阿里140-语雀逆向分析
逆向网址
bash
aHR0cHM6Ly93d3cueXVxdWUuY29tL2xvZ2luP3JlZ2lzdGVyX3dpdGhfc2NlbmU9dHJ1ZSZkZWZhdWx0VHlwZT1vcmcmcmVnaXN0ZXJfZnJvbT1vZmZpY2lhbF93ZWJzaXRlX3RvcF9idXR0b24=initialize.jsonp
访问地址
bash
curl 'https://cf.aliyun.com/nocaptcha/initialize.jsonp?a=FFFF000000000179A3AD&t=FFFF000000000179A3AD%3A1763785658728%3A0.9939028669557559&scene=register&lang=cn&v=v1.2.21&href=https%3A%2F%2Fwww.yuque.com%2Flogin&comm=\{\}&callback=initializeJsonp_07768477864404844' \
-H 'Accept: */*' \
-H 'Accept-Language: zh-CN,zh;q=0.9' \
-H 'Connection: keep-alive' \
-H 'Referer: https://www.yuque.com/' \
-H 'Sec-Fetch-Dest: script' \
-H 'Sec-Fetch-Mode: no-cors' \
-H 'Sec-Fetch-Site: cross-site' \
-H 'Sec-Fetch-Storage-Access: none' \
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36' \
-H 'sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "Windows"'返回结果
bash
initializeJsonp_05223948906246048({
"result": {
"msg": "success",
"success": true
},
"success": true
});所需参数
bash
a FFFF000000000179A3AD
t FFFF000000000179A3AD:1763784974488:0.08279396684865736
scene register
lang cn
v v1.2.21
href https://www.yuque.com/login
comm {}
callback initializeJsonp_05223948906246048参数a
bash
a = FFFF000000000179A3AD
这个值来自于访问
curl 'https://www.yuque.com/login?register_with_scene=true&defaultType=org®ister_from=official_website_top_button' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
-H 'Accept-Language: zh-CN,zh;q=0.9' \
-H 'Connection: keep-alive' \
-H 'Sec-Fetch-Dest: document' \
-H 'Sec-Fetch-Mode: navigate' \
-H 'Sec-Fetch-Site: none' \
-H 'Sec-Fetch-User: ?1' \
-H 'Upgrade-Insecure-Requests: 1' \
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36' \
-H 'sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "Windows"'
所返回的HTML内容中window.appData = JSON.parse(decodeURIComponent())
参数t
bash
t = FFFF000000000179A3AD:1763784974488:0.08279396684865736
var i = (null === (e = window.appData) || void 0 === e ? void 0 : e.captchaAppKey) || "FFFF000000000179A3AD"
s = [i, (new Date).getTime(), Math.random()].join(":")
python代码如下
python
":".join(["FFFF000000000179A3AD",str(int(time.time() * 1000)),str(random.random())])参数callback
