【js逆向】虾m视频真实地址

asone917 · 发表于 2025-4-6 21:23

本帖最后由 asone917 于 2025-4-7 12:20 编辑

本文章中所有内容仅供学习交流使用，不用于其他任何目的，不提供完整代码，抓包内容、敏感网址、数据接口等均已做脱敏处理，严禁用于商业用途和非法用途，否则由此产生的一切后果均与作者无关.本文章未经许可禁止转载，禁止任何修改后二次传播，擅自使用本文讲解的技术而导致的任何意外，作者均不负责

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
目标网址：aHR0cHM6Ly9qeC54bWZsdi5jb20vP3VybD1odHRwczovL3YucXEuY29tL3gvY292ZXIvbXpjMDAyMDB1OHZmemN6Lmh0bWw=
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

感谢各位大佬的观看，我是菜鸟，新手上路，在某同学的忽悠下入坑js逆向，请多指教

f12，输入网址后回车，点击xhr查看数据包：
要分析的是这个，它发的是post请求，但是得到的是一张裂图，感觉有点奇怪

把图片下载下来以txt文件打开查看内容

查看载荷，要求解的加密参数有三个url，time，key

全局搜索 'key':

进来，发现请求载荷参数生成的位置：

wap是固定值，不用管
先求解url，断点刷新网页调试

括号里面的url是视频的原地址

F9进来，复制整个文件的代码，利用工具解ob混淆

把代码复制下来

[JavaScript] 纯文本查看 复制代码

console.log(encrypt("原视频地址"))

找到 hex_md5函数的位置，缺啥补啥即可

运行就能得到结果：

接下来是分析time：
很明显，time的结果就是 encrypt(time)

代码测试：

接下来是分析key：

[JavaScript] 纯文本查看 复制代码

Il1liiI = l11llIl[I1Il1i1I(0x303, '**7N')](sign, l11llIl[I1Il1i1I(0x88e, 'irmS')](hex_md5, l11llIl[I1Il1i1I(0x348, 'uRzI')](ili11II, url)))

控制台输出：

l11llIl[I1Il1i1I(0x303, '**7N')](sign, l11llIl[I1Il1i1I(0x88e, 'irmS')](hex_md5, l11llIl[I1Il1i1I(0x348, 'uRzI')](ili11II, url))) 的结果：sign(l11llIl[I1Il1i1I(0x88e, 'irmS')](hex_md5, l11llIl[I1Il1i1I(0x348, 'uRzI')](ili11II, url)))
编写代码：

关键的js代码：

[JavaScript] 纯文本查看 复制代码

function run() {
    encrypted_url = encrypt("原视频地址")
    time = Date['now']()
    encrypted_time = encrypt(time)
    key = encrypt(sign(hex_md5(time+"原视频地址")))
    return [encrypted_url, encrypted_time, key]
}

编写主函数：

[Python] 纯文本查看 复制代码

import requests
import subprocess
from functools import partial
subprocess.Popen = partial(subprocess.Popen, encoding="utf-8")
import execjs

base_url = '请求的网址'

headers = {
    "authority": "",
    "method": "POST",
    "path": "/xmflv.js",
    "scheme": "https",
    "accept": "application/json, text/javascript, */*; q=0.01",
    "accept-encoding": "gzip, deflate, br, zstd",
    "accept-language": "zh-CN,zh;q=0.9",
    "cache-control": "no-cache",
    "content-length": "549",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
    "origin": "",
    "pragma": "no-cache",
    "priority": "u=1, i",
    "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"Windows\"",
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "cross-site",
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
}

with open("main.js") as f:
    jscode = f.read()

js = execjs.compile(jscode)

result = js.call("run")
print(result)
payload = {
    'wap': 0,
    'url': result[0],
    'time': result[1],
    'key': result[2]
}

res = requests.post(base_url, headers=headers, data=payload)
print(res.text)

运行成功图示：得到的就是我们那个图片以文本文件打开显示的内容

补充!!!
鉴于评论区一位大佬给出的代码，再结合自己的理解和复现

加密函数:

[JavaScript] 纯文本查看 复制代码

const CryptoJS = require('crypto-js')

function generateRandom13Number() {
    return Math.floor(Math.random() * 9e12) + 1e12;
}

function signCoen(input) {
    const str = generateRandom13Number() + 'TG:@XMFLV' + input + generateRandom13Number();
    return [...str].map(c => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}

function encrypt(input_string) {

    char_set = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-=+"
    random_index = Math['floor']((Math['random']() * 65))
    random_char = char_set[random_index]
    secret_key = '54473a584d464c56'

    hash_key = CryptoJS.MD5(secret_key + random_char)


    hash_key = String(hash_key).substr(random_index % 8, 7);
    input_string = btoa(input_string)

    encrypted_string = ''
    new_index = 0
    hash_index = 0
    for (iIill11l = 0; iIill11l < 60; iIill11l++) {
        hash_index = hash_index === hash_key['length'] ? 0 : hash_index
        new_index = (random_index + char_set['indexOf'](input_string[iIill11l]) + hash_key[hash_index++]['charCodeAt'](0)) % 64
        encrypted_string += char_set[new_index];
    }
    return signCoen(encodeURI(random_char + encrypted_string))
}

console.log(encrypt('###'))

