最新版X-Gorgon加密
这两天看了一下该短视频 App 的加密(即 X-Gorgon 等请求签名头的生成):先降级协议,顺利抓到包;通过关键字找不到加密的位置,于是换个思路,用 HashMap 找到调用加密的地方;生成 X-Gorgon 后请求了一下接口,没想到很顺利地就出来了,这里简短记录一下。
请求模块:
import json
from copy import deepcopy
import requests
from dy_rpc import start_hook
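# Request headers taken from one captured request. Most entries are redacted in
# the listing (shown there as "##"). The x-* values kept here are samples from
# that capture; all six are overwritten below before the request is sent.
headers = {
    # ## (entries redacted in the original listing)
    "x-ladon": "lVArMWxRo3VXMRLJDRZQegNix0Jt6GBbLAei/PGuGM71GQKl",
    "x-khronos": "1682566202",
    "x-argus": "zxeHs6QZ12yTZo1aG3owFLOhSmTjjTIwVNf8UaSQvGhulshyn24SLV3AbLe6XtV0l+p6x1QLGQXP/GcOKwz+bOY8teVgCM3K6zui9D+jcxYQCojbDdBRkiddGUVSJoL3A1BkL7FYfLL2KMiVdoxV7DEnKC2bqkdAml+ImVujSlL4K1s6de0/8tCqCrbc6Qq5V4IJ1XCDAFrm7eJ2dmCP6HIOT2htkVp+0IJ/0hROkW2Jolk7I5de8rALEB2LIZ0j/RT9v6/NieYtJBzDIohBGS66gvDGMKCuPKco1mo1o1lQ0g==",
    "x-gorgon": "840400f500011c78ad1d86c2ab672d1e412d3ccbb96c63df2333",
    "x-helios": "AmfWGkG0VScQpMZ3+hoEwLuVQrMCYQGy7Ty1tk6ZyUo7be2K",
    "x-medusa": "OOxJZAyA3AgPnhP/3jhUAfJUMELwTpCEWUw5GEUn0JWCeVFrIxBD/vrRefnHyacT3KimcMt3J2dJ+ISVVB1PcbL3PYrMo6hDVsM5GDJhOJnknw5bf0xu1bf57Oe5+nJVE2M6vOd6GyLwCmANj8sqN0SOLISX9/o0mH9aUaJVPFR/L/QvsPph9SWQZm7EHCnp4Zq6pZCQjiH8/df9WNPka8pkSzPKulaCfiMDRxpEp2Dm3PI7BrtYDnqTSj2OR9n3rGhcSOx4kB73h/cMpy8dU4VDNFixE0PXIZmfLbfF0k0D52fcUBSx089xZWT6vRcXa5UJ3ph+chkdA8ViQh+8jnex1DWFBD005//tDsK7s9YlFNdqxrA="
}
cookies = {
    # ## (entries redacted in the original listing)
}

# Working copy handed to the RPC helper, with Host and the previously captured
# values removed so that `headers` itself stays intact until the new values
# are written back.
headers_now = deepcopy(headers)
for stale_name in ('Host', 'x-ladon', 'x-khronos', 'x-argus', 'x-gorgon', 'x-medusa'):
    # The default keeps a missing key from raising KeyError; no 'Host' entry
    # is visible among the unredacted headers.
    headers_now.pop(stale_name, None)
# NOTE(review): 'x-helios' is not removed here although it is replaced below
# like the other five; confirm that this is intended.
headers_now["accept-encoding"] = "gzip"

url = ""  # target URL is left blank in the listing

# start_hook is expected to yield exactly six values, in this order.
ladon, khronos, argus, gorgon, helios, medusa = start_hook(url, headers_now)
headers.update({
    "x-ladon": ladon,
    "x-khronos": khronos,
    "x-argus": argus,
    "x-gorgon": gorgon,
    "x-helios": helios,
    "x-medusa": medusa,
})

# Without a timeout, requests waits indefinitely on an unresponsive server.
response = requests.get(url, headers=headers, cookies=cookies, timeout=10)
print(response.text)
print(response)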
通过rpc调用获取加密参数
dy_rpc:
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# python 3.8
import datetime
import hashlib
import json
import re
import time
import uuid
from urllib.parse import urlencode
import frida
import requests
def on_message(message, data):
    """Print one message delivered by the Frida script.

    A message whose ``'type'`` is ``'send'`` has its ``'payload'`` printed with
    a ``[*]`` prefix. For any other type, *data* is printed first and then the
    whole *message* dict.
    """
    # NOTE(review): the listing lost its indentation; both trailing prints are
    # assumed to belong to the non-'send' branch.
    is_send = message['type'] == 'send'
    if not is_send:
        print(data)
        print(message)
        return
    payload = message['payload']
    print("[*] {0}".format(payload))
def frida_rpc(session):
    """Create the agent script on *session*, load it, and return the script.

    The agent source exports a single RPC method, ``para(StrUrl, headers)``,
    which returns an object whose ``"result"`` key is set inside the
    ``Java.choose`` ``onMatch`` callback. ``on_message`` is registered as the
    handler for messages from the script.
    """
    # JavaScript source of the agent. In this listing the class name is
    # redacted as "##" and the actual call is replaced by a placeholder
    # comment, so `res` is never assigned in the visible JS. The string is
    # kept exactly as published.
    agent_source = '''
rpc.exports = {
para: function(StrUrl, headers) {
var ret = {};
Java.perform(function() {
Java.choose("##",{
onMatch: function(instance){
// rpc调用代码
res = res.toString();
ret["result"] = res;
},
onComplete: function(){
//console.log('******js load over*****')
}
})
})
return ret;
}
};
'''
    loaded = session.create_script(agent_source)
    # The handler is registered before load().
    loaded.on('message', on_message)
    loaded.load()
    return loaded
# Device initialisation. This runs at module level, so the attach happens once,
# when the module is imported.
device_name = ''  # device id is left blank in the listing
print('手机: {}'.format(device_name))
device = frida.get_device(device_name)
process = device.attach('dy')
# Loaded script handle; start_hook() calls the agent's exports through it.
res = frida_rpc(process)
def start_hook(urls, h_dict):
    """Call the agent's exported ``para`` method and return its ``'result'``.

    *urls* and *h_dict* are forwarded unchanged through the module-level
    ``res`` script handle. A reply without a ``'result'`` key raises KeyError.
    """
    # NOTE(review): the agent JS shown in this module sets "result" to a single
    # string (res.toString()), while the request script unpacks six values from
    # this return value. The step that connects the two is not visible here.
    reply = res.exports.para(urls, h_dict)
    return reply['result']
#
# if __name__ == "__main__":
# pass
记录一下请求结果