吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 2999|回复: 53
上一主题 下一主题
收起左侧

[Web逆向] 【js逆向】虾m视频真实地址

  [复制链接]
跳转到指定楼层
楼主
asone917 发表于 2025-4-6 21:23 回帖奖励
本帖最后由 asone917 于 2025-4-7 12:20 编辑

本文章中所有内容仅供学习交流使用,不用于其他任何目的,不提供完整代码,抓包内容、敏感网址、数据接口等均已做脱敏处理,严禁用于商业用途和非法用途,否则由此产生的一切后果均与作者无关.本文章未经许可禁止转载,禁止任何修改后二次传播,擅自使用本文讲解的技术而导致的任何意外,作者均不负责

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
目标网址aHR0cHM6Ly9qeC54bWZsdi5jb20vP3VybD1odHRwczovL3YucXEuY29tL3gvY292ZXIvbXpjMDAyMDB1OHZmemN6Lmh0bWw=
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


感谢各位大佬的观看,我是菜鸟,新手上路,在某同学的忽悠下入坑js逆向,请多指教

f12,输入网址后回车,点击xhr查看数据包:
要分析的是这个,它发的是post请求,但是得到的是一张裂图,感觉有点奇怪



把图片下载下来以txt文件打开查看内容


查看载荷,要求解的加密参数有三个url,time,key


全局搜索 'key':


进来,发现请求载荷参数生成的位置:



wap是固定值,不用管
先求解url,断点刷新网页调试


括号里面的url是视频的原地址


F9进来,复制整个文件的代码,利用工具解ob混淆





把代码复制下来


[JavaScript] 纯文本查看 复制代码
1
console.log(encrypt("原视频地址"))




找到 hex_md5函数的位置,缺啥补啥即可





运行就能得到结果:



接下来是分析time:
很明显,time的结果就是 encrypt(time)




代码测试:




接下来是分析key:


[JavaScript] 纯文本查看 复制代码
1
Il1liiI = l11llIl[I1Il1i1I(0x303, '**7N')](sign, l11llIl[I1Il1i1I(0x88e, 'irmS')](hex_md5, l11llIl[I1Il1i1I(0x348, 'uRzI')](ili11II, url)))


控制台输出:

l11llIl[I1Il1i1I(0x303, '**7N')](sign, l11llIl[I1Il1i1I(0x88e, 'irmS')](hex_md5, l11llIl[I1Il1i1I(0x348, 'uRzI')](ili11II, url))) 的结果:sign(l11llIl[I1Il1i1I(0x88e, 'irmS')](hex_md5, l11llIl[I1Il1i1I(0x348, 'uRzI')](ili11II, url)))
编写代码:


关键的js代码:
[JavaScript] 纯文本查看 复制代码
1
2
3
4
5
6
7
function run() {
    encrypted_url = encrypt("原视频地址")
    time = Date['now']()
    encrypted_time = encrypt(time)
    key = encrypt(sign(hex_md5(time+"原视频地址")))
    return [encrypted_url, encrypted_time, key]
}



编写主函数:
[Python] 纯文本查看 复制代码
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
import requests
import subprocess
from functools import partial
subprocess.Popen = partial(subprocess.Popen, encoding="utf-8")
import execjs
 
base_url = '请求的网址'
 
headers = {
    "authority": "",
    "method": "POST",
    "path": "/xmflv.js",
    "scheme": "https",
    "accept": "application/json, text/javascript, */*; q=0.01",
    "accept-encoding": "gzip, deflate, br, zstd",
    "accept-language": "zh-CN,zh;q=0.9",
    "cache-control": "no-cache",
    "content-length": "549",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
    "origin": "",
    "pragma": "no-cache",
    "priority": "u=1, i",
    "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"Windows\"",
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "cross-site",
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
}
 
with open("main.js") as f:
    jscode = f.read()
 
js = execjs.compile(jscode)
 
result = js.call("run")
print(result)
payload = {
    'wap': 0,
    'url': result[0],
    'time': result[1],
    'key': result[2]
}
 
res = requests.post(base_url, headers=headers, data=payload)
print(res.text)


