【js逆向】虾m视频真实地址

asone917

本文章中所有内容仅供学习交流使用，不用于其他任何目的，不提供完整代码，抓包内容、敏感网址、数据接口等均已做脱敏处理，严禁用于商业用途和非法用途，否则由此产生的一切后果均与作者无关.本文章未经许可禁止转载，禁止任何修改后二次传播，擅自使用本文讲解的技术而导致的任何意外，作者均不负责

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
目标网址：aHR0cHM6Ly9qeC54bWZsdi5jb20vP3VybD1odHRwczovL3YucXEuY29tL3gvY292ZXIvbXpjMDAyMDB1OHZmemN6Lmh0bWw=
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


感谢各位大佬的观看，我是菜鸟，新手上路，在某同学的忽悠下入坑js逆向，请多指教

f12，输入网址后回车，点击xhr查看数据包：
要分析的是这个，它发的是post请求，但是得到的是一张裂图，感觉有点奇怪



把图片下载下来以txt文件打开查看内容


查看载荷，要求解的加密参数有三个url，time，key


全局搜索 'key':


进来，发现请求载荷参数生成的位置：



wap是固定值，不用管
先求解url，断点刷新网页调试


括号里面的url是视频的原地址


F9进来，复制整个文件的代码，利用工具解ob混淆





把代码复制下来

[JavaScript] 纯文本查看 复制代码

?

1	console.log(encrypt("原视频地址"))

找到 hex_md5函数的位置，缺啥补啥即可





运行就能得到结果：



接下来是分析time：
很明显，time的结果就是 encrypt(time)




代码测试：




接下来是分析key：

[JavaScript] 纯文本查看 复制代码

?

1	Il1liiI = l11llIl[I1Il1i1I(0x303, '**7N')](sign, l11llIl[I1Il1i1I(0x88e, 'irmS')](hex_md5, l11llIl[I1Il1i1I(0x348, 'uRzI')](ili11II, url)))

控制台输出：

l11llIl[I1Il1i1I(0x303, '**7N')](sign, l11llIl[I1Il1i1I(0x88e, 'irmS')](hex_md5, l11llIl[I1Il1i1I(0x348, 'uRzI')](ili11II, url))) 的结果：sign(l11llIl[I1Il1i1I(0x88e, 'irmS')](hex_md5, l11llIl[I1Il1i1I(0x348, 'uRzI')](ili11II, url)))
编写代码：


关键的js代码：

[JavaScript] 纯文本查看 复制代码

?

1 2 3 4 5 6 7

function run() {     encrypted_url = encrypt("原视频地址")     time = Date['now']()     encrypted_time = encrypt(time)     key = encrypt(sign(hex_md5(time+"原视频地址")))     return [encrypted_url, encrypted_time, key] }

编写主函数：

[Python] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47

import requests import subprocess from functools import partial subprocess.Popen = partial(subprocess.Popen, encoding="utf-8") import execjs   base_url = '请求的网址'   headers = {     "authority": "",     "method": "POST",     "path": "/xmflv.js",     "scheme": "https",     "accept": "application/json, text/javascript, */*; q=0.01",     "accept-encoding": "gzip, deflate, br, zstd",     "accept-language": "zh-CN,zh;q=0.9",     "cache-control": "no-cache",     "content-length": "549",     "content-type": "application/x-www-form-urlencoded; charset=UTF-8",     "origin": "",     "pragma": "no-cache",     "priority": "u=1, i",     "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",     "sec-ch-ua-mobile": "?0",     "sec-ch-ua-platform": "\"Windows\"",     "sec-fetch-dest": "empty",     "sec-fetch-mode": "cors",     "sec-fetch-site": "cross-site",     "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36", }   with open("main.js") as f:     jscode = f.read()   js = execjs.compile(jscode)   result = js.call("run") print(result) payload = {     'wap': 0,     'url': result[0],     'time': result[1],     'key': result[2] }   res = requests.post(base_url, headers=headers, data=payload) print(res.text)

运行成功图示：得到的就是我们那个图片以文本文件打开显示的内容


补充!!!
鉴于评论区一位大佬给出的代码，再结合自己的理解和复现


加密函数:

[JavaScript] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36

const CryptoJS = require('crypto-js')   function generateRandom13Number() {     return Math.floor(Math.random() * 9e12) + 1e12; }   function signCoen(input) {     const str = generateRandom13Number() + 'TG:@XMFLV' + input + generateRandom13Number();     return [...str].map(c => c.charCodeAt(0).toString(16).padStart(2, '0')).join(''); }   function encrypt(input_string) {       char_set = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-=+"     random_index = Math['floor']((Math['random']() * 65))     random_char = char_set[random_index]     secret_key = '54473a584d464c56'       hash_key = CryptoJS.MD5(secret_key + random_char)         hash_key = String(hash_key).substr(random_index % 8, 7);     input_string = btoa(input_string)       encrypted_string = ''     new_index = 0     hash_index = 0     for (iIill11l = 0; iIill11l < 60; iIill11l++) {         hash_index = hash_index === hash_key['length'] ? 0 : hash_index         new_index = (random_index + char_set['indexOf'](input_string[iIill11l]) + hash_key[hash_index++]['charCodeAt'](0)) % 64         encrypted_string += char_set[new_index];     }     return signCoen(encodeURI(random_char + encrypted_string)) }   console.log(encrypt('###'))

