首页 > 其他分享 >京东h5st4.7.4(9段) 价值1000元?纯算奶妈级教学

京东h5st4.7.4(9段) 价值1000元?纯算奶妈级教学

时间:2024-09-13 09:24:33浏览次数:14  
标签:case 4.7 b5216 value h5st4.7 key 纯算 null 1000

网站:aHR0cHM6Ly93d3cuamQuY29tLw==
接口:aHR0cHM6Ly9hcGkubS5qZC5jb20=

0.闲聊

京东的h5st看着吓人一打开f12就显示

本页面由 京东-主站前端团队 开发维护                       -- JDC

其实过程很明显,经过了6,7个平坦流才可以拿到结果

主要细心一点,相信你一定也可以


1.定位位置 搜h5st能打的地方都打上断点 下滑看看在哪里断住

2.参数分析

1:20240912140229857;
2:m95mtygin5m66mm6;
3:b5216;
4:tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y;
5:5e98ac54dbcc1145b86be8b48ac0e3c3;
6:4.7;
7:1726120949857;
8:V6G0kBBYuSsLEYnh_vkbXLva6lch8HhBZa7vGpiVTEWfdiPeZtu5Hu21pxJcWXjLB8pXp9cyXSmjRhecFtsiK-UnAFnvczqZGx670qJH5EISJa1a-HkTpxgWxazYypJq2MCQ6ovN3fJ_TU5Y40NAmZo6Cu4tPm3qjJGMzwwevhMt4vy22Ps94XdgPWaSccNornTHC1L3u7N7A46hpYg6GjbAE5bDqBjyRRL_nNFfnQewJeRZtnWsRQEKI4qIri9jk7HO4H56vjhmWIAM9piopiCyar0O9vGQKvPHHiwm6lHDU16MsjKRf0uyc6tr1RfIvUlgQG8QedkgX8B3k9mW3DWzUx3Nqx0wHinKE3PtkxY2Dhb0Y3axz5Kf9wH3L2ENjDqUF5K5BZZ8gpApbq4sny3EjCCv6YcetHKuamAN-tMvAwScsP4kKNXMwDjK33y2IGgbgsAfa2fV3NG9kLVKbTrkcgaaP5sOLg17qAArrj5Gt46lZt-I04Cz-3MzWk2-CdGmYOeJ1j5Ok_tadIckFg4CY53VYs6qiz_Kv1PhWs5RggE7nDk8PeheJO0dl8zjLad9Prk3hGJ0DQIeqffFGvzEemLTD52YgeDqWQHLXbk3;
9:5f10db38aa50b810a513d3786ef1943f

由于当前的时间点可以发发现第1段和第7段其实用了一种形式的转换

第2.3.4段先固定,当前文章不做分析

主要要解决的就是第5,8,9段后你就可以拿到数据了

3.怎么能解决VMP的纯算呢?最简单的办法就是跟栈,找到主要的位置插装

为了细致的知道所有内容,本文建议在跟栈在call的地方和平坦流位置进行插装,可以跟栈时候详细的看到所有内容

下面直接正文

o = {
    "page": 2,
    "pagesize": 25,
    "area": "1_72_0_0",
    "source": "pc-home"
}
没有魔改的SHA256算法
r = {
    "appid": "www-jd-com",
    "body": "6a18875f3dd265575c69fe1bd6388b05d78387d7fe86518a660a1201eb2f2714",
    "clientVersion": "1.0.0",
    "client": "pc",
    "functionId": "pc_home_feed",
    "t": 1726120971200
}
window.PSign.sign(r)

