0x00 先获取网页的cookie
有个网页的cookie参数ttwid,也可以通过模拟获取。
0x01 实时获取弹幕内容
在连接webcast/im/fetch/?中,有个X-Bogus参数,获取的返回的内容就是Protobuf格式的数据,需用之前写的《Protobuf中的proto3文件如何写》来还原数据为明文即可。
0x02 重点分析X-Bogus参数和《Protobuf中的proto3文件如何写》
X-Bogus参数,可以根据网页中的js,单步调试挖掘出有用的js代码来利用。Protobuf数据格式,主要是配置好proto3文件来进行对应的数据解析,提取我们需要的数据就行。
可以根据下面的函数去调试研究:
function _0x138914(_0x166658, _0x3b76a8) {
let _0x149966, _0x339e20 = [], _0x33716e = 0x446 + -0xbe6 * -0x3 + 0x13fc * -0x2, _0x4145f8 = '';
for (let _0x543939 = 0x234 * 0x8 + -0x2c8 + -0xed8; _0x543939 < 0x20d3 + 0x1 * 0x150b + -0x2 * 0x1a6f; _0x543939++)
_0x339e20[_0x543939] = _0x543939;
for (let _0x1f583e = -0x2040 + -0x1579 + -0x35b9 * -0x1; _0x1f583e < -0x1af * -0xf + -0x15b2 + -0x1 * 0x28f; _0x1f583e++)
_0x33716e = (_0x33716e + _0x339e20[_0x1f583e] + _0x166658['charCodeAt'](_0x1f583e % _0x166658['length'])) % (0x511 + -0xa15 + 0x604),
_0x149966 = _0x339e20[_0x1f583e],
_0x339e20[_0x1f583e] = _0x339e20[_0x33716e],
_0x339e20[_0x33716e] = _0x149966;
let _0x65dfbc = -0x691 * -0x2 + 0xafe + -0x1820;
_0x33716e = -0x1a18 + -0x3 * 0x93b + 0x35c9;
for (let _0x377807 = -0xffa + -0x2 * -0xed1 + -0xda8; _0x377807 < _0x3b76a8['length']; _0x377807++)
_0x65dfbc = (_0x65dfbc + (0x1962 + -0x14f5 + 0x46c * -0x1)) % (-0x1268 + -0x1 * 0x406 + -0x176e * -0x1),
_0x33716e = (_0x33716e + _0x339e20[_0x65dfbc]) % (-0x1f96 + -0x1245 + 0x32db * 0x1),
_0x149966 = _0x339e20[_0x65dfbc],
_0x339e20[_0x65dfbc] = _0x339e20[_0x33716e],
_0x339e20[_0x33716e] = _0x149966,
_0x4145f8 += String['fromCharCode'](_0x3b76a8['charCodeAt'](_0x377807) ^ _0x339e20[(_0x339e20[_0x65dfbc] + _0x339e20[_0x33716e]) % (-0x208d + -0xc07 * 0x3 + 0x45a2)]);
return _0x4145f8;
}