[WEB reverse] Algorithm research on a certain sound

Directory

Process Analysis

remote call

fastapi implements the interface


Process Analysis

The first step in reverse encryption parameters, analysis process.

Point to the source code and breakpoint through the stack information.

The apply method can hijack the method of another object and inherit the properties of another object. The apply method receives two parameters
obj: This object will replace the this object in the Function class
args: This is an array, which will be passed to Function as a parameter

After the breakpoint, we can see that t = this is the XMLHttpRequest object. Observe the request. The _url of the current request object contains signature and x-bogus.

So now we need to find the request object without signature and x-bogus.

When debugging e.nativeXMLHttpRequestSend about 7 steps forward, I found a method related to XMLHttpRequest.

Put a breakpoint at the send at the end of the method, then let go of all requests, and retrigger the breakpoint.

At this point, it can be found that in the object of the breakpoint, _url does not contain two encrypted parameters.

Then F11 continues to go down, it can be seen that it has entered the confused webmssdk, and it has been given certain operations on the request object.

When F8 jumps out here and returns to the final nativeXMLHttpRequestSend, it can be found that two signatures have been generated in _url.

Only these two breakpoints are needed to analyze the general process. First construct an XMLRequest object, and then pass it to the method in webmssdk for encryption by rewriting the send method. After encryption, return to XMLHttpRequest.prototype.send and reset The send method completes the request.

Each function has a prototype attribute, which points to a prototype object, which contains methods and properties shared by function instances.
In layman's terms, when an object of a class is generated through new, the properties of the prototype object become the properties of the instantiated object. 

remote call

Now that we know how the parameters come from, we can use the RPC method to simulate the generation.

Although we haven’t caught up with the encrypted JS and haven’t seen the encryption method, but due to the particularity of the encryption process, it is called based on the method of manipulating the XMLRequest object, so we can reproduce the process to generate parameters

Don’t worry about local calls, just follow the steps to learn.

RPC refers to the remote call process between processes, which means that the local operation browser executes some JS methods and returns the results. 

After execution, check the content printed on the console.

When we send a request in the current environment, and the returned content contains a signed link, and we can see that the responseText has returned data, it means that the overall encryption and request are included in the send.

Therefore, this part of the code is simulated locally, for example, through selenium to operate chromderver to send a request in the website environment, and then simple collection can be performed.

(Continue reading if you are interested)

local calls

In the above analysis, the generation process of encryption parameters has been clarified, and the webmssdk file needs to be processed next.

Those who are willing to spend time can try to restore it, or debug it slowly.

Online deobfuscation site: cnlans.com:8887

We need to add XMLReuqest locally, execute the send method, and copy the code in webmssdk.js to run locally.

First copy webmssdk.js to run, and fill in the environment at the beginning according to the error report.

Error Request is not defined, supplement: Request = function Request() {};

Error Headers is not defined, supplement: Headers = function Headers() {};

Error document is not defined, complement: document = {}

Error window is not defined, supplement: window = {}

Error document.addEventListener is not a function, supplement: document.addEventListener = function () {}

Continue to run without error, add XMLReuqest code and send the request.

Although the code is running, it has not ended. There are setInterval and setTimeout methods in the code that are regularly executed.

setTimeout = function(){return function(){}};
setInterval = function(){};

After modifying the timer method, continue to run and find that no error is reported and no useful results are returned. It’s normal, after all, the environment of complementing is still {}.

Now fill in all the environmental information you know and see.

Such as screen, navigator, document, location, canvas, localStorage, sessionStorage, PluginArray, Image, etc.

As a result, there is still nothing after the completion. At this time, it is necessary to analyze the source code.

It can be seen from the local code breakpoint that req.send() ends once, and the method does not go to the code of webmssdk.js, indicating that our call was not successful.

Debug with the code in our first paragraph and set a breakpoint.

Execute the code to see how the breakpoint goes. Unlike our local execution, you can directly enter function _0x65f4c7() at present.

Now we need to compare the difference between the local and the browser. In such cases, there is usually a lack of environment, or there is some initial loading in the browser environment.

byted_acrawler is unique to this page. (mainly the earliest version requires byted_acrawler.init, so you can see it at a glance)

After adding init, run the code again.

window.byted_acrawler.init({
    aid: 6383,
    boe: false,
    enablePathList: ['/webcast/*', '/aweme/v1/', '/aweme/v2/*','/v1/message/send'],
    isSDK: false,
    region: "cn",
    v: false
});

Error: Cannot read properties of undefined (reading ‘onabort’)

Definition: XMLHttpRequest.prototype.upload = function (){}

Error: Cannot read properties of undefined (reading ‘init’)

It means that byted_acrawler is not defined in window, so there is no init.

So you can guess that the byted_acrawler in this code is not attached to the window we defined, either because of a lack of environment, or because the supplemented window does not match the this of the source code. Then add window = this; to point to the current moudles

Execute again and return the result successfully.

analysis results

After printing the result, it is found that the url loaded after send is carried in the onload of req, and it can be found that after two calculations, X-Bogus and _signature are added respectively.

After the local can be successfully called, you can start to restore this set of calling processes, and put a breakpoint to debug and restore. I will not write this part.

This article is mainly for writing tutorials, and the value can be generated by supplementing the figure below, but there is no guarantee that the request will be successful.

It is too torturous to use text descriptions to supplement the environment. After all, there are many things to supplement, and some simple ones are skipped. Try it yourself, take care!

fastapi implements interface

It involves research technical issues. If you think the article is better, please give me some attention.

This article is just a technical discussion, please let me know if it affects you,