JS逆向之百度翻译
文章目录
- 1. 抓包分析
- 2. sign参数分析
- 3. 由表及里,探索sign是如何生成的
- 4. 编写Python代码测试
- 飞扬的少年最动人心,奔跑的时候像是穿过了光阴,加油啊!
1. 抓包分析
目标网址,百度翻译:https://fanyi.baidu.com/?aldtype=16047#auto/zh
我们打开网站,输入要翻译的数据开始抓包分析,如下:
点开请求头,看看我们需要什么样的相关的参数:
这样我们就找到了翻译接口,并且知道了请求方式是post方式,滑到最下面看看我们需要post什么参数:
2. sign参数分析
多查一个单词,做一下比较:
from: en
to: zh
query: dog
transtype: realtime
simple_means_flag: 3
sign: 871501.634748
token: bfca2c5e767b3601a29712abdb7e1ef4
domain: common
from: en
to: zh
query: doc
transtype: realtime
simple_means_flag: 3
sign: 478531.241266
token: bfca2c5e767b3601a29712abdb7e1ef4
domain: common
可以看到,除了查询单词query的参数不同外就只有一个sign不同了,接下来我们重点破解sign参数。
3. 由表及里,探索sign是如何生成的
全局搜索sign,一个个查看,可以看到如下:
可以看到sign 参数是一个L函数生成的点进去看一下:
就是这个e函数生成的,我们把这个复制下来,放到新建的一个js文件中:
function e(r) {
var o = r.match(/[\uD800-\uDBFF][\uDC00-\uDFFF]/g);
if (null === o) {
var t = r.length;
t > 30 && (r = "" + r.substr(0, 10) + r.substr(Math.floor(t / 2) - 5, 10) + r.substr(-10, 10))
} else {
for (var e = r.split(/[\uD800-\uDBFF][\uDC00-\uDFFF]/), C = 0, h = e.length, f = []; h > C; C++)
"" !== e[C] && f.push.apply(f, a(e[C].split(""))),
C !== h - 1 && f.push(o[C]);
var g = f.length;
g > 30 && (r = f.slice(0, 10).join("") + f.slice(Math.floor(g / 2) - 5, Math.floor(g / 2) + 5).join("") + f.slice(-10).join(""))
}
var u = void 0
, l = "" + String.fromCharCode(103) + String.fromCharCode(116) + String.fromCharCode(107);
u = null !== i ? i : (i = window[l] || "") || "";
for (var d = u.split("."), m = Number(d[0]) || 0, s = Number(d[1]) || 0, S = [], c = 0, v = 0; v < r.length; v++) {
var A = r.charCodeAt(v);
128 > A ? S[c++] = A : (2048 > A ? S[c++] = A >> 6 | 192 : (55296 === (64512 & A) && v + 1 < r.length && 56320 === (64512 & r.charCodeAt(v + 1)) ? (A = 65536 + ((1023 & A) << 10) + (1023 & r.charCodeAt(++v)),
S[c++] = A >> 18 | 240,
S[c++] = A >> 12 & 63 | 128) : S[c++] = A >> 12 | 224,
S[c++] = A >> 6 & 63 | 128),
S[c++] = 63 & A | 128)
}
for (var p = m, F = "" + String.fromCharCode(43) + String.fromCharCode(45) + String.fromCharCode(97) + ("" + String.fromCharCode(94) + String.fromCharCode(43) + String.fromCharCode(54)), D = "" + String.fromCharCode(43) + String.fromCharCode(45) + String.fromCharCode(51) + ("" + String.fromCharCode(94) + String.fromCharCode(43) + String.fromCharCode(98)) + ("" + String.fromCharCode(43) + String.fromCharCode(45) + String.fromCharCode(102)), b = 0; b < S.length; b++)
p += S[b],
p = n(p, F);
return p = n(p, D),
p ^= s,
0 > p && (p = (2147483647 & p) + 2147483648),
p %= 1e6,
p.toString() + "." + (p ^ m)
}
4. 编写Python代码测试
开始编写python代码测试:
import jsonpath
import requests
import execjs