运行成功图示:得到的就是我们那个图片以文本文件打开显示的内容



补充!!!
鉴于评论区一位大佬给出的代码,再结合自己的理解和复现


加密函数:
[JavaScript] 纯文本查看 复制代码
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
const CryptoJS = require('crypto-js')
 
function generateRandom13Number() {
    return Math.floor(Math.random() * 9e12) + 1e12;
}
 
function signCoen(input) {
    const str = generateRandom13Number() + 'TG:@XMFLV' + input + generateRandom13Number();
    return [...str].map(c => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}
 
function encrypt(input_string) {
 
    char_set = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-=+"
    random_index = Math['floor']((Math['random']() * 65))
    random_char = char_set[random_index]
    secret_key = '54473a584d464c56'
 
    hash_key = CryptoJS.MD5(secret_key + random_char)
 
 
    hash_key = String(hash_key).substr(random_index % 8, 7);
    input_string = btoa(input_string)
 
    encrypted_string = ''
    new_index = 0
    hash_index = 0
    for (iIill11l = 0; iIill11l < 60; iIill11l++) {
        hash_index = hash_index === hash_key['length'] ? 0 : hash_index
        new_index = (random_index + char_set['indexOf'](input_string[iIill11l]) + hash_key[hash_index++]['charCodeAt'](0)) % 64
        encrypted_string += char_set[new_index];
    }
    return signCoen(encodeURI(random_char + encrypted_string))
}
 
console.log(encrypt('###'))




[JavaScript] 纯文本查看 复制代码
01
02
03
04
05
06
07
08
09
10
11
12
13
14
const CryptoJS = require('crypto-js')
 
function decrypt(iliiIiii, ill1lII, iil1IIII) {
    let i1i1i1lI = CryptoJS['AES']['decrypt'](iliiIiii, CryptoJS['enc']['Utf8']['parse'](ill1lII), {
        'iv': CryptoJS['enc']['Utf8']['parse'](iil1IIII),
        'mode': CryptoJS['mode']['CBC'],
        'padding': CryptoJS['pad']['Pkcs7']
    });
    return i1i1i1lI.toString(CryptoJS.enc.Utf8)
}
 
function run(url, aes_key, aes_iv){
    return decrypt(url, aes_key, aes_iv)
}



主函数:
[Python] 纯文本查看 复制代码
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
import json
import requests
import subprocess
from functools import partial
subprocess.Popen = partial(subprocess.Popen, encoding="utf-8")
import execjs
 
base_url = '请求的网址'
 
headers = {
    "authority": "",
    "method": "POST",
    "path": "/xmflv.js",
    "scheme": "https",
    "accept": "application/json, text/javascript, */*; q=0.01",
    "accept-encoding": "gzip, deflate, br, zstd",
    "accept-language": "zh-CN,zh;q=0.9",
    "cache-control": "no-cache",
    "content-length": "549",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
    "origin": "",
    "pragma": "no-cache",
    "priority": "u=1, i",
    "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"Windows\"",
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "cross-site",
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
}
 
with open("main.js") as f:
    jscode = f.read()
 
js = execjs.compile(jscode)
 
result = js.call("run")
print(result)
payload = {
    'wap': 0,
    'url': result[0],
    'time': result[1],
    'key': result[2]
}
 
res = requests.post(base_url, headers=headers, data=payload)
print(res.text)
json_data = res.text
json_data = json.loads(json_data)
 
url = json_data['url']
aes_key = json_data['aes_key']
aes_iv = json_data['aes_iv']
 
 
with open("main2.js") as f:
    jscode = f.read()
 
js = execjs.compile(jscode)
 
result = js.call("run", url, aes_key, aes_iv)
 
print(result)




整个过程就是这样,有不足之处请各位大佬指出,今天的分享就到这里!