bash
callback = initializeJsonp_05223948906246048
这个值来自nc.js
var e = ("initializeJsonp_" + Math.random()).replace(".", "")
python代码如下
python
("initializeJsonp_" + str(random.random())).replace(".", "")analyze.jsonp
访问地址
bash
curl 'https://cf.aliyun.com/nocaptcha/analyze.jsonp?a=FFFF000000000179A3AD&t=FFFF000000000179A3AD%3A1763785658728%3A0.9939028669557559&n=140%23jVTdMHBEzzWYxQo24Zr%2B4pN8s9zDwbw4WpHg49Y19eEZUK3w4nUw3PbiRP%2BfPB%2BPveP1rYU9KFIMlp1zzXktnreXwFzx02wmO6h%2Fzzrb22U3lp1xzZPNciJqUb%2Bx2oa3V3gqzm1nTRi7KrvZrI7Zb51gEAJLiF4VLkvAZk7887PaDO%2FLuJVkbacjMc1%2ByrFfyxWNXt0VTyUiaR6Rj0KyDf8FViqd%2BdaU6jXpC8NMXb%2F0Qm%2Fdt0oA2IuVX%2B%2BcHYyNPKZdegxUQpEqaQSa1fhUUieivOm7OIQR9YU3DKHIZI3PtTILpspHRDeniQeWfxK%2F4WXGyfgsqKDrDjmb3wGnAck6MBAFuW0VR7wnHlZd6z49HZYW0bp2s59fjY0FyYPS9fQB7mSpFw3yPBLH8BaJUrCB1PjHGXHpL%2FkuOM9MnnRQf13gVWW02hxGqdjWjJ7XvLLEfn43KGirhsRKJTyehJ9bg%2B0n%2F51rydm6hG9%2BT%2Bs7%2BQHW8KMlSDKwtbZaYvSndIAxo7mlWgBOiF3PWGMcz%2FF7e3XV0YQtt%2FuIp9KFbC4wWZ%2BNAKEPBml1fzpdfLZYbm%2FR9ftTBD3%2FXczTCpd1q90%2BTWoAxtTzTxs0WdCp6uV0gDTZwpzVFBEuDqMyhhxVpfKKiiCjazAFMAf9tWxac1WqJu7UmVEfvcsxuykzYWrx2ZssX9CBD6Eurk0HHfz9nn3V2jFxBoZwwT6eAUQRZtXyE8H7QttvEVaPOqaMyWznvSVVYue94EnVetOaRplVhn%2FtV0%2B3k3m%2FyQqZR6t0HKe9Y8sgLGIP8ev8q1A35DCoGnMfFRq1XKNibxJy%2F%2FoCpNb6I4fNw9j3a2qKI%2FRn9r97kSZGXtf6vK1UPFZABks6x9Jqrggjeu4Q09exT9ZfvzYE0rsuAObS%2F9zCE%2FmhLhqsrQO7BJo%2Bq43cXA%2FBuuseRwjlhy5WGI3UTDXZbAWtM%2BUorT5jy%2Bb3upSd177DG%2BTJn4SG1B%2Bu4KAMT9QavmYKBYFIPmtFx8uQHGF8gXYAekE11PiXQUBnYpXq0cK8Or9YD6czhVuhnsOZjPEEySU996PqD%2FoD0wB95sNZW549lHw3bGKa1mzyUj7mgT0THp5bDmBj%2FqIwiKDpr7mnHG3PJ%2BHaHV8NQATBIOLW%2B3x%2F5yyvgAkHCipqcKvo1HE6hZMhdBHKjTDRlsaS2siE25KvQvWx%2FqBZfePGgvu6qGzUmvoC5yTapBAAlRNSsi5vIQ0eyJYLWv3cKgMuUmki1XnS6HrlFQbkBnrzWnVXrofF%2Bapd024sJi9RHE5OskeY4E03z0uzGoAzHyNMuxSbD3LP9JdHpxP0N19yZAqUva34cOVtGOPXJ2cZ76iJFdHXfdkkiW%2BzbI0loWTTU9qIWwN0jZqSJteOa8cVOSs%2B4VgoPo7NDaHtmZhlWIOONvtf81Fq72zDiLp0OrCjR7h%2B5VFU4rQmdRiV08m2fJiKqX05gbCdxi9dVZNPRIbF55gXCmA9A9%2B7Iaw7gPyBOKvez%2BoUZvEBRyW%2Bka9qTn42tVr2IMZ1Npr9zpswczTD0wZ4RA4blbtUzkK273aPxbiZHzIust%2FUCr