
携程token纯算分析

1.入口定位

1.1 搜索window.signature
在这里插入图片描述

2.纯算分析

2.1 插桩点

  • 个人习惯的插桩位置为apply以及基础运算。做出来后发现不需要那么多的运算,只需要以下插桩点即可

  • 减法
    在这里插入图片描述

  • apply
    在这里插入图片描述

  • 乘法
    在这里插入图片描述

  • 取余
    在这里插入图片描述

2.2 数据分析

2.2.1初始化数据

  • 一开始没关注这些数据,在开头的地方有几个初始化数据,需要记录
  • S9mHXtfaMsZ6DNkgTnL5F0dzpb1lPAocQ8BGh47UqO3
    在这里插入图片描述
  • eIrWRYiEJwyjvxK
    在这里插入图片描述

2.2.2.开始寻找第一次数据组合位置

  • 数据信息
    在这里插入图片描述
  • 分析后发现
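// Inputs that the walkthrough found being combined in the first step.

// Current time in milliseconds since the Unix epoch.
var timestamp = Date.now();
// User-Agent string, hard-coded here to one desktop Chrome value.
var ua = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36';
// Value of the UBT_VID cookie.
// NOTE(review): `cookie` is not defined in this snippet; presumably it holds a
// "name=value; name=value" cookie string - confirm against the caller.
// The entry is matched by its exact name (a substring match would also accept
// any other cookie whose name or value merely contains "UBT_VID"), surrounding
// whitespace is trimmed, and everything after the first '=' is kept so a value
// that itself contains '=' is not truncated. When the cookie is absent the
// result is undefined rather than a TypeError from calling .split on undefined.
var UBT_VID = cookie
  .split(';')
  .map(item => item.trim())
  .filter(item => item.startsWith('UBT_VID='))
  .map(item => item.slice('UBT_VID='.length))[0];
// Random UUID; crypto.randomUUID() already returns a string, so no toString().
var uuid = crypto.randomUUID();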
  • uuid生成截图
    在这里插入图片描述

  • 接下来对str做了一个charcodeat的循环
    在这里插入图片描述

  • 循环完成后,会看到如下图所示内容在这里插入图片描述

  • 这个数组和md5魔法数字
    [1732584193, -271733879, -1732584194, 271733878, 1030517365, 7, -680876936]有些相似

  • 推测为md5魔改数组,从全球最大同性交友平台扣一个代码下来,对前四个初始值进行替换

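/**
 * Hash a string with an MD5 variant whose initial chaining values were altered.
 *
 * The round functions, shifts and additive constants are those of the
 * well-known JavaScript MD5 implementation this listing was copied from; only
 * the first two of the four initial state words (a and b) differ from the
 * standard ones, so the result does NOT match a standard MD5 digest of the
 * same input.
 *
 * Review notes:
 * - The pasted listing had its line breaks collapsed, which left `//` comments
 *   swallowing the code after them and `var` statements with no separator.
 *   The code is laid out one statement per line again here.
 * - Helpers that hex_md5 never reaches (base-64 / arbitrary-alphabet output,
 *   HMAC, UTF-16 encoders, the self-test) were dropped; the returned value is
 *   unchanged.
 * - MD5 is not collision resistant, and changing its initial values adds no
 *   secrecy when the constants ship in client-side code. Treat the output as
 *   an obfuscated checksum, not as an authenticator.
 *
 * @param {string} instring - Text to hash; it is UTF-8 encoded before hashing.
 * @returns {string} 32 lowercase hexadecimal characters.
 */
function MD5_Encrypt(instring) {
  var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */

  /* Hex digest of a string: UTF-8 encode, hash, hex encode. */
  function hex_md5(s) {
    return rstr2hex(rstr_md5(str2rstr_utf8(s)));
  }

  /* Calculate the (modified) MD5 of a raw string, one byte per character. */
  function rstr_md5(s) {
    return binl2rstr(binl_md5(rstr2binl(s), s.length * 8));
  }

  /* Convert a raw string to a hex string. */
  function rstr2hex(input) {
    var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
    var output = "";
    for (var i = 0; i < input.length; i++) {
      var x = input.charCodeAt(i);
      output += hex_tab.charAt((x >>> 4) & 0x0F) + hex_tab.charAt(x & 0x0F);
    }
    return output;
  }

  /*
   * Encode a string as utf-8.
   * For efficiency, this assumes the input is valid utf-16.
   */
  function str2rstr_utf8(input) {
    var output = "";
    var i = -1;
    var x, y;
    while (++i < input.length) {
      /* Decode utf-16 surrogate pairs */
      x = input.charCodeAt(i);
      y = i + 1 < input.length ? input.charCodeAt(i + 1) : 0;
      if (0xD800 <= x && x <= 0xDBFF && 0xDC00 <= y && y <= 0xDFFF) {
        x = 0x10000 + ((x & 0x03FF) << 10) + (y & 0x03FF);
        i++;
      }
      /* Encode output as utf-8 */
      if (x <= 0x7F) {
        output += String.fromCharCode(x);
      } else if (x <= 0x7FF) {
        output += String.fromCharCode(
          0xC0 | ((x >>> 6) & 0x1F),
          0x80 | (x & 0x3F));
      } else if (x <= 0xFFFF) {
        output += String.fromCharCode(
          0xE0 | ((x >>> 12) & 0x0F),
          0x80 | ((x >>> 6) & 0x3F),
          0x80 | (x & 0x3F));
      } else if (x <= 0x1FFFFF) {
        output += String.fromCharCode(
          0xF0 | ((x >>> 18) & 0x07),
          0x80 | ((x >>> 12) & 0x3F),
          0x80 | ((x >>> 6) & 0x3F),
          0x80 | (x & 0x3F));
      }
    }
    return output;
  }

  /*
   * Convert a raw string to an array of little-endian words.
   * Characters >255 have their high-byte silently ignored.
   */
  function rstr2binl(input) {
    var output = Array(input.length >> 2);
    for (var i = 0; i < output.length; i++) {
      output[i] = 0;
    }
    for (var j = 0; j < input.length * 8; j += 8) {
      output[j >> 5] |= (input.charCodeAt(j / 8) & 0xFF) << (j % 32);
    }
    return output;
  }

  /* Convert an array of little-endian words to a string. */
  function binl2rstr(input) {
    var output = "";
    for (var i = 0; i < input.length * 32; i += 8) {
      output += String.fromCharCode((input[i >> 5] >>> (i % 32)) & 0xFF);
    }
    return output;
  }

  /* Calculate the hash of an array of little-endian words, and a bit length. */
  function binl_md5(x, len) {
    /* append padding */
    x[len >> 5] |= 0x80 << ((len) % 32);
    x[(((len + 64) >>> 9) << 4) + 14] = len;

    /*
     * Initial state. Standard MD5 starts from
     *   a = 1732584193, b = -271733879, c = -1732584194, d = 271733878.
     * Here a and b are changed; c is the standard value written as an unsigned
     * number and d is unchanged. Values above 2^31 are fine because every use
     * goes through 32-bit bitwise operators.
     */
    var a = 1732584201;
    var b = 4023233415;
    var c = 2562383102;
    var d = 271733878;

    for (var i = 0; i < x.length; i += 16) {
      var olda = a;
      var oldb = b;
      var oldc = c;
      var oldd = d;

      /* Round 1 */
      a = md5_ff(a, b, c, d, x[i + 0], 7, -680876936);
      d = md5_ff(d, a, b, c, x[i + 1], 12, -389564586);
      c = md5_ff(c, d, a, b, x[i + 2], 17, 606105819);
      b = md5_ff(b, c, d, a, x[i + 3], 22, -1044525330);
      a = md5_ff(a, b, c, d, x[i + 4], 7, -176418897);
      d = md5_ff(d, a, b, c, x[i + 5], 12, 1200080426);
      c = md5_ff(c, d, a, b, x[i + 6], 17, -1473231341);
      b = md5_ff(b, c, d, a, x[i + 7], 22, -45705983);
      a = md5_ff(a, b, c, d, x[i + 8], 7, 1770035416);
      d = md5_ff(d, a, b, c, x[i + 9], 12, -1958414417);
      c = md5_ff(c, d, a, b, x[i + 10], 17, -42063);
      b = md5_ff(b, c, d, a, x[i + 11], 22, -1990404162);
      a = md5_ff(a, b, c, d, x[i + 12], 7, 1804603682);
      d = md5_ff(d, a, b, c, x[i + 13], 12, -40341101);
      c = md5_ff(c, d, a, b, x[i + 14], 17, -1502002290);
      b = md5_ff(b, c, d, a, x[i + 15], 22, 1236535329);

      /* Round 2 */
      a = md5_gg(a, b, c, d, x[i + 1], 5, -165796510);
      d = md5_gg(d, a, b, c, x[i + 6], 9, -1069501632);
      c = md5_gg(c, d, a, b, x[i + 11], 14, 643717713);
      b = md5_gg(b, c, d, a, x[i + 0], 20, -373897302);
      a = md5_gg(a, b, c, d, x[i + 5], 5, -701558691);
      d = md5_gg(d, a, b, c, x[i + 10], 9, 38016083);
      c = md5_gg(c, d, a, b, x[i + 15], 14, -660478335);
      b = md5_gg(b, c, d, a, x[i + 4], 20, -405537848);
      a = md5_gg(a, b, c, d, x[i + 9], 5, 568446438);
      d = md5_gg(d, a, b, c, x[i + 14], 9, -1019803690);
      c = md5_gg(c, d, a, b, x[i + 3], 14, -187363961);
      b = md5_gg(b, c, d, a, x[i + 8], 20, 1163531501);
      a = md5_gg(a, b, c, d, x[i + 13], 5, -1444681467);
      d = md5_gg(d, a, b, c, x[i + 2], 9, -51403784);
      c = md5_gg(c, d, a, b, x[i + 7], 14, 1735328473);
      b = md5_gg(b, c, d, a, x[i + 12], 20, -1926607734);

      /* Round 3 */
      a = md5_hh(a, b, c, d, x[i + 5], 4, -378558);
      d = md5_hh(d, a, b, c, x[i + 8], 11, -2022574463);
      c = md5_hh(c, d, a, b, x[i + 11], 16, 1839030562);
      b = md5_hh(b, c, d, a, x[i + 14], 23, -35309556);
      a = md5_hh(a, b, c, d, x[i + 1], 4, -1530992060);
      d = md5_hh(d, a, b, c, x[i + 4], 11, 1272893353);
      c = md5_hh(c, d, a, b, x[i + 7], 16, -155497632);
      b = md5_hh(b, c, d, a, x[i + 10], 23, -1094730640);
      a = md5_hh(a, b, c, d, x[i + 13], 4, 681279174);
      d = md5_hh(d, a, b, c, x[i + 0], 11, -358537222);
      c = md5_hh(c, d, a, b, x[i + 3], 16, -722521979);
      b = md5_hh(b, c, d, a, x[i + 6], 23, 76029189);
      a = md5_hh(a, b, c, d, x[i + 9], 4, -640364487);
      d = md5_hh(d, a, b, c, x[i + 12], 11, -421815835);
      c = md5_hh(c, d, a, b, x[i + 15], 16, 530742520);
      b = md5_hh(b, c, d, a, x[i + 2], 23, -995338651);

      /* Round 4 */
      a = md5_ii(a, b, c, d, x[i + 0], 6, -198630844);
      d = md5_ii(d, a, b, c, x[i + 7], 10, 1126891415);
      c = md5_ii(c, d, a, b, x[i + 14], 15, -1416354905);
      b = md5_ii(b, c, d, a, x[i + 5], 21, -57434055);
      a = md5_ii(a, b, c, d, x[i + 12], 6, 1700485571);
      d = md5_ii(d, a, b, c, x[i + 3], 10, -1894986606);
      c = md5_ii(c, d, a, b, x[i + 10], 15, -1051523);
      b = md5_ii(b, c, d, a, x[i + 1], 21, -2054922799);
      a = md5_ii(a, b, c, d, x[i + 8], 6, 1873313359);
      d = md5_ii(d, a, b, c, x[i + 15], 10, -30611744);
      c = md5_ii(c, d, a, b, x[i + 6], 15, -1560198380);
      b = md5_ii(b, c, d, a, x[i + 13], 21, 1309151649);
      a = md5_ii(a, b, c, d, x[i + 4], 6, -145523070);
      d = md5_ii(d, a, b, c, x[i + 11], 10, -1120210379);
      c = md5_ii(c, d, a, b, x[i + 2], 15, 718787259);
      b = md5_ii(b, c, d, a, x[i + 9], 21, -343485551);

      /* Feed the block's result forward into the chaining state. */
      a = safe_add(a, olda);
      b = safe_add(b, oldb);
      c = safe_add(c, oldc);
      d = safe_add(d, oldd);
    }
    return [a, b, c, d];
  }

  /* These functions implement the four basic operations the algorithm uses. */
  function md5_cmn(q, a, b, x, s, t) {
    return safe_add(bit_rol(safe_add(safe_add(a, q), safe_add(x, t)), s), b);
  }
  function md5_ff(a, b, c, d, x, s, t) {
    return md5_cmn((b & c) | ((~b) & d), a, b, x, s, t);
  }
  function md5_gg(a, b, c, d, x, s, t) {
    return md5_cmn((b & d) | (c & (~d)), a, b, x, s, t);
  }
  function md5_hh(a, b, c, d, x, s, t) {
    return md5_cmn(b ^ c ^ d, a, b, x, s, t);
  }
  function md5_ii(a, b, c, d, x, s, t) {
    return md5_cmn(c ^ (b | (~d)), a, b, x, s, t);
  }

  /*
   * Add integers, wrapping at 2^32. This uses 16-bit operations internally
   * to work around bugs in some JS interpreters.
   */
  function safe_add(x, y) {
    var lsw = (x & 0xFFFF) + (y & 0xFFFF);
    var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
    return (msw << 16) | (lsw & 0xFFFF);
  }

  /* Bitwise rotate a 32-bit number to the left. */
  function bit_rol(num, cnt) {
    return (num << cnt) | (num >>> (32 - cnt));
  }

  return hex_md5(instring);
}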
  • 验证一下 成功搜索到了内容

2.2.3 字符拼接

  • 上面的md5结果
    在这里插入图片描述
    我这里将math.random设置固定返回值1
// Analysis-time stub: replace Math.random with a constant so that every run
// produces the same "random" values and traces can be compared.
// Note that the real Math.random() always returns a value below 1, so the
// constant 1 lies outside its normal range.
Math.random = () => 1;
  • 通过上图发现是对字符串前后加了3个随机字符

字符获取方式为:

// Builds one padding character from Math.random(). With Math.random() in
// [0, 1) the character code is an integer from 36 to 130, which includes
// code 127 and three codes above the ASCII range. Math.random() is not a
// cryptographically secure generator, so this padding is noise only.
String.fromCharCode(Math.ceil(Math.random()*94+36))
  • 时间戳
    在这里插入图片描述

  • 空字符串
    没截图 哈哈哈

  • u_vid
    在这里插入图片描述

  • uuid
    在这里插入图片描述

注意这里后面做了一大堆的环境检测,如canvas等

做完检测仍然需要继续做字符拼接
包含

  • canvas指纹、
  • 24、
  • win32、
  • 时区、
  • 屏幕、
  • window.avatorheight之类的参数

一共12个参数,最后使用# 拼接返回一个字符串

至此第二步完成
在这里插入图片描述

第三步 计算结果

将第二步获取到的str通过fromcharcode转换成数组

在这里插入图片描述

比值计算 计算值是否比10大

在这里插入图片描述

  • 初始值为0

  • 如果大于10

  • 则用初始值+100 然后使用比值 对100取余 最后用初始值+取余的结果 并将初始值换成结果

  • 然后就到了核心位置
    在这里插入图片描述

  • 记录下来的最后结果 对43 也就是我们的初始化数值S9mHXtfaMsZ6DNkgTnL5F0dzpb1lPAocQ8BGh47UqO3的长度取余 获取到初始的头

  • 图中对应的l

  • 然后做加法、切割,以及一个扣下来的算法
    在这里插入图片描述
    在这里插入图片描述

  • 130 就是数组的第一位

  • 第二个是对Tm 做charcode

  • 再做加法和取余,以及最后对15取余

在这里插入图片描述

  • 再获取初始值’eIrWRYiEJwyjvxK’取位数 进行相加

  • 通过循环数组的长度,即可获取到token的尾部
    在这里插入图片描述

  • 最后加入固定值1001_common_ +获取的值,纯算结束
