智慧树(知到)刷课破解
刚上大学,心理课需要刷够时长,那就破解一下喵。下面总结一下具体破解的步骤!
目标文件:newVideoPlay.js
前言
如果只是为了刷课,直接在网络选项卡里找到对应请求
/stuStudy/saveStuStudyRecord,稍微分析一下源代码中的signature部分,找到加的盐是啥就行了。但是咱一不做二不休,就是想把整个js全都逆向出来,也为大家提供一下js逆向的一般思路喵~破解步骤
反反破解:去除debugger
这个js里存在着多处调用
debugger的代码,多次删除就好了喵。反反破解:去除格式化代码检测部分
debugger终于不弹出来了,可是电脑风扇开始狂转,网页卡死无响应,一看就是进死循环了喵。 为了找出问题部分,我浪费了好几个小时研究它是怎么检测到打开Devtools的,最后实在走投无路QwQ,打开jsjiami6的网站才发现检测的是代码被没被格式化:某个函数
toString后发生了变化,说明源代码被修改了喵。 这个js中同样存在着多处检测,先不要格式化代码,直接搜索哪里使用了new RegExp,并强行返回true或false即可。对于其他类型的检测,可以使用Devtools的性能选项卡进行分析,死循环的部分极其明显,一眼就能看出来。 这个js很逆天的一点是把检测代码伪装成了一段Cookie操作,只看代码八辈子都想不出来这玩意竟然是干这个的。反混淆:标识符解密
现在这份代码终于变得能调试了,然而还是处于深度混淆状态了QAQ。。。 观察一下可以发现有个函数
_0x1e77出现了几千次,盲猜它是用来返回一个固定的字符串的加密函数(用黑话说应该叫无副作用的纯函数?)。 我们先复制整份代码,注意不要直接复制,否则反斜杠和模板字符串会转义的喵!简单粗暴的解决方法是在网页控制台里直接输入let a = await fetch("https://hike.zhihuishu.com/aidedteaching/assets/student/scripts/sourceLearning/newVideoPlay.js?v=20210927").then(e => e.text())然后直接大胆替换!
a.replace(/_0x1e77\('([^']+)', '([^']+)'\)/g, (_, a, b) => "'" + _0x1e77(a, b) + "'")这时在输出的文本上右键点击【复制字符串内容】,检查一下有没有奇怪的语法错误,代码就大大简化了(然而还是很乱qwq 用相同的道理可以简化其他频繁出现的函数喵~
反混淆:简化控制流
代码结构:
var _0x01919810 = { 114: function (_0x0d00, _0x0721) { return _0x0d00(_0x0721) }, 514: function (_0x0d00, _0x0721, _0xyzczex) { return _0x0d00(_0x0721, _0xyzczex) }, 1919: function (_0x0d00, _0x0721) { return _0x0d00 + _0x0721 }, ... }
_0x01919810['114'](console.log, _0x01919810'1919')
怎么简化?写个babel插件手动抠语法树去简化当然可行的喵,但是网上有现成的[反混淆工具](https://obf-io.deobfuscate.io/)呀(
简化后可能需要手动删去`_0x01919810`之类的未使用代码,虽然用Ctrl+左键查看一下有没有引用就可以了,但还是单独写一节吧,毕竟每操作一步就可以删去一些花指令的说。
### 删去无用代码(花指令)
**Ctrl+左键大法好**,但还是全局搜索一下吧,有可能有`obj['met' + 'hod']`这种漏网之鱼。
未使用的对象、函数都可以删了,删一个刷新一下页面看看功能是否正常即可。它们有一些相似的特征(都是自动生成的),大多长得都差不多,可以举一反三全都删了。
### 反反破解:去除`console`无效化
之前调试时我就已经遇到`console.log`不起效果的情况,当时我还以为是Devtools日常抽风(
当经过上述简化后代码基本能看了,这时我们可以全局搜索`console`,把那几处`console['log'] = function () {}`的代码删了。
### 手动整理:变量、函数重命名
发挥创造力的时候到啦!为史山代码命名多是一件美事啊(
### 手动整理:替换加密函数为简化版
这段代码中内置了`md5`函数实现,然而经过混淆后实在是无法复原。那我们就去网上找一份替换了吧。
## 最终简化代码
```javascript
// Part 1: Play Video
let videoInfo = {}
let uuidValue = $('#uuid').val()
let arr = []
let playRate = 1
window.$play = {
init(data) {
videoInfo = data
$('#' + videoInfo.id).Ableplayer(
{ id: videoInfo.videoId, autostart: false },
{
onReady() {
console.log('onReady')
if (videoInfo.seek > 0) {
ablePlayerX(videoInfo.id).seek(videoInfo.seek)
}
if (window.fuckZHS) updateStudyRecord()
},
onPause() {
$interval.close()
updateStudyRecord()
console.log('onPause')