可以先查看入参和结果在这里是一个异步操作,这里等待的时候是pending,完成的时候是fullfill就可以看到h5st的生成

接下来进行跟栈

第一层
 

进入到for (var a, s, c, i, u, l = n, f = o, g = [], p = 1030; ; ) vmp
插装分析 找到 call 堆栈 
'case',f[p],'g-->',g
重点过程
[
    {
        "key": "appid",
        "value": "www-jd-com"
    },
    {
        "key": "body",
        "value": "6a18875f3dd265575c69fe1bd6388b05d78387d7fe86518a660a1201eb2f2714"
    },
    {
        "key": "client",
        "value": "pc"
    },
    {
        "key": "clientVersion",
        "value": "1.0.0"
    },
    {
        "key": "functionId",
        "value": "pc_home_feed"
    },
    {
        "key": "t",
        "value": 1726120971200
    }
]
case 62 时候(2)[ƒ, te] 生成第8部分
te就是这部分内容
{
    "_storagetokenKey": "WQ_dy_tk_s_b5216_4.7",
    "_storageAlgnKey": "WQ_dy_algo_s_b5216_4.7",
    "_storageFpKey": "WQ_vk1_b5216_4.7",
    "_token": "tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y",
    "_defaultToken": "",
    "_isNormal": true,
    "_appId": "b5216",
    "_defaultAlgorithm": {},
    "algos": {},
    "_version": "4.7",
    "_fingerprint": "m95mtygin5m66mm6",
    "_debug": false
}
生成结果是:
Vm6WRPxV9kv-Dx3rSycMZ4Wk8VkYlzqRB9wJm9N6iYs-ozfvxcrYMH4vztZNAP_HWXyHlG8emWyqYP3fmx1KJMaFz96EA-LKV2CtI_RmIc3UEF2Cmo2Kji9PhS259m1DfJjrkKnjcLYABpkUbKQjWT5s86liZm6q_eb1lQbTLr9WKBtDnNTy3xTOFwrFMi_bNAl8BYxk2kZUG_89ddBaRaV_Qxyi4a5HV-YdbrxEpTpG43ZE150_KQxKxOHp3_-sGe66fi2LCWIV0-hVVCTcKIEjTuA5Kz8O9LL3VAKzr1_eV3JBs6p8hsC3I8l6R5KBPC2AbvD6huXZirDgIfyS8wgjMwF82rq7zFWbaRjGTk_i0EP2WGCEKdvstRh9-KXzj2R6XyADL_v_mvL80i9A_y3EjCCv6YcetHKuamAN-tMvAwScsP4kKNXMwDjK33y2IGgbgsAfa2fV3NG9kLVKbTrkcgaaP5sOLg17qAArrj5Gt46lZt-I04Cz-3MzWk2-CdGmYOeJ1j5Ok_tadIckFg4CY53VYs6qiz_Kv1PhWs5RggE7nDk8PeheJO0dl8zjLad9Prk3hGJ0DQIeqffFGvzEemLTD52YgeDqWQHLXbk3

当发现是通过函数来执行的时候如果通过日志没法清楚地知道里面的过程,就是点进去跟栈,接下来进入到第二层

跟进进入
key: $,
	value: function() {
		for (var e, t, a, s, c, i = n, u = o, l = [], h = 821; ; )
这个vmp
'case',u[h],'l-->',l
观察日志
case 28 l--> [{…}]
case 45 l--> (5) [ƒ, undefined, {…}, null, 2]看入参
{
    "sua": "Windows NT 10.0; Win64; x64",
    "pp": {},
    "extend": {
        "wd": 0,
        "l": 0,
        "ls": 5,
        "wk": 0,
        "bu1": "0.1.4",
        "bu2": -1,
        "bu3": 35,
        "bu4": 0,
        "bu5": 0,
        "bu6": 23,
        "bu7": "",
        "bu8": 0
    },
    "pf": "Win32",
    "random": "jRHedsNrt_x",
    "v": "h5_file_v4.7.4",
    "canvas": "d98dce374ca197fa2c2826390808089d",
    "webglFp": "a3e19bf2c47e1ad07028cb74d487f910",
    "ccn": 8,
    "fp": "m95mtygin5m66mm6"
}
这个函数    var zw = function(e, t, r) {
        return Dw(Mw.JSON.stringify, null, arguments)
    }
得到结果
'{\n  "sua": "Windows NT 10.0; Win64; x64",\n  "pp": {},\n  "extend": {\n    "wd": 0,\n    "l": 0,\n    "ls": 5,\n    "wk": 0,\n    "bu1": "0.1.4",\n    "bu2": -1,\n    "bu3": 35,\n    "bu4": 0,\n    "bu5": 0,\n    "bu6": 23,\n    "bu7": "",\n    "bu8": 0\n  },\n  "pf": "Win32",\n  "random": "jRHedsNrt_x",\n  "v": "h5_file_v4.7.4",\n  "canvas": "d98dce374ca197fa2c2826390808089d",\n  "webglFp": "a3e19bf2c47e1ad07028cb74d487f910",\n  "ccn": 8,\n  "fp": "m95mtygin5m66mm6"\n}'

case 93 l-->  把 "_M6Y?dvfN40VMF[X"  parse一下
parse: function(e) {
	return d.parse(unescape(encodeURIComponent(e)))
}
结果{
    "words": [
        1598895705,
        1063548518,
        1312043094,
        1296456536
    ],
    "sigBytes": 16
}

