标签:function xx pop sign push length var 破解
1、前面几篇文章分析了tls1.3协议,其实原子的加密算法就那么几种,基础的加密套件也就那么几种,关键是根据业务需求和目的灵活组合使用;不知道大家有没有发现一个问题:这些加密套件组合都在TCP层之上,从TCP层开始就没动过了,为啥了? 原因很简单:TCP层及以下都需要硬件支持,换句话说我们从一个节点把数据发到另一个节点,中间可能会经过大量的中转设备,常见的就是交换机和路由器了;这些硬件设备都是按照网络标准设计和制造的。如果我们自己擅自更改TCP层及以下的数据包内容、甚至格式,可能会让这些网络设备识别不了,导致数据包被丢弃! 所以现在所有的加密套件针对的都是TCP层以上的数据!
通信的三要素:(1)加密让明文变密文,就算被中间人拦截也不担心泄露关键信息 (2)身份认证,确保数据就是对方发的 (3)数据完整,没被篡改! tls1.3协议已经实现,浏览器和服务器通信时就算数据被第三方拦截,如果没有密钥,第三方也无法解密;所以现在很多外挂hook的时候一般不会再拦截中间的密文,而是等客户端收到、解密后再hook,这比解密密文容易多了!为了应对这种应用层的hook,又衍生出了应用层的保护方式:签名!
在应用层,由于需要给真正的用户展示数据,所以肯定会解密数据,这时再给数据加密已经没有意义了,只会浪费算力!那么怎么才能防止数据被第三方非法获取了?签名(原理类似数字签名)!大概的原理如下:
客户端要给服务端发送请求,肯定会带上很多参数,来标明请求的目的,比如请求商品数据?请求一些音视频? 或者是给谁点个赞? 或则是评论个啥?这些请求在应用层都是明文的,为了防止被第三方非法调用或篡改,往往会用一些关键的数据做签名,然后把签名和数据一起发给服务器;举个栗子:比如请求参数ts=xxxx&name=xxxx&login=xxxxx¬ice=xxxx等,如果直接这样传输,第三方很容易篡改参数,然后重新发包,达到重放攻击的目的!为了防止这种攻击,目前市面上客户端(比如app、浏览器)最常见的方式就是选几个关键的字段签名,然后请求参数带上签名字段。比如上面有4个参数,选择一种签名算法(可以是hash,也可以是自创的,这种算法主要用于验证或校验,要求不高)把这些参数“加密”(本质就是做个转换),单独形成一个字段,常见的就是sign=xxxxxxx,然后把sign字段和其他参数一起拼接后发给服务器。服务器收到参数后,用同样的方法计算sign字段,如果和客户端发过来的一样,说明没有被篡改(和数字签名的本质是一样的;当然这里是可以破解的,很多黑产就利用了这点),服务器随机返回客户端需要的数据;截至目前,据作者本人逆向的app客户端和很多web站点而言,都会对重要的参数加上签名,包括x音、某宝、并夕夕、某东等都是如此!为了防止这种签名算法被破解,app客户端做了大量的防护工作,android方面最典型的就是:(1)java层变量、类、方法名称混淆 (2)so层加密; windows的客户端也会采取加壳、反调试等方式增加逆向分析和复原签名算法的难度!为了便于理解这种算法的核心思路,这里先找个“软柿子”试试:xx音乐!
2、打开xx音乐的歌手列表,效果如下:标红的这个接口是返回所有歌手列表的接口。如果爬虫想要遍历爬取xx音乐的所有歌曲,第一步就需要遍历所有歌手列表,得到singer_mid的值,后续才能继续进入歌手自己的主页,找到该歌手的所有歌曲!
