网站:aHR0cHM6Ly93d3cuamQuY29tLw==
接口:aHR0cHM6Ly9hcGkubS5qZC5jb20=
0.闲聊
京东的h5st看着吓人一打开f12就显示
本页面由 京东-主站前端团队 开发维护 -- JDC
其实过程很明显,经过了6,7个平坦流才可以拿到结果
主要细心一点,相信你一定也可以
1.定位位置 搜h5st能打的地方都打上断点 下滑看看在哪里断住
2.参数分析
1:20240912140229857;
2:m95mtygin5m66mm6;
3:b5216;
4:tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y;
5:5e98ac54dbcc1145b86be8b48ac0e3c3;
6:4.7;
7:1726120949857;
8:V6G0kBBYuSsLEYnh_vkbXLva6lch8HhBZa7vGpiVTEWfdiPeZtu5Hu21pxJcWXjLB8pXp9cyXSmjRhecFtsiK-UnAFnvczqZGx670qJH5EISJa1a-HkTpxgWxazYypJq2MCQ6ovN3fJ_TU5Y40NAmZo6Cu4tPm3qjJGMzwwevhMt4vy22Ps94XdgPWaSccNornTHC1L3u7N7A46hpYg6GjbAE5bDqBjyRRL_nNFfnQewJeRZtnWsRQEKI4qIri9jk7HO4H56vjhmWIAM9piopiCyar0O9vGQKvPHHiwm6lHDU16MsjKRf0uyc6tr1RfIvUlgQG8QedkgX8B3k9mW3DWzUx3Nqx0wHinKE3PtkxY2Dhb0Y3axz5Kf9wH3L2ENjDqUF5K5BZZ8gpApbq4sny3EjCCv6YcetHKuamAN-tMvAwScsP4kKNXMwDjK33y2IGgbgsAfa2fV3NG9kLVKbTrkcgaaP5sOLg17qAArrj5Gt46lZt-I04Cz-3MzWk2-CdGmYOeJ1j5Ok_tadIckFg4CY53VYs6qiz_Kv1PhWs5RggE7nDk8PeheJO0dl8zjLad9Prk3hGJ0DQIeqffFGvzEemLTD52YgeDqWQHLXbk3;
9:5f10db38aa50b810a513d3786ef1943f
由于当前的时间点可以发发现第1段和第7段其实用了一种形式的转换
第2.3.4段先固定,当前文章不做分析
主要要解决的就是第5,8,9段后你就可以拿到数据了
3.怎么能解决VMP的纯算呢?最简单的办法就是跟栈,找到主要的位置插装
为了细致的知道所有内容,本文建议在跟栈在call的地方和平坦流位置进行插装,可以跟栈时候详细的看到所有内容
下面直接正文
o = {
"page": 2,
"pagesize": 25,
"area": "1_72_0_0",
"source": "pc-home"
}
没有魔改的SHA256算法
r = {
"appid": "www-jd-com",
"body": "6a18875f3dd265575c69fe1bd6388b05d78387d7fe86518a660a1201eb2f2714",
"clientVersion": "1.0.0",
"client": "pc",
"functionId": "pc_home_feed",
"t": 1726120971200
}
window.PSign.sign(r)
可以先查看入参和结果在这里是一个异步操作,这里等待的时候是pending,完成的时候是fullfill就可以看到h5st的生成
接下来进行跟栈
第一层
进入到for (var a, s, c, i, u, l = n, f = o, g = [], p = 1030; ; ) vmp
插装分析 找到 call 堆栈
'case',f[p],'g-->',g
重点过程
[
{
"key": "appid",
"value": "www-jd-com"
},
{
"key": "body",
"value": "6a18875f3dd265575c69fe1bd6388b05d78387d7fe86518a660a1201eb2f2714"
},
{
"key": "client",
"value": "pc"
},
{
"key": "clientVersion",
"value": "1.0.0"
},
{
"key": "functionId",
"value": "pc_home_feed"
},
{
"key": "t",
"value": 1726120971200
}
]
case 62 时候(2)[ƒ, te] 生成第8部分
te就是这部分内容
{
"_storagetokenKey": "WQ_dy_tk_s_b5216_4.7",
"_storageAlgnKey": "WQ_dy_algo_s_b5216_4.7",
"_storageFpKey": "WQ_vk1_b5216_4.7",
"_token": "tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y",
"_defaultToken": "",
"_isNormal": true,
"_appId": "b5216",
"_defaultAlgorithm": {},
