amemv-crawler
签名算法无效
签名算法是模拟了一个cpu 他们自己写了一个指令集
其中有一部分是获取 document.createElement("canvas"),然后画一些东西,toDataURL 之后放到签名里的
提供一点思路:
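/**
 * Tracing harness around an obfuscated bytecode interpreter that produces a
 * request signature for `userId`.
 *
 * The IIFE assigned to `r` is a small stack-based virtual machine. It walks
 * the bytecode string one character at a time (opcode = char code - 32). The
 * bytecode ends with an assign-property instruction for the key `sign`, and
 * the resulting `e.sign` is then called with `userId`.
 *
 * Instrumentation added for analysis (not part of the original algorithm):
 *   - `descDB`, an opcode -> description table printed on every dispatch;
 *   - `Proxy` wrappers that log property reads/writes on the fake global
 *     object, on the `document` stub and on `navigator`;
 *   - `console.log` calls in the push helper and in opcodes 81/82.
 *
 * Review notes:
 *   - The interpreter builds code with the `Function` constructor from text
 *     embedded in the bytecode (helpers `e` and `a`), and the bytecode is given
 *     `Function`, `document.createElement` and `navigator`. That is equivalent
 *     to `eval` of third-party code: analyse it only in an isolated, throwaway
 *     browser profile, never in a session holding real credentials.
 *   - `tac` is a free variable; this function throws a ReferenceError unless
 *     the surrounding page defines it (the bytecode reads `tac` from the fake
 *     global). Its exact meaning is not visible here.
 *   - The bytecode contains canvas calls in clear text (`getContext`, `font`,
 *     `fillText`, `shadowBlur`, `arc`, `stroke`), so the result presumably
 *     depends on how the host renders a canvas; the thread reports different
 *     values outside a browser.
 *
 * @param {*} userId - Value handed unchanged to the generated `sign` function.
 * @returns {*} Whatever `e.sign(userId)` returns.
 */
function generateSignature(userId) {
  // Opcode table used only for trace output. Lines inside the template literal
  // are data: keep them at column 0 and free of comments.
  let descriptions = `1 flip top
4 push xxx
5 stack top = ()=>push next char in top to stack, and return has more
6 call one arg fn, ...|fn|arg|
8 jump x and run, if error jump x2, else return result
9 push run fn to stack
10 stack top = keys(top)
11 pop top 2 and push their sum
12 push XOR-mask(xxx)
13 delete prop, ...|obj|key|
14 push x
59 convert stack top x values into arr, if x ==0 push []
61 stack top = top[x]
62 mem[0] euler
65 assign prop, ...|obj|key|val|
66 binary op nextChar, ...|a|b|
67 forkRun/apply, ...|v3|v2|v1|. v3.x == run -> forkRun(v3.y,v1,mem) else v3.apply(v2,v1)
68 binary op, ...|a|b| op = if nextInstChar < '<' xxx else nextInstChar + nextInstChar
70 push false
71 push global
72 push int(xxx)
73 push parseInt(xxx, 36)
75 pop, if poped false, jump x,
74 jump x
76 push memory[x]
77 get prop, ...|obj|key|
78 create obj with x args. ...|className|x args|
79 push memory[$x]
81 assign prop, key = xxx, ...|obj|val|
82 get prop, key = xxx, ...|obj|
83 pop to memory[x]
84 push true
85 push undefined
86 duplicate top
88 mirror duplicate top 2
89 push fn: fn.x = xxx fn.y = run, ()=> forkRun(fn.y, arguments, memory)
90 push null
91 push h
93 pop to h
0 halt and return top
default push(opCode - 16)`;
  // descDB maps the first token of each line (the opcode) to the rest of it.
  const descDB = {};
  for (const line of descriptions.split("\n")) {
    const arr = line.split(" ").filter(e => e);
    descDB[arr[0]] = arr.slice(1).join(" ");
  }
  // Logging traps shared by every Proxy below.
  var handler = {
    get: function(target, name) {
      console.log("*** get", name);
      return target[name];
    },
    set: function(target, name, val) {
      console.log("set", name);
      target[name] = val;
      // A set trap must report success. Returning the assigned value would
      // signal failure for falsy values and throw a TypeError in strict code.
      return true;
    },
  };
  // Fake global object handed to the bytecode (opcode 71). Only the members
  // listed here are reachable through it; every access is logged.
  var n = new Proxy(
    {
      Function,
      Date,
      tac, // free variable: must be defined by the host page
      document: new Proxy(
        {
          // The document stub exposes createElement only and forwards it to
          // the real document, so element creation shows up in the trace.
          createElement(e) {
            console.log("*********** createElement ******", e, typeof e);
            return document.createElement(e);
          },
        },
        handler
      ),
      RegExp,
      Error,
      String,
      navigator: new Proxy(navigator, handler),
    },
    handler
  );
  // Object that receives the generated `sign` function; passed to the VM as
  // the single argument of the top-level frame.
  var e = {};
  var r = (function() {
    // Binary operator helper: computes `r <op> a`. The operator text `e` comes
    // from the bytecode and is compiled with the Function constructor, then
    // cached in `b`. NOTE(review): dynamic code generation from bytecode text.
    function e(e, a, r) {
      return (b[e] || (b[e] = t("x,y", "return x " + e + " y")))(r, a);
    }
    // Constructor helper: `new x[y](x[y+1], ..., x[y+r])` where `e` is the
    // operand stack and `a` the index of the constructor. One compiled function
    // per argument count is cached in the IIFE-level `k`.
    function a(e, a, r) {
      return (k[r] ||
        (k[r] = t(
          "x,y",
          "return new x[y](" +
            Array(r + 1)
              .join(",x[++y]")
              .substr(1) +
            ")"
        )))(e, a);
    }
    // forkRun: run bytecode `e` in a new memory frame. The frame stores its
    // depth in `d`, a self reference under "$<depth>", the enclosing frames
    // "$0".."$<depth-1>" copied from the parent frame `r`, and the call
    // arguments `a` under numeric keys plus `length`.
    function r(e, a, r) {
      var n,
        t,
        s = {},
        b = (s.d = r ? r.d + 1 : 0);
      for (s["$" + b] = s, t = 0; t < b; t++) s[(n = "$" + t)] = r[n];
      for (t = 0, b = s.length = a.length; t < b; t++) s[t] = a[t];
      return c(e, 0, s);
    }
    // Interpreter loop. t = bytecode, b = program counter, k = memory frame.
    // Locals: v = operand stack, x = stack pointer, h = scratch/exception
    // register, y/d/g = temporaries.
    function c(t, b, k) {
      // Push with trace output.
      function u(e) {
        console.log("push", e);
        v[x++] = e;
      }
      // Read a length-prefixed string operand (length = char code - 32).
      function f() {
        return (g = t.charCodeAt(b++) - 32), t.substring(b, (b += g));
      }
      // Guarded nested run from the current position. On an exception the
      // error is stored in h and y is set to `l` itself as the "threw" marker.
      function l() {
        try {
          y = c(t, b, k);
        } catch (e) {
          (h = e), (y = l);
        }
      }
      for (var h, y, d, g, v = [], x = 0; ; ) {
        g = t.charCodeAt(b++) - 32;
        console.log(g, descDB[g]);
        switch (g) {
          // 1: logical NOT of the popped value.
          case 1:
            u(!v[--x]);
            break;
          // 4: push a string literal.
          case 4:
            v[x++] = f();
            break;
          // 5: replace top with an iterator closure; each call pushes the next
          // element of the captured value and returns whether there was one.
          case 5:
            u(
              (function(e) {
                var a = 0,
                  r = e.length;
                return function() {
                  var c = a < r;
                  return c && u(e[a++]), c;
                };
              })(v[--x])
            );
            break;
          // 6: call a one-argument function: ...|fn|arg| -> fn(arg).
          case 6:
            (y = v[--x]), u(v[--x](y));
            break;
          // 8: guarded sub-run. Reads a skip length, runs l(), skips that many
          // characters and reads a second operand. If the sub-run returned the
          // interpreter function `c`, a further skip is applied; if it threw,
          // the error stays in h and execution continues here; any other
          // result is returned from this frame.
          case 8:
            if (((g = t.charCodeAt(b++) - 32), l(), (b += g), (g = t.charCodeAt(b++) - 32), y === c))
              b += g;
            else if (y !== l) return y;
            break;
          // 9: push the interpreter function itself (marker value).
          case 9:
            v[x++] = c;
            break;
          // 10: push the keys of the popped value.
          case 10:
            u(s(v[--x]));
            break;
          // 11: ...|a|b| -> a + b.
          case 11:
            (y = v[--x]), u(v[--x] + y);
            break;
          // 12: push a masked string literal; each char code is XORed with
          // (index + string length).
          case 12:
            for (y = f(), d = [], g = 0; g < y.length; g++) d[g] = y.charCodeAt(g) ^ (g + y.length);
            u(String.fromCharCode.apply(null, d));
            break;
          // 13: delete obj[key]; the boolean result goes to h, nothing is pushed.
          case 13:
            (y = v[--x]), (h = delete v[--x][y]);
            break;
          // 14: push a one-character integer operand.
          case 14:
            v[x++] = t.charCodeAt(b++) - 32;
            break;
          // 59: collect the top g values into an array (empty array for g = 0).
          case 59:
            u((g = t.charCodeAt(b++) - 32) ? ((y = x), v.slice((x -= g), y)) : []);
            break;
          // 61: push popped[operand].
          case 61:
            u(v[--x][t.charCodeAt(b++) - 32]);
            break;
          // 62: hash step on the frame: k[0] = (65599 * k[0] + char code of
          // k[1] at the popped index), truncated to an unsigned 32-bit value.
          case 62:
            (g = v[--x]), (k[0] = (65599 * k[0] + k[1].charCodeAt(g)) >>> 0);
            break;
          // 65: ...|obj|key|val| -> obj[key] = val, nothing pushed.
          case 65:
            (h = v[--x]), (y = v[--x]), (v[--x][y] = h);
            break;
          // 66: binary operator given as the next bytecode character.
          case 66:
            u(e(t[b++], v[--x], v[--x]));
            break;
          // 67: ...|v3|v2|v1|. A VM closure (v3.x === c) is run with forkRun on
          // v3.y and arguments v1; anything else is called as v3.apply(v2, v1).
          case 67:
            (y = v[--x]), (d = v[--x]), u((g = v[--x]).x === c ? r(g.y, y, k) : g.apply(d, y));
            break;
          // 68: binary operator; characters below "<" introduce a
          // length-prefixed operator string, others are doubled (g + g).
          case 68:
            u(e((g = t[b++]) < "<" ? (b--, f()) : g + g, v[--x], v[--x]));
            break;
          // 70: push false.
          case 70:
            u(!1);
            break;
          // 71: push the proxied fake global object.
          case 71:
            v[x++] = n;
            break;
          // 72: push a string operand converted with unary plus.
          case 72:
            v[x++] = +f();
            break;
          // 73: push a string operand parsed as a base-36 integer.
          case 73:
            u(parseInt(f(), 36));
            break;
          // 75: conditional jump. A truthy popped value skips the one-character
          // jump operand; otherwise control falls through to 74 on purpose.
          case 75:
            if (v[--x]) {
              b++;
              break;
            }
          // 74: relative jump; the operand is sign-extended from 16 bits.
          case 74:
            (g = ((t.charCodeAt(b++) - 32) << 16) >> 16), (b += g);
            break;
          // 76: push k[operand] from the current frame.
          case 76:
            u(k[t.charCodeAt(b++) - 32]);
            break;
          // 77: ...|obj|key| -> obj[key].
          case 77:
            (y = v[--x]), u(v[--x][y]);
            break;
          // 78: construct an object: ...|ctor|g args| -> new ctor(...args).
          case 78:
            (g = t.charCodeAt(b++) - 32), u(a(v, (x -= g + 1), g));
            break;
          // 79: push the frame stored under "$<operand>".
          case 79:
            (g = t.charCodeAt(b++) - 32), u(k["$" + g]);
            break;
          // 81: ...|obj|val| -> obj[key] = val with key from a string operand.
          case 81: {
            let key = f();
            console.log("key", key);
            h = v[--x];
            v[--x][key] = h;
            // After both pops v[x] is the target object; v[x + 1] is the slot
            // that held the value, so logging it would print the value twice.
            console.log("assigned", h, "to", v[x]);
            break;
          }
          // 82: ...|obj| -> obj[key] with key from a string operand.
          case 82: {
            let key = f();
            console.log("key", key);
            u(v[--x][key]);
            break;
          }
          // 83: pop into k[operand].
          case 83:
            (h = v[--x]), (k[t.charCodeAt(b++) - 32] = h);
            break;
          // 84: push true.
          case 84:
            v[x++] = !0;
            break;
          // 85: push undefined.
          case 85:
            v[x++] = void 0;
            break;
          // 86: duplicate the top of the stack.
          case 86:
            u(v[x - 1]);
            break;
          // 88: swap the top two values.
          case 88:
            (h = v[--x]), (y = v[--x]), (v[x++] = h), (v[x++] = y);
            break;
          // 89: push a VM closure: a function tagged with x = c whose bytecode
          // (y) is a string operand; calling it forks a run on the current frame.
          case 89:
            u(
              (function() {
                function e() {
                  return r(e.y, arguments, k);
                }
                return (e.y = f()), (e.x = c), e;
              })()
            );
            break;
          // 90: push null.
          case 90:
            v[x++] = null;
            break;
          // 91: push the scratch register h.
          case 91:
            v[x++] = h;
            break;
          // 93: pop into the scratch register h.
          case 93:
            h = v[--x];
            break;
          // 0: halt and return the top of the stack.
          case 0:
            return v[--x];
          // Any other opcode is a small integer literal: opcode - 16.
          default:
            u(((g << 16) >> 16) - 16);
        }
      }
    }
    // t: Function constructor read through the logging proxy.
    // s: Object.keys or a for-in fallback that returns an array-like object.
    // b: cache of compiled binary operators; k: cache of compiled constructors.
    var t = n.Function,
      s =
        Object.keys ||
        function(e) {
          var a = {},
            r = 0;
          for (var c in e) a[r++] = c;
          return (a.length = r), a;
        },
      b = {},
      k = {};
    return r;
  })()(
    // Bytecode under analysis; must stay byte-for-byte as captured.
    'gr$Daten Иb/s!l y͒yĹg,(lfi~ah`{mv,-n|jqewVxp{rvmmx,&effkx[!cs"l".Pq%widthl"@q&heightl"vr*getContextx$"2d[!cs#l#,*;?|u.|uc{uq$fontl#vr(fillTextx$$龘ฑภ경2<[#c}l#2q*shadowBlurl#1q-shadowOffsetXl#$$limeq+shadowColorl#vr#arcx88802[%c}l#vr&strokex[ c}l"v,)}eOmyoZB]mx[ cs!0s$l$Pb<k7l l!r&lengthb%^l$1+s$jl s#i$1ek1s$gr#tack4)zgr#tac$! +0o![#cj?o ]!l$b%s"o ]!l"l$b*b^0d#>>>s!0s%yA0s"l"l!r&lengthb<k+l"^l"1+s"jl s&l&z0l!$ +["cs\'(0l#i\'1ps9wxb&s() &{s)/s(gr&Stringr,fromCharCodes)0s*yWl ._b&s o!])l l Jb<k$.aj;l .Tb<k$.gj/l .^b<k&i"-4j!+& s+yPo!]+s!l!l Hd>&l!l Bd>&+l!l <d>&+l!l 6d>&+l!l &+ s,y=o!o!]/q"13o!l q"10o!],l 2d>& s.{s-yMo!o!]0q"13o!]*Ld<l 4d#>>>b|s!o!l q"10o!],l!& s/yIo!o!].q"13o!],o!]*Jd<l 6d#>>>b|&o!]+l &+ s0l-l!&l-l!i\'1z141z4b/@d<l"b|&+l-l(l!b^&+l-l&zl\'g,)gk}ejo{cm,)|yn~Lij~em["cl$b%@d<l&zl\'l $ +["cl$b%b|&+l-l%8d<@b|l!b^&+ q$sign ',
    [e]
  );
  return e.sign(userId);
}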
完全看不懂 直接能发出来改进后的版本 更好
@ibcake 他们的代码只能在浏览器里运行 在别的环境下能跑起来但是数值不对
@kdong007 可以微信联系一下吗?
@lg003x 微信同号