既然是http接口,就要遵从http协议!http请求头如下:
:authority: xxxxxxxx :method: GET :path: /cgi-bin/musics.fcg?-=getUCGI5650218101004765&g_tk=5381&sign=zzax2nhlf4kqqx2f3fef04bda3a286eeb40136f6b80f4a&loginUin=0&hostUin=0&format=json&inCharset=utf8&outCharset=utf-8¬ice=0&platform=yqq.json&needNewCode=0&data=%7B%22comm%22%3A%7B%22ct%22%3A24%2C%22cv%22%3A0%7D%2C%22singerList%22%3A%7B%22module%22%3A%22Music.SingerListServer%22%2C%22method%22%3A%22get_singer_list%22%2C%22param%22%3A%7B%22area%22%3A-100%2C%22sex%22%3A-100%2C%22genre%22%3A-100%2C%22index%22%3A-100%2C%22sin%22%3A0%2C%22cur_page%22%3A1%7D%7D%7D :scheme: https accept: application/json, text/javascript, */*; q=0.01 accept-encoding: gzip, deflate, br accept-language: zh-CN,zh;q=0.9,en;q=0.8 cookie: _ga=GA1.2.148670794.1595925440; ied_qq=o1595205151; o_cookie=1595205151; pac_uid=1_1595205151; pgv_pvi=7010615296; pgv_pvid=5315621604; ptcz=57a0d6f0ef5ebec6de37f6bf2b32743731a808df842a36fd3c18839f8f2b6dcb; RK=SkgxEIVsRA; tvfe_boss_uuid=e66e71c1405d1b04; XWINDEXGREY=0; ptui_loginuin=3382604797; iip=1; ts_uid=4018853478; userAction=1; yqq_stat=0; pgv_info=ssid=s3722110056; ts_last=y.qq.com/portal/singer_list.html origin: https://xxxxxxx referer: https://xxxxxx/ sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99" sec-ch-ua-mobile: ?0 sec-fetch-dest: empty sec-fetch-mode: cors sec-fetch-site: same-site user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
从这里看,没啥特别的,都是按照http协议要求构造的“废话”,对于逆向人员而言,没啥特殊的价值(由于需要符合http协议,这些字段都是固定的,否则服务端无法解析,所以这里也没有啥大的扩展空间)!继续看query string参数,如下:
-: getUCGI5650218101004765
g_tk: 5381
sign: zzax2nhlf4kqqx2f3fef04bda3a286eeb40136f6b80f4a
loginUin: 0
hostUin: 0
format: json
inCharset: utf8
outCharset: utf-8
notice: 0
platform: yqq.json
needNewCode: 0
data: {"comm":{"ct":24,"cv":0},"singerList":{"module":"Music.SingerListServer","method":"get_singer_list","param":{"area":-100,"sex":-100,"genre":-100,"index":-100,"sin":0,"cur_page":1}}}
这个接口请求最大的猫腻就在这里了:有个字段叫sign,取值看着很奇怪,一点都不像普通的字符串或数字,正常人都无法理解其含义,“事出反常必有妖”!这个字段是干什么的了?截至目前我也不知道,干脆去掉这个sign字段再请求一下服务器,看看服务器都返回了啥,如下:原先返回的歌手列表都没了,只有这么3个字段,这个code应该是个错误码,ts是时间!
重新带上这个sign字段,服务器又能返回歌手列表了!
所以这里的sign字段作用就很明显了:浏览器带上这个sign才能通过服务器的认证鉴权,否则直接返回错误!自己写爬虫爬关键数据,当然是需要动态生成这个sign字段了,现在最核心的问题来了:这个sign字段是怎么生成的了?sign字段是在URL中被作为参数的字段之一,那么肯定有生成sign字段、并且和其他字段拼接起来的地方!浏览这边干这种活的一般都是js代码,所以直接在chrome中用“sign=”作为关键词搜索,结果如下: 
这里很明显实在生成sign字段,并且和其他字段拼接;为了确认我们的猜测,可以在这样代码这里下断点,然后刷新页面,可以看到这里的r.data.data就是请求参数里面的data字段的内容;也就是说:整个请求的字段中,js代码会调用getSecuritySign方法对data字段进行处理,生成一段人看不懂的密文sign;那么getSecuritySign方法又是怎么实现的了?
