{"id":13488273,"url":"https://github.com/ChenZixinn/spider_reverse","last_synced_at":"2025-03-28T00:33:27.350Z","repository":{"id":171901063,"uuid":"648531260","full_name":"ChenZixinn/spider_reverse","owner":"ChenZixinn","description":"爬虫逆向案例，已完成：TLS指纹｜瑞数｜震坤行 | 网易易盾 | 微信小程序反编译逆向(百达星系) | 同花顺 | rpc解密 | 加速乐 | 极验滑块验证码 | 巨量算数 | Boss直聘 | 企查查 | 中国五矿 | qq音乐 | 产业政策大数据平台 | 企知道 | 雪球网(acw_sc__v2) | 1688 | 七麦数据 | whggzy | 企名科技 | mohurd | 艺恩数据 | 欧科云链","archived":false,"fork":false,"pushed_at":"2024-08-23T08:33:33.000Z","size":15884,"stargazers_count":580,"open_issues_count":2,"forks_count":142,"subscribers_count":13,"default_branch":"main","last_synced_at":"2024-10-31T00:36:31.419Z","etag":null,"topics":["crawler","python","requests","spider"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ChenZixinn.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-06-02T07:29:55.000Z","updated_at":"2024-10-29T09:37:35.000Z","dependencies_parsed_at":"2023-10-26T05:30:55.730Z","dependency_job_id":"70e88621-8483-4171-8b84-b789e2d9b591","html_url":"https://github.com/ChenZixinn/spider_reverse","commit_stats":null,"previous_names":["chenzixinn/spiderreverse","chenzixinn/spider_reverse"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChenZixinn%2Fspider_reverse","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChenZixinn%2Fspider_reverse/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChenZixinn%2Fspider_reverse/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChenZixinn%2Fspider_reverse/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ChenZixinn","download_url":"https://codeload.github.com/ChenZixinn/spider_reverse/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245949254,"owners_count":20698911,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["crawler","python","requests","spider"],"created_at":"2024-07-31T18:01:12.832Z","updated_at":"2025-03-28T00:33:22.309Z","avatar_url":"https://github.com/ChenZixinn.png","language":"Python","readme":"# 爬虫逆向\n\n\n\n本项目记录一些学习爬虫逆向的案例，仅供学习参考，请勿用于非法用途。\n\n目前已完成：**[TLS](#tls)、[震坤行](#zkh)、[网易易盾](#yidun)、[微信小程序反编译逆向（百达星系）](#wechat)、[极验滑块验证码](#jiyan)、[同花顺](#tonghuashun)、[rpc实现解密](#rpc)、[工业和信息化部政务服务平台(加速乐)](#jiasule)、[巨量算数](#juliang)、[Boss直聘](#boss)、[企查查](#qichacha)、[中国五矿](#wukuang)、[qq音乐](#qqmusic)、[产业政策大数据平台](#cyzc)、[企知道](#qizhidao)、[雪球网(acw_sc__v2)](#xueqiu)、[1688](#1688)、[七麦数据](#qimai)、[whggzy](#whggzy)、[企名科技](#qiming)、[全国建筑市场监管公告平台](#mohurd)、[艺恩数据](#endata)、[欧科云链(oklink)](#oklink)、[度衍(uyan)](#uyan)、[凤凰云智影院管理平台](#fenghuang)、[DrissionPage过瑞数6](#dp_rs6)**\n\n点击以上链接可跳转到对应文档位置，代码路径格式为**\"月份/网站名称/\"**。\n\n\n\n### 环境安装：\n\nnpm install \n\npip install -r requirements.txt\n\n\n\n### \u003cspan id='whggzy'\u003e一、whggzy（接口参数）\u003c/span\u003e\n\n#### 1.1 搜索响应数据找到接口\n\n接口为 “http://www.whggzy.com/front/search/category”\n\n![image-20230602094847529](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230602094847529.png)\n\n\n\n#### 1.2 设置header和data\n\n将接口的headers和data传入，并进行测试\n\n```python\nheaders = {\n # 这两个参数是必须的\n \"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\",\n \"Referer\": \"http://www.whggzy.com/PurchaseAdvisory/index.html\",\n}\n\n# 通过查看参数发现data传的是字符串，所以这个通过字符串的方式发送data，而不是字典\ndata = {\n \"categoryCode\": \"MostImportant\",\n \"pageNo\": 1,\n \"pageSize\": 15\n}\n```\n\n**访问后报错**\n\n\n\n#### 1.3 断点调试\n\n在源代码-\u003exhr/提取断点中加入断点，观察到headers的参数，且data参数为字符串\n\n![image-20230602095429289](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230602095429289.png)\n\n\n\n##### 完整代码\n\n```python\nimport requests\n\nurl = \"http://www.whggzy.com/front/search/category\"\n\nheaders = {\n # 这两个参数是必须的\n \"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\",\n \"Referer\": \"http://www.whggzy.com/PurchaseAdvisory/index.html\",\n\n # 通过xhr断点找到接口的headers包含一下几个\n 'Accept': \"*/*\",\n 'Content-Type': \"application/json\",\n 'X-Requested-With': \"XMLHttpRequest\",\n\n\n}\n\n# 通过查看参数发现data传的是字符串，所以这个通过字符串的方式发送data，而不是字典\ndata = '''{\n \"categoryCode\": \"MostImportant\",\n \"pageNo\": 1,\n \"pageSize\": 15\n}'''\n\nprint(requests.post(url, headers=headers, data=data).text)\n\n```\n\n\n\n\n\n### \u003cspan id='qiming'\u003e二、企名科技(数据加密)\u003c/span\u003e\n\nurl: https://www.qimingpian.com/finosda/project/pinvestment\n\n#### 2.1 搜索数据\n\n搜索不到数据，判断为通过ajax数据加密\n\n找到接口：\n\n![image-20230602114517059](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230602114517059.png)\n\n\n\n#### 2.2 断点调试\n\n找到js文件\n\n![image-20230602114651972](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230602114651972.png)\n\n\n\n找到加密数据的方法：\n\n![image-20230602104759972](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230602104759972.png)\n\n\n\n```js\n// 还需要找到o方法和decode方法，整合成js文件\nfunction s(e) {\n return JSON.parse(o(\"5e5062e82f15fe4ca9d24bc5\", a.a.decode(e), 0, 0, \"012345677890123\", 1))\n}\n```\n\n\n\n#### 2.3 调用接口获取数据，放入js方法中解密\n\n```python\nimport json\n\nimport execjs\nimport requests\n\nurl = 'https://vipapi.qimingpian.cn/DataList/productListVip'\n\nheaders = {}\n\ndata = {}\n\n# 打开js文件\nwith open(\"./demo2_qiming.js\", \"r\") as f:\n jscode = f.read()\n\n# 调用api接口拿到加密数据\nresp = requests.get(url, headers=headers, data=data).json()\n\n# 调用js文件\nctx = execjs.compile(jscode).call('s', resp[\"encrypt_data\"])\n\nprint(ctx)\nprint(f\"type:{type(ctx)}\")\n```\n\n\n\n### \u003cspan id='mohurd'\u003e三、全国建筑市场监管公告平台\u003c/span\u003e\n\nurl： aHR0cHM6Ly9qenNjLm1vaHVyZC5nb3YuY24vZGF0YS9jb21wYW55\n\n\n\n#### 3.1 获取数据\n\n接口：https://jzsc.mohurd.gov.cn/APi/webApi/dataservice/query/comp/list?pg=0\u0026pgsz=15\u0026total=0\n\n\n\n数据经过加密，data: 95780ba09437300...\n\n\n\n#### 3.2 查找js\n\n通过接口名称找到js文件，在js文件里搜索JSON.parse，打断点进行调试\n\n![image-20230602142415295](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230602142415295.png)\n\n\n\n#### 3.3 js解密\n\n常见js算法：crypto-js、jsdom、hash、md5、逆向算法\n\n判断使用的加密是CryptoJS，使用npm安装库后导入，替换原始js里使用的方法\n\n```js\nconst CryptoJS = require('crypto-js')\n// 常见js算法：jsdom hash md5 逆向算法\n\nfunction m(t) {\n // d.a是CryptoJS\n var f = CryptoJS.enc.Utf8.parse(\"jo8j9wGw%6HbxfFn\")\n var h = CryptoJS.enc.Utf8.parse(\"0123456789ABCDEF\")\n var e = CryptoJS.enc.Hex.parse(t),\n\n n = CryptoJS.enc.Base64.stringify(e),\n a = CryptoJS.AES.decrypt(n, f, {\n iv: h,\n mode: CryptoJS.mode.CBC,\n padding: CryptoJS.pad.Pkcs7\n }),\n r = a.toString(CryptoJS.enc.Utf8);\n return r.toString()\n}\n```\n\n\n\n### \u003cspan id='endata'\u003e四、endata（js混淆）\u003c/span\u003e\n\nurl: https://www.endata.com.cn/BoxOffice/BO/Year/index.html\n\n#### 4.1 获取数据\n\n```python\nurl = \"https://www.endata.com.cn/API/GetData.ashx\"\nheaders = {} # 略\ndata = {} # 略\nori_data = requests.post(url, headers=headers, data=data).text\n\n\"\"\"\nout:\nAFB3D177A5D1D916CFEFBE70FEFC0C59C0463AE137DE1A099C4B169B8AB9DBC33EE55B1...（加密数据）\n\"\"\"\n```\n\n\n\n#### 4.2 搜索加密接口\n\n![](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230602153850946.png)\n\n\n\n#### 4.3 js\n\n通过断点找到加密的方法，方法经过了js混淆，直接复制方法，执行这个方法，根据提示补齐所有缺失的属性。\n\n![image-20230602154006084](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230602154006084.png)\n\n\n\n#### 4.4 navigator\n\njs代码中存在一个navigator属性，为环境属性，需要手动写入\n\n```js\nglobal.navigator = {'userAgent': \"node.js\"}\n```\n\n\n\n\n\n#### 4.5 结合接口完成代码\n\n```python\n\"\"\"js混淆\"\"\"\nimport execjs\nimport requests\n\nurl = \"https://www.endata.com.cn/API/GetData.ashx\"\nheaders = {\n\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\"\n\n}\ndata = {\n \"year\": 2023,\n \"MethodName\": \"BoxOffice_GetYearInfoData\"\n}\nori_data = requests.post(url, headers=headers, data=data).text\n\nwith open(\"./endata.js\", 'r') as f:\n js_code = f.read()\n\nresult = execjs.compile(js_code).call(\"webInstace.shell\", ori_data)\n\nprint(result)\n\n# (webInstace.shell(data));\n\n```\n\n\n\n### \u003cspan id='1688'\u003e五、1688\u003c/span\u003e\n\nurl: https://sale.1688.com/factory/category.html?spm=a260k.22464671.home2019category.1.6e517a6exMGJcG\u0026mainId=10166\n\n#### 5.1 查看接口\n\n有加密参数，找这个参数的js文件\n\n![](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230602100140806.png)\n\n![](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20231022161547651.png)\n\n#### 5.2 搜索加密参数\n\n**sign参数的组成：**token \u0026 时间戳 \u0026 g \u0026 请求参数，数据均没有变化\n\n再经过h函数\n\n![image-20230602100323351](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230602100323351.png)\n\n\n\n#### 5.3 得到sign\n\n```python\n# 请求的参数\ndata = '{\"cid\":\"FactoryRankServiceWidget:FactoryRankServiceWidget\",\"methodName\":\"execute\",\"params\":\"{\\\\\"extParam\\\\\":{\\\\\"methodName\\\\\":\\\\\"readRelatedRankEntries\\\\\",\\\\\"cateId\\\\\":\\\\\"10166\\\\\",\\\\\"size\\\\\":\\\\\"15\\\\\",\\\\\"pageNo\\\\\":\\\\\"1\\\\\",\\\\\"pageSize\\\\\":\\\\\"20\\\\\",}}\"}'\n\n# sign = token \u0026 时间戳 \u0026 g \u0026 请求参数\ntoken = \"2a3e896698e27affa623d6ecd90aca5e\"\ni = int(time.time() * 1000)\ng = \"12574478\"\n# 拼接出字符串\nj = f\"{token}\u0026{i}\u0026{g}\u0026{str(data)}\"\n\n# 使用js文件生成sign\nwith open(\"./h.js\", \"r\", encoding=\"utf-8\") as f:\n js_code = f.read()\nsign = execjs.compile(js_code).call(\"h\", j)\n\n```\n\n\n\n#### 5.4 访问接口\n\n```python\n# 设置header和params\nheaders = {\n \"User-Agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\",\n \"Referer\": \"https://sale.1688.com/\",\n # 这里需要传入cookie，不然会提示token为空\n \"Cookie\":\"...\",\n}\n# 这里的data、时间戳要和sign里的data一样\nparams = {\"jsv\": \"2.6.1\", \"appKey\": \"12574478\", \"t\": str(i), \"sign\": sign, \"v\": \"1.0\", \"type\": \"jsonp\", \"isSec\": 0,\n \"timeout\": 20000, \"api\": \"mtop.taobao.widgetService.getJsonComponent\", \"dataType\": \"jsonp\",\n \"jsonpIncPrefix\": \"mboxfc\", \"callback\": \"mtopjsonpmboxfc3\", \"data\": data}\n\nurl = \"https://h5api.m.1688.com/h5/mtop.taobao.widgetservice.getjsoncomponent/1.0/\"\nprint(requests.get(url, headers=headers, params=params).text)\n```\n\n\n\n\n\n\n\n### 六、cninfo TODO\n\nurl: https://webapi.cninfo.com.cn/#/marketDataDate\n\n\n\n#### 6.1 加密字段\n\n为base64加密\n\n![image-20230602102009457](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230602102009457.png)\n\n\n\n#### 6.2 搜索js文件\n\n通过标头名或者路径搜索，找到js文件；该方法使用了js混淆。