Supplement the JS of a video website to decrypt the video

Preface ：

Not long ago , A group friend posted a video in the Group m3u8 file , Among them key yes 16 byte , But it just can't be downloaded . But with m3u8 When the Downloader Downloads , Can't download it , I began to suspect that there was a request for head test , I requested it with code , It is found that normal requests can be made . That should be encryption .

1. Lay down ts,m3u8 or key The breakpoint

Find out where there is encryption , Follow in . I found this js

This js It's loaded later , You can see , Generally, it is automatically loaded later js, There is something fishy inside .

2. Find decryption js

Find this function here , Decryption is here

find js after , Here we will not analyze the algorithm , Directly intend to supplement the environment . This will make us js download , To vscode Run it inside and have a look . He will report a mistake self and window Undefined . Let's make up this ,self Directly assign an empty object ,window=this;

And run it , Found no error reported . We want to call this e.onmessage function . What to do then ？

3. Call the function to decrypt

I think so webpack pack , There is a loader . All functions are in o Inside the object , Here we put o Object export , To call .

Let's run it here , Look at the effect .

You can see , All functions have been exported . So we can call normally .

4. Look at the incoming parameters

We can see , These parameters are passed in

This key and iv It's a little strange. . Here we use this directly key and iv To decrypt , It is found that it can be decrypted normally .

5 see iv and key How to generate

Here is the old step , Make breakpoints , then , Step by step . Let's put the encryption method directly here

key = new Uint32Array([(r.getUint32(0) ^ a[0]) >>> 0, (r.getUint32(4) ^ a[1]) >>> 0, (r.getUint32(8) ^ a[2]) >>> 0, (r.getUint32(12) ^ a[3]) >>> 0])

IV[0] = parseInt(r.attributes.IV[0], 16),
IV[1] = parseInt(r.attributes.IV[1], 16),
IV[2] = parseInt(r.attributes.IV[2], 16),
IV[3] = parseInt(r.attributes.IV[3], 16),

key Generated a Of , Is in window One of the attributes in it .

I didn't study this , It's dead .

The environment here has been improved , Just call it directly , After decryption, there is no flower screen .

OK, That's it today , Communication group 902854353