选择getSecuritySign方法,点击step into,来到getSecuritySign方法内部,我这里直接复制了,如下(这个函数里面有个时间20200305,貌似是去年3月份写的):
!function(n, t) {
"object" == typeof exports && "undefined" != typeof module ? module.exports = t() : "function" == typeof define && define.amd ? define(t) : (n = n || self).getSecuritySign = t()
}(this, function() {
"use strict";
var n = function() {
if ("undefined" != typeof self)
return self;
if ("undefined" != typeof window)
return window;
if ("undefined" != typeof global)
return global;
throw new Error("unable to locate global object")
}();
n.__sign_hash_20200305 = function(n) {
function l(n, t) {
var o = (65535 & n) + (65535 & t);
return (n >> 16) + (t >> 16) + (o >> 16) << 16 | 65535 & o
}
function r(n, t, o, e, u, p) {
return l((i = l(l(t, n), l(e, p))) << (r = u) | i >>> 32 - r, o);
var i, r
}
function g(n, t, o, e, u, p, i) {
return r(t & o | ~t & e, n, t, u, p, i)
}
function a(n, t, o, e, u, p, i) {
return r(t & e | o & ~e, n, t, u, p, i)
}
function s(n, t, o, e, u, p, i) {
return r(t ^ o ^ e, n, t, u, p, i)
}
function v(n, t, o, e, u, p, i) {
return r(o ^ (t | ~e), n, t, u, p, i)
}
function t(n) {
return function(n) {
var t, o = "";
for (t = 0; t < 32 * n.length; t += 8)
o += String.fromCharCode(n[t >> 5] >>> t % 32 & 255);
return o
}(function(n, t) {
n[t >> 5] |= 128 << t % 32,
n[14 + (t + 64 >>> 9 << 4)] = t;
var o, e, u, p, i, r = 1732584193, f = -271733879, h = -1732584194, c = 271733878;
for (o = 0; o < n.length; o += 16)
r = g(e = r, u = f, p = h, i = c, n[o], 7, -680876936),
c = g(c, r, f, h, n[o + 1], 12, -389564586),
h = g(h, c, r, f, n[o + 2], 17, 606105819),
f = g(f, h, c, r, n[o + 3], 22, -1044525330),
r = g(r, f, h, c, n[o + 4], 7, -176418897),
c = g(c, r, f, h, n[o + 5], 12, 1200080426),
h = g(h, c, r, f, n[o + 6], 17, -1473231341),
f = g(f, h, c, r, n[o + 7], 22, -45705983),
r = g(r, f, h, c, n[o + 8], 7, 1770035416),
c = g(c, r, f, h, n[o + 9], 12, -1958414417),
h = g(h, c, r, f, n[o + 10], 17, -42063),
f = g(f, h, c, r, n[o + 11], 22, -1990404162),
r = g(r, f, h, c, n[o + 12], 7, 1804603682),
c = g(c, r, f, h, n[o + 13], 12, -40341101),
h = g(h, c, r, f, n[o + 14], 17, -1502002290),
r = a(r, f = g(f, h, c, r, n[o + 15], 22, 1236535329), h, c, n[o + 1], 5, -165796510),
c = a(c, r, f, h, n[o + 6], 9, -1069501632),
h = a(h, c, r, f, n[o + 11], 14, 643717713),
f = a(f, h, c, r, n[o], 20, -373897302),
r = a(r, f, h, c, n[o + 5], 5, -701558691),
c = a(c, r, f, h, n[o + 10], 9, 38016083),
h = a(h, c, r, f, n[o + 15], 14, -660478335),
f = a(f, h, c, r, n[o + 4], 20, -405537848),