继续case93 拼接字符串[01,02,03,04,05,06,07,08]
'0102030405060708'
case 93
l[l.length - 2]['parse']('0102030405060708')
{
    "words": [
        808529970,
        808661044,
        808792118,
        808923192
    ],
    "sigBytes": 16
}
case 45:是AES加密(魔改的直接扣)  需要看下对啥做了AES
参数
[
    null,
    {},
    "{\n  \"sua\": \"Windows NT 10.0; Win64; x64\",\n  \"pp\": {},\n  \"extend\": {\n    \"wd\": 0,\n    \"l\": 0,\n    \"ls\": 5,\n    \"wk\": 0,\n    \"bu1\": \"0.1.4\",\n    \"bu2\": -1,\n    \"bu3\": 35,\n    \"bu4\": 0,\n    \"bu5\": 0,\n    \"bu6\": 23,\n    \"bu7\": \"\",\n    \"bu8\": 0\n  },\n  \"pf\": \"Win32\",\n  \"random\": \"jRHedsNrt_x\",\n  \"v\": \"h5_file_v4.7.4\",\n  \"canvas\": \"d98dce374ca197fa2c2826390808089d\",\n  \"webglFp\": \"a3e19bf2c47e1ad07028cb74d487f910\",\n  \"ccn\": 8,\n  \"fp\": \"m95mtygin5m66mm6\"\n}",
    {
        "words": [
            1598895705,
            1063548518,
            1312043094,
            1296456536
        ],
        "sigBytes": 16
    },
    {
        "iv": {
            "words": [
                808529970,
                808661044,
                808792118,
                808923192
            ],
            "sigBytes": 16
        }
    }
]
结果fy7/LPGAsT42+gdTDLw4SjnQR33s4OGTiNQ1fyrHZ58Lzjax5iIN414HayTvbS22FdqA1HhnMYj0scq+Bfd+Ue2Ry6O58pYyIdzhN4I+wQ5UXgyAjKfXjUeiOXp9xcepQdzrrWWsbh2LIqdH8826yrD7MBLyZQJfB3g83Wq272QOgkffMzTmK/JMyeHq6EmWnKpXJWw8oMPp46+cnUUzSfkYWZ0iaLnwYnYLTWk/cFgzj/MXZ1Fpqn5MSUQAgHSi0YyDQzF87ARjbsrgaRmKz2maEk3O2Tr09/o1cTn7WgUHVMdFcxaOfUq1atcqVNfB4YhrjMWBfLLZIajMdWoDzSOM6DUBB1XiBOAULg03cc5vhTIWzIIrn88C3CYX7pUch6IFAEkUbflwxtbEsVd0ve4m2rTSj5wTQ35xaarFfT6g/PfX/OYHHHRLYO1R4nmYmdXeDaBqyke72nz9SXgIoV1oUv/AVSBrdDJ7OS69bcdeRwB12pUlQFJnB8y+cliufqeL/xRPAgzEggcxiA6mjVL+vIgEL1cGRK7irEyDveLuclhHzwGbJj9OlIxF2J6MoBcD9SHcfOebBbRC7SdbYsAF4J3X83S0MKjUt621c1A=
生成的应该是ciphertext
{
    "words": [
        2133786412,
        -243224258,
        922355539,
        213661770,
        969951101,
        -320806509,
        -1999358593,
        717711263,
        198063793,
        -433975837,
        1577544484,
        -278057546,
        366641364,
        2020028808,
        -189674818,
        100105809,
        -309212253,
        -1175284174,
        568123703,
        -2109816562,
        1415449728,
        -1935157363,
        1201813882,
        2110113705,
        1104997293,
        1705799197,
        -1960663225,
        -204621110,
        -1325715438,
        -228261281,
        125320413,
        1790373732,
        243419103,
        859104811,
        -229848607,
        -353875562,
        -1666558171,
        1815912643,
        -370954340,
        -1656409271,
        -115844707,
        577288688,
        1651903309,
        1765765208,
        865071895,
        1733388714,
        2118928708,
        8418466,
        -779320509,
        830270468,
        1668205280,
        1763281615,
        1771704909,
        -824624396,
        -134597263,
        972773893,
        122996549,
        1930858109,
        1253403351,
        710203329,
        -511153268,
        -981369678,
        -652105524,
        1969882061,
        596437045,
        17257954,
        81794094,
        221737422,
        1871000086,
        -863884385,
        -821896154,
        401511708,
        -2019425024,
        1226075641,
        1892079300,
        -1319668547,
        -299443532,
        -762340333,
        1132360041,
        -1429897922,
        -1594034217,
        -52033764,
        1951097069,
        1373796760,
        -1714037235,
        -1603614137,
        -1143309059,
        1232603297,
        1567118079,
        -1068162965,
        1949465401,
        784166343,
        1581711477,
        -627759808,
        1382483916,
        -1099802450,
        2124909567,
        340722188,
        -998111439,
        -2012305779,
        1392426120,
        70211334,
        1152311980,
        1283702242,
        -294496185,
        -821978330,
        1062114444,
        1171824268,
        -1609104395,
        568098023,
        -1694124990,
        -316187806,
        -1073356643,
        -671910732,
        816370871,
        -1380617392
    ],
    "sigBytes": 464
}