"algos": {},
"_version": "4.7",
"_fingerprint": "m95mtygin5m66mm6",
"_debug": false
}
生成结果是:
Vm6WRPxV9kv-Dx3rSycMZ4Wk8VkYlzqRB9wJm9N6iYs-ozfvxcrYMH4vztZNAP_HWXyHlG8emWyqYP3fmx1KJMaFz96EA-LKV2CtI_RmIc3UEF2Cmo2Kji9PhS259m1DfJjrkKnjcLYABpkUbKQjWT5s86liZm6q_eb1lQbTLr9WKBtDnNTy3xTOFwrFMi_bNAl8BYxk2kZUG_89ddBaRaV_Qxyi4a5HV-YdbrxEpTpG43ZE150_KQxKxOHp3_-sGe66fi2LCWIV0-hVVCTcKIEjTuA5Kz8O9LL3VAKzr1_eV3JBs6p8hsC3I8l6R5KBPC2AbvD6huXZirDgIfyS8wgjMwF82rq7zFWbaRjGTk_i0EP2WGCEKdvstRh9-KXzj2R6XyADL_v_mvL80i9A_y3EjCCv6YcetHKuamAN-tMvAwScsP4kKNXMwDjK33y2IGgbgsAfa2fV3NG9kLVKbTrkcgaaP5sOLg17qAArrj5Gt46lZt-I04Cz-3MzWk2-CdGmYOeJ1j5Ok_tadIckFg4CY53VYs6qiz_Kv1PhWs5RggE7nDk8PeheJO0dl8zjLad9Prk3hGJ0DQIeqffFGvzEemLTD52YgeDqWQHLXbk3
当发现是通过函数来执行的时候如果通过日志没法清楚地知道里面的过程,就是点进去跟栈,接下来进入到第二层
跟进进入
key: $,
value: function() {
for (var e, t, a, s, c, i = n, u = o, l = [], h = 821; ; )
这个vmp
'case',u[h],'l-->',l
观察日志
case 28 l--> [{…}]
case 45 l--> (5) [ƒ, undefined, {…}, null, 2]看入参
{
"sua": "Windows NT 10.0; Win64; x64",
"pp": {},
"extend": {
"wd": 0,
"l": 0,
"ls": 5,
"wk": 0,
"bu1": "0.1.4",
"bu2": -1,
"bu3": 35,
"bu4": 0,
"bu5": 0,
"bu6": 23,
"bu7": "",
"bu8": 0
},
"pf": "Win32",
"random": "jRHedsNrt_x",
"v": "h5_file_v4.7.4",
"canvas": "d98dce374ca197fa2c2826390808089d",
"webglFp": "a3e19bf2c47e1ad07028cb74d487f910",
"ccn": 8,
"fp": "m95mtygin5m66mm6"
}
这个函数 var zw = function(e, t, r) {
return Dw(Mw.JSON.stringify, null, arguments)
}
得到结果
'{\n "sua": "Windows NT 10.0; Win64; x64",\n "pp": {},\n "extend": {\n "wd": 0,\n "l": 0,\n "ls": 5,\n "wk": 0,\n "bu1": "0.1.4",\n "bu2": -1,\n "bu3": 35,\n "bu4": 0,\n "bu5": 0,\n "bu6": 23,\n "bu7": "",\n "bu8": 0\n },\n "pf": "Win32",\n "random": "jRHedsNrt_x",\n "v": "h5_file_v4.7.4",\n "canvas": "d98dce374ca197fa2c2826390808089d",\n "webglFp": "a3e19bf2c47e1ad07028cb74d487f910",\n "ccn": 8,\n "fp": "m95mtygin5m66mm6"\n}'
case 93 l--> 把 "_M6Y?dvfN40VMF[X" parse一下
parse: function(e) {
return d.parse(unescape(encodeURIComponent(e)))
}
结果{
"words": [
1598895705,
1063548518,
1312043094,
1296456536
],
"sigBytes": 16
}
继续case93 拼接字符串[01,02,03,04,05,06,07,08]
'0102030405060708'
case 93
l[l.length - 2]['parse']('0102030405060708')
{
"words": [
808529970,
808661044,
808792118,
808923192
],
"sigBytes": 16
}
case 45:是AES加密(魔改的直接扣) 需要看下对啥做了AES
参数
[
null,
{},
