Echo Download Tool Update 2015-09-17

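Yesterday I suddenly found that the Echo download tool I wrote earlier had stopped working, so I took a look at Echo's mobile music player page. It had been redesigned, and the real address of the music file was now encrypted. But no matter how you encrypt it, the real file address is still exposed at playback time, and the client-side decryption process is visible too. The decryption JS code had been obfuscated, but... I still cracked it, heh.

The key code for playback: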

window["\x65\x76\x61\x6c"]( window["\x65\x76\x61\x6c"]( window["\x65\x76\x61\x6c"]('"' + "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"["\x72\x65\x70\x6c\x61\x63\x65"](/(..)/g, "\\x$1") + '"') ) ); 
play_source("335631", 'audio/mpeg', _P_("BF2B2B4AD08A8AED0BC83E2B38C5BDF51636C55E89C53E3CB9C5AF05FA0578BDC3FAC5BDF5168A7D4F0C29B9B9E1365829364F0AC37D580A58C3ED7DE1C3C30AE189B9E10B5136"));

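I won't paste the code of play_source here; if you're interested, you can find it in the source of the Echo page. Its third argument is the actual playback URL, decrypted by a function called _P_. Interestingly, the name of this _P_ function is randomly generated: it might be _W_, _P_ and so on. But only the function name changes; the internal implementation does not. So the approach is to implement this function on my server, fetch the page, use a regular expression to match the argument of _P_ on the second line of the code above (that is, the encrypted playback URL), and then call my own implementation of _P_ to decrypt it.

Next comes the question of how to implement _P_. This is actually very simple, because Echo's page already implements it, so I can just take it and use it: it is the first line of the code above. You can see that this line is encrypted and the logic can't be read, but that doesn't matter, I don't need to understand it. My server runs on Node.js, so I simply copied it over...

The next step is dealing with the fact that the Node.js environment has no window object. Node.js has no window, but it does have global, which includes most of window's methods. I tried replacing window with global in the code, and it failed with an error saying there was no window object, so the encrypted code apparently contains an encrypted reference to window. From the "\x65\x76\x61\x6c" in the first line of code you can roughly guess how the encryption works: probably the string was UTF-8 encoded. So I UTF-8 encoded the string "window" and got \x77\x69\x6E\x64\x6F\x77, searched for it, and found that the code did not contain it. Then I looked at the end of the first line of code: (/(..)/g, "\\x$1"). From this you can see that \x was replaced with an empty string, so I removed the \x from \x77\x69\x6E\x64\x6F\x77 to get 77696E646F77, and sure enough it was there. I replaced it with 676C6F62616C, which is the encoded form of global, and ran it again. It still failed, this time because userAgent was missing. That is easy: just add a userAgent property to the global object: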

global.navigator = {
  userAgent: 'Mozilla/5.0 (Linux; Android 4.4.4; en-us; Nexus 5 Build/JOP40D) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2307.2 Mobile Safari/537.36'
}
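
The hex-pair layer described above can also be handled statically. The following Node.js sketch is an added example, not code from the original post or from Echo: it decodes the layer without calling eval (which would run the remote page's script inside the server process), lists the browser globals the decoded text references, and renames an identifier on character boundaries. The function names and the sample payload are constructed for illustration.

```javascript
// Added example: static handling of the hex-pair layer (Node.js, no eval).

// Pack text the way the page's outer layer stores it: two hex digits per
// character, with the "\x" prefixes stripped.
function hexPack(text) {
  return Buffer.from(text, 'latin1').toString('hex').toUpperCase();
}

// Static equivalent of eval('"' + packed.replace(/(..)/g, "\\x$1") + '"'):
// each hex pair becomes one character, and nothing is executed.
function hexUnpack(packed) {
  if (!/^(?:[0-9A-Fa-f]{2})*$/.test(packed)) {
    throw new Error('input is not a sequence of hex pairs');
  }
  return Buffer.from(packed, 'hex').toString('latin1');
}

// Browser globals the decoded layer refers to, i.e. what a Node.js host lacks.
function browserGlobals(packed, names = ['window', 'navigator', 'document']) {
  const src = hexUnpack(packed);
  return names.filter((n) => new RegExp('\\b' + n + '\\b').test(src));
}

// Rename an identifier inside the packed layer. Working on the decoded text
// keeps the edit on character boundaries; a search for "77696E646F77" in the
// raw hex can also match at an odd offset, straddling unrelated bytes.
function renamePacked(packed, from, to) {
  return hexPack(hexUnpack(packed).split(from).join(to));
}

// Constructed sample layer (not Echo's real code). The string literal holds
// bytes 07 76 96 E6 46 F7 70, whose hex contains "77696E646F77" at offset 1.
const SAMPLE = hexPack(
  'var ua = window.navigator.userAgent; var k = "\x07\x76\x96\xE6\x46\xF7\x70";'
);

console.log(browserGlobals(SAMPLE));
console.log(hexUnpack(renamePacked(SAMPLE, 'window', 'global')));
```
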

The final cracking code:

global.navigator = {
  userAgent: "Mozilla/5.0 (Linux; Android 4.4.4; en-us; Nexus 5 Build/JOP40D) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2307.2 Mobile Safari/537.36"
};

global["\x65\x76\x61\x6c"](global["\x65\x76\x61\x6c"](global["\x65\x76\x61\x6c"]('"' + "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"["\x72\x65\x70\x6c\x61\x63\x65"](/(..)/g, "\\x$1") + '"')));

...

// Fetch the page and regex-match the encrypted playback URL: BF2B2B4AD08A8AED0BC83E2B38C5BDF51636C55E89C53E3CB9C5AF05FA0578BDC3FAC5BDF5168A7D4F0C29B9B9E1365829364F0AC37D580A58C3ED7DE1C3C30AE189B9E10B5136
var source = global._P_('BF2B2B4AD08A8AED0BC83E2B38C5BDF51636C55E89C53E3CB9C5AF05FA0578BDC3FAC5BDF5168A7D4F0C29B9B9E1365829364F0AC37D580A58C3ED7DE1C3C30AE189B9E10B5136');
// source ==> http://7fvgtj.com2.z0.glb.qiniucdn.com/86e3bba293261d8919d78add1a0baf52

The end.

Give it a try: http://csser.me/echo
