签名算法无效 - Githubissues

kdong007 commented 5 years ago
签名算法是模拟了一个cpu 他们自己写了一个指令集
其中有一部分是获取doucment.createElement("canvas")然后画一些东西 toDataUri然后放到签名里的
kdong007 commented 5 years ago
提供一点思路：
function generateSignature(userId) {
    let descriptions = `1 flip top
    4 push xxx
    5 stack top = ()=>push next char in top to stack, and return has more
    6 call one arg fn, ...|fn|arg|
    8 jump x and run, if error jump x2, else return result
    9 push run fn to stack
    10 stack top = keys(top) 
    11 pop top 2 and push their sum
    12 push XOR-mask(xxx)
    13 delete prop, ...|obj|key|
    14 push x
    59 convert stack top x values into arr, if x ==0 push []
    61 stack top = top[x]
    62 mem[0] euler 
    65 assign prop, ...|obj|key|val|
    66 binary op nextChar, ...|a|b|
    67 forkRun/apply, ...|v3|v2|v1|. v3.x == run -> forkRun(v3.y,v1,mem) else v3.apply(v2,v2)
    68 binary op, ...|a|b| op = if nextInstChar < '<' xxx else  nextInstChar + nextInstChar
    70 push false
    71 push global
    72 push int(xxx)
    75 pop, if poped false, jump x,  
    74 jump x
    76 push memory[x]
    77 get prop, ...|obj|key|
    78 create obj with x args. ...|className|x args|
    79 push memory[$x]
    81 assign prop, key = xxx, ...|obj|val|
    82 get prop, key = xxx, ...|obj|
    83 pop to memory[x]
    84 push true
    85 push undefined
    86 duplicate top
    88 mirror duplicate top 2
    89 push fn: fn.x = xxx fn.y = run, ()=> forkRun(fn.y, arguments, memory)
    90 push null
    91 push h
    93 pop to h
    0 halt and return top
    default push(opCode - 16)`;
    const descDB = {};
    for (const line of descriptions.split("\n")) {
        const arr = line.split(" ").filter(e => e);
        descDB[arr[0]] = arr.slice(1).join(" ");
    }
    var handler = {
        get: function(target, name) {
            console.log("*** get", name);
            return target[name];
        },
        set: function(target, name, val) {
            console.log("set", name);
            return (target[name] = val);
        },
    };

    var n = new Proxy(
        {
            Function,
            Date,
            tac,
            document: new Proxy(
                {
                    createElement(e) {
                        console.log("***********   createElement ******", e, typeof e);
                        return document.createElement(e);
                    },
                },
                handler
            ),
            RegExp,
            Error,
            String,
            navigator: new Proxy(navigator, handler),
        },
        handler
    );
    var e = {};

    var r = (function() {
        function e(e, a, r) {
            return (b[e] || (b[e] = t("x,y", "return x " + e + " y")))(r, a);
        }

        function a(e, a, r) {
            return (k[r] ||
                (k[r] = t(
                    "x,y",
                    "return new x[y](" +
                        Array(r + 1)
                            .join(",x[++y]")
                            .substr(1) +
                        ")"
                )))(e, a);
        }

        function r(e, a, r) {
            var n,
                t,
                s = {},
                b = (s.d = r ? r.d + 1 : 0);
            for (s["$" + b] = s, t = 0; t < b; t++) s[(n = "$" + t)] = r[n];
            for (t = 0, b = s.length = a.length; t < b; t++) s[t] = a[t];
            return c(e, 0, s);
        }

        function c(t, b, k) {
            function u(e) {
                console.log("push", e);
                v[x++] = e;
            }

            function f() {
                return (g = t.charCodeAt(b++) - 32), t.substring(b, (b += g));
            }

            function l() {
                try {
                    y = c(t, b, k);
                } catch (e) {
                    (h = e), (y = l);
                }
            }

