吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 2679|回复: 55
收起左侧

[Web逆向] 【js逆向】虾m视频真实地址

  [复制链接]
asone917 发表于 2025-4-6 21:23
本帖最后由 asone917 于 2025-4-7 12:20 编辑

本文章中所有内容仅供学习交流使用,不用于其他任何目的,不提供完整代码,抓包内容、敏感网址、数据接口等均已做脱敏处理,严禁用于商业用途和非法用途,否则由此产生的一切后果均与作者无关.本文章未经许可禁止转载,禁止任何修改后二次传播,擅自使用本文讲解的技术而导致的任何意外,作者均不负责

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
目标网址aHR0cHM6Ly9qeC54bWZsdi5jb20vP3VybD1odHRwczovL3YucXEuY29tL3gvY292ZXIvbXpjMDAyMDB1OHZmemN6Lmh0bWw=
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


感谢各位大佬的观看,我是菜鸟,新手上路,在某同学的忽悠下入坑js逆向,请多指教

f12,输入网址后回车,点击xhr查看数据包:
要分析的是这个,它发的是post请求,但是得到的是一张裂图,感觉有点奇怪
image.png
image.png

把图片下载下来以txt文件打开查看内容
image.png

查看载荷,要求解的加密参数有三个url,time,key
image.png

全局搜索 'key':
image.png

进来,发现请求载荷参数生成的位置:
image.png


wap是固定值,不用管
先求解url,断点刷新网页调试


括号里面的url是视频的原地址
image.png

F9进来,复制整个文件的代码,利用工具解ob混淆
image.png

image.png


把代码复制下来

image.png
[JavaScript] 纯文本查看 复制代码
console.log(encrypt("原视频地址"))


image.png

找到 hex_md5函数的位置,缺啥补啥即可
image.png

image.png
image.png

运行就能得到结果:
image.png


接下来是分析time:
很明显,time的结果就是 encrypt(time)
image.png
image.png


代码测试:
image.png



接下来是分析key:
image.png

[JavaScript] 纯文本查看 复制代码
Il1liiI = l11llIl[I1Il1i1I(0x303, '**7N')](sign, l11llIl[I1Il1i1I(0x88e, 'irmS')](hex_md5, l11llIl[I1Il1i1I(0x348, 'uRzI')](ili11II, url)))


控制台输出:
image.png
l11llIl[I1Il1i1I(0x303, '**7N')](sign, l11llIl[I1Il1i1I(0x88e, 'irmS')](hex_md5, l11llIl[I1Il1i1I(0x348, 'uRzI')](ili11II, url))) 的结果:sign(l11llIl[I1Il1i1I(0x88e, 'irmS')](hex_md5, l11llIl[I1Il1i1I(0x348, 'uRzI')](ili11II, url)))
编写代码:
image.png

关键的js代码:
[JavaScript] 纯文本查看 复制代码
function run() {
    encrypted_url = encrypt("原视频地址")
    time = Date['now']()
    encrypted_time = encrypt(time)
    key = encrypt(sign(hex_md5(time+"原视频地址")))
    return [encrypted_url, encrypted_time, key]
}



编写主函数:
[Python] 纯文本查看 复制代码
import requests
import subprocess
from functools import partial
subprocess.Popen = partial(subprocess.Popen, encoding="utf-8")
import execjs

base_url = '请求的网址'

headers = {
    "authority": "",
    "method": "POST",
    "path": "/xmflv.js",
    "scheme": "https",
    "accept": "application/json, text/javascript, */*; q=0.01",
    "accept-encoding": "gzip, deflate, br, zstd",
    "accept-language": "zh-CN,zh;q=0.9",
    "cache-control": "no-cache",
    "content-length": "549",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
    "origin": "",
    "pragma": "no-cache",
    "priority": "u=1, i",
    "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"Windows\"",
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "cross-site",
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
}

with open("main.js") as f:
    jscode = f.read()

js = execjs.compile(jscode)

result = js.call("run")
print(result)
payload = {
    'wap': 0,
    'url': result[0],
    'time': result[1],
    'key': result[2]
}

res = requests.post(base_url, headers=headers, data=payload)
print(res.text)


