網站:aHR0cHM6Ly93d3cuemhpaHUuY29tLw==
1、網頁抓包分析,找到返回數據接口與加密參數
可以看到search_v3這個就是返回數據的接口,複製對應的cURL(bash)到postman進行重新請求
通過重復測試可以知道只需要三個參數就能獲取到數據(x-zse-96、x-zse-93、cookie),其中x-zse-93為固定值、cookie為身份認證信息,只有x-zse-96為動態變化,下滑數據也能得到新的請求信息,驗證x-zse-96為動態參數
2、加密參數破解
老一套,全局搜索和找堆棧都行,我直接找堆棧,查找到對應的js文件,然后搜索,發現有兩個位置有、全部打上斷點,刷新頁面
成功在第二個位置被斷住,分析參數信息
signature: a()(l()(s))
y = E.signature;
h.set("x-zse-96", "2.0_" + y)
由上可以看出signature <==> x-zse-96、接下來打上斷點分析signature的生成
具體為兩次加密:先使用l()函數對s加密,然后使用a()函數對第一次加密后的值再進行加密,而s由以下幾個參數拼接而來
r: 對應版本
c: 請求url的后半段(路徑加查詢字符串)
i: uuid + 時間戳
此處不想扣代碼的話可以直接使用現成的實現:l()函數就是標準的md5(嚴格來說md5是雜湊摘要,並不是加密)
3、扣代碼
記一下s的值:101_3_2.0+/api/v4/search_v3?t=general&q=go&correction=1&offset=0&limit=20&filter_fields=&lc_idx=0&show_all_topics=0&search_source=Normal+"AFDeIw78aBOPTrv9RWbHmw_h9YqQp_-2nok=|1626242911" 方便后面進行比較
進入l()函數,跳到一個新的位置,發現這個函數在一個大函數里面。那么使用全局思想,將整個大函數全扣下來,然后調用中間的函數就行。
/**
 * Factory for an MD5 / HMAC-MD5 routine lifted out of a bundled module.
 *
 * Calling `md5()` returns a function `digest(message, key, raw)`:
 *   - `message` is UTF-8 encoded before hashing;
 *   - a truthy `key` switches to HMAC-MD5 keyed with `key`;
 *   - a truthy `raw` returns the 16 digest bytes as a binary string,
 *     otherwise the result is 32 lowercase hex characters.
 *
 * The three parameters are never read. They appear to be the bundler's
 * module / exports / require arguments; the original module-export step was
 * dropped so that the factory hands back the digest function directly.
 *
 * MD5 is a message digest, not encryption, and it is not collision-resistant.
 * A value derived with it in client-side script is reproducible by anyone who
 * can read that script.
 *
 * @param {*} e unused
 * @param {*} t unused
 * @param {*} n unused
 * @returns {function(string, string=, boolean=): string} the digest function
 */
var md5 = function (e, t, n) {
  "use strict";

  var HEX_DIGITS = "0123456789abcdef";

  // Adds two 32-bit values in 16-bit halves so the result wraps like a
  // 32-bit register instead of growing into a double.
  function safeAdd(x, y) {
    var low = (x & 0xffff) + (y & 0xffff);
    var high = (x >> 16) + (y >> 16) + (low >> 16);
    return (high << 16) | (low & 0xffff);
  }

  // Shared tail of every round operation: mix, add word and constant,
  // rotate left by `shift`, then add `b`.
  function step(mix, a, b, word, shift, constant) {
    var sum = safeAdd(safeAdd(a, mix), safeAdd(word, constant));
    var rotated = (sum << shift) | (sum >>> (32 - shift));
    return safeAdd(rotated, b);
  }

  function roundF(a, b, c, d, word, shift, constant) {
    return step((b & c) | (~b & d), a, b, word, shift, constant);
  }

  function roundG(a, b, c, d, word, shift, constant) {
    return step((b & d) | (c & ~d), a, b, word, shift, constant);
  }

  function roundH(a, b, c, d, word, shift, constant) {
    return step(b ^ c ^ d, a, b, word, shift, constant);
  }

  function roundI(a, b, c, d, word, shift, constant) {
    return step(c ^ (b | ~d), a, b, word, shift, constant);
  }

  // Pads the little-endian word array in place and runs the 64-step
  // compression over each 16-word block. Returns the four state words.
  function compress(words, bitLength) {
    words[bitLength >> 5] |= 0x80 << (bitLength % 32);
    words[14 + (((bitLength + 64) >>> 9) << 4)] = bitLength;

    var a = 1732584193;
    var b = -271733879;
    var c = -1732584194;
    var d = 271733878;

    for (var i = 0; i < words.length; i += 16) {
      var prevA = a;
      var prevB = b;
      var prevC = c;
      var prevD = d;

      a = roundF(a, b, c, d, words[i], 7, -680876936);
      d = roundF(d, a, b, c, words[i + 1], 12, -389564586);
      c = roundF(c, d, a, b, words[i + 2], 17, 606105819);
      b = roundF(b, c, d, a, words[i + 3], 22, -1044525330);
      a = roundF(a, b, c, d, words[i + 4], 7, -176418897);
      d = roundF(d, a, b, c, words[i + 5], 12, 1200080426);
      c = roundF(c, d, a, b, words[i + 6], 17, -1473231341);
      b = roundF(b, c, d, a, words[i + 7], 22, -45705983);
      a = roundF(a, b, c, d, words[i + 8], 7, 1770035416);
      d = roundF(d, a, b, c, words[i + 9], 12, -1958414417);
      c = roundF(c, d, a, b, words[i + 10], 17, -42063);
      b = roundF(b, c, d, a, words[i + 11], 22, -1990404162);
      a = roundF(a, b, c, d, words[i + 12], 7, 1804603682);
      d = roundF(d, a, b, c, words[i + 13], 12, -40341101);
      c = roundF(c, d, a, b, words[i + 14], 17, -1502002290);
      b = roundF(b, c, d, a, words[i + 15], 22, 1236535329);

      a = roundG(a, b, c, d, words[i + 1], 5, -165796510);
      d = roundG(d, a, b, c, words[i + 6], 9, -1069501632);
      c = roundG(c, d, a, b, words[i + 11], 14, 643717713);
      b = roundG(b, c, d, a, words[i], 20, -373897302);
      a = roundG(a, b, c, d, words[i + 5], 5, -701558691);
      d = roundG(d, a, b, c, words[i + 10], 9, 38016083);
      c = roundG(c, d, a, b, words[i + 15], 14, -660478335);
      b = roundG(b, c, d, a, words[i + 4], 20, -405537848);
      a = roundG(a, b, c, d, words[i + 9], 5, 568446438);
      d = roundG(d, a, b, c, words[i + 14], 9, -1019803690);
      c = roundG(c, d, a, b, words[i + 3], 14, -187363961);
      b = roundG(b, c, d, a, words[i + 8], 20, 1163531501);
      a = roundG(a, b, c, d, words[i + 13], 5, -1444681467);
      d = roundG(d, a, b, c, words[i + 2], 9, -51403784);
      c = roundG(c, d, a, b, words[i + 7], 14, 1735328473);
      b = roundG(b, c, d, a, words[i + 12], 20, -1926607734);

      a = roundH(a, b, c, d, words[i + 5], 4, -378558);
      d = roundH(d, a, b, c, words[i + 8], 11, -2022574463);
      c = roundH(c, d, a, b, words[i + 11], 16, 1839030562);
      b = roundH(b, c, d, a, words[i + 14], 23, -35309556);
      a = roundH(a, b, c, d, words[i + 1], 4, -1530992060);
      d = roundH(d, a, b, c, words[i + 4], 11, 1272893353);
      c = roundH(c, d, a, b, words[i + 7], 16, -155497632);
      b = roundH(b, c, d, a, words[i + 10], 23, -1094730640);
      a = roundH(a, b, c, d, words[i + 13], 4, 681279174);
      d = roundH(d, a, b, c, words[i], 11, -358537222);
      c = roundH(c, d, a, b, words[i + 3], 16, -722521979);
      b = roundH(b, c, d, a, words[i + 6], 23, 76029189);
      a = roundH(a, b, c, d, words[i + 9], 4, -640364487);
      d = roundH(d, a, b, c, words[i + 12], 11, -421815835);
      c = roundH(c, d, a, b, words[i + 15], 16, 530742520);
      b = roundH(b, c, d, a, words[i + 2], 23, -995338651);

      a = roundI(a, b, c, d, words[i], 6, -198630844);
      d = roundI(d, a, b, c, words[i + 7], 10, 1126891415);
      c = roundI(c, d, a, b, words[i + 14], 15, -1416354905);
      b = roundI(b, c, d, a, words[i + 5], 21, -57434055);
      a = roundI(a, b, c, d, words[i + 12], 6, 1700485571);
      d = roundI(d, a, b, c, words[i + 3], 10, -1894986606);
      c = roundI(c, d, a, b, words[i + 10], 15, -1051523);
      b = roundI(b, c, d, a, words[i + 1], 21, -2054922799);
      a = roundI(a, b, c, d, words[i + 8], 6, 1873313359);
      d = roundI(d, a, b, c, words[i + 15], 10, -30611744);
      c = roundI(c, d, a, b, words[i + 6], 15, -1560198380);
      b = roundI(b, c, d, a, words[i + 13], 21, 1309151649);
      a = roundI(a, b, c, d, words[i + 4], 6, -145523070);
      d = roundI(d, a, b, c, words[i + 11], 10, -1120210379);
      c = roundI(c, d, a, b, words[i + 2], 15, 718787259);
      b = roundI(b, c, d, a, words[i + 9], 21, -343485551);

      // Feed the block result forward into the running state.
      a = safeAdd(a, prevA);
      b = safeAdd(b, prevB);
      c = safeAdd(c, prevC);
      d = safeAdd(d, prevD);
    }

    return [a, b, c, d];
  }

  // Little-endian 32-bit words -> binary string, one character per byte.
  function wordsToBytes(words) {
    var bytes = "";
    var totalBits = 32 * words.length;
    for (var bit = 0; bit < totalBits; bit += 8) {
      bytes += String.fromCharCode((words[bit >> 5] >>> (bit % 32)) & 0xff);
    }
    return bytes;
  }

  // Binary string -> little-endian 32-bit words (low 8 bits of each char).
  function bytesToWords(bytes) {
    var words = [];
    // Pre-size the array, then zero it, exactly as the bundled code does.
    words[(bytes.length >> 2) - 1] = undefined;
    for (var slot = 0; slot < words.length; slot += 1) {
      words[slot] = 0;
    }
    var totalBits = 8 * bytes.length;
    for (var bit = 0; bit < totalBits; bit += 8) {
      words[bit >> 5] |= (bytes.charCodeAt(bit / 8) & 0xff) << (bit % 32);
    }
    return words;
  }

  // Binary string -> lowercase hex.
  function toHex(bytes) {
    var hex = "";
    for (var pos = 0; pos < bytes.length; pos += 1) {
      var code = bytes.charCodeAt(pos);
      hex += HEX_DIGITS.charAt((code >>> 4) & 0x0f) + HEX_DIGITS.charAt(code & 0x0f);
    }
    return hex;
  }

  // UTF-8 encodes a JS string into a binary string.
  function toUtf8Bytes(text) {
    return unescape(encodeURIComponent(text));
  }

  // MD5 of `text`, returned as a 16-character binary string.
  function rawDigest(text) {
    var bytes = toUtf8Bytes(text);
    return wordsToBytes(compress(bytesToWords(bytes), 8 * bytes.length));
  }

  // HMAC-MD5 of `text` under `secret`, returned as a binary string.
  function rawHmac(secret, text) {
    var keyBytes = toUtf8Bytes(secret);
    var dataBytes = toUtf8Bytes(text);
    var keyWords = bytesToWords(keyBytes);
    var innerPad = [];
    var outerPad = [];
    innerPad[15] = outerPad[15] = undefined;

    // Keys longer than one 64-byte block are replaced by their digest.
    if (keyWords.length > 16) {
      keyWords = compress(keyWords, 8 * keyBytes.length);
    }
    for (var w = 0; w < 16; w += 1) {
      innerPad[w] = 0x36363636 ^ keyWords[w];
      outerPad[w] = 0x5c5c5c5c ^ keyWords[w];
    }

    var innerHash = compress(
      innerPad.concat(bytesToWords(dataBytes)),
      512 + 8 * dataBytes.length
    );
    return wordsToBytes(compress(outerPad.concat(innerHash), 640));
  }

  // Public entry point: plain digest or HMAC, hex or raw.
  function digest(message, key, raw) {
    if (!key) {
      return raw ? rawDigest(message) : toHex(rawDigest(message));
    }
    return raw ? rawHmac(key, message) : toHex(rawHmac(key, message));
  }

  return digest;
}
測試一下:
可以看到確實為md5加密,接下來分析a()函數,同理也是全局思想
此處比較重要的一點是此函數需要進行參數的傳入
可以看到此函數是這個樣子的,打上斷點分析參數,將參數傳進去
加密看下效果:
一致,完成。
結果:
總結
全局思想:很多函數定義在另一個大函數的內部,單獨扣很不好扣,或者說一扣起來就得扣半天;此時把外層的大函數整個扣下來再調用其中的函數,就好很多