文章内容仅供参考学习,禁止用于商业用途与非法用途,相关接口已经过脱敏处理,由此产生的一切后果均与作者无关,若有侵权,请联系我立即删除
前戏
今天要分析的是网站poco中的sign_code参数分析。
地址:aHR0cHM6Ly93d3cucG9jby5jbi9jYW1lcmFtYW4vcmVjb21tZW5k
接口分析
直接打开network ,刷新页面,对其我们所需要的接口进行分析
刷新两次页面,对比Fromdata中参数变化,发现ctime,time_point,sign_code发生变化
| Fromdata 关键参数 | 分析结果 |
|---|---|
| ctime | 16开头,长度为14位,疑似时间戳 |
| time_point | 与ctime前11位相同,疑似时间戳 |
| sign_code | 密文,可能与时间戳相关 |
接下来直接搜索sign_code这个关键字发现只有一处js与之相关
直接点进这个js内部进行,定位到sign_code位置
此处js代码逻辑并没有经过混淆,比较简单清晰,就是创建了一个payload对象,由此可知而其中的n参数就是我们此次的目标,而n由t()方法得出,直接打一个断点,跟进去调试看,可以看出e就是我们之前在分析接口时payload中的param,然后转换组成新的字符串后传入了t方法,那我们跟下去看t方法内部逻辑
可以看出已经跳到了另一个js文件,n参数就是我们之前穿进来的参数,接下来就是疯狂一直下一步,直到调试出加密后的sign_code
此时,已经执行完加密逻辑,而加密逻辑只涉及到了一个js文件,跳出了t函数,然后经过substr方法取出切割后的字符串,现在,我们整个加密逻辑就已经很清楚。
那我们就得分析sign_code生成逻辑,重新进到刚刚那个js中,具体分析,通过python复现或者扣出相关的js调用相关库去执行加密逻辑代码,我们这里为了方便,选择后者
js代码
function r(n, t) {
var r = (65535 & n) + (65535 & t)
, e = (n >> 16) + (t >> 16) + (r >> 16);
return e << 16 | 65535 & r
};
function e(n, t) {
return n << t | n >>> 32 - t
};
function u(n, t, u, o, c, f) {
return r(e(r(r(t, n), r(o, f)), c), u)
};
function o(n, t, r, e, o, c, f) {
return u(t & r | ~t & e, n, t, o, c, f)
};
function c(n, t, r, e, o, c, f) {
return u(t & e | r & ~e, n, t, o, c, f)
};
function f(n, t, r, e, o, c, f) {
return u(t ^ r ^ e, n, t, o, c, f)
};
function i(n, t, r, e, o, c, f) {
return u(r ^ (t | ~e), n, t, o, c, f)
};
function a(n, t) {
n[t >> 5] |= 128 << t % 32,
n[(t + 64 >>> 9 << 4) + 14] = t;
var e, u, a, h, g, d = 1732584193, l = -271733879, v = -1732584194, s = 271733878;
for (e = 0; e < n.length; e += 16)
u = d,
a = l,
h = v,
g = s,
d = o(d, l, v, s, n[e], 7, -680876936),
s = o(s, d, l, v, n[e + 1], 12, -389564586),
v = o(v, s, d, l, n[e + 2], 17, 606105819),
l = o(l, v, s, d, n[e + 3], 22, -1044525330),
d = o(d, l, v, s, n[e + 4], 7, -176418897),
s = o(s, d, l, v, n[e + 5], 12, 1200080426),
v = o(v, s, d, l, n[e + 6], 17, -1473231341),
l = o(l, v, s, d, n[e + 7], 22, -45705983),
d = o(d, l, v, s, n[e + 8], 7, 1770035416),
s = o(s, d, l, v, n[e + 9], 12, -1958414417),
v = o(v, s, d, l, n[e + 10], 17, -42063),
l = o(l, v, s, d, n[e + 11], 22, -1990404162),
d = o(d, l, v, s, n[e + 12], 7, 1804603682),
s = o(s, d, l, v, n[e + 13], 12, -40341101),
v = o(v, s, d, l, n[e + 14], 17, -1502002290),
l = o(l, v, s, d, n[e + 15], 22, 1236535329),
d = c(d, l, v, s, n[e + 1], 5, -165796510),
s = c(s, d, l, v, n[e + 6], 9, -1069501632),
v = c(v, s, d, l, n[e + 11], 14, 643717713),
l = c(l, v, s, d, n[e], 20, -373897302),
d = c(d, l, v, s, n[e + 5], 5, -701558691),
s = c(s, d, l, v, n[e + 10], 9, 38016083),
v = c(v, s, d, l, n[e + 15], 14, -660478335),
l = c(l, v, s, d, n[e + 4], 20, -405537848),
d = c(d, l, v, s, n[e + 9], 5, 568446438),
s = c(s, d, l, v, n[e + 14], 9, -1019803690),
v = c(v, s, d, l, n[e + 3], 14, -187363961),
l = c(l, v, s, d, n[e + 8], 20, 1163531501),
d = c(d, l, v, s, n[e + 13], 5, -1444681467),
s = c(s, d, l, v, n[e + 2], 9, -51403784),
v = c(v, s, d, l, n[e + 7], 14, 1735328473),
l = c(l, v, s, d, n[e + 12], 20, -1926607734),
d = f(d, l, v, s, n[e + 5], 4, -378558),
s = f(s, d, l, v, n[e + 8], 11, -2022574463),
