【2022春节】解题领红包之番外篇 {Web 中级题}
本帖最后由 QAQ~QL 于 2022-2-18 19:14 编辑思路
[*]中级题,Web题,先搭起来看看
解压,文件为52tube.saz和52tube.wacz,saz为Fiddler文件,导入查看
发现为ts视频,查找key和iv在所有链接中/api/drm较为符合32位字串08A5E6C2C261A8ACB4D79C49AF160A3ADA4E5CEAE16FED46EB6F498C9B63D53B
但m3u8中为AES-128-CBC无iv加密,秘钥长度应为16位,遂排除直接解密,虚拟机模拟环境直接搭建
搭建完毕,打开页面,发现29秒视频,但加载失败
参考官网示例MEDIA_ERR_ABORTED - 取回过程被用户中止无法找到原因
遂下断点查看
//Uint8Array转字符串
const Uint8ArrayToString=function(fileData) {
var dataString = "";
for (var i = 0; i < fileData.length; i++) {
dataString += String.fromCharCode(fileData);
}
return dataString
}
//字符串转Uint8Array
const stringToUint8Array=function(str) {
var arr = [];
for (var i = 0, j = str.length; i < j; ++i) {
arr.push(str.charCodeAt(i));
}
var tmpUint8Array = new Uint8Array(arr);
return tmpUint8Array
}
//Uint8Array转Hex
const U8A2Hex=function(uint8Array) {
return Array.prototype.map.call(uint8Array, (x) => ('00' + x.toString(16)).slice(-2)).join('');
}
//Hex转Uint8Array
const Hex2Uint8Array=function(hex){
var typedArray = new Uint8Array(hex.match(/[\da-f]{2}/gi).map(function (h) {
return parseInt(h, 16)
}))
return typedArray
}
//ArrayBuffer转Hex
const B2hex=function(buffer) {
//return Array.prototype.map.call(new Uint8Array(buffer), x => ('00' + x.toString(16)).slice(-2)).join('');
return Array.prototype.map.call(new Uint8Array(buffer), x => (x.toString(16)).slice(-2)).join('');
}
//Hex转ArrayBuffer
const Hex2ArrayBuffer=function(hex){
var typedArray = new Uint8Array(hex.match(/[\da-f]{2}/gi).map(function (h) {
return parseInt(h, 16)
}))
return typedArray.buffer
}
iv : 000000000000000key : ef8d9c7c7b31b626ab204804ae5852d3发现key值飘忽不定,否决前面的观点再次查看drm,发现为post方法,遂逐一检查method
除了该接口,其他都为get,此处的不小心下次一定改详查可知,ping通后继续访问drm,在此期间生成h和id
o.onSuccess = function(t, e, a) {
(async function(t) {
let e = await async function() {
let t = new Uint8Array(16);
crypto.getRandomValues(t);
let e = n(t.buffer) + Date.now() + Math.random();
return new Uint8Array((await async function(t) {
const e = (new TextEncoder).encode(t);
return await crypto.subtle.digest("SHA-256", e)
}(e)).slice(0, 16))
}();
var r = new URLSearchParams;
r.append("h", n(e.buffer)),
r.append("id", t);
var a = {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded"
},
body: r
};
let o = await fetch(i, a),
l = await o.arrayBuffer();
if (32 !== l.byteLength)
throw new Error("Invalid response");
let u = new Uint8Array(l.slice(0, 16)),
c = new Uint8Array(l.slice(16, 32));
return s(s(u, e), c)
})(r).then((t => {
l({
data: t.buffer
}, e, a)
}))
}由代码可知h由e算出,e是根据随机数和时间戳而定的即 逆向出e的值即可赋值hook
//t=e.buffer
function n(t) {
return [...new Uint8Array(t)].map((t => t.toString(16).padStart(2, "0"))).join("")
}
由函数n(t)可知,此过程为buffer转hex,所以目标h=7b10311e6e310f0df068d9ede10475a8的对应t->即e为
e=Hex2Uint8Array("7b10311e6e310f0df068d9ede10475a8")
crypto.getRandomValues(t);
let e = new Uint8Array("7b10311e6e310f0df068d9ede10475a8".match(/[\da-f]{2}/gi).map(function (h) {
return parseInt(h, 16)
}))
修改js,F5,结果如下
得到正确视频,注意s小写
视频提取工具感谢github作者 Momo707577045
https://github.com/Momo707577045/media-source-extract
视频过大,不进行上传
前排来学习了 学习了 学习了 学习一个 @QAQ~QL 这个也需要处理。
页:
[1]