酷某音乐WASM逆向分析教学文档<\/h1>

1. 逆向目标分析<\/h2>
目标网站：酷某音乐（aHR0cHM6Ly93d3cua3Vnb3UuY29tLw==）<\/p>
主要逆向参数：<\/p>
mid<\/code><\/li>
uuid<\/code><\/li>
signature<\/code><\/li>
params<\/code><\/li>
pk<\/code><\/li>
sid<\/code><\/li>
edt<\/code><\/li>
<\/ul>
2. 抓包分析流程<\/h2>

进入首页，输入手机号点击发送验证码<\/li>
关键接口分析：

send_mobile<\/code>：首次请求后在响应头返回ssa-code<\/code><\/li>
get_verfy_info<\/code>：携带ssa-code<\/code>参数，返回全局唯一的sessionid<\/code><\/li>
v4\/verify_user_info<\/code>：易盾点选\/滑块验证码验证接口<\/li>
再次调用send_mobile<\/code>，status:1<\/code>表示发送成功<\/li>
<\/ul>
<\/li>
<\/ol>
3. 参数逆向详解<\/h2>
3.1 mid和uuid参数<\/h3>
生成逻辑：<\/strong><\/p>

从cookie中获取kg_mid<\/code><\/li>
若不存在则生成浏览器指纹信息并通过md5算法生成<\/li>
<\/ol>
Hook方法：<\/strong><\/p>
(function<\/span>() {
<\/span><\/span>    'use strict'<\/span>;
<\/span><\/span>    var<\/span> cookieTemp<\/span> =<\/span> ''<\/span>;
<\/span><\/span>    Object.defineProperty<\/span>(document, 'cookie'<\/span>, {
<\/span><\/span>        set<\/span>:<\/span> function<\/span>(val<\/span>) {
<\/span><\/span>            if<\/span> (val<\/span>.indexOf<\/span>('kg_mid'<\/span>) !=<\/span> -<\/span>1<\/span>) {
<\/span><\/span>                debugger<\/span>;
<\/span><\/span>            }
<\/span><\/span>            console<\/span>.log<\/span>('Hook捕获到cookie设置->'<\/span>, val<\/span>);
<\/span><\/span>            cookieTemp<\/span> =<\/span> val<\/span>;
<\/span><\/span>            return<\/span> val<\/span>;
<\/span><\/span>        },
<\/span><\/span>        get<\/span>:<\/span> function<\/span>() {
<\/span><\/span>            return<\/span> cookieTemp<\/span>;
<\/span><\/span>        },
<\/span><\/span>    });
<\/span><\/span>})();
<\/span><\/span><\/code><\/pre>uuid生成算法：<\/strong><\/p>
Guid<\/span>:<\/span> function<\/span>() {
<\/span><\/span>    function<\/span> S4<\/span>() {
<\/span><\/span>        return<\/span> (((1<\/span> +<\/span> Math.random<\/span>()) *<\/span> 0x10000<\/span>) |<\/span> 0<\/span>).toString<\/span>(16<\/span>).substring<\/span>(1<\/span>);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> (S4<\/span>() +<\/span> S4<\/span>() +<\/span> "-"<\/span> +<\/span> S4<\/span>() +<\/span> "-"<\/span> +<\/span> S4<\/span>() +<\/span> "-"<\/span> +<\/span> S4<\/span>() +<\/span> "-"<\/span> +<\/span> S4<\/span>() +<\/span> S4<\/span>() +<\/span> S4<\/span>());
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.2 signature参数<\/h3>
生成逻辑：<\/strong><\/p>