r = a(r, f, h, c, n[o + 9], 5, 568446438),
c = a(c, r, f, h, n[o + 14], 9, -1019803690),
h = a(h, c, r, f, n[o + 3], 14, -187363961),
f = a(f, h, c, r, n[o + 8], 20, 1163531501),
r = a(r, f, h, c, n[o + 13], 5, -1444681467),
c = a(c, r, f, h, n[o + 2], 9, -51403784),
h = a(h, c, r, f, n[o + 7], 14, 1735328473),
r = s(r, f = a(f, h, c, r, n[o + 12], 20, -1926607734), h, c, n[o + 5], 4, -378558),
c = s(c, r, f, h, n[o + 8], 11, -2022574463),
h = s(h, c, r, f, n[o + 11], 16, 1839030562),
f = s(f, h, c, r, n[o + 14], 23, -35309556),
r = s(r, f, h, c, n[o + 1], 4, -1530992060),
c = s(c, r, f, h, n[o + 4], 11, 1272893353),
h = s(h, c, r, f, n[o + 7], 16, -155497632),
f = s(f, h, c, r, n[o + 10], 23, -1094730640),
r = s(r, f, h, c, n[o + 13], 4, 681279174),
c = s(c, r, f, h, n[o], 11, -358537222),
h = s(h, c, r, f, n[o + 3], 16, -722521979),
f = s(f, h, c, r, n[o + 6], 23, 76029189),
r = s(r, f, h, c, n[o + 9], 4, -640364487),
c = s(c, r, f, h, n[o + 12], 11, -421815835),
h = s(h, c, r, f, n[o + 15], 16, 530742520),
r = v(r, f = s(f, h, c, r, n[o + 2], 23, -995338651), h, c, n[o], 6, -198630844),
c = v(c, r, f, h, n[o + 7], 10, 1126891415),
h = v(h, c, r, f, n[o + 14], 15, -1416354905),
f = v(f, h, c, r, n[o + 5], 21, -57434055),
r = v(r, f, h, c, n[o + 12], 6, 1700485571),
c = v(c, r, f, h, n[o + 3], 10, -1894986606),
h = v(h, c, r, f, n[o + 10], 15, -1051523),
f = v(f, h, c, r, n[o + 1], 21, -2054922799),
r = v(r, f, h, c, n[o + 8], 6, 1873313359),
c = v(c, r, f, h, n[o + 15], 10, -30611744),
h = v(h, c, r, f, n[o + 6], 15, -1560198380),
f = v(f, h, c, r, n[o + 13], 21, 1309151649),
r = v(r, f, h, c, n[o + 4], 6, -145523070),
c = v(c, r, f, h, n[o + 11], 10, -1120210379),
h = v(h, c, r, f, n[o + 2], 15, 718787259),
f = v(f, h, c, r, n[o + 9], 21, -343485551),
r = l(r, e),
f = l(f, u),
h = l(h, p),
c = l(c, i);
return [r, f, h, c]
}(function(n) {
var t, o = [];
for (o[(n.length >> 2) - 1] = void 0,
t = 0; t < o.length; t += 1)
o[t] = 0;
for (t = 0; t < 8 * n.length; t += 8)
o[t >> 5] |= (255 & n.charCodeAt(t / 8)) << t % 32;
return o
}(n), 8 * n.length))
}
function o(n) {
return t(unescape(encodeURIComponent(n)))
}
return function(n) {
var t, o, e = "0123456789abcdef", u = "";
for (o = 0; o < n.length; o += 1)
t = n.charCodeAt(o),
u += e.charAt(t >>> 4 & 15) + e.charAt(15 & t);
return u
}(o(n))
}
,
function r(f, h, c, l, g) {
g = g || [[this], [{}]];
for (var t = [], o = null, n = [function() {
return !0
}
, function() {}
, function() {
g.length = c[h++]
}
, function() {
g.push(c[h++])
}
, function() {
g.pop()
