JS reverse engineering of NetEase Cloud Music request parameters

statement

First of all, it is hereby declared that this article is for research and study only and must not be used in any commercial activity; otherwise you bear the consequences yourself. In case of infringement, please contact me and I will delete it immediately.

chatter

Recently I wanted to build an interface for searching lyrics and songs, something I use all the time, and my first thought was to go after NetEase Cloud Music.
I had actually analysed the NetEase Cloud Music parameters before, but that was a long time ago and I didn't know whether it still worked, so I simply did it again. Without further ado, let's get started.

analysis

I take one interface as the example here; the other endpoints work the same way.

  • Here, take the song search interface as an example.

As usual, open the developer tools and start capturing requests. Look through them until you find the request that carries the data we want.

Let's look at the interface and its request parameters.

Looking at the request parameters in the screenshots, after refreshing and comparing several times we find that csrf_token always stays the same, while params and encSecKey change on every request. Because the response is JSON, the next step is to set an XHR breakpoint.

Next we search the current JS file for encSecKey and params. params has far too many hits, so we search for encSecKey, which has only three, and among those we find the place where both parameters are produced:

var bUM2x = window.asrsea(JSON.stringify(i0x), bsG5L(["shed tears", "strong"]), bsG5L(WW8O.md), bsG5L(["love", "girl", "terrified", "laugh"]));
e0x.data = j0x.cs1x({
    params: bUM2x.encText,
    encSecKey: bUM2x.encSecKey
})

We can see that params and encSecKey both come from bUM2x, so we set a breakpoint on the var bUM2x = line.

In the var bUM2x = ... line there are bsG5L(["shed tears", "strong"]), bsG5L(WW8O.md) and bsG5L(["love", "girl", "terrified", "laugh"]). Repeated refreshing and comparing shows that their values never change: bsG5L simply maps each element of the incoming array to a value through a dictionary and assembles the result, so these three arguments are constants. The i0x inside JSON.stringify(i0x) is the request body we actually care about; what follows is its encryption.

Next, let's look at the window.asrsea function.

From the figure above you can see that window.asrsea is the function d. Let's take a look at d.

function d(d, e, f, g) {
    var h = {}
      , i = a(16);
    return h.encText = b(d, g),
    h.encText = b(h.encText, i),
    h.encSecKey = c(i, e, f),
    h
}

Here we see the encSecKey parameter but no params parameter. That doesn't matter: encText is params, which you can confirm by tracing back to the earlier snippet, where bUM2x.encText is assigned to params.

That is essentially the whole reverse analysis. The i = a(16) here is a random-string function.

function a(a) {
    var d, e, b = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", c = "";
    for (d = 0; a > d; d += 1)
        e = Math.random() * b.length,
            e = Math.floor(e),
            c += b.charAt(e);
    return c
}

So the encText (params) parameter is actually encrypted twice: in the first pass the plaintext d is i0x and the key g is a fixed value; in the second pass the key i is the random value.

The encSecKey parameter is produced by function c, which encrypts the random value i using the fixed parameters e and f.

Functions b and c will look very familiar. Let's take a look.

function b(a, b) {
    var c = CryptoJS.enc.Utf8.parse(b)
      , d = CryptoJS.enc.Utf8.parse("0102030405060708")
      , e = CryptoJS.enc.Utf8.parse(a)
      , f = CryptoJS.AES.encrypt(e, c, {
        iv: d,
        mode: CryptoJS.mode.CBC
    });
    return f.toString()
}

function c(a, b, c) {
    var d, e;
    return setMaxDigits(131),
    d = new RSAKeyPair(b,"",c),
    e = encryptedString(d, a)
}

It can be seen that function b is AES encryption (CBC mode with the fixed IV "0102030405060708", via CryptoJS) and function c is RSA encryption (via RSAKeyPair and encryptedString, with e as the public exponent and f as the modulus).

That is the whole analysis process.

code

You can now rewrite the encryption in Python, or simply lift the JS code as it is. Here I lift the JS code:

  • Code address
https://github.com/Esword618/jsCrack/tree/master/wangyiyun

result

Only the lyrics interface is shown here.

API

  • Lyrics API
https://music.163.com/weapi/song/lyric?csrf_token=
{"id":song id,"lv":-1,"tv":-1,"csrf_token":""}
  • Song API
https://music.163.com/weapi/cloudsearch/get/web
{"hlpretag": "<span class=\"s-fc7\">","hlposttag": "</span>","s": "thing","type": "1","offset": "0","total": "true","limit": "30","csrf_token": ""}

END

This is actually still quite simple. After n weeks I have finally put out an article written by myself.

Well, that's all for this issue. See you next issue!

Welcome to follow the official account.

Tags: Python Javascript

Posted on Mon, 22 Nov 2021 07:47:41 -0500 by xeidor