某短视频的X-Gorgon，X-Ladon等加密

最新版X-Gorgon加密

这两天看了下该短视频的加密，先降级协议，顺利抓包，通过关键字是找不到加密的地方的，换下思路，用Hashmap找到调用加密的地方，生成X-Gorgon后请求一下接口的，没想到很顺利的就出来了，简短的记录一下。

请求模块：

import json
from copy import deepcopy
import requests
from dy_rpc import start_hook

headers = {
    ##
    ##
    ##
    "x-ladon": "lVArMWxRo3VXMRLJDRZQegNix0Jt6GBbLAei/PGuGM71GQKl",
    "x-khronos": "1682566202",
    "x-argus": "zxeHs6QZ12yTZo1aG3owFLOhSmTjjTIwVNf8UaSQvGhulshyn24SLV3AbLe6XtV0l+p6x1QLGQXP/GcOKwz+bOY8teVgCM3K6zui9D+jcxYQCojbDdBRkiddGUVSJoL3A1BkL7FYfLL2KMiVdoxV7DEnKC2bqkdAml+ImVujSlL4K1s6de0/8tCqCrbc6Qq5V4IJ1XCDAFrm7eJ2dmCP6HIOT2htkVp+0IJ/0hROkW2Jolk7I5de8rALEB2LIZ0j/RT9v6/NieYtJBzDIohBGS66gvDGMKCuPKco1mo1o1lQ0g==",
    "x-gorgon": "840400f500011c78ad1d86c2ab672d1e412d3ccbb96c63df2333",
    "x-helios": "AmfWGkG0VScQpMZ3+hoEwLuVQrMCYQGy7Ty1tk6ZyUo7be2K",
    "x-medusa": "OOxJZAyA3AgPnhP/3jhUAfJUMELwTpCEWUw5GEUn0JWCeVFrIxBD/vrRefnHyacT3KimcMt3J2dJ+ISVVB1PcbL3PYrMo6hDVsM5GDJhOJnknw5bf0xu1bf57Oe5+nJVE2M6vOd6GyLwCmANj8sqN0SOLISX9/o0mH9aUaJVPFR/L/QvsPph9SWQZm7EHCnp4Zq6pZCQjiH8/df9WNPka8pkSzPKulaCfiMDRxpEp2Dm3PI7BrtYDnqTSj2OR9n3rGhcSOx4kB73h/cMpy8dU4VDNFixE0PXIZmfLbfF0k0D52fcUBSx089xZWT6vRcXa5UJ3ph+chkdA8ViQh+8jnex1DWFBD005//tDsK7s9YlFNdqxrA="
}
cookies = {
##
##
}
headers_now = deepcopy(headers)
headers_now.pop('Host')
headers_now.pop('x-ladon')
headers_now.pop('x-khronos')
headers_now.pop('x-argus')
headers_now.pop('x-gorgon')
headers_now.pop('x-medusa')
headers_now["accept-encoding"] = "gzip"

url = ""

ladon, khronos, argus, gorgon, helios, medusa = start_hook(url, headers_now)
headers["x-ladon"] = ladon
headers["x-khronos"] = khronos
headers["x-argus"] = argus
headers["x-gorgon"] = gorgon
headers["x-helios"] = helios
headers["x-medusa"] = medusa
response = requests.get(url, headers=headers, cookies=cookies)

print(response.text)
print(response)

通过rpc调用获取加密参数
dy_rpc:

#!/usr/bin/python3
# -*- coding: utf-8 -*-
# python 3.8
import datetime
import hashlib
import json
import re
import time
import uuid
from urllib.parse import urlencode
import frida
import requests


def on_message(message, data):
    if message['type'] == 'send':

        print("[*] {0}".format(message['payload']))

    else:
        print(data)
        print(message)


def frida_rpc(session):
    # hook相关js代码
    rpc_hook_js = '''
        rpc.exports = {
            para: function(StrUrl, headers) {
                var ret = {};
                Java.perform(function() {
                    Java.choose("##",{
                    onMatch: function(instance){
               		//  rpc调用代码
                    res = res.toString();
                    ret["result"] = res;
                                            },
                    onComplete: function(){
                        //console.log('******js load over*****')
                                            }

                                                                     })
                                        })
                                        return ret;
                                                                                }
                };
            '''
    script = session.create_script(rpc_hook_js)
    script.on('message', on_message)
    script.load()
    return script


# 初始化设备, 仅attach一次
device_name = ''
print('手机: {}'.format(device_name))
process = frida.get_device(device_name).attach('dy')
res = frida_rpc(process)


def start_hook(urls, h_dict):
    # 传参
    result_hook = res.exports.para(urls, h_dict)
    data = result_hook['result']
    return data

#
# if __name__ == "__main__":
#     pass

记录一下请求结果