"{\n \"sua\": \"Windows NT 10.0; Win64; x64\",\n \"pp\": {},\n \"extend\": {\n \"wd\": 0,\n \"l\": 0,\n \"ls\": 5,\n \"wk\": 0,\n \"bu1\": \"0.1.4\",\n \"bu2\": -1,\n \"bu3\": 35,\n \"bu4\": 0,\n \"bu5\": 0,\n \"bu6\": 23,\n \"bu7\": \"\",\n \"bu8\": 0\n },\n \"pf\": \"Win32\",\n \"random\": \"jRHedsNrt_x\",\n \"v\": \"h5_file_v4.7.4\",\n \"canvas\": \"d98dce374ca197fa2c2826390808089d\",\n \"webglFp\": \"a3e19bf2c47e1ad07028cb74d487f910\",\n \"ccn\": 8,\n \"fp\": \"m95mtygin5m66mm6\"\n}",
{
"words": [
1598895705,
1063548518,
1312043094,
1296456536
],
"sigBytes": 16
},
{
"iv": {
"words": [
808529970,
808661044,
808792118,
808923192
],
"sigBytes": 16
}
}
]
结果fy7/LPGAsT42+gdTDLw4SjnQR33s4OGTiNQ1fyrHZ58Lzjax5iIN414HayTvbS22FdqA1HhnMYj0scq+Bfd+Ue2Ry6O58pYyIdzhN4I+wQ5UXgyAjKfXjUeiOXp9xcepQdzrrWWsbh2LIqdH8826yrD7MBLyZQJfB3g83Wq272QOgkffMzTmK/JMyeHq6EmWnKpXJWw8oMPp46+cnUUzSfkYWZ0iaLnwYnYLTWk/cFgzj/MXZ1Fpqn5MSUQAgHSi0YyDQzF87ARjbsrgaRmKz2maEk3O2Tr09/o1cTn7WgUHVMdFcxaOfUq1atcqVNfB4YhrjMWBfLLZIajMdWoDzSOM6DUBB1XiBOAULg03cc5vhTIWzIIrn88C3CYX7pUch6IFAEkUbflwxtbEsVd0ve4m2rTSj5wTQ35xaarFfT6g/PfX/OYHHHRLYO1R4nmYmdXeDaBqyke72nz9SXgIoV1oUv/AVSBrdDJ7OS69bcdeRwB12pUlQFJnB8y+cliufqeL/xRPAgzEggcxiA6mjVL+vIgEL1cGRK7irEyDveLuclhHzwGbJj9OlIxF2J6MoBcD9SHcfOebBbRC7SdbYsAF4J3X83S0MKjUt621c1A=
生成的应该是ciphertext
{
"words": [
2133786412,
-243224258,
922355539,
213661770,
969951101,
-320806509,
-1999358593,
717711263,
198063793,
-433975837,
1577544484,
-278057546,
366641364,
2020028808,
-189674818,
100105809,
-309212253,
-1175284174,
568123703,
-2109816562,
1415449728,
-1935157363,
1201813882,
2110113705,
1104997293,
1705799197,
-1960663225,
-204621110,
-1325715438,
-228261281,
125320413,
1790373732,
243419103,
859104811,
-229848607,
-353875562,
-1666558171,
1815912643,
-370954340,
-1656409271,
-115844707,
577288688,
1651903309,
1765765208,
865071895,
1733388714,
2118928708,
8418466,
-779320509,
830270468,
1668205280,
1763281615,
1771704909,
-824624396,
-134597263,
972773893,
122996549,
1930858109,
1253403351,
710203329,
-511153268,
-981369678,
-652105524,
1969882061,
596437045,
17257954,
81794094,
221737422,
1871000086,
-863884385,
-821896154,
401511708,
-2019425024,
1226075641,
1892079300,
-1319668547,
-299443532,
-762340333,
1132360041,
-1429897922,
-1594034217,
-52033764,
1951097069,
1373796760,
-1714037235,
-1603614137,
