某药平台的ex1参数逆向

请求抓包:

POST /special-topic/pc-vert/getVertDetails/v4180 HTTP/1.1 Host: dian.ysbang.cn Connection: keep-alive Content-Length: 179 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="102", "Google Chrome";v="102" Accept: */* Content-Type: application/json sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36 sentry-trace: 9c5b69199bc245ac9f1e58372b918b4c-9bc24694271a88a3-1 sec-ch-ua-platform: "Windows" Origin: https://dian.ysbang.cn Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://dian.ysbang.cn/ Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9 Cookie: sensorsdata2015jssdkcross=%7B%22distinct_id%22%3A%221847a5d9161728-0a8f8e80cec43b8-26021b51-2073600-1847a5d9162ad%22%2C%22first_id%22%3A%22%22%2C%22props%22%3A%7B%22%24latest_traffic_source_type%22%3A%22%E5%BC%95%E8%8D%90%E6%B5%81%E9%87%8F%22%2C%22%24latest_search_keyword%22%3A%22%E6%9C%AA%E5%8F%96%E5%88%B0%E5%80%BC%22%2C%22%24latest_referrer%22%3A%22https%3A%2F%2Fkb.yuncai998.com%2F%22%7D%2C%22identities%22%3A%22eyIkaWRlbnRpdHlfY29va2llX2lkIjoiMTg0N2E1ZDkxNjE3MjgtMGE4ZjhlODBjZWM0M2I4LTI2MDIxYjUxLTIwNzM2MDAtMTg0N2E1ZDkxNjJhZCJ9%22%2C%22history_login_id%22%3A%7B%22name%22%3A%22%22%2C%22value%22%3A%22%22%7D%2C%22%24device_id%22%3A%221847a5d9161728-0a8f8e80cec43b8-26021b51-2073600-1847a5d9162ad%22%7D; rcfp=bcb430d5f1f8433fa1495b11080f20fc75bd

{"platform":"pc","version":"5.18.0","ua":"Chrome102","ex":"2022-10-31 10:3 login 11-16 14:18:46 11-16 14:18:46","trafficType":0,"ex1":"3sqgij7g2","authcode":"123456","types":[41]}

搜索关键参数:trafficType

定位到代码:


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
case 12:
    return void 0 === t.data && (t.data = {}),
    console.log("test=>", f.Z.currentRoute.query.trafficType),
    n = E(n = {
        platform: "pc",
        version: "5.18.0",
        ua: (0,
        p.Vk)().browserName + (0,
        p.Vk)().version,
        ex: "2022-10-31 10:3 " + (f.Z.currentRoute && f.Z.currentRoute.name || "") + " ".concat(_()(V).format("MM-DD HH:mm:ss"), " ").concat(_()().format("MM-DD HH:mm:ss")),
        trafficType: Number(f.Z.currentRoute.query.trafficType || "0")
    }),
    t.data = Object.assign(n, t.data),
    "post" === t.method && (0,
    d.LP)() && !t.data.token && (t.data.token = (0,
    d.LP)()),
    "get" === t.method && (t.params = t.data,
    (0,
    d.LP)() && !t.data.token && (t.params.token = (0,
    d.LP)(),
    t.data.token = (0,
    d.LP)())),
    u.Z.getters.token && (t.headers["X-Token"] = (0,
    d.LP)()),
    e.abrupt("return", t);

打印E函数,定位到E函数代码:


1
2
3
4
5
6
7
8
9
10
11
12
function E() {
    var e = arguments.length > 0 && void 0 !== arguments[0] ? arguments[0] : {}
      , t = "e"
      , n = "x"
      , a = "1"
      , r = w();
    return e[t + n + a] = O(r),
    t = null,
    n = null,
    a = null,
    e
}

打印w函数,定位到w函数代码:


1
2
3
function w() {
    return String(parseInt((new Date).getTime()) + u.Z.getters.systemTimeDValue)
}

打印O函数,定位到O函数代码:


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
function O(e) {
    for (var t = T.wR.split("").map((function(e) {
        return Number(e)
    }
    )), n = e.split("").map((function(e) {
        return Number(e)
    }
    )), a = 7 * n.reduce((function(e, t) {
        return e + t
    }
    ), 0) % 10, r = [], o = 0, i = 0; i < n.length; i++)
        r[i] = (n[i] + t[o]) % 10,
        o = (o + 1) % t.length;
    for (var c = t.length % n.length, s = Array.apply(null, {
        length: 10
    }), l = 0; l < c; l++)
        s[l] = r[r.length - l - 1];
    s[c] = a;
    for (var u = c + 1; u < r.length + 1; u++)
        s[u] = r[r.length - u];
    return P(s.join(""))
}

打印参数T.wR,得到具体数值:


1
T.wR="9527"

打印P函数,定位到P函数代码:


1
2
3
4
5
6
7
8
9
10
11
12
function P(e) {
    for (var t = [], n = function() {
        for (var e = [], t = 0; t < 36; t++)
            t >= 0 && t <= 9 ? e.push(t) : e.push(String.fromCharCode(t + 87));
        return e
    }(); e; ) {
        var a = e % 36;
        t.unshift(n[a]),
        e = parseInt(e / 36)
    }
    return t.join("")
}

至此全部所需函数整理完毕。

归纳总结ex1参数算法:

w函数得到13位时间戳

再调用O函数传入时间戳算出ex1参数

----------------------------------------------------------------------------------------------------
文章内容仅用作技术探讨研究,禁止他用!
若相关单位认为文章内容不适合公开发表,请联系站长删除!
----------------------------------------------------------------------------------------------------
上一篇
下一篇