某麦数据analysis参数逆向分析
**说明:**获取数据的url为 https://api.qimai.cn/rank/release?analysis=dQ59QSxacUR9ZHlEdTByQSlwfxZ8ZHVJfGR1QCldeR15dVFIfVkASH1kdVZubxxHb1MEDXATH0JRVg8YSgFYUwBDVXATCQIFDlEFCVUCBFBwEwE%3D&is_preorder=all&date=2020-12-11&sdate=2020-12-11&edate=2020-12-11&genre=36&country=cn&page=2
analysis为每次请求就会变化的参数
1.
在目标要发送请求前打上断点,拦截请求
-
在函数调用栈中,分析加密参数的大概位置,就在get调用栈位置
-
在此处打上断点,之后一步一步执行,
-
然后这个位置就是主要的加密函数的位置
-
图中的位置就是生成的analysis参数
总结
加密原理
说明:第一页的请求和后面的请求参数是不一样的,第一页的是 var i = ‘@#/rank/release@#’+r+’@#1’ 没有前面一串的数据
按顺序拼接请求参数
params:
country: "cn"
date: "2020-12-10"
edate: "2020-12-10"
genre: "36"
is_preorder: "all"
page: 2
sdate: "2020-12-10"
拼接为 22020-12-102020-12-102020-12-1036allcn 参数有sort处理
进行base64加密 为 MjIwMjAtMTItMTAyMDIwLTEyLTEwMjAyMC0xMi0xMDM2YWxsY24=
//字符串拼接 D暂时未写死参数D = 5449 D参数说明获取请求的cookie中时间戳参数与请求的时间戳相减生成
var r = (new Date()).valueOf() - D - 1515125653845
var i = '@#/rank/release@#'+r+'@#1'
完整的拼接为 MjIwMjAtMTItMTAyMDIwLTEyLTEwMjAyMC0xMi0xMDM2YWxsY24=@#/rank/release@#92461336010@#1
进行字符串处理
// t为上一步拼接字符串 n为写死 00000008d78d46a
function j(t, n) {
var h = 0, q=10
n || (n = d()),
t = t.split("");
for (var a = t.length, e = n.length, r = "charCodeAt", s = 0; s < a; s++)
t[s] = String.fromCharCode(t[s][r](h) ^ n[(s + q) % e][r](h));
return t.join("")
}
获取到特殊字符串之后进行base64 加密 “dQ59QSxacUR9ZHlEdTB2QSlwfxZ8ZHVJfGR1TyldeR15dVFIfVkASH10dVZubxxHb1MEDXATH0JRVg8YSgFYUwBDVXATCQIEDlUEC1IEB1FwEwE=”
最后进行 encodeURIComponent(a)函数处理得到analysis参数
详细的js代码
可以自己封装成js函数,使用Python的execjs执行该函数,主要的处理位置都已经在代码里了
var codeHandler = (function(){
var base64Chars = [
'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H',
'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P',
'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X',
'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f',
'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n',
'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
'w', 'x', 'y', 'z', '0', '1', '2', '3',
'4', '5', '6', '7', '8', '9', '+', '/'
],
encode = {
'base64':codeBase64
},
decode = {
'base64':decodeBase64
}
handleFormat = {
'utf-8':toUTF8Binary
};
function stringToBinary(str , size , encodeType ){
// str-字符串 , size - 转换后的二进制位数 ,encodeType - 采用什么格式去保存二进制编码
var i,
len,
binary = '';
for ( i = 0 , len = str.length ; i < len ; i++ ){
binary = binary + handleFormat[encodeType.toLowerCase()](str.charCodeAt(i));
}
return binary;
}
// 转换为以UTF-8格式的二进制数据
function toUTF8Binary(unicode){
var len,
binary = '',
star = 0,
bitStream = unicode.toString(2), // 转换为二进制比特流
bitLen = bitStream.length,
i;
if( unicode >= 0x000000 && unicode <= 0x00007F ){
binary = bitStream;
for( i = 0 , len = 8 ; i < len-bitLen ; i ++ ){
binary = 0 +binary; // 不足8位补0
}
}else if( unicode >=0x000080 && unicode <=0x0007FF ){
binary = bitStream;
for( i = 0 , len = 11 ; i < len-bitLen ; i ++ ){
binary = 0 +binary; // 不足11位补0
}
binary = '110'+binary.substr(0,5) + '10' + binary.substr(5,6);
}
else if( unicode >=0x000800 && unicode <=0x00FFFF ){
binary = bitStream;
for( i = 0 , len = 16 ; i < len-bitLen ; i ++ ){
binary = 0 +binary; // 不足16位补0
};
binary = '1110' +
binary.substr(0,4) +
'10' +
binary.substr(4,6) +
'10' +
binary.substr(10,6);
}
else if( unicode >=0x010000 && unicode <=0x10FFFF ){
binary = bitStream;
for( i = 0 , len = 21 ; i < len-bitLen ; i ++ ){
