某乎搜尋資訊獲取(x-zse-96)引數JS逆向破解
網站:aHR0cHM6Ly93d3cuemhpaHUuY29tLw==
1、網頁抓包分析,找到返回資料介面與加密引數
可以看到search_v3這個就是返回資料的介面,複製對應的cURL(base)到postman進行重新請求
通過重複測試可以知道只需要三個引數就能獲取到資料(x-zse-96、x-zse-93、cookie),其中x-zse-93為固定值、cookie為身份認證資訊,只有x-zse-96為動態變化,下滑資料也能得到新的請求資訊,驗證x-zse-96為動態引數
2、加密引數破解
老一套,全域性搜尋和找堆疊都行。我直接找堆疊,查到對應的js檔案後在其中搜尋,發現有兩處符合的位置,全部打上斷點,重新整理頁面
成功在第二個位置被斷住,分析引數資訊
signature: a()(l()(s))
y = E.signature;
h.set("x-zse-96", "2.0_" + y)
由上可以看出 x-zse-96 的值就是 "2.0_" 加上 signature,接下來打上斷點分析signature的生成
具體為兩次加密:先使用l()函式對s加密,然後使用a()函式對第一次加密後的值再加密;s則由以下幾個引數拼接而來
r: 對應版本
c: 請求url後半段
i: uuid + 時間戳
此處不想扣程式碼的可以直接使用現成的md5實作,l()函式即為md5(嚴格來說md5是雜湊演算法而非加密)
3、扣程式碼
記一下s的值:101_3_2.0+/api/v4/search_v3?t=general&q=go&correction=1&offset=0&limit=20&filter_fields=&lc_idx=0&show_all_topics=0&search_source=Normal+"AFDeIw78aBOPTrv9RWbHmw_h9YqQp_-2nok=|1626242911" 方便後面進行比較
進入l()函式,跳到一個新的位置,發現這個函式在一個大函式裡面。那麼使用全域性思想,將整個大函式全扣下來,然後呼叫中間的函式就行。
var md5 = function(e, t, n) { var r; return function(i) { "use strict"; function o(e, t) { var n = (65535 & e) + (65535 & t); return (e >> 16) + (t >> 16) + (n >> 16) << 16 | 65535 & n } function a(e, t, n, r, i, a) { return o((c = o(o(t, e), o(r, a))) << (u = i) | c >>> 32 - u, n); var c, u } function c(e, t, n, r, i, o, c) { return a(t & n | ~t & r, e, t, i, o, c) } function u(e, t, n, r, i, o, c) { return a(t & r | n & ~r, e, t, i, o, c) } function s(e, t, n, r, i, o, c) { return a(t ^ n ^ r, e, t, i, o, c) } function l(e, t, n, r, i, o, c) { return a(n ^ (t | ~r), e, t, i, o, c) } function d(e, t) { var n, r, i, a, d; e[t >> 5] |= 128 << t % 32, e[14 + (t + 64 >>> 9 << 4)] = t; var f = 1732584193 , p = -271733879 , h = -1732584194 , b = 271733878; for (n = 0; n < e.length; n += 16) r = f, i = p, a = h, d = b, f = c(f, p, h, b, e[n], 7, -680876936), b = c(b, f, p, h, e[n + 1], 12, -389564586), h = c(h, b, f, p, e[n + 2], 17, 606105819), p = c(p, h, b, f, e[n + 3], 22, -1044525330), f = c(f, p, h, b, e[n + 4], 7, -176418897), b = c(b, f, p, h, e[n + 5], 12, 1200080426), h = c(h, b, f, p, e[n + 6], 17, -1473231341), p = c(p, h, b, f, e[n + 7], 22, -45705983), f = c(f, p, h, b, e[n + 8], 7, 1770035416), b = c(b, f, p, h, e[n + 9], 12, -1958414417), h = c(h, b, f, p, e[n + 10], 17, -42063), p = c(p, h, b, f, e[n + 11], 22, -1990404162), f = c(f, p, h, b, e[n + 12], 7, 1804603682), b = c(b, f, p, h, e[n + 13], 12, -40341101), h = c(h, b, f, p, e[n + 14], 17, -1502002290), f = u(f, p = c(p, h, b, f, e[n + 15], 22, 1236535329), h, b, e[n + 1], 5, -165796510), b = u(b, f, p, h, e[n + 6], 9, -1069501632), h = u(h, b, f, p, e[n + 11], 14, 643717713), p = u(p, h, b, f, e[n], 20, -373897302), f = u(f, p, h, b, e[n + 5], 5, -701558691), b = u(b, f, p, h, e[n + 10], 9, 38016083), h = u(h, b, f, p, e[n + 15], 14, -660478335), p = u(p, h, b, f, e[n + 4], 20, -405537848), f = u(f, p, h, b, e[n + 9], 5, 568446438), b = u(b, f, p, h, e[n + 14], 9, -1019803690), h = u(h, b, f, p, 
