamically, which takes two steps.
First, add the WebSocket connection logic next to the key encryption function, save the result as a new js file, and then use the browser's Overrides feature or Fiddler to replace the original encrypted js file. Suppose the encryption function we found is:
function sign() {
    // the w function is defined elsewhere
    return w(x + y);
}
After transforming it:
function sign() {
    // dynamically inject the js-rpc client script
    (function () {
        var newElement = document.createElement("script");
        newElement.setAttribute("type", "text/javascript");
        // the src must serve the raw JavaScript file; a GitHub blob page returns HTML, not script
        newElement.setAttribute("src", "https://github.com/kxg3030/js-rpc/blob/main/Websocket.js");
        document.body.appendChild(newElement);
        function startWs() {
            var client = (new WebsocketClient("ws://127.0.0.1:9501")).start();
            client.registeCall("a", function (resolve, params) {
                // Key point: here we call the w function ourselves with the parameters received from the server
                resolve(w(params));
            });
        }
        // wait for the injected script to load before creating the client
        // (note: this IIFE runs on every call to sign(), so guard it so that injection and registration happen only once)
        setTimeout(startWs, 1000);
    })();
    // the w function is defined elsewhere
    return w(x + y);
}
Then save the modified js file and use it to replace the original js file of the same name in the web page.
Second, just use the external ws server to communicate with the browser; it exposes two endpoints:
/call  calls a registered function and returns its result
/list  returns the number of WebSocket clients currently connected to the service
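As an added illustration (not the js-rpc project's own code), the following Node.js snippet models the registeCall/resolve flow used above for btoa and for the injected sign() helper, together with the /call?group=&action=&input= routing the server performs. The names FunctionRegistry and dispatchCallUrl, and the in-process routing, are assumptions; the real library carries these messages over WebSocket.

```javascript
// Added illustration, not the js-rpc library's own code: an in-process model of
// registeCall/resolve and of the /call?group=&action=&input= dispatch the server
// performs. FunctionRegistry and dispatchCallUrl are hypothetical names.

// Fallback so the example also runs on Node versions without a global btoa.
const base64 = typeof btoa === "function"
  ? btoa
  : (s) => Buffer.from(s, "binary").toString("base64");

class FunctionRegistry {
  constructor(group) {
    this.group = group;        // group id the server assigns to this client
    this.handlers = new Map(); // action name -> function(resolve, params)
  }

  // Mirrors client.registeCall(name, fn); fn receives (resolve, params).
  registeCall(name, fn) {
    this.handlers.set(name, fn);
    return this;
  }

  // Invoke a registered action, turning the callback-style resolve into a Promise.
  call(action, input) {
    const fn = this.handlers.get(action);
    if (!fn) return Promise.reject(new Error(`unknown action: ${action}`));
    return new Promise((resolve, reject) => {
      try { fn(resolve, input); } catch (e) { reject(e); }
    });
  }
}

// Parse a /call URL of the form the server prints and route it to the client
// whose group id matches; unknown paths, groups or actions are rejected.
function dispatchCallUrl(rawUrl, clients) {
  const u = new URL(rawUrl);
  if (u.pathname !== "/call") return Promise.reject(new Error("not a /call request"));
  const group = u.searchParams.get("group");
  const action = u.searchParams.get("action");
  const input = u.searchParams.get("input") ?? "";
  const client = clients.find((c) => c.group === group);
  if (!client) return Promise.reject(new Error(`no client in group ${group}`));
  return client.call(action, input);
}

// Constructed sample: one browser-side client registering btoa, as on the page.
const sampleClient = new FunctionRegistry("ef8d3da2-dca4-4236-ba99-82f76a5e1901")
  .registeCall("btoa", (resolve, params) => resolve(base64(params)));

// Same request as the page's example URL; resolves to "YWJj" (base64 of "abc").
const demoUrl = "http://127.0.0.1:9501/call?group=ef8d3da2-dca4-4236-ba99-82f76a5e1901&action=btoa&input=abc";
```

Because the registered function decides what it does with `params`, the only actions reachable over HTTP are the ones the client explicitly registers, and the server listens on 127.0.0.1 so that only local processes can reach it.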