将url中的parm<\/code>参数与data<\/code>参数拼接<\/li>
调用K.unshift(y)<\/code>和K.push(y)<\/code>在数组开头和结尾插入固定字符串<\/li>
通过join<\/code>拼接成字符串<\/li>
进行md5加密生成signature<\/code><\/li>
<\/ol>
3.3 params和pk参数<\/h3>
AES加密流程：<\/strong><\/p>
function<\/span> AES_Encrypt<\/span>(data<\/span>) {
<\/span><\/span>    \/\/ 将输入数据转换为JSON字符串
<\/span><\/span><\/span><\/span>    const<\/span> jsonString<\/span> =<\/span> JSON<\/span>.stringify<\/span>(data<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 生成随机密钥(Key)
<\/span><\/span><\/span><\/span>    const<\/span> generateRandomKey<\/span> =<\/span> (length<\/span>) => {
<\/span><\/span>        const<\/span> chars<\/span> =<\/span> "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"<\/span>;
<\/span><\/span>        let<\/span> randomKey<\/span> =<\/span> ''<\/span>;
<\/span><\/span>        for<\/span> (let<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> length<\/span>; i<\/span>++<\/span>) {
<\/span><\/span>            randomKey<\/span> +=<\/span> chars<\/span>.charAt<\/span>(Math.floor<\/span>(Math.random<\/span>() *<\/span> chars<\/span>.length<\/span>));
<\/span><\/span>        }
<\/span><\/span>        return<\/span> randomKey<\/span>;
<\/span><\/span>    };
<\/span><\/span>    
<\/span><\/span>    \/\/ 如果未提供密钥，则生成一个16字符的随机密钥
<\/span><\/span><\/span><\/span>    key<\/span> =<\/span> generateRandomKey<\/span>(16<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 使用MD5对密钥进行编码，并截取前32字符作为实际密钥
<\/span><\/span><\/span><\/span>    const<\/span> md5Key<\/span> =<\/span> md5_encode<\/span>(key<\/span>).substring<\/span>(0<\/span>, 32<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 如果未提供向量(IV)，则使用密钥的最后16字符
<\/span><\/span><\/span><\/span>    iv<\/span> =<\/span> md5Key<\/span>.substring<\/span>(md5Key<\/span>.length<\/span> -<\/span> 16<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 将密钥和向量转换为CryptoJS的Utf8对象
<\/span><\/span><\/span><\/span>    const<\/span> cryptoKey<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>(md5Key<\/span>);
<\/span><\/span>    const<\/span> cryptoIv<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>(iv<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 使用AES算法进行加密
<\/span><\/span><\/span><\/span>    const<\/span> encrypted<\/span> =<\/span> CryptoJS<\/span>.AES<\/span>.encrypt<\/span>(jsonString<\/span>, cryptoKey<\/span>, {
<\/span><\/span>        iv<\/span>:<\/span> cryptoIv<\/span>,
<\/span><\/span>        mode<\/span>:<\/span> CryptoJS<\/span>.mode<\/span>.CBC<\/span>,
<\/span><\/span>        padding<\/span>:<\/span> CryptoJS<\/span>.pad<\/span>.Pkcs7<\/span>
<\/span><\/span>    });
<\/span><\/span>    
<\/span><\/span>    \/\/ 将加密结果转换为Hex字符串
<\/span><\/span><\/span><\/span>    const<\/span> encryptedHexStr<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Hex<\/span>.stringify<\/span>(CryptoJS<\/span>.enc<\/span>.Base64<\/span>.parse<\/span>(encrypted<\/span>.toString<\/span>()));
<\/span><\/span>    
<\/span><\/span>    return<\/span> {
<\/span><\/span>        key<\/span>:<\/span> key<\/span>,
<\/span><\/span>        encryptedStr<\/span>:<\/span> encryptedHexStr<\/span>
<\/span><\/span>    };
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>pk参数RSA加密：<\/strong><\/p>
const<\/span> RSA<\/span> =<\/span> require<\/span>('.\/rsa'<\/span>); \/\/ 引入保存的rsa.js文件
<\/span><\/span><\/span><\/span>
<\/span><\/span>function<\/span> rsa_encode<\/span>(word<\/span>){
<\/span><\/span>    word<\/span> =<\/span> JSON<\/span>.stringify<\/span>(word<\/span>)
<\/span><\/span>    \/\/ 使用的公钥
<\/span><\/span><\/span><\/span>    const<\/span> publicKey<\/span> =<\/span> "B1B1EC76A1BBDBF0D18E8CD9A87E53FA3881E2F004C67C9DDA2CA677DBEFA3D61DF8463FE12D84FF4B4699E02C9D41CAB917F5A8FB9E35580C4BDF97763A0420A476295D763EE10174E6F9EBF7DF8A77BA5B20CDA4EE705DEF5BBA3C88567B9656E52C9CD5CD95CA735FF2D25F762B133273EEEB7B4F3EA8B6DA29040F3B67CD"<\/span>;
<\/span><\/span>    \/\/ 使用encrypt函数进行加密
<\/span><\/span><\/span><\/span>    const<\/span> encryptedMessage<\/span> =<\/span> RSA<\/span>.encrypt<\/span>(word<\/span>);
<\/span><\/span>    return<\/span> encryptedMessage<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.4 sid和edt参数<\/h3>
生成逻辑：<\/strong><\/p>
var<\/span> t<\/span> =<\/span> new<\/span> wasm_bindgen<\/span>.EData<\/span>;
<\/span><\/span>e<\/span>.sid<\/span> =<\/span> t<\/span>.get_sid<\/span>(), 
<\/span><\/span>e<\/span>.edt<\/span> =<\/span> c<\/span>
<\/span><\/span><\/code><\/pre>WASM环境检测点：<\/strong><\/p>

