bilive / bilive_client

A Node.js-based bilibili account activity system
MIT License

New signature client_sign #173

Closed lzghzr closed 4 years ago

lzghzr commented 4 years ago

Raw data

{"platform":"android","uuid":"965983d6-2144-4040-b1f6-fbfcbdc0f27e","buvid":"XY721587F2E5639D82213B9BA4211A4FB02AC","seq_id":"1","room_id":"5082","parent_id":"6","area_id":"283","timestamp":"1594740248","secret_key":"axoaadsffcazxksectbbb","watch_time":"300","up_id":"673816","up_level":"33","jump_from":"24001","gu_id":"9ebadb876715e80e2fa2d116207d18e01734ded1026","play_type":"0","play_url":"http://d1--cn-gotcha03.bilivideo.com/live-bvc/126229/live_673816_8552541_2500.flv?cdn=cn-gotcha03&expires=1594743846&len=0&oi=465680638&pt=android&qn=400&trid=abceb8f7b0ad4920949a49f824378f82&sigparams=cdn,expires,len,oi,pt,qn,trid&sign=c0f414cfe0ab6cf1448b6637d5f4d67a&ptype=0&src=5&level=3","s_time":"0","data_behavior_id":"","data_source_id":"","up_session":"l:one:live:record:5082:1594726910","visit_id":"77193bdd8a33d10d239eac2724b50011","watch_status":"%7B%22pk_id%22%3A0%2C%22screen_status%22%3A1%7D","click_id":"f981f115-cdb7-444c-953f-0321389b7081","session_id":"","player_type":"0","client_ts":"1594744851"}

Algorithm No. 3: SHA512

22cf943cbff34b9e46800fe855b7c5a175e2f392a3b851b2d6d5acb968aecc1e0f21dfe4f7cfbb4570c3eab0563fe0011f1464d56fc3daac6d5f422801086b00

Algorithm No. 7: SHA3-512

1eb8e33852cb69008520c8179232b5f6d7551a2bbaddc462880dfa9a5fd3406696435a269a9a0a2dce74a5d00651fe8f8224a66db976c4fdf058eb9a891dcf43

Algorithm No. 2: SHA384

554aeafc7f4a595b071cf1c663c6ba78ebb3c6cacab408f0d9578fa082796982c29a9fea287566364871b19626bee630

Algorithm No. 6: SHA3-384

dea56c7706c250cfea9289442a0af43a4de67d92577157fa72e521fbb2a38993bdcaec4b3259810e65d45c3a4dd28f4f

Algorithm No. 8: BLAKE2b512

1bf468dc6d6cd74112a5867317cd818880175a5d4662d1bc7bd162c7d10472aec74ffd2073c358de14a33eaa4c0f1f964aec040a918e7415bf522b092c790f10

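The signature is obtained after five rounds of hashing. I really don't know what five rounds of hashing are good for, other than annoying people.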

Plugin authors can use tools.Hash(algorithm: string, data: string | Buffer): string to compute a hash, for example:

tools.Hash('BLAKE2b512', 'dea56c7706c250cfea9289442a0af43a4de67d92577157fa72e521fbb2a38993bdcaec4b3259810e65d45c3a4dd28f4f')
// 1bf468dc6d6cd74112a5867317cd818880175a5d4662d1bc7bd162c7d10472aec74ffd2073c358de14a33eaa4c0f1f964aec040a918e7415bf522b092c790f10

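Attached is the cracking algorithm. It is really just brute force; thanks to the performance of modern computers, even five million hash computations take less than 10 seconds.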


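import { createHash } from 'crypto'

// Hex digest of `data` under the named algorithm
const Hash = (algorithm, data) => createHash(algorithm).update(data).digest('hex')

// Candidate digests; names this runtime's OpenSSL build does not provide are skipped
const algorithms = [
  'BLAKE2b512',
  'BLAKE2s256',
  'MD4',
  'MD5',
  'MD5-SHA1',
  'RIPEMD160',
  'SHA1',
  'SHA224',
  'SHA256',
  'SHA3-224',
  'SHA3-256',
  'SHA3-384',
  'SHA3-512',
  'SHA384',
  'SHA512',
  'SHA512-224',
  'SHA512-256',
  'SHAKE128',
  'SHAKE256',
  'SM3',
  'whirlpool'
].filter(name => {
  try {
    createHash(name)
    return true
  } catch {
    return false
  }
})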

const input = '{"platform":"android","uuid":"965983d6-2144-4040-b1f6-fbfcbdc0f27e","buvid":"XY721587F2E5639D82213B9BA4211A4FB02AC","seq_id":"1","room_id":"5082","parent_id":"6","area_id":"283","timestamp":"1594740248","secret_key":"axoaadsffcazxksectbbb","watch_time":"300","up_id":"673816","up_level":"33","jump_from":"24001","gu_id":"9ebadb876715e80e2fa2d116207d18e01734ded1026","play_type":"0","play_url":"http://d1--cn-gotcha03.bilivideo.com/live-bvc/126229/live_673816_8552541_2500.flv?cdn=cn-gotcha03&expires=1594743846&len=0&oi=465680638&pt=android&qn=400&trid=abceb8f7b0ad4920949a49f824378f82&sigparams=cdn,expires,len,oi,pt,qn,trid&sign=c0f414cfe0ab6cf1448b6637d5f4d67a&ptype=0&src=5&level=3","s_time":"0","data_behavior_id":"","data_source_id":"","up_session":"l:one:live:record:5082:1594726910","visit_id":"77193bdd8a33d10d239eac2724b50011","watch_status":"%7B%22pk_id%22%3A0%2C%22screen_status%22%3A1%7D","click_id":"f981f115-cdb7-444c-953f-0321389b7081","session_id":"","player_type":"0","client_ts":"1594744851"}'
const output = '1bf468dc6d6cd74112a5867317cd818880175a5d4662d1bc7bd162c7d10472aec74ffd2073c358de14a33eaa4c0f1f964aec040a918e7415bf522b092c790f10'

// Try every ordered 5-tuple of algorithms; each round hashes the previous round's hex string
console.time('hash')
for (let i of algorithms) {
  const hash1 = Hash(i, input)
  for (let j of algorithms) {
    const hash2 = Hash(j, hash1)
    for (let k of algorithms) {
      const hash3 = Hash(k, hash2)
      for (let l of algorithms) {
        const hash4 = Hash(l, hash3)
        for (let m of algorithms) {
          const hash5 = Hash(m, hash4)
          if (hash5 === output) {
            console.timeEnd('hash')
            console.log(i, j, k, l, m)
          }
        }
      }
    }
  }
}
// hash: 4.851s
// SHA512 SHA3-512 SHA384 SHA3-384 BLAKE2b512

ShmilyChen commented 4 years ago

However, that lousy site has 12 sets of algorithms in total. To be honest, whoever pulled this move has no mother.

lzghzr commented 4 years ago

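> However, that lousy site has 12 sets of algorithms in total. To be honest, whoever pulled this move has no mother.

The other algorithms only differ in digest length, for example there is also sha256. As long as no salt is added, running through the permutations once is enough.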

lc4t commented 4 years ago

It's useless except for annoying people; they might as well go straight to Bcrypt and annoy the users too.