Disclaimer: This article is for learning and discussion only. Use for illegal purposes, commercial activities, etc. is prohibited; otherwise you do so at your own risk. If anything here infringes, please let me know and it will be deleted. Thank you! This tutorial is not written for any specific website; it is purely technical research.
Table of contents
case analysis
Target case: aHR0cHM6Ly93d3cudml2by5jb20uY24vc2VydmljZS9tb2JpbGVQaG9uZUF1dGhlbnRpY2l0eUNoZWNrL2luZGV4
- The request corresponding to the interface and difficulty
a
c1's first request
c2's second request
v1's request
Parametric analysis
I have been a little busy recently and had no time to study. I have some time these two days, so I looked at the top image slider. This is a very weakened version; the main point is to learn a way of thinking.
By modifying the request, I found that the value of c can be left empty, and the same goes for t. ak is the product id, and aid is "dx-" plus a timestamp plus a random number; the other values can be fixed. In the response, p1 and p2 are the gap and the picture respectively, o is used to restore the picture, and sid is needed later.
So let's look at restoring the picture first. I located it here with a canvas breakpoint, and you can try setting that breakpoint yourself. This was covered in the previous slider article.
Then let's continue with the Param of v1 for the first time. Following the initiator and setting a breakpoint shows that these parameters are encrypted.
Here we can see that lid is generated as the time plus a function, which we can extract directly. The JS code I extracted for generating lid is below:
// 32 random characters drawn from a 62-symbol alphabet
function lid() {
    var a = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', u = [];
    for (var f = 0; f < 32; f++)
        u[f] = a.charAt(Math.floor(Math.random() * a.length));
    return u.join("");
}
// lid = millisecond timestamp + random suffix
function get_lid() {
    return (new Date).getTime() + lid();
}
console.log(get_lid());
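Python code
import math
import random
import time

def get_lid():
    # 32 random characters from the 62-symbol alphabet, as in the JS lid()
    a = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    rand = "".join(a[math.floor(random.random() * len(a))] for _ in range(32))
    # Prefix the millisecond timestamp, matching (new Date).getTime() + lid()
    return str(int(time.time() * 1000)) + rand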
You can see that the appKey is fixed; I refreshed many times to check.
Now let's look at the encryption of Param. It can be extracted as JS or Python. This is the JS version, for the first request.
// The two halves of the substituted alphabet; joined and reversed they give 65 symbols
var u = "=x1LItAH4sf8gp6ewnXQTiKuF_5EkC2m7WjdrM",
    f = "UlGhvYo3aRzcq-VPyJBb9NZOD0S";

// Reverse a string
function y(r) {
    return r.split("").reverse().join("");
}

// Base64-style encoding of r over the alphabet o (index 64 is the padding symbol)
function encode(r, o) {
    if (!r)
        return "";
    var i, a, u, f, c, s, l, g = "", p = 0;
    while (p < r.length) {
        i = r.charCodeAt(p++);
        a = r.charCodeAt(p++);
        u = r.charCodeAt(p++);
        f = i >> 2;
        c = (3 & i) << 4 | a >> 4;
        s = (15 & a) << 2 | u >> 6;
        l = 63 & u;
        // charCodeAt past the end returns NaN: pad the missing positions
        if (isNaN(a)) s = l = 64;
        else if (isNaN(u)) l = 64;
        g = g + o.charAt(f) + o.charAt(c) + o.charAt(s) + o.charAt(l);
    }
    return g;
}

function S(r) {
    return encode(JSON.stringify(r), y(u + f));
}

S({
    "lid": "", // lid
    "lidType": 1,
    "cache": true,
    "appKey": "" // appKey is fixed
}); // fill in the input parameters yourself
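The encode routine above is standard Base64 over a substituted 65-character alphabet, so a Param captured in traffic can be read back without any key. The following is an added example, not code from the original article: it translates between the two alphabets using Node's Buffer, and the sample lid and appKey values are constructed placeholders.

```javascript
// Alphabet halves copied from the article's JS; everything else here is added.
const U = "=x1LItAH4sf8gp6ewnXQTiKuF_5EkC2m7WjdrM";
const F = "UlGhvYo3aRzcq-VPyJBb9NZOD0S";
const CUSTOM = (U + F).split("").reverse().join(""); // index 64 is the pad "="
const STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

// Map every character from one 65-symbol alphabet to the other.
function translate(text, from, to) {
  let out = "";
  for (const ch of text) {
    const idx = from.indexOf(ch);
    if (idx === -1) throw new Error("character outside alphabet: " + ch);
    out += to[idx];
  }
  return out;
}

// Same output as the article's S() for ASCII-only JSON.
function encodeParam(obj) {
  const std = Buffer.from(JSON.stringify(obj), "latin1").toString("base64");
  return translate(std, STD, CUSTOM);
}

// Inverse: recover the JSON object from a captured Param string.
function decodeParam(param) {
  if (param.length % 4 !== 0) throw new Error("length is not a multiple of 4");
  const std = translate(param, CUSTOM, STD);
  return JSON.parse(Buffer.from(std, "base64").toString("latin1"));
}

// Constructed sample values, not taken from any real request.
const sample = {
  lid: "1700000000000" + "a".repeat(32),
  lidType: 1,
  cache: true,
  appKey: "CONSTRUCTED_APPKEY",
};
const wire = encodeParam(sample);
console.log(wire);
console.log(decodeParam(wire));
```

Because the transformation is a fixed substitution, the server side cannot treat a well-formed Param as evidence of a genuine client.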
For the second request's input parameters, the lid is the one generated above and can be used directly; the rest can basically be fixed, and then the encryption above is called. That finishes the two c1 requests. Now let's look at the v1 interface.
The ac function turns out to be reloaded after each encryption, and at the first ua it is found to be empty. This is where its detection happens, and this website has relatively few detections. Basically, once you are familiar with the process, everything revolves around this app, so we can look more closely at app. On the first pass we can see that what follows is the fingerprint. Continuing on to sendSA, we find that sa is encrypted: sa goes through recordSA, which then calls the app function. Here you can see that it is encrypting the slider gap, so that is the end!
You can use this to get familiar with the top image process; the second slider can still pass with normal scheduling. See you next time! Bye-bye!
Show results
first time
second time verification