Add JS runtime #12

Open
opened 2025-10-24 21:18:25 +02:00 by max · 0 comments
Owner

For deciphering the cipher it was possible to extract the operations from the player JS to decipher the signature. This has changed so much that it is not possible to use that implementation. Idea: add a JS runtime to run the script in sandbox format to decipher the signature.

Jint: https://github.com/sebastienros/jint

### Reverse engineer

At the start of the script there is a variable set with a string that is split on ';'; the code is getting function names and variable names based on index from that variable to use. It's quite hard to tell what happens exactly.

#### Example

```javascript
var D = 'true;G;indexOf;splice;youtube.player.web_20251022_22_RC00;local;length;set;path;T;L;=;startsWith;slice;Br4M87pQ_yQn58B4OD-_w8_;pow;call;,,(][[;;url;toString;/;cmo=td;Untrusted URL;/videoplayback;rr;now;scheme;clone;forEach;fromCharCode;]\\;V;push;unshift;%3D;get;split;Ov;//;qL;join;C;AN;match;redirector.googlevideo.com;qP;M8;s;\\.a1\\.googlevideo\\.com$;cmo;file;/api/manifest;8;1969-12-31T14:16:00.000-09:45;playerfallback;mn;pop;n;://;uw;Cv;:;fallback_count;/initplayback;prototype;\\.googlevideo\\.com$;1969-12-31T21:45:25.000-02:15;1970-01-01T10:30:42.000+10:30;fvip;index.m3u8;1;,;cmo=;signatureCipher;www.youtube.com;sp;1969-12-31T20:00:37.000-04:00;&;rr?[1-9].*\\.c\\.youtube\\.com$;https://local;1969-12-31T20:30:55.000-03:30;http://local;replace;/file/index.m3u8;reverse;assign;cmo=pf;1970-01-01T01:30:01.000+01:30;[]""\\/,;?;break;undefined;---;r;1969-12-31T15:15:06.000-08:45;a1.googlevideo.com'.split(";")
```

Results in:

0: true
1: G
2: indexOf
3: splice
4: youtube.player.web_20251022_22_RC00
5: local
6: length
7: set
8: path
9: T
10: L
11: =
12: startsWith
13: slice
14: Br4M87pQ_yQn58B4OD-_w8_
15: pow
16: call
17: ,,(][[
18:
19: url
20: toString
21: /
22: cmo=td
23: Untrusted URL
24: /videoplayback
25: rr
26: now
27: scheme
28: clone
29: forEach
30: fromCharCode
31: ]\
32: V
33: push
34: unshift
35: %3D
36: get
37: split
38: Ov
39: //
40: qL
41: join
42: C
43: AN
44: match
45: redirector.googlevideo.com
46: qP
47: M8
48: s
49: \.a1\.googlevideo\.com$
50: cmo
51: file
52: /api/manifest
53: 8
54: 1969-12-31T14:16:00.000-09:45
55: playerfallback
56: mn
57: pop
58: n
59: ://
60: uw
61: Cv
62: :
63: fallback_count
64: /initplayback
65: prototype
66: \.googlevideo\.com$
67: 1969-12-31T21:45:25.000-02:15
68: 1970-01-01T10:30:42.000+10:30
69: fvip
70: index.m3u8
71: 1
72: ,
73: cmo=
74: signatureCipher
75: www.youtube.com
76: sp
77: 1969-12-31T20:00:37.000-04:00
78: &
79: rr?[1-9].*\.c\.youtube\.com$
80: https://local
81: 1969-12-31T20:30:55.000-03:30
82: http://local
83: replace
84: /file/index.m3u8
85: reverse
86: assign
87: cmo=pf
88: 1970-01-01T01:30:01.000+01:30
89: []""\/,
90: ?
91: break
92: undefined
93: ---
94: r
95: 1969-12-31T15:15:06.000-08:45
96: a1.googlevideo.com

Search in the code where the index for value 'n' (in this example that would be D[58]) is used and that is the decipher function. Same with signatureCipher (index 74).
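The index lookup described above can be done mechanically. This is an added example, not part of the original issue or the project's code: it rebuilds the split table without evaluating the script, reports which lines reference a given slot, and rewrites `D[i]` references to the strings they stand for. The table line is copied from the issue; the functions `Qx`, `Zk` and `Wm` in the sample and the helper names `parseTable`, `findUses` and `resolveRefs` are constructed for illustration.

```javascript
// Constructed sample: line 1 is the table from the issue, lines 2-4 are made-up
// functions that use it the way the issue describes (names looked up by index).
const SAMPLE = String.raw`var D = 'true;G;indexOf;splice;youtube.player.web_20251022_22_RC00;local;length;set;path;T;L;=;startsWith;slice;Br4M87pQ_yQn58B4OD-_w8_;pow;call;,,(][[;;url;toString;/;cmo=td;Untrusted URL;/videoplayback;rr;now;scheme;clone;forEach;fromCharCode;]\\;V;push;unshift;%3D;get;split;Ov;//;qL;join;C;AN;match;redirector.googlevideo.com;qP;M8;s;\\.a1\\.googlevideo\\.com$;cmo;file;/api/manifest;8;1969-12-31T14:16:00.000-09:45;playerfallback;mn;pop;n;://;uw;Cv;:;fallback_count;/initplayback;prototype;\\.googlevideo\\.com$;1969-12-31T21:45:25.000-02:15;1970-01-01T10:30:42.000+10:30;fvip;index.m3u8;1;,;cmo=;signatureCipher;www.youtube.com;sp;1969-12-31T20:00:37.000-04:00;&;rr?[1-9].*\\.c\\.youtube\\.com$;https://local;1969-12-31T20:30:55.000-03:30;http://local;replace;/file/index.m3u8;reverse;assign;cmo=pf;1970-01-01T01:30:01.000+01:30;[]""\\/,;?;break;undefined;---;r;1969-12-31T15:15:06.000-08:45;a1.googlevideo.com'.split(";")
function Qx(a){a=a[D[37]]("");a[D[85]]();return a[D[41]]("")}
function Zk(u){var c=u[D[36]](D[58]);return c?Qx(c):c}
function Wm(o){return o[D[74]]}`;

// Locate `var NAME = '...'.split("c")` and rebuild the table as plain data.
// Nothing from the script is executed here.
function parseTable(src) {
  const m = /var\s+(\w+)\s*=\s*'((?:\\.|[^'\\])*)'\.split\("(.)"\)/.exec(src);
  if (!m) throw new Error("no string table found");
  // Only single-character escapes (\\, \', \n, \t) are decoded; enough for this table.
  const text = m[2].replace(/\\(.)/g, (_, c) => ({ n: "\n", t: "\t" }[c] || c));
  return { name: m[1], table: text.split(m[3]) };
}

// Report the slot holding `value` and every source line that references it.
function findUses(src, { name, table }, value) {
  const index = table.indexOf(value);
  const needle = `${name}[${index}]`;
  const hits = src.split("\n")
    .map((text, i) => ({ line: i + 1, text }))
    .filter((l) => index >= 0 && l.text.includes(needle));
  return { index, hits };
}

// Rewrite NAME[<int>] to the quoted string it stands for, leaving bad indices alone.
function resolveRefs(src, { name, table }) {
  const ref = new RegExp("\\b" + name + "\\[(\\d+)\\]", "g");
  return src.replace(ref, (whole, i) =>
    Number(i) < table.length ? JSON.stringify(table[Number(i)]) : whole);
}

const parsed = parseTable(SAMPLE);
for (const key of ["n", "signatureCipher"]) {
  const { index, hits } = findUses(SAMPLE, parsed, key);
  console.log(`${key} -> ${parsed.name}[${index}] on line(s) ${hits.map((h) => h.line)}`);
}
console.log(resolveRefs(SAMPLE, parsed).split("\n").slice(1).join("\n"));
```

The table index changes with every player build, so the lookup has to be recomputed from the table each time rather than hard-coding 58 or 74.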

max added the Reviewed Confirmed, Compat/Breaking and Priority Critical labels 2025-10-24 21:18:25 +02:00
max self-assigned this 2025-10-24 21:18:25 +02:00
max added this to the YouTube Manager project 2025-10-24 21:18:25 +02:00
max moved this to In progress in YouTube Manager on 2025-10-24 21:18:27 +02:00