-1143309059,
1232603297,
1567118079,
-1068162965,
1949465401,
784166343,
1581711477,
-627759808,
1382483916,
-1099802450,
2124909567,
340722188,
-998111439,
-2012305779,
1392426120,
70211334,
1152311980,
1283702242,
-294496185,
-821978330,
1062114444,
1171824268,
-1609104395,
568098023,
-1694124990,
-316187806,
-1073356643,
-671910732,
816370871,
-1380617392
],
"sigBytes": 464
}
调用BASE64 encode方法 这个又mapping 映射
{
"_map1": "WVUTSRQPONMLKJIHGFEDCBA-_9876543210zyxwvutsrqponmlkjihgfedcbaZYX",
"_map": "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
"_reverseMap": [
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
null,
62,
null,
null,
null,
63,
52,
53,
54,
55,
56,
57,
58,
59,
60,
61,
null,
null,
null,
64,
null,
null,
null,
0,
1,
2,
3,
4,
5,
6,
7,
8,
9,
10,
11,
12,
13,
14,
15,
16,
17,
18,
19,
20,
21,
22,
23,
24,
25,
null,
null,
null,
null,
null,
null,
26,
27,
28,
29,
30,
31,
32,
33,
34,
35,
36,
37,
38,
39,
40,
41,
42,
43,
44,
45,
46,
47,
48,
49,
50,
51
]
}
迷糊了不知道是哪个方法的可以去打印$_可以观察出来到底是什么方法
这样在看日志的时候就会大概可以看出到底是运行的什么算法
结果为 VWh6hgcpCzMKiEfa-fNeRWq_75EbUF7V74I36PEZT6VuKcNgRlOxIZzN7QmjP1x6oL4nTkSr0bMFQ6hLS2OnYLBzwcW0l622Sj2WHFlXL4s3o0x6YkaVvNRGxCtghVmF4567ZcEIbNT5rVEBWXnCuhBuO2-EZjvgb4yksV8T4-5w_wveFhI_LFPPP_IX-3HX2cD3Rr88ldfGDmdzEDrgwe4ni5BqS7plmx37CySWROc16Ctb-_UfUaavrOOjAOD1nd66fi2LCWIV0-hVVCTcKIEjTuA5Kz8O9LL3VAKzr1_eV3JBs6p8hsC3I8l6R5KBPC2AbvD6huXZirDgIfyS8wgjMwF82rq7zFWbaRjGTk_i0EP2WGCEKdvstRh9-KXzj2R6XyADL_v_mvL80i9A_y3EjCCv6YcetHKuamAN-tMvAwScsP4kKNXMwDjK33y2IGgbgsAfa2fV3NG9kLVKbTrkcgaaP5sOLg17qAArrj5Gt46lZt-I04Cz-3MzWk2-CdGmYOeJ1j5Ok_tadIckFg4CY53VYs6qiz_Kv1PhWs5RggE7nDk8PeheJO0dl8zjLad9Prk3hGJ0DQIeqffFGvzEemLTD52YgeDqWQHLXbk3 这个值就是第8段值
从上一个VMP推出回到了 一开始的堆栈 打印出了结果 case 74 堆栈p VWh6hgcpCzMKiEfa-fNeRWq_75EbUF7V74I36PEZT6VuKcNgRlOxIZzN7QmjP1x6oL4nTkSr0bMFQ6hLS2OnYLBzwcW0l622Sj2WHFlXL4s3o0x6YkaVvNRGxCtghVmF4567ZcEIbNT5rVEBWXnCuhBuO2-EZjvgb4yksV8T4-5w_wveFhI_LFPPP_IX-3HX2cD3Rr88ldfGDmdzEDrgwe4ni5BqS7plmx37CySWROc16Ctb-_UfUaavrOOjAOD1nd66fi2LCWIV0-hVVCTcKIEjTuA5Kz8O9LL3VAKzr1_eV3JBs6p8hsC3I8l6R5KBPC2AbvD6huXZirDgIfyS8wgjMwF82rq7zFWbaRjGTk_i0EP2WGCEKdvstRh9-KXzj2R6XyADL_v_mvL80i9A_y3EjCCv6YcetHKuamAN-tMvAwScsP4kKNXMwDjK33y2IGgbgsAfa2fV3NG9kLVKbTrkcgaaP5sOLg17qAArrj5Gt46lZt-I04Cz-3MzWk2-CdGmYOeJ1j5Ok_tadIckFg4CY53VYs6qiz_Kv1PhWs5RggE7nDk8PeheJO0dl8zjLad9Prk3hGJ0DQIeqffFGvzEemLTD52YgeDqWQHLXbk3 回来之后在case 54 堆栈p 生成了完整的h5st