            for (var h, y, d, g, v = [], x = 0; ; ) {
                g = t.charCodeAt(b++) - 32;
                console.log(g, descDB[g]);
                switch (g) {
                    case 1:
                        u(!v[--x]);
                        break;
                    case 4:
                        v[x++] = f();
                        break;
                    case 5:
                        u(
                            (function(e) {
                                var a = 0,
                                    r = e.length;
                                return function() {
                                    var c = a < r;
                                    return c && u(e[a++]), c;
                                };
                            })(v[--x])
                        );
                        break;
                    case 6:
                        (y = v[--x]), u(v[--x](y));
                        break;
                    case 8:
                        if (((g = t.charCodeAt(b++) - 32), l(), (b += g), (g = t.charCodeAt(b++) - 32), y === c))
                            b += g;
                        else if (y !== l) return y;
                        break;
                    case 9:
                        v[x++] = c;
                        break;
                    case 10:
                        u(s(v[--x]));
                        break;
                    case 11:
                        (y = v[--x]), u(v[--x] + y);
                        break;
                    case 12:
                        for (y = f(), d = [], g = 0; g < y.length; g++) d[g] = y.charCodeAt(g) ^ (g + y.length);
                        u(String.fromCharCode.apply(null, d));
                        break;
                    case 13:
                        (y = v[--x]), (h = delete v[--x][y]);
                        break;
                    case 14:
                        v[x++] = t.charCodeAt(b++) - 32;
                        break;
                    case 59:
                        u((g = t.charCodeAt(b++) - 32) ? ((y = x), v.slice((x -= g), y)) : []);
                        break;
                    case 61:
                        u(v[--x][t.charCodeAt(b++) - 32]);
                        break;
                    case 62:
                        (g = v[--x]), (k[0] = (65599 * k[0] + k[1].charCodeAt(g)) >>> 0);
                        break;
                    case 65:
                        (h = v[--x]), (y = v[--x]), (v[--x][y] = h);
                        break;
                    case 66:
                        u(e(t[b++], v[--x], v[--x]));
                        break;
                    case 67:
                        (y = v[--x]), (d = v[--x]), u((g = v[--x]).x === c ? r(g.y, y, k) : g.apply(d, y));
                        break;
                    case 68:
                        u(e((g = t[b++]) < "<" ? (b--, f()) : g + g, v[--x], v[--x]));
                        break;
                    case 70:
                        u(!1);
                        break;
                    case 71:
                        v[x++] = n;
                        break;
                    case 72:
                        v[x++] = +f();
                        break;
                    case 73:
                        u(parseInt(f(), 36));
                        break;
                    case 75:
                        if (v[--x]) {
                            b++;
                            break;
                        }
                    case 74:
                        (g = ((t.charCodeAt(b++) - 32) << 16) >> 16), (b += g);
                        break;
                    case 76:
                        u(k[t.charCodeAt(b++) - 32]);
                        break;
                    case 77:
                        (y = v[--x]), u(v[--x][y]);
                        break;
                    case 78:
                        (g = t.charCodeAt(b++) - 32), u(a(v, (x -= g + 1), g));
                        break;
                    case 79:
                        (g = t.charCodeAt(b++) - 32), u(k["$" + g]);
                        break;
                    case 81: {
                        let key = f();
                        console.log("key", key);
                        h = v[--x];
                        v[--x][key] = h;
                        console.log("assigned", h, "to", v[x + 1]);
                        break;
                    }
                    case 82: {
                        let key = f();
                        console.log("key", key);
                        u(v[--x][key]);
                        break;
                    }
                    case 83:
                        (h = v[--x]), (k[t.charCodeAt(b++) - 32] = h);
                        break;
                    case 84:
                        v[x++] = !0;
                        break;
                    case 85:
                        v[x++] = void 0;
                        break;
                    case 86:
                        u(v[x - 1]);
                        break;
                    case 88:
                        (h = v[--x]), (y = v[--x]), (v[x++] = h), (v[x++] = y);
                        break;
                    case 89:
                        u(
                            (function() {
                                function e() {
                                    return r(e.y, arguments, k);
                                }

                                return (e.y = f()), (e.x = c), e;
                            })()
                        );
                        break;
                    case 90:
                        v[x++] = null;
                        break;
                    case 91:
                        v[x++] = h;
                        break;
                    case 93:
                        h = v[--x];
                        break;
                    case 0:
                        return v[--x];
                    default:
                        u(((g << 16) >> 16) - 16);
                }
            }
        }

        var t = n.Function,
            s =
                Object.keys ||
                function(e) {
                    var a = {},
                        r = 0;
                    for (var c in e) a[r++] = c;
                    return (a.length = r), a;
                },
            b = {},
            k = {};
        return r;
    })()(
        'gr$Daten Иb/s!l y͒yĹg,(lfi~ah`{mv,-n|jqewVxp{rvmmx,&effkx[!cs"l".Pq%widthl"@q&heightl"vr*getContextx$"2d[!cs#l#,*;?|u.|uc{uq$fontl#vr(fillTextx$$龘ฑภ경2<[#c}l#2q*shadowBlurl#1q-shadowOffsetXl#$$limeq+shadowColorl#vr#arcx88802[%c}l#vr&strokex[ c}l"v,)}eOmyoZB]mx[ cs!0s$l$Pb<k7l l!r&lengthb%^l$1+s$jl  s#i$1ek1s$gr#tack4)zgr#tac$! +0o![#cj?o ]!l$b%s"o ]!l"l$b*b^0d#>>>s!0s%yA0s"l"l!r&lengthb<k+l"^l"1+s"jl  s&l&z0l!$ +["cs\'(0l#i\'1ps9wxb&s() &{s)/s(gr&Stringr,fromCharCodes)0s*yWl ._b&s o!])l l Jb<k$.aj;l .Tb<k$.gj/l .^b<k&i"-4j!+& s+yPo!]+s!l!l Hd>&l!l Bd>&+l!l <d>&+l!l 6d>&+l!l &+ s,y=o!o!]/q"13o!l q"10o!],l 2d>& s.{s-yMo!o!]0q"13o!]*Ld<l 4d#>>>b|s!o!l q"10o!],l!& s/yIo!o!].q"13o!],o!]*Jd<l 6d#>>>b|&o!]+l &+ s0l-l!&l-l!i\'1z141z4b/@d<l"b|&+l-l(l!b^&+l-l&zl\'g,)gk}ejo{cm,)|yn~Lij~em["cl$b%@d<l&zl\'l $ +["cl$b%b|&+l-l%8d<@b|l!b^&+ q$sign ',
        [e]
    );
    return e.sign(userId);
}
lbcake commented 5 years ago
完全看不懂直接能发出来改进后的版本更好
kdong007 commented 5 years ago
@ibcake 他们的代码只能在浏览器里运行在别的环境下能跑起来但是数值不对
lbcake commented 5 years ago
@ibcake 他们的代码只能在浏览器里运行在别的环境下能跑起来但是数值不对
所以说亲现在是用什么下载的自己改进后的？能否发出来一下我的邮箱872531203@qq.com
lg003x commented 4 years ago
@kdong007 可以微信联系一下吗？
kdong007 commented 4 years ago
@lg003x 微信同号
loadchange / amemv-crawler

签名算法无效 #159
