新签名 client_sign #173

lzghzr · 2020-07-19T14:44:23Z

原始数据

{"platform":"android","uuid":"965983d6-2144-4040-b1f6-fbfcbdc0f27e","buvid":"XY721587F2E5639D82213B9BA4211A4FB02AC","seq_id":"1","room_id":"5082","parent_id":"6","area_id":"283","timestamp":"1594740248","secret_key":"axoaadsffcazxksectbbb","watch_time":"300","up_id":"673816","up_level":"33","jump_from":"24001","gu_id":"9ebadb876715e80e2fa2d116207d18e01734ded1026","play_type":"0","play_url":"http://d1--cn-gotcha03.bilivideo.com/live-bvc/126229/live_673816_8552541_2500.flv?cdn=cn-gotcha03&expires=1594743846&len=0&oi=465680638&pt=android&qn=400&trid=abceb8f7b0ad4920949a49f824378f82&sigparams=cdn,expires,len,oi,pt,qn,trid&sign=c0f414cfe0ab6cf1448b6637d5f4d67a&ptype=0&src=5&level=3","s_time":"0","data_behavior_id":"","data_source_id":"","up_session":"l:one:live:record:5082:1594726910","visit_id":"77193bdd8a33d10d239eac2724b50011","watch_status":"%7B%22pk_id%22%3A0%2C%22screen_status%22%3A1%7D","click_id":"f981f115-cdb7-444c-953f-0321389b7081","session_id":"","player_type":"0","client_ts":"1594744851"}

3号算法 SHA512

22cf943cbff34b9e46800fe855b7c5a175e2f392a3b851b2d6d5acb968aecc1e0f21dfe4f7cfbb4570c3eab0563fe0011f1464d56fc3daac6d5f422801086b00

7号算法 SHA3-512

1eb8e33852cb69008520c8179232b5f6d7551a2bbaddc462880dfa9a5fd3406696435a269a9a0a2dce74a5d00651fe8f8224a66db976c4fdf058eb9a891dcf43

2号算法 SHA384

554aeafc7f4a595b071cf1c663c6ba78ebb3c6cacab408f0d9578fa082796982c29a9fea287566364871b19626bee630

6号算法 SHA3-384

dea56c7706c250cfea9289442a0af43a4de67d92577157fa72e521fbb2a38993bdcaec4b3259810e65d45c3a4dd28f4f

8号算法 BLAKE2b512

1bf468dc6d6cd74112a5867317cd818880175a5d4662d1bc7bd162c7d10472aec74ffd2073c358de14a33eaa4c0f1f964aec040a918e7415bf522b092c790f10

经过五次hash得到签名, 我是真不知道五次hash除了恶心人还有什么用

插件作者可以使用 tools.Hash(algorithm: string, data: string | Buffer): string 来计算hash
例如

tools.Hash('BLAKE2b512', 'dea56c7706c250cfea9289442a0af43a4de67d92577157fa72e521fbb2a38993bdcaec4b3259810e65d45c3a4dd28f4f')
// 1bf468dc6d6cd74112a5867317cd818880175a5d4662d1bc7bd162c7d10472aec74ffd2073c358de14a33eaa4c0f1f964aec040a918e7415bf522b092c790f10

附破解算法, 其实就是暴力破解, 得益于现代计算机的性能, 五百万次hash计算也只要不到10秒钟

import { createHash } from 'crypto'

const Hash = (algorithm, data) => createHash(algorithm).update(data).digest('hex')

const algorithms = [
  'BLAKE2b512',
  'BLAKE2s256',
  'MD4',
  'MD5',
  'MD5-SHA1',
  'RIPEMD160',
  'SHA1',
  'SHA224',
  'SHA256',
  'SHA3-224',
  'SHA3-256',
  'SHA3-384',
  'SHA3-512',
  'SHA384',
  'SHA512',
  'SHA512-224',
  'SHA512-256',
  'SHAKE128',
  'SHAKE256',
  'SM3',
  'whirlpool'
]

const input = '{"platform":"android","uuid":"965983d6-2144-4040-b1f6-fbfcbdc0f27e","buvid":"XY721587F2E5639D82213B9BA4211A4FB02AC","seq_id":"1","room_id":"5082","parent_id":"6","area_id":"283","timestamp":"1594740248","secret_key":"axoaadsffcazxksectbbb","watch_time":"300","up_id":"673816","up_level":"33","jump_from":"24001","gu_id":"9ebadb876715e80e2fa2d116207d18e01734ded1026","play_type":"0","play_url":"http://d1--cn-gotcha03.bilivideo.com/live-bvc/126229/live_673816_8552541_2500.flv?cdn=cn-gotcha03&expires=1594743846&len=0&oi=465680638&pt=android&qn=400&trid=abceb8f7b0ad4920949a49f824378f82&sigparams=cdn,expires,len,oi,pt,qn,trid&sign=c0f414cfe0ab6cf1448b6637d5f4d67a&ptype=0&src=5&level=3","s_time":"0","data_behavior_id":"","data_source_id":"","up_session":"l:one:live:record:5082:1594726910","visit_id":"77193bdd8a33d10d239eac2724b50011","watch_status":"%7B%22pk_id%22%3A0%2C%22screen_status%22%3A1%7D","click_id":"f981f115-cdb7-444c-953f-0321389b7081","session_id":"","player_type":"0","client_ts":"1594744851"}'
const output = '1bf468dc6d6cd74112a5867317cd818880175a5d4662d1bc7bd162c7d10472aec74ffd2073c358de14a33eaa4c0f1f964aec040a918e7415bf522b092c790f10'

console.time('hash')
for (let i of algorithms) {
  const hash1 = Hash(i, input)
  for (let j of algorithms) {
    const hash2 = Hash(j, hash1)
    for (let k of algorithms) {
      const hash3 = Hash(k, hash2)
      for (let l of algorithms) {
        const hash4 = Hash(l, hash3)
        for (let m of algorithms) {
          const hash5 = Hash(m, hash4)
          if (hash5 === output) {
            console.timeEnd('hash')
            console.log(i, j, k, l, m)
          }
        }
      }
    }
  }
}
// hash: 4.851s
// SHA512 SHA3-512 SHA384 SHA3-384 BLAKE2b512

The text was updated successfully, but these errors were encountered:

ShmilyChen · 2020-07-19T14:46:32Z

然而，破站一共有12套算法
有一说一，这波操作，没有妈妈

lzghzr · 2020-07-19T14:49:53Z

然而，破站一共有12套算法
有一说一，这波操作，没有妈妈

其他算法都是位数不同, 比如还有sha256, 不加盐的话排列组合跑一遍就行了

lc4t · 2020-07-20T10:48:16Z

除了恶心人没啥用，干脆直接上Bcrypt把用户也恶心一遍

lzghzr pinned this issue Sep 22, 2020

lzghzr closed this as completed Sep 30, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

新签名 client_sign #173

新签名 client_sign #173

lzghzr commented Jul 19, 2020 •

edited

ShmilyChen commented Jul 19, 2020

lzghzr commented Jul 19, 2020

lc4t commented Jul 20, 2020

新签名 client_sign #173

新签名 client_sign #173

Comments

lzghzr commented Jul 19, 2020 • edited

ShmilyChen commented Jul 19, 2020

lzghzr commented Jul 19, 2020

lc4t commented Jul 20, 2020

lzghzr commented Jul 19, 2020 •

edited