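Disclaimer:
This post was written to share what I learned while studying reverse engineering. The content is for study and discussion only; do not use it for illegal purposes! The author bears no responsibility for any legal dispute that arises from it; you are solely responsible!
Analysis
Start by capturing the traffic. The request whose response contains the song's URL is easy to find.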
![](https://file.jishuzhan.net/article/1740542739314905090/0dbb14ed5127530329c117ba7533d450.webp)
Record the parameters, refresh the page a few times and watch how they change: only reqId changes.
![](https://file.jishuzhan.net/article/1740542739314905090/ca521db95c5ae00597c29f3afa3a89bc.webp)
Looking at the request headers, one encrypted parameter also changes, and it changes continuously.
![](https://file.jishuzhan.net/article/1740542739314905090/be025931e62c24fc7ac1d504e15152ce.webp)
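So we first work out how the encrypted Secret value is produced, then the reqId request parameter.
Obtaining the Secret encrypted parameter
To locate this parameter we could search for the keyword, follow the call stack from an XHR breakpoint, use a hook, and so on. Here we simply search for it.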
![](https://file.jishuzhan.net/article/1740542739314905090/48146b9b1583e4ac4e603f80781033e8.webp)
Find the location and set a breakpoint to debug.
![](https://file.jishuzhan.net/article/1740542739314905090/48146b9b1583e4ac4e603f80781033e8.webp)
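The call needs e, so copy that code out:
```javascript
// Snippet from the site's bundled script at the breakpoint
// (d, f, o and h are defined elsewhere in the bundle)
var e = Object(d.c)(f);
o.a.defaults.headers.Secret = h(e, f)
```
Search for how e is computed and substitute the value of f.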
![](https://file.jishuzhan.net/article/1740542739314905090/2da93868ed5474c5095546ea1fce0b36.webp)
Note that this code reads document.cookie, so we print it and watch which values change.
![](https://file.jishuzhan.net/article/1740542739314905090/a2d89d7cb5aedc5deb334e0ddb77ab55.webp)
Refresh the page and record the cookie.
![](https://file.jishuzhan.net/article/1740542739314905090/07a2e0c5ae885e4059bab80e973e7efe.webp)
Only the last entry, Hm_Iuvt_cdb524f42f0cer9b268e4v7y735ewrq2324, changes. So copy everything before it and use it in place of document.cookie.
![](https://file.jishuzhan.net/article/1740542739314905090/229fefe988e706643a3624f6b18708b6.webp)
Next, search for h and copy it.
![](https://file.jishuzhan.net/article/1740542739314905090/da17c8baeaa77b8ed6f240291101772a.webp)
It runs and produces a result, but the result does not match. Note that one value, res, has not been filled in.
![](https://file.jishuzhan.net/article/1740542739314905090/99b2e423f63563b873314608fe3f64ff.webp)
Fill in a correct value and look at the result.
![](https://file.jishuzhan.net/article/1740542739314905090/9fb6bd8ecb462df8da1833ce1eded951.webp)
It matches perfectly. This value is a cookie that the server returns in the response to a request. That completes the search for the Secret parameter, so we finish the function:
```javascript
function getSecret(coo) {
    // h(t, e): XOR-encodes the string t with a pseudo-random stream derived from the key e
    function h(t, e) {
        if (null == e || e.length <= 0)
            return console.log("Please enter a password with which to encrypt the message."),
            null;
        for (var n = "", i = 0; i < e.length; i++)
            n += e.charCodeAt(i).toString();
        var r = Math.floor(n.length / 5)
          , o = parseInt(n.charAt(r) + n.charAt(2 * r) + n.charAt(3 * r) + n.charAt(4 * r) + n.charAt(5 * r))
          , l = Math.ceil(e.length / 2)
          , c = Math.pow(2, 31) - 1;
        if (o < 2)
            return console.log("Algorithm cannot find a suitable hash. Please choose a different password. \nPossible considerations are to choose a more complex or longer password."),
            null;
        // d is a random value; it is appended to the output in hex at the end
        var d = Math.round(1e9 * Math.random()) % 1e8;
        for (n += d; n.length > 10; )
            n = (parseInt(n.substring(0, 10)) + parseInt(n.substring(10, n.length))).toString();
        n = (o * n + l) % c;
        var h = ""
          , f = "";
        for (i = 0; i < t.length; i++)
            f += (h = parseInt(t.charCodeAt(i) ^ Math.floor(n / c * 255))) < 16 ? "0" + h.toString(16) : h.toString(16),
            n = (o * n + l) % c;
        for (d = d.toString(16); d.length < 8; )
            d = "0" + d;
        return f += d
    }
    // v(t): reads the value of cookie t from the copied cookie string
    var v = function (t) {
        // Cookie value returned by the server, hard-coded for now (the coo argument is not used yet)
        var res = "FTDFBA8TkwNG4eQpzAPM7QxN5thPsDrD"
        var e = `_ga=GA1.2.1617862873.1703732461; _gid=GA1.2.1291582354.1703732461; Hm_lvt_cdb524f42f0ce19b169a8071123a4797=1703725476; Hm_lpvt_cdb524f42f0ce19b169a8071123a4797=1703734897; _ga_ETPBRPM9ML=GS1.2.1703732461.1.1.1703734896.33.0.0; Hm_Iuvt_cdb524f42f0cer9b268e4v7y735ewrq2324=${res}`
          , n = e.indexOf(t + "=");
        if (-1 != n) {
            n = n + t.length + 1;
            var r = e.indexOf(";", n);
            return -1 == r && (r = e.length),
            unescape(e.substring(n, r))
        }
        return null
    }
    var e = v("Hm_Iuvt_cdb524f42f0cer9b268e4v7y735ewrq2324");
    var Secret = h(e, "Hm_Iuvt_cdb524f42f0cer9b268e4v7y735ewrq2324")
    return Secret
}
```
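An added example, not code from the original post or from the site: `h` appends its random value `d` in clear as the last 8 hex digits and its key is the cookie name, so anyone who knows that name can invert the output; the Secret header is obfuscation of the cookie value, not authentication. The names `deriveState`, `encode` and `decode` are introduced here; `encode` is the post's `h` with the random value passed in so the round trip is repeatable, and ASCII input is assumed.

```javascript
// Added example: inverts the h() routine shown above. Names are illustrative.
const M = Math.pow(2, 31) - 1;

// Rebuild multiplier, increment and seed exactly as h() derives them from the key
// and the random value (called nonce here).
function deriveState(key, nonce) {
  let n = "";
  for (let i = 0; i < key.length; i++) n += key.charCodeAt(i).toString();
  const r = Math.floor(n.length / 5);
  const mult = parseInt(n.charAt(r) + n.charAt(2 * r) + n.charAt(3 * r) +
                        n.charAt(4 * r) + n.charAt(5 * r));
  if (!(mult >= 2)) throw new Error("key yields no usable multiplier");
  const inc = Math.ceil(key.length / 2);
  for (n += nonce; n.length > 10; )
    n = (parseInt(n.substring(0, 10)) + parseInt(n.substring(10))).toString();
  return { mult, inc, state: (mult * n + inc) % M };
}

// Same transform as h(), with the nonce supplied by the caller (ASCII input assumed).
function encode(plain, key, nonce) {
  let { mult, inc, state } = deriveState(key, nonce);
  let out = "";
  for (let i = 0; i < plain.length; i++) {
    const b = plain.charCodeAt(i) ^ Math.floor(state / M * 255);
    out += b.toString(16).padStart(2, "0");
    state = (mult * state + inc) % M;
  }
  return out + nonce.toString(16).padStart(8, "0");
}

// The nonce travels in clear as the last 8 hex digits, so the stream can be replayed.
function decode(secret, key) {
  const nonce = parseInt(secret.slice(-8), 16);
  const body = secret.slice(0, -8);
  let { mult, inc, state } = deriveState(key, nonce);
  let plain = "";
  for (let i = 0; i < body.length; i += 2) {
    plain += String.fromCharCode(parseInt(body.slice(i, i + 2), 16) ^ Math.floor(state / M * 255));
    state = (mult * state + inc) % M;
  }
  return plain;
}

// Constructed input: cookie name and value as they appear in the post.
const KEY = "Hm_Iuvt_cdb524f42f0cer9b268e4v7y735ewrq2324";
const VALUE = "FTDFBA8TkwNG4eQpzAPM7QxN5thPsDrD";
```

A service that receives this header can run `decode` and compare the result with the cookie it issued, which is a consistency check only.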
Looking up the reqId encrypted parameter
Search for it directly.
![](https://file.jishuzhan.net/article/1740542739314905090/bcbd2466b2569410cfb708cb4337e748.webp)
From the result, we just need to get the value of n.
![](https://file.jishuzhan.net/article/1740542739314905090/b71c5f0b59c4f5b52008192fab2649b2.webp)
Searching for c shows that it is a function.
![](https://file.jishuzhan.net/article/1740542739314905090/42b7679fa00278c4ff494f37f12a61ae.webp)
Copy and paste it out as a replacement.
![](https://file.jishuzhan.net/article/1740542739314905090/d2bda74129a4a586a691ad1ad4e22d91.webp)
Modify it a little.
![](https://file.jishuzhan.net/article/1740542739314905090/3b6d51783eef82834a0036e4e3774d47.webp)
r cannot be found, so search for it.
![](https://file.jishuzhan.net/article/1740542739314905090/a37d36078feb5de2831db8926948716b.webp)
o cannot be found.
![](https://file.jishuzhan.net/article/1740542739314905090/67923063bec440ad1c0c7cc0ce637a27.webp)
Debug to this position, hover over the name and jump to its definition.
![](https://file.jishuzhan.net/article/1740542739314905090/27a90d68e24f9e66c7242ed84ad9ebd8.webp)
Copy this part out as well.
![](https://file.jishuzhan.net/article/1740542739314905090/6f5cdbb73d253820fe28695c81aefc0c.webp)
To find n(204) and n(205), print them in the console.
![](https://file.jishuzhan.net/article/1740542739314905090/61912f2de9d24fc749bcd83541013b56.webp)
Execution must be paused at this position first; only then can they be printed in the console.
![](https://file.jishuzhan.net/article/1740542739314905090/919aee0b848cd4e5caa213e6f662e7c6.webp)
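Copy this content out directly.
To avoid environment problems we take the value of n directly and try several times to see whether it is constant. We find that n is an encryption function, and JavaScript has a corresponding crypto library for it, so we simply substitute that.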
![](https://file.jishuzhan.net/article/1740542739314905090/ba1e20f7af2023fd0eb16655bb3971e5.webp)
```javascript
var CryptoJS = require("crypto-js"); // imported here, but not referenced by the code below
// Fallback random fill (named after CryptoJS, but it uses Math.random)
function getRandomValuesCryptoJS(array) {
    for (var i = 0; i < array.length; i++) {
        array[i] = Math.floor(Math.random() * 256); // fill the array with random numbers between 0 and 255
    }
}
var getRandomValues = "undefined" != typeof crypto && crypto.getRandomValues && crypto.getRandomValues.bind(crypto) || "undefined" != typeof msCrypto && "function" == typeof window.msCrypto.getRandomValues && msCrypto.getRandomValues.bind(msCrypto);
if (!getRandomValues) {
    getRandomValues = getRandomValuesCryptoJS; // if the getRandomValues used by the original code does not exist, use the fallback
}
var r = new Uint8Array(16);
// Returns 16 random bytes (stands in for n(204))
var ArrayS = function () {
    return getRandomValues(r), r;
};
```
In the same way, find n(205) and replace the value t in the middle; once it is located, refresh a few times to see whether it changes.
![](https://file.jishuzhan.net/article/1740542739314905090/f0d3f130b1758502348654a75f55e202.webp)
Copy it in and then integrate the code.
```javascript
var CryptoJS = require("crypto-js"); // imported here, but not referenced by the code below
// Fallback random fill (named after CryptoJS, but it uses Math.random)
function getRandomValuesCryptoJS(array) {
    for (var i = 0; i < array.length; i++) {
        array[i] = Math.floor(Math.random() * 256); // fill the array with random numbers between 0 and 255
    }
}
var getRandomValues = "undefined" != typeof crypto && crypto.getRandomValues && crypto.getRandomValues.bind(crypto) || "undefined" != typeof msCrypto && "function" == typeof window.msCrypto.getRandomValues && msCrypto.getRandomValues.bind(msCrypto);
if (!getRandomValues) {
    getRandomValues = getRandomValuesCryptoJS; // if the getRandomValues used by the original code does not exist, use the fallback
}
var r = new Uint8Array(16);
// Returns 16 random bytes (stands in for n(204))
var ArrayS = function () {
    return getRandomValues(r), r;
};
// Lookup table: byte value -> two-digit hex string
for (var n = [], i = 0; i < 256; ++i)
    n[i] = (i + 256).toString(16).substr(1);
// Formats 16 bytes as a UUID string (stands in for n(205)).
// t is the fixed array captured in the debugger, so the returned string is always the same.
var DDD = function () {
    var t = [
        45,
        118,
        133,
        112,
        165,
        33,
        17,
        238,
        140,
        170,
        189,
        11,
        98,
        119,
        132,
        45
    ]
    var i = 0
      , r = n;
    return [r[t[i++]], r[t[i++]], r[t[i++]], r[t[i++]], "-", r[t[i++]], r[t[i++]], "-", r[t[i++]], r[t[i++]], "-", r[t[i++]], r[t[i++]], "-", r[t[i++]], r[t[i++]], r[t[i++]], r[t[i++]], r[t[i++]], r[t[i++]]].join("")
}
// Note: r was already declared above, so it still refers to that Uint8Array here
var r, o, l = ArrayS, c = DDD, d = 0, h = 0;
// A(): the site's uuid.v1() routine (timestamp, clock sequence, node)
function A(t, e, n) {
    var i = e && n || 0
      , b = e || []
      , f = (t = t || {}).node || r
      , v = void 0 !== t.clockseq ? t.clockseq : o;
    if (null == f || null == v) {
        var m = l();
        null == f && (f = r = [1 | m[0], m[1], m[2], m[3], m[4], m[5]]),
        null == v && (v = o = 16383 & (m[6] << 8 | m[7]))
    }
    var y = void 0 !== t.msecs ? t.msecs : (new Date).getTime()
      , w = void 0 !== t.nsecs ? t.nsecs : h + 1
      , dt = y - d + (w - h) / 1e4;
    if (dt < 0 && void 0 === t.clockseq && (v = v + 1 & 16383),
    (dt < 0 || y > d) && void 0 === t.nsecs && (w = 0),
    w >= 1e4)
        throw new Error("uuid.v1(): Can't create more than 10M uuids/sec");
    d = y,
    h = w,
    o = v;
    var x = (1e4 * (268435455 & (y += 122192928e5)) + w) % 4294967296;
    b[i++] = x >>> 24 & 255,
    b[i++] = x >>> 16 & 255,
    b[i++] = x >>> 8 & 255,
    b[i++] = 255 & x;
    var _ = y / 4294967296 * 1e4 & 268435455;
    b[i++] = _ >>> 8 & 255,
    b[i++] = 255 & _,
    b[i++] = _ >>> 24 & 15 | 16,
    b[i++] = _ >>> 16 & 255,
    b[i++] = v >>> 8 | 128,
    b[i++] = 255 & v;
    for (var A = 0; A < 6; ++A)
        b[i + A] = f[A];
    return e || c(b)
}
// main(): returns the reqId
function main() {
    var m = A();
    return m;
}
// getSecret(coo): returns the Secret header value for the cookie value coo
function getSecret(coo) {
    function h(t, e) {
        if (null == e || e.length <= 0)
            return console.log("Please enter a password with which to encrypt the message."),
            null;
        for (var n = "", i = 0; i < e.length; i++)
            n += e.charCodeAt(i).toString();
        var r = Math.floor(n.length / 5)
          , o = parseInt(n.charAt(r) + n.charAt(2 * r) + n.charAt(3 * r) + n.charAt(4 * r) + n.charAt(5 * r))
          , l = Math.ceil(e.length / 2)
          , c = Math.pow(2, 31) - 1;
        if (o < 2)
            return console.log("Algorithm cannot find a suitable hash. Please choose a different password. \nPossible considerations are to choose a more complex or longer password."),
            null;
        var d = Math.round(1e9 * Math.random()) % 1e8;
        for (n += d; n.length > 10; )
            n = (parseInt(n.substring(0, 10)) + parseInt(n.substring(10, n.length))).toString();
        n = (o * n + l) % c;
        var h = ""
          , f = "";
        for (i = 0; i < t.length; i++)
            f += (h = parseInt(t.charCodeAt(i) ^ Math.floor(n / c * 255))) < 16 ? "0" + h.toString(16) : h.toString(16),
            n = (o * n + l) % c;
        for (d = d.toString(16); d.length < 8; )
            d = "0" + d;
        return f += d
    }
    // AD(t): reads the value of cookie t from the copied cookie string, with coo as the last value
    function AD(t) {
        let currentTime = Date.now();
        // let replacedString = `_ga=GA1.2.26371751.${currentTime}; _gid=GA1.2.747646009.${currentTime}; Hm_lvt_cdb524f42f0ce19b169a8071123a4797=${currentTime}; Hm_lpvt_cdb524f42f0ce19b169a8071123a4797=${currentTime+1000}; _ga_ETPBRPM9ML=GS1.2.${currentTime+1}.1.1.${currentTime+1000}.42.0.0; Hm_Iuvt_cdb524f42f0cer9b268e4v7y735ewrq2324=tFnXWXriYFBkmeMjRHep7mzaxHz8pwbT`;
        // var e = "_ga=GA1.2.26371751.1703725476; _gid=GA1.2.747646009.1703725476; Hm_lvt_cdb524f42f0ce19b169a8071123a4797=1703725476; Hm_lpvt_cdb524f42f0ce19b169a8071123a4797=1703728234; _ga_ETPBRPM9ML=GS1.2.1703725477.1.1.1703728234.42.0.0; Hm_Iuvt_cdb524f42f0cer9b268e4v7y735ewrq2324=tFnXWXriYFBkmeMjRHep7mzaxHz8pwbT"
        // var e = replacedString
        var result = coo
        var e = `_ga=GA1.2.26371751.1703725476; _gid=GA1.2.747646009.1703725476; Hm_lvt_cdb524f42f0ce19b169a8071123a4797=1703725476; Hm_lpvt_cdb524f42f0ce19b169a8071123a4797=1703729334; _ga_ETPBRPM9ML=GS1.2.1703725477.1.1.1703729335.60.0.0; Hm_Iuvt_cdb524f42f0cer9b268e4v7y735ewrq2324=${result}`
          , n = e.indexOf(t + "=");
        console.log(e)
        if (-1 != n) {
            n = n + t.length + 1;
            var r = e.indexOf(";", n);
            return -1 == r && (r = e.length),
            unescape(e.substring(n, r))
        }
        return null
    }
    var e = AD("Hm_Iuvt_cdb524f42f0cer9b268e4v7y735ewrq2324");
    console.log(e)
    return h(e, "Hm_Iuvt_cdb524f42f0cer9b268e4v7y735ewrq2324")
}
// Pass the Hm_Iuvt_... cookie value returned by the server (here, the value used earlier in this post)
console.log(getSecret("FTDFBA8TkwNG4eQpzAPM7QxN5thPsDrD"))
```
That yields the content we need.
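An added example, not code from the original post or from the site: the reqId routine above is a version 1 UUID generator (it carries the `uuid.v1()` error string), so the value embeds its creation time, clock sequence and node, and a receiving service can parse it to check freshness. `parseUuidV1`, `isFresh` and the 5-minute window are assumptions introduced here; the sample is the 16 bytes hard-coded as `t` in the post, written as a UUID string.

```javascript
// Added example: field layout of a version 1 UUID, as produced by A() above.
// 100 ns ticks between 1582-10-15 and 1970-01-01 (the 122192928e5 ms offset in A()).
const GREGORIAN_OFFSET = 122192928000000000n;

function parseUuidV1(uuid) {
  const m = /^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f])([0-9a-f]{3})-([0-9a-f]{4})-([0-9a-f]{12})$/i.exec(uuid);
  if (!m) throw new Error("not a UUID string");
  const [, timeLow, timeMid, version, timeHi, clockSeq, node] = m;
  if (version !== "1") throw new Error("not a version 1 UUID");
  // The 60-bit timestamp is stored low-part first; reassemble it high to low.
  const ticks = BigInt("0x" + timeHi + timeMid + timeLow);
  return {
    unixMs: Number((ticks - GREGORIAN_OFFSET) / 10000n),
    clockSeq: parseInt(clockSeq, 16) & 0x3fff, // drop the two variant bits
    node,
    // A() sets the lowest bit of the first node byte when the node is random
    multicastBit: (parseInt(node.slice(0, 2), 16) & 1) === 1,
  };
}

// Freshness check a receiving service could apply; the window is an assumed policy.
function isFresh(uuid, nowMs, windowMs = 5 * 60 * 1000) {
  return Math.abs(nowMs - parseUuidV1(uuid).unixMs) <= windowMs;
}

// Constructed input: the bytes of `t` from the post, formatted as a UUID string.
const sample = "2d768570-a521-11ee-8caa-bd0b6277842d";
console.log(parseUuidV1(sample), new Date(parseUuidV1(sample).unixMs).toISOString());
```

Because `DDD` formats the fixed array `t`, every call to `main()` returns this same string, and its embedded timestamp stays at the capture time.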