JS Reverse Engineering -- Browser Environment Patching in Practice (sign Encryption Analysis)

Author: 之乎者也吧呀

Continuing from the previous lesson:

JS Reverse Engineering -- Analysis of the sign Value Encryption in a News Site's Data Packets

I. Copy the environment-patching code into the JS file from the previous lesson

const jsdom = require("jsdom");
const { JSDOM } = jsdom; // take the JSDOM class from the jsdom module
const html = "<!DOCTYPE html><p>逆向有你</p>";
const resourceLoader = new jsdom.ResourceLoader({
    userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36",
});
const dom = new JSDOM(html,{
    url: "https://www.toutiao.com",
    referrer: "https://www.toutiao.com",
    contentType: "text/html",
    resources: resourceLoader,
})


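// The site's script reads window and document as globals, so alias them:
// window is Node's global object, document comes from the jsdom instance
window = global
document = dom.window.document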
const params = {
    location: {
        hash: "",
        host: "www.toutiao.com",
        hostname: "www.toutiao.com",
        href: "https://www.toutiao.com",
        origin: "https://www.toutiao.com",
        pathname: "/",
        port: "",
        protocol: "https:",
        search: "",
    },
    navigator: {
        appCodeName: "Mozilla",
        appName: "Netscape",
        appVersion: "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36",
        cookieEnabled: true,
        deviceMemory: 8,
        doNotTrack: null,
        hardwareConcurrency: 12,
        language: "zh-CN",
        languages: ["zh-CN", "zh"],
        maxTouchPoints: 0,
        onLine: true,
        platform: "Win112",
        product: "Gecko",
        productSub: "20030107",
        userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36",
        vendor: "Google Inc.",
        vendorSub: "",
        webdriver: false
    }
};
// Copy the location and navigator stubs onto the global object
Object.assign(global, params)

II. Print the result we want

console.log(window.byted_acrawler.sign({'url':'https://www.toutiao.com/toutiaohttps://lf3-config.bytetcc.com/obj/tcc-config-web/tcc-v2-data-toutiao.fe.toutiao_web_pc-common'}))           

III. An error is reported: the sign function cannot be found. The cause is an exports reference in the e parameter of the function above

IV. Copy that ternary expression into the site's browser console; the result is undefined, so replace the expression directly with void 0

V. Re-run the JS code; the sign value is obtained successfully

VI. Loading the data from Python

1. Because the argument to the sign function is not fixed, we modify the code further as follows to make it more general

console.log(window.byted_acrawler.sign({'url':process.argv[2]}))           

2. Invoke it as follows, writing the URL directly after the script name

3. Python code to obtain the sign

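import subprocess

url = 'https://www.toutiao.com/api/pc/list/feed?channel_id=3189398996&max_behot_time=1684844002&offset=0&category=pc_profile_channel&client_extra_params=%7B%22short_video_item%22:%22filter%22%7D&aid=24&app_name=toutiao_web'
# Pass the URL as its own argv element (no shell), so the & characters in the
# query string are not interpreted as shell operators and the URL is not cut short
result = subprocess.run(['node', 'jiami.js', url], capture_output=True, text=True, check=True)
sign = result.stdout.strip()
print(sign)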
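
Added example (not part of the original post): the URL contains & characters, which a shell treats as operators, so it matters whether the URL reaches the child process inside a shell command string or as its own argv element. The sketch uses the Python interpreter as a constructed stand-in for node jiami.js, a shortened copy of the page's URL and a constructed hostile value on example.invalid; it assumes a POSIX /bin/sh.

```python
import shlex
import subprocess
import sys

# Constructed stand-in for jiami.js: a child that prints its first argument,
# so the example runs without Node or the site's script.
CHILD = "import sys; print(sys.argv[1])"

# URL shape used on the page (shortened): the query string contains '&'.
URL = ("https://www.toutiao.com/api/pc/list/feed?channel_id=3189398996"
       "&max_behot_time=1684844002&offset=0&aid=24&app_name=toutiao_web")

# Constructed hostile value: ';' ends the command, the rest runs in the shell.
HOSTILE = "https://example.invalid/?a=1;echo INJECTED"


def via_shell_string(url: str) -> str:
    """Interpolate the URL into a string that /bin/sh parses (unsafe)."""
    cmd = "%s -c %s %s" % (shlex.quote(sys.executable), shlex.quote(CHILD), url)
    return subprocess.getoutput(cmd)


def via_argv_list(url: str) -> str:
    """Hand the URL to the child as one argv element; no shell is involved."""
    done = subprocess.run([sys.executable, "-c", CHILD, url],
                          capture_output=True, text=True, check=True, timeout=30)
    return done.stdout.strip()


if __name__ == "__main__":
    for label, value in (("page URL", URL), ("hostile value", HOSTILE)):
        print(label)
        # Shell string: the child sees only the text before the first '&' or ';'
        print("  shell string:", via_shell_string(value).splitlines())
        # argv list: the child sees the value byte for byte
        print("  argv list   :", [via_argv_list(value)])
```

With the shell string, the signing script would sign a truncated URL and anything after a ; would run as a command; with the argv list, the value arrives unchanged.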