所以接下来按上面的方法继续
入参
[
null, //其实是value那个堆栈
te {
"_storagetokenKey": "WQ_dy_tk_s_b5216_4.7",
"_storageAlgnKey": "WQ_dy_algo_s_b5216_4.7",
"_storageFpKey": "WQ_vk1_b5216_4.7",
"_token": "tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y",
"_defaultToken": "",
"_isNormal": true,
"_appId": "b5216",
"_defaultAlgorithm": {},
"algos": {},
"_version": "4.7",
"_fingerprint": "m95mtygin5m66mm6",
"_debug": false
},
[
{
"key": "appid",
"value": "www-jd-com"
},
{
"key": "body",
"value": "6a18875f3dd265575c69fe1bd6388b05d78387d7fe86518a660a1201eb2f2714"
},
{
"key": "client",
"value": "pc"
},
{
"key": "clientVersion",
"value": "1.0.0"
},
{
"key": "functionId",
"value": "pc_home_feed"
},
{
"key": "t",
"value": 1726120971200
}
],
"VWh6hgcpCzMKiEfa-fNeRWq_75EbUF7V74I36PEZT6VuKcNgRlOxIZzN7QmjP1x6oL4nTkSr0bMFQ6hLS2OnYLBzwcW0l622Sj2WHFlXL4s3o0x6YkaVvNRGxCtghVmF4567ZcEIbNT5rVEBWXnCuhBuO2-EZjvgb4yksV8T4-5w_wveFhI_LFPPP_IX-3HX2cD3Rr88ldfGDmdzEDrgwe4ni5BqS7plmx37CySWROc16Ctb-_UfUaavrOOjAOD1nd66fi2LCWIV0-hVVCTcKIEjTuA5Kz8O9LL3VAKzr1_eV3JBs6p8hsC3I8l6R5KBPC2AbvD6huXZirDgIfyS8wgjMwF82rq7zFWbaRjGTk_i0EP2WGCEKdvstRh9-KXzj2R6XyADL_v_mvL80i9A_y3EjCCv6YcetHKuamAN-tMvAwScsP4kKNXMwDjK33y2IGgbgsAfa2fV3NG9kLVKbTrkcgaaP5sOLg17qAArrj5Gt46lZt-I04Cz-3MzWk2-CdGmYOeJ1j5Ok_tadIckFg4CY53VYs6qiz_Kv1PhWs5RggE7nDk8PeheJO0dl8zjLad9Prk3hGJ0DQIeqffFGvzEemLTD52YgeDqWQHLXbk3"
]
跟进去看看 value: function(e, t) { for (var a, s, c, i, u, l, h, f, g, p, v, b, d = n, k = o, y = [], w = 536; ; ) 这个堆栈 同样的方法 'case',k[w],'y-->',y case 59 y-(4) [ƒ, undefined, 1726126134444, 'yyyyMMddhhmmssSSS'] 这个就是要生成第一段 通过nx 1726126134444--->20240912152854444 有个坑 case 66 y--> 20240912152854444 + 47 = 2024091215285444447 接下来会有一个test函数 case 32: y[y.length - 7] = d.call(y[y.length - 7], y[y.length - 6], y[y.length - 5], y[y.length - 4], y[y.length - 3], y[y.length - 2], y[y.length - 1]), y.length -= 6; 传参数有 [ ƒ test(tk,fp,ts,ai,algo),//接口来的 { "_storagetokenKey": "WQ_dy_tk_s_b5216_4.7", "_storageAlgnKey": "WQ_dy_algo_s_b5216_4.7", "_storageFpKey": "WQ_vk1_b5216_4.7", "_token": "tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y", "_defaultToken": "", "_isNormal": true, "_appId": "b5216", "_defaultAlgorithm": {}, "algos": {}, "_version": "4.7", "_fingerprint": "m95mtygin5m66mm6", "_debug": false }, "tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y",//接口来的 "m95mtygin5m66mm6",//接口来的 "2024091215285444447", "b5216", {} ]