[JavaScript] 纯文本查看 复制代码

const CryptoJS = require('crypto-js')

function decrypt(iliiIiii, ill1lII, iil1IIII) {
    let i1i1i1lI = CryptoJS['AES']['decrypt'](iliiIiii, CryptoJS['enc']['Utf8']['parse'](ill1lII), {
        'iv': CryptoJS['enc']['Utf8']['parse'](iil1IIII),
        'mode': CryptoJS['mode']['CBC'],
        'padding': CryptoJS['pad']['Pkcs7']
    });
    return i1i1i1lI.toString(CryptoJS.enc.Utf8)
}

function run(url, aes_key, aes_iv){
    return decrypt(url, aes_key, aes_iv)
}

主函数:

[Python] 纯文本查看 复制代码

import json
import requests
import subprocess
from functools import partial
subprocess.Popen = partial(subprocess.Popen, encoding="utf-8")
import execjs

base_url = '请求的网址'

headers = {
    "authority": "",
    "method": "POST",
    "path": "/xmflv.js",
    "scheme": "https",
    "accept": "application/json, text/javascript, */*; q=0.01",
    "accept-encoding": "gzip, deflate, br, zstd",
    "accept-language": "zh-CN,zh;q=0.9",
    "cache-control": "no-cache",
    "content-length": "549",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
    "origin": "",
    "pragma": "no-cache",
    "priority": "u=1, i",
    "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"Windows\"",
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "cross-site",
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
}

with open("main.js") as f:
    jscode = f.read()

js = execjs.compile(jscode)

result = js.call("run")
print(result)
payload = {
    'wap': 0,
    'url': result[0],
    'time': result[1],
    'key': result[2]
}

res = requests.post(base_url, headers=headers, data=payload)
print(res.text)
json_data = res.text
json_data = json.loads(json_data)

url = json_data['url']
aes_key = json_data['aes_key']
aes_iv = json_data['aes_iv']


with open("main2.js") as f:
    jscode = f.read()

js = execjs.compile(jscode)

result = js.call("run", url, aes_key, aes_iv)

print(result)

整个过程就是这样，有不足之处请各位大佬指出，今天的分享就到这里！

漁滒 · 发表于 2025-4-7 08:45

上周我也刚看了下

请求函数

[Python] 纯文本查看 复制代码

    data = {
        'wap': '1',
        'url': parse.quote(url, safe=''),
        'time': str(int(time.time()))
    }
    sign = MD5.new((data['time'] + data['url']).encode()).hexdigest()
    crypto = AES.new(key=MD5.new(sign.encode()).hexdigest().encode(), mode=AES.MODE_CBC, iv=b'3cccf88181408f19')
    data['key'] = base64.b64encode(crypto.encrypt(sign.encode())).decode()
    data['url'] = encrypt(data['url'])
    data['time'] = encrypt(data['time'])
    data['key'] = encrypt(data['key'])
    response = requests.post('https://xxxxxxxx/xmflv.js', data=data, headers={'origin': 'https://xxxxxxxxx'}).json()
    crypto = AES.new(key=response['aes_key'].encode(), mode=AES.MODE_CBC, iv=response['aes_iv'].encode())
    m3u8_url = Padding.unpad(crypto.decrypt(base64.b64decode(response['url'].encode())), AES.block_size).decode()

加密函数

[Python] 纯文本查看 复制代码

    def encrypt(input_string):
        char_set = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-=+"
        random_index = random.randint(1, 60)
        random_char = char_set[random_index]
        secret_key = '54473a584d464c56'
        hash_key = MD5.new((secret_key + random_char).encode()).hexdigest()
        hash_key = hash_key[random_index % 8: (random_index % 8) + (random_index % 8) + 7]
        encoded_string = base64.b64encode(input_string.encode()).decode()
        encrypted_string = ''
        hash_index = 0
        for i in range(len(encoded_string)):
            hash_index = 0 if hash_index == len(hash_key) else hash_index
            new_index = (random_index + char_set.index(encoded_string[i]) + ord(hash_key[hash_index])) % 64
            hash_index += 1
            encrypted_string += char_set[new_index]
        timestamp = str(int(time.time() * 1000))
        result_string = timestamp + "TG:@XMFLV" + random_char + encrypted_string + timestamp
        return result_string.encode().hex()

qq5309 · 发表于 2025-4-7 00:13

大佬工具分享下

asone917 · 发表于 2025-4-7 00:17

qq5309 发表于 2025-4-7 00:13
大佬工具分享下

https://github.com/cilame/v_jstools

laozhang4201 · 发表于 2025-4-7 05:52

学习学习。

imhanserok · 发表于 2025-4-7 07:08

每天学习一下，开阔眼界

JacksonMa · 发表于 2025-4-7 08:18

厉害呀，膜拜大佬

jianglin45 · 发表于 2025-4-7 08:31

厉害呀，膜拜大佬

eggplant · 发表于 2025-4-7 08:34

跟着大神快速入坑。

tomliu · 发表于 2025-4-7 08:48

还挺复杂, 学习到了

帐号		自动登录	找回密码
密码			注册[Register]

[Web逆向] 【js逆向】虾m视频真实地址

免费评分

免费评分