【2021-01-22】JS逆向之七麦数据analysis获取

文章目录


前言

地址:aHR0cHM6Ly93d3cucWltYWkuY24vcmFuaw==
加密类型:base64


一、页面分析

刷新页面,抓包,可以看到有个analysis参数,这就是我们要破解的参数
【2021-01-22】JS逆向之七麦数据analysis获取

二、analysis参数获取

1.找加密位置

直接搜发现找不到
【2021-01-22】JS逆向之七麦数据analysis获取

从堆栈入手,慢慢找加密位置
【2021-01-22】JS逆向之七麦数据analysis获取

2.参数破解

下断点重新加载,这个a就是我们要找的analysis,分析一下,外面嵌套了两个方法p.d和,p.j,传了参数r,y
【2021-01-22】JS逆向之七麦数据analysis获取
看下r,y的值,其中y是定值,r是经过加密后的值
【2021-01-22】JS逆向之七麦数据analysis获取
然后再看下r未加密时的值,里面有时间跟页数的参数分别是4和5
【2021-01-22】JS逆向之七麦数据analysis获取

看下Object(p.d)这个方法,其中I()方法是base64加密,后面的r方法进行字符串的转换
【2021-01-22】JS逆向之七麦数据analysis获取
【2021-01-22】JS逆向之七麦数据analysis获取

下面这个是Object(p.j)这个方法,直接扣这个方法,没啥难度,其他参数改补的补
【2021-01-22】JS逆向之七麦数据analysis获取


三、源码

var window = global;
var CryptoJS = require('crypto-js');
var navigator = {
    appCodeName: "Mozilla",
    appName: "Netscape",
    appVersion: "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36",
    connection: {onchange: null, effectiveType: "4g", rtt: 100, downlink: 5.5, saveData: false},
    cookieEnabled: true,
    doNotTrack: null,
    geolocation: {},
    hardwareConcurrency: 4,
    language: "zh-CN",
    languages: ["zh-CN", "zh"],
    maxTouchPoints: 0,
    mediaCapabilities: {},
    mediaSession: {metadata: null, playbackState: "none"},
    mimeTypes: {},
    onLine: true,
    permissions: {},
    platform: "Win32",
    plugins: {},
    product: "Gecko",
    productSub: "20030107",
    userActivation: {hasBeenActive: false, isActive: false},
    userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36",
    vendor: "Google Inc.",
    vendorSub: "",
    webkitPersistentStorage: {},
    webkitTemporaryStorage: {},
    javaEnabled: function () {
        return false
    }
};
window['navigator'] = navigator;

function base64(data) {
    var wordArray = CryptoJS.enc.Utf8.parse(data);
    var base64_data = CryptoJS.enc.Base64.stringify(wordArray);
    return base64_data
}

function i() {
    var e = "";
    return ["66", "72", "6f", "6d", "43", "68", "61", "72", "43", "6f", "64", "65"].forEach(function (t) {
        e += unescape("%u00" + t)
    }),
        e
}

function d_r(e) {
    var t = i();
    return String[t](e)
}

function d(e) {
    return base64(encodeURIComponent(e).replace(/%([0-9A-F]{2})/g, function (e, t) {
        return d_r("0x" + t)
    }))
}

function o() {
    return unescape("861831832863830866861836861862839831831839862863839830865834861863837837830830837839836861835833".replace(/8/g, "%u00"))
}

function j(e, t) {
    t || (t = o()),
        e = e.split("");
    for (var n = e.length, a = t.length, i = "charCodeAt", s = 0; s < n; s++)
        e[s] = d_r(e[s][i](0) ^ t[(s + 10) % a][i](0));
    return e.join("")
}

var y = "00000008d78d46a"
    , w = "synct"
    , b = "syncd"
    , _ = "@#"
    , S = "analysis"
    , k = 703;

function get_analysis(date, page) {
    var e = {
        baseURL: "https://api.qimai.cn",
        url: "/rank/indexPlus/brand_id/1"  // 0--付费榜 1--免费榜 2--畅销榜
    };
    var r = [date, "36", page, "all", "cn", "iphone"];

    var n = +new Date - (k || 0) - 1515125653845, a = "";

    r = r.sort().join(""),
        r = d(r),
        r += _ + e.url.replace(e.baseURL, ""),
        r += _ + n,
        r += _ + 1,
        a = d(j(r, y))
    return a

}

console.log(get_analysis("2021-01-22", 1))


'''

https://www.qimai.cn/rank

'''


import time

import execjs
import requests

headers = {
    'authority': 'api.qimai.cn',
    'sec-ch-ua': '"Google Chrome";v="87", " Not;A Brand";v="99", "Chromium";v="87"',
    'accept': 'application/json, text/plain, */*',
    'sec-ch-ua-mobile': '?0',
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36',
    'origin': 'https://www.qimai.cn',
    'sec-fetch-site': 'same-site',
    'sec-fetch-mode': 'cors',
    'sec-fetch-dest': 'empty',
    'referer': 'https://www.qimai.cn/',
    'accept-language': 'zh-CN,zh;q=0.9',
}

date_str = str(time.strftime('%Y-%m-%d',time.localtime(time.time())))
page = 1

with open('./code.js',encoding='utf8') as f:
    js_fun = execjs.compile(f.read())

analysis = js_fun.call('get_analysis',date_str,page)
params = (
    ('analysis', analysis),
    ('brand', 'all'),
    ('country', 'cn'),
    ('device', 'iphone'),
    ('genre', '36'),
    ('date', date_str),
    ('page', page),
)

response = requests.get('https://api.qimai.cn/rank/indexPlus/brand_id/1', headers=headers, params=params)

print(response.json())


【2021-01-22】JS逆向之七麦数据analysis获取

上一篇:论文笔记:Towards Practical Differential Privacy for SQL Queries FLEX工具 PrivSql主要参考和对比的对象


下一篇:thinkphp + mariadb order group 进行分组查询