JS逆向【抖查查】逆向分析 | sign | secret签名验证

1.目标

目标网址：https://www.douchacha.com/bloggerRankingRise

切换日期出现目标请求

import requests
import jsonheaders = {"accept": "application/json, text/plain, */*","accept-language": "zh-CN,zh;q=0.9","cache-control": "no-cache","content-type": "application/json;charset=UTF-8","d-t": "1748263914419","d-v": "NSxHSGZjdzRkS2ZUVnplVFZyZkhiandyR1RyTVFxdzdaeFprZHpaSGI0Y1BVVU54Q1ROT1lUcld6VW1qT1R0QmNUcmRidXc3dlROeVZ3WkhiJTJCRGRiYVc4ZjVpMXdMS2xJaXc2NTV3NllVcUhiNnc3N1VRc2JtaFhDVHN4UFRFc2ZId29jVXI4Znp3N3JVbXg3VU5QblRzVVlUTThiZ3c1WlNUWHJVdjBsSEFYQ1V1c2IxQllPVHVzZk5FSGZld3FBSnc3WVVOQ2k0d3BjVU9ZWVVzSGZCdzVVVVBRVkpld1YydzdIcFRTMUM=","dcc-href": "https://www.douchacha.com/bloggerRankingRise","dcc-r": "https://www.douchacha.com/","dcc-v": "1.0","origin": "https://www.douchacha.com","pragma": "no-cache","priority": "u=1, i","referer": "https://www.douchacha.com/","sec-ch-ua": "\"Chromium\";v=\"136\", \"Google Chrome\";v=\"136\", \"Not.A/Brand\";v=\"99\"","sec-ch-ua-mobile": "?0","sec-ch-ua-platform": "\"Windows\"","sec-fetch-dest": "empty","sec-fetch-mode": "cors","sec-fetch-site": "same-site","user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36"
}
url = "https://api.douchacha.com/api/tiktok/ranking/user_list_gain"
params = {"ts": "1748263914419","he": "gna8CHfKV3DJw45/WClWw7zUNsbzW8bFYdfJV0vTOOs=","sign": "74330c908d7ef526","secret": "110376408a9ef1f92f1c060100080a570a5c57055e0b0b1a011f07"
}
data = {"page_no": 1,"page_size": 30,"params_data": {"label_name": "","period": "DAY","period_value": "20250524"}
}
data = json.dumps(data, separators=(',', ':'))
response = requests.post(url, headers=headers, params=params, data=data)print(response.text)
print(response)

需要解决：

• 请求头参数：'d-t'和'd-v'
• 请求参数：

    "ts": "1748263914419","he": "gna8CHfKV3DJw45/WClWw7zUNsbzW8bFYdfJV0vTOOs=","sign": "74330c908d7ef526","secret": "110376408a9ef1f92f1c060100080a570a5c57055e0b0b1a011f07"

且'd-t'和'ts'需要一致

2.参数定位

• 方法一：

  点击请求拦截器
  

  

  在代码 n = n.then(t.shift(), t.shift()); 中，t 是一个存储着请求和响应拦截器的回调函数（成功回调 fulfilled 和失败回调 rejected）的数组。
  
  点击第一个方法
  
  可以看到请求头部加密参数'd-v'

• 方法二
  搜索关键词定位：
  尝试搜索请求参数'sign'、secret等
  和请求头参数 'd-t'、'd-v'
  
  这里选择搜索请求参数'd-v'

在搜请求头相关的加密参数可以根据js代码的习惯搜headers.common["d-v"]
如果搜不到可以搜他们的“未加密的兄弟参数”，比如"dcc-href"、"dcc-v"等

3.逆向分析

var d = window.btoa(window.v() + "," + window.hi("dt"));
t.headers.common["d-v"] = d

可以发现window.v()返回值固定为5，进入window.hi()方法可以看到混淆的

  _0x1ad0d3.t = new Date().getTime();_0x1ad0d3.h = window.location.host;_0x1ad0d3.p = navigator.plugins.length;_0x1ad0d3.e = eval.toString().length;_0x1ad0d3.w = 0; // 代表没有用自动化

function hi(_0x2632b7) {var _0x1ad0d3 = {"t": new Date().getTime(),"h": "www.douchacha.com","p": 5,"e": 33,"w": 0}return se(JSON.stringify(_0x1ad0d3), _0x2632b7);
}var dv = btoa(5 + "," + hi("dt"));
console.log(dv)

其他扣代码，缺什么补什么

如果参数不对，就会返回`

成功返回数据