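This post was last edited by asone917 on 2025-4-7 12:20
All content in this article is for learning and discussion only and is not to be used for any other purpose. Complete code is not provided; captured traffic, sensitive URLs, data interfaces and the like have been redacted. Commercial and illegal use is strictly prohibited, and the author bears no responsibility for any consequences arising from such use. This article may not be reproduced without permission, nor redistributed after any modification. The author is not responsible for any incident caused by unauthorized use of the techniques explained here.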
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Target URL: aHR0cHM6Ly9qeC54bWZsdi5jb20vP3VybD1odHRwczovL3YucXEuY29tL3gvY292ZXIvbXpjMDAyMDB1OHZmemN6Lmh0bWw=
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
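Thanks for reading, everyone. I'm a newbie just starting out; a classmate talked me into JS reverse engineering, so any pointers are welcome.
Press F12, enter the URL and press Enter, then click XHR to view the requests:
This is the one to analyze. It sends a POST request, but what comes back is a broken image, which seems a bit odd.
Download the image and open it as a .txt file to view its contents.
Look at the payload: there are three encrypted parameters to work out: url, time and key.
Global search for 'key':
Step in and find where the request payload parameters are generated:
wap is a fixed value and can be ignored.
Start with url: set a breakpoint and refresh the page to debug.
The url inside the parentheses is the original address of the video.
Press F9 to step in, copy the whole file's code, and use a tool to remove the OB obfuscation.
Copy the code out.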
```javascript
// "原视频地址" is a placeholder for the original video address
console.log(encrypt("原视频地址"))
```
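Locate the hex_md5 function and fill in whatever is missing.
Run it to get the result:
Next, analyze time:
Clearly, the value of time is just encrypt(time).
Test in code:
Next, analyze key: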
```javascript
Il1liiI = l11llIl[I1Il1i1I(0x303, '**7N')](sign, l11llIl[I1Il1i1I(0x88e, 'irmS')](hex_md5, l11llIl[I1Il1i1I(0x348, 'uRzI')](ili11II, url)))
```
Console output:
`l11llIl[I1Il1i1I(0x303, '**7N')](sign, l11llIl[I1Il1i1I(0x88e, 'irmS')](hex_md5, l11llIl[I1Il1i1I(0x348, 'uRzI')](ili11II, url)))` evaluates to: `sign(l11llIl[I1Il1i1I(0x88e, 'irmS')](hex_md5, l11llIl[I1Il1i1I(0x348, 'uRzI')](ili11II, url)))`
Write the code:
The key JS code:
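```javascript
function run() {
    // "原视频地址" is a placeholder for the original video address
    const encrypted_url = encrypt("原视频地址")
    // Millisecond timestamp, used both as the time parameter and as input to key
    const time = Date['now']()
    const encrypted_time = encrypt(time)
    // key = encrypt(sign(hex_md5(time + url)))
    const key = encrypt(sign(hex_md5(time + "原视频地址")))
    return [encrypted_url, encrypted_time, key]
}
```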
Write the main program:
```python
import requests
import subprocess
from functools import partial

# Patch Popen before importing execjs so the JS subprocess output is decoded as UTF-8.
subprocess.Popen = partial(subprocess.Popen, encoding="utf-8")

import execjs

base_url = '请求的网址'  # placeholder: the request URL

# Headers as captured in DevTools; "authority" and "origin" are left blank in the post.
headers = {
    "authority": "",
    "method": "POST",
    "path": "/xmflv.js",
    "scheme": "https",
    "accept": "application/json, text/javascript, */*; q=0.01",
    "accept-encoding": "gzip, deflate, br, zstd",
    "accept-language": "zh-CN,zh;q=0.9",
    "cache-control": "no-cache",
    "content-length": "549",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
    "origin": "",
    "pragma": "no-cache",
    "priority": "u=1, i",
    "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"Windows\"",
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "cross-site",
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
}

# Load the JS file and call run(), which returns [encrypted_url, encrypted_time, key].
with open("main.js", encoding="utf-8") as f:
    jscode = f.read()
js = execjs.compile(jscode)
result = js.call("run")
print(result)

payload = {
    'wap': 0,
    'url': result[0],
    'time': result[1],
    'key': result[2]
}
res = requests.post(base_url, headers=headers, data=payload)
print(res.text)
```
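Successful run: the output is exactly the content shown when that image was opened as a text file.
Addendum!!!
Based on code that an expert posted in the comments, combined with my own understanding and reproduction:
Encryption function: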
```javascript
const CryptoJS = require('crypto-js')

// Random 13-digit integer
function generateRandom13Number() {
    return Math.floor(Math.random() * 9e12) + 1e12;
}

// Wrap the input between two random 13-digit numbers and a fixed marker, then hex-encode each character
function signCoen(input) {
    const str = generateRandom13Number() + 'TG:@XMFLV' + input + generateRandom13Number();
    return [...str].map(c => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}

function encrypt(input_string) {
    const char_set = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-=+"
    const random_index = Math['floor']((Math['random']() * 65))
    const random_char = char_set[random_index]
    const secret_key = '54473a584d464c56'
    // 7 hex characters taken from MD5(secret_key + random_char)
    let hash_key = CryptoJS.MD5(secret_key + random_char)
    hash_key = String(hash_key).substr(random_index % 8, 7);
    input_string = btoa(input_string)
    let encrypted_string = ''
    let new_index = 0
    let hash_index = 0
    // Substitute each Base64 character, offset by random_index and the cycling hash_key characters
    for (let iIill11l = 0; iIill11l < 60; iIill11l++) {
        hash_index = hash_index === hash_key['length'] ? 0 : hash_index
        new_index = (random_index + char_set['indexOf'](input_string[iIill11l]) + hash_key[hash_index++]['charCodeAt'](0)) % 64
        encrypted_string += char_set[new_index];
    }
    return signCoen(encodeURI(random_char + encrypted_string))
}

console.log(encrypt('###'))
```
```javascript
// main2.js, loaded by the main program below: AES-CBC / PKCS#7 decryption of the url field
const CryptoJS = require('crypto-js')

function decrypt(iliiIiii, ill1lII, iil1IIII) {
    let i1i1i1lI = CryptoJS['AES']['decrypt'](iliiIiii, CryptoJS['enc']['Utf8']['parse'](ill1lII), {
        'iv': CryptoJS['enc']['Utf8']['parse'](iil1IIII),
        'mode': CryptoJS['mode']['CBC'],
        'padding': CryptoJS['pad']['Pkcs7']
    });
    return i1i1i1lI.toString(CryptoJS.enc.Utf8)
}

function run(url, aes_key, aes_iv) {
    return decrypt(url, aes_key, aes_iv)
}
```
Main program:
```python
import json
import requests
import subprocess
from functools import partial

# Patch Popen before importing execjs so the JS subprocess output is decoded as UTF-8.
subprocess.Popen = partial(subprocess.Popen, encoding="utf-8")

import execjs

base_url = '请求的网址'  # placeholder: the request URL

# Headers as captured in DevTools; "authority" and "origin" are left blank in the post.
headers = {
    "authority": "",
    "method": "POST",
    "path": "/xmflv.js",
    "scheme": "https",
    "accept": "application/json, text/javascript, */*; q=0.01",
    "accept-encoding": "gzip, deflate, br, zstd",
    "accept-language": "zh-CN,zh;q=0.9",
    "cache-control": "no-cache",
    "content-length": "549",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
    "origin": "",
    "pragma": "no-cache",
    "priority": "u=1, i",
    "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"Windows\"",
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "cross-site",
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
}

# Step 1: build the request parameters with main.js and send the POST request.
with open("main.js", encoding="utf-8") as f:
    jscode = f.read()
js = execjs.compile(jscode)
result = js.call("run")
print(result)

payload = {
    'wap': 0,
    'url': result[0],
    'time': result[1],
    'key': result[2]
}
res = requests.post(base_url, headers=headers, data=payload)
print(res.text)

# Step 2: the JSON response carries the encrypted url together with its AES key and IV.
json_data = res.text
json_data = json.loads(json_data)
url = json_data['url']
aes_key = json_data['aes_key']
aes_iv = json_data['aes_iv']

# Step 3: decrypt the url field with main2.js.
with open("main2.js", encoding="utf-8") as f:
    jscode = f.read()
js = execjs.compile(jscode)
result = js.call("run", url, aes_key, aes_iv)
print(result)
```
That's the whole process. If anything is lacking, please point it out. That's all for today's share!
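The last step above decrypts the `url` field with a key and IV taken from the same JSON response, so the AES layer works as an encoding step rather than a confidentiality control. The following added example (not code from the original post or from the site) performs the same AES-CBC/PKCS#7 decryption with Node's built-in `crypto` module and rejects malformed key or IV lengths; the field names follow the post, while the sample key, IV and plaintext URL are constructed.

```javascript
// Added example, not the site's code. Sample key, IV and plaintext are constructed.
const crypto = require('crypto');

// CryptoJS infers the AES variant from the key length; Node needs it named explicitly.
const CIPHER_BY_KEY_LEN = { 16: 'aes-128-cbc', 24: 'aes-192-cbc', 32: 'aes-256-cbc' };

function cipherFor(keyBuf, ivBuf) {
  const name = CIPHER_BY_KEY_LEN[keyBuf.length];
  if (!name) throw new Error(`unsupported AES key length: ${keyBuf.length} bytes`);
  if (ivBuf.length !== 16) throw new Error(`CBC IV must be 16 bytes, got ${ivBuf.length}`);
  return name;
}

// Same parameters as the post's decrypt(): Base64 ciphertext, UTF-8 key and IV, CBC, PKCS#7.
function decryptField(ciphertextB64, aesKey, aesIv) {
  const key = Buffer.from(aesKey, 'utf8');
  const iv = Buffer.from(aesIv, 'utf8');
  const decipher = crypto.createDecipheriv(cipherFor(key, iv), key, iv);
  return Buffer.concat([
    decipher.update(Buffer.from(ciphertextB64, 'base64')),
    decipher.final(), // throws when the PKCS#7 padding is invalid
  ]).toString('utf8');
}

// Builds a constructed response with the same shape as the one in the post.
function buildSampleResponse(plaintext, aesKey, aesIv) {
  const key = Buffer.from(aesKey, 'utf8');
  const iv = Buffer.from(aesIv, 'utf8');
  const cipher = crypto.createCipheriv(cipherFor(key, iv), key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return JSON.stringify({ url: ct.toString('base64'), aes_key: aesKey, aes_iv: aesIv });
}

// Everything needed to recover the plaintext is inside the response body itself.
function decryptResponse(body) {
  const { url, aes_key, aes_iv } = JSON.parse(body);
  return decryptField(url, aes_key, aes_iv);
}

const sample = buildSampleResponse(
  'https://media.example/stream.m3u8', '0123456789abcdef', 'fedcba9876543210');
console.log(decryptResponse(sample));
```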