},
onPlay() {
arr = [{ time: new Date().getTime(), playRate }]
startWatchTime = Math.ceil(ablePlayerX(videoInfo.id).getPosition())
$interval.start(a => {
if (a >= 3e4) updateStudyRecord()
}, 1e3)
console.log('onPlay')
},
playbackRate(rate) {
playRate = rate
console.log('playRate:' + playRate)
arr.push({ time: new Date().getTime(), playRate: playRate })
},
}
)
$('#' + videoInfo.id + ' .progress').live('mousedown', () => {
updateStudyRecord()
console.log('播放进度改变::')
})
window.onbeforeunload = updateStudyRecord
},
closeDialog() {
$('.dialog-pop').hide()
},
}
// Part 2: Update Study Record
let startWatchTime = 0
let millSecondsLeft = 0
function updateStudyRecord() {
let { etime, stime } = $interval.result()
let cnt = 0
for (let i = arr.length - 1; i >= 0; i--) {
const { time, playRate } = arr[i]
if (etime > time) {
if (stime >= time) {
cnt += (etime - stime) * playRate
break
} else {
cnt += (etime - time) * playRate
etime = time
}
}
}
console.log(cnt)
cnt += millSecondsLeft
millSecondsLeft = cnt % 1e3
cnt -= cnt % 1e3
let studyTotalTime = cnt / 1e3
let endWatchTime = Math.ceil(ablePlayerX(videoInfo.id).getPosition())
if (isNaN(endWatchTime)) endWatchTime = 0
let payload = {
uuid: uuidValue,
courseId: videoInfo.courseId,
fileId: videoInfo.fileId,
studyTotalTime,
startWatchTime,
endWatchTime,
startDate: stime,
endDate: etime,
}
// ========== 下方代码为自行添加 ==========
console.log(uuidValue, courseId, fileId)
if (window.fuckZHS) {
const 卷 = Math.min(600, videoInfo.totalTime)
// 经测试后发现大于 600 秒(即 10 分钟)的值会被服务器忽略
payload = {
uuid: uuidValue,
courseId: videoInfo.courseId,
fileId: videoInfo.fileId,
// 视频播放时间,单位是秒
studyTotalTime: 卷,
startWatchTime: 0,
endWatchTime: videoInfo.totalTime,
// 真实系统时间戳,单位是毫秒,应该与视频播放时间一致
startDate: etime - 卷 * 1000 + 3,
endDate: etime,
}
console.log('Fuck '.repeat(10))
}
// ========== 上方代码为自行添加 ==========
payload.signature = getSaltedMD5(payload)
server.get(
'//hike-teaching.zhihuishu.com/stuStudy/saveStuStudyRecord',
payload,
function (_0x4d9355) {
if (_0x4d9355.status == 200 && !archive) {
videoInfo.studyTime = _0x4d9355.rt
$('#file_' + videoInfo.fileId + ' .status-box').html(
switchProgress(videoInfo)
)
}
}
)
startWatchTime = endWatchTime
}
function getSaltedMD5(data) {
let saltedString =
'o6xpt3b#Qy$Z' +
data.uuid +
data.courseId +
data.fileId +
data.studyTotalTime +
data.startDate +
data.endDate +
data.endWatchTime +
data.startWatchTime +
data.uuid
console.log(saltedString)
return $md5(saltedString)
}