运行成功图示:得到的就是我们那个图片以文本文件打开显示的内容

image.png

补充!!!
鉴于评论区一位大佬给出的代码,再结合自己的理解和复现


加密函数:
[JavaScript] 纯文本查看 复制代码
const CryptoJS = require('crypto-js')

function generateRandom13Number() {
    return Math.floor(Math.random() * 9e12) + 1e12;
}

function signCoen(input) {
    const str = generateRandom13Number() + 'TG:@XMFLV' + input + generateRandom13Number();
    return [...str].map(c => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}

function encrypt(input_string) {

    char_set = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-=+"
    random_index = Math['floor']((Math['random']() * 65))
    random_char = char_set[random_index]
    secret_key = '54473a584d464c56'

    hash_key = CryptoJS.MD5(secret_key + random_char)


    hash_key = String(hash_key).substr(random_index % 8, 7);
    input_string = btoa(input_string)

    encrypted_string = ''
    new_index = 0
    hash_index = 0
    for (iIill11l = 0; iIill11l < 60; iIill11l++) {
        hash_index = hash_index === hash_key['length'] ? 0 : hash_index
        new_index = (random_index + char_set['indexOf'](input_string[iIill11l]) + hash_key[hash_index++]['charCodeAt'](0)) % 64
        encrypted_string += char_set[new_index];
    }
    return signCoen(encodeURI(random_char + encrypted_string))
}

console.log(encrypt('###'))




[JavaScript] 纯文本查看 复制代码
const CryptoJS = require('crypto-js')

function decrypt(iliiIiii, ill1lII, iil1IIII) {
    let i1i1i1lI = CryptoJS['AES']['decrypt'](iliiIiii, CryptoJS['enc']['Utf8']['parse'](ill1lII), {
        'iv': CryptoJS['enc']['Utf8']['parse'](iil1IIII),
        'mode': CryptoJS['mode']['CBC'],
        'padding': CryptoJS['pad']['Pkcs7']
    });
    return i1i1i1lI.toString(CryptoJS.enc.Utf8)
}

function run(url, aes_key, aes_iv){
    return decrypt(url, aes_key, aes_iv)
}



主函数:
[Python] 纯文本查看 复制代码
import json
import requests
import subprocess
from functools import partial
subprocess.Popen = partial(subprocess.Popen, encoding="utf-8")
import execjs

base_url = '请求的网址'

headers = {
    "authority": "",
    "method": "POST",
    "path": "/xmflv.js",
    "scheme": "https",
    "accept": "application/json, text/javascript, */*; q=0.01",
    "accept-encoding": "gzip, deflate, br, zstd",
    "accept-language": "zh-CN,zh;q=0.9",
    "cache-control": "no-cache",
    "content-length": "549",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
    "origin": "",
    "pragma": "no-cache",
    "priority": "u=1, i",
    "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"Windows\"",
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "cross-site",
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
}

with open("main.js") as f:
    jscode = f.read()

js = execjs.compile(jscode)

result = js.call("run")
print(result)
payload = {
    'wap': 0,
    'url': result[0],
    'time': result[1],
    'key': result[2]
}

res = requests.post(base_url, headers=headers, data=payload)
print(res.text)
json_data = res.text
json_data = json.loads(json_data)

url = json_data['url']
aes_key = json_data['aes_key']
aes_iv = json_data['aes_iv']


with open("main2.js") as f:
    jscode = f.read()

js = execjs.compile(jscode)

result = js.call("run", url, aes_key, aes_iv)

print(result)




整个过程就是这样,有不足之处请各位大佬指出,今天的分享就到这里!