进入VM (function anonymous() { return function test(tk,fp,ts,ai,algo){ var rd='q1sbyQS0w5iV'; var str="".concat(tk).concat(fp).concat(ts).concat(ai).concat(rd); return algo.HmacMD5(str,tk);} } )
可以发现他会随机生成六种算法HmacMD5,HmacShA256, MD5, SHA256....所有算法均被魔改
最主要的就是能抠出来他的算法,抠出来你就已经成功一大半了
tk 'tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y'
fp 'm95mtygin5m66mm6'
ts '2024091215285444447'
ai 'b5216'
魔改HmacMD5
str = 'tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Ym95mtygin5m66mm62024091215285444447b5216q1sbyQS0w5iV'
tk = 'tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y'
得到结果
{
"words": [
644087737,
-1232798369,
583223920,
1566804125
],
"sigBytes": 16
}
toString后
'2663ffb9b684fd5f22c34a705d63889d'
这个先留住这么麻烦后面一定会有用
继续到了 case 59 y--> (4)[ƒ, te, '2663ffb9b684fd5f22c34a705d63889d', Array(6)] 发生了变化 [ { "key": "appid", "value": "www-jd-com" }, { "key": "body", "value": "6a18875f3dd265575c69fe1bd6388b05d78387d7fe86518a660a1201eb2f2714" }, { "key": "client", "value": "pc" }, { "key": "clientVersion", "value": "1.0.0" }, { "key": "functionId", "value": "pc_home_feed" }, { "key": "t", "value": 1726120971200 } ] 看一看f 是什么 到了这个vmp 同样的方法插装分析
key: u,
value: function(e, t) {
for (var a, s, c, i, u = n, l = o, h = [], f = 272; ; )
'case',l[f],'h-->',h
case 90: ['appid:www-jd-com', 'body:6a18875f3dd265575c69fe1bd6388b05d78387d7fe86518a660a1201eb2f2714', 'client:pc', 'clientVersion:1.0.0', 'functionId:pc_home_feed', 't:1726120971200'] case 74: 'appid:www-jd-com&body:6a18875f3dd265575c69fe1bd6388b05d78387d7fe86518a660a1201eb2f2714&client:pc&clientVersion:1.0.0&functionId:pc_home_feed&t:1726120971200' 注意打断点74 要打两层 '2663ffb9b684fd5f22c34a705d63889dappid:www-jd-com&body:6a18875f3dd265575c69fe1bd6388b05d78387d7fe86518a660a1201eb2f2714&client:pc&clientVersion:1.0.0&functionId:pc_home_feed&t:17261209712002663ffb9b684fd5f22c34a705d63889d' 对这个做运算不知道是啥 断点忘打了 就跟一下栈,你会发现是什么算法 结果是 { "words": [ -1993779846, -1545533315, -770425418, -725702775 ], "sigBytes": 16 } 然后tostring 此段为第5段结果 结果为'8929557aa3e1087dd2143db6d4bea789'
