Little red book timestamp2 (2022 / 04 / 22)

Received group friend message , The little red book timestamp2 Updated .

Slider problem

It is recommended to delete... During debugging timestamp2 Just go , Don't put all of cookie All deleted , Otherwise, enter the infinite slider . Although only delete timestamp2, The generated parameter values are the same .

When you turn on the console , Put this div Delete and drag .

If you still enter the infinite slider link , Replace IP, It will be unsealed later .

Interface Analysis

Previous registerCanvas The interface has also been updated ,FormData Medium sign Encrypted .

timestamp2 Now the server returns , When you request, you only need to carry timestamp2.

Sign analysis

Take out the ancestral XHR The breakpoint . Input ： /v2/shield/registerCanvas , Delete timestamp2 Refresh the page

Take two steps back , You can see the parameters i and u.

Corresponding id and sign.

stay call stack Middle down debugging .

eureka u = I.qrTqB(l, I.PNXDL, JSON[r(1347)](i)) , Print out all the parameters and have a look .

namely ：

So the deduction process should be like this

After a while of analysis , Find the key position in I[o(1159)](function(n, t, e) {} here .

I.“uPhZo” = function(n, t, e, r) { return n(t, e, r) },

So the final call is shown in the figure below ：

eyJ1c2VyQWdlbnQiOiJNb3ppbGxh yes Browser parameters base64 Later results .

 '{"userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36","webdriver":false,"language":"zh-CN","colorDepth":24,"deviceMemory":8,"hardwareConcurrency":8,"screenResolution":"1920;1080","availableScreenResolution":"1920;1040","timezoneOffset":-480,"timezone":"Asia/Shanghai","sessionStorage":1,"localStorage":1,"indexedDb":1,"openDatabase":1,"cpuClass":"unknown","platform":"Win32","plugins":["PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf","Chrome PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf","Chromium PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf","Microsoft Edge PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf","WebKit built-in PDF::Portable Document Format::application/pdf~pdf,text/pdf~pdf"],"canvas":"10cfbbb02b2606dbc2ccb15a3cd2b558","adBlock":false,"hasLiedLanguages":false,"hasLiedResolution":false,"hasLiedOs":false,"hasLiedBrowser":false,"touchSupport":"0;false;false","fonts":"4;7;8","audio":"124.04347527516074"}'  

Deduction code supplement environment

H There are encryption and decryption related variable names in .

In the parameter, it will be judged that encrypt still decrypt, The encryption method will eventually come to case 9 in return T in .

On the problem of complement variable name , You can write a regular unified replacement .

Process summary

Sign The generation process is to put the browser information first base64, Then encrypt to get k,s, And then k and s adopt FbmlO The method is spliced to get b, Then on b Then encrypt to get the final sign value .

The code will be posted later , Link to the original text ： http://t.c