\n\n![image-20230602102531128](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230602102531128.png)\n\n\n\n### \u003cspan id='qimai'\u003e七、七麦数据\u003c/span\u003e\n\nurl: https://www.qimai.cn/rank\n\n\n\n#### 7.1找到接口\n\n通过英文搜索到接口（中文有编码）\n\n![image-20230604223717940](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230604223717940.png)\n\n#### 7.2 搜索js文件\n\n##### 找到js文件\n\n接口的参数名搜索js，参数名：**analysis**，找到对应的js文件\n\n\n\n##### 添加断点\n\n在js文件中添加接口url的路径：/rank/indexPlus/brand_id/1\n\n\n\n##### 单步调试找到加密位置\n\n![image-20230604225151994](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230604225151994.png)\n\n\n\n#### 7.3 编写js\n\njs使用了js混淆，需要根据调试根据判断使用了什么方法，具体请看注解\n\n```js\n// 注释的代码为原始代码\n\nfunction v(t) {\n // 找到这里使用的方法\n // t = z[V1](t)[T](/%([0-9A-F]{2})/g, function(n, t) {\n t = encodeURIComponent(t).replace(/%([0-9A-F]{2})/g, function (n, t) {\n // 这里的Y1是个固定字符\n // return o(Y1 + t)\n return o(\"0x\" + t)\n });\n try {\n // boat方法\n // return z[Q1](t)\n return btoa(t)\n } catch (n) {\n // 找到这个方法\n // return z[W1][K1](t)[U1](Z1)\n return Buffer.from(t).toString(\"base64\")\n }\n}\n\n\nfunction o(n) {\n let f2 = '66';\n let s2 = '72';\n let d2 = '6f';\n let m2 = '6d';\n let l2 = '43';\n let v2 = '68';\n let p2 = '61';\n let h2 = '64';\n let y2 = '65';\n t = \"\",\n\n [f2, s2, d2, m2, l2, v2, p2, s2, l2, d2, h2, y2].forEach(function (n) {\n t += unescape(\"%u00\" + n)\n });\n var t, e = t;\n // 调试时这里的e一直是undefined，通过打断点再调试确定为这个方法\n // return z[b2][e](n)\n return String.fromCharCode(n)\n}\n\nfunction h(n, t) {\n t = t || u();\n // 替换方法和值\n // for (var e = (n = n[$1](_))[R], r = t[R], a = q1, i = H; i \u003c e; i++)\n for (var e = (n = n.split(\"\")).length, r = t.length, a = \"charCodeAt\", i = 0; i \u003c e; i++)\n n[i] = o(n[i][a](0) ^ t[(i + 10) % r][a](0));\n // return n[I1](_)\n return n.join(\"\")\n}\n\nfunction url(pass) {\n var s = 1359\n var H = 0\n var e, r = +new Date() - (s || H) - 1661224081041, a = [];\n var v1 = \"@#\"\n // 固定值\n var d = \"xyz517cda96abcd\"\n\n // a = a[Ot]()[I1](_),\n a = a.sort().join(\"\")\n\n // 这里调用了一个去掉域名的方法，但我们传的是后面的接口路径，所以直接使用\n // a = (a += v + t[Jt][T](t[Mt], _)) + (v + r) + (v + 3),\n a = (a += v1 + pass) + (v1 + r) + (v1 + 3)\n\n // 在调试工具里找到这两个方法，复制到上面\n // e = (0,\n // i[jt])((0,\n // i[qt])(a, d))\n e = (0,\n v)((0,\n h)(a, d))\n return e\n}\n\nconst pass = \"/rank/indexPlus/brand_id/1\"\nconsole.log(url(pass));\n```\n\n\n\n### \u003cspan id='oklink'\u003e八、oklink\u003c/span\u003e\n\n#### 8.1 查看接口\n\n![image-20230605145711223](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230605145711223.png)\n\n\n\n\n\n#### 8.2 搜索js文件\n\n\n\n##### 找到加密的位置\n\n找到方法，再进行搜索\n\n![image-20230605150642725](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230605150642725.png)\n\n\n\n#### 8.3 js实现\n\n找到webpack打包的代码，改写后补齐所有方法\n\n##### 原代码\n\n```js\n{\n key: \"encryptApiKey\",\n value: function() {\n var t = this.API_KEY\n , e = t.split(\"\")\n , n = e.splice(0, 8);\n return t = e.concat(n).join(\"\")\n }\n}, {\n key: \"encryptTime\",\n value: function(t) {\n var e = (1 * t + a).toString().split(\"\")\n , n = parseInt(10 * Math.random(), 10)\n , r = parseInt(10 * Math.random(), 10)\n , o = parseInt(10 * Math.random(), 10);\n return e.concat([n, r, o]).join(\"\")\n }\n}, {\n key: \"comb\",\n value: function(t, e) {\n var n = \"\".concat(t, \"|\").concat(e);\n return window.btoa(n)\n }\n}, \n{\n key: \"getApiKey\",\n value: function() {\n var t = (new Date).getTime()\n , e = this.encryptApiKey();\n return t = this.encryptTime(t),\n this.comb(e, t)\n }\n}\n```\n\n\n\n##### 改写\n\n```js\nfunction encryptApiKey() {\n let API_KEY = \"a2c903cc-b31e-4547-9299-b6d07b7631ab\"\n var t = API_KEY\n , e = t.split(\"\")\n , n = e.splice(0, 8);\n return t = e.concat(n).join(\"\")\n}\n\nfunction encryptTime(t) {\n let a = 1111111111111\n var e = (1 * t + a).toString().split(\"\")\n , n = parseInt(10 * Math.random(), 10)\n , r = parseInt(10 * Math.random(), 10)\n , o = parseInt(10 * Math.random(), 10);\n return e.concat([n, r, o]).join(\"\")\n}\n\nfunction comb(t, e) {\n var n = \"\".concat(t, \"|\").concat(e);\n return Buffer.from(n).toString(\"base64\")\n}\n\nfunction getApiKey() {\n var t = (new Date).getTime()\n , e = encryptApiKey();\n return t = encryptTime(t),\n comb(e, t)\n}\n\ngetApiKey()\n```\n\n\n\n#### 8.4 python代码实现\n\n```python\n\ndef get_api_key():\n \"\"\"获取加密字符串\"\"\"\n times = int(time.time() * 1000)\n\n # 固定的加密值\n api_key = \"a2c903cc-b31e-4547-9299-b6d07b7631ab\"\n\n # encryptApiKey()\n key1 = api_key[0:8]\n key2 = api_key[8:]\n # 交换位置\n new_key = key2 + key1\n\n # encryptTime()\n a = 1111111111111\n\n new_time = str(1 * times + a)\n random1 = str(random.randint(0, 9))\n random2 = str(random.randint(0, 9))\n random3 = str(random.randint(0, 9))\n # 拼接\n cur_time = new_time + random1 + random2 + random3\n\n # 合并前面生成的两个值，并用base64加密\n this_key = new_key + \"|\" + cur_time\n n_k = this_key.encode(\"utf-8\")\n x_apikey = base64.b64encode(n_k)\n return x_apikey\n```\n\n\n\n### 九、去哪儿机票服务\n\nurl:https://m.flight.qunar.com/h5/flight/\n\n#### 8.1、接口的加密\n\n8.1.1、请求参数：**\\_\\_m\\_\\_**\n\n![image-20230605172141802](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230605172141802.png)\n\n8.1.2、请求头参数：**键值对加密**\n\n![image-20230605172331402](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230605172331402.png)\n\n#### 8.2、请求参数\n\n##### 8.2.1 通过js查找算法\t\n\nf()为**md5**加密\n\n![image-20230605223339438](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230605223339438.png)\n\n\n\nu()为**SHA1**加密\n\n![image-20230605223535368](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230605223535368.png)\n\n##### 8.2.2 js代码解析\n\n```js\n// 所有方法\n\n// 加密算法\nfunction encryptFunction() {\n /**\n * 调试进入这两个算法中，找到他们对应的算法，找关键字，例如算法名称\n * f：md5\n * n: SHA1\n */\n return [function (e) {\n // t % 2 == 0执行这个方法\n // e = t时间戳 + n字符串\n var t = (0,\n u.default)(e).toString();\n return (0,\n f.default)(t).toString()\n }\n // t % 2 == 1执行这个方法\n , function (e) {\n var t = (0,\n f.default)(e).toString();\n return (0,\n u.default)(t).toString()\n }\n ]\n}\n\nfunction dencryptCode(t) {\n return t.map(function (e) {\n return String.fromCharCode(e - 2)\n }).join(\"\")\n}\n\nfunction getQtTime(t) {\n /*\n * 如果有t这里直接返回t\n * 没t这里把时间戳分割后的char值-2转为字符串\n */\n return t ? Number(t.split(\",\").map(function (e) {\n return String.fromCharCode(e - 2)\n }).join(\"\")) : 0\n}\n\n// 获取字符串方法\nfunction getTokenStr() {\n var t = this.dencryptCode(this.tokenStr);\n // 这里选择了页面中一个id为t的元素的值\n var n = document.getElementById(t).innerHTML;\n // 这里会返回元素的值或者方法的值\n return n ? n : (0,\n s.default)(this.dencryptCode(this.cookieToken))\n}\n\n\n// 获取参数的方法\nfunction encrypt() {\n // t是页面元素的值\n var t = this.getTokenStr()\n // 这里n是时间戳\n , n = this.getQtTime((0,\n s.default)(this.dencryptCode(this.qtTime)))\n // r是对时间戳取模\n , r = n % 2;\n return encryptFunction()[r](t + n)\n}\n\n// 加密的方法\nfunction encryptToken(t) {\n return (0,\n f.default)(t).toString()\n}\n```\n\n\n\n##### 8.2.3 python生成该参数\n\n根据前面解析js代码，得到m参数的生成逻辑\n\n```python\nimport hashlib\nimport time\n\ndef md5_hash(text):\n # 创建MD5哈希对象\n md5_hasher = hashlib.md5()\n # 更新哈希对象以包含待加密的文本\n md5_hasher.update(text.encode('utf-8'))\n # 返回MD5加密后的结果\n return md5_hasher.hexdigest()\n\ndef sha1_hash(text):\n # 创建SHA1哈希对象\n sha1_hasher = hashlib.sha1()\n # 更新哈希对象以包含待加密的文本\n sha1_hasher.update(text.encode('utf-8'))\n # 返回SHA1加密后的结果\n return sha1_hasher.hexdigest()\n\n\ndef get_m():\n # .data[\"__m__\"] = u.default.encryptToken(u.default.encrypt());\n # 获取需要被加密的参数，即u.default.encrypt()\n\n # 页面存储的token\"00008a002f1051a169b06202\"\n t = \"00008a002f1051a169b06202\"\n # 时间戳\n n = int(time.time() * 1000)\n # n = 1686020493263\n # 时间戳取余\n r = n % 2\n\n p1 = t + str(n)\n\n # 根据r决定先用SHA1还是MD5\n if r == 0:\n # SHA1\n p1 = sha1_hash(p1)\n # MD5\n p1 = md5_hash(p1)\n else:\n # MD5\n p1 = md5_hash(p1)\n # SHA1\n p1 = sha1_hash(p1)\n # 最后再用一次MD5加密\n p1 = md5_hash(p1)\n\n return p1\n\n# fbc1646d57a2b22ceb5f5ef60018f67d\nprint(get_m())\n```\n\n\n\n#### 8.3、请求头参数\n\n##### 8.3.1 js代码解析\n\n```js\n// 生成key的方法，传入的参数是时间戳\nfunction getRandomKey(t) {\n var n = \"\";\n // 从时间戳的第四位开始截取\n var r = (\"\" + t).substr(4);\n // 时间戳每一位映射的acsii编码\n r.split(\"\").forEach(function (e) {\n n += e.charCodeAt()\n });\n // md5加密\n var i = (0,\n f.default)(n).toString();\n // -6:\n return i.substr(-6)\n}\n\n// headers的主要生成方法\nfunction getToken() {\n // dict\n var t = {};\n // this.getQtTime((0,s.default)(this.dencryptCode(this.qtTime))) 依然是时间戳\n \t// value是__m__参数一样的加密方法\n t[this.getRandomKey(this.getQtTime((0,\n s.default)(this.dencryptCode(this.qtTime))))] = this.encrypt();\n return t\n}\n```\n\n##### 8.3.2 python实现\n\n```python\ndef get_random_key(t):\n \"\"\" 获取请求头参数的key \"\"\"\n # 截取4开始的字符串\n t = str(t)[4:]\n n = \"\"\n # 转为ascii编码并拼接\n for i in t:\n n += str(ord(i))\n # md5解密\n key = md5_hash(n)\n # 返回最后6位\n return key[-6:]\n\n\ndef get_headers():\n \"\"\" 获取请求头参数键值对\"\"\"\n t = int(time.time() * 1000)\n\t\t# 获取key\n key = get_random_key(t)\n # 获取值\n value = get_m(t)\n return {key:value}\n```\n\n\n\n### 十、美团\n\nurl: https://gz.meituan.com/meishi/\n\n#### 10.1、接口的加密\n\n_token为加密参数。\n\n![image-20230609204919138](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230609204919138.png)\n\n\n\n#### 10.2、查找js\n\n查找到token的生成位置，找到加密的方法\n\n![image-20230609210113287](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230609210113287.png)\n\n\n\n#### 10.3、生成参数\n\n_token参数为iP类进行加密后得到的，但目前只能得出iP的sign参数，对iP进行加密后没办法得到最终的值，**如果你知道怎么做欢迎提交issue给我**。\n\n\n\n**iP.sign**为参数排序后进行base64加密。\n\n```python\ndef decode_sign(token_str):\n token_str = token_str.replace(\" \", \"\")\n\n # base编码\n # token_str = f\"\\\"{str(token_str)}\\\"\"\n # token_str = str(token_str)\n # token_str = f\"'{token_str}'\"\n\n print(f\"str:::{token_str}\")\n\n encode1 = str(token_str).encode()\n # 参数压缩成特殊的编码\n compress = zlib.compress(encode1)\n b_encode = base64.b64encode(compress)\n # 转变 str\n e_sign = str(b_encode, encoding=\"utf-8\")\n return e_sign\n \n# 查询参数\nparams = {\n 'cityName': '广州',\n 'cateId': 0,\n 'areaId': 0,\n 'sort': '',\n 'dinnerCountAttrId': '',\n 'page': 1,\n 'userId': '234746173',\n 'uuid': 'cab1469b7bd84ca09ea5.1686484028.1.0.0',\n 'platform': 1,\n 'partner': 126,\n 'originUrl': 'https://gz.meituan.com/meishi/',\n 'riskLevel': 1,\n 'optimusCode': 10\n}\n\n# 生成sign\nparams_str = \"\\\"\"\n# 对key进行排序\nkeys = [i for i in params.keys()]\nkeys.sort()\n# 拼接\nfor key in keys:\n params_str += f\"{key}={params.get(key)}\u0026\"\nparams_str = params_str[:-1]\nparams_str += \"\\\"\"\n# 加密\nsign = decode_sign(params_str)\n\n# iP\niP = {\n 'rId': 100900,\n 'ver': \"1.0.6\",\n # 'ts': 1686369166338,\n # 'cts': 1686369167064,\n \"ts\":1686485181487,\n \"cts\":1686485200311,\n 'brVD': [\n 1920,\n 150\n ],\n 'brR': [\n [\n 1920,\n 1080\n ],\n [\n 1920,\n 981\n ],\n 30,\n 30\n ],\n 'bI': [\n 'https://gz.meituan.com/meishi/',\n ''\n ],\n 'mT': [],\n 'kT': [],\n 'aT': [],\n 'tT': [],\n 'aM': '',\n 'sign': sign\n}\n```\n\n\n\n\n\n### 十一、天安财险\n\n![image-20230705221116122](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230705221116122.png)\n\n- 完成登陆请求中的json_key参数加密方法\n- 解析返回的接口\n\n [tianaw.js](2023_06/tianaw.js)\n\n\n\n### \u003cspan id='qizhidao'\u003e十二、企知道\u003c/span\u003e\n\nurl：https://patents.qizhidao.com/\n\n\n\n#### 12.1 反debug\n\n这个网站的反debug是带参数的，直接设置跳过会导致返回不了结果卡死。需要通过脚本返回空的值，注意：需要等页面加载后再执行。\n\n```js\nfunc_constructor_ = Function.prototype.constructor;\nFunction.prototype.constructor = function (a) {\n if (a == 'debugger') {\n return function(){};\n }\n return func_constructor_(a);\n};\n```\n\n![image-20230723113329633](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230723113329633.png)\n\n\n\n#### 12.2、构造请求接口\n\n复制接口的cURL到https://curlconverter.com/自动构造，代码有点长这里只放片段：\n\n```python\nimport requests\n\ncookies = {\n # ...\n}\n\nheaders = {\n 'authority': 'app.qizhidao.com',\n \t# ...\n}\n\njson_data = {\n 'text_ver': 'N',\n # ...\n 'statement': '华为',\n 'filter': '',\n 'pageCount': 21073,\n 'checkResult': True,\n}\n\nresponse = requests.post(\n 'https://app.qizhidao.com/qzd-bff-patent/patent/simple-version/search',\n cookies=cookies,\n headers=headers,\n json=json_data,\n).json()\n\n# 返回结果：\n# {'code': 0, 'status': 0, 'success': True, 'msg': '成功', 'data1': 'ikEaI3qCl29i...', 'hasUse': 2}\n```\n\n\n\n#### 12.3 解密\n\n##### 12.3.1 参数解释\n\n**data1**：这个是加密后的参数，需要解密。AES加密\n\n**hasUse**：加密的key的位置。key是个字典，2代表第二个value\n\n\n\n##### 12.3.2 查找加密js\n\n- 搜索”encrypt“\n\n![image-20230723115442814](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230723115442814.png)\n\n- 搜索接口\n\n![image-20230723120236468](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230723120236468.png)\n\n\u003e 交集在**186ef37.js**\n\n\n\n##### 12.3.3 断点调试\n\n![image-20230723120510583](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230723120510583.png)\n\n```js\n// 第一个参数是密文，第二个参数是加密的key\n// AES加密\n_0xecb012 = function(_0x23e639, _0x5b5a7f) {\n return function(_0x1a0f85, _0x3f0bf9) {\n var _0x17296a = a0_0xe452\n , _0x49db2a = _0x2ecfe6['a']['enc']['Utf8']['parse'](_0x3f0bf9 || '46cc793c53' + _0x17296a(0x1f7))\n , _0x5bc6c6 = _0x2ecfe6['a'][_0x17296a(0x1dc)]['decrypt'](_0x1a0f85, _0x49db2a, {\n // 加密模式是ECB\n 'mode': _0x2ecfe6['a'][_0x17296a(0x22f)][_0x17296a(0x27a)],\n 'padding': _0x2ecfe6['a'][_0x17296a(0x242)][_0x17296a(0x27f)]\n });\n return _0x2ecfe6['a'][_0x17296a(0x23b)][_0x17296a(0x238)][_0x17296a(0x1f9)](_0x5bc6c6)[_0x17296a(0x1d6)]();\n }(_0x23e639, _0x5b3606[_0x5b5a7f]);\n```\n\n\n\n通过观察发现key不是固定的，存储在一个字典中。通过接口返回的值hasUse选择对应的key。\n\n![image-20230723121116914](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230723121116914.png)\n\n#### 12.4 构造解密函数\n\n```python\ndef AES_decrypt(data, hasUse:int):\n key_list = [b\"xc46VoB49X3PGYAg\", b\"KE3pb84wxqLTZEG3\", b\"18Lw0OEaBBUwHYNT\", b\"jxxWWIzvkqEQcZrd\", b\"40w42rjLEXxYhxRn\",\n b\"K6hkD03WNW8N1fPM\", b\"I8V3IwIhrwNbWxqz\", b\"3JNNbxAP4zi5oSGA\", b\"7pUuESQl8aRTFFKK\", b\"KB4GAHN6M5soB3WV\"]\n # 解码\n html = base64.b64decode(data)\n # mode为ECB的AES加密\n aes = AES.new(key_list[hasUse-1], AES.MODE_ECB)\n # 解密\n info = aes.decrypt(html)\n # 填充\n decrypt = unpad(info, AES.block_size).decode()\n return decrypt\n```\n\n\n\n#### 12.5 结果\n\n[完整代码](./other/demo3_qizhidao/crawler_qizhidao.py)\n\n![image-20230723123350450](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230723123350450.png)\n\n\n\n### 十三、空气质量指数（反debug）\n\nurl：https://www.aqistudy.cn/historydata/monthdata.php?city=%E5%8C%97%E4%BA%AC\n\n#### 13.1 反debug\n\n##### 13.1.1 跳过debug\n\n![image-20230622123802952](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230622123802952.png)\n\n##### 13.1.2 弹出开发者工具\n\n![image-20230622124037862](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230622124037862.png)\n\n#### 13.2 请求参数解析\n\n通过js生产请求参数\n\n [aqi.js](2023_06/aqi.js) \n\n![image-20230705220910980](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230705220910980.png)\n\n\n\n\n\n# 案例_2023_07\n\n\n\n## \u003cspan id='xueqiu'\u003e一、雪球网-阿里系cookie加密（acw_sc__v2 ）\u003c/span\u003e\n\n### 1、请求\n\n有两次请求，第一次获取js代码，第二次通过代码生成参数发送请求\n\n尝试本地替换，发现没有进入方法。是在VM中执行的\n\n\n\n### 2、查找js代码\n\n#### 2.1 打断点，查看堆栈\n\n进入debug，可以看到调用的位置，打断点调试，**进入堆栈中的方法**。\n\n![image-20230725000802567](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230725000802567.png)\n\n\n\n#### 2.2 找到参数\n\n参数是**arg2**，查找这个参数。\n\n![image-20230725000921359](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230725000921359.png)\n\n\n\n#### 2.3 找生成参数的js代码\n\n返回原代码，找到生成arg2的代码，把混淆的代码还原。通过对比，只有arg1值是不固定的，在第一次请求中就包含了这个值，通过正则提取，传入js代码里生成就可以得到cookie。\n\n```js\nString['prototype']['hexXor'] = function (_0x4e08d8) {\n var _0x5a5d3b = '';\n for (var _0xe89588 = 0x0; _0xe89588 \u003c this['length'] \u0026\u0026 _0xe89588 \u003c _0x4e08d8['length']; _0xe89588 += 0x2) {\n var _0x401af1 = parseInt(this['slice'](_0xe89588, _0xe89588 + 0x2), 0x10);\n var _0x105f59 = parseInt(_0x4e08d8['slice'](_0xe89588, _0xe89588 + 0x2), 0x10);\n var _0x189e2c = (_0x401af1 ^ _0x105f59)['toString'](0x10);\n if (_0x189e2c['length'] == 0x1) {\n _0x189e2c = '\\x30' + _0x189e2c;\n }\n _0x5a5d3b += _0x189e2c;\n }\n return _0x5a5d3b;\n}\n\nString['prototype']['unsbox'] = function () {\n var _0x4b082b = [0xf, 0x23, 0x1d, 0x18, 0x21, 0x10, 0x1, 0x26, 0xa, 0x9, 0x13, 0x1f, 0x28, 0x1b, 0x16, 0x17, 0x19, 0xd, 0x6, 0xb, 0x27, 0x12, 0x14, 0x8, 0xe, 0x15, 0x20, 0x1a, 0x2, 0x1e, 0x7, 0x4, 0x11, 0x5, 0x3, 0x1c, 0x22, 0x25, 0xc, 0x24];\n var _0x4da0dc = [];\n var _0x12605e = '';\n for (var _0x20a7bf = 0x0; _0x20a7bf \u003c this['length']; _0x20a7bf++) {\n var _0x385ee3 = this[_0x20a7bf];\n for (var _0x217721 = 0x0; _0x217721 \u003c _0x4b082b['length']; _0x217721++) {\n if (_0x4b082b[_0x217721] == _0x20a7bf + 0x1) {\n _0x4da0dc[_0x217721] = _0x385ee3;\n }\n }\n }\n _0x12605e = _0x4da0dc['join']('');\n return _0x12605e;\n}\n\nfunction get_cookie(arg1) {\n\n // 这个值是变化的\n // var arg1 = 'E7FC4E89FD5A4E550E19A8BE2061BD16BE4C0DB3';\n\n var _0x23a392 = arg1['unsbox']();\n\n var _0x5e8b26 = '3000176000856006061501533003690027800375'\n// arg2 = _0x23a392[_0x55f3('0x1b', '\\x7a\\x35\\x4f\\x26')](_0x5e8b26);\n arg2 = _0x23a392['hexXor'](_0x5e8b26);\n\n return arg2\n}\n\nconsole.log(get_cookie('E7FC4E89FD5A4E550E19A8BE2061BD16BE4C0DB3'));\n```\n\n\n\n### 3、发起请求、生成cookie\n\n[代码](2023_07/day2_cookie加密等/spider_xueqiu/ali.py)\n\n```python\nimport re\n\nimport execjs\nimport requests\n\nheaders = {\n# ...\n}\n\n# 获取到第一次请求的值，返回生成cookie的代码，里面包含了需要的参数 arg1\nresponse = requests.get('https://xueqiu.com/today', headers=headers).text\n\n# with open(\"./ali.html\", 'w', encoding='utf-8') as f:\n# f.write(response)\n\n# 正则提取arg1的值\n# Regular expression pattern to match the argument assignment\npattern = r\"var arg1='([A-F0-9]+)';\"\n\n# Search for the pattern in the JavaScript code\narg1 = re.search(pattern, response).group(1)\n\nwith open(\"./xueqiu.js\") as f:\n js_code = f.read()\n\ncookie_acw_sc__v2 = execjs.compile(js_code).call(\"get_cookie\", arg1)\nprint(cookie_acw_sc__v2)\n\ncookies = {\n 'acw_sc__v2': cookie_acw_sc__v2,\n\t\t# ...\n}\n\nheaders = {\n #...\n}\n\nresponse = requests.get('https://xueqiu.com/today', cookies=cookies, headers=headers).text\nprint(response)\n\n```\n\n\n\n## \u003cspan id='cyzc'\u003e二、产业政策大数据平台（带参数的反debug、进制流加密）\u003c/span\u003e\n\nurl：http://www.spolicy.com/\n\n\n\n### 1、查看调用堆栈，找到第一个方法\n\n![image-20230723101606586](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230723101606586.png)\n\n```js\n// 调用的方法\n[f(-302, -39, -274, -178, \"mK8a\") + o(430, 0, \"sXA$\") + \"r\"](t[c(-294, \"o#Hz\", 0, -62)](t[h(1402, 1326, 1439, \"wJdL\")], t[h(1596, 1182, 1426, \"2QAW\")]))[c(-180, \"mK8a\", 0, -159)](t[h(1113, 950, 1143, \"Es!I\")])\n\n// 逐步拆解\n\n[f(-302, -39, -274, -178, \"mK8a\") + o(430, 0, \"sXA$\") + \"r\"]\n// =\u003e ['constructor']\n\n(t[c(-294, \"o#Hz\", 0, -62)](t[h(1402, 1326, 1439, \"wJdL\")], t[h(1596, 1182, 1426, \"2QAW\")]))\n// =\u003e debugger\n\n[c(-180, \"mK8a\", 0, -159)]\n// =\u003e call\n\n(t[h(1113, 950, 1143, \"Es!I\")])\n// =\u003e action\n```\n\n\n\n### 2、执行脚本跳过debugger\n\n```js\nfunc_constructor_ = Function.prototype.constructor;\nFunction.prototype.constructor = function (a) {\n if (a == 'debugger') {\n return function(){};\n }\n return func_constructor_(a);\n};\n```\n\n![image-20230725233312016](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230725233312016.png)\n\n\n\n\n\n### 3、 XHR断点找到接口\n\nxhr中添加接口的路径：**/info_api/policyType/showPolicyType**\n\n\n\n找到**interceptors.response.use**的位置，返回的结果中存在了加密数据**data**。\n\n![image-20230726000638651](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230726000638651.png)\n\n\n\n### 4、找生成的方法，生成加密方法\n\n找到生成o的位置：\n\n![image-20230727000547059](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230727000547059.png)\n\n\n\n找到生成的方法：\n\n![image-20230727000609949](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230727000609949.png)\n\n\n\n这里缺少了Writer，断点进入，这个代码是在vm中的生成的，找到函数的位置，扣下来完整的代码，用变量接收：\n\n```js\nvar writer_;\ncommonjsGlobal = global;\n!function (g) {\n var r, e, t, i;\n r = {...},\n e = {},\n t = [16],\n i = function t(n) {\n var o = e[n];\n return o || r[n][0].call(o = e[n] = {\n exports: {}\n }, t, o, o.exports),\n o.exports\n }(t[0]),\n i.util.global.protobuf = i,\n module \u0026\u0026 module.exports \u0026\u0026 (module.exports = i)\n // 方法存放在i变量中\n writer_ = i;\n}()\n\n\nfunction PolicyInfoByTypeIdParam_encode(m, w) {\n if (!w)\n w = writer_.Writer.create()\n if (m.policyType != null \u0026\u0026 Object.hasOwnProperty.call(m, \"policyType\"))\n w.uint32(10).string(m.policyType)\n if (m.centralId != null \u0026\u0026 Object.hasOwnProperty.call(m, \"centralId\"))\n w.uint32(18).string(m.centralId)\n if (m.province != null \u0026\u0026 Object.hasOwnProperty.call(m, \"province\"))\n w.uint32(26).string(m.province)\n if (m.city != null \u0026\u0026 Object.hasOwnProperty.call(m, \"city\"))\n w.uint32(34).string(m.city)\n if (m.downtown != null \u0026\u0026 Object.hasOwnProperty.call(m, \"downtown\"))\n w.uint32(42).string(m.downtown)\n if (m.garden != null \u0026\u0026 Object.hasOwnProperty.call(m, \"garden\"))\n w.uint32(50).string(m.garden)\n if (m.sort != null \u0026\u0026 Object.hasOwnProperty.call(m, \"sort\"))\n w.uint32(56).uint32(m.sort)\n if (m.pageNum != null \u0026\u0026 Object.hasOwnProperty.call(m, \"pageNum\"))\n w.uint32(64).uint32(m.pageNum)\n if (m.pageSize != null \u0026\u0026 Object.hasOwnProperty.call(m, \"pageSize\"))\n w.uint32(72).uint32(m.pageSize)\n if (m.homePageFlag != null \u0026\u0026 Object.hasOwnProperty.call(m, \"homePageFlag\"))\n w.uint32(80).uint32(m.homePageFlag)\n return w\n}\n\n\n\n/**\n * 接收类型和页号，返回请求所需的参数\n * @param type 类型，str\n * @param page 页号，int\n * @returns {*} 加密后的数据，字典格式，数据在\"data\"\n */\nfunction get_data(type, page) {\n var data = {\n \"policyType\": type,\n \"province\": \"\",\n \"city\": \"\",\n \"downtown\": \"\",\n \"garden\": \"\",\n \"centralId\": \"\",\n \"sort\": 0,\n \"homePageFlag\": 1,\n \"pageNum\": page,\n \"pageSize\": 7\n }\n result = PolicyInfoByTypeIdParam_encode(data).finish().slice()\n\n return result;\n}\n\nconsole.log(get_data(\"3\", 1))\n```\n\n\n\n### 5、携带加密参数发起请求\n\n```python\nimport execjs\nimport requests\n\ncookies = {\n # 略\n}\n\nheaders = {\n 'Accept': 'application/json, text/plain, */*',\n # ... 略\n}\n\nwith open(\"./spolicy.js\") as f:\n js_code = f.read()\n\n# 获取type4的，第一页的请求加密参数\ndata = execjs.compile(js_code).call(\"get_data\", \"4\", 1)\nprint(data)\n\nresponse = requests.post(\n 'http://www.spolicy.com/info_api/policyType/showPolicyType',\n cookies=cookies,\n headers=headers,\n # 转为bytes\n data=bytes(data[\"data\"]),\n verify=False,\n).json()\n\nprint(response)\n\n```\n\n\n\n\n\n## \u003cspan id='wukuang'\u003e三、中国五矿（单文件webpack）\u003c/span\u003e\n\n\n\nurl：https://ec.minmetals.com.cn/open/home/purchase-info\n\n### 1、接口解析\n\n每次请求都有两个接口，**public**获取公钥，用于后面加密参数；**by-lx-page**是数据接口，参数param是加密后的请求参数\n\n![image-20230730115501441](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230730115501441.png)\n\n\n\n### 2、解密js\n\n#### 2.1、搜索js文件\n\n搜索**/open/homepage/public**（public公钥接口路径）找到js文件位置\n\n![image-20230730115747471](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230730115747471.png)\n\n#### 2.2、在生成位置找到加载器\n\n![image-20230730110315271](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230730110315271.png)\n\n#### 2.3、加载器\n\n只要加载器部分，下面的函数可以只复制需要的\n\n![image-20230730110359241](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230730110359241.png)\n\n#### 2.4、补充模块\n\n补充需要的模块，在这里搜索9816，复制到代码中\n\n![image-20230730111507516](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230730111507516.png)\n\n#### 2.5、报错信息\n\n运行时报错，原因是缺少模块，打印出e，看看报错前的模块名，补充模块\n\n```shel\n/minmetals.js:52\nreturn A[e].call(t.exports, t, t.exports, g),\n ^\nTypeError: Cannot read property 'call' of undefined\n\n```\n\n#### 2.6、补齐代码\n\n之后补齐所有代码，有两个部分是变化的，**public**公钥和**e**请求参数部分，后续通过python传入\n\n```js\n// ....其他代码省略\nfunction get_param(public_key, param) {\n // public_key\n r = public_key\n // e: params\n e = param\n t.setPublicKey(r),\n a = m(m({}, e), {}, {\n // 这里是md5加密，不用扣代码了，直接写一个\n sign: md5Hash(JSON.stringify(e)),\n timeStamp: +new Date\n });\n s = t.encryptLong(JSON.stringify(a))\n return s\n}\n\n// 公钥\nr = 'MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCSiymi3Afc6HgSatBwseBv/Q87Ul18dAPavud/9Jbr+w2xIoD9t/f1k8A/cv2apGmPwKnudecWa5IfXPVUvoqjG8GsTBR9kL4QKkBveZx46wx2KZEBSbjx9Ok92hgr6sCEHT4sO53VF6rhzYJ4WaqsugGdL3CrZEGV3x7MuvZ0tQIDAQAB'\n// 请求参数\ne = {\n \"inviteMethod\": \"\",\n \"businessClassfication\": \"\",\n \"mc\": \"\",\n \"lx\": \"ZBGG\",\n \"dwmc\": \"\",\n \"pageIndex\": 1\n}\nget_param(r, e)\n```\n\n\n\n#### 3、编写程序\n\n分为两个步骤，1是获取public公钥，2是将参数和公钥进行加密，发起请求\n\n```python\nimport execjs\nimport requests\n# 获取public\nimport requests\n\ncookies = {\n # ...\n}\nheaders = {\n # ...\n}\n\n# 获取public_key\npublic_key = requests.post('https://ec.minmetals.com.cn/open/homepage/public', cookies=cookies, headers=headers).text\nprint(public_key)\n\n\n# 获取parms加密参数\nwith open(\"./minmetals.js\") as f:\n js_code = f.read()\n\nparam = {\n \"inviteMethod\": \"\",\n \"businessClassfication\": \"\",\n \"mc\": \"\",\n \"lx\": \"ZBGG\",\n \"dwmc\": \"\",\n \"pageIndex\": 2\n}\nparam = execjs.compile(js_code).call(\"get_param\", public_key, param)\n\njson_data = {\n 'param': param\n}\n\nresponse = requests.post(\n 'https://ec.minmetals.com.cn/open/homepage/zbs/by-lx-page',\n cookies=cookies,\n headers=headers,\n json=json_data,\n).json()\n\nprint(response)\n```\n\n\n\n\n\n## \u003cspan id='qqmusic'\u003e四、QQ音乐\u003c/span\u003e\n\nurl:https://y.qq.com/n/ryqq/search\n\n#### 1、接口解析\n\n![image-20230730123000503](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230730123000503.png)\n\n接口中**sign**参数为加密参数\n\n\n\n#### 2、还原js\n\n##### 2.1、搜索sign找到js文件\n\n![image-20230730122850019](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230730122850019.png)\n\n\n\n##### 2.2、加密方法\n\n加密的方法是o()，找到o的生成位置\n\n **加载器**\n\nn为加载器，把n的代码复制（webpack）\n\n![image-20230730124305966](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230730124305966.png)\n\n\n\n```js\nvar loader_;\n!function(e) {\n // ...\n // f是加载器，用全局变量接收\n loader_ = f;\n}([])\n```\n\n\n\n**加载器方法**\n\n这里是具体方法，把整个代码复制，在原来的代码中导入\n\n![image-20230730124318895](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230730124318895.png)\n\n```js\n// 加载这个方法的所有代码\nrequire(\"module\")\nvar loader_;\n!function(e) {\n // ...\n // f是加载器，用全局变量接收\n loader_ = f;\n}([])\n```\n\n\n\n##### 2.3、测试\n\n使用相同的参数，网页中返回的加密参数值为：\"zzb5f83fe81ctmp7buyrgfgmht5hfggeb4159a0\"\n\n```js\n// ....\n\n// 对比和网页的加密结果是否一致\norigin_result = \"zzb5f83fe81ctmp7buyrgfgmht5hfggeb4159a0\"\nresult = loader_(350).default(t_data)\n\n// 并不一致\n// zzb5f83fe81ctmp7buyrgfgmht5hfggeb4159a0\n// zzb2938d59cvfb4kyj1do3c4ldgj6o9qe0f41793\n```\n\n\n\n##### 2.4、补充环境\n\n加密方法是一样的，但是结果不一样，考虑是环境的问题，补充一些环境再测试\n\n![image-20230730124957945](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230730124957945.png)\n\n```js\nnavigator = {\n canGoBack: true,\n canGoForward: false,\n currentEntry: {\n \"id\": \"661fc912-9d2d-45e5-a144-fae79c979d88\",\n \"index\": 5,\n \"key\": \"0c8d1b22-53bb-4d51-98e0-5830e055d2b9\",\n \"ondispose\": null,\n \"sameDocument\": true,\n \"url\": \"https://y.qq.com/n/ryqq/search?w=%E5%91%A8%E6%9D%B0%E4%BC%A6\u0026t=song\u0026remoteplace=txt.yqq.top\"\n },\n \"oncurrententrychange\": null,\n \"onnavigate\": null,\n \"onnavigateerror\": null,\n \"onnavigatesuccess\": null,\n \"transition\": null\n}\nlocation = {\n \"ancestorOrigins\": {},\n \"href\": \"https://y.qq.com/n/ryqq/search?w=%E5%91%A8%E6%9D%B0%E4%BC%A6\u0026t=song\u0026remoteplace=txt.yqq.top\",\n \"origin\": \"https://y.qq.com\",\n \"protocol\": \"https:\",\n \"host\": \"y.qq.com\",\n \"hostname\": \"y.qq.com\",\n \"port\": \"\",\n \"pathname\": \"/n/ryqq/search\",\n \"search\": \"?w=%E5%91%A8%E6%9D%B0%E4%BC%A6\u0026t=song\u0026remoteplace=txt.yqq.top\",\n \"hash\": \"\"\n}\n// ....\n\nconsole.log(\"zzb5f83fe81ctmp7buyrgfgmht5hfggeb4159a0\");\nconsole.log(loader_(350).default(t_data));\n\n//zzb5f83fe81ctmp7buyrgfgmht5hfggeb4159a0\n//zzb5f83fe81ctmp7buyrgfgmht5hfggeb4159a0\n```\n\n\n\n#### 3、编写代码\n\n```python\nimport time\n\nimport execjs\nimport requests\n\n# cookies和headers一定要正确才能请求到\ncookies = {\n # ...\n}\n\nheaders = {\n # ...\n}\n\n# 请求参数\nsinger = \"周杰伦\"\npage_num = 1\ndata = '{\"comm\":{\"cv\":4747474,\"ct\":24,\"format\":\"json\",\"inCharset\":\"utf-8\",\"outCharset\":\"utf-8\",\"notice\":0,\"platform\":\"yqq.json\",\"needNewCode\":1,\"uin\":\"1152921504860531892\",\"g_tk_new_20200303\":1531704962,\"g_tk\":1531704962},\"req_1\":{\"method\":\"DoSearchForQQMusicDesktop\",\"module\":\"music.search.SearchCgiService\",\"param\":{\"remoteplace\":\"txt.yqq.top\",\"searchid\":\"68939297501935721\",\"search_type\":0,\"query\":\"'+singer+'\",\"page_num\":'+str(page_num)+',\"num_per_page\":10}}}'\n\n# 获取sign加密参数\nwith open(\"./loader.js\") as f:\n js_code = f.read()\n\ntime_str = round(time.time() * 1000)\nsign = execjs.compile(js_code).call(\"get_sign\", data)\n\nparams = {\n # 时间戳\n '_': time_str,\n # 加密参数\n 'sign': sign,\n}\n\n# 这里data要编码\nresponse = requests.post('https://u.y.qq.com/cgi-bin/musics.fcg', params=params, cookies=cookies, headers=headers, data=data.encode()).json()\n\nprint(response)\n```\n\n\n\n# 案例_2023_08\n\n\n\n## \u003cspan id='qichacha'\u003e一、企查查\u003c/span\u003e\n\n#### 1、加密参数\n\n企查查的加密参数为接口的**请求标头**中的参数，key和value都不是固定的。\n\n还有一个参数是**X-Pid**，可以在页面返回的数据中找到。\n\n![image-20230811204543466](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230811204543466.png)\n\n\n\n#### 2、逆向js\n\n由于这个参数设置了headers的key和value，所以在代码里搜 **\"headers[\"** 或者 **\"headers.\"** 找到加密的位置。\n\n![image-20230808211628612](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230808211628612.png)\n\n加密的位置就在这里，然后去扣所有的代码，最后会生成[js文件](./2023_08/spider_qichacha/qichacha_.js)，调用run方法即可生成接口参数。\n\n\n\n#### 3、所需的参数\n\n可以看到最后生成的方法中需要两个参数，一个是**path**，一个是**tid**，最后的**json_data**是post请求的参数。\n\n```js\nfunction run(path, tid, json_data){}\n```\n\n\n\n**path**：即请求的路径，例如请求接口：`https://www.qcc.com/api/datalist/mainmember?keyNo=....`，path参数即为`/api/datalist/mainmember?keyNo=....`\n\n**tid**：tid在请求的页面中，可以使用正则表达式提取出来。\n\n![image-20230809135628734](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230809135628734.png)\n\n\n\n**pid**：就在tid旁边，这个参数放在headers里，key是**x-pid**\n\n至此就可以对企查查的接口进行爬取。\n\n\n\n#### 举两个例子\n\n```python\nimport re\n\nimport execjs\nimport requests\n\n# TODO 这里补充一下cookies\ncookies = {\n}\n\n\ndef build_api_headers(url, key_no, pid, tid, json_data=None):\n \"\"\"\n 构造请求头\n Args:\n url: 链接，包含参数\n key_no: 企业编号\n pid: 页面的加密参数pid\n tid: 页面的加密参数tid\n json_data: post请求的json数据\n Returns:\n response对象\n \"\"\"\n headers = {'authority': 'www.qcc.com', 'accept': 'application/json, text/plain, */*',\n 'accept-language': 'zh-CN,zh;q=0.9', 'cache-control': 'no-cache', 'content-type': 'application/json',\n 'origin': 'https://www.qcc.com', 'pragma': 'no-cache',\n 'sec-ch-ua': '\"Not/A)Brand\";v=\"99\", \"Google Chrome\";v=\"115\", \"Chromium\";v=\"115\"',\n 'sec-ch-ua-mobile': '?0', 'sec-ch-ua-platform': '\"macOS\"', 'sec-fetch-dest': 'empty',\n 'sec-fetch-mode': 'cors', 'sec-fetch-site': 'same-origin',\n 'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36',\n 'x-requested-with': 'XMLHttpRequest', \"referer\": f'https://www.qcc.com/firm/{key_no}.html', 'x-pid': pid}\n\n # 正则取出'/api'及其后面的所有内容\n path = re.findall(r'(/api.*)', url)[0]\n\n print(f\"path: {path}\")\n # 执行qichacha.js中的run方法\n with open('./qichacha_.js', 'r', encoding='utf-8') as f:\n js = f.read()\n if json_data:\n ctx = execjs.compile(js).call('run', path, tid, json_data)\n else:\n ctx = execjs.compile(js).call('run', path, tid)\n # ctx是个字典，便利出所有的key和value，添加到headers中，不要覆盖原来的headers\n for k, v in ctx.items():\n headers[k] = v\n return headers\n\n\ndef post_api(url, key_no, pid, tid, json_data=None):\n \"\"\"\n 请求企查查api接口，post请求\n Args:\n url: 链接，包含参数\n key_no: 企业编号\n pid: 页面的加密参数pid\n tid: 页面的加密参数tid\n json_data: post请求的json数据\n Returns:\n response对象\n \"\"\"\n headers = build_api_headers(url, key_no, pid, tid, json_data)\n\n response = requests.post(url, cookies=cookies, headers=headers, json=json_data)\n return response\n\n\ndef get_api(url, key_no, pid, tid, json_data=None):\n \"\"\"\n get请求企查查api接口\n Args:\n url: 链接，包含参数\n key_no: 企业编号\n pid: 页面的加密参数pid\n tid: 页面的加密参数tid\n\n Returns:\n response对象\n \"\"\"\n headers = build_api_headers(url, key_no, pid, tid, json_data)\n\n response = requests.get(url, cookies=cookies, headers=headers)\n return response\n\n\nif __name__ == '__main__':\n # 以某企业为例\n key_no = '5dffb644394922f9073544a08f38be9f'\n pid = 'e19fd3c7ed52c1725cfff3226ba8af8c'\n tid = 'd471a1659954b0cf6eb558c770dfdb3b'\n\n # 请求可能需要会员，如果没有会员可以访问其他不需要会员的接口\n # get请求\n page_index = 1\n get_url = f'https://www.qcc.com/api/datalist/mainmember?keyNo={key_no}\u0026nodeName=IpoEmployees\u0026pageIndex={page_index}'\n main_member = get_api(get_url, key_no, pid, tid).json()\n print(main_member)\n\n # post请求\n post_url = 'https://www.qcc.com/api/datalist/financiallist'\n json_data = {\n 'keyNo': '5dffb644394922f9073544a08f38be9f',\n 'type': 'cm',\n 'reportType': 1,\n 'reportPeriodTypes': [\n 0,\n 4,\n ],\n 'currency': '',\n 'rate': 1,\n }\n financial = post_api(post_url, key_no, pid, tid, json_data=json_data).json()\n print(financial)\n\n```\n\n\n\n\n\n## \u003cspan id='uyan'\u003e二、uyanip注册\u003c/span\u003e\n\nurl：https://www.uyanip.com/register\n\n### 一、注册流程\n\n1、接收图片，识别出验证码，拿到Cookies\n\n2、发送短信，拿到token\n\n3、发送注册请求\n\n\n\n#### 二、请求接口\n\n#### 2.1、获取图片和Cookies\n\n```python\ndef get_img():\n \"\"\"\n 获取验证码\n :return: 返回cookies和验证码\n \"\"\"\n headers = {} # 省略\n \tresponse = requests.get('https://api.duyandb.com/auth/register/captcha', headers=headers)\n print(response.cookies)\n # 检查响应状态码是否为 200\n if response.status_code == 200:\n # 将响应的内容解析为图片\n image = Image.open(BytesIO(response.content))\n captcha_code = ocr.classification(image)\n else:\n print(\"请求失败，状态码：\", response.status_code)\n return None\n # 这里的coockies用于下一次请求\n return {\n \"cookies\":response.cookies, \"captcha_code\":captcha_code\n }\n```\n\n#### 2.2、发送验证码\n\n```python\n\ndef send_code(phone_number:str, captcha_code, cookies):\n \"\"\"\n 发送短信验证码\n :param phone_number: 手机号\n :param captcha_code: 图片验证码\n :param cookies: 图片验证码拿到的Cookies\n :return: {'data':'', 'errCode': 0}\n \"\"\"\n \"\"\"\n 发送验证码\n :param phone_number: 手机号\n :return: {'data':'', 'errCode': 0}\n \"\"\"\n headers={} # 省略\n\n # 这里传入手机号和图片验证码\n json_data = {\n 'value': phone_number,\n 'captchaCode': captcha_code,\n }\n\n response = requests.post('https://api.duyandb.com/auth/register/smscode', cookies=cookies, headers=headers,\n json=json_data)\n # 返回data和状态码，状态码为0则请求成功\n return response.json()\n```\n\n\n\n#### 2.3、发送注册请求\n\n手机验证码发送成功后，就可以请求注册接口了\n\n```python\n\ndef register(phone_number:str):\n \"\"\"\n 注册\n :param phone_number: 手机号 \n :return: 成功或None\n \"\"\"\n headers = {} # 省略\n \n # 获取图片验证码和Cookies\n img_obj = get_img()\n if img_obj:\n # 发送短信，返回token。验证码错误会失败\n code_obj = send_code(phone_number, img_obj['captcha_code'], img_obj[\"cookies\"])\n if code_obj[\"errCode\"] != 0:\n print(code_obj['data'])\n return None\n print(f\"code_obj:{code_obj}\")\n # 手机验证码\n phone_code = ''\n phone_code = input(\"请输入手机验证码：\")\n\n json_data = {\n # 这里需要传入短信验证码接口返回的token\n 'vtoken': code_obj['data'],\n # 手机号\n 'phone': phone_number,\n # 手机短信验证码\n 'smscode': phone_code,\n 'password': 'mima123456',\n 'confirmPassword': 'mima123456',\n # 随机用户名\n 'nickname': generate_username(),\n 'pinvitationCode': '',\n 'type': 0,\n }\n # 发送注册请求\n response = requests.put('https://api.duyandb.com/auth/register/submit', headers=headers, json=json_data)\n # 成功会返回{'errCode':0, 'data': ''}\n return response.json()\n```\n\n\n\n#### 2.4、注册\n\n如果你有短信验证码的接口这里可以进行批量注册。另外代码中没有添加代理，如果需要批量注册可能需要增加代理。\n\n```python\nif __name__ == '__main__':\n result = register('17118060285')\n if result and result.get('errCode') == 0:\n print(\"注册成功\")\n else:\n print('注册失败，请重试')\n\n```\n\n\n\n## \u003cspan id='fenghuang'\u003e三、凤凰云智管理平台（逆向登陆）\u003c/span\u003e\n\n### 1、数据接口\n\npassword是加密的\n\n![image-20230817232654341](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230817232654341.png)\n\n\n\n### 2、加密的位置\n\n使用xhr断点或者堆栈找到加密的位置\n\n![image-20230817232619155](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230817232619155.png)\n\n```js\n// 加密的js代码\nvar i = r(n(2132));\ni.default.setMaxDigits(130);\nvar c = new i.default.RSAKeyPair(\"10001\",\"\", s['prod']);\ni.default.encryptedString(c, encodeURIComponent(e))\n```\n\n下面我们来补全这些代码\n\n\n\n### 3、还原js\n\n![image-20230817235447380](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230817235447380.png)\n\n\n\n这里的n是加载器，下标2132这个方法就是i。\n\n首先先把加载器的代码拿下来，然后再去找2132对应的方法，把方法放进数组里。\n\n\n\n#### 3.1、加载器\n\n点击n的位置跳转到代码，前面部分是加载器，后面是所有的方法。这里只拿加载器，就是最开头的部份，后面跟着的数组是方法。\n\n![image-20230817235525704](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230817235525704.png)\n\n\n\n\n\n#### 3.2、方法\n\n下一部是把这个方法里的代码复制到加载器的数组里，\n\n![image-20230817235705203](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230817235705203.png)\n\n\n\n```js\n// 全局变量\nvar loader;\n// 加载器\n!function(e){\n // ...\n // 里面的方法都赋值给了o，所以这里用全局变量接收o\n loader = o;\n}([\n // 这里面放方法，这个代码在第二步里找\n function(e, t) {}\n])\n\nloader(0) // 这里就拿到了n(2132)对应的方法\n```\n\n\n\n\n\n#### 3.3、替换掉原来的参数\n\n最终的js代码是这样的。[yuekeyun.js](2023_08/spider_yuekeyun/yuekeyun.js) \n\n```js\n// 全局变量\nvar loader;\n// 加载器\n!function(e){\n // ...\n // 里面的方法都赋值给了o，所以这里用全局变量接收o\n loader = o;\n}([\n // 这里面放方法，这个代码在第二步里找\n function(e, t) {}\n])\n\n// 公钥\ns = {\n \"prod\": \"837ec9791ee734418f44220b56cd22252c53309f59c560ff231d71e2579d38ea7a4408b017b1af85c6683111da151af25dddc53904a01e219bd56495a1add8cb70e54428bb87d95cd40478f6f800414be8a334ac779f4b819ae94fec240dc2ace1f99df64de88eef7bcbde4aabbdeac0e70a55e61331a9ea3d0546fe647977f9\",\n}\n\n// loader(0)是RSA加密的函数\nvar i = loader(0);\nfunction get_password(e) {\n i.setMaxDigits(130);\n var c = new i.RSAKeyPair(\"10001\", \"\", s['prod']);\n // e参数是密码\n return i.encryptedString(c, encodeURIComponent(e));\n}\n```\n\n\n\n## \u003cspan id='boss'\u003e四、boss直聘\u003c/span\u003e\n\n\n\n### 一、接口和加密参数\n\n```python\n# 接口路径\nurl = 'https://www.zhipin.com/wapi/zpgeek/search/joblist.json'\n\ncookies = {\n\t\t# 略\n # __zp_stoken__这个cookies就是加密的参数\n '__zp_stoken__': 'ad34eWCUTC1I3FyZ7fGIuWAAsARcpQh5BZiZBcEhYbzhQO28Xb3l%2FZkN0Om9sLyV5LXtlQGx3HWUkfTs3LEIocAZwThoHVhsNFVsdeAxUJTtfHCFwXzpxYkR0YGsoCAMyb0JXPz99EG9pPD4%3D',\n}\n\nheaders = {\n # 略\n}\nparams = {\n \t# 略\n \t# 关键词\n 'query': 'python',\n 'city': '101280600',\n 'multiSubway': '',\n # 分页\n 'page': '2',\n 'pageSize': '30',\n}\n\nresponse = requests.get(url, params=params, cookies=cookies, headers=headers)\n```\n\n\n\n### 二、逆向js\n\n[js代码](./2023_08/spider_boss/boss_zptoken.js)\n\n#### 1、找js文件\n\n通过关键字搜索 **\\__zp_stoken__**，找到生成参数的js。