JS逆向高級(jí)爬蟲

JS逆向的目的是通過運(yùn)行本地JS的文件或者代碼,以實(shí)現(xiàn)脫離他的網(wǎng)站和瀏覽器,并且還能拿到和瀏覽器加密一樣的效果。

10.1、編碼算法

【1】摘要算法：一切從MD5開始

MD5是一個(gè)非常常見的摘要(hash)邏輯. 其特點(diǎn)就是小巧. 速度快. 極難被破解. 所以, md5依然是國內(nèi)非常多的互聯(lián)網(wǎng)公司選擇的密碼摘要算法.

1. 這玩意不可逆. 所以. 摘要算法就不是一個(gè)加密邏輯.

2. 相同的內(nèi)容計(jì)算出來的摘要是一樣的

3. 不同的內(nèi)容(哪怕是一丟丟丟丟丟不一樣) 計(jì)算出來的結(jié)果差別非常大

在數(shù)學(xué)上. 摘要其實(shí)計(jì)算邏輯就是hash.

hash(數(shù)據(jù)) => 數(shù)字

1. 密碼
2. 一致性檢測  

md5的python實(shí)現(xiàn):

from hashlib import md5obj = md5()
obj.update("yuan".encode("utf-8"))
# obj.update("alex".encode('utf-8'))  # 可以添加多個(gè)被加密的內(nèi)容bs = obj.hexdigest()
print(bs)

我們把密文丟到網(wǎng)頁里. 發(fā)現(xiàn)有些網(wǎng)站可以直接解密. 但其實(shí)不然. 這里并不是直接解密MD5. 而是"撞庫".

就是它網(wǎng)站里存儲(chǔ)了大量的MD5的值. 就像這樣:

而需要進(jìn)行查詢的時(shí)候. 只需要一條select語句就可以查詢到了. 這就是傳說中的撞庫.

如何避免撞庫: md5在進(jìn)行計(jì)算的時(shí)候可以加鹽. 加鹽之后. 就很難撞庫了.

from hashlib import md5salt = "我是鹽.把我加進(jìn)去就沒人能破解了"
obj = md5(salt.encode("utf-8"))  # 加鹽
obj.update("alex".encode("utf-8"))bs = obj.hexdigest()
print(bs)

擴(kuò)展; sha256

from hashlib import sha1, sha256
sha = sha256(b'salt')
sha.update(b'alex')
print(sha.hexdigest())

不論是sha1, sha256, md5都屬于摘要算法. 都是在計(jì)算hash值. 只是散列的程度不同而已. 這種算法有一個(gè)特性. 他們是散列. 不是加密. 而且, 由于hash算法是不可逆的, 所以不存在解密的邏輯.

【2】url編碼

import urllib.parse# s = 'a'
s = ' 123'
ret = urllib.parse.quote(s)
print(ret)
s = urllib.parse.unquote(ret)
print(s)params = {'name': '張三', 'age': 20, 'address': '北京市海淀區(qū)'}
query_string = urllib.parse.urlencode(params)
print(query_string)query_string = 'name=%E5%BC%A0%E4%B8%89&age=20&address=%E5%8C%97%E4%BA%AC%E5%B8%82%E6%B5%B7%E6%B7%80%E5%8C%BA'
params = urllib.parse.parse_qs(query_string)
print(params, type(params))

【3】 base64編碼

（1）base64是什么

Base64編碼，是由64個(gè)字符組成編碼集：26個(gè)大寫字母A_{Z，26個(gè)小寫字母a}z，10個(gè)數(shù)字0~9，符號(hào)“+”與符號(hào)“/”。Base64編碼的基本思路是將原始數(shù)據(jù)的三個(gè)字節(jié)拆分轉(zhuǎn)化為四個(gè)字節(jié)，然后根據(jù)Base64的對(duì)應(yīng)表，得到對(duì)應(yīng)的編碼數(shù)據(jù)。

當(dāng)原始數(shù)據(jù)湊不夠三個(gè)字節(jié)時(shí)，編碼結(jié)果中會(huì)使用額外的**符號(hào)“=”**來表示這種情況。

（2）base64原理

一個(gè)Base64字符實(shí)際上代表著6個(gè)二進(jìn)制位(bit)，4個(gè)Base64字符對(duì)應(yīng)3字節(jié)字符串/二進(jìn)制數(shù)據(jù)。

3個(gè)字符為一組的的base64編碼方式如：

小于3個(gè)字符為一組的編碼方式如：

總結(jié)：base64過程

最后處理完的編碼字符再轉(zhuǎn)字節(jié)中不再有base64以外的任何字符。

（3）base64測試

import base64bs = "you".encode("utf-8")
# 把字節(jié)轉(zhuǎn)化成b64
print(base64.b64encode(bs).decode())bs = "yo".encode("utf-8")
# 把字節(jié)轉(zhuǎn)化成b64
print(base64.b64encode(bs).decode())# 猜測結(jié)果
bs = "y".encode("utf-8")
# 把字節(jié)轉(zhuǎn)化成b64
print(base64.b64encode(bs).decode())

注意, b64處理后的字符串長度. 一定是4的倍數(shù). 如果在網(wǎng)頁上看到有些密文的b64長度不是4的倍數(shù). 會(huì)報(bào)錯(cuò)

例如,

import base64s = "eW91"
ret = base64.b64decode(s)
print(ret)s = "eW91eQ=="
ret = base64.b64decode(s)
print(ret)s = "eW91eQ"
ret = base64.b64decode(s)
print(ret)