}
, function() {
var n = c[h++]
, t = g[g.length - 2 - n];
g[g.length - 2 - n] = g.pop(),
g.push(t)
}
, function() {
g.push(g[g.length - 1])
}
, function() {
g.push([g.pop(), g.pop()].reverse())
}
, function() {
g.push([l, g.pop()])
}
, function() {
g.push([g.pop()])
}
, function() {
var n = g.pop();
g.push(n[0][n[1]])
}
, function() {
g.push(g[g.pop()[0]][0])
}
, function() {
var n = g[g.length - 2];
n[0][n[1]] = g[g.length - 1]
}
, function() {
g[g[g.length - 2][0]][0] = g[g.length - 1]
}
, function() {
var n = g.pop()
, t = g.pop();
g.push([t[0][t[1]], n])
}
, function() {
var n = g.pop();
g.push([g[g.pop()][0], n])
}
, function() {
var n = g.pop();
g.push(delete n[0][n[1]])
}
, function() {
var n = [];
for (var t in g.pop())
n.push(t);
g.push(n)
}
, function() {
g[g.length - 1].length ? g.push(g[g.length - 1].shift(), !0) : g.push(void 0, !1)
}
, function() {
var n = g[g.length - 2]
, t = Object.getOwnPropertyDescriptor(n[0], n[1]) || {
configurable: !0,
enumerable: !0
};
t.get = g[g.length - 1],
Object.defineProperty(n[0], n[1], t)
}
, function() {
var n = g[g.length - 2]
, t = Object.getOwnPropertyDescriptor(n[0], n[1]) || {
configurable: !0,
enumerable: !0
};
t.set = g[g.length - 1],
Object.defineProperty(n[0], n[1], t)
}
, function() {
h = c[h++]
}
, function() {
var n = c[h++];
g[g.length - 1] && (h = n)
}
, function() {
throw g[g.length - 1]
}
, function() {
var n = c[h++]
, t = n ? g.slice(-n) : [];
g.length -= n,
g.push(g.pop().apply(l, t))
}
, function() {
var n = c[h++]
, t = n ? g.slice(-n) : [];
g.length -= n;
var o = g.pop();
g.push(o[0][o[1]].apply(o[0], t))
}
, function() {
var n = c[h++]
, t = n ? g.slice(-n) : [];
g.length -= n,
t.unshift(null),
g.push(new (Function.prototype.bind.apply(g.pop(), t)))
}
, function() {
var n = c[h++]
, t = n ? g.slice(-n) : [];
g.length -= n,
t.unshift(null);
var o = g.pop();
g.push(new (Function.prototype.bind.apply(o[0][o[1]], t)))
}
, function() {
g.push(!g.pop())
}
, function() {
g.push(~g.pop())
}
, function() {
g.push(typeof g.pop())
}
, function() {
g[g.length - 2] = g[g.length - 2] == g.pop()
}
, function() {
g[g.length - 2] = g[g.length - 2] === g.pop()
}
, function() {
g[g.length - 2] = g[g.length - 2] > g.pop()
}
, function() {
g[g.length - 2] = g[g.length - 2] >= g.pop()
}
, function() {
g[g.length - 2] = g[g.length - 2] << g.pop()
}
, function() {
g[g.length - 2] = g[g.length - 2] >> g.pop()
}
, function() {
g[g.length - 2] = g[g.length - 2] >>> g.pop()
}
, function() {
g[g.length - 2] = g[g.length - 2] + g.pop()
}
, function() {
