【2022春节】解题领红包之番外篇 {Web 中级题}

QAQ~QL

思路

• 中级题,Web题,先搭起来看看
  

解压,文件为52tube.saz和52tube.wacz,saz为Fiddler文件,导入查看

发现为ts视频,查找key和iv在所有链接中/api/drm较为符合32位字串08A5E6C2C261A8ACB4D79C49AF160A3ADA4E5CEAE16FED46EB6F498C9B63D53B

但m3u8中为AES-128-CBC无iv加密,秘钥长度应为16位,遂排除直接解密,虚拟机模拟环境直接搭建

搭建完毕,打开页面,发现29秒视频,但加载失败

参考官网示例MEDIA_ERR_ABORTED - 取回过程被用户中止无法找到原因
遂下断点查看

[PHP] 纯文本查看 复制代码

//Uint8Array转字符串
const Uint8ArrayToString=function(fileData) {
        var dataString = "";
        for (var i = 0; i < fileData.length; i++) {
                dataString += String.fromCharCode(fileData[i]);
        }
        return dataString
}

//字符串转Uint8Array
const stringToUint8Array=function(str) {
        var arr = [];
        for (var i = 0, j = str.length; i < j; ++i) {
                arr.push(str.charCodeAt(i));
        }
        var tmpUint8Array = new Uint8Array(arr);
        return tmpUint8Array
}

//Uint8Array转Hex
const U8A2Hex=function(uint8Array) {
        return Array.prototype.map.call(uint8Array, (x) => ('00' + x.toString(16)).slice(-2)).join('');
}

//Hex转Uint8Array
const Hex2Uint8Array=function(hex){
        var typedArray = new Uint8Array(hex.match(/[\da-f]{2}/gi).map(function (h) {
                return parseInt(h, 16)
        }))
        return typedArray
}

//ArrayBuffer转Hex
const B2hex=function(buffer) {
        //return Array.prototype.map.call(new Uint8Array(buffer), x => ('00' + x.toString(16)).slice(-2)).join('');
        return Array.prototype.map.call(new Uint8Array(buffer), x => (x.toString(16)).slice(-2)).join('');
}

//Hex转ArrayBuffer
const Hex2ArrayBuffer=function(hex){
        var typedArray = new Uint8Array(hex.match(/[\da-f]{2}/gi).map(function (h) {
                return parseInt(h, 16)
        }))
        return typedArray.buffer
}

iv    : 000000000000000[0-7]key : ef8d9c7c7b31b626ab204804ae5852d3发现key值飘忽不定,否决前面的观点再次查看drm,发现为post方法,遂逐一检查method

除了该接口,其他都为get,此处的不小心下次一定改详查可知,ping通后继续访问drm,在此期间生成h和id

[PHP] 纯文本查看 复制代码

o.onSuccess = function(t, e, a) {
        (async function(t) {
                let e = await async function() {
                        let t = new Uint8Array(16);
                        crypto.getRandomValues(t);
                        let e = n(t.buffer) + Date.now() + Math.random();
                        return new Uint8Array((await async function(t) {
                                const e = (new TextEncoder).encode(t);
                                return await crypto.subtle.digest("SHA-256", e)
                        }(e)).slice(0, 16))
                }();
                var r = new URLSearchParams;
                r.append("h", n(e.buffer)),
                        r.append("id", t);
                var a = {
                        method: "POST",
                        headers: {
                                "Content-Type": "application/x-www-form-urlencoded"
                        },
                        body: r
                };
                let o = await fetch(i, a),
                        l = await o.arrayBuffer();
                if (32 !== l.byteLength)
                        throw new Error("Invalid response");
                let u = new Uint8Array(l.slice(0, 16)),
                        c = new Uint8Array(l.slice(16, 32));
                return s(s(u, e), c)
        })(r).then((t => {
                l({
                        data: t.buffer
                }, e, a)
        }))
}

由代码可知h由e算出,e是根据随机数和时间戳而定的即 逆向出e的值即可赋值hook

[PHP] 纯文本查看 复制代码

//t=e.buffer
function n(t) {
        return [...new Uint8Array(t)].map((t => t.toString(16).padStart(2, "0"))).join("")
}

由函数n(t)可知,此过程为buffer转hex,所以目标h=7b10311e6e310f0df068d9ede10475a8的对应t->即e为

[PHP] 纯文本查看 复制代码

e=Hex2Uint8Array("7b10311e6e310f0df068d9ede10475a8")

crypto.getRandomValues(t);
let e = new Uint8Array("7b10311e6e310f0df068d9ede10475a8".match(/[\da-f]{2}/gi).map(function (h) {
        return parseInt(h, 16)
}))

修改js,F5,结果如下

得到正确视频,注意s小写

视频提取工具感谢github作者 Momo707577045
https://github.com/Momo707577045/media-source-extract
视频过大,不进行上传

菠萝蜜

前排来学习了

じ☆ve不哭

学习了 学习了

Meiosis

学习一个

Hmily

@QAQ~QL 这个也需要处理。