a_bogus参数日志分析

插桩位置参考墨竹大佬视频中的插桩方式:https://www.bilibili.com/video/BV1dVM6z5EzC/?spm_id_from=333.337.search-card.all.click
建议多准备几份日志对比分析

在日志中搜索请求里a_bogus(下文简称ab)的值,然后向上回溯,可以分析出ab是由字符逐个拼接出来的

主要是把加密字符串通过charCodeAt取出来,经过位运算后,再通过Dkdpgh2ZmsQB80/MfvV36XI1R45-WUAlEixNLwoqYTOPuzKFjJnry79HbGcaStCe进行编码,类似于一个魔改的base64

// The hard-coded masks below were identified by diffing several logs; they do not change between runs.
// Pack three input bytes into a single 24-bit group (code1 is the most significant byte).
const high = (code1 & 255) << 16
const mid = (code2 & 255) << 8
const low = code3 & 255
const group = high | mid | low
// Emit the group as four 6-bit indices, most significant first, each mapped
// through the custom alphabet held in base64_map.
result += base64_map.charAt((group & 16515072) >> 18) // bits 18-23
result += base64_map.charAt((group & 258048) >> 12) // bits 12-17
result += base64_map.charAt((group & 4032) >> 6) // bits 6-11
result += base64_map.charAt(group & 63) // bits 0-5

image-20250722144319390

这里可以看出,被编码的字符串是由两部分拼接而成

image-20250722145433999

"function apply() { [native code] }.apply(function fromCharCode() { [native code] }, function String() { [native code] },171,82,82,18) ==> «RR\u0012"

短字符串是4位数字转换出来的

image-20250722145802770

后面的长字符串,多次对比能看出来,就是对一个加密字符串逐字符循环取值,并与一个数做异或(^)得出来的,总长度为138位

image-20250722172332148

继续往上跟能找到加密字符串由一个138位数组得到,138位数组由一个8位数组和130位数组得到

image-20250722180907524

8位数组是由两个4位数组组成

image-20250723101601883

image-20250723101943102

130位数组:

直接搜索数组的前4位就能定位到数组开始生成的位置。它由一个98位数组(长度不固定:分为前50位和后半部分,后半部分47位、48位两种情况都出现过)按每3位一组切分,再经过位运算得到

image-20250723151014734

98位数组:

自己看日志根据v4和v1插桩的索引r一点点找吧,贴图太麻烦了。

// Millisecond timestamp captured once at load; every time-derived slot below reads it.
const time = Date.now();

/**
 * Reconstructs, from instrumentation logs, the byte array that the write-up
 * calls the "98-element array".
 *
 * Layout as written: 50 header slots, the decimal digits of ((time + 3) & 255)
 * as character codes, a comma (44), and one trailing XOR checksum.
 *
 * The three source arrays (UA, request arguments, captcha body) are empty
 * placeholders here, so every slot read from them is `undefined`.
 *
 * @returns {Array<number|undefined>} header slots, suffix bytes and checksum
 */
function get_98_arr() {
    const aid = 2385; // window.bdms.init
    const pageId = 27032;
    const TWO_POW_32 = 256 ** 4;
    const TWO_POW_40 = 256 ** 5;

    // The "fmUm..." string is derived from the UA: each character is XORed with a
    // fixed value, passed through fromCharCode, then through a modified base64
    // whose map differs from the one used by the final two base64 steps.
    const uaBytes = [];
    // Array obtained by transforming the request parameters.
    const argBytes = [];
    // Array obtained by transforming captchaBody.
    const captchaBytes = [];

    const code1 = (time / TWO_POW_40) & 255;
    const code2 = 8; // no variation observed in the logs; fixed at 8 for now
    const code11 = 193; // lives in the same array as code26, but never changed