免费评分

参与人数 22威望 +1 吾爱币 +42 热心值 +18 收起 理由
gs2003 + 1 + 1 谢谢@Thanks!
beihai1314 + 1 + 1 我很赞同!
bianqi + 1 + 1 我很赞同!
flome + 1 谢谢@Thanks!
sinmu + 1 + 1 谢谢@Thanks!
KsAigg + 1 + 1 我很赞同!
scz + 1 + 1 谢谢分享
zoeblow + 1 谢谢@Thanks!
ImpJ + 1 + 1 谢谢@Thanks!
dxiaolong + 1 用心讨论,共获提升!
zaijianwukong + 1 + 1 谢谢@Thanks!
liuxuming3303 + 1 + 1 谢谢@Thanks!
yyb414 + 1 + 1 热心回复!
Qchi + 1 + 1 我很赞同!
wangxiaoqiqiqi + 1 + 1 我很赞同!
surepj + 1 + 1 用心讨论,共获提升!
lwGoodChinese + 1 我很赞同!
hHunter + 1 谢谢@Thanks!
漁滒 + 4 + 1 我很赞同!
zhoushengzhi + 1 + 1 谢谢@Thanks!
涛之雨 + 1 + 20 + 1 感谢发布原创作品,吾爱破解论坛因你更精彩!
hicesamon + 1 用心讨论,共获提升!

查看全部评分

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

漁滒 发表于 2025-4-7 08:45
上周我也刚看了下

请求函数
[Python] 纯文本查看 复制代码
    data = {
        'wap': '1',
        'url': parse.quote(url, safe=''),
        'time': str(int(time.time()))
    }
    sign = MD5.new((data['time'] + data['url']).encode()).hexdigest()
    crypto = AES.new(key=MD5.new(sign.encode()).hexdigest().encode(), mode=AES.MODE_CBC, iv=b'3cccf88181408f19')
    data['key'] = base64.b64encode(crypto.encrypt(sign.encode())).decode()
    data['url'] = encrypt(data['url'])
    data['time'] = encrypt(data['time'])
    data['key'] = encrypt(data['key'])
    response = requests.post('https://xxxxxxxx/xmflv.js', data=data, headers={'origin': 'https://xxxxxxxxx'}).json()
    crypto = AES.new(key=response['aes_key'].encode(), mode=AES.MODE_CBC, iv=response['aes_iv'].encode())
    m3u8_url = Padding.unpad(crypto.decrypt(base64.b64decode(response['url'].encode())), AES.block_size).decode()



加密函数

[Python] 纯文本查看 复制代码
    def encrypt(input_string):
        char_set = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-=+"
        random_index = random.randint(1, 60)
        random_char = char_set[random_index]
        secret_key = '54473a584d464c56'
        hash_key = MD5.new((secret_key + random_char).encode()).hexdigest()
        hash_key = hash_key[random_index % 8: (random_index % 8) + (random_index % 8) + 7]
        encoded_string = base64.b64encode(input_string.encode()).decode()
        encrypted_string = ''
        hash_index = 0
        for i in range(len(encoded_string)):
            hash_index = 0 if hash_index == len(hash_key) else hash_index
            new_index = (random_index + char_set.index(encoded_string[i]) + ord(hash_key[hash_index])) % 64
            hash_index += 1
            encrypted_string += char_set[new_index]
        timestamp = str(int(time.time() * 1000))
        result_string = timestamp + "TG:@XMFLV" + random_char + encrypted_string + timestamp
        return result_string.encode().hex()

免费评分

参与人数 3吾爱币 +5 热心值 +3 收起 理由
pwp + 3 + 1 鱼哥牛逼
surepj + 1 + 1 用心讨论,共获提升!
Carinx + 1 + 1 用心讨论,共获提升!

查看全部评分

qq5309 发表于 2025-4-7 00:13
 楼主| asone917 发表于 2025-4-7 00:17
laozhang4201 发表于 2025-4-7 05:52
学习学习。
imhanserok 发表于 2025-4-7 07:08
每天学习一下,开阔眼界
JacksonMa 发表于 2025-4-7 08:18
厉害呀,膜拜大佬
jianglin45 发表于 2025-4-7 08:31

厉害呀,膜拜大佬
eggplant 发表于 2025-4-7 08:34
跟着大神快速入坑。
tomliu 发表于 2025-4-7 08:48
还挺复杂, 学习到了
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2025-4-30 15:07

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表