京东h5st 4.7参数逆向分析教学文档<\/h1>

一、前言<\/h2>
京东h5st参数是京东网站重要的反爬机制，目前已经升级到4.7版本并逐渐VMP化。本文档将详细分析h5st 4.7参数的生成过程，包括定位方法、逆向分析流程和关键加密函数解析。<\/p>

二、逆向目标<\/h2>

目标参数：京东h5st 4.7<\/li>
目标网站：aHR0cHM6Ly93d3cuamQuY29tLw==（京东官网）<\/li>

相关参数：h5st、x-api-eid-token（风控参数）<\/li> <\/ul>

三、流程分析<\/h2>

1. 抓包分析<\/h3>

通过抓包可观察到：<\/p>

h5st参数版本号为4.7<\/li>

x-api-eid-token由接口返回，由大量浏览器环境和指纹信息生成（可先写死）<\/li> <\/ul>

2. h5st参数定位<\/h3>

定位方法：<\/p>

搜索大法或堆栈追踪快速定位生成位置<\/li>

关键调用链：

colorParamSign<\/code> → window.PSign.sign<\/code>异步函数<\/li>
<\/ol>
四、逆向分析<\/h2>
1. 参数生成入口<\/h3>
h5st参数生成位于VMP文件中，主要特征：<\/p>

加密流程和函数大部分VMP化<\/li>
保留了一些特征点（CryptoJS, AES, SHA, Base64等）<\/li>
<\/ul>
2. 分析方法<\/h3>
方法一<\/strong>：在所有vmp操作的call位置打日志断点（不推荐，日志点过多）<\/p>
方法二<\/strong>：在关键加密函数位置断点分析（推荐）：<\/p>

搜索常见加密函数特征<\/li>
找到约10处加密\/编码操作函数<\/li>
这些函数格式统一，采用ob模式混淆<\/li>
<\/ol>
3. 加密函数结构<\/h3>
加密函数导出结构：<\/p>
传入一个对象接收导出的加密函数<\/span>
<\/span><\/span>初始将o函数的返回值赋值给HS对象<\/span>
<\/span><\/span>后续传入HS对象到o函数再进行导出<\/span>
<\/span><\/span><\/code><\/pre>HS对象包含所有加密函数，可通过以下方式获取：<\/p>

在拼接生成h5st的位置断点<\/li>
输出HS对象<\/li>
在关键加密函数（AES、哈希、Base64）处下断点<\/li>
<\/ol>
4. 关键加密流程<\/h3>
AES加密<\/h4>

参数：n, a（可能是key和iv）<\/li>
测试发现与标准AES结果不一致（存在魔改）<\/li>
示例代码：<\/li>
<\/ul>
const<\/span> CryptoJS<\/span> =<\/span> require<\/span>('crypto-js'<\/span>);
<\/span><\/span>var<\/span> Bytes<\/span> =<\/span> {
<\/span><\/span>  words<\/span>:<\/span> [1598895705<\/span>, 1063548518<\/span>, 1312043094<\/span>, 1296456536<\/span>],
<\/span><\/span>  sigBytes<\/span>:<\/span> 16<\/span>
<\/span><\/span>};
<\/span><\/span>var<\/span> key<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.stringify<\/span>(Bytes<\/span>);
<\/span><\/span>console<\/span>.log<\/span>(key<\/span>);
<\/span><\/span>var<\/span> Bytes<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>(key<\/span>);
<\/span><\/span>console<\/span>.log<\/span>(Bytes<\/span>);
<\/span><\/span><\/code><\/pre>Base64编码<\/h4>

对AES加密结果进行编码<\/li>
也是魔改版本<\/li>
<\/ul>
加密数据来源<\/h4>

test<\/code>参数来自request_algo<\/code>接口返回<\/li>
rd<\/code>和加密函数都是动态的<\/li>
<\/ul>
expandParams<\/h4>