binary = 0 +binary; // 不足21位补0
}
binary = '11110' +
binary.substr(0,3) +
'10' +
binary.substr(3,6) +
'10' +
binary.substr(9,6) +
'10' +
binary.substr(15,6);
}
return binary;
}
// 编码成base64格式
function base64Parse(binary24,flag){
var i,
len,
result = '',
decode;
if(flag == 1){
for( i = 0 ; i < 4 ; i++){
decode = parseInt(binary24.substr(i*6,6),2);
result = result + base64Chars[decode];
}
}
else{
for ( i=0 , len = Math.floor(flag/6) ;i<len+1; i++){
decode = parseInt(binary24.substr(i*6,6),2);
result = result + base64Chars[decode];
}
for( i = 0; i < 3-len ;i ++){
result = result + '=';
}
}
return result;
}
// 解析为base64格式的二进制数据
function codeBase64(str){
var i,
len,
rem,
mer,
result = '',
strBinaryAry = [],
binary = stringToBinary(str , 8 , 'utf-8'); // base64是基于utf-8格式保存的二进制数据转换的
len = binary.length;
mer = Math.floor(len / 24);
rem = len % 24;
for( i = 0 ; i < mer ; i++){
result = result + base64Parse(binary.substr(i*24,24),1);
}
remCode = binary.substr(len-rem,rem);
if( rem > 0 ){
for( i =0 ; i < 24-rem ; i++){
remCode = remCode + 0;
}
result = result + base64Parse(remCode,rem)
}
return result;
}
// 解码base64格式的数据
function decodeBase64(str){
var i,
j,
k,
len,
t = 0,
curbinary,
start = 0 ,
flag = [
{
str:'0',
len:8
},
{
str:'110',
len:11
},
{
str:'1110',
len:16
},
{
str:'11110',
len:21
}],
binary= '',
newStr = '';
for( i = 0 , len = str.length ; i < len ; i++){
var curbinary = base64Chars.indexOf(str.charAt(i)).toString(2);
if( curbinary != '-1'){
for( j = 0 ; curbinary.length <6 ; j++){
curbinary = 0 + curbinary;
}
binary = binary + curbinary;
}
if( i >= len-2 && str.charAt(i) == '='){
++t;
}
}
if( t == 0 ){
len = binary.length;
}
else{
len = binary.length - (6-2*t)
}
for( ; start < len ;){
for( j = 0 ; j < 4 ; j++){
if(binary.indexOf( flag[j].str ,start) == start){
if(flag[j].len == 8){
newStr = newStr +
String.fromCharCode(parseInt(binary.substr(start,8),2));
}
else if(flag[j].len == 11){
newStr = newStr +
String.fromCharCode(parsetInt(binary.substr(start+3,5) +
binary.substr(start+10,6),2));
}
else if(flag[j].len == 16){
newStr = newStr +
String.fromCharCode(parsetInt(binary.substr(start+4,4) +
binary.substr(start+10,6) +
binary.substr(start+18,6),2));
}
else if(flag[j].len == 21){
newStr = newStr +
String.fromCharCode(parseInt(binary.substr(start+5,3) +
binary.substr(start+10,6) + binary.substr(start+18,6) +
binary.substr(start+26,6),2));
}
start = start + flag[j].len;
break;
}
}
}
binary = null;
return newStr;
}
return {
encode:function(str ,type){
return encode[type](str);
},
decode:function(str, type){
return decode[type](str);
}
};
})();
function j(t, n) {
var h = 0, q=10
n || (n = d()),
t = t.split("");
for (var a = t.length, e = n.length, r = "charCodeAt", s = 0; s < a; s++)
t[s] = String.fromCharCode(t[s][r](h) ^ n[(s + q) % e][r](h));
return t.join("")
}
function tim() {
//D参数写死即可
var D = 752;
var r = (new Date()).valueOf() - D - 1515125653845
var i = '@#/rank/release@#'+r+'@#1'
return i
}
//MjIwMjAtMTItMTAyMDIwLTEyLTEwMjAyMC0xMi0xMDM2YWxsY24=@#/rank/release@#92462858273@#1
// main()
var pa = "2020-12-102020-12-102020-12-10364allcn"
var pa_base = codeHandler.encode(pa,'base64')+tim()
console.log(pa_base)
var L = '00000008d78d46a'
var n = j(pa_base, L)
console.log(n)
var a = codeHandler.encode(n,'base64');
console.log(encodeURIComponent(a))