免费评分

参与人数 22威望 +1 吾爱币 +42 热心值 +18 收起 理由
gs2003 + 1 + 1 谢谢@Thanks!
beihai1314 + 1 + 1 我很赞同!
bianqi + 1 + 1 我很赞同!
flome + 1 谢谢@Thanks!
sinmu + 1 + 1 谢谢@Thanks!
KsAigg + 1 + 1 我很赞同!
scz + 1 + 1 谢谢分享
zoeblow + 1 谢谢@Thanks!
ImpJ + 1 + 1 谢谢@Thanks!
dxiaolong + 1 用心讨论,共获提升!
zaijianwukong + 1 + 1 谢谢@Thanks!
liuxuming3303 + 1 + 1 谢谢@Thanks!
yyb414 + 1 + 1 热心回复!
Qchi + 1 + 1 我很赞同!
wangxiaoqiqiqi + 1 + 1 我很赞同!
surepj + 1 + 1 用心讨论,共获提升!
lwGoodChinese + 1 我很赞同!
hHunter + 1 谢谢@Thanks!
漁滒 + 4 + 1 我很赞同!
zhoushengzhi + 1 + 1 谢谢@Thanks!
涛之雨 + 1 + 20 + 1 感谢发布原创作品,吾爱破解论坛因你更精彩!
hicesamon + 1 用心讨论,共获提升!

查看全部评分

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

推荐
漁滒 发表于 2025-4-7 08:45
上周我也刚看了下

请求函数
[Python] 纯文本查看 复制代码
01
02
03
04
05
06
07
08
09
10
11
12
13
14
data = {
    'wap': '1',
    'url': parse.quote(url, safe=''),
    'time': str(int(time.time()))
}
sign = MD5.new((data['time'] + data['url']).encode()).hexdigest()
crypto = AES.new(key=MD5.new(sign.encode()).hexdigest().encode(), mode=AES.MODE_CBC, iv=b'3cccf88181408f19')
data['key'] = base64.b64encode(crypto.encrypt(sign.encode())).decode()
data['url'] = encrypt(data['url'])
data['time'] = encrypt(data['time'])
data['key'] = encrypt(data['key'])
response = requests.post('https://xxxxxxxx/xmflv.js', data=data, headers={'origin': 'https://xxxxxxxxx'}).json()
crypto = AES.new(key=response['aes_key'].encode(), mode=AES.MODE_CBC, iv=response['aes_iv'].encode())
m3u8_url = Padding.unpad(crypto.decrypt(base64.b64decode(response['url'].encode())), AES.block_size).decode()



加密函数

[Python] 纯文本查看 复制代码
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
def encrypt(input_string):
    char_set = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-=+"
    random_index = random.randint(1, 60)
    random_char = char_set[random_index]
    secret_key = '54473a584d464c56'
    hash_key = MD5.new((secret_key + random_char).encode()).hexdigest()
    hash_key = hash_key[random_index % 8: (random_index % 8) + (random_index % 8) + 7]
    encoded_string = base64.b64encode(input_string.encode()).decode()
    encrypted_string = ''
    hash_index = 0
    for i in range(len(encoded_string)):
        hash_index = 0 if hash_index == len(hash_key) else hash_index
        new_index = (random_index + char_set.index(encoded_string[i]) + ord(hash_key[hash_index])) % 64
        hash_index += 1
        encrypted_string += char_set[new_index]
    timestamp = str(int(time.time() * 1000))
    result_string = timestamp + "TG:@XMFLV" + random_char + encrypted_string + timestamp
    return result_string.encode().hex()

免费评分

参与人数 3吾爱币 +5 热心值 +3 收起 理由
pwp + 3 + 1 鱼哥牛逼
surepj + 1 + 1 用心讨论,共获提升!
Carinx + 1 + 1 用心讨论,共获提升!

查看全部评分

3#
qq5309 发表于 2025-4-7 00:13
4#
 楼主| asone917 发表于 2025-4-7 00:17 |楼主
5#
laozhang4201 发表于 2025-4-7 05:52
学习学习。
6#
imhanserok 发表于 2025-4-7 07:08
每天学习一下,开阔眼界
7#
jianglin45 发表于 2025-4-7 08:31

厉害呀,膜拜大佬
8#
eggplant 发表于 2025-4-7 08:34
跟着大神快速入坑。
9#
tomliu 发表于 2025-4-7 08:48
还挺复杂, 学习到了
10#
asi7 发表于 2025-4-7 09:00
正在学js
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2025-5-18 04:03

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表