解決思路. base64長度要求. 字符串長度必須是4的倍數(shù). 填充一下即可

s = "eW91eQ"
# ret = base64.b64decode(s)
# print(ret)s += ("=" * (4 - len(s) % 4))
print("填充后", s)
ret = base64.b64decode(s).decode()
print(ret)

（4）base64變種

# 方式1
data = res.text.replace("-", "+").replace("_", "/")
base64.b64decode(data)
# 方式2
data = base64.b64decode(res.text, altchars=b"-_")  # base64解碼成字節(jié)流

（5）為什么要base64編碼

base64 編碼的優(yōu)點(diǎn)：

• 算法是編碼，不是壓縮，編碼后只會(huì)增加字節(jié)數(shù)（一般是比之前的多1/3，比如之前是3， 編碼后是4）
• 算法簡單，基本不影響效率
• 算法可逆，解碼很方便，不用于私密傳輸。
• 加密后的字符串只有【0-9a-zA-Z+/=】 ，不可打印字符（轉(zhuǎn)譯字符）也可以傳輸（關(guān)鍵！！！）

有些網(wǎng)絡(luò)傳輸協(xié)議是為了傳輸ASCII文本設(shè)計(jì)的，當(dāng)你使用其傳輸二進(jìn)制流時(shí)（比如視頻/圖片），二進(jìn)制流中的數(shù)據(jù)可能會(huì)被協(xié)議錯(cuò)誤的識(shí)別為控制字符等等，因而出現(xiàn)錯(cuò)誤。那這時(shí)就要將二進(jìn)制流傳輸編碼，因?yàn)橛行?Bit字節(jié)碼并沒有對(duì)應(yīng)的ASCII字符。

比如十進(jìn)制ASCII碼8對(duì)應(yīng)的是后退符號(hào)(backspace), 如果被編碼的數(shù)據(jù)中包含這個(gè)數(shù)值，那么編碼出來的結(jié)果在很多編程語言里會(huì)導(dǎo)致前一個(gè)字符被刪掉。又比如ASCII碼0對(duì)應(yīng)的是空字符，在一些編程語言里代表字符串結(jié)束，后續(xù)的數(shù)據(jù)就不會(huì)被處理了。

用Base64編碼因?yàn)橄薅擞糜诰幋a的字符集，確保編碼的結(jié)果可打印且無歧義。

不同的網(wǎng)絡(luò)節(jié)點(diǎn)設(shè)備交互數(shù)據(jù)需要：設(shè)備A把base64編碼后的數(shù)據(jù)封裝在json字符串里，設(shè)備B先解析json拿到value，再進(jìn)行base64解碼拿到想要的數(shù)據(jù)。

1. 早年制定的一些協(xié)議都是只支持文本設(shè)定的。隨著不斷發(fā)展需要支持非文本了，才搞了一個(gè)base64做兼容

2. 雖然編碼之后的數(shù)據(jù)與加密一樣都具有不可見性，但編碼與加密的概念并不一樣。編碼是公開的，任何人都可以解碼；而加密則相反，你只希望自己或者特定的人才可以對(duì)內(nèi)容進(jìn)行解密。

base64處理圖片數(shù)據(jù)：

import base64
source = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAA7VBMVEUAAADs8v+txP+qwv+4zf/w9f/2+P+hu//Q3f+yyP+4zf/Q3f+kvv+90P+80f+2yv/S4P/T4P/M2//z9/+cuP/V4P9Whv9Uhf9Sg/9Pgf9NgP/8/f9di/9Xh/9lkf5aif9qlP7z9//k7P/c5v+2y/94nv51nP6lv/+LrP6Ep/6BpP5gjf7v9P+wxv/U4f/M2/+sxP+vxv73+f/P3v/J2v+5zf+ivP+fuv9xmf+Ytv6Usv6Hqf58of5vl/7m7v/g6f+zyf6QsP75+//q8P/B0v/W4//C1P6+0P6qwv6ct/76fHZiAAAAGnRSTlMAGAaVR/Py45aC9Mfy2b8t9OPZ2ce/v4L0x/e74/EAAAIZSURBVDjLZVPXYuIwEDSmQ4BLv5O0ku3Yhwu2IZTQe0hy7f8/57QSoYR5sVea1c424wgzl324LRRuH7I507hEJluYucCFEOBGhWzmy7X5+N0WwIjTbrcdBsKulM0z96onGCGE2X6n+cTkj/CqJ480igzkNXp26E9JkABSbBz8i4Bn3EkH840mKHoxs49fZQzt2Kd03FQEzSB3WsejB9Jqf1CJQBM0wCurABWBoub0gkDENwyStTHA62pwSWDtklRQ4FLfjnaiPqVW60hAYeLKNHIREOZuKTL80H6XBFCwn4BAmDOyLiOQUIlOSEjaoS+Ju57NZuul73Fml4w6yAivSLBW3MGfcfBmIegmArg3alICdJHgy1jQt8Z/6CcC4DdGXhLIoiWRACpbLYbDYW80GnXp2GH8ShP+PUvEoHsAIFq9Xm8+kXlIwkkI9pm+05Tm3yWqu9EiB0pkwjWBx2i+tND1XqeZqpPU4VhUbq/ekR8CwTRVoRxf3ifTbeIwcONNsJZ2lxFVKDMv1KNvS2zXdrnD+COvR1PQpTZKNlKD3cLCOJNnivgVxkw169BunlKFaV9/B+LQbqOsByY4IVgDB59dl/cjR9TIJV1Lh7CGqUqH/DDPhhZYOPkdLz6m0X7GrzPHsSe6zJwzxvm+5NeNi8U5ABfn7mz7zHJFrZ6+BY6rd7m8kQtcAtwwXzq4n69/vZbP1+pn6/8fsrRmHUhmpYYAAAAASUVORK5CYII="
s = source.split(",")[1]
with open("a.png", "wb") as f:f.write(base64.b64decode(s))