g[g.length - 2] = g[g.length - 2] - g.pop()
}
, function() {
g[g.length - 2] = g[g.length - 2] * g.pop()
}
, function() {
g[g.length - 2] = g[g.length - 2] / g.pop()
}
, function() {
g[g.length - 2] = g[g.length - 2] % g.pop()
}
, function() {
g[g.length - 2] = g[g.length - 2] | g.pop()
}
, function() {
g[g.length - 2] = g[g.length - 2] & g.pop()
}
, function() {
g[g.length - 2] = g[g.length - 2] ^ g.pop()
}
, function() {
g[g.length - 2] = g[g.length - 2]in g.pop()
}
, function() {
g[g.length - 2] = g[g.length - 2]instanceof g.pop()
}
, function() {
g[g[g.length - 1][0]] = void 0 === g[g[g.length - 1][0]] ? [] : g[g[g.length - 1][0]]
}
, function() {
for (var e = c[h++], u = [], n = c[h++], t = c[h++], p = [], o = 0; o < n; o++)
u[c[h++]] = g[c[h++]];
for (var i = 0; i < t; i++)
p[i] = c[h++];
g.push(function n() {
var t = u.slice(0);
t[0] = [this],
t[1] = [arguments],
t[2] = [n];
for (var o = 0; o < p.length && o < arguments.length; o++)
0 < p[o] && (t[p[o]] = [arguments[o]]);
return r(f, e, c, l, t)
})
}
, function() {
t.push([c[h++], g.length, c[h++]])
}
, function() {
t.pop()
}
, function() {
return !!o
}
, function() {
o = null
}
, function() {
g[g.length - 1] += String.fromCharCode(c[h++])
}
, function() {
g.push("")
}
, function() {
g.push(void 0)
}
, function() {
g.push(null)
}
, function() {
g.push(!0)
}
, function() {
g.push(!1)
}
, function() {
g.length -= c[h++]
}
, function() {
g[g.length - 1] = c[h++]
}
, function() {
var n = g.pop()
, t = g[g.length - 1];
t[0][t[1]] = g[n[0]][0]
}
, function() {
var n = g.pop()
, t = g[g.length - 1];
t[0][t[1]] = n[0][n[1]]
}
, function() {
var n = g.pop()
, t = g[g.length - 1];
g[t[0]][0] = g[n[0]][0]
}
, function() {
var n = g.pop()
, t = g[g.length - 1];
g[t[0]][0] = n[0][n[1]]
}
, function() {
g[g.length - 2] = g[g.length - 2] < g.pop()
}
, function() {
g[g.length - 2] = g[g.length - 2] <= g.pop()
}
]; ; )
try {
for (; !n[c[h++]](); )
;
if (o)
throw o;
return g.pop()
} catch (n) {
var e = t.pop();
if (void 0 === e)
throw n;
o = n,
h = e[0],
g.length = e[1],
e[2] && (g[e[2]][0] = o)
}
}(120731, 0, [21, 34, 50, 100, 57, 50, 102, 50, 98, 99, 101, 52, 54, 97, 52, 99, 55, 56, 52, 49, 57, 54, 57, 49, 56, 98, 102, 100, 100, 48, 48, 55, 55, 102, 2, 10, 3, 2, 9, 48, 61, 3, 9, 48, 61, 4, 9, 48, 61, 5, 9, 48, 61, 6, 9, 48, 61, 7, 9, 48, 61, 8, 9, 48, 61, 9, 9, 48, 4, 21, 427, 54, 2, 15, 3, 2, 9, 48, 61, 3, 9, 48, 61, 4, 9, 48, 61, 5, 9, 48, 61, 6, 9, 48, 61, 7, 9, 48, 61, 8, 9, 48, 61, 9, 9, 48, 61, 10, 9, 48, 61, 11, 9, 48, 61, 12, 9, 48, 61, 13, 9, 48, 