e[n + 3], 14, -187363961), p = u(p, h, b, f, e[n + 8], 20, 1163531501), f = u(f, p, h, b, e[n + 13], 5, -1444681467), b = u(b, f, p, h, e[n + 2], 9, -51403784), h = u(h, b, f, p, e[n + 7], 14, 1735328473), f = s(f, p = u(p, h, b, f, e[n + 12], 20, -1926607734), h, b, e[n + 5], 4, -378558), b = s(b, f, p, h, e[n + 8], 11, -2022574463), h = s(h, b, f, p, e[n + 11], 16, 1839030562), p = s(p, h, b, f, e[n + 14], 23, -35309556), f = s(f, p, h, b, e[n + 1], 4, -1530992060), b = s(b, f, p, h, e[n + 4], 11, 1272893353), h = s(h, b, f, p, e[n + 7], 16, -155497632), p = s(p, h, b, f, e[n + 10], 23, -1094730640), f = s(f, p, h, b, e[n + 13], 4, 681279174), b = s(b, f, p, h, e[n], 11, -358537222), h = s(h, b, f, p, e[n + 3], 16, -722521979), p = s(p, h, b, f, e[n + 6], 23, 76029189), f = s(f, p, h, b, e[n + 9], 4, -640364487), b = s(b, f, p, h, e[n + 12], 11, -421815835), h = s(h, b, f, p, e[n + 15], 16, 530742520), f = l(f, p = s(p, h, b, f, e[n + 2], 23, -995338651), h, b, e[n], 6, -198630844), b = l(b, f, p, h, e[n + 7], 10, 1126891415), h = l(h, b, f, p, e[n + 14], 15, -1416354905), p = l(p, h, b, f, e[n + 5], 21, -57434055), f = l(f, p, h, b, e[n + 12], 6, 1700485571), b = l(b, f, p, h, e[n + 3], 10, -1894986606), h = l(h, b, f, p, e[n + 10], 15, -1051523), p = l(p, h, b, f, e[n + 1], 21, -2054922799), f = l(f, p, h, b, e[n + 8], 6, 1873313359), b = l(b, f, p, h, e[n + 15], 10, -30611744), h = l(h, b, f, p, e[n + 6], 15, -1560198380), p = l(p, h, b, f, e[n + 13], 21, 1309151649), f = l(f, p, h, b, e[n + 4], 6, -145523070), b = l(b, f, p, h, e[n + 11], 10, -1120210379), h = l(h, b, f, p, e[n + 2], 15, 718787259), p = l(p, h, b, f, e[n + 9], 21, -343485551), f = o(f, r), p = o(p, i), h = o(h, a), b = o(b, d); return [f, p, h, b] } function f(e) { var t, n = "", r = 32 * e.length; for (t = 0; t < r; t += 8) n += String.fromCharCode(e[t >> 5] >>> t % 32 & 255); return n } function p(e) { var t, n = []; for (n[(e.length >> 2) - 1] = void 0, t = 0; t < n.length; t += 1) n[t] = 
0; var r = 8 * e.length; for (t = 0; t < r; t += 8) n[t >> 5] |= (255 & e.charCodeAt(t / 8)) << t % 32; return n } function h(e) { var t, n, r = ""; for (n = 0; n < e.length; n += 1) t = e.charCodeAt(n), r += "0123456789abcdef".charAt(t >>> 4 & 15) + "0123456789abcdef".charAt(15 & t); return r } function b(e) { return unescape(encodeURIComponent(e)) } function v(e) { return function(e) { return f(d(p(e), 8 * e.length)) }(b(e)) } function O(e, t) { return function(e, t) { var n, r, i = p(e), o = [], a = []; for (o[15] = a[15] = void 0, i.length > 16 && (i = d(i, 8 * e.length)), n = 0; n < 16; n += 1) o[n] = 909522486 ^ i[n], a[n] = 1549556828 ^ i[n]; return r = d(o.concat(p(t)), 512 + 8 * t.length), f(d(a.concat(r), 640)) }(b(e), b(t)) } function g(e, t, n) { return t ? n ? O(t, e) : h(O(t, e)) : n ? v(e) : h(v(e)) } return g /* void 0 === (r = function() { return g } .call(t, n, t, e)) || (e.exports = r) */ }() }
測試一下:
可以看到確實為md5加密,接下來分析a()函式,同理也是全域性思想
此處比較重要的一點是此函式需要進行引數的傳入
可以看到此函式是這個樣子的,打上斷點分析引數,將引數傳進去
加密看下效果:
一致,完成。
結果:
總結
全域性思想:很多函式內部的函式很不好扣,或者說一扣起來就得扣半天,此時使用全域性思想就好很多