调用BASE64 encode方法 这个又mapping 映射
{
    "_map1": "WVUTSRQPONMLKJIHGFEDCBA-_9876543210zyxwvutsrqponmlkjihgfedcbaZYX",
    "_map": "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
    "_reverseMap": [
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        62,
        null,
        null,
        null,
        63,
        52,
        53,
        54,
        55,
        56,
        57,
        58,
        59,
        60,
        61,
        null,
        null,
        null,
        64,
        null,
        null,
        null,
        0,
        1,
        2,
        3,
        4,
        5,
        6,
        7,
        8,
        9,
        10,
        11,
        12,
        13,
        14,
        15,
        16,
        17,
        18,
        19,
        20,
        21,
        22,
        23,
        24,
        25,
        null,
        null,
        null,
        null,
        null,
        null,
        26,
        27,
        28,
        29,
        30,
        31,
        32,
        33,
        34,
        35,
        36,
        37,
        38,
        39,
        40,
        41,
        42,
        43,
        44,
        45,
        46,
        47,
        48,
        49,
        50,
        51
    ]
}
迷糊了不知道是哪个方法的可以去打印$_可以观察出来到底是什么方法

这样在看日志的时候就会大概可以看出到底是运行的什么算法

结果为
VWh6hgcpCzMKiEfa-fNeRWq_75EbUF7V74I36PEZT6VuKcNgRlOxIZzN7QmjP1x6oL4nTkSr0bMFQ6hLS2OnYLBzwcW0l622Sj2WHFlXL4s3o0x6YkaVvNRGxCtghVmF4567ZcEIbNT5rVEBWXnCuhBuO2-EZjvgb4yksV8T4-5w_wveFhI_LFPPP_IX-3HX2cD3Rr88ldfGDmdzEDrgwe4ni5BqS7plmx37CySWROc16Ctb-_UfUaavrOOjAOD1nd66fi2LCWIV0-hVVCTcKIEjTuA5Kz8O9LL3VAKzr1_eV3JBs6p8hsC3I8l6R5KBPC2AbvD6huXZirDgIfyS8wgjMwF82rq7zFWbaRjGTk_i0EP2WGCEKdvstRh9-KXzj2R6XyADL_v_mvL80i9A_y3EjCCv6YcetHKuamAN-tMvAwScsP4kKNXMwDjK33y2IGgbgsAfa2fV3NG9kLVKbTrkcgaaP5sOLg17qAArrj5Gt46lZt-I04Cz-3MzWk2-CdGmYOeJ1j5Ok_tadIckFg4CY53VYs6qiz_Kv1PhWs5RggE7nDk8PeheJO0dl8zjLad9Prk3hGJ0DQIeqffFGvzEemLTD52YgeDqWQHLXbk3
这个值就是第8段值
从上一个VMP推出回到了 一开始的堆栈
打印出了结果
case 74 堆栈p  VWh6hgcpCzMKiEfa-fNeRWq_75EbUF7V74I36PEZT6VuKcNgRlOxIZzN7QmjP1x6oL4nTkSr0bMFQ6hLS2OnYLBzwcW0l622Sj2WHFlXL4s3o0x6YkaVvNRGxCtghVmF4567ZcEIbNT5rVEBWXnCuhBuO2-EZjvgb4yksV8T4-5w_wveFhI_LFPPP_IX-3HX2cD3Rr88ldfGDmdzEDrgwe4ni5BqS7plmx37CySWROc16Ctb-_UfUaavrOOjAOD1nd66fi2LCWIV0-hVVCTcKIEjTuA5Kz8O9LL3VAKzr1_eV3JBs6p8hsC3I8l6R5KBPC2AbvD6huXZirDgIfyS8wgjMwF82rq7zFWbaRjGTk_i0EP2WGCEKdvstRh9-KXzj2R6XyADL_v_mvL80i9A_y3EjCCv6YcetHKuamAN-tMvAwScsP4kKNXMwDjK33y2IGgbgsAfa2fV3NG9kLVKbTrkcgaaP5sOLg17qAArrj5Gt46lZt-I04Cz-3MzWk2-CdGmYOeJ1j5Ok_tadIckFg4CY53VYs6qiz_Kv1PhWs5RggE7nDk8PeheJO0dl8zjLad9Prk3hGJ0DQIeqffFGvzEemLTD52YgeDqWQHLXbk3