61, 14, 9, 48, 61, 10, 9, 55, 54, 97, 54, 98, 54, 99, 54, 100, 54, 101, 54, 102, 54, 103, 54, 104, 54, 105, 54, 106, 54, 107, 54, 108, 54, 109, 54, 110, 54, 111, 54, 112, 54, 113, 54, 114, 54, 115, 54, 116, 54, 117, 54, 118, 54, 119, 54, 120, 54, 121, 54, 122, 54, 48, 54, 49, 54, 50, 54, 51, 54, 52, 54, 53, 54, 54, 54, 55, 54, 56, 54, 57, 13, 4, 61, 11, 9, 55, 54, 77, 54, 97, 54, 116, 54, 104, 8, 55, 54, 102, 54, 108, 54, 111, 54, 111, 54, 114, 14, 55, 54, 77, 54, 97, 54, 116, 54, 104, 8, 55, 54, 114, 54, 97, 54, 110, 54, 100, 54, 111, 54, 109, 14, 25, 0, 3, 4, 9, 11, 3, 3, 9, 11, 39, 3, 1, 38, 40, 3, 3, 9, 11, 38, 25, 1, 13, 4, 61, 12, 9, 55, 13, 4, 61, 13, 9, 3, 0, 13, 4, 4, 3, 13, 9, 11, 3, 11, 9, 11, 66, 22, 306, 4, 21, 422, 24, 4, 3, 14, 9, 55, 54, 77, 54, 97, 54, 116, 54, 104, 8, 55, 54, 102, 54, 108, 54, 111, 54, 111, 54, 114, 14, 55, 54, 77, 54, 97, 54, 116, 54, 104, 8, 55, 54, 114, 54, 97, 54, 110, 54, 100, 54, 111, 54, 109, 14, 25, 0, 3, 10, 9, 55, 54, 108, 54, 101, 54, 110, 54, 103, 54, 116, 54, 104, 15, 10, 40, 25, 1, 13, 4, 61, 12, 9, 6, 11, 3, 10, 9, 3, 14, 9, 11, 15, 10, 38, 13, 4, 61, 13, 9, 6, 11, 6, 5, 1, 5, 0, 3, 1, 38, 13, 4, 61, 0, 5, 0, 43, 4, 21, 291, 61, 3, 12, 9, 11, 0, 3, 9, 9, 49, 72, 0, 2, 3, 4, 13, 4, 61, 8, 9, 21, 721, 3, 2, 8, 3, 2, 9, 48, 61, 3, 9, 48, 61, 4, 9, 48, 61, 5, 9, 48, 61, 6, 9, 48, 61, 7, 9, 48, 4, 55, 54, 115, 54, 101, 54, 108, 54, 102, 8, 10, 30, 55, 54, 117, 54, 110, 54, 100, 54, 101, 54, 102, 54, 105, 54, 110, 54, 101, 54, 100, 32, 28, 22, 510, 4, 21, 523, 22, 4, 55, 54, 115, 54, 101, 54, 108, 54, 102, 8, 10, 0, 55, 54, 119, 54, 105, 54, 110, 54, 100, 54, 111, 54, 119, 8, 10, 30, 55, 54, 117, 54, 110, 54, 100, 54, 101, 54, 102, 54, 105, 54, 110, 54, 101, 54, 100, 32, 28, 22, 566, 4, 21, 583, 3, 4, 55, 54, 119, 54, 105, 54, 110, 54, 100, 54, 111, 54, 119, 8, 10, 0, 55, 54, 103, 54, 108, 54, 111, 54, 98, 54, 97, 54, 108, 8, 10, 30, 55, 54, 117, 54, 110, 54, 100, 54, 101, 54, 102, 54, 105, 54, 110, 54, 101, 54, 100, 32, 28, 22, 626, 4, 21, 643, 25, 4, 55, 54, 103, 54, 108, 54, 111, 54, 98, 54, 97, 54, 108, 8, 10, 0, 55, 54, 69, 54, 114, 54, 114, 54, 111, 54, 114, 8, 55, 54, 117, 54, 110, 54, 97, 54, 98, 54, 108, 54, 101, 54, 32, 54, 116, 54, 111, 54, 32, 54, 108, 54, 111, 54, 99, 54, 97, 54, 116, 54, 101, 54, 32, 54, 103, 54, 108, 54, 111, 54, 98, 54, 97, 54, 108, 54, 32, 54, 111, 54, 98, 54, 106, 54, 101, 54, 99, 54, 116, 27, 1, 23, 56, 0, 49, 444, 0, 0, 24, 0, 13, 4, 61, 8, 9, 55, 54, 95, 54, 95, 54, 103, 54, 101, 54, 116, 54, 83, 54, 101, 54, 99, 54, 