巨量星图逆向分析

网站

https://www.xingtu.cn/ad/creator/user/task/management

分析

请求的时候有个加密参数sign

流程

1、直接看调用栈，因为我这里已经分析过了，直接进入加密点的位置

2、进入这里之后，搜索 t.wordsToBytes(a(e, n)) 这里就是加密的位置

e:加密参数
n:undefined
3、直接将加密函数复制到本地

// 逆向星图sign参数
// 测试参数
text_args = "limit10page1queryqueryservice_methodDemanderGetUniversalDemandListservice_nametask.AdStarTaskServicesign_strict1e39539b8836fb99e1538974d3ac1fe98"
// text_args = "service_methodStarDemanderBasicInfoservice_namedemander.AdStarDemanderServicesign_strict1e39539b8836fb99e1538974d3ac1fe98"
n = undefined

// 补环境
window = global
rotl = function (e, t) {
    return e << t | e >>> 32 - t
}
endian = function (e) {
    if (e.constructor == Number) {
        return 16711935 & rotl(e, 8) | 4278255360 & rotl(e, 24)
    }
    for (var t = 0; t < e.length; t++) {
        e[t] = endian(e[t])
    }
    return e
}
var t = {
    utf8: {
        stringToBytes: function (e) {
            return t.bin.stringToBytes(unescape(encodeURIComponent(e)))
        },
        bytesToString: function (e) {
            return decodeURIComponent(escape(t.bin.bytesToString(e)))
        }
    },
    bin: {
        stringToBytes: function (e) {
            for (var t = [], n = 0; n < e.length; n++) {
                t.push(255 & e.charCodeAt(n))
            }
            return t
        },
        bytesToString: function (e) {
            for (var t = [], n = 0; n < e.length; n++) {
                t.push(String.fromCharCode(e[n]))
            }
            return t.join("")
        }
    },
    bytesToWords: function (e) {
        for (var t = [], n = 0, r = 0; n < e.length; n++,
            r += 8) {
            t[r >>> 5] |= e[n] << 24 - r % 32
        }
        return t
    },
    wordsToBytes: function (e) {
        for (var t = [], n = 0; n < 32 * e.length; n += 8) {
            t.push(e[n >>> 5] >>> 24 - n % 32 & 255)
        }
        return t
    },
    bytesToHex: function (e) {
        for (var t = [], n = 0; n < e.length; n++) {
            t.push((e[n] >>> 4).toString(16)),
                t.push((15 & e[n]).toString(16))
        }
        return t.join("")
    }

}
var r = {
    stringToBytes: function (e) {
        return t.bin.stringToBytes(unescape(encodeURIComponent(e)))
    },

}
a._hh = function (e, t, n, r, i, o, a) {
    var s = e + (t ^ n ^ r) + (i >>> 0) + a;
    return (s << o | s >>> 32 - o) + t
}
a._ff = function (e, t, n, r, i, o, a) {
    var s = e + (t & n | ~t & r) + (i >>> 0) + a;
    return (s << o | s >>> 32 - o) + t
}
a._gg = function (e, t, n, r, i, o, a) {
    var s = e + (t & r | n & ~r) + (i >>> 0) + a;
    return (s << o | s >>> 32 - o) + t
}
a._ii = function (e, t, n, r, i, o, a) {
    var s = e + (n ^ (t | ~r)) + (i >>> 0) + a;
    return (s << o | s >>> 32 - o) + t
}


