{
"title": "逆向日记0x1",
"tags": [
"post",
"逆向"
],
"sources": [
"xlog"
],
"external_urls": [
"https://ming5ming.xlog.app/ni-xiang-ri-ji-0x1"
],
"date_published": "2023-02-16T00:03:12.650Z",
"content": "最近在看*女高中生的废度日常*, 然而b站的番剧画质压缩太大, 所以找了一个解析网站.\n结果发现网站的js代码带有混淆, 遂逆向之.\n\n---\n\n### 逆向目标\naHR0cHM6Ly9qeC5wbGF5ZXJqeS5jb20v\n### 分析\n\n\n\n\n可以看出, 视频加载出来了, 可是没有看见任何有关视频的请求.\n\n\n这几个请求的响应数据没法加载, 但是可以猜测出应该是视频片段.\n打开文件后显示如下:\n\n\n\n\n\n\n那么大致的请求过程是:\n\n\n\n\n\n\nM3U8 file 是一个保存video clip的请求url的文本文件.\n有了它我们就能拿到整个视频文件的网址.\n\n向上追溯, 找到接受m3u8 file的请求:\n\n\n\n\n\n\n\nhttps://省略/1676376933/4d140af4cb5d1c5466a7491918b43e5b/b3489f29121e97e6dd1dcb1957e5788c-20230214.m3u8?from=https://banyung.pw\n\n请求网址的构成:\nhttps://网址域名/时间戳/未知/未知.m3u8 + 固定参数\n\n如果这里不细心的话, 很容易就下xhr断点去追踪js代码了. 我自己一开始分析的时候就进入了这个误区, 在繁杂的代码和各种加密里转来转去.\n\n\n\n\n\n然而这个请求不用我们构造, 它由上一个请求接受, 甚至没有加密, 明文传输过来了!\n\n\n\n\n再看这个请求的playload:\n\n\n\n\n两个参数**time**, **key** \ntime是时间戳, key看样子应该是md5密文. 逆向js代码后其实是CBC加密, 然而让我无语的是, 几乎在我分析完js代码并开始用python模拟请求的时候, 我发现key和time又在上一个请求被明文发过来了!!!\n\n\n\n\n\n### 写代码\n\n```python\n#getPram.py\nimport time\nimport requests as rq\nfrom lxml import etree\nfrom lxml import html\n\nheaders = {\n\n \"referer\": \"https://jx.playerjy.com/\",\n \"user-agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36\",\n \"Cache-Control\": \"no-cache\",\n \"Host\": \"jy.we-vip.com:5433\"\n}\n\ndef getHtml(ep):\n url = \"https://jy.we-vip.com:5433/?url=\" + ep\n return rq.get(url=url, headers=headers, verify=False).content \n \n# get time and key\ndef getData(bili_url):\n htmlString = html.fromstring(getHtml(bili_url))\n result = htmlString.xpath('//body/script/text()')\n #gettime\n timebegin = result[0].index('time') + 8\n timeend = int(str(result[0]).index('\",', timebegin))\n time = result[0][timebegin:timeend]\n #getkey\n keybegin = result[0].index('key') + 7\n keyend = int(str(result[0]).index('\",', keybegin))\n key = result[0][keybegin:keyend]\n return time, key \n\nif __name__ == \"__main__\":\n time, key = getData()\n print(f\"time is {time}, key is {key}\")\n```\n\n```python\nimport requests as rq\nimport getPram\n\ntime, key = getPram.getData(input(\"bilibili_url:\"))\n\nheaders = {\n \"authority\" : \"jy.we-vip.com:5433\",\n \"accept\" : \"application/json, text/javascript, */*; q=0.01\",\n \"content-type\" : \"application/x-www-form-urlencoded; charset=UTF-8\",\n \"user-agent\" : \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36\",\n \"Host\" : \"jy.we-vip.com:5433\",\n \"Content-Length\": \"115\",\n \"Cache-Control\": \"no-cache\"\n}\n\nurl = r\"https://jy.we-vip.com:5433/API.php\"\ndata = {\n \"url\": \"https://www.bilibili.com/bangumi/play/ep276690\",\n \"time\": time,\n \"key\": key\n}\nrsp = rq.post(url, headers=headers, data=data, verify=False)\nprint(rsp.content)\n```\n\n### 反思\n- 分析的思路像依托答辩, 兜兜转转最后连请求过程都没有好好分析, 浪费了很多时间. 逆向就像高中的数学题, 开始只有模糊的方向, 需要耐心慢慢溯源追踪.\n- 代码写的依托答辩, 逻辑不是很清楚, 提取子字符串想到很多种方法, 最后选了最简单但是可读性极差的方式...\n",
"attributes": [
{
"value": "ni-xiang-ri-ji-0x1",
"trait_type": "xlog_slug"
}
]
}