117, 54, 114, 54, 105, 54, 116, 54, 121, 54, 83, 54, 105, 54, 103, 54, 110, 15, 21, 1126, 49, 2, 14, 3, 2, 9, 48, 61, 3, 9, 48, 61, 4, 9, 48, 61, 5, 9, 48, 61, 6, 9, 48, 61, 7, 9, 48, 61, 8, 9, 48, 61, 9, 9, 48, 61, 10, 9, 48, 61, 11, 9, 48, 61, 9, 9, 55, 54, 108, 54, 111, 54, 99, 54, 97, 54, 116, 54, 105, 54, 111, 54, 110, 8, 10, 30, 55, 54, 117, 54, 110, 54, 100, 54, 101, 54, 102, 54, 105, 54, 110, 54, 101, 54, 100, 32, 28, 22, 862, 21, 932, 21, 4, 55, 54, 108, 54, 111, 54, 99, 54, 97, 54, 116, 54, 105, 54, 111, 54, 110, 8, 55, 54, 104, 54, 111, 54, 115, 54, 116, 14, 55, 54, 105, 54, 110, 54, 100, 54, 101, 54, 120, 54, 79, 54, 102, 14, 55, 54, 121, 54, 46, 54, 113, 54, 113, 54, 46, 54, 99, 54, 111, 54, 109, 25, 1, 3, 0, 3, 1, 39, 32, 22, 963, 4, 55, 54, 67, 54, 74, 54, 66, 54, 80, 54, 65, 54, 67, 54, 114, 54, 82, 54, 117, 54, 78, 54, 121, 54, 55, 21, 974, 50, 4, 3, 12, 9, 11, 3, 8, 3, 10, 24, 2, 13, 4, 61, 10, 9, 3, 13, 9, 55, 54, 95, 54, 95, 54, 115, 54, 105, 54, 103, 54, 110, 54, 95, 54, 104, 54, 97, 54, 115, 54, 104, 54, 95, 54, 50, 54, 48, 54, 50, 54, 48, 54, 48, 54, 51, 54, 48, 54, 53, 15, 10, 22, 1030, 21, 1087, 22, 4, 3, 13, 9, 55, 54, 95, 54, 95, 54, 115, 54, 105, 54, 103, 54, 110, 54, 95, 54, 104, 54, 97, 54, 115, 54, 104, 54, 95, 54, 50, 54, 48, 54, 50, 54, 48, 54, 48, 54, 51, 54, 48, 54, 53, 15, 3, 9, 9, 11, 3, 3, 9, 11, 38, 25, 1, 13, 4, 61, 11, 9, 3, 12, 9, 11, 3, 10, 3, 53, 3, 37, 39, 24, 2, 13, 4, 4, 55, 54, 122, 54, 122, 54, 97, 3, 11, 9, 11, 38, 3, 10, 9, 11, 38, 0, 49, 771, 2, 1, 12, 9, 13, 8, 3, 12, 4, 4, 56, 0], n);
var t = n.__getSecuritySign;
return delete n.__getSecuritySign,
t
});
这种代码我估计一般人看着都头晕,更别说去逐行分析了!幸运的是,服务端只看结果,不看过程!换句话说,只要我们自己能生成正确的sign字段,服务器是不会管这个sign字段是怎么来的!所以一般情况下是没必要逐行分析代码、搞清楚每行代码意义的(当然出于学习的目的,有空的小伙伴可以自己试试)!这里直接调用这段js代码,生成sign字段即可(后续搞app逆向也可以如法炮制:so层的sign函数很多时候其实没必要真正的去破解,在java层直接调用生成sign字段即可)!为了方便地执行这段js,我这里选择python,有execjs.compile可以直接执行js代码,核心python代码如下:
def get_sign(data):
with open('./get_sign.js','r',encoding='utf-8') as f:
text = f.read()
js_data = execjs.compile(text)
sign = js_data.call('get_sign',data)
return sign
把上面sign的js代码保存到同目录下的get_sign.js文件即可!更详细可以看下面参考的链接!
最后,xx音乐web界面弹窗,建议用户使用客户端,我个人猜测:客户端的防护相比浏览器要容易很多,这大概也是原因之一吧!浏览器要生成自定义的加密签名,只能依靠js,很容易被找到并调用;android客户端可以把加密的关键逻辑放到so层,然后用OLLVM混淆so的代码,增加反编译和调试的难度,比浏览器安全多了!
参考:
1、https://space.bilibili.com/343154012?spm_id_from=333.788.b_765f7570696e666f.1 爬虫
标签:function,xx,pop,sign,push,length,var,破解 来源: https://www.cnblogs.com/theseventhson/p/14643538.html
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。