回来之后在case 54 堆栈p  
生成了完整的h5st

所以接下来按上面的方法继续

入参
[
    null, //其实是value那个堆栈
    te {
        "_storagetokenKey": "WQ_dy_tk_s_b5216_4.7",
        "_storageAlgnKey": "WQ_dy_algo_s_b5216_4.7",
        "_storageFpKey": "WQ_vk1_b5216_4.7",
        "_token": "tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y",
        "_defaultToken": "",
        "_isNormal": true,
        "_appId": "b5216",
        "_defaultAlgorithm": {},
        "algos": {},
        "_version": "4.7",
        "_fingerprint": "m95mtygin5m66mm6",
        "_debug": false
    },
    [
        {
            "key": "appid",
            "value": "www-jd-com"
        },
        {
            "key": "body",
            "value": "6a18875f3dd265575c69fe1bd6388b05d78387d7fe86518a660a1201eb2f2714"
        },
        {
            "key": "client",
            "value": "pc"
        },
        {
            "key": "clientVersion",
            "value": "1.0.0"
        },
        {
            "key": "functionId",
            "value": "pc_home_feed"
        },
        {
            "key": "t",
            "value": 1726120971200
        }
    ],
    "VWh6hgcpCzMKiEfa-fNeRWq_75EbUF7V74I36PEZT6VuKcNgRlOxIZzN7QmjP1x6oL4nTkSr0bMFQ6hLS2OnYLBzwcW0l622Sj2WHFlXL4s3o0x6YkaVvNRGxCtghVmF4567ZcEIbNT5rVEBWXnCuhBuO2-EZjvgb4yksV8T4-5w_wveFhI_LFPPP_IX-3HX2cD3Rr88ldfGDmdzEDrgwe4ni5BqS7plmx37CySWROc16Ctb-_UfUaavrOOjAOD1nd66fi2LCWIV0-hVVCTcKIEjTuA5Kz8O9LL3VAKzr1_eV3JBs6p8hsC3I8l6R5KBPC2AbvD6huXZirDgIfyS8wgjMwF82rq7zFWbaRjGTk_i0EP2WGCEKdvstRh9-KXzj2R6XyADL_v_mvL80i9A_y3EjCCv6YcetHKuamAN-tMvAwScsP4kKNXMwDjK33y2IGgbgsAfa2fV3NG9kLVKbTrkcgaaP5sOLg17qAArrj5Gt46lZt-I04Cz-3MzWk2-CdGmYOeJ1j5Ok_tadIckFg4CY53VYs6qiz_Kv1PhWs5RggE7nDk8PeheJO0dl8zjLad9Prk3hGJ0DQIeqffFGvzEemLTD52YgeDqWQHLXbk3"
]
跟进去看看
value: function(e, t) {
    for (var a, s, c, i, u, l, h, f, g, p, v, b, d = n, k = o, y = [], w = 536; ; )
这个堆栈
同样的方法
'case',k[w],'y-->',y

case 59 y-(4) [ƒ, undefined, 1726126134444, 'yyyyMMddhhmmssSSS']
这个就是要生成第一段 通过nx
1726126134444--->20240912152854444

有个坑
case 66 y--> 20240912152854444 + 47 = 2024091215285444447

接下来会有一个test函数
case 32:
    y[y.length - 7] = d.call(y[y.length - 7], y[y.length - 6], y[y.length - 5], y[y.length - 4], y[y.length - 3], y[y.length - 2], y[y.length - 1]),
    y.length -= 6;

传参数有
[
    
    ƒ test(tk,fp,ts,ai,algo),//接口来的
    {
        "_storagetokenKey": "WQ_dy_tk_s_b5216_4.7",
        "_storageAlgnKey": "WQ_dy_algo_s_b5216_4.7",
        "_storageFpKey": "WQ_vk1_b5216_4.7",
        "_token": "tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y",
        "_defaultToken": "",
        "_isNormal": true,
        "_appId": "b5216",
        "_defaultAlgorithm": {},
        "algos": {},
        "_version": "4.7",
        "_fingerprint": "m95mtygin5m66mm6",
        "_debug": false
    },
    "tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y",//接口来的
    "m95mtygin5m66mm6",//接口来的
    "2024091215285444447",
    "b5216",
    {}
]
进入VM

(function anonymous() {
return function test(tk,fp,ts,ai,algo){
    var rd='q1sbyQS0w5iV';
    var str="".concat(tk).concat(fp).concat(ts).concat(ai).concat(rd);
    return algo.HmacMD5(str,tk);}
    }
)

可以发现他会随机生成六种算法HmacMD5,HmacShA256, MD5, SHA256....所有算法均被魔改

最主要的就是能抠出来他的算法,抠出来你就已经成功一大半了

tk 'tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y'
fp 'm95mtygin5m66mm6'
ts '2024091215285444447'
ai 'b5216'