【4】對(duì)稱加密（AES與DES）

AES是一種對(duì)稱加密，所謂對(duì)稱加密就是加密與解密使用的秘鑰是一個(gè)。

常見的對(duì)稱加密: AES, DES, 3DES. 我們這里討論AES。

安裝：

pip install pycryptodome

AES 加密最常用的模式就是 ECB模式 和 CBC 模式，當(dāng)然還有很多其它模式，他們都屬于AES加密。ECB模式和CBC 模式倆者區(qū)別就是 ECB 不需要 iv偏移量，而CBC需要。

參數(shù)	作用及數(shù)據(jù)類型1. 秘鑰	加密的時(shí)候用秘鑰，解密的時(shí)候需要同樣的秘鑰才能解出來; 數(shù)據(jù)類型為bytes
2. 明文	需要加密的參數(shù); 數(shù)據(jù)類型為bytes
3. 模式	aes 加密常用的有 ECB 和 CBC 模式（我只用了這兩個(gè)模式，還有其他模式）;數(shù)據(jù)類型為aes類內(nèi)部的枚舉量
iv 偏移量	這個(gè)參數(shù)在 ECB 模式下不需要，在 CBC 模式下需要；數(shù)據(jù)類型為bytes"""
長度16: *AES-128*24: *AES-192*32: *AES-256*MODE 加密模式. 常見的ECB, CBCECB：是一種基礎(chǔ)的加密方式，密文被分割成分組長度相等的塊（不足補(bǔ)齊），然后單獨(dú)一個(gè)個(gè)加密，一個(gè)個(gè)輸出組成密文。CBC：是一種循環(huán)模式，前一個(gè)分組的密文和當(dāng)前分組的明文異或或操作后再加密，這樣做的目的是增強(qiáng)破解難度。
"""

CBC加密案例：

from Crypto.Cipher import AES
import base64key = '1234567890123456'.encode()  # 秘鑰
# 秘鑰：必須是16位字節(jié)或者24位字節(jié)或者32位字節(jié)
text = 'alex is dsb!!!!!'
# text = 'alex is dsb'  # 需要加密的內(nèi)容
# while len(text.encode('utf-8')) % 16 != 0:  # 如果text不足16位的倍數(shù)就用空格補(bǔ)足為16位
#     text += '\0'
text = text.encode()
print("完整text:", text)iv = b'abcdabcdabcdabcd'   #偏移量--必須16字節(jié)aes = AES.new(key, AES.MODE_CBC,iv)  # 創(chuàng)建一個(gè)aes對(duì)象en_text = aes.encrypt(text)  # 加密明文
print("aes加密數(shù)據(jù):::", en_text)en_text = base64.b64encode(en_text).decode()  # 將返回的字節(jié)型數(shù)據(jù)轉(zhuǎn)進(jìn)行base64編碼
print(en_text)  # rRPMWCaOBYahYnKUJzq65A==

CBC解密案例：

from Crypto.Cipher import AES
import base64key = '1234567890123456'.encode()  # 秘鑰
# 秘鑰：必須是16位字節(jié)或者24位字節(jié)或者32位字節(jié)（因?yàn)閜ython3的字符串是unicode編碼，需要 encode才可以轉(zhuǎn)換成字節(jié)型數(shù)據(jù)）
model = AES.MODE_CBC  # 定義模式
iv = b'abcdabcdabcdabcd'
aes = AES.new(key, model, iv)  # 創(chuàng)建一個(gè)aes對(duì)象text = 'J8bwyhYt1chAPAGu8N6kKA=='.encode()  # 需要解密的文本
ecrypted_base64 = base64.b64decode(text)  # base64解碼成字節(jié)流
str = aes.decrypt(ecrypted_base64).decode()  # 解密print("aes解密數(shù)據(jù):::")

1. 在Python中進(jìn)行AES加密解密時(shí)，所傳入的密文、明文、秘鑰、iv偏移量、都需要是bytes（字節(jié)型）數(shù)據(jù)。python 在構(gòu)建aes對(duì)象時(shí)也只能接受bytes類型數(shù)據(jù)。

2. 當(dāng)秘鑰，iv偏移量，待加密的明文，字節(jié)長度不夠16字節(jié)或者16字節(jié)倍數(shù)的時(shí)候需要進(jìn)行補(bǔ)全。

3. CBC模式需要重新生成AES對(duì)象，為了防止這類錯(cuò)誤，無論是什么模式都重新生成AES對(duì)象就可以了。

【5】非對(duì)稱加密(RSA)

非對(duì)稱加密. 加密和解密的秘鑰不是同一個(gè)秘鑰. 這里需要兩把鑰匙. 一個(gè)公鑰, 一個(gè)私鑰. 公鑰發(fā)送給客戶端. 發(fā)送端用公鑰對(duì)數(shù)據(jù)進(jìn)行加密. 再發(fā)送給接收端, 接收端使用私鑰來對(duì)數(shù)據(jù)解密. 由于私鑰只存放在接受端這邊. 所以即使數(shù)據(jù)被截獲了. 也是無法進(jìn)行解密的.