使用魔改AES加密生成<\/li>
key值不同<\/li>
明文主要是环境值（可先固定）<\/li>
<\/ul>
5. SHA256加密<\/h3>
加密明文结构：<\/p>
test函数生成的加密结果 + 
colorParamSign的拼接 + 
test函数生成的加密结果
<\/code><\/pre>
示例明文：<\/p>
'5571a8dda12c510ad1922b90d6b048aba648d9a8c2fc679927fc1e7102520489appid:search-pc-java&body:64ef977e15f853295527f3ce1f15fc980963c43f27c40066d26dd19b542d0bd4&client:pc&clientVersion:1.0.0&functionId:pc_search_s_new&t:17152462710115571a8dda12c510ad1922b90d6b048aba648d9a8c2fc679927fc1e7102520489'
<\/code><\/pre>
加密结果示例：<\/p>
626bad7f7ebe126bb799ac619409778c8808864ad364bcb3d6a42bfb14af47b7
<\/code><\/pre>
6. h5st参数拼接<\/h3>
最终h5st参数由以下部分组成：<\/p>

e<\/code>：SHA256加密结果<\/li>
t<\/code>：时间戳<\/li>
r<\/code>：由时间戳转换生成<\/li>
n<\/code>：第一次AES加密+魔改Base64编码结果<\/li>
_fingerprint<\/code>：可先写死（算法生成）<\/li>
_appid<\/code>：可先写死（页面获取）<\/li>
_token<\/code>：来自request_algo<\/code>接口返回<\/li>
<\/ul>
时间戳转换函数：<\/p>
function<\/span> format<\/span>() {
<\/span><\/span>  var<\/span> e<\/span> =<\/span> arguments<\/span>.length<\/span> ><\/span> 0<\/span> &&<\/span> void<\/span> 0<\/span> !==<\/span> arguments<\/span>[0<\/span>] ?<\/span> arguments<\/span>[0<\/span>] :<\/span> Date.now<\/span>(),
<\/span><\/span>    t<\/span> =<\/span> arguments<\/span>.length<\/span> ><\/span> 1<\/span> &&<\/span> void<\/span> 0<\/span> !==<\/span> arguments<\/span>[1<\/span>] ?<\/span> arguments<\/span>[1<\/span>] :<\/span> "yyyy-MM-dd"<\/span>,
<\/span><\/span>    r<\/span> =<\/span> new<\/span> Date(e<\/span>),
<\/span><\/span>    n<\/span> =<\/span> t<\/span>,
<\/span><\/span>    a<\/span> =<\/span> {
<\/span><\/span>      "M+"<\/span>:<\/span> r<\/span>.getMonth<\/span>() +<\/span> 1<\/span>,
<\/span><\/span>      "d+"<\/span>:<\/span> r<\/span>.getDate<\/span>(),
<\/span><\/span>      "D+"<\/span>:<\/span> r<\/span>.getDate<\/span>(),
<\/span><\/span>      "h+"<\/span>:<\/span> r<\/span>.getHours<\/span>(),
<\/span><\/span>      "H+"<\/span>:<\/span> r<\/span>.getHours<\/span>(),
<\/span><\/span>      "m+"<\/span>:<\/span> r<\/span>.getMinutes<\/span>(),
<\/span><\/span>      "s+"<\/span>:<\/span> r<\/span>.getSeconds<\/span>(),
<\/span><\/span>      "w+"<\/span>:<\/span> r<\/span>.getDay<\/span>(),
<\/span><\/span>      "q+"<\/span>:<\/span> Math.floor<\/span>((r<\/span>.getMonth<\/span>() +<\/span> 3<\/span>) \/<\/span> 3<\/span>),
<\/span><\/span>      "S+"<\/span>:<\/span> r<\/span>.getMilliseconds<\/span>()
<\/span><\/span>    };
<\/span><\/span>  return<\/span> \/(y+)\/i<\/span>.test<\/span>(n<\/span>) &&<\/span> (n<\/span> =<\/span> n<\/span>.replace<\/span>(RegExp.$1<\/span>, ""<\/span>.concat<\/span>(r<\/span>.getFullYear<\/span>()).substr<\/span>(4<\/span> -<\/span> RegExp.$1<\/span>.length<\/span>))), 
<\/span><\/span>  w_<\/span>(a<\/span>).forEach<\/span>((function<\/span>(e<\/span>) {
<\/span><\/span>    if<\/span> (new<\/span> RegExp("("<\/span>.concat<\/span>(e<\/span>, ")"<\/span>)).test<\/span>(n<\/span>)) {
<\/span><\/span>      var<\/span> t<\/span>, r<\/span> =<\/span> "S+"<\/span> ===<\/span> e<\/span> ?<\/span> "000"<\/span> :<\/span> "00"<\/span>;
<\/span><\/span>      n<\/span> =<\/span> n<\/span>.replace<\/span>(RegExp.$1<\/span>, 1<\/span> ==<\/span> RegExp.$1<\/span>.length<\/span> ?<\/span> a<\/span>[e<\/span>] :<\/span> j_<\/span>(t<\/span> =<\/span> ""<\/span>.concat<\/span>(r<\/span>)).call<\/span>(t<\/span>, a<\/span>[e<\/span>]).substr<\/span>(""<\/span>.concat<\/span>(a<\/span>[e<\/span>]).length<\/span>))
<\/span><\/span>    }
<\/span><\/span>  })), n<\/span>
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>console<\/span>.log<\/span>(format<\/span>(1715246309293<\/span>, "yyyyMMddhhmmssSSS"<\/span>)) \/\/ 输出：20240509171829293
<\/span><\/span><\/span><\/code><\/pre>五、HS对象处理<\/h2>
虽然代码有ob混淆，但可以直接手动扣取：<\/p>