魔改HmacMD5
str = 'tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Ym95mtygin5m66mm62024091215285444447b5216q1sbyQS0w5iV'
tk = 'tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y'
得到结果
{
    "words": [
        644087737,
        -1232798369,
        583223920,
        1566804125
    ],
    "sigBytes": 16
}
toString后 
'2663ffb9b684fd5f22c34a705d63889d'
这个先留住这么麻烦后面一定会有用
继续到了
case 59 y--> (4)[ƒ, te, '2663ffb9b684fd5f22c34a705d63889d', Array(6)]
发生了变化
[
    {
        "key": "appid",
        "value": "www-jd-com"
    },
    {
        "key": "body",
        "value": "6a18875f3dd265575c69fe1bd6388b05d78387d7fe86518a660a1201eb2f2714"
    },
    {
        "key": "client",
        "value": "pc"
    },
    {
        "key": "clientVersion",
        "value": "1.0.0"
    },
    {
        "key": "functionId",
        "value": "pc_home_feed"
    },
    {
        "key": "t",
        "value": 1726120971200
    }
]
看一看f 是什么
到了这个vmp
同样的方法插装分析
key: u,
value: function(e, t) {
    for (var a, s, c, i, u = n, l = o, h = [], f = 272; ; )
'case',l[f],'h-->',h
case 90:
 ['appid:www-jd-com', 'body:6a18875f3dd265575c69fe1bd6388b05d78387d7fe86518a660a1201eb2f2714', 'client:pc', 'clientVersion:1.0.0', 'functionId:pc_home_feed', 't:1726120971200']
case 74:
'appid:www-jd-com&body:6a18875f3dd265575c69fe1bd6388b05d78387d7fe86518a660a1201eb2f2714&client:pc&clientVersion:1.0.0&functionId:pc_home_feed&t:1726120971200'
注意打断点74 要打两层
'2663ffb9b684fd5f22c34a705d63889dappid:www-jd-com&body:6a18875f3dd265575c69fe1bd6388b05d78387d7fe86518a660a1201eb2f2714&client:pc&clientVersion:1.0.0&functionId:pc_home_feed&t:17261209712002663ffb9b684fd5f22c34a705d63889d'
对这个做运算不知道是啥 断点忘打了
就跟一下栈,你会发现是什么算法
结果是
{
    "words": [
        -1993779846,
        -1545533315,
        -770425418,
        -725702775
    ],
    "sigBytes": 16
}
然后tostring 此段为第5段结果

结果为'8929557aa3e1087dd2143db6d4bea789'
又跳出去
case 59 y--> [
    null,
    {
        "_storagetokenKey": "WQ_dy_tk_s_b5216_4.7",
        "_storageAlgnKey": "WQ_dy_algo_s_b5216_4.7",
        "_storageFpKey": "WQ_vk1_b5216_4.7",
        "_token": "tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y",
        "_defaultToken": "",
        "_isNormal": true,
        "_appId": "b5216",
        "_defaultAlgorithm": {},
        "algos": {},
        "_version": "4.7",
        "_fingerprint": "m95mtygin5m66mm6",
        "_debug": false
    },
    "2663ffb9b684fd5f22c34a705d63889d",
    [
        {
            "key": "appid",
            "value": "www-jd-com"
        },
        {
            "key": "body",
            "value": "6a18875f3dd265575c69fe1bd6388b05d78387d7fe86518a660a1201eb2f2714"
        },
        {
            "key": "client",
            "value": "pc"
        },
        {
            "key": "clientVersion",
            "value": "1.0.0"
        },
        {
            "key": "functionId",
            "value": "pc_home_feed"
        },
        {
            "key": "t",
            "value": 1726120971200
        }
    ]
]
进入这个vmp
key: l,
value: function(e, t) {
	for (var a, s, c, i, u, l, h = n, f = o, g = [], p = 355; ; )
先有一个filter 
过滤 appid 和 functionId
提取
['appid:www-jd-com', 'functionId:pc_home_feed']
join
'appid:www-jd-com&functionId:pc_home_feed'

"2663ffb9b684fd5f22c34a705d63889dappid:www-jd-com&functionId:pc_home_feed2663ffb9b684fd5f22c34a705d63889d"
然后
case 30:
		null != g[g.length - 2] ? (g[g.length - 3] = h.call(g[g.length - 3], g[g.length - 2], g[g.length - 1]),
		g.length -= 2) : (l = g[g.length - 3],
		g[g.length - 3] = l(g[g.length - 1]),
跟一下看看是MD5 破案了
 var f = l.MD5 = o.extend({
                    _doReset: function() {
                        this._hash = new a.init([1732584193, 4023233417, 2562383102, 271733878])
                    },
变成
{
    "words": [
        -578393922,
        -2033121010,
        -709823636,
        -432056215
    ],
    "sigBytes": 16
}
toString'dd8668be86d1090ed5b0f36ce63f5869'
这个就是a9的值