// Part 3: Timer
let started = false
let t2 = 0
let t1 = 0
let handle = null
window.$interval = {
start(arg1, arg2) {
if (handle) window.clearTimeout(handle)
started = true
t2 = new Date().getTime()
function update(arg1, arg2) {
handle = window.setTimeout(() => {
if (started) {
arg1(() => {
if (!started) t1 = new Date().getTime()
return t1 - t2
})
update(arg1, arg2)
}
}, arg2)
}
update(arg1, arg2)
},
close() {
if (started) {
started = false
t1 = new Date().getTime()
window.clearTimeout(handle)
}
},
result() {
if (started) t1 = new Date().getTime()
let data = { stime: t2, etime: Math.max(t1, t2) }
t2 = new Date().getTime()
return data
},
}
// Part 4: MD5 Implement (Replaced)
window.$md5 = str => bin2hex(core_md5(str2bin(str), str.length * 8))
function core_md5(x, len) {
x[len >> 5] |= 0x80 << len % 32
x[(((len + 64) >>> 9) << 4) + 14] = len
let a = 1732584193
let b = -271733879
let c = -1732584194
let d = 271733878
for (let i = 0; i < x.length; i += 16) {
const A = a
const B = b
const C = c
const D = d
a = F(a, b, c, d, x[i + 0], 7, -680876936)
d = F(d, a, b, c, x[i + 1], 12, -389564586)
c = F(c, d, a, b, x[i + 2], 17, 606105819)
b = F(b, c, d, a, x[i + 3], 22, -1044525330)
a = F(a, b, c, d, x[i + 4], 7, -176418897)
d = F(d, a, b, c, x[i + 5], 12, 1200080426)
c = F(c, d, a, b, x[i + 6], 17, -1473231341)
b = F(b, c, d, a, x[i + 7], 22, -45705983)
a = F(a, b, c, d, x[i + 8], 7, 1770035416)
d = F(d, a, b, c, x[i + 9], 12, -1958414417)
c = F(c, d, a, b, x[i + 10], 17, -42063)
b = F(b, c, d, a, x[i + 11], 22, -1990404162)
a = F(a, b, c, d, x[i + 12], 7, 1804603682)
d = F(d, a, b, c, x[i + 13], 12, -40341101)
c = F(c, d, a, b, x[i + 14], 17, -1502002290)
b = F(b, c, d, a, x[i + 15], 22, 1236535329)
a = G(a, b, c, d, x[i + 1], 5, -165796510)
d = G(d, a, b, c, x[i + 6], 9, -1069501632)
c = G(c, d, a, b, x[i + 11], 14, 643717713)
b = G(b, c, d, a, x[i + 0], 20, -373897302)
a = G(a, b, c, d, x[i + 5], 5, -701558691)
d = G(d, a, b, c, x[i + 10], 9, 38016083)
c = G(c, d, a, b, x[i + 15], 14, -660478335)
b = G(b, c, d, a, x[i + 4], 20, -405537848)
a = G(a, b, c, d, x[i + 9], 5, 568446438)
d = G(d, a, b, c, x[i + 14], 9, -1019803690)
c = G(c, d, a, b, x[i + 3], 14, -187363961)
b = G(b, c, d, a, x[i + 8], 20, 1163531501)
a = G(a, b, c, d, x[i + 13], 5, -1444681467)
d = G(d, a, b, c, x[i + 2], 9, -51403784)
c = G(c, d, a, b, x[i + 7], 14, 1735328473)
b = G(b, c, d, a, x[i + 12], 20, -1926607734)
a = H(a, b, c, d, x[i + 5], 4, -378558)