6mKvQ8eGNs0tbAPgo2KRXPg4WXxGBY8symilPcKnVGaY0bBHq8lgEYcpugH06ilSPPrweIA0Z%2FTRJdXI1RhFuY7NKlDf0qqhDn2pCfxpFVlp5EbIoDFd73gu0y%2Bar105wK0nL%2F8fLOi%2Bqten962Mfi4EUift5G2IyOOA4Yd2HMZNyo8B7azQ39ubKApLaatfF%2F2rEWL%2BZjRZpj2hUyiz7cld3YzsPCvE0N%2BPgTSW9NjTpm56demAojPnIfJRU5hcwGr%2BKG2jOsrwUl08LAiawlwShDcU%2BRBEDfLV%2FC2tENwu1BlkhWSdAddvzAHtQrmuasUOA2Dif%3D&p=%7B%22ncSessionID%22%3A%226425ea564360%22%2C%22umidToken%22%3A%22T2gA5QbDSPMnsWLkgj1SdX8rnKbHNSAtsmRmwvWOqfTcBPPLBd2rLQgnFb-viw-AULw%3D%22%7D&scene=register&asyn=0&lang=cn&v=1099&callback=jsonp_05185345410832506' \
-H 'Accept: */*' \
-H 'Accept-Language: zh-CN,zh;q=0.9' \
-H 'Connection: keep-alive' \
-H 'Referer: https://www.yuque.com/' \
-H 'Sec-Fetch-Dest: script' \
-H 'Sec-Fetch-Mode: no-cors' \
-H 'Sec-Fetch-Site: cross-site' \
-H 'Sec-Fetch-Storage-Access: none' \
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36' \
-H 'sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "Windows"'返回结果
bash
jsonp_05185345410832506({
"result": {
"code": 0,
"csessionid": "0152JIZgtMjy7iQLwB8JakWd5AD5RV4yFC1-F2cN7r0WTrZ3MnWtINPEf5VqXupliKYkBY7pT3nqVBQAVS4XQ2bHq6EScUIX26OCTaq-MjzO9uft5-c-nRPAn3s7B0UZ9lKLQTFkf1LXGASygBIlS7Rw",
"value": "05a1C7nT4bR5hcbZlAujcdyX7dBXPIzHot1crVxsVPdY-By_YcdE6yvKHvjpi3kNIuSR-PaFhlj1lXjJgEd1a9tItlkKeRtB6KSDz3DPO-EiViGp4-RSlo2wwzH2kqN58cH9GYe7ZPnjg1sHQwyS9W_52JCYRJvNHC79bElLDmB9qBrUy_iSYJx8i-AGiGAseUn6z-PTxAlNCmkdCreztqEuEuelayZzwfVmdXdQyevZ8_aguBJLbKPQESvh74CuVfr59BIWjoyDNhcM6yiIwdH-uEVp6XSEiGrQoXSGAk0xYHVbdeWM1jKQqPwufGOqEpPRkVLWbPjPgc_kP0-Qd1BA5mLCreuZfRsQNSajjSXIJtNZHkJ0SCUDMIEFiimdkvCCiLRI3ErA4tHDg2a8XZmQ"
},
"success": true
});所需参数
bash
a FFFF000000000179A3AD
t FFFF000000000179A3AD:1763785658728:0.9939028669557559
n 140#jVTdMHBEzzWYxQo24Zr+4pN8s9zDwbw4WpHg49Y19eEZUK3w4nUw3PbiRP+fPB+PveP1rYU9KFIMlp1zzXktnreXwFzx02wmO6h/zzrb22U3lp1xzZPNciJqUb+x2oa3V3gqzm1nTRi7KrvZrI7Zb51gEAJLiF4VLkvAZk7887PaDO/LuJVkbacjMc1+yrFfyxWNXt0VTyUiaR6Rj0KyDf8FViqd+daU6jXpC8NMXb/0Qm/dt0oA2IuVX++cHYyNPKZdegxUQpEqaQSa1fhUUieivOm7OIQR9YU3DKHIZI3PtTILpspHRDeniQeWfxK/4WXGyfgsqKDrDjmb3wGnAck6MBAFuW0VR7wnHlZd6z49HZYW0bp2s59fjY0FyYPS9fQB7mSpFw3yPBLH8BaJUrCB1PjHGXHpL/kuOM9MnnRQf13gVWW02hxGqdjWjJ7XvLLEfn43KGirhsRKJTyehJ9bg+0n/51rydm6hG9+T+s7+QHW8KMlSDKwtbZaYvSndIAxo7mlWgBOiF3PWGMcz/F7e3XV0YQtt/uIp9KFbC4wWZ+NAKEPBml1fzpdfLZYbm/R9ftTBD3/XczTCpd1q90+TWoAxtTzTxs0WdCp6uV0gDTZwpzVFBEuDqMyhhxVpfKKiiCjazAFMAf9tWxac1WqJu7UmVEfvcsxuykzYWrx2ZssX9CBD6Eurk0HHfz9nn3V2jFxBoZwwT6eAUQRZtXyE8H7QttvEVaPOqaMyWznvSVVYue94EnVetOaRplVhn/tV0+3k3m/yQqZR6t0HKe9Y8sgLGIP8ev8q1A35DCoGnMfFRq1XKNibxJy//oCpNb6I4fNw9j3a2qKI/Rn9r97kSZGXtf6vK1UPFZABks6x9Jqrggjeu4Q09exT9ZfvzYE0rsuAObS/9zCE/mhLhqsrQO7BJo+q43cXA/BuuseRwjlhy5WGI3UTDXZbAWtM+UorT5jy+b3upSd177DG+TJn4SG1B+u4KAMT9QavmYKBYFIPmtFx8uQHGF8gXYAekE11PiXQUBnYpXq0cK8Or9YD6czhVuhnsOZjPEEySU996PqD/oD0wB95sNZW549lHw3bGKa1mzyUj7mgT0THp5bDmBj/qIwiKDpr7mnHG3PJ+HaHV8NQATBIOLW+3x/5yyvgAkHCipqcKvo1HE6hZMhdBHKjTDRlsaS2siE25KvQvWx/qBZfePGgvu6qGzUmvoC5yTapBAAlRNSsi5vIQ0eyJYLWv3cKgMuUmki1XnS6HrlFQbkBnrzWnVXrofF+apd024sJi9RHE5OskeY4E03z0uzGoAzHyNMuxSbD3LP9JdHpxP0N19yZAqUva34cOVtGOPXJ2cZ76iJFdHXfdkkiW+zbI0loWTTU9qIWwN0jZqSJteOa8cVOSs+4VgoPo7NDaHtmZhlWIOONvtf81Fq72zDiLp0OrCjR7h+5VFU4rQmdRiV08m2fJiKqX05gbCdxi9dVZNPRIbF55gXCmA9A9+7Iaw7gPyBOKvez+oUZvEBRyW+ka9qTn42tVr2IMZ1Npr9zpswczTD0wZ4RA4blbtUzkK273aPxbiZHzIust/UCr6mKvQ8eGNs0tbAPgo2KRXPg4WXxGBY8symilPcKnVGaY0bBHq8lgEYcpugH06ilSPPrweIA0Z/TRJdXI1RhFuY7NKlDf0qqhDn2pCfxpFVlp5EbIoDFd73gu0y+ar105wK0nL/8fLOi+qten962Mfi4EUift5G2IyOOA4Yd2HMZNyo8B7azQ39ubKApLaatfF/2rEWL+ZjRZpj2hUyiz7cld3YzsPCvE0N+PgTSW9NjTpm56demAojPnIfJRU5hcwGr+KG2jOsrwUl08LAiawlwShDcU+RBEDfLV/C2tENwu1BlkhWSdAddvzAHtQrmuasUOA2Dif=
p {"ncSessionID":"6425ea564360","umidToken":"T2gA5QbDSPMnsWLkgj1SdX8rnKbHNSAtsmRmwvWOqfTcBPPLBd2rLQgnFb-viw-AULw="}
scene register
asyn 0
lang cn
v 1099
callback jsonp_05185345410832506a
bash
a = FFFF000000000179A3AD 已经逆了t
bash
t = FFFF000000000179A3AD:1763785658728:0.9939028669557559 已经逆了n
bash
参数n的值来自于
collina.js
var n = e(1, o);
通过补环境或者纯算来获取(这里只展示补环境)
需要把自执行删掉
并从浏览器中把 e(1, o)中的o提取出来
还要把O提取出来
放入代码中之后补环境即可得出
p
umidToken
bash
umidToken = T2gA5QbDSPMnsWLkgj1SdX8rnKbHNSAtsmRmwvWOqfTcBPPLBd2rLQgnFb-viw-AULw=
来自访问curl 'https://ynuf.aliapp.org/service/um.json' \