约10处结构相似的函数<\/li>
混淆部分不多，无需完全还原<\/li>
扣取完成后输出HS对象即可直接调用加密函数<\/li>
<\/ol>
注意<\/strong>：必须校验与浏览器加密结果一致<\/p>
六、结果验证<\/h2>
正确生成的h5st参数：<\/p>

不会出现<Response [403]><\/code>的情况<\/li>
100%可以获取到数据<\/li>
<\/ul>
七、总结<\/h2>

h5st 4.7参数生成流程复杂但可追踪<\/li>
关键点在于HS对象中加密函数的获取<\/li>
虽然部分加密被魔改，但通过断点分析可还原<\/li>
时间戳转换和参数拼接是最后关键步骤<\/li>
验证时需确保各环节结果与浏览器一致<\/li>
<\/ol>
八、注意事项<\/h2>

本文仅供学习交流使用<\/li>
严禁用于商业用途和非法用途<\/li>
不提供完整代码实现<\/li>
所有敏感信息均已做脱敏处理<\/li>
京东可能随时更新参数生成方式，需持续跟踪<\/li>
<\/ol>

京东h5st 4.7参数逆向分析教学文档<\/h1>

一、前言<\/h2> 京东h5st参数是京东网站重要的反爬机制，目前已经升级到4.7版本并逐渐VMP化。本文档将详细分析h5st 4.7参数的生成过程，包括定位方法、逆向分析流程和关键加密函数解析。<\/p>

三、流程分析<\/h2>

四、逆向分析<\/h2>

4. 关键加密流程<\/h3>

八、注意事项<\/h2> 本文仅供学习交流使用<\/li> 严禁用于商业用途和非法用途<\/li> 不提供完整代码实现<\/li> 所有敏感信息均已做脱敏处理<\/li> 京东可能随时更新参数生成方式，需持续跟踪<\/li> <\/ol>

一、前言<\/h2>
京东h5st参数是京东网站重要的反爬机制，目前已经升级到4.7版本并逐渐VMP化。本文档将详细分析h5st 4.7参数的生成过程，包括定位方法、逆向分析流程和关键加密函数解析。<\/p>

八、注意事项<\/h2>

本文仅供学习交流使用<\/li>
严禁用于商业用途和非法用途<\/li>
不提供完整代码实现<\/li>
所有敏感信息均已做脱敏处理<\/li>
京东可能随时更新参数生成方式，需持续跟踪<\/li> <\/ol>