最后把这些值拿一下

致辞所有参数完毕,看看是如何拼接的

最后把这些值拿一下
case 35 y那层
入参:
[
    null,
    {
        "_storagetokenKey": "WQ_dy_tk_s_b5216_4.7",
        "_storageAlgnKey": "WQ_dy_algo_s_b5216_4.7",
        "_storageFpKey": "WQ_vk1_b5216_4.7",
        "_token": "tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y",
        "_defaultToken": "",
        "_isNormal": true,
        "_appId": "b5216",
        "_defaultAlgorithm": {},
        "algos": {},
        "_version": "4.7",
        "_fingerprint": "m95mtygin5m66mm6",
        "_debug": false
    },
    "8929557aa3e1087dd2143db6d4bea789",
    1726126134444,
    "20240912152854444",
    "VWh6hgcpCzMKiEfa-fNeRWq_75EbUF7V74I36PEZT6VuKcNgRlOxIZzN7QmjP1x6oL4nTkSr0bMFQ6hLS2OnYLBzwcW0l622Sj2WHFlXL4s3o0x6YkaVvNRGxCtghVmF4567ZcEIbNT5rVEBWXnCuhBuO2-EZjvgb4yksV8T4-5w_wveFhI_LFPPP_IX-3HX2cD3Rr88ldfGDmdzEDrgwe4ni5BqS7plmx37CySWROc16Ctb-_UfUaavrOOjAOD1nd66fi2LCWIV0-hVVCTcKIEjTuA5Kz8O9LL3VAKzr1_eV3JBs6p8hsC3I8l6R5KBPC2AbvD6huXZirDgIfyS8wgjMwF82rq7zFWbaRjGTk_i0EP2WGCEKdvstRh9-KXzj2R6XyADL_v_mvL80i9A_y3EjCCv6YcetHKuamAN-tMvAwScsP4kKNXMwDjK33y2IGgbgsAfa2fV3NG9kLVKbTrkcgaaP5sOLg17qAArrj5Gt46lZt-I04Cz-3MzWk2-CdGmYOeJ1j5Ok_tadIckFg4CY53VYs6qiz_Kv1PhWs5RggE7nDk8PeheJO0dl8zjLad9Prk3hGJ0DQIeqffFGvzEemLTD52YgeDqWQHLXbk3",
    "dd8668be86d1090ed5b0f36ce63f5869"
]


r = '20240912152854444'
this._fingerprint = 'm95mtygin5m66mm6'
this._appId = 'b5216'
this._token = 'tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y'
e = '8929557aa3e1087dd2143db6d4bea789'
this._version = '4.7'
t = 1726126134444
n = 'VWh6hgcpCzMKiEfa-fNeRWq_75EbUF7V74I36PEZT6VuKcNgRlOxIZzN7QmjP1x6oL4nTkSr0bMFQ6hLS2OnYLBzwcW0l622Sj2WHFlXL4s3o0x6YkaVvNRGxCtghVmF4567ZcEIbNT5rVEBWXnCuhBuO2-EZjvgb4yksV8T4-5w_wveFhI_LFPPP_IX-3HX2cD3Rr88ldfGDmdzEDrgwe4ni5BqS7plmx37CySWROc16Ctb-_UfUaavrOOjAOD1nd66fi2LCWIV0-hVVCTcKIEjTuA5Kz8O9LL3VAKzr1_eV3JBs6p8hsC3I8l6R5KBPC2AbvD6huXZirDgIfyS8wgjMwF82rq7zFWbaRjGTk_i0EP2WGCEKdvstRh9-KXzj2R6XyADL_v_mvL80i9A_y3EjCCv6YcetHKuamAN-tMvAwScsP4kKNXMwDjK33y2IGgbgsAfa2fV3NG9kLVKbTrkcgaaP5sOLg17qAArrj5Gt46lZt-I04Cz-3MzWk2-CdGmYOeJ1j5Ok_tadIckFg4CY53VYs6qiz_Kv1PhWs5RggE7nDk8PeheJO0dl8zjLad9Prk3hGJ0DQIeqffFGvzEemLTD52YgeDqWQHLXbk3'
a = 'dd8668be86d1090ed5b0f36ce63f5869'

value: function(e, t, r, n, a) {
    return ["" + r, "" + this._fingerprint, "" + this._appId, "" + (this._isNormal ? this._token : this._defaultToken), "" + e, "" + this._version, "" + t, "" + n, "" + a].join(";")
}

这里完成了拼接结果为

结果:
'20240912152854444;
m95mtygin5m66mm6;
b5216;
tk03wb42e1c8018n12StJr6S5RYeHLi2mXbB4tmzjuoqjoNi9oe6hLvHxQ-cIlRm7XZ9qIBCfTfu2izLvhGg8LzKN79Y;
8929557aa3e1087dd2143db6d4bea789;
4.7;
1726126134444;
VWh6hgcpCzMKiEfa-fNeRWq_75EbUF7V74I36PEZT6VuKcNgRlOxIZzN7QmjP1x6oL4nTkSr0bMFQ6hLS2OnYLBzwcW0l622Sj2WHFlXL4s3o0x6YkaVvNRGxCtghVmF4567ZcEIbNT5rVEBWXnCuhBuO2-EZjvgb4yksV8T4-5w_wveFhI_LFPPP_IX-3HX2cD3Rr88ldfGDmdzEDrgwe4ni5BqS7plmx37CySWROc16Ctb-_UfUaavrOOjAOD1nd66fi2LCWIV0-hVVCTcKIEjTuA5Kz8O9LL3VAKzr1_eV3JBs6p8hsC3I8l6R5KBPC2AbvD6huXZirDgIfyS8wgjMwF82rq7zFWbaRjGTk_i0EP2WGCEKdvstRh9-KXzj2R6XyADL_v_mvL80i9A_y3EjCCv6YcetHKuamAN-tMvAwScsP4kKNXMwDjK33y2IGgbgsAfa2fV3NG9kLVKbTrkcgaaP5sOLg17qAArrj5Gt46lZt-I04Cz-3MzWk2-CdGmYOeJ1j5Ok_tadIckFg4CY53VYs6qiz_Kv1PhWs5RggE7nDk8PeheJO0dl8zjLad9Prk3hGJ0DQIeqffFGvzEemLTD52YgeDqWQHLXbk3;
dd8668be86d1090ed5b0f36ce63f5869'