又跳出去 case 59 y--> [ null, { "_storagetokenKey": "WQ_dy_tk_s_b5216_4.7", "_storageAlgnKey": "WQ_dy_algo_s_b5216_4.7", "_storageFpKey": "WQ_vk1_b5216_4.7", "_token": "tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y", "_defaultToken": "", "_isNormal": true, "_appId": "b5216", "_defaultAlgorithm": {}, "algos": {}, "_version": "4.7", "_fingerprint": "m95mtygin5m66mm6", "_debug": false }, "2663ffb9b684fd5f22c34a705d63889d", [ { "key": "appid", "value": "www-jd-com" }, { "key": "body", "value": "6a18875f3dd265575c69fe1bd6388b05d78387d7fe86518a660a1201eb2f2714" }, { "key": "client", "value": "pc" }, { "key": "clientVersion", "value": "1.0.0" }, { "key": "functionId", "value": "pc_home_feed" }, { "key": "t", "value": 1726120971200 } ] ] 进入这个vmp
key: l,
value: function(e, t) {
for (var a, s, c, i, u, l, h = n, f = o, g = [], p = 355; ; )
先有一个filter
过滤 appid 和 functionId
提取
['appid:www-jd-com', 'functionId:pc_home_feed']
join
'appid:www-jd-com&functionId:pc_home_feed'
"2663ffb9b684fd5f22c34a705d63889dappid:www-jd-com&functionId:pc_home_feed2663ffb9b684fd5f22c34a705d63889d"
然后
case 30:
null != g[g.length - 2] ? (g[g.length - 3] = h.call(g[g.length - 3], g[g.length - 2], g[g.length - 1]),
g.length -= 2) : (l = g[g.length - 3],
g[g.length - 3] = l(g[g.length - 1]),
跟一下看看是MD5 破案了
var f = l.MD5 = o.extend({
_doReset: function() {
this._hash = new a.init([1732584193, 4023233417, 2562383102, 271733878])
},
变成
{
"words": [
-578393922,
-2033121010,
-709823636,
-432056215
],
"sigBytes": 16
}
toString'dd8668be86d1090ed5b0f36ce63f5869'
这个就是a9的值
最后把这些值拿一下
致辞所有参数完毕,看看是如何拼接的
最后把这些值拿一下 case 35 y那层 入参: [ null, { "_storagetokenKey": "WQ_dy_tk_s_b5216_4.7", "_storageAlgnKey": "WQ_dy_algo_s_b5216_4.7", "_storageFpKey": "WQ_vk1_b5216_4.7", "_token": "tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y", "_defaultToken": "", "_isNormal": true, "_appId": "b5216", "_defaultAlgorithm": {}, "algos": {}, "_version": "4.7", "_fingerprint": "m95mtygin5m66mm6", "_debug": false }, "8929557aa3e1087dd2143db6d4bea789", 1726126134444, "20240912152854444", "VWh6hgcpCzMKiEfa-fNeRWq_75EbUF7V74I36PEZT6VuKcNgRlOxIZzN7QmjP1x6oL4nTkSr0bMFQ6hLS2OnYLBzwcW0l622Sj2WHFlXL4s3o0x6YkaVvNRGxCtghVmF4567ZcEIbNT5rVEBWXnCuhBuO2-EZjvgb4yksV8T4-5w_wveFhI_LFPPP_IX-3HX2cD3Rr88ldfGDmdzEDrgwe4ni5BqS7plmx37CySWROc16Ctb-_UfUaavrOOjAOD1nd66fi2LCWIV0-hVVCTcKIEjTuA5Kz8O9LL3VAKzr1_eV3JBs6p8hsC3I8l6R5KBPC2AbvD6huXZirDgIfyS8wgjMwF82rq7zFWbaRjGTk_i0EP2WGCEKdvstRh9-KXzj2R6XyADL_v_mvL80i9A_y3EjCCv6YcetHKuamAN-tMvAwScsP4kKNXMwDjK33y2IGgbgsAfa2fV3NG9kLVKbTrkcgaaP5sOLg17qAArrj5Gt46lZt-I04Cz-3MzWk2-CdGmYOeJ1j5Ok_tadIckFg4CY53VYs6qiz_Kv1PhWs5RggE7nDk8PeheJO0dl8zjLad9Prk3hGJ0DQIeqffFGvzEemLTD52YgeDqWQHLXbk3", "dd8668be86d1090ed5b0f36ce63f5869" ]