d = H(d, a, b, c, x[i + 8], 11, -2022574463)
c = H(c, d, a, b, x[i + 11], 16, 1839030562)
b = H(b, c, d, a, x[i + 14], 23, -35309556)
a = H(a, b, c, d, x[i + 1], 4, -1530992060)
d = H(d, a, b, c, x[i + 4], 11, 1272893353)
c = H(c, d, a, b, x[i + 7], 16, -155497632)
b = H(b, c, d, a, x[i + 10], 23, -1094730640)
a = H(a, b, c, d, x[i + 13], 4, 681279174)
d = H(d, a, b, c, x[i + 0], 11, -358537222)
c = H(c, d, a, b, x[i + 3], 16, -722521979)
b = H(b, c, d, a, x[i + 6], 23, 76029189)
a = H(a, b, c, d, x[i + 9], 4, -640364487)
d = H(d, a, b, c, x[i + 12], 11, -421815835)
c = H(c, d, a, b, x[i + 15], 16, 530742520)
b = H(b, c, d, a, x[i + 2], 23, -995338651)
a = I(a, b, c, d, x[i + 0], 6, -198630844)
d = I(d, a, b, c, x[i + 7], 10, 1126891415)
c = I(c, d, a, b, x[i + 14], 15, -1416354905)
b = I(b, c, d, a, x[i + 5], 21, -57434055)
a = I(a, b, c, d, x[i + 12], 6, 1700485571)
d = I(d, a, b, c, x[i + 3], 10, -1894986606)
c = I(c, d, a, b, x[i + 10], 15, -1051523)
b = I(b, c, d, a, x[i + 1], 21, -2054922799)
a = I(a, b, c, d, x[i + 8], 6, 1873313359)
d = I(d, a, b, c, x[i + 15], 10, -30611744)
c = I(c, d, a, b, x[i + 6], 15, -1560198380)
b = I(b, c, d, a, x[i + 13], 21, 1309151649)
a = I(a, b, c, d, x[i + 4], 6, -145523070)
d = I(d, a, b, c, x[i + 11], 10, -1120210379)
c = I(c, d, a, b, x[i + 2], 15, 718787259)
b = I(b, c, d, a, x[i + 9], 21, -343485551)
a = add(a, A)
b = add(b, B)
c = add(c, C)
d = add(d, D)
}
return Array(a, b, c, d)
}
const rol = (num, cnt) => (num << cnt) | (num >>> (32 - cnt))
const cmn = (q, a, b, x, s, t) => add(rol(add(add(a, q), add(x, t)), s), b)
const F = (a, b, c, d, x, s, t) => cmn((b & c) | (~b & d), a, b, x, s, t)
const G = (a, b, c, d, x, s, t) => cmn((b & d) | (c & ~d), a, b, x, s, t)
const H = (a, b, c, d, x, s, t) => cmn(b ^ c ^ d, a, b, x, s, t)
const I = (a, b, c, d, x, s, t) => cmn(c ^ (b | ~d), a, b, x, s, t)
function add(x, y) {
const lsw = (x & 0xffff) + (y & 0xffff)
const msw = (x >> 16) + (y >> 16) + (lsw >> 16)
return (msw << 16) | (lsw & 0xffff)
}
function str2bin(str) {
const bin = []
for (let i = 0; i < str.length * 8; i += 8)
bin[i >> 5] |= (str.charCodeAt(i / 8) & 255) << i % 32
return bin
}
function bin2hex(arr) {
const table = '0123456789abcdef'
let str = ''
for (let i = 0; i < arr.length * 4; i++)
str +=
table.charAt((arr[i >> 2] >> ((i % 4) * 8 + 4)) & 0xf) +
table.charAt((arr[i >> 2] >> ((i % 4) * 8)) & 0xf)
return str
}需要的话直接替换原js文件并根据需要修改那一部分即可!
完结撒花╰(°▽°)╯
参考文献
- Python刷课脚本
破解完了才发现有这玩意,这辈子有了