qq音乐sign参数逆向
1.概览
参数sign长度40
多次调试发现,前缀zzb不变
2.打日志
跟站发现是vpm,在apply调用打上日志断点:
连蒙带猜知道,最终字符串四部分构成,zzb 24DC2798 HI0TvE4tOMqzN4w88oZCjQ EE0A88FE
1.把请求的body参数直接MD5得到c8a043f88d8e9b012eeb72673ec92a8b
2.利用固定数组[21, 4, 9, 26, 16, 20, 27, 30]和上面结果,使用charat得到字符串:
24DC2798
EE0A88FE
3.中间的HI0TvE4tOMqzN4w88oZCjQ,我们分析这个
HI0TvE4tOMqzN4w88oZCjQ来源:
把vmp的栈打印,在位运算的地方打上日志点:
发现两个固定东西:
let fmap = {"0":0,"1":1,"2":2,"3":3,"4":4,"5":5,"6":6,"7":7,"8":8,"9":9,"A":10,"B":11,"C":12,"D":13,"E":14,"F":15}
let arr = [212,45,80,68,195,163,163,203,157,220,254,91,204,79,104,6];
需要参与运算,运算日志如下:
E1EFCB705902FAD5BFD7F8C3CA904EF0 ->data的md5值
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:54 '-' 38 '=>' 16
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 14 '*' 16 '=>' 224
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 0 '*' 2 '=>' 0
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 0 '+' 1 '=>' 1
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 224 '+' 1 '=>' 225
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 225 '^' 212 '=>' 53
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 this-> [] args-> [53]
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 0 '+' 1 '=>' 1
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 0 '|' 0 '=>' 0
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 19 '-' 3 '=>' 16
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 1 '*' 2 '=>' 2
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 54 '-' 38 '=>' 16
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 14 '*' 16 '=>' 224
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 1 '*' 2 '=>' 2
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 2 '+' 1 '=>' 3
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 224 '+' 15 '=>' 239
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 239 '^' 45 '=>' 194
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 this-> [53] args-> [194]
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 1 '+' 1 '=>' 2
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 0 '|' 1 '=>' 1
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 19 '-' 3 '=>' 16
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 2 '*' 2 '=>' 4
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 54 '-' 38 '=>' 16
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 12 '*' 16 '=>' 192
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 2 '*' 2 '=>' 4
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 4 '+' 1 '=>' 5
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 192 '+' 11 '=>' 203
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 203 '^' 80 '=>' 155
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 this-> (2) [53, 194] args-> [155]
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 2 '+' 1 '=>' 3
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 0 '|' 2 '=>' 2
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 19 '-' 3 '=>' 16
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 3 '*' 2 '=>' 6
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 54 '-' 38 '=>' 16
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 7 '*' 16 '=>' 112
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 3 '*' 2 '=>' 6
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 6 '+' 1 '=>' 7
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 112 '+' 0 '=>' 112
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 112 '^' 68 '=>' 52
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 this-> (3) [53, 194, 155] args-> [52]
可以发现,
第0组:
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:14 '*' 16 '=>' 224
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 0 '*' 2 '=>' 0
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 0 '+' 1 '=>' 1
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 224 '+' 1 '=>' 225
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 225 '^' 212 '=>' 53
我们记let md5v = E1EFCB705902FAD5BFD7F8C3CA904EF0
16是每组都一样的固定值:
14是fmap[md5v[0]]
1是fmap[md5v[0+1]]
212是arr[0]
第1组:
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 54 '-' 38 '=>' 16
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 14 '*' 16 '=>' 224
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 1 '*' 2 '=>' 2
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 2 '+' 1 '=>' 3
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 224 '+' 15 '=>' 239
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 239 '^' 45 '=>' 194
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 this-> [53] args-> [194]
我们记let md5v = E1EFCB705902FAD5BFD7F8C3CA904EF0
16是每组都一样的固定值:
14是fmap[md5v[2]]
15是fmap[md5v[2+1]]
45是arr[1]
第2组:
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 54 '-' 38 '=>' 16
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 12 '*' 16 '=>' 192
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 2 '*' 2 '=>' 4
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 4 '+' 1 '=>' 5
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 192 '+' 11 '=>' 203
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 203 '^' 80 '=>' 155
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 this-> (2) [53, 194] args-> [155]
我们记let md5v = E1EFCB705902FAD5BFD7F8C3CA904EF0
16是每组都一样的固定值:
12是fmap[md5v[4]]
11是fmap[md5v[4+1]]
80是arr[2]
第3组:
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 7 '*' 16 '=>' 112
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 3 '*' 2 '=>' 6
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 6 '+' 1 '=>' 7
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 112 '+' 0 '=>' 112
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 112 '^' 68 '=>' 52
vendor.chunk.b71d8ba4d37617cb2e8d.js?max_age=2592000:1 this-> (3) [53, 194, 155] args-> [52]
我们记let md5v = E1EFCB705902FAD5BFD7F8C3CA904EF0
16是每组都一样的固定值:
7是fmap[md5v[6]]
0是fmap[md5v[6+1]]
68是arr[3]
那么,第i组:
(fmap[md5v[i*2]] * 16 + fmap[md5v[i*2+1]]) ^ arr[i]
js代码为:
function get_arr_16(str32){
let ans = [];
let fmap = {"0":0,"1":1,"2":2,"3":3,"4":4,"5":5,"6":6,"7":7,"8":8,"9":9,"A":10,"B":11,"C":12,"D":13,"E":14,"F":15}
let arr = [212,45,80,68,195,163,163,203,157,220,254,91,204,79,104,6];
for (let i = 0; i < 16; i++) {
ans.push((fmap[str32[i*2]]*16 + fmap[str32[i*2+1]])^arr[i])
}
console.log(ans)
return ans;
}
综上所有逻辑结束。
3.验证:
