Reverse-engineering practice on "a certain Tiao" (Toutiao)

url:aHR0cHM6Ly93d3cudG91dGlhby5jb20v
"A certain Tiao" belongs to the ByteDance family, so the key is finding the a_bogus parameter.
1 Locating the parameter
Searching: nothing turns up. Use an XHR breakpoint instead.

Once it breaks, the request URL is visible in the XMLHttpRequest object.

Walking up the stack, p is the XMLHttpRequest object, and it already carries the ab parameter.

Go up one more level.

Parameter e does not carry it, and p is a newly created XMLHttpRequest object, so the parameters must be generated inside this function. Keep single-stepping into p.send.
Judging by the JS file name, this is a jsvmp.

Currently the ByteDance family's encryption all uses jsvmp. Toutiao uses version 1.0.1.7.

The key with jsvmp is finding the operation stack. Step up one level to see who calls this e method.

Set a logpoint here and look at the output.

After setting it, the logpoint kept throwing errors; replace the file and run again.
Console output:

However, the length of the a_b parameter seems to vary. Change the logpoint into a conditional breakpoint that only breaks when the length is greater than 150.

After the first break, look at the returned content.

Clearly not what we want; continue.

This is very likely the parameter we want. Step into the function.

The return value of this e function should be the parameter we want.

2 Patching the environment
As a beginner I am still learning to handle jsvmp with a pure algorithmic reimplementation, so for now I will get it working by patching the environment.
Exported function

Wrap a function for the Python side to call; the arguments array has to be supplied by us.

```javascript
function get_abogus(param) {
    // The VM entry expects the original call's arguments array; index 3 is the query string.
    arguments = [
        0,
        1,
        12,
        param,
        "",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
    ];
    var r = window.xxx._v;
    console.log("r的值是:", r);
    return (0, window.xxx._u)(r[0], arguments, r[1], r[2], this);
}
```

Environment code
```javascript
// Wrap each global in a logging Proxy so every property the VM touches is printed.
function getEnvs(proxyObjs) {
    for (let i = 0; i < proxyObjs.length; i++) {
        const handler = {
            get: function (target, property, receiver) {
                console.log("方法:", "get ", "对象:", `${proxyObjs[i]}`, " 属性:", property, " 属性类型:", typeof property, ", 属性值:", target[property], ", 属性值类型:", typeof target[property]);
                return target[property];
            },
            set: function (target, property, value, receiver) {
                console.log("方法:", "set ", "对象:", `${proxyObjs[i]}`, " 属性:", property, " 属性类型:", typeof property, ", 属性值:", value, ", 属性值类型:", typeof target[property]);
                return Reflect.set(...arguments);
            }
        };
        // Direct eval so the generated code can see `handler` and rebind the global by name;
        // if the global does not exist yet, it is created as an empty object first.
        eval(`try {
            ${proxyObjs[i]};
            ${proxyObjs[i]} = new Proxy(${proxyObjs[i]}, handler);
        } catch (e) {
            ${proxyObjs[i]} = {};
            ${proxyObjs[i]} = new Proxy(${proxyObjs[i]}, handler);
        }`);
    }
}
proxyObjs = ['window', 'document', 'location', 'navigator', 'history', 'screen'];

window = global;
delete global;
delete Buffer;

getEnvs(proxyObjs);
requestAnimationFrame = function requestAnimationFrame() {
};

_sdkGlueVersionMap = {
    "sdkGlueVersion": "1.0.0.55",
    "bdmsVersion": "1.0.1.7",
    "captchaVersion": "4.0.2"
};
XMLHttpRequest = function XMLHttpRequest() {
};
fetch = function fetch() {
};

window.onwheelx = {
    "_Ax": "0X21"
};

navigator.vendorSubs = {
    "ink": 1734165618552
};

window.innerWidth = 1011;
window.innerHeight = 959;
window.outerWidth = 1920;
window.outerHeight = 1020;
window.screenX = -291;
window.screenY = -1080;
window.pageYOffset = 51;
window.pageXOffset = 0;

screen = {
    availHeight: 1040,
    availLeft: 0,
    availTop: 0,
    availWidth: 1920,
    colorDepth: 24,
    height: 1080,
    pixelWidth: 24,
};
navigator.platform = "Win32";
navigator.userAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36';
document.referrer = 'https://www.toutiao.com/';
document.cookie = '__ac_signature=_02B4Z6wo00f01W3Q6sQAAIDC0AAK3sXordlt8O5AADwtf8; gfkadpd=24,6457; ttcid=68bece3ff08a4cf98cfc9f0b60c9912716; x-web-secsdk-uid=be52d38f-1a5d-4b56-80d3-d8599adecf42; _ga=GA1.1.241337849.1734165486; s_v_web_id=verify_m4nxcsme_XjHXqzvc_dnFm_4lKs_8GO7_hr7PIRG4FwcP; tt_scid=SrPBXFP1aP94ytN4Xlr4qogO4YQ7lY8G465DusvN8idjEH0w1xir-uAz33YqVMfydbd7; local_city_cache=%E7%9F%B3%E5%AE%B6%E5%BA%84; csrftoken=09332eb9c5647c2fd30828b41b206d3a; _ga_QEHZPBE5HH=GS1.1.1734165485.1.0.1734165548.0.0.0';
```
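For the defensive side of the environment patching above: a consistency check of the kind a page's anti-bot script can run to notice a navigator assembled from plain objects, as an added example that is not from the original post. It assumes two constructed objects, browserLikeNavigator (accessors on a prototype, as a real browser has) and emulatedNavigator (own data properties, as the environment above creates them).

```javascript
// Added example (not from the original post): in a real browser, navigator.userAgent and
// navigator.platform are accessors on Navigator.prototype, and Object.prototype.toString
// reports "[object Navigator]". The patched environment above assigns them as own data
// properties of a plain object, which these checks pick up.

// Find where a property lives on the prototype chain and how it is defined.
function describeProperty(obj, name) {
  let target = obj;
  while (target !== null) {
    const d = Object.getOwnPropertyDescriptor(target, name);
    if (d) {
      return { ownOnInstance: target === obj, isAccessor: typeof d.get === "function" };
    }
    target = Object.getPrototypeOf(target);
  }
  return null;
}

// Return a list of findings; an empty list means nothing looked emulated.
function environmentFindings(nav) {
  const findings = [];
  for (const name of ["userAgent", "platform"]) {
    const info = describeProperty(nav, name);
    if (info === null) {
      findings.push(`${name}: missing`);
    } else if (info.ownOnInstance && !info.isAccessor) {
      findings.push(`${name}: own data property`);
    }
  }
  const tag = Object.prototype.toString.call(nav);
  if (tag !== "[object Navigator]") {
    findings.push(`navigator: ${tag}`);
  }
  return findings;
}

// Constructed stand-in for a real browser navigator: getters live on the prototype.
class NavigatorLike {
  get userAgent() { return "Mozilla/5.0 (constructed)"; }
  get platform() { return "Win32"; }
  get [Symbol.toStringTag]() { return "Navigator"; }
}
const browserLikeNavigator = new NavigatorLike();

// Constructed emulated navigator, patched the way the environment above does it.
const emulatedNavigator = {};
emulatedNavigator.platform = "Win32";
emulatedNavigator.userAgent = "Mozilla/5.0 (constructed)";

console.log(environmentFindings(browserLikeNavigator)); // []
console.log(environmentFindings(emulatedNavigator));
```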
After patching, a test run gives a length of only 168, so the environment must still have problems.

Run it from Python:
```python
import time
import urllib.parse
import subprocess
from functools import partial

# Force UTF-8 for the Node subprocess so non-ASCII console output does not break execjs.
subprocess.Popen = partial(subprocess.Popen, encoding="utf-8")
import execjs
import requests

headers = {
    "accept": "application/json, text/plain, */*",
    "accept-language": "zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7",
    "cache-control": "no-cache",
    "pragma": "no-cache",
    "priority": "u=1, i",
    "referer": "https://www.toutiao.com/",
    "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"Windows\"",
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "same-origin",
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
}
cookies = {
    "__ac_signature": "_02B4Z6wo00f01u4o2nQAAIDBU.g6biBL.LruCN7AAN0Mfb",
    "tt_webid": "7454929317174461987",
    "ttcid": "2429802eed1f4914a1d0cff215a4cda813",
    "s_v_web_id": "verify_m5dwesj6_sk3d1tiU_NUwN_4R6z_AAMf_ZR0phZ9haLNE",
    "_ga": "GA1.1.1931421161.1735736020",
    "local_city_cache": "%E7%9F%B3%E5%AE%B6%E5%BA%84",
    "csrftoken": "c1883c485567f9bd957384e0311881e4",
    "passport_csrf_token": "ec850457101ba919d17595dccd64b842",
    "gfkadpd": "24,6457",
    "tt_scid": ".gTaP601SlMQUlInIJqlThxrCOaE3ZEmMKLOzKP69XHbyYJF6eXInctQgzgGUzEF12dc",
    "ttwid": "1%7Clal96nDbm9I_RPM9lP3_osC5oo4mXiMU1X7AvU6mEGU%7C1737546089%7C1d8f383afc382b0668b8e165573a9a5e1f37d9ccf40fedfd7d384b9fcdea1857",
    "_ga_QEHZPBE5HH": "GS1.1.1737548625.6.0.1737548625.0.0.0"
}
url = "https://www.toutiao.com/api/pc/list/feed"
stime = int(time.time() * 1000) + 15
params = {
    "channel_id": "0",
    "max_behot_time": f"{stime}",
    "offset": "0",
    "category": "pc_profile_recommend",
    "aid": "24",
    "app_name": "toutiao_web",
    "msToken": "bhpC6gqsO1zvvQQRhQW_UwhK5CRgMkiVvRu51s0p_pIL9Rbo_KkIJKsFbXWbyNW97RzUhb-B5GVO4p6WAtAx7UpgPHlxzmUyzeBgy44TGg-aH39xeUGwT6mxevXzmGMY",
    # "a_bogus": "OX8ZBmhDmDdB6Dyp5foLfY3qVWl3YZAB0t9bMDhqox3Lag39HMYO9exL2O0vsQujxs/gIegjy4hbO3KQrQV7MZwf7Wsx/2CZsg00t-P2soWC5Z8eCy6snGJx4vJlFeeQ-vV3Ec7MqJKcFYmk09Oc-hFvOf37aqhMHjkrPVrUfptsHAm="
}
# The query string (without a_bogus) is the input the exported function signs.
param = urllib.parse.urlencode(params)

with open("toutiao.js", encoding="utf-8") as f:
    js = execjs.compile(f.read())
print(js)
abogus = js.call("get_abogus", param)
print("a_b参数的长度是:", len(abogus))
params["a_bogus"] = abogus

response = requests.get(url, headers=headers, cookies=cookies, params=params)

print(response.text)
```
Surprisingly, it actually returns data.

Leaving it here for now; I will refine the environment later.


posted @ 2025-01-22 20:48  dacaiji  views (425)  comments (0)