r = '20240912152854444'
this._fingerprint = 'm95mtygin5m66mm6'
this._appId = 'b5216'
this._token = 'tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y'
e = '8929557aa3e1087dd2143db6d4bea789'
this._version = '4.7'
t = 1726126134444
n = 'VWh6hgcpCzMKiEfa-fNeRWq_75EbUF7V74I36PEZT6VuKcNgRlOxIZzN7QmjP1x6oL4nTkSr0bMFQ6hLS2OnYLBzwcW0l622Sj2WHFlXL4s3o0x6YkaVvNRGxCtghVmF4567ZcEIbNT5rVEBWXnCuhBuO2-EZjvgb4yksV8T4-5w_wveFhI_LFPPP_IX-3HX2cD3Rr88ldfGDmdzEDrgwe4ni5BqS7plmx37CySWROc16Ctb-_UfUaavrOOjAOD1nd66fi2LCWIV0-hVVCTcKIEjTuA5Kz8O9LL3VAKzr1_eV3JBs6p8hsC3I8l6R5KBPC2AbvD6huXZirDgIfyS8wgjMwF82rq7zFWbaRjGTk_i0EP2WGCEKdvstRh9-KXzj2R6XyADL_v_mvL80i9A_y3EjCCv6YcetHKuamAN-tMvAwScsP4kKNXMwDjK33y2IGgbgsAfa2fV3NG9kLVKbTrkcgaaP5sOLg17qAArrj5Gt46lZt-I04Cz-3MzWk2-CdGmYOeJ1j5Ok_tadIckFg4CY53VYs6qiz_Kv1PhWs5RggE7nDk8PeheJO0dl8zjLad9Prk3hGJ0DQIeqffFGvzEemLTD52YgeDqWQHLXbk3'
a = 'dd8668be86d1090ed5b0f36ce63f5869'
value: function(e, t, r, n, a) {
return ["" + r, "" + this._fingerprint, "" + this._appId, "" + (this._isNormal ? this._token : this._defaultToken), "" + e, "" + this._version, "" + t, "" + n, "" + a].join(";")
}
这里完成了拼接结果为
结果: '20240912152854444; m95mtygin5m66mm6; b5216; tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y; 8929557aa3e1087dd2143db6d4bea789; 4.7; 1726126134444; VWh6hgcpCzMKiEfa-fNeRWq_75EbUF7V74I36PEZT6VuKcNgRlOxIZzN7QmjP1x6oL4nTkSr0bMFQ6hLS2OnYLBzwcW0l622Sj2WHFlXL4s3o0x6YkaVvNRGxCtghVmF4567ZcEIbNT5rVEBWXnCuhBuO2-EZjvgb4yksV8T4-5w_wveFhI_LFPPP_IX-3HX2cD3Rr88ldfGDmdzEDrgwe4ni5BqS7plmx37CySWROc16Ctb-_UfUaavrOOjAOD1nd66fi2LCWIV0-hVVCTcKIEjTuA5Kz8O9LL3VAKzr1_eV3JBs6p8hsC3I8l6R5KBPC2AbvD6huXZirDgIfyS8wgjMwF82rq7zFWbaRjGTk_i0EP2WGCEKdvstRh9-KXzj2R6XyADL_v_mvL80i9A_y3EjCCv6YcetHKuamAN-tMvAwScsP4kKNXMwDjK33y2IGgbgsAfa2fV3NG9kLVKbTrkcgaaP5sOLg17qAArrj5Gt46lZt-I04Cz-3MzWk2-CdGmYOeJ1j5Ok_tadIckFg4CY53VYs6qiz_Kv1PhWs5RggE7nDk8PeheJO0dl8zjLad9Prk3hGJ0DQIeqffFGvzEemLTD52YgeDqWQHLXbk3; dd8668be86d1090ed5b0f36ce63f5869'
成果展示:
有不懂的地方可以加微信:
如有侵权,请联系
标签:case,4.7,b5216,value,h5st4.7,key,纯算,null,1000 From: https://blog.csdn.net/lrqnb/article/details/142188987