\n\n```js\n// cookies的值\nr = (new e).z(t, parseInt(n) + 60 * (480 + (new Date).getTimezoneOffset()) * 1e3)\n```\n\n\n\n#### 2、断点找加密的方法\n\n通过搜索cookies加密的参数可以找到js文件，断点到加密的位置，把js文件复制下来。\n\n![image-20230827145729574](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230827145729574.png)\n\n\n\n#### 3、调用的方法\n\n调试后发现是在**window['ABD']\\['prototype']**里，最后我们要调用的方法是：\n\n```js\n// seek和ts也在cookies中\nwindow[\"ABC\"][\"prototype\"].z(seek, ts)\n```\n\n\n\n![image-20230827150020204](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230827150020204.png)\n\n![image-20230827150036055](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230827150036055.png)\n\n\n\n#### 4、js执行的问题\n\n执行js的时候发现很多属性没有，这是很多环境不存在导致的，需要把环境补上。具体可查看代码\n\n```js\nconst{JSDOM}=require(\"jsdom\");\nconst dom = new JSDOM(`\u003c!DOCTYPE html\u003e\u003cp\u003eHello world\u003c/p\u003e`, {\n url: 'https://www.zhipin.com/'\n});\n\nwindow=dom.window;\ndocument=window.document;\nnavigator=window.navigator; \nlocation=window.location; \nhistory=window.history; \nscreen=window.screen; \n```\n\n\n\n#### 5、封装\n\n```js\n/**\n * 生成zp_token cookies参数\n * @param sseed cookies中的__zp_sseed__参数\n * @param sts cookies中的__zp_sts__参数\n * @returns __zp_token__ __zp_token__参数\n */\nfunction get_zp_token(sseed, sts) {\n return window[\"ABC\"][\"prototype\"].z(sseed, parseInt(sts) + 60 * (480 + (new Date).getTimezoneOffset()) * 1e3)\n}\n```\n\n\n\n# 案例_2023_09\n\n\n\n## \u003cspan id='juliang'\u003e一、巨量算数\u003c/span\u003e\n\n### 1、接口参数分析\n\n![image-20230901171313113](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230901171313113.png)\n\n\n\n- **msToken**: 用于加密的参数，可以在**area**接口中获取\n- **X-Bogus**: 加密生成的参数\n- **_signature**: 加密生成的参数\n\n\n\n### 2、逆向js\n\n#### 2.1 添加XHR断点\n\n可以添加X-Bogus或者__signature，这里以最后一个参数为例：\n\n##### ![image-20230901171837094](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230901171837094.png)\n\n\n\n#### 2.2 添加条件断点\n\n这里需要注意是添加到后面的方法上，不要直接添加在断点的位置（**添加到上图中红框黄色箭头的位置**）。\n\n添加条件断点是因为这里会执行比较多的参数，我们只需要x-bogus和signature，根据返回的长度来决定是否debugger。**x-bogus会返回长度28的str，signature是147.**\n\n```js\n// _signature\n_0x2c5e7b['apply'](_0x275c89, _0x301f8b).length === 147\n\n// X-Bogus\n_0x2c5e7b['apply'](_0x275c89, _0x301f8b).length === 28\n```\n\n\n\n#### 2.3 扣js\n\n[巨量.js](2023_09/trendinsight/juliang.js)\n\n断点后我们直接进入方法，在两个断点中可以分别查看看**方法和参数**，将所有代码扣下来，将两个加密的方法用变量接收，并且**补齐环境**，包括**document.cookie**。\n\n```js\nfunction get_param(msToken, url, body) {\n /**\n * 生成请求的参数\n * @type {string} msToken,X-Bogus,_signature\n */\n // body转为str\n body_str = JSON.stringify(body)\n xb = xb_func('msToken=' + msToken, body_str)\n return {\n 'msToken': msToken,\n 'X-Bogus': xb,\n '_signature': sign_func({\n 'body': body,\n 'url': url + 'msToken=' + msToken + '\u0026X-Bogus=' + xb\n }, undefined, 'forreal')\n }\n}\n```\n\n\n\n### 3、构造请求\n\n这里分为两步：\n\n1. 首先是**获取msToken**，在**area**这个接口中，**携带cookie**请求后即可获取；\n2. 其次是接口数据获取，需要将msToken传入js文件中**生成x-bogus参数和signature参数**，然后发起请求。\n\n**tips：**cookie具有时效性，如果请求失效或者signature的值错误，可能是cookie的问题。\n\n[代码：](2023_09/trendinsight/juliang.py)\n\n```python\nimport re\n\nimport execjs\nimport requests\n\ncookies = {\n\t\t# ...\n}\n\n\ndef get_ms_token() -\u003e str:\n \"\"\"\n 获取msToken参数，需要cookies\n :return: msToken\n \"\"\"\n headers = {\n # ...\n }\n\n params = {\n 'dates': 'daily-20230831_weekly-20230827_monthly-202307',\n 'area': '[\"11\"]',\n 'category_id': '1',\n }\n\t\t\n # 请求area接口，获取msToken\n response = requests.get('https://trendinsight.oceanengine.com/area', params=params, cookies=cookies,\n headers=headers).text\n if 'msToken' in response:\n ms_token = re.search(r'msToken=(.*?);', response).group(1)\n return ms_token\n else:\n return ''\n\n\ndef get_poi_list() -\u003e dict:\n \"\"\"\n 获取数据\n :return: json格式的数据\n \"\"\"\n # 获取msToken\n ms_token = get_ms_token()\n if not ms_token:\n print(\"not msToken\")\n return {}\n headers = {\n # ...\n }\n\n # 请求参数，根据需要调整\n json_data = {\n\t\t\t# ...\n }\n\n url = 'https://trendinsight.oceanengine.com/api/open/area/get_poi_list'\n\n # 读取./juliang.js调用get_params方法，获取两个加密参数\n with open('./juliang.js', 'r') as f:\n js_code = f.read()\n ctx = execjs.compile(js_code)\n params_dict = ctx.call('get_param', ms_token, url, json_data)\n x_bogus = params_dict['X-Bogus']\n _signature = params_dict['_signature']\n\n # 发起请求\n response = requests.post(\n f'{url}?msToken={ms_token}\u0026X-Bogus={x_bogus}\u0026_signature={_signature}',\n cookies=cookies,\n headers=headers,\n json=json_data,\n )\n return response.json()\n\n\nif __name__ == '__main__':\n print(get_poi_list())\n\n```\n\n\n\n\n\n## \u003cspan id='jiyan'\u003e二、极验滑块\u003c/span\u003e\n\nurl：https://www.geetest.com/demo/slide-float.html\n\n极验3滑块验证码，版本：7.9.1。\n\n### 1、分析各请求\n\n#### 1.1 获取gt、challenge参数：\n\nhttps://www.geetest.com/demo/gt/register-slide?t=1694237711524\n\n```js\n// 响应\n{\n \"success\": 1,\n \"challenge\": \"18318454a32f0cfd280c5ba9d5f68fcd\",\n \"gt\": \"019924a82c70bb123aae90d483087f94\",\n \"new_captcha\": true\n}\n```\n\n\n\n#### 1.2 请求c、s参数\n\nhttps://apiv6.geetest.com/get.php...\n\n```js\n{\n \"status\": \"success\",\n \"data\": {\n \"c\": [\n 12,\n 58,\n 98,\n 36,\n 43,\n 95,\n 62,\n 15,\n 12\n ],\n \"s\": \"61752c3a\",\n // ...\n }\n}\n```\n\n\n\n#### 1.3 取背景图和各种参数\n\nhttps://api.geetest.com/get.php\n\n```js\n{\n \"gt\": \"019924a82c70bb123aae90d483087f94\",\n \"challenge\": \"18318454a32f0cfd280c5ba9d5f68fcd8z\",\n \"id\": \"a18318454a32f0cfd280c5ba9d5f68fcd\",\n \"bg\": \"pictures/gt/cd0bbb6fe/bg/51e3c23b0.jpg\",\n \"fullbg\": \"pictures/gt/cd0bbb6fe/cd0bbb6fe.jpg\",\n \"height\": 160,\n \"slice\": \"pictures/gt/cd0bbb6fe/slice/51e3c23b0.png\",\n \"api_server\": \"https://api.geetest.com\",\n \"static_servers\": [\n \"static.geetest.com/\",\n \"dn-staticdown.qbox.me/\"\n ],\n \"c\": [\n 12,\n 58,\n 98,\n 36,\n 43,\n 95,\n 62,\n 15,\n 12\n ],\n \"s\": \"51363072\",\n \"gct_path\": \"/static/js/gct.b71a9027509bc6bcfef9fc6a196424f5.js\"\n // ...\n}\n```\n\n\n\n### 2、生成w值\n\n#### 2.1 验证码参数\n\n通过轨迹和其他参数最终会生成w值。\n\n![image-20230911225637080](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230911225637080.png)\n\n\n\n#### 2.2 找到对应的js\n\n点击验证码会请求js文件，然后搜索w的unicode编码**\"/u0077\"**，可以找到代码。\n\n![image-20230911230056561](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230911230056561.png)\n\n\n\n#### 2.3 关键参数\n\n在这个js里会用到前面接口生成的**c、s、gt、challenge**，还需要**轨迹、滑动时间、滑动距离**。代码比较多比较杂，这里直接展示最终的参数生成代码，只需传入对应的参数。\n\n```js\nfunction generate_w(params){\n /**\n * 生成w, params需要传入distance, passtime, track, c, s, gt, challenge\n */\n var u = new U()[\"encrypt\"](rt_) // 这里的rt是一个随机值，但是需要和下面保持一致\n o = {\n \"lang\": \"zh-cn\",\n \"userresponse\": H(params['distance'], params['challenge']), // 把滑动距离和challenge传入H函数，得到userresponse\n \"passtime\": params['passtime'], // 滑动时间，要和轨迹里的滑动时间一致\n \"imgload\": 155, // 加载时间，可以是随机值\n \"aa\": sign_aaa(params['track'], params['c'], params['s']), // 传入轨迹、c、s，生成aa\n \"ep\": sign_ep(), // 一些版本号(7.9.1)，时间等信息\n \"h9s9\": \"1816378497\", // 固定值\n \"rp\": md5Hash(params['gt'] + params['challenge'].slice(0, 32) + params['passtime']) // 传入gt、challenge、passtime，md5生成rp\n }\n var l = V['encrypt'](gt['stringify'](o), rt_)\n var h = m[\"$_FCp\"](l)\n return h + u\n}\n```\n\n\n\n### 3、需要注意的问题\n\n#### 3.1 滑块距离\n\n滑块可以使用ddddorc库进行识别，识别出来的**距离需要-10**，因为距离不是从最左侧开始计算的。\n\n\n\n#### 3.2 请求的接口、参数\n\n接口请求都需要访问一次，不然可能会报错，尤其是**get.php、ajax.php**等接口。\n\n**challenge、gt、c、s**等参数都在接口中，需要注意参数可能变化，需要使用最新的值。\n\n\n\n## \u003cspan id='jiasule'\u003e三、加速乐\u003c/span\u003e\n\nurl：aHR0cHM6Ly9iZWlhbi5taWl0Lmdvdi5jbi9pbmRleCMvSW50ZWdyYXRlZC9pbmRleA\n\n### 1、分析请求\n\nindex页面一共会访问三次\n\n#### 1.1 第一次请求\n\n返回一段js代码，会生成**__jsl_clearance_s**的cookie参数。\n\n请求中会返回**__jsluid_s**的cookie，可以使用session或者将这个值保存。\n\n\n\n#### 1.2 第二次请求\n\n携带前面生成的两个cookie参数，返回一段加密js代码。\n\n代码使用了ob混淆，可以使用在线工具还原。https://ob.nightteam.cn/\n\n\n\n一共有三份代码，分别是**sha1、sha256、md5**加密，将加密部分抽离即可。\n\n\n\njs代码最后有一个json格式的参数，加密时需要用到，可以使用正则提取。\n\n**ha**参数就是加密的方式。\n\n\n\n#### 1.3 第三次请求\n\n携带第二次js代码加密生成的cookie就可以获取到数据。\n\n\n\n### 2、代码还原\n\n使用chrome本地替换的方式对代码进行调试，还原过程比较简单。因为有三份加密代码，所以要将代码封装起来用参数判断，最后代码如下：\n\n```js\n_0x8b2003 = new Date(); \nfunction hash_md5(_0x4838bf){}\nfunction hash_sha256(_0x14757c){}\nfunction hash_sha1(_0xa1962c){}\n\n\nfunction get_cookie(data) {\n _0x190080 = data\n // 判断加密参数\n if (data['ha']=='md5') {\n hash = hash_md5\n }else if (data['ha']=='sha1') {\n hash = hash_sha1\n }else if (data['ha']=='sha256') {\n hash = hash_sha256\n }else{\n throw new Error('hash not found')\n }\n\n function _0x247acb(_0x315328, _0x4b6f80) {\n\t\t\t// ... 略\n if (hash(_0x4e03cb) == _0x315328) {\n return [_0x4e03cb, new Date() - _0x8b2003];\n }\n\n }\n \n var cookie_value = _0x247acb(_0x190080['ct'], _0x190080[\"bts\"]);\n \n return cookie_value\n}\n```\n\n\n\n## \u003cspan id='rpc'\u003e四、rpc实现js解密\u003c/span\u003e\n\n### 1、介绍\n\nrpc实现js解密的思路即在浏览器和本地之间实现websocket通信，本地远程调用浏览器的方法，返回函数的结果（加密函数等），即可获取页面的加密参数。\n\n使用此方法可以快速解决部分反爬的问题，省去了扣js、补环境等操作。\n\n\n\n### 2、实现步骤\n\n#### 2.1 定义方法\n\n**示例网站（Base64）：**aHR0cDovL3d3dy5mYW5nZGkuY29tLmNuL3NlcnZpY2UvYnVsbGV0aW5fbGlzdC5odG1sP3R5cGVhPTNiODgwMzdiYjhiM2Y5MDgmbmFtZT0lRTglQTElOEMlRTQlQjglOUElRTUlOEElQTglRTYlODAlODE=\n\n\n\n在浏览器终端，通过断点调试的方式找到方法，然后将加密方法定义到windows中，方便调用。\n\n```js\nwindows.my_crypto = _$vQ; // _$vQ为加密的方法，需要一个参数\n```\n\n![image-20230928133628611](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230928133628611.png)\n\n\n\n#### 2.2 浏览器嵌入服务端代码\n\n在终端中执行或者使用代码段等方式嵌入代码。\n\n```js\n!