url = 'https://fanyi.baidu.com/v2transapi?from=en&to=zh'
cookies = {
'PSTM': '1619272075',
'BAIDUID': 'C945A07C492CD526BC511F5F2D926F97:FG=1',
'BIDUPSID': '60BBD234A1702CDEF09BBC8E24F953E5',
'__yjs_duid': '1_cf0870cc64248871b4c89a00aa39891c1619272125466',
'H_PS_PSSID': '34099_31660_34112_33607_34135_26350',
'BDORZ': 'B490B5EBF6F3CD402E515D22BCDA1598',
'BDSFRCVID': 'js8OJexroG38EYbecSJsUZJWwLweG7bTDYLtOwXPsp3LGJLVJeC6EG0Pts1-dEu-EHtdogKKKgOTHICF_2uxOjjg8UtVJeC6EG0Ptf8g0M5',
'H_BDCLCKID_SF': 'tR3aQ5rtKRTffjrnhPF3MRJbXP6-hnjy3bAOKxTt5RO6O4OaWx6R5UAWbttf5q3RymJJ2-39LPO2hpRjyxv4y4Ldj4oxJpOJ-bCL0p5aHl51fbbvbURvyP-g3-7A3M5dtjTO2bc_5KnlfMQ_bf--QfbQ0hOhqP-jBRIE3-oJqCLMMCtl3J',
'FANYI_WORD_SWITCH': '1',
'HISTORY_SWITCH': '1',
'REALTIME_TRANS_SWITCH': '1',
'SOUND_SPD_SWITCH': '1',
'SOUND_PREFER_SWITCH': '1',
'BDSFRCVID_BFESS': 'js8OJexroG38EYbecSJsUZJWwLweG7bTDYLtOwXPsp3LGJLVJeC6EG0Pts1-dEu-EHtdogKKKgOTHICF_2uxOjjg8UtVJeC6EG0Ptf8g0M5',
'H_BDCLCKID_SF_BFESS': 'tR3aQ5rtKRTffjrnhPF3MRJbXP6-hnjy3bAOKxTt5RO6O4OaWx6R5UAWbttf5q3RymJJ2-39LPO2hpRjyxv4y4Ldj4oxJpOJ-bCL0p5aHl51fbbvbURvyP-g3-7A3M5dtjTO2bc_5KnlfMQ_bf--QfbQ0hOhqP-jBRIE3-oJqCLMMCtl3J',
'delPer': '0',
'PSINO': '5',
'BAIDUID_BFESS': 'C945A07C492CD526BC511F5F2D926F97:FG=1',
'BA_HECTOR': '0laka5050l2k0kaltu1gdh2a10q',
'Hm_lvt_64ecd82404c51e03dc91cb9e8c025574': '1624632927,1624803652',
'Hm_lpvt_64ecd82404c51e03dc91cb9e8c025574': '1624803652',
'__yjs_st': '2_NDMxYTNmYjM4MDYxNjJiMzRlMDlmZTFhZTAzM2ViOGE1ZWI2ZmM5OTdhMjY5OGQxZThmNjM2ODc4ZmJkYjE5MjBiMzZhYmFlYTlhMjk2MjU5YzAwZjk2ZmJkYjVjN2UyNzhkMzM4YTQ3YWZkMGQwZjE5NzlmNDdlOTBjNjBiMWIyMzgxZDQxYzE3ODBiZGY5MzRhYjQxZmRkODBlNmM2YThkNDk3ZjVmZDE2ZjFmMmQzNDY3MjExMzZjZjI4MzkxYWMxNTNjNGUyODkwMGNjNmI4NGM2YzBkMDBjZmM0NGFkZTZlOWI2YzJhZmU0NjIwNjQ3ZDE0MTdlYzA4ZmZhZGNiMWI5YTVkMDg5Mjg4ZTk1N2NmNjExYWQ2NDBkZTgyXzdfZjZkMjU1N2U=',
'ab_sr': '1.0.1_ZmFmNjg2NzA4NjgyNmE0N2UxODFkMGUzY2YzZjE3M2ZhMWM5ZDRkZGE4Yzg5MzczMGI3NDQ0NmZjODhkM2Y4ZTgyOWRkMjBlZmY0OGUwZWMyNWJmY2IzY2Q2MjFhMTc5ZGZjZjEyZTlmOWMwODM4Yjc0YjJmZWRhNTZlNGQ0NDFhNGFhNGMwNDEyMzUxNzFmMGVmNGZmZjU5NDEzNzA2MA==',
}
headers = {
'Connection': 'keep-alive',
'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"',
'Accept': '*/*',
'X-Requested-With': 'XMLHttpRequest',
'sec-ch-ua-mobile': '?0',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin': 'https://fanyi.baidu.com',
'Sec-Fetch-Site': 'same-origin',
'Sec-Fetch-Mode': 'cors',
'Sec-Fetch-Dest': 'empty',
'Referer': 'https://fanyi.baidu.com/?aldtype=16047',
'Accept-Language': 'zh-CN,zh;q=0.9',
}
def getsign(word):
with open('1.js','r',encoding='utf-8') as f:
js = f.read()
res =execjs.compile(js).call('e',word)
return res
def request(word):
