Python crawler: on [cracking an easy cloud music encryption JS reverse]

    Web page and JS code analysis

Here, we directly enter the official website of an Yiyun music, and then enter the details page of any song for analysis. As shown below:

     Since we have previously analyzed the data composition of the web page, we will not repeat it here. Direct click in R_SO_4_1446235247?csrf_token =, turn down and you can see two encryption parameters: params and encSecKey, as shown in the figure:

     This is the goal of our crack this time. Click Initiator.

     Then you can see the called JS file. As shown below:

     Select and click a that appears more often. (you can't determine which one to click here, and you need to try.) after clicking enter, click the curly bracket in the lower left corner to format the code. As shown in the figure:

     Then we search for the first encryption parameter: params, as shown in the figure:

     We can see that params appear 37 times here. We need to find them one by one. Finally, we found the suspected target parameters at the sixth occurrence. As shown below:

     We guess this is the encrypted data. Break the point in line 13091, and then refresh and debug it. The results are shown in the figure below:

     So far, we can basically determine that this is the data we need. The next step is to analyze its source. As you can see from the code, these two data are taken from bYf7Y. The above code writes var bYf7Y = window.asrsea(JSON.stringify(i9b), bqR9I(["tears", "strong"]), bqR9I(QM2x.md), bqR9I(["love", "girl", "panic", "laugh"));. So you should go back to the window. Asrsea function to check. Our global search results are as follows:

   If the statement occurs twice, it must be defined once and called once. Let's look directly at the statement of the function, as shown in the figure:

Trace back to d function, as shown in the figure:

The d function receives four parameters. When we call it, we also pass four parameters. Make sure it is this function. Analyze the parameters. Make a breakpoint in line 12964 and turn the page for debugging:

     It can be seen that the d parameter is a series of statements related to the song id. the following guess is the id of the current page and the offset of each page (which can be confirmed later), while the other three parameters are constants when calling. We need to switch to other songs for judgment, and finally find that they are constants. In this way, we can copy the code locally for debugging.

     Code writing

     Create a new file named Music163.js locally, then copy the previous valid code and make some necessary modifications. The modified code is as follows:

!function() {
    function a(a) {
        var d, e, b = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", c = "";
        for (d = 0; a > d; d += 1)
            e = Math.random() * b.length,
            e = Math.floor(e),
            c += b.charAt(e);
        return c
    }
    function b(a, b) {
        var c = CryptoJS.enc.Utf8.parse(b)
          , d = CryptoJS.enc.Utf8.parse("0102030405060708")
          , e = CryptoJS.enc.Utf8.parse(a)
          , f = CryptoJS.AES.encrypt(e, c, {
            iv: d,
            mode: CryptoJS.mode.CBC
        });
        return f.toString()
    }
    function c(a, b, c) {
        var d, e;
        return setMaxDigits(131),
        d = new RSAKeyPair(b,"",c),
        e = encryptedString(d, a)
    }
    function d(d, e, f, g) {
        var h = {}
          , i = a(16);
        return h.encText = b(d, g),
        h.encText = b(h.encText, i),
        h.encSecKey = c(i, e, f),
        h
    }
    function e(a, b, d, e) {
        var f = {};
        return f.encText = c(a + e, b, d),
        f
    }
    window.asrsea = d,
    window.ecnonasr = e
}();

function start() {
    var d = {"rid": "R_SO_4_1446235247", "offset": "20", "total": "false", "limit": "20", "csrf_token": ""};
    var e = "010001";
    var f = "00e0b509f6259df8642dbc35662901477df22677ec152b5ff68ace615bb7b725152b3ab17a876aea8a5aa76d2e417629ec4ee341f56135fccf695280104e0312ecbda92557c93870114af6c9d05c4f7f0c3685b7a46bee255932575cce10b424d813cfe4875d3e82047b97ddef52741d546b8e289dc6935b3ece0462db0a22b8e7";
    var g = "0CoJUm6Qyw8W8jud";
    var bYf7Y = window.asrsea(JSON.stringify(d), e, f, g);
    var data = {
        params: bYf7Y.encText,
        encSecKey: bYf7Y.encSecKey
    }
    return data;
}

     Write the fixed parameters as constants and write the name directly when calling. And the window is deleted. Finally, the required data is returned. Create a Music163.py file locally and call the js code just now. Python code is as follows:

import execjs

js = open('./Music163.js', 'r').read()
ext = execjs.compile(js)

result = ext.call('start')
print(result)

   The following errors will be reported during operation:

  If a function is missing, we will find this parameter in the source code and put it in. We will go step by step until the final result comes out. Tip: there are many codes below. You can download the source code directly from the project address. Friendly tips: it's better to eat with video!

 

Tags: Python crawler

Posted on Fri, 10 Sep 2021 06:26:06 -0400 by filmixt