(function () {\n // 监听端口\n var ws = new WebSocket(\"ws://127.0.0.1:5678\"); // 自定义端口\n\n ws.onmessage = function (evt) {\n console.log(\"receive msg: \" + evt.data);\n // 退出\n if (evt.data === \"quit\") {\n ws.close();\n } else {\n // 调用方法，此处的my_crypto改为定义的函数名\n ws.send(my_crypto(evt.data))\n }\n };\n})()\n```\n\n\n\n\n\n#### 2.3 python调用\n\n```python\nimport sys\nimport asyncio\nimport websockets\n\n\nasync def receive_massage(websocket):\n while True:\n # 输入参数\n send_text = input(\"Enter param please: \")\n if send_text == \"quit\":\n await websocket.send(send_text)\n await websocket.close()\n print('quit')\n sys.exit()\n else:\n # 发送参数\n await websocket.send(send_text)\n # 返回结果\n response_text = await websocket.recv()\n print(\"\\n result：\", response_text)\n\n\nstart_server = websockets.serve(receive_massage, '127.0.0.1', 5678) # 自定义端口\nasyncio.get_event_loop().run_until_complete(start_server)\nasyncio.get_event_loop().run_forever()\n```\n\n\n\n\n\n#### 2.4 结果\n\n输入参数，浏览器调用方法执行函数，返回结果\n\n```\nEnter param please: hello\n\nresult： http://www.xxxxxxx.com.cn/xxxxxx/hello?MmEwMD=4PCeybQd55uKYvUSSmDMRog5lWDWPHMOxmxIXWJlR55hSD_g1sJthJJJiTjbRm686KiRBYNY41.hVzO_6f1JmHlRl9d3h9HIgACnzKG5pcDI3NVYvoLoFjC2V.EolPuiI5rUi03HA1C32CKC2JMoteoVc.0IFoO_YL9_nSTo7I4jeEIObQr4XNjytzCPwl2C8ydfVBETAIdAiT5_2gAHrTUReojI7O.lr50sXQfusIkswqG1.4byu903XQju.VACsrgydmKPmXAQCQXQ7hfZjDwMS_UrVCB_pZptj.BJyDIK2w5HpCjxvBYYlcV5cfsI5JYThkZ2C8ANvIhOhtD1Dw6esCSVnc_F1YeHilQcqen9Gn9SSa.wB92txGz_rucFEE2a.oLL3XaRl7WFExc0suFrQwy.bqaxIhwKpbb9pLcPJX9UFu6PES_oM6_MPCwQrrvz\n```\n\n\n\n## \u003cspan id='tonghuashun'\u003e五、同花顺（hook cookie、补环境）\u003c/span\u003e\n\n\n\nurl：aHR0cDovL3EuMTBqcWthLmNvbS5jbi8=\n\n### 1、hook cookie\n\nhook cookie的方式有很多，油猴、代码注入等，这一次使用的工具是[v_jstools](https://raw.githubusercontent.com/cilame/v_jstools)，后面补环境的时候也是用它。\n\n当然你也可以使用其他的方式，hook的js代码：\n\n\n\n#### 1.1 hook 代码\n\n```js\n(function() {\n // 严谨模式检查所有错误\n 'use strict';\n // document 为要hook的对象这里是hook的cookie\n\tvar cookieTemp = \"\";\n Object.defineProperty(document, 'cookie', {\n\t\t// hook set方法也就是赋值的方法\n\t\tset: function(val) {\n\t\t\t\t// 这样就可以快速给下面这个代码行下断点\n\t\t\t\t// 从而快速定位设置cookie的代码\n\t\t\t\tconsole.log('Hook捕获到cookie设置-\u003e', val);\n debugger;\n\t\t\t\tcookieTemp = val;\n\t\t\t\treturn val;\n\t\t},\n\t\t// hook get 方法也就是取值的方法\n\t\tget: function()\n\t\t{\n\t\t\treturn cookieTemp;\n\t\t}\n });\n})();\n```\n\n\n\n#### 1.2 跟栈\n\n看到这个值是**v**的时候就是我们的目标cookie了，往上跟栈找到它的代码，就在如下的位置。\n\n![image-20230929142319248](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230929142319248.png)\n\n\n\n最终会看到这个方法，它就是生成cookie的：\n\n```js\nvar TOKEN_SERVER_TIME = 1695968000.498;\n\n!function(n, t) {\n // .... 省略\n function O() {\n S[R]++,\n S[p] = Jn.serverTimeNow(),\n S[d] = Jn.timeNow(),\n S[B] = Vn,\n S[I] = nt.getMouseMove(),\n S[y] = nt.getMouseClick(),\n S[_] = nt.getMouseWhell(),\n S[C] = nt.getKeyDown(),\n S[E] = nt.getClickPos().x,\n S[A] = nt.getClickPos().y;\n var n = S.toBuffer();\n return zn.encode(n)\n }\n // ....\n}(/* ... */)\n```\n\n\n\n把上述文件的js代码全部复制，把加密方法用全局变量接收：\n\n```js\nvar Heixin;\n/*\n在上述代码中把加密方法赋值给全局变量\nHeixin = O\n*/\n\nfunction get_v(){\n return Hexin()\n}\n```\n\n这里如果运行，会发现有很多环境没有。下一步开始补环境。\n\n\n\n### 2、补环境\n\n补环境我们用v_jstools工具来补。安装在开头的超链接中，clone后拖到扩展中心即可（开发者模式）。\n\n\n\n#### 2.1 配置工具\n\n##### 2.1.1 功能开关按如下配置打开：\n\n![image-20230929143021930](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230929143021930.png)\n\n\n\n##### 2.1.2 配置页面\n\n点击工具，点击打开配置页面，然后勾选如下配置：\n\n![image-20230929143227611](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230929143227611.png)\n\n\n\n##### 2.1.3 生成环境\n\n先清空cookie，然后打开开发者工具，刷新页面。控制台应该会有很多输出，打开扩展工具菜单，点击生成临时环境，即可复制环境代码，粘贴到最开始的代码上方即可。\n\n\n\n### 3、发起请求\n\n加密的cookie在cookies中，也在名为hexin-x的headers参数中，请求时带上即可。\n\n请求的代码就不便展示啦....\n\n\n\n# 案例_2023_10\n\n\n\n## \u003cspan id='wechat'\u003e一、微信小程序（百达星系）\u003c/span\u003e\n\n\n\n微信：3.8.1版本\n\n\n\n### 1、准备工作\n\n#### 1.1 包路径\n\n```shell\ncd ～/Library/Containers/com.tencent.xinWeChat/Data/.wxapplet/packages/\n```\n\n文件夹名为：**wx\\*\\*\\***（每个小程序对应一个文件夹，可以根据修改日期判断），打开后里面有几个**.wxapkg**后缀的文件，这是小程序的包，稍后需要反编译。\n\n(Windows路径请百度)\n\n\n\n#### 1.2 关闭sip\n\n参考：https://sspai.com/post/55066#\n\n\n\n#### 1.3 反编译\n\n工具：unveilr.exe https://www.aliyundrive.com/s/Ckkm4xeJwSB 提取码: 48fs\n\n\n\n### 2、反编译\n\n\n\n#### 2.1 工具介绍\n\n反编译工具有wxappUnpacker等，但是项目比较老，运行会报错。所以用到了unveilr.exe这个工具，只找到了windows上运行的版本，可以使用虚拟机或者windows系统进行反编译。\n\n\n\n#### 2.2 编译\n\n将packages/***.wxapkg文件都放到一个文件夹中，执行：\n\n```shell\nunveilr.exe /testpkg # /testpkg替换为你存放文件的路径\n```\n\n\n\n#### 2.3 编译\n\n完成后会生成一个文件夹**\\_\\_APP\\_\\_**\n\n\n\n### 3、调试js\n\n\n\n#### 3.1 导入到微信开发者工具\n\n打开微信开发者工具，选择导入项目，将APP文件夹导入。\n\n\n\n#### 3.2 编译项目\n\n取消勾选**\"将JS编译成ES5\"**，勾选**\"不校验合法域名...\"**，点击编译\n\n![image-20230930130104720](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20230930130104720.png)\n\n\n\n### 4、逆向\n\n以list接口为例。\n\n\n\n#### 4.1 加密参数\n\n加密参数在headers中：\n\n**MessageId**\n\n**Signature**\n\n\n\n#### 4.2 扣js\n\n全局搜索MessageId和Signature参数，加密方法都在**common.js**文件中，逆向过程没有什么难点，只提几个注意事项：\n\n- **c()**方法为MD5加密，可以导入库进行加密，不用扣代码；\n- **Signature**需要**MessageId**作为参数，所以先扣MessageId，当然先随便写个参数也无所谓。\n- **t.url**为请求接口的url，可以封装成方法直接传入。\n\n\n\n```js\n// 导入md5\nconst CryptoJS = require('crypto-js')\n\n// url = \"https://api.betterwood.com/hotel/brand/museum/list\"\n\n/**\n * 传入接口的完整url，返回headers中的参数\n * @param url 接口的完整url\n * @returns {{Signature: *, MessageId}}\n */\nfunction get_headers(url) {\n // MessageId\n H = function (t) {\n for (var n = [8, 13, 18, 23], e = 0; e \u003c n.length; e++)\n t = t.slice(0, n[e]) + \"-\" + t.slice(n[e]);\n return t\n }\n x = function () {\n for (var t = arguments.length \u003e 0 \u0026\u0026 void 0 !== arguments[0] ? arguments[0] : \"\", n = [], e = \"0123456789abcdef\", r = 0; r \u003c 36; r++) {\n var o = Math.floor(16 * Math.random());\n n[r] = e.substring(o, o + 1)\n }\n n[14] = \"4\";\n var i = 3 \u0026 Number(n[19]) | 8;\n n[19] = e.substring(i, i + 1),\n n[8] = n[13] = n[18] = n[23] = \"-\";\n var u = n.join(\"\")\n , a = H(CryptoJS.MD5(u + (new Date).getTime() + t).toString());\n return a\n }\n MessageId = x()\n\n\n // Signature\n L = function (t, n, e, r, o, i, u, a, s) {\n var d = \"\";\n return d = a ? \"AppVersion=\".concat(o, \"Authorization=\").concat(a, \"Channel=\").concat(i, \"ClientType=\").concat(r, \"DeviceManufacture=\").concat(n, \"DeviceModel=\").concat(e, \"MessageId=\").concat(u, \"OsVersion=\").concat(t, \"AppKey=C49E2654AAA94F5085A9C12FE2CAB09CUrl=\").concat(s) : \"AppVersion=\".concat(o, \"Channel=\").concat(i, \"ClientType=\").concat(r, \"DeviceManufacture=\").concat(n, \"DeviceModel=\").concat(e, \"MessageId=\").concat(u, \"OsVersion=\").concat(t, \"AppKey=C49E2654AAA94F5085A9C12FE2CAB09CUrl=\").concat(s),\n d = CryptoJS.MD5(d.replace(/\\s*/g, \"\")).toString().substring(4, 28).toLocaleUpperCase()\n }\n var o = {\n \"content-type\": \"application/json\",\n \"Channel\": \"bdw\",\n \"AppVersion\": \"2.3.6\",\n \"BusinessType\": 1,\n \"MessageId\": MessageId,\n \"ClientType\": \"5\",\n \"OsVersion\": \"iOS 10.0.1\",\n \"DeviceManufacture\": \"devtools\",\n \"DeviceModel\": \"iPhone 5\"\n }\n , i = o.OsVersion\n , u = o.DeviceManufacture\n , c = o.DeviceModel\n , a = o.ClientType\n , d = o.AppVersion\n , l = o.Channel\n , p = o.MessageId\n , h = o.Authorization\n , g = encodeURIComponent(url.split(\"betterwood.com\")[1].split(\"?\")[0])\n , Signature = L(i, u, c, a, d, l, p, h, g);\n\n return {\n 'Signature': Signature,\n 'MessageId': MessageId,\n }\n}\n```\n\n\n\n#### 4.3 构建请求\n\n```python\nimport execjs\nimport requests\n\n# 需要两个参数\n# MessageId = ''\n# Signature = ''\nurl = 'https://api.betterwood.com/hotel/brand/museum/list'\n\n# 执行js\nwith open('./betterwood.js', 'r') as f:\n read = f.read()\nv = execjs.compile(read).call('get_headers', url)\nMessageId = v['MessageId']\nSignature = v['Signature']\n```\n\n\n\n\n\n## 二、\u003cspan id='yidun'\u003e网易易盾滑块验证码\u003c/span\u003e\n\n网站：aHR0cDovL2FwcC5taWl0LWVpZGMub3JnLmNuL21paXR4eGdrL2dvbmdnYW8veHhnay9xdWVyeUNwUGFyYW1QYWdlP2RhdGFUYWc9WiZnaWQ9VzAxNDczMDgmcGM9MzIw\n\n\n\n### 1、工具准备\n\n#### 1.1 js替换\n\n使用**reres**插件进行替换，因为链接是变化的，浏览器不支持正则匹配。\n\n```json\n[\n\t{\n\t\t\"req\": \"http:\\\\/\\\\/cstaticdun\\\\.126\\\\.net\\\\/([\\\\d.]+)\\\\/core\\\\.v([\\\\d.]+)\\\\.min\\\\.js\\\\?v=\\\\d+\",\n\t\t\"res\": \"file:///.../core.js\", \n\t\t\"checked\": true\n\t}\n]\n```\n\nres替换为你实际的代码。\n\n\n\n#### 1.2 解ob混淆工具\n\njs为ob混淆，需要解码，不然后面调试很麻烦。\n\n\n\n#### 1.3 滑块识别\n\n```shell\npip install ddddocr\n```\n\n\u003e https://raw.githubusercontent.com/sml2h3/ddddocr\n\n\n\n\n\n### 2、各接口解释\n\n接口比较多，加密的参数也比较多。d、b接口是用于验证通过后请求页面的cookie的参数(以我自己测试的网站为例)。只请求以下接口即可获取验证结果。\n\n\n\n#### 2.1 getconf 获取配置信息接口\n\n接口： /api/v2/getconf\n\n这个接口获取的是**dt**参数和**acToken**，可以**直接访问**。\n\n```json\n{\n \"data\": {\n \"dt\": \"QZCRDl9Lpl1BBgQRQAKByyc31aO1bp/J\",\n \"ac\": {\n // ...\n \"token\": \"9ca17ae2e6fecda16ae2e6eeb5cb528ab69db8ea65bcaeaf9ad05b9c94a3a3c434898987d2b25ef4b2a983bb2af0feacc3b92ae2f4ee95a132e29aa3b1cd72abae8cd1d44eb0b7bb82f55bb08fa3afd437fffeb3\"\n }\n}\n```\n\n\n\n#### \n\n#### 2.2 get 获取图片接口\n\n接口 /api/v3/get\n\n接口后缀为get。在开始逆向之前，需要先将core*.js文件保存到本地，然后进行替换，由于链接参数会变，而且文件也会变，请使用正则替换（见1.1）。\n\n\n\n##### 2.2.1 cb参数\n\n在启动器找到**core*.js**文件，可以看到是webpack打包的，需要将加载器拿出来，再将生成参数所需的方法放到加载器中，之后的参数也是同理。\n\ncb参数在core*.js文件中搜索即可。\n\n```js\n// webpack加载器\nvar loader;\n!(function (_0x3b7444) {\n function _0x1cb9e6(_0x3fc657) {\n if (_0x3669a8[_0x3fc657]) return _0x3669a8[_0x3fc657][\"exports\"];\n var _0xe69548 = _0x3669a8[_0x3fc657] = {\n \"exports\": {},\n \"id\": _0x3fc657,\n \"loaded\": !1\n };\n return _0x3b7444[_0x3fc657][\"call\"](_0xe69548[\"exports\"], _0xe69548, _0xe69548[\"exports\"], _0x1cb9e6), _0xe69548[\"loaded\"] = !0, _0xe69548[\"exports\"];\n }\n\n var _0x3669a8 = {};\n loader = _0x1cb9e6;\n }([\n // 方法放在这里\n ])\n```\n\n\n\n\n\n##### 2.2.2 fp参数\n\nfp参数也可以进行搜索找到，里面是xxx['fingerprint']，再往上是**windows['gdxidpyhxde']**，hook一下这个变量：\n\n```js\n(function() {\n // 严谨模式检查所有错误\n 'use strict';\n // document 为要hook的对象这里是hook的cookie\n\tvar cookieTemp = \"\";\n Object.defineProperty(window, 'gdxidpyhxde', {\n\t\t// hook set方法也就是赋值的方法\n\t\tset: function(val) {\n\t\t\t\t// 这样就可以快速给下面这个代码行下断点\n\t\t\t\t// 从而快速定位设置cookie的代码\n\t\t\t\tconsole.log('Hook捕获到cookie设置-\u003e', val);\n debugger;\n\t\t\t\tcookieTemp = val;\n\t\t\t\treturn val;\n\t\t},\n\t\t// hook get 方法也就是取值的方法\n\t\tget: function()\n\t\t{\n\t\t\treturn cookieTemp;\n\t\t}\n });\n})();\n```\n\n\n\n##### 2.2.3 id、dt、acToken\n\nid是固定的值，每个网站都有一个固定的id\n\ndt、acToken来自第一个接口，后面如果有同样的名称均来自这个接口，不再赘述。