Recap
In the previous part, we obtained every parameter except _signature. In this article, we analyze what the _signature parameter does and how its value is obtained.
Parameter meaning
Judging from its name, the _signature parameter is the signature of the interface call, used to verify that the request comes from a legitimate source.
_signature parameter source and analysis
As before, we start by searching the source code in the browser's debugging tools.
The search shows that _signature is in index.98ac6f5d.js.
The assignment is performed on line 1289 of the file.
data['_signature'] = signature; // See readme@note 1.
signature = (0, _bytedAcrawler.sign)(nonce);
From the context, the nonce parameter is sec_uid, and the signature is computed from it, so there should be an encryption algorithm behind it. We keep looking:
var _bytedAcrawler = __webpack_require__("9bd2804C7e68ac461d65");
The module is imported through a require call in the file index.98ac6f5d.js. We find the body of this method on line 66.
The method is called with the fixed parameter 9bd2804C7e68ac461d65. We use this parameter to search the front-end code again and find the following in vendor. The corresponding method body should be what generates the signature. This code has been encrypted and obfuscated, so we cannot see its logic. Let's try to run this code.
After some time spent trying, we managed to deobfuscate part of the code back into readable form, but splitting this code out directly to run it locally is difficult. So we change our approach: save the page files locally through the browser, try running them in the browser, and then try to split out the code we need.
After saving, we have local copies of the two core JS files found by searching in the browser.
Next, we go to the corresponding place in the code and add an alert line to debug it. The nonce originally comes from the URL; since I am opening the HTML file without parameters, I put a fixed value here.
Opening the HTML page in the browser, we find that the signature value we need pops up, and that it changes every time we refresh the page.
The code that generates the signature runs locally without any problems, which means the code can be split out. Let's try calling the interface with this signature value.
The call returns the content successfully. After generating and substituting the signature several times, the calls show no problems, which indicates that this approach is feasible.
At this point, all the parameters required to call the works-list interface have been obtained, and the more complex interface analysis part has come to an end. Starting with the next part, I will share how the download functionality is implemented.