公鑰和私鑰

常見的非對(duì)稱加密算法: RSA, DSA等等, 我們就介紹一個(gè). RSA加密, 也是最常見的一種加密方案

1. 創(chuàng)建公鑰和私鑰

from Crypto.PublicKey import RSA# 生成秘鑰
rsakey = RSA.generate(1024)
with open("rsa.public.pem", mode="wb") as f:f.write(rsakey.publickey().exportKey())with open("rsa.private.pem", mode="wb") as f:f.write(rsakey.exportKey())

2. 加密

from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5
import base64# 加密
data = "我喜歡你"
with open("rsa.public.pem", mode="r") as f:pk = f.read()rsa_pk = RSA.importKey(pk)rsa = PKCS1_v1_5.new(rsa_pk)result = rsa.encrypt(data.encode("utf-8"))# 處理成b64方便傳輸b64_result = base64.b64encode(result).decode("utf-8")print(b64_result)

3. 解密

from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5
import base64data = "BkiKG8jzVGzbWOl4m8NXJEYglgtxhOB05MGmap8JSP97GzoewPBmDTs7c5iACUof3k/uJf0H88GygajVgBvkcbckJp7oO+Qj6VSUQYTOHhKN/VG2a8v+WzL34EO/S7BYoj2oOxIDAr8wDLxYxjBeXq/Be6Q1yBbnZcKaMkifhP8="
# 解密
with open("rsa.private.pem", mode="r") as f:prikey = f.read()rsa_pk = RSA.importKey(prikey)rsa = PKCS1_v1_5.new(rsa_pk)result = rsa.decrypt(base64.b64decode(data), None)print("rsa解密數(shù)據(jù):::", result.decode("utf-8

10.2、PyExecJS模塊

pyexecjs是一個(gè)可以幫助我們運(yùn)行js代碼的一個(gè)第三方模塊. 其使用是非常容易上手的.

但是它的運(yùn)行是要依賴能運(yùn)行js的第三方環(huán)境的. 這里我們選擇用node作為我們運(yùn)行js的位置.

pip install pyexecjs

測試一下:

import execjs
print(execjs.get().name)  # 需要重啟pycharm或者重啟電腦 Node.js (V8)

簡單使用

import execjsprint(execjs.get().name)# execjs.eval 可以直接運(yùn)行js代碼并得到結(jié)果
js = """
"a,b,c,d".split(",")
"""
res = execjs.eval(js)
print(res)# execjs.compile(),  call()
# execjs.compile() 事先加載好一段js代碼,
jj = execjs.compile("""function foo(a, b){return a + b    }
""")
# call() 運(yùn)行代碼中的xxx函數(shù). 后續(xù)的參數(shù)是xxx的參數(shù)
ret = jj.call("foo", 10, 20)
print(ret)

windows中如果出現(xiàn)編碼錯(cuò)誤. 在引入execjs之前. 插入以下代碼即可.

import subprocess
from functools import partial
subprocess.Popen = partial(subprocess.Popen, encoding='utf-8')import execjs

10.3、JS逆向?qū)崙?zhàn)必備案例

【1】逆向案例之某道翻譯

Part01:逆向請(qǐng)求

（1）抓包

（2）獲取JS的請(qǐng)求入口

獲取請(qǐng)求入口:搜索關(guān)鍵字，比如sign（有時(shí)候太多不好用），比如請(qǐng)求路徑

（3）獲取構(gòu)建數(shù)據(jù)的目標(biāo)函數(shù)

分析請(qǐng)求參數(shù)

（4）獲取目標(biāo)函數(shù)源碼位置

方式1:

方式2:

（5） 逆向?qū)崿F(xiàn)

# Python逆向模擬：
import time
import hashlib
import requestssession = requests.session()
session.get("https://fanyi.youdao.com/")
word = "apple"
# (1) 構(gòu)建sign值
t = str(1683620934858)
s = f"client=fanyideskweb&mysticTime={t}&product=webfanyi&key=fsdsogkndfokasodnaso"
md5 = hashlib.md5()
md5.update(s.encode())
sign = md5.hexdigest()print("sign:::", sign)
# sign::: d246611271b76b9cbf43bb075a3d5ccb

md5是標(biāo)準(zhǔn)的，沒有魔改，程序員是個(gè)好人！

完整的逆向代碼也就出來了：

結(jié)果為：

Z21kD9ZK1ke6ugku2ccWu-MeDWh3z252xRTQv-wZ6jddVo3tJLe7gIXz4PyxGl73nSfLAADyElSjjvrYdCvEP4pfohVVEX1DxoI0yhm36ytQNvu-WLU94qULZQ72aml6JKK7ArS9fJXAcsG7ufBIE0gd6fbnhFcsGmdXspZe-8whVFbRB_8Fc9JlMHh8DDXnskDhGfEscN_rfi-A-AHB3F9Vets82vIYpkGNaJOft_JA-m5cGEjo-UNRDDpkTz_NIAvo5PbATpkh7PSna2tHcE6Hou9GBtPLB67vjScwplB96-zqZKXJJEzU5HGF0oPDY_weAkXArzXyGLBPXFCnn_IWJDkGD4vqBQQAh2n52f48GD_cb-PSCT_8b-ESsKUI9NJa11XsdaUZxAc8TzrYnXwdcQbtl_kZGKhS6_rCtuNEBouA_lvM2CbS7TTtV2U4zVmJKpp-c6nt3yZePK3Av01GWn1pH_3sZbaPEx8DUjSbdp4i4iK-Mj4p2HPoph67DR7B9MFETYku_28SgP9xsKRRvFH4aHBHESWX4FDbwaU=

Part02：解密數(shù)據(jù)

（1）解密入口

（2）查找解密函數(shù)

（3）解密實(shí)現(xiàn)

import hashlibdef get_md5_digest(newkey):md5 = hashlib.md5()md5.update(newkey.encode())return md5.digest()key = "ydsecret://query/key/B*RGygVywfNBwpmBaZg*WT7SIOUP2T0C9WHMZN39j^DAdaZhAnxvGcCY6VYFwnHl"
iv = "ydsecret://query/iv/C@lZe2YzHtZ2CYgaXKSVfsb7Y4QWHjITPPZ0nQp87fBeJ!Iv6v^6fvi2WN@bYpJ4"
key_md5 = get_md5_digest(key)
iv_md5 = get_md5_digest(iv)

基于Python的完整解密：

基于JS的完整解密：

const crypto = require('crypto');function g(e) {return crypto.createHash("md5").update(e).digest()
}function s() {let o = 'ydsecret://query/key/B*RGygVywfNBwpmBaZg*WT7SIOUP2T0C9WHMZN39j^DAdaZhAnxvGcCY6VYFwnHl'let n = 'ydsecret://query/iv/C@lZe2YzHtZ2CYgaXKSVfsb7Y4QWHjITPPZ0nQp87fBeJ!Iv6v^6fvi2WN@bYpJ4'const a = Buffer.alloc(16, g(o)), c = Buffer.alloc(16, g(n)), i = crypto.createDecipheriv("aes-128-cbc", a, c);let s = i.update(t, "base64", "utf-8");return s += i.final("utf-8")}
t = 'Z21kD9ZK1ke6ugku2ccWu-MeDWh3z252xRTQv-wZ6jddVo3tJLe7gIXz4PyxGl73nSfLAADyElSjjvrYdCvEP4pfohVVEX1DxoI0yhm36ytQNvu-WLU94qULZQ72aml6JKK7ArS9fJXAcsG7ufBIE0gd6fbnhFcsGmdXspZe-8whVFbRB_8Fc9JlMHh8DDXnskDhGfEscN_rfi-A-AHB3F9Vets82vIYpkGNaJOft_JA-m5cGEjo-UNRDDpkTz_NIAvo5PbATpkh7PSna2tHcE6Hou9GBtPLB67vjScwplB96-zqZKXJJEzU5HGF0oPDY_weAkXArzXyGLBPXFCnn_IWJDkGD4vqBQQAh2n52f48GD_cb-PSCT_8b-ESsKUI9NJa11XsdaUZxAc8TzrYnXwdcQbtl_kZGKhS6_rCtuNEBouA_lvM2CbS7TTtV2U4zVmJKpp-c6nt3yZePK3Av01GWn1pH_3sZbaPEx8DUjSbdp4i4iK-Mj4p2HPoph67DR7B9MFETYku_28SgP9xsKRRvFH4aHBHESWX4FDbwaU='
console.log(s())

# 基于execjs實(shí)現(xiàn)js與py的結(jié)合import execjswith open("jiemi.js") as f:data = f.read()JS = execjs.compile(data)
t = 'Z21kD9ZK1ke6ugku2ccWu-MeDWh3z252xRTQv-wZ6jddVo3tJLe7gIXz4PyxGl73nSfLAADyElSjjvrYdCvEP4pfohVVEX1DxoI0yhm36ytQNvu-WLU94qULZQ72aml6JKK7ArS9fJXAcsG7ufBIE0gd6fbnhFcsGmdXspZe-8whVFbRB_8Fc9JlMHh8DDXnskDhGfEscN_rfi-A-AHB3F9Vets82vIYpkGNaJOft_JA-m5cGEjo-UNRDDpkTz_NIAvo5PbATpkh7PSna2tHcE6Hou9GBtPLB67vjScwplB96-zqZKXJJEzU5HGF0oPDY_weAkXArzXyGLBPXFCnn_IWJDkGD4vqBQQAh2n52f48GD_cb-PSCT_8b-ESsKUI9NJa11XsdaUZxAc8TzrYnXwdcQbtl_kZGKhS6_rCtuNEBouA_lvM2CbS7TTtV2U4zVmJKpp-c6nt3yZePK3Av01GWn1pH_3sZbaPEx8DUjSbdp4i4iK-Mj4p2HPoph67DR7B9MFETYku_28SgP9xsKRRvFH4aHBHESWX4FDbwaU='
ret = JS.call("jieMi", t)
print(ret)

【2】逆向案例之網(wǎng)易云音樂

（1）抓包解析

（2）目標(biāo)定位

方式1:

方式2:

（3）逆向?qū)崿F(xiàn)