原型链检测<\/li>
DOM层相关检测<\/li>
WebGL原型链检测<\/li>
WebGL相关API操作检测<\/li>
<\/ol>
环境补全要点：<\/strong><\/p>
HTMLCanvasElement<\/span> =<\/span> function<\/span> HTMLCanvasElement<\/span> (){ }
<\/span><\/span>canvas<\/span>.__proto__<\/span>=<\/span>HTMLCanvasElement<\/span>.prototype<\/span>
<\/span><\/span>
<\/span><\/span>function<\/span> WebGLRenderingContext<\/span>() {}
<\/span><\/span>
<\/span><\/span>\/\/ 为WebGLRenderingContext添加Symbol.hasInstance
<\/span><\/span><\/span><\/span>Object.defineProperty<\/span>(WebGLRenderingContext<\/span>, Symbol<\/span>.hasInstance<\/span>, {
<\/span><\/span>    value<\/span>:<\/span> function<\/span> (obj<\/span>) {
<\/span><\/span>        return<\/span> obj<\/span> &&<\/span> typeof<\/span> obj<\/span> ===<\/span> 'object'<\/span> &&<\/span> 
<\/span><\/span>               obj<\/span>.drawingBufferWidth<\/span> !==<\/span> undefined<\/span> &&<\/span> 
<\/span><\/span>               obj<\/span>.drawingBufferHeight<\/span> !==<\/span> undefined<\/span>;
<\/span><\/span>    }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>异步调用解决方案：<\/strong><\/p>
setTimeout<\/span>(function<\/span>(){
<\/span><\/span>    var<\/span> t<\/span> =<\/span> new<\/span> wasm_bindgen<\/span>.EData<\/span>;
<\/span><\/span>    console<\/span>.log<\/span>(t<\/span>.get_sid<\/span>())
<\/span><\/span>    console<\/span>.log<\/span>(t<\/span>.get_edt<\/span>())
<\/span><\/span>}, 1000<\/span>);
<\/span><\/span><\/code><\/pre>Node.js接口实现：<\/strong><\/p>
const<\/span> express<\/span> =<\/span> require<\/span>('express'<\/span>);
<\/span><\/span>const<\/span> app<\/span> =<\/span> express<\/span>();
<\/span><\/span>const<\/span> port<\/span> =<\/span> 3000<\/span>;
<\/span><\/span>
<\/span><\/span>app<\/span>.get<\/span>('\/getValues'<\/span>, async<\/span> (req<\/span>, res<\/span>) => {
<\/span><\/span>    setTimeout<\/span>(function<\/span>(){
<\/span><\/span>        try<\/span> {
<\/span><\/span>            var<\/span> t<\/span> =<\/span> new<\/span> wasm_bindgen<\/span>.EData<\/span>();
<\/span><\/span>            const<\/span> get_sid<\/span> =<\/span> t<\/span>.get_sid<\/span>();
<\/span><\/span>            const<\/span> get_edt<\/span> =<\/span> t<\/span>.get_edt<\/span>();
<\/span><\/span>            res<\/span>.json<\/span>({ get_sid<\/span>, get_edt<\/span> });
<\/span><\/span>        } catch<\/span> (error<\/span>) {
<\/span><\/span>            res<\/span>.status<\/span>(500<\/span>).json<\/span>({ error<\/span>:<\/span> error<\/span>.message<\/span> });
<\/span><\/span>        }
<\/span><\/span>    }, 1000<\/span>);
<\/span><\/span>});
<\/span><\/span>
<\/span><\/span>app<\/span>.listen<\/span>(port<\/span>, () => {
<\/span><\/span>    console<\/span>.log<\/span>(`Server is running on http:\/\/localhost:<\/span>${<\/span>port<\/span>}<\/span>`<\/span>);
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>4. 关键函数解析<\/h2>
_instanceof<\/code>函数分析<\/h3>
function<\/span> _instanceof<\/span>(left<\/span>, right<\/span>) {
<\/span><\/span>    if<\/span> (right<\/span> !=<\/span> null<\/span> &&<\/span> typeof<\/span> Symbol<\/span> !==<\/span> "undefined"<\/span> &&<\/span> right<\/span>[Symbol<\/span>.hasInstance<\/span>]) {
<\/span><\/span>        return<\/span> !!<\/span>right<\/span>[Symbol<\/span>.hasInstance<\/span>](left<\/span>);
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        return<\/span> left<\/span> instanceof<\/span> right<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>功能说明：<\/strong><\/p>

使用Symbol.hasInstance<\/code>进行类型检查<\/li>
如果right<\/code>有Symbol.hasInstance<\/code>方法，则调用并将left<\/code>传递给right[Symbol.hasInstance]<\/code><\/li>
使用!!<\/code>将结果强制转为布尔值<\/li>
如果不满足条件，则使用JavaScript内置的instanceof<\/code>操作符<\/li>
<\/ol>
5. 实现流程总结<\/h2>

获取mid<\/code>和uuid<\/code>参数<\/li>
生成signature<\/code>参数<\/li>
生成params<\/code>和pk<\/code>参数<\/li>
处理WASM环境并获取sid<\/code>和edt<\/code>参数<\/li>
完成验证码验证流程<\/li>
最终调用send_mobile<\/code>接口发送验证码<\/li>
<\/ol>
6. 注意事项<\/h2>

WASM加载是异步过程，需要正确处理异步调用<\/li>
环境检测严格，需要完整补全浏览器环境<\/li>
原型链继承关系需要正确处理<\/li>
建议使用代理框架处理环境检测问题<\/li>
关键检测点可以通过插桩打印或直接修改返回值进行调试<\/li>
<\/ol>