// 函数
function a(e, n) {
    e.constructor == String ? e = n && "binary" === n.encoding ? o.stringToBytes(e) : r.stringToBytes(e) : i(e) ? e = Array.prototype.slice.call(e, 0) : Array.isArray(e) || e.constructor === Uint8Array || (e = e.toString());
    for (var s = t.bytesToWords(e), l = 8 * e.length, c = 1732584193, u = -271733879, d = -1732584194, f = 271733878, h = 0; h < s.length; h++) {
        s[h] = 16711935 & (s[h] << 8 | s[h] >>> 24) | 4278255360 & (s[h] << 24 | s[h] >>> 8)
    }
    s[l >>> 5] |= 128 << l % 32, s[14 + (l + 64 >>> 9 << 4)] = l;
    var p = a._ff, m = a._gg, g = a._hh, v = a._ii;
    for (h = 0; h < s.length; h += 16) {
        var y = c, A = u, b = d, _ = f;
        c = p(c, u, d, f, s[h + 0], 7, -680876936), f = p(f, c, u, d, s[h + 1], 12, -389564586), d = p(d, f, c, u, s[h + 2], 17, 606105819), u = p(u, d, f, c, s[h + 3], 22, -1044525330), c = p(c, u, d, f, s[h + 4], 7, -176418897), f = p(f, c, u, d, s[h + 5], 12, 1200080426), d = p(d, f, c, u, s[h + 6], 17, -1473231341), u = p(u, d, f, c, s[h + 7], 22, -45705983), c = p(c, u, d, f, s[h + 8], 7, 1770035416), f = p(f, c, u, d, s[h + 9], 12, -1958414417), d = p(d, f, c, u, s[h + 10], 17, -42063), u = p(u, d, f, c, s[h + 11], 22, -1990404162), c = p(c, u, d, f, s[h + 12], 7, 1804603682), f = p(f, c, u, d, s[h + 13], 12, -40341101), d = p(d, f, c, u, s[h + 14], 17, -1502002290), u = p(u, d, f, c, s[h + 15], 22, 1236535329), c = m(c, u, d, f, s[h + 1], 5, -165796510), f = m(f, c, u, d, s[h + 6], 9, -1069501632), d = m(d, f, c, u, s[h + 11], 14, 643717713), u = m(u, d, f, c, s[h + 0], 20, -373897302), c = m(c, u, d, f, s[h + 5], 5, -701558691), f = m(f, c, u, d, s[h + 10], 9, 38016083), d = m(d, f, c, u, s[h + 15], 14, -660478335), u = m(u, d, f, c, s[h + 4], 20, -405537848), c = m(c, u, d, f, s[h + 9], 5, 568446438), f = m(f, c, u, d, s[h + 14], 9, -1019803690), d = m(d, f, c, u, s[h + 3], 14, -187363961), u = m(u, d, f, c, s[h + 8], 20, 1163531501), c = m(c, u, d, f, s[h + 13], 5, -1444681467), f = m(f, c, u, d, s[h + 2], 9, -51403784), d = m(d, f, c, u, s[h + 7], 14, 1735328473), u = m(u, d, f, c, s[h + 12], 20, -1926607734), c = g(c, u, d, f, s[h + 5], 4, -378558), f = g(f, c, u, d, s[h + 8], 11, -2022574463), d = g(d, f, c, u, s[h + 11], 16, 1839030562), u = g(u, d, f, c, s[h + 14], 23, -35309556), c = g(c, u, d, f, s[h + 1], 4, -1530992060), f = g(f, c, u, d, s[h + 4], 11, 1272893353), d = g(d, f, c, u, s[h + 7], 16, -155497632), u = g(u, d, f, c, s[h + 10], 23, -1094730640), c = g(c, u, d, f, s[h + 13], 4, 681279174), f = g(f, c, u, d, s[h + 0], 11, -358537222), d = g(d, f, c, u, s[h + 3], 16, -722521979), u = g(u, d, f, c, s[h + 6], 23, 76029189), c = g(c, u, d, f, s[h + 9], 4, -640364487), f = g(f, c, u, d, s[h + 12], 11, -421815835), d = g(d, f, c, u, s[h + 15], 16, 530742520), u = g(u, d, f, c, s[h + 2], 23, -995338651), c = v(c, u, d, f, s[h + 0], 6, -198630844), f = v(f, c, u, d, s[h + 7], 10, 1126891415), d = v(d, f, c, u, s[h + 14], 15, -1416354905), u = v(u, d, f, c, s[h + 5], 21, -57434055), c = v(c, u, d, f, s[h + 12], 6, 1700485571), f = v(f, c, u, d, s[h + 3], 10, -1894986606), d = v(d, f, c, u, s[h + 10], 15, -1051523), u = v(u, d, f, c, s[h + 1], 21, -2054922799), c = v(c, u, d, f, s[h + 8], 6, 1873313359), f = v(f, c, u, d, s[h + 15], 10, -30611744), d = v(d, f, c, u, s[h + 6], 15, -1560198380), u = v(u, d, f, c, s[h + 13], 21, 1309151649), c = v(c, u, d, f, s[h + 4], 6, -145523070), f = v(f, c, u, d, s[h + 11], 10, -1120210379), d = v(d, f, c, u, s[h + 2], 15, 718787259), u = v(u, d, f, c, s[h + 9], 21, -343485551), c = c + y >>> 0, u = u + A >>> 0, d = d + b >>> 0, f = f + _ >>> 0
    }
    return endian([c, u, d, f])
}

function get_sign(page) {
    text_args = "limit10page" + page + "queryqueryservice_methodDemanderGetUniversalDemandListservice_nametask.AdStarTaskServicesign_strict1e39539b8836fb99e1538974d3ac1fe98"
    n = undefined
    result = t.bytesToHex(t.wordsToBytes(a(text_args, n)))
    return result
}

console.log(get_sign("2"))

4、其他sign也是同样的加密方法，只要替换下e的参数就行了，下面是python中的调用

import execjs


def get_sign(page):
    f = open('demo.js', 'r', encoding='utf-8').read()
    context = execjs.compile(f)
    result = context.call("get_sign", page)
    return result