1. 數(shù)據(jù)加密

const CryptoJS = require('crypto-js');function RSAKeyPair(a, b, c) {this.e = biFromHex(a),this.d = biFromHex(b),this.m = biFromHex(c),this.chunkSize = 2 * biHighIndex(this.m),this.radix = 16,this.barrett = new BarrettMu(this.m)
}function twoDigit(a) {return (10 > a ? "0" : "") + String(a)
}function encryptedString(a, b) {for (var f, g, h, i, j, k, l, c = new Array, d = b.length, e = 0; d > e;)c[e] = b.charCodeAt(e),e++;for (; 0 != c.length % a.chunkSize;)c[e++] = 0;for (f = c.length,g = "",e = 0; f > e; e += a.chunkSize) {for (j = new BigInt,h = 0,i = e; i < e + a.chunkSize; ++h)j.digits[h] = c[i++],j.digits[h] += c[i++] << 8;k = a.barrett.powMod(j, a.e),l = 16 == a.radix ? biToHex(k) : biToString(k, a.radix),g += l + " "}return g.substring(0, g.length - 1)
}function decryptedString(a, b) {var e, f, g, h, c = b.split(" "), d = "";for (e = 0; e < c.length; ++e)for (h = 16 == a.radix ? biFromHex(c[e]) : biFromString(c[e], a.radix),g = a.barrett.powMod(h, a.d),f = 0; f <= biHighIndex(g); ++f)d += String.fromCharCode(255 & g.digits[f], g.digits[f] >> 8);return 0 == d.charCodeAt(d.length - 1) && (d = d.substring(0, d.length - 1)),d
}function setMaxDigits(a) {maxDigits = a,ZERO_ARRAY = new Array(maxDigits);for (var b = 0; b < ZERO_ARRAY.length; b++)ZERO_ARRAY[b] = 0;bigZero = new BigInt,bigOne = new BigInt,bigOne.digits[0] = 1
}function BigInt(a) {this.digits = "boolean" == typeof a && 1 == a ? null : ZERO_ARRAY.slice(0),this.isNeg = !1
}function biFromDecimal(a) {for (var d, e, f, b = "-" == a.charAt(0), c = b ? 1 : 0; c < a.length && "0" == a.charAt(c);)++c;if (c == a.length)d = new BigInt;else {for (e = a.length - c,f = e % dpl10,0 == f && (f = dpl10),d = biFromNumber(Number(a.substr(c, f))),c += f; c < a.length;)d = biAdd(biMultiply(d, lr10), biFromNumber(Number(a.substr(c, dpl10)))),c += dpl10;d.isNeg = b}return d
}function biCopy(a) {var b = new BigInt(!0);return b.digits = a.digits.slice(0),b.isNeg = a.isNeg,b
}function biFromNumber(a) {var c, b = new BigInt;for (b.isNeg = 0 > a,a = Math.abs(a),c = 0; a > 0;)b.digits[c++] = a & maxDigitVal,a >>= biRadixBits;return b
}function reverseStr(a) {var c, b = "";for (c = a.length - 1; c > -1; --c)b += a.charAt(c);return b
}function biToString(a, b) {var d, e, c = new BigInt;for (c.digits[0] = b,d = biDivideModulo(a, c),e = hexatrigesimalToChar[d[1].digits[0]]; 1 == biCompare(d[0], bigZero);)d = biDivideModulo(d[0], c),digit = d[1].digits[0],e += hexatrigesimalToChar[d[1].digits[0]];return (a.isNeg ? "-" : "") + reverseStr(e)
}function biToDecimal(a) {var c, d, b = new BigInt;for (b.digits[0] = 10,c = biDivideModulo(a, b),d = String(c[1].digits[0]); 1 == biCompare(c[0], bigZero);)c = biDivideModulo(c[0], b),d += String(c[1].digits[0]);return (a.isNeg ? "-" : "") + reverseStr(d)
}function digitToHex(a) {var b = 15, c = "";for (i = 0; 4 > i; ++i)c += hexToChar[a & b],a >>>= 4;return reverseStr(c)
}function biToHex(a) {var d, b = "";for (biHighIndex(a),d = biHighIndex(a); d > -1; --d)b += digitToHex(a.digits[d]);return b
}function charToHex(a) {var h, b = 48, c = b + 9, d = 97, e = d + 25, f = 65, g = 90;return h = a >= b && c >= a ? a - b : a >= f && g >= a ? 10 + a - f : a >= d && e >= a ? 10 + a - d : 0
}function hexToDigit(a) {var d, b = 0, c = Math.min(a.length, 4);for (d = 0; c > d; ++d)b <<= 4,b |= charToHex(a.charCodeAt(d));return b
}function biFromHex(a) {var d, e, b = new BigInt, c = a.length;for (d = c,e = 0; d > 0; d -= 4,++e)b.digits[e] = hexToDigit(a.substr(Math.max(d - 4, 0), Math.min(d, 4)));return b
}function biFromString(a, b) {var g, h, i, j, c = "-" == a.charAt(0), d = c ? 1 : 0, e = new BigInt, f = new BigInt;for (f.digits[0] = 1,g = a.length - 1; g >= d; g--)h = a.charCodeAt(g),i = charToHex(h),j = biMultiplyDigit(f, i),e = biAdd(e, j),f = biMultiplyDigit(f, b);return e.isNeg = c,e
}function biDump(a) {return (a.isNeg ? "-" : "") + a.digits.join(" ")
}function biAdd(a, b) {var c, d, e, f;if (a.isNeg != b.isNeg)b.isNeg = !b.isNeg,c = biSubtract(a, b),b.isNeg = !b.isNeg;else {for (c = new BigInt,d = 0,f = 0; f < a.digits.length; ++f)e = a.digits[f] + b.digits[f] + d,c.digits[f] = 65535 & e,d = Number(e >= biRadix);c.isNeg = a.isNeg}return c