-H 'accept: */*' \
-H 'accept-language: zh-CN,zh;q=0.9' \
-H 'content-type: application/x-www-form-urlencoded; charset=UTF-8' \
-b 'cbc=T2gA2naYoyk_BYilGOYmfC3P9jKqeydpyI1RsxIDsTp8TBjQ5Eh6tADeg8J87u0vURI=' \
-H 'origin: https://www.yuque.com' \
-H 'priority: u=1, i' \
-H 'referer: https://www.yuque.com/' \
-H 'sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "Windows"' \
-H 'sec-fetch-dest: empty' \
-H 'sec-fetch-mode: cors' \
-H 'sec-fetch-site: cross-site' \
-H 'sec-fetch-storage-access: none' \
-H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36' \
--data-raw $'data=107\u0021fZOI8gBPfQ6f59l6WPmuTF8G9UN09Il8iGDeJfgNAT10tz5SAT%2BUAy00McdJJcQeWP%2FVD0aV7T5HHSVd3gGndS9mO2kR3AKffMLQ7hZOICqbNEVXNheKDW7Q1lshmPn0lM4deN657DpdQYfffNl0tJJiPKKXYVYoeAmfPf1HIN9iKfxtdI4qXNkGLYgDK%2Fjx5SGYxXG2WPYQdyCPdu4qCfGx2Sl%2FSqXf08jaPRuypwGuXVZ6NI%2BW2%2Fa8cz5KroUvA7FmStERRMWO7unJBD8GjvoT8gV865zCeCbNz%2FIg4a0gC1nIMJFuzdF78sO2m62iMayM04DwPTD%2Bpz%2FFZl1dwE0Kn0WtGxfAkuyUVnJWYFkX2aDwkR3stmhwNS99VoVkk%2BRFkRAk6g3f87R5R0DRN8WJjhTvthhL5T%2FDam40bDynOAnx0T2ljQ16QZd3nAZ%2FVsoRzKXcKPv9IvsGBdNBSEQEBXBQfUaXCZJ39v4n99rydOKiwFitVCsiw%2FtAbqasuNLDlG6zaSDEvrg8atzTPUBm0kZIdcwBk3HWq6MmQ%2FiNBZ5JRx4QUU7%2Bp8XdkTRZ07FYyrj3v2pPJ%2B2ASupshoaro%2F%3D%3D&xa=FFFF000000000179A3AD&xt=&efy=1'
返回的 tn
访问这个链接所需的cookie cbc则来自于
curl 'https://ynuf.aliapp.org/w/wu.json' \
-H 'accept: */*' \
-H 'accept-language: zh-CN,zh;q=0.9' \
-H 'referer: https://www.yuque.com/' \
-H 'sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "Windows"' \
-H 'sec-fetch-dest: script' \
-H 'sec-fetch-mode: no-cors' \
-H 'sec-fetch-site: cross-site' \
-H 'sec-fetch-storage-access: none' \
-H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36'
返回的set-cookie
ncSessionID
bash
ncSessionID = 6425ea564360
来自于
getNcSession: function(e) {
return parseInt(e.offsetWidth + "a" + e.offsetHeight + "a" + this.getElementLeft(e) + "a" + this.getElementTop(e), 11).toString(16)
}
可以为固定值
callback
bash
callback = jsonp_05185345410832506 和上一个参数一样只是把initializeJsonp_改为jsonp_python代码如下
python
("jsonp_" + str(random.random())).replace(".", "")最后的效果