    // Character codes of "380|384|2560|1392|2560|1392|2560|1440|Win32";
    // kept fixed, the generating logic was not traced.
    const afterArr = [51, 56, 48, 124, 51, 56, 52, 124, 50, 53, 54, 48, 124, 49, 51, 57, 50, 124, 50, 53, 54, 48, 124, 49, 51, 57, 50, 124, 50, 53, 54, 48, 124, 49, 52, 52, 48, 124, 87, 105, 110, 51, 50];
    const code47 = afterArr.length;
    const timeStr = String((time + 3) & 255);
    const code49 = timeStr.length + 1; // tied to the length of the suffix generated below

    // Header slots 1..50, listed in order instead of being collected through eval().
    const result = [
        code1, // 1
        code2, // 2
        uaBytes[11], // 3
        ((time - 1) >> 8) & 255, // 4
        (aid >> 16) & 255, // 5
        time & 255, // 6
        (pageId >> 24) & 255, // 7
        (code2 >> 8) & 255, // 8
        (code1 % 256) & 255, // 9
        argBytes[18], // 10
        code11, // 11
        3, // 12: never changed
        argBytes[3], // 13
        (pageId >> 8) & 255, // 14
        (time - time + 3) & 255, // 15
        argBytes[9], // 16
        (time / TWO_POW_32) & 255, // 17
        (code2 >> 24) & 255, // 18
        (time >> 8) & 255, // 19
        aid & 255, // 20
        ((time + 20 - 1721836800000) / 1000 / 60 / 60 / 24 / 14) >> 0, // 21: whole 14-day periods since the fixed epoch
        captchaBytes[4], // 22
        (time >> 16) & 255, // 23
        (pageId >> 16) & 255, // 24
        uaBytes[5], // 25
        21, // 26: origin not found; hard-coded for now
        (time >> 16) & 255, // 27
        (time >> 24) & 255, // 28
        uaBytes[3], // 29
        (aid >> 8) & 255, // 30
        1, // 31: from the array related to code26; 1 or 2
        (aid >> 24) & 255, // 32
        uaBytes[21], // 33
        captchaBytes[10], // 34
        1, // 35: from the array related to code26; 1 or 2
        (code11 >> 8) & 255, // 36
        (time / TWO_POW_32) & 255, // 37
        pageId & 255, // 38
        captchaBytes[19], // 39
        0, // 40: from the array related to code26; 1 or 2
        ((time - 1) / TWO_POW_40) & 255, // 41
        (code2 >> 16) & 255, // 42
        (code1 / 256) & 255, // 43
        uaBytes[28], // 44
        (time - 1) & 255, // 45
        (time >> 24) & 255, // 46
        code47, // 47
        (code47 >> 8) & 255, // 48
        code49, // 49
        (code49 >> 8) & 255, // 50
    ];

    // NOTE(review): concat() returns a new array and does not modify `result`;
    // the return value is discarded here, so this statement has no effect.
    result.concat(afterArr);

    for (const digit of timeStr) {
        result.push(digit.charCodeAt(0));
    }
    result.push(44); // ','

    // Eight bytes derived from three Math.random() draws; each source byte is
    // split with the alternating-bit masks 170 (0b10101010) and 85 (0b01010101).
    const seed = Math.random();
    const seedLow = (seed * 65535) & 255;
    const seedHigh = ((seed * 65535) >> 8) & 255;
    const pick = (Math.random() * 109) >> 0;
    const shifted = (pick + 110) + (pick % 2);
    const flags = ((Math.random() * 255) >> 0) | 2 | 16 | 32 | 128;
    const tmpArr = [
        (seedLow & 170) | 1,
        (seedLow & 85) | 0,
        (seedHigh & 170) | 0,
        (seedHigh & 85) | 0,
        (shifted & 170) | 1,
        (shifted & 85) | 0,
        (flags & 170) | 16,
        (flags & 85) | 2,
    ];

    // Checksum: XOR of the eight random-derived bytes with the first 50 slots
    // (undefined slots contribute 0 under ^).
    const xorFold = (acc, value) => acc ^ value;
    const checksum = result.slice(0, 50).reduce(xorFold, tmpArr.reduce(xorFold));
    result.push(checksum);
    return result;
}

本文章中所有内容仅供学习交流使用,不用于其他任何目的,严禁用于商业用途和非法用途,否则由此产生的一切后果均与作者无关!