}function biSubtract(a, b) {var c, d, e, f;if (a.isNeg != b.isNeg)b.isNeg = !b.isNeg,c = biAdd(a, b),b.isNeg = !b.isNeg;else {for (c = new BigInt,e = 0,f = 0; f < a.digits.length; ++f)d = a.digits[f] - b.digits[f] + e,c.digits[f] = 65535 & d,c.digits[f] < 0 && (c.digits[f] += biRadix),e = 0 - Number(0 > d);if (-1 == e) {for (e = 0,f = 0; f < a.digits.length; ++f)d = 0 - c.digits[f] + e,c.digits[f] = 65535 & d,c.digits[f] < 0 && (c.digits[f] += biRadix),e = 0 - Number(0 > d);c.isNeg = !a.isNeg} elsec.isNeg = a.isNeg}return c
}function biHighIndex(a) {for (var b = a.digits.length - 1; b > 0 && 0 == a.digits[b];)--b;return b
}function biNumBits(a) {var e, b = biHighIndex(a), c = a.digits[b], d = (b + 1) * bitsPerDigit;for (e = d; e > d - bitsPerDigit && 0 == (32768 & c); --e)c <<= 1;return e
}function biMultiply(a, b) {var d, h, i, k, c = new BigInt, e = biHighIndex(a), f = biHighIndex(b);for (k = 0; f >= k; ++k) {for (d = 0,i = k,j = 0; e >= j; ++j,++i)h = c.digits[i] + a.digits[j] * b.digits[k] + d,c.digits[i] = h & maxDigitVal,d = h >>> biRadixBits;c.digits[k + e + 1] = d}return c.isNeg = a.isNeg != b.isNeg,c
}function biMultiplyDigit(a, b) {var c, d, e, f;for (result = new BigInt,c = biHighIndex(a),d = 0,f = 0; c >= f; ++f)e = result.digits[f] + a.digits[f] * b + d,result.digits[f] = e & maxDigitVal,d = e >>> biRadixBits;return result.digits[1 + c] = d,result
}function arrayCopy(a, b, c, d, e) {var g, h, f = Math.min(b + e, a.length);for (g = b,h = d; f > g; ++g,++h)c[h] = a[g]
}function biShiftLeft(a, b) {var e, f, g, h, c = Math.floor(b / bitsPerDigit), d = new BigInt;for (arrayCopy(a.digits, 0, d.digits, c, d.digits.length - c),e = b % bitsPerDigit,f = bitsPerDigit - e,g = d.digits.length - 1,h = g - 1; g > 0; --g,--h)d.digits[g] = d.digits[g] << e & maxDigitVal | (d.digits[h] & highBitMasks[e]) >>> f;return d.digits[0] = d.digits[g] << e & maxDigitVal,d.isNeg = a.isNeg,d
}function biShiftRight(a, b) {var e, f, g, h, c = Math.floor(b / bitsPerDigit), d = new BigInt;for (arrayCopy(a.digits, c, d.digits, 0, a.digits.length - c),e = b % bitsPerDigit,f = bitsPerDigit - e,g = 0,h = g + 1; g < d.digits.length - 1; ++g,++h)d.digits[g] = d.digits[g] >>> e | (d.digits[h] & lowBitMasks[e]) << f;return d.digits[d.digits.length - 1] >>>= e,d.isNeg = a.isNeg,d
}function biMultiplyByRadixPower(a, b) {var c = new BigInt;return arrayCopy(a.digits, 0, c.digits, b, c.digits.length - b),c
}function biDivideByRadixPower(a, b) {var c = new BigInt;return arrayCopy(a.digits, b, c.digits, 0, c.digits.length - b),c
}function biModuloByRadixPower(a, b) {var c = new BigInt;return arrayCopy(a.digits, 0, c.digits, 0, b),c
}function biCompare(a, b) {if (a.isNeg != b.isNeg)return 1 - 2 * Number(a.isNeg);for (var c = a.digits.length - 1; c >= 0; --c)if (a.digits[c] != b.digits[c])return a.isNeg ? 1 - 2 * Number(a.digits[c] > b.digits[c]) : 1 - 2 * Number(a.digits[c] < b.digits[c]);return 0
}function biDivideModulo(a, b) {var f, g, h, i, j, k, l, m, n, o, p, q, r, s, c = biNumBits(a), d = biNumBits(b), e = b.isNeg;if (d > c)return a.isNeg ? (f = biCopy(bigOne),f.isNeg = !b.isNeg,a.isNeg = !1,b.isNeg = !1,g = biSubtract(b, a),a.isNeg = !0,b.isNeg = e) : (f = new BigInt,g = biCopy(a)),new Array(f, g);for (f = new BigInt,g = a,h = Math.ceil(d / bitsPerDigit) - 1,i = 0; b.digits[h] < biHalfRadix;)b = biShiftLeft(b, 1),++i,++d,h = Math.ceil(d / bitsPerDigit) - 1;for (g = biShiftLeft(g, i),c += i,j = Math.ceil(c / bitsPerDigit) - 1,k = biMultiplyByRadixPower(b, j - h); -1 != biCompare(g, k);)++f.digits[j - h],g = biSubtract(g, k);for (l = j; l > h; --l) {for (m = l >= g.digits.length ? 0 : g.digits[l],n = l - 1 >= g.digits.length ? 0 : g.digits[l - 1],o = l - 2 >= g.digits.length ? 0 : g.digits[l - 2],p = h >= b.digits.length ? 0 : b.digits[h],q = h - 1 >= b.digits.length ? 0 : b.digits[h - 1],f.digits[l - h - 1] = m == p ? maxDigitVal : Math.floor((m * biRadix + n) / p),r = f.digits[l - h - 1] * (p * biRadix + q),s = m * biRadixSquared + (n * biRadix + o); r > s;)--f.digits[l - h - 1],r = f.digits[l - h - 1] * (p * biRadix | q),s = m * biRadix * biRadix + (n * biRadix + o);k = biMultiplyByRadixPower(b, l - h - 1),g = biSubtract(g, biMultiplyDigit(k, f.digits[l - h - 1])),g.isNeg && (g = biAdd(g, k),--f.digits[l - h - 1])}return g = biShiftRight(g, i),f.isNeg = a.isNeg != e,a.isNeg && (f = e ? biAdd(f, bigOne) : biSubtract(f, bigOne),b = biShiftRight(b, i),g = biSubtract(b, g)),0 == g.digits[0] && 0 == biHighIndex(g) && (g.isNeg = !1),new Array(f, g)
}function biDivide(a, b) {return biDivideModulo(a, b)[0]
}function biModulo(a, b) {return biDivideModulo(a, b)[1]