\n\n\n\n##### 2.2.4 返回值\n\n```json\n{\n \"bg\": [\n // 图片，取下来计算距离\n \"http://necaptcha.nosdn.127.net/db070c3069f345c1af447b88e861e10b@2x.jpg\",\n \"http://necaptcha1.nosdn.127.net/db070c3069f345c1af447b88e861e10b@2x.jpg\"\n ],\n \"front\": [\n \"http://necaptcha.nosdn.127.net/ab94da01524449dfb38b2f2910b8fddb@2x.png\",\n \"http://necaptcha1.nosdn.127.net/ab94da01524449dfb38b2f2910b8fddb@2x.png\"\n ],\n // 这个token会用到校验的接口中\n \"token\": \"fa1a9c71663e4f1a8acf9ae5b60a085b\",\n \"type\": 2,\n \"zoneId\": \"CN31\"\n}\n```\n\n\n\n\n\n#### 2.3、check 轨迹校验接口\n\n数据校验接口，成功会返回validate值。\n\n\n\n##### 2.3.1 data参数\n\n这个接口主要的参数是data，里面包含了轨迹。\n\n跟栈check接口就可以找到生成位置，直接扣下来即可。\n\n\u003e 其中，atomTraceData是原始轨迹，tranceData是加密后的轨迹。这些参数最好都打断点看一下，确实生成的是否和网站一致。\n\n![image-20231022161547651](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20231022161547651.png)\n\n\n\n##### 2.3.2 token值\n\n来自图片接口返回的token。\n\n\n\n### 3、总结\n\n如果返回的接口一直是false，大概率是轨迹的问题。\n\n易盾的验证个人感觉还是比较繁琐的，接口、加密参数都比较多，建议看看b站视频和论坛的文档参考。\n\n\u003e https://blog.csdn.net/weixin_56199707/article/details/129083704?spm=1001.2014.3001.5502\n\u003e\n\u003e https://www.bilibili.com/video/BV15p4y157kv/?spm_id_from=333.337.search-card.all.click\u0026vd_source=a00430ee8bb4e7511d6b31f67038005d\n\n\n\n# 案例_2023_11\n\n## \u003cspan id='zkh'\u003e一、震坤行\u003c/span\u003e\n\n逆向参数生成，获取price接口数据。\n\n需求是获取商品和价格。\n\n### 1、参数解析\n\n直接搜索，可以看到商品的数据，但是**没有价格**。\n\n价格应该是另外的接口请求得到的，在接口列表可以看到一个叫**price**的接口，但是返回的数据是加密的，所有也不确定是不是这个接口（解密后确实是这个接口）。\n\n#### 1.1 接口加密参数\n\n这个接口的加密参数还是比较多。\n\n![](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20231125115922887.png)\n\n![image-20231127111406508](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20231127111406508.png)\n\n![image-20231127111420391](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20231127111420391.png)\n\n\n\n##### 1.1.1 TriceId\n\n这个是一段随机的字符串，每次请求都会带。同一个接口中需要使用同一个。即如果这个接口里用到了TraceId来加密，请使用同一段字符串。\n\n\n\n##### 1.1.2 cipher\n\n这个是请求的参数，请求价格的商品id。例如：\n\n```python\n[\"FU8443\", \"FU8448\"]\n```\n\n将这段参数加密后就是cipher。\n\n\n\n##### 1.1.3 X-Akc\n\n##### 1.1.4 X-Rgn\n\n这两个参数的加密位置在一起，就是对类似TraceId或者一些随机字符串加密。需要注意的是加密的方法要和代码里一样，建议使用相同的js包进行加密。\n\n\n\n##### 1.1.5 rsaKey\n\n##### 1.1.6 rsaGroup\n\n这两个参数通过请求接口获取，用于上述参数的加密，是**公钥**。\n\n\n\n### 2、逆向\n\n#### 2.1 加密代码\n\n因为是headers里的加密参数，可以**搜索headers[\"x-akc\"]**来查找，如果代码是混淆的，则可以通过hook。这里直接搜索找到了加密的位置。\n\n![image-20231125123941293](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20231125123941293.png)\n\n这里可以看到三个加密参数。\n\n\n\n#### 2.2 扣代码\n\n##### 2.2.1 traceId\n\n这个参数是随机字符串，用以下方法生成即可。\n\n```JS\ngetTraceId = function (e = 8, t = !0) {\n var n = \"\"\n , n = Math.ceil(1e14 * Math.random()).toString().substr(0, e || 4);\n return t \u0026\u0026 (n += Date.now()),\n n\n}\n```\n\n\n\n##### 2.2.2 x-rgn\n\n**x-rgn和x-akc**需要先访问**rsaKey**接口，它会返回**rsaKey和rsaGroup**。\n\n```python\nparams = {\n 'traceId': self.js.call('getTraceId'),\n }\n\n response = self.session.get('https://www.zkh.com/zkhweb/zkhAuth/rsaKey', params=params, cookies=cookies,\n headers=headers)\n return response.json()\n```\n\n返回参数：\n\n```json\n{\n \"code\": \"0000\",\n \"result\": {\n \"rsaKey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5Ud0C1rtI80azjpEHF44YJucGSBTGjRGCxqIq2b1IUaZuJU3+psQyL1hgOTxPwHn9d4uRuguLZdf0iGvnWChZSVBqwCKvyBjkUbTKXYYjyHpCHe1iO+F0ITrXZhUbKTmBZz845mjsw1vx5tWqr9zgId6Gdo5hL9vG18V9dQsG0QIDAQAB\",\n \"rsaGroup\": 1700884827505\n }\n}\n```\n\n\n\n**x-rgn**参数就是**rsaGroup**。即上述例子中的“1700884827505”\n\n\n\n##### 2.2.3 x-rgn\n\n先看js，需要公钥publicKey，就是2.2.2中请求返回的rsaKey，传入即可。这里它用到了JSEncrypt这个库，在nodejs中下载相同的库使用相同的方法即可。\n\n```js\nconst jsencrypt = require('jsencrypt')\no = rsaKey\nc = rsaGroup\n\nlet s = new jsencrypt();\ns.setPublicKey(o)\nconst encryptedData = s.encrypt(N)\n\nconst headers = {\n 'x-akc': encryptedData,\n 'x-rgn': c.toString() \n};\n```\n\n\n\n##### 2.2.4 cipher\n\n这个是难点，因为它用到的**b.a.encrypt**来自webpack打包的代码，所以需要还原。\n\n这里的k.a可以使用**crypto-js**包。\n\n```js\n// 这里的data是列表，具体请查看1.1.1\ncipher: b.a.encrypt(JSON.stringify(t.data), E, {\n // mode: k.a.mode.ECB,\n // padding: k.a.pad.Pkcs7\n mode: crypto_js.mode.ECB,\n padding: crypto_js.pad.Pkcs7\n }).toString()\n```\n\n\n\n下一步开始找b.a。代码往上看，可以找到b的定义。\n\n```js\nt = n(398), b = n.n(t)\n```\n\n就是说b为webpack中索引398的代码。\n\n开始构造，先找到加载器。然后把398位置的代码放进去。加载器在runtime~catalogNew.*.js里。\n\n![image-20231125130025892](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20231125130025892.png)\n\n```js\nvar loader;\n!function(l) {\n // ...\n function i(e) {\n var r;\n return (t[e] || (r = t[e] = {\n i: e,\n l: !1,\n exports: {}\n },\n l[e].call(r.exports, r, r.exports, i),\n r.l = !0,\n r)).exports\n }\n // ...\n //var r = (n = window.webpackJsonp = window.webpackJsonp || []).push.bind(n);\n //n.push = e;\n //for (var n = n.slice(), o = 0; o \u003c n.length; o++)\n // e(n[o]);\n //var s = r;\n //a()\n \n // 把i定义为全局变量，可以在外部调用\n loader = i;\n}([\n // 这里放代码\n 398: function(){}\n]);\n\n```\n\n\n\n398代码中还引用了其他的代码，需要依次导入。另外，部分代码是没有写索引的，需要根据列表中下标的位置判断。例如以下代码，下标是1，因为在数组中1的位置。\n\n![image-20231125130313855](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20231125130313855.png)\n\n\n\n最后使用loader变量加载代码，即可完成这部分加密。\n\n```js\na = loader(398)\n\nlet cipher = a.encrypt(JSON.stringify(data), E, {\n mode: crypto_js.mode.ECB,\n padding: crypto_js.pad.Pkcs7\n}).toString()\nheaders[\"cipher\"] = cipher\n```\n\n\n\n至此就全部完成了。\n\n\n\n# 案例_2024_02\n\n## \u003cspan id='tls'\u003e一、TLS指纹\u003c/span\u003e\n\n### 1、什么是TLS指纹\n\nTLS指纹是一种用于标识和验证传输层安全性（TLS）连接的方法。TLS是一种用于在网络上加密通信的协议，它的前身是SSL（Secure Sockets Layer）。TLS指纹通常是通过对连接的一些特征信息进行哈希计算而生成的唯一标识。\n\nTLS指纹的主要组成部分包括：\n\n1. **TLS版本号：** 描述使用的TLS协议版本，例如TLS 1.2或TLS 1.3。\n2. **加密算法：** 描述在通信中使用的加密算法，包括对称加密、非对称加密等。\n3. **密钥长度：** 描述使用的加密密钥的长度。\n4. **哈希算法：** 描述用于生成消息摘要的哈希算法。\n5. **证书信息：** 描述服务器的证书，包括颁发机构、有效期等。\n\nTLS指纹的生成过程通常是将上述信息进行哈希计算，以产生一个固定长度的字符串，作为该连接的唯一标识。\n\n\n\n### 2、TLS指纹测试\n\n目标网站：https://match.yuanrenxue.cn/api/match/19?page=1\n\n#### 2.1 浏览器访问\n\n```json\n{\n \"status\": \"1\",\n \"state\": \"success\",\n \"data\": [\n {\n \"value\": 7396\n },\n {\n \"value\": 5018\n },\n {\n \"value\": 9546\n },\n {\n \"value\": 4476\n },\n {\n \"value\": 5297\n },\n {\n \"value\": 880\n },\n {\n \"value\": 4644\n },\n {\n \"value\": 5918\n },\n {\n \"value\": 3853\n },\n {\n \"value\": 1572\n }\n ]\n}\n```\n\n\n\n正常返回，使用wireshark查看：\n\n![image-20240203121233150](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20240203121233150.png)\n\n\n\n#### 2.2 使用requests访问\n\n```json\n{\"status\": \"0\", \"error\": \"page no found\"}\n```\n\nrequests发送的指纹是固定的，请求容易被拦截\n\n![image-20240203121141164](https://raw.githubusercontent.com/ChenZixinn/img_repository/master/image-20240203121141164.png)\n\n\n\n### 3、TLS指纹构成\n\n```\nTLS版本号、加密算法、密钥长度、哈希算法、证书信息\nJA3 Fullstring:\n 771,\n 4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,\n 35-0-65281-18-5-16-43-27-10-23-45-13-11-65037-17513-51,\n 29-23-24,\n 0\n\n根据以上数据md5加密生成\nJA3: \n\tde878efbf0d5761f90f1feeaafd3516a\n```\n\n\n\n### 4、伪造指纹\n\n#### 4.1 修改requests源码\n\nrequests底层用urllib3发送请求，urllib3的TLS指纹生成有固定的支持算法，可以通过修改这部份变量，伪造不同的TLS指纹。\n\n```python\nimport requests\n\n# 0、普通请求\nres = requests.get('https://match.yuanrenxue.cn/api/match/19?page=1')\nprint(res.text) # TLS指纹校验不通过\n\n# 1、修改urllib3源码\nimport urllib3\n\nurllib3.util.ssl_.DEFAULT_CIPHERS = \":\".join(\n [\n \"ECDHE+AESGCM\",\n \"ECDHE+CHACHA20\",\n \"DHE+AESGCM\",\n \"DHE+CHACHA20\",\n \"ECDH+AESGCM\",\n \"DH+AESGCM\",\n # 修改掉部分内容\n # \"ECDH+AES\",\n # \"DH+AES\",\n # \"RSA+AESGCM\",\n # \"RSA+AES\",\n \"!aNULL\",\n \"!eNULL\",\n \"!MD5\",\n \"!DSS\",\n ]\n)\n\nres = requests.get('https://match.yuanrenxue.cn/api/match/19?page=1')\nprint(res.text) # 通过\n```\n\n\n\n#### 4.2 curl_cffi库\n\n底层使用curl工具实现\n\n```python\n\n# 2、用curl_cffi通过验证\nfrom curl_cffi import requests\n\nres = requests.get('https://match.yuanrenxue.cn/api/match/19?page=1', impersonate=\"chrome110\") # 指定生成浏览器指纹\nprint(res.text) # 通过\n```\n\n\n\n#### 4.3 (go)CycleTLS\n\n使用这个库可以指定ja3\n\n```go\npackage main\n\nimport (\n\t\"github.com/Danny-Dasilva/CycleTLS/cycletls\"\n\t\"log\"\n)\n\nfunc main() {\n\tcycle := cycletls.Init()\n\tresponse, err := cycle.Do(\"https://tls.browserleaks.com/json\", cycletls.Options{\n\t\tBody: \"\",\n\t\t// 指定ja3 fullstring\n\t\tJa3: \"771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,17513-65281-11-51-13-5-10-45-27-16-65037-18-0-23-35-43,29-23-24,0\",\n\t}, \"GET\")\n\tif err != nil {\n\t\tlog.Print(err)\n\t}\n\tlog.Print(response)\n}\n```\n\n\n# 案例_2024-4\n\n## \u003cspan id='dp_rs6'\u003e一、DrissionPage过瑞数6\u003c/span\u003e\n\n### 1、安装DrissionPage\n\n```shell\npip install DrissionPage\n```\n\n### 2、代码\n\n用自动化的方式绕过反爬，代码非常简单：\n\n```python\nfrom DrissionPage import ChromiumOptions, WebPage\nimport base64\n\nurl = base64.b64decode(b'aHR0cHM6Ly93d3cudXJidGl4LmhrLw==').decode('utf-8')\n\n# 启动并访问网站\nco = ChromiumOptions()\npage = WebPage(chromium_options=co)\npage.get(url)\n\n# 开始监听包含'list?AfbF5fe='的接口\npage.listen.start('list?AfbF5fe=')\ni = 0\nfor packet in page.listen.steps():\n print(packet.response.body) # body为json格式数据，raw_body可以得到原始数据\n # 手动退出\n i += 1\n if i \u003e= 7:\n break\npage.close()\n```\n\nDrissionPage同样可以使用在其他反爬中，比起selenium，优点在于不需要复杂的配置，安装即用，并且直接获取数据接口，可操作性很高。\n","funding_links":[],"categories":["Python"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FChenZixinn%2Fspider_reverse","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FChenZixinn%2Fspider_reverse","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FChenZixinn%2Fspider_reverse/lists"}