[JavaScript] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14

const CryptoJS = require('crypto-js')   function decrypt(iliiIiii, ill1lII, iil1IIII) {     let i1i1i1lI = CryptoJS['AES']['decrypt'](iliiIiii, CryptoJS['enc']['Utf8']['parse'](ill1lII), {         'iv': CryptoJS['enc']['Utf8']['parse'](iil1IIII),         'mode': CryptoJS['mode']['CBC'],         'padding': CryptoJS['pad']['Pkcs7']     });     return i1i1i1lI.toString(CryptoJS.enc.Utf8) }   function run(url, aes_key, aes_iv){     return decrypt(url, aes_key, aes_iv) }

主函数:

[Python] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64

import json import requests import subprocess from functools import partial subprocess.Popen = partial(subprocess.Popen, encoding="utf-8") import execjs   base_url = '请求的网址'   headers = {     "authority": "",     "method": "POST",     "path": "/xmflv.js",     "scheme": "https",     "accept": "application/json, text/javascript, */*; q=0.01",     "accept-encoding": "gzip, deflate, br, zstd",     "accept-language": "zh-CN,zh;q=0.9",     "cache-control": "no-cache",     "content-length": "549",     "content-type": "application/x-www-form-urlencoded; charset=UTF-8",     "origin": "",     "pragma": "no-cache",     "priority": "u=1, i",     "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",     "sec-ch-ua-mobile": "?0",     "sec-ch-ua-platform": "\"Windows\"",     "sec-fetch-dest": "empty",     "sec-fetch-mode": "cors",     "sec-fetch-site": "cross-site",     "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36", }   with open("main.js") as f:     jscode = f.read()   js = execjs.compile(jscode)   result = js.call("run") print(result) payload = {     'wap': 0,     'url': result[0],     'time': result[1],     'key': result[2] }   res = requests.post(base_url, headers=headers, data=payload) print(res.text) json_data = res.text json_data = json.loads(json_data)   url = json_data['url'] aes_key = json_data['aes_key'] aes_iv = json_data['aes_iv']     with open("main2.js") as f:     jscode = f.read()   js = execjs.compile(jscode)   result = js.call("run", url, aes_key, aes_iv)   print(result)

整个过程就是这样，有不足之处请各位大佬指出，今天的分享就到这里！

漁滒

上周我也刚看了下

请求函数

[Python] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14

data = {     'wap': '1',     'url': parse.quote(url, safe=''),     'time': str(int(time.time())) } sign = MD5.new((data['time'] + data['url']).encode()).hexdigest() crypto = AES.new(key=MD5.new(sign.encode()).hexdigest().encode(), mode=AES.MODE_CBC, iv=b'3cccf88181408f19') data['key'] = base64.b64encode(crypto.encrypt(sign.encode())).decode() data['url'] = encrypt(data['url']) data['time'] = encrypt(data['time']) data['key'] = encrypt(data['key']) response = requests.post('https://xxxxxxxx/xmflv.js', data=data, headers={'origin': 'https://xxxxxxxxx'}).json() crypto = AES.new(key=response['aes_key'].encode(), mode=AES.MODE_CBC, iv=response['aes_iv'].encode()) m3u8_url = Padding.unpad(crypto.decrypt(base64.b64decode(response['url'].encode())), AES.block_size).decode()

加密函数

[Python] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18

def encrypt(input_string):     char_set = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-=+"     random_index = random.randint(1, 60)     random_char = char_set[random_index]     secret_key = '54473a584d464c56'     hash_key = MD5.new((secret_key + random_char).encode()).hexdigest()     hash_key = hash_key[random_index % 8: (random_index % 8) + (random_index % 8) + 7]     encoded_string = base64.b64encode(input_string.encode()).decode()     encrypted_string = ''     hash_index = 0     for i in range(len(encoded_string)):         hash_index = 0 if hash_index == len(hash_key) else hash_index         new_index = (random_index + char_set.index(encoded_string[i]) + ord(hash_key[hash_index])) % 64         hash_index += 1         encrypted_string += char_set[new_index]     timestamp = str(int(time.time() * 1000))     result_string = timestamp + "TG:@XMFLV" + random_char + encrypted_string + timestamp     return result_string.encode().hex()

qq5309

大佬工具分享下

asone917

qq5309 发表于 2025-4-7 00:13
大佬工具分享下

https://github.com/cilame/v_jstools

laozhang4201

学习学习。

imhanserok

每天学习一下，开阔眼界

jianglin45

厉害呀，膜拜大佬

eggplant

跟着大神快速入坑。

tomliu

还挺复杂, 学习到了

asi7

正在学js