}function biMultiplyMod(a, b, c) {return biModulo(biMultiply(a, b), c)
}function biPow(a, b) {for (var c = bigOne, d = a; ;) {if (0 != (1 & b) && (c = biMultiply(c, d)),b >>= 1,0 == b)break;d = biMultiply(d, d)}return c
}function biPowMod(a, b, c) {for (var d = bigOne, e = a, f = b; ;) {if (0 != (1 & f.digits[0]) && (d = biMultiplyMod(d, e, c)),f = biShiftRight(f, 1),0 == f.digits[0] && 0 == biHighIndex(f))break;e = biMultiplyMod(e, e, c)}return d
}function BarrettMu(a) {this.modulus = biCopy(a),this.k = biHighIndex(this.modulus) + 1;var b = new BigInt;b.digits[2 * this.k] = 1,this.mu = biDivide(b, this.modulus),this.bkplus1 = new BigInt,this.bkplus1.digits[this.k + 1] = 1,this.modulo = BarrettMu_modulo,this.multiplyMod = BarrettMu_multiplyMod,this.powMod = BarrettMu_powMod
}function BarrettMu_modulo(a) {var i, b = biDivideByRadixPower(a, this.k - 1), c = biMultiply(b, this.mu), d = biDivideByRadixPower(c, this.k + 1),e = biModuloByRadixPower(a, this.k + 1), f = biMultiply(d, this.modulus),g = biModuloByRadixPower(f, this.k + 1), h = biSubtract(e, g);for (h.isNeg && (h = biAdd(h, this.bkplus1)),i = biCompare(h, this.modulus) >= 0; i;)h = biSubtract(h, this.modulus),i = biCompare(h, this.modulus) >= 0;return h
}function BarrettMu_multiplyMod(a, b) {var c = biMultiply(a, b);return this.modulo(c)
}function BarrettMu_powMod(a, b) {var d, e, c = new BigInt;for (c.digits[0] = 1,d = a,e = b; ;) {if (0 != (1 & e.digits[0]) && (c = this.multiplyMod(c, d)),e = biShiftRight(e, 1),0 == e.digits[0] && 0 == biHighIndex(e))break;d = this.multiplyMod(d, d)}return c
}var maxDigits, ZERO_ARRAY, bigZero, bigOne, dpl10, lr10, hexatrigesimalToChar, hexToChar, highBitMasks, lowBitMasks,biRadixBase = 2, biRadixBits = 16, bitsPerDigit = biRadixBits, biRadix = 65536, biHalfRadix = biRadix >>> 1,biRadixSquared = biRadix * biRadix, maxDigitVal = biRadix - 1, maxInteger = 9999999999999998;
setMaxDigits(20),dpl10 = 15,lr10 = biFromNumber(1e15),hexatrigesimalToChar = new Array("0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z"),hexToChar = new Array("0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "a", "b", "c", "d", "e", "f"),highBitMasks = new Array(0, 32768, 49152, 57344, 61440, 63488, 64512, 65024, 65280, 65408, 65472, 65504, 65520, 65528, 65532, 65534, 65535),lowBitMasks = new Array(0, 1, 3, 7, 15, 31, 63, 127, 255, 511, 1023, 2047, 4095, 8191, 16383, 32767, 65535);function a(a) {var d, e, b = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", c = "";for (d = 0; a > d; d += 1)e = Math.random() * b.length,e = Math.floor(e),c += b.charAt(e);return c
}function b(a, b) {var c = CryptoJS.enc.Utf8.parse(b), d = CryptoJS.enc.Utf8.parse("0102030405060708"), e = CryptoJS.enc.Utf8.parse(a), f = CryptoJS.AES.encrypt(e, c, {iv: d,mode: CryptoJS.mode.CBC});return f.toString()
}function c(a, b, c) {var d, e;return setMaxDigits(131),d = new RSAKeyPair(b, "", c),e = encryptedString(d, a)
}function d(d, e, f, g) {var h = {}, i = a(16);return h.encText = b(d, g),h.encText = b(h.encText, i),h.encSecKey = c(i, e, f),h
}function e(a, b, d, e) {var f = {};return f.encText = c(a + e, b, d),f
}ret = d('{"ids":"[1942741405]","level":"standard","encodeType":"aac","csrf_token":""}', '010001', '00e0b509f6259df8642dbc35662901477df22677ec152b5ff68ace615bb7b725152b3ab17a876aea8a5aa76d2e417629ec4ee341f56135fccf695280104e0312ecbda92557c93870114af6c9d05c4f7f0c3685b7a46bee255932575cce10b424d813cfe4875d3e82047b97ddef52741d546b8e289dc6935b3ece0462db0a22b8e7', '0CoJUm6Qyw8W8jud')
console.log(ret)

2. 模擬請(qǐng)求

import execjs
import requestsdata = (
'{"ids":"[1374626440]","level":"standard","encodeType":"aac","csrf_token":""}', '010001', '00e0b509f6259df8642dbc35662901477df22677ec152b5ff68ace615bb7b725152b3ab17a876aea8a5aa76d2e417629ec4ee341f56135fccf695280104e0312ecbda92557c93870114af6c9d05c4f7f0c3685b7a46bee255932575cce10b424d813cfe4875d3e82047b97ddef52741d546b8e289dc6935b3ece0462db0a22b8e7','0CoJUm6Qyw8W8jud',
)
with open("網(wǎng)易音樂.js") as f:jsCode = f.read()JS = execjs.compile(jsCode)
body = JS.call("d", *data)
print(body, type(body))res = requests.post("https://music.163.com/weapi/song/enhance/player/url/v1?csrf_token=",data={"params": body.get("encText"),"encSecKey": body.get("encSecKey"),})res = res.json()song_url = res.get("data")[0].get("url")
res = requests.get(song_url)with open("mySong.m4p", "wb") as f:f.write(res.content)