sign = getsign(word)
data = {
'from': 'en',
'to': 'zh',
'query': word,
'transtype': 'realtime',
'simple_means_flag': '3',
'sign': sign,
'token': 'bfca2c5e767b3601a29712abdb7e1ef4',
'domain': 'common'
}
res = requests.post(url,data=data,cookies=cookies,headers=headers).json()
print(res)
res_ = jsonpath.jsonpath(res, '$..word_means')[0]
print(res_)
request('dog')
开始执行python代码,会报 i 没有被定义错误,断点调试发现i是一个固定值,只需要把它加到上面那个函数里就行了,再次执行python代码又会报n没有被定义的错误,直接点进n函数,把那个函数复制下了放上面就行了。
最终的js文件如下:
function n(r, o) {
for (var t = 0; t < o.length - 2; t += 3) {
var a = o.charAt(t + 2);
a = a >= "a" ? a.charCodeAt(0) - 87 : Number(a),
a = "+" === o.charAt(t + 1) ? r >>> a : r << a,
r = "+" === o.charAt(t) ? r + a & 4294967295 : r ^ a
}
return r
}
function e(r) {
var i ="320305.131321201"
var o = r.match(/[\uD800-\uDBFF][\uDC00-\uDFFF]/g);
if (null === o) {
var t = r.length;
t > 30 && (r = "" + r.substr(0, 10) + r.substr(Math.floor(t / 2) - 5, 10) + r.substr(-10, 10))
} else {
for (var e = r.split(/[\uD800-\uDBFF][\uDC00-\uDFFF]/), C = 0, h = e.length, f = []; h > C; C++)
"" !== e[C] && f.push.apply(f, a(e[C].split(""))),
C !== h - 1 && f.push(o[C]);
var g = f.length;
g > 30 && (r = f.slice(0, 10).join("") + f.slice(Math.floor(g / 2) - 5, Math.floor(g / 2) + 5).join("") + f.slice(-10).join(""))
}
var u = void 0
, l = "" + String.fromCharCode(103) + String.fromCharCode(116) + String.fromCharCode(107);
u = null !== i ? i : (i = window[l] || "") || "";
for (var d = u.split("."), m = Number(d[0]) || 0, s = Number(d[1]) || 0, S = [], c = 0, v = 0; v < r.length; v++) {
var A = r.charCodeAt(v);
128 > A ? S[c++] = A : (2048 > A ? S[c++] = A >> 6 | 192 : (55296 === (64512 & A) && v + 1 < r.length && 56320 === (64512 & r.charCodeAt(v + 1)) ? (A = 65536 + ((1023 & A) << 10) + (1023 & r.charCodeAt(++v)),
S[c++] = A >> 18 | 240,
S[c++] = A >> 12 & 63 | 128) : S[c++] = A >> 12 | 224,
S[c++] = A >> 6 & 63 | 128),
S[c++] = 63 & A | 128)
}
for (var p = m, F = "" + String.fromCharCode(43) + String.fromCharCode(45) + String.fromCharCode(97) + ("" + String.fromCharCode(94) + String.fromCharCode(43) + String.fromCharCode(54)), D = "" + String.fromCharCode(43) + String.fromCharCode(45) + String.fromCharCode(51) + ("" + String.fromCharCode(94) + String.fromCharCode(43) + String.fromCharCode(98)) + ("" + String.fromCharCode(43) + String.fromCharCode(45) + String.fromCharCode(102)), b = 0; b < S.length; b++)
p += S[b],
p = n(p, F);
return p = n(p, D),
p ^= s,
0 > p && (p = (2147483647 & p) + 2147483648),
p %= 1e6,
p.toString() + "." + (p ^ m)
}
效果:
这个案例比较简单,可以说是做js逆向破解的经典小案例,其实总结下来就是缺啥补啥,有时候我们遇到比这复杂很多的,更需要我们的耐心和细心。