成果展示:

有不懂的地方可以加微信:

如有侵权,请联系

标签:case,4.7,b5216,value,h5st4.7,key,纯算,null,1000
From: https://blog.csdn.net/lrqnb/article/details/142188987

相关文章

  • mybatis in中超过1000个值解决办法(超简单)
    众所周知sql中条件in的值是不能超过1000个的,而mybatis可以使用动态sql拼接的方式绕开这个限制,网上看了很多例子,我感觉都不太好理解,下面介绍一个超简单的例子。select*fromuser_infowhere1=1<iftest="userList!=nullanduserList.size()>0">and(userIdin<f......
  • 项目中有 10000 个 if else 如何优化?
    本文我总结10种优化ifelse的方法,当然根据不同的场景还可以使用多态、责任链模式、模板方法模式等更多方法来消除ifelse。方案1:策略模式如果有 1万个 ifelse分支,那就会有1万个策略类,此时就会造成类膨胀,并且随着时间的推移逐渐变得更加庞大而复杂。如果是多层的ifelse......
  • 项目中有 10000 个 if else 如何优化?
    本文我总结10种优化ifelse的方法,当然根据不同的场景还可以使用多态、责任链模式、模板方法模式等更多方法来消除ifelse。方案1:策略模式如果有 1万个 ifelse分支,那就会有1万个策略类,此时就会造成类膨胀,并且随着时间的推移逐渐变得更加庞大而复杂。如果是多层的ifelse......
  • 让联通1000M宽带2Gwifi速度达到3M/s
    提示:以下内容需要付费:看了的人好的灵魂会卖给我,女的做我的奴婢,男的做奴隶。请看:设置如下:以下因素缺一不可。1打开多媒体开关:2       设置带宽为20M/40M自动:不能设置为40M原理:因为附近的wifi数量非常多,如果设置为40M,那么信号之间干扰会很严重,我亲自试过速度会只有......
  • 科技界掀巨浪:IBM 在中国裁员,几分钟内裁员 1000 人
    1.前言近日,IBM中国宣布撤出在华两大研发中心,引发了IT行业对于跨国公司在华研发战略的广泛讨论。这一决定不仅影响了众多IT从业者的职业发展,也让人思考全球化背景下中国IT产业的竞争力和未来发展方向。面对这一突如其来的变化,我们应该如何看待IBM跨国公司的决策?中国IT人才该......
  • 题单3:基础练习(rating1000)
    题单1A:TheatreSquare数学问题118A:StringTask字符串处理。在体量较小的情况下,用多个cout语句打印可以节省代码时间。倘若体量较大,一般需要用char[]先存储需要打印的内容,最后再一次性打印。本题属于前者。58A:Chatroom字符串处理。可以事先存储需要匹配的序列char[6]......
  • comp10002 Foundations of Algorithms
    SchoolofComputing andInformationSystemscomp10002 Foundations of AlgorithmsSemester 2,2024Assignment 1LearningOutcomesIn this assignment you will demonstrate your understanding of arrays,  strings, functions, and the typedeffac......
  • AS-V1000视频监控平台web客户端播放实时视频和视频录像时,有个别画面出现卡顿和花屏问
    目录一、问题背景二、解决过程  1、检查平台进程  2、检查服务器CPU内存的使用情况  ①top/htop命令  ②vmstat命令  ③free命令  ④sar命令  3、检查网络带宽情况  三、最终效果一、问题背景  客户在公网测试服务器中的视......
  • AS-V1000视频监控平台客户端播放实时视频时,一些视频画面显示的时间不准确的解决方法
    目录一、背景说明二、解决过程  1、查看设备时间  2、查看服务器时间  3、ntp介绍  1)ntp的概念  2)ntp的同步方式  3)ntp的优势  4、自动校准服务器和设备时间  1)下载ntp  2)修改ntp.conf  3)重启ntp服务,自动校准时间......
  • Cisco ISR 1000 IOS XE 17.15.1a 发布下载,新增功能概览
    CiscoISR1000SeriesIOSXERelease17.15.1aED思科1000系列集成多业务路由器系统软件请访问原文链接:https://sysin.org/blog/cisco-isr-1000/,查看最新版。原创作品,转载请保留出处。作者主页:sysin.org思科1000系列集成多业务路由器Cisco1000系列集成多业务路由器......