v = f(v, s, d, l, n[e + 11], 16, 1839030562),
l = f(l, v, s, d, n[e + 14], 23, -35309556),
d = f(d, l, v, s, n[e + 1], 4, -1530992060),
s = f(s, d, l, v, n[e + 4], 11, 1272893353),
v = f(v, s, d, l, n[e + 7], 16, -155497632),
l = f(l, v, s, d, n[e + 10], 23, -1094730640),
d = f(d, l, v, s, n[e + 13], 4, 681279174),
s = f(s, d, l, v, n[e], 11, -358537222),
v = f(v, s, d, l, n[e + 3], 16, -722521979),
l = f(l, v, s, d, n[e + 6], 23, 76029189),
d = f(d, l, v, s, n[e + 9], 4, -640364487),
s = f(s, d, l, v, n[e + 12], 11, -421815835),
v = f(v, s, d, l, n[e + 15], 16, 530742520),
l = f(l, v, s, d, n[e + 2], 23, -995338651),
d = i(d, l, v, s, n[e], 6, -198630844),
s = i(s, d, l, v, n[e + 7], 10, 1126891415),
v = i(v, s, d, l, n[e + 14], 15, -1416354905),
l = i(l, v, s, d, n[e + 5], 21, -57434055),
d = i(d, l, v, s, n[e + 12], 6, 1700485571),
s = i(s, d, l, v, n[e + 3], 10, -1894986606),
v = i(v, s, d, l, n[e + 10], 15, -1051523),
l = i(l, v, s, d, n[e + 1], 21, -2054922799),
d = i(d, l, v, s, n[e + 8], 6, 1873313359),
s = i(s, d, l, v, n[e + 15], 10, -30611744),
v = i(v, s, d, l, n[e + 6], 15, -1560198380),
l = i(l, v, s, d, n[e + 13], 21, 1309151649),
d = i(d, l, v, s, n[e + 4], 6, -145523070),
s = i(s, d, l, v, n[e + 11], 10, -1120210379),
v = i(v, s, d, l, n[e + 2], 15, 718787259),
l = i(l, v, s, d, n[e + 9], 21, -343485551),
d = r(d, u),
l = r(l, a),
v = r(v, h),
s = r(s, g);
return [d, l, v, s]
};
function h(n) {
var t, r = "";
for (t = 0; t < 32 * n.length; t += 8)
r += String.fromCharCode(n[t >> 5] >>> t % 32 & 255);
return r
};
function g(n) {
var t, r = [];
for (r[(n.length >> 2) - 1] = void 0,
t = 0; t < r.length; t += 1)
r[t] = 0;
for (t = 0; t < 8 * n.length; t += 8)
r[t >> 5] |= (255 & n.charCodeAt(t / 8)) << t % 32;
return r
};
function d(n) {
return h(a(g(n), 8 * n.length))
};
function l(n, t) {
var r, e, u = g(n), o = [], c = [];
for (o[15] = c[15] = void 0,
u.length > 16 && (u = a(u, 8 * n.length)),
r = 0; 16 > r; r += 1)
o[r] = 909522486 ^ u[r],
c[r] = 1549556828 ^ u[r];
return e = a(o.concat(g(t)), 512 + 8 * t.length),
h(a(c.concat(e), 640))
};
function v(n) {
var t, r, e = "0123456789abcdef", u = "";
for (r = 0; r < n.length; r += 1)
t = n.charCodeAt(r),
u += e.charAt(t >>> 4 & 15) + e.charAt(15 & t);
return u
};
function s(n) {
return unescape(encodeURIComponent(n))
};
function C(n) {
return d(s(n))
};
function A(n) {
return v(C(n))
};
function m(n, t) {
return l(s(n), s(t))
};
function p(n, t) {
return v(m(n, t))
};
function b(n, t, r) {
return t ? r ? m(t, n) : p(t, n) : r ? C(n) : A(n)
};
# get_sign()为自定义方法
function get_sign(e) {
var o = JSON.stringify(e);
var sign = b("poco_" + o + "_app");
sign = sign.substr(5, 19);
return sign
}
python测试代码
import requests
import execjs
def encrypt(param):
'''
通过execjs库 调用相关js 获取加密后的密文
:return:
'''
with open('encrypt_poco.js')as fp:
encrypt_js = fp.read()
ctx = execjs.compile(encrypt_js)
enc_sign = ctx.call('get_sign', param)
return enc_sign
if __name__ == '__main__':
param = {"start": 0, "length": 20, "time_point": 1641813425, "recommend_type": "editor"}
res = encrypt(param)
print(res)
效果
尾声
好了,以上就是此次全部分析过程
我是XinCheng,生死看淡、不服就干
记录爬虫的摸爬滚打
