声明:
该文章为学习使用,严禁用于商业用途和非法用途,违者后果自负,由此产生的一切后果均与作者无关
一、找出需要加密的参数
- js运行 atob(‘aHR0cHM6Ly9teXRva2VuY2FwLmNvbS8=’) 拿到网址,F12打开调试工具,点击Cryptocurrencies导航,找到 ticker/currencylist 请求,鼠标右击请求找到Copy>Copy as cUrl(cmd)
- 打开网站:https://spidertools.cn/#/curl2Request,把拷贝好的curl转成python代码
- 新建mytoken.py文件,把代码复制到该文件内,把reponse.text换成reponse.json(),运行该文件会发现请求成功,并且成功打印出数据
- 然后把代码中的header全部注释,再运行文件,会发现数据依然可以请求成功,再把params中的code注释会发现数据请求失败,说明header、cookie中不存在加密参数,params中的code是加密参数
二、定位参数加密位置
- 首先尝试关键字code搜索,会发现没有赋值的地方
- 切换到sources,添加XHR拦截 ticker/currencylist?page=
- 点击页面下面表格的tab重新发送请求,一直点击跳到下一个函数,看到 h.interceptors.response 响应拦截器停下,找到请求拦截器发现有 code 赋值的地方,在赋值的地方打上断点
- 跳过此次断点调试,点击页面下面表格的tab重新发送请求,在控制台上输出 r,跳过断点调试,查看请求中 最新 ticker/currencylist 请求的code 发现和 r值一样,说明code加密位置是在第2步的拦截器中
三、分析 r 值加密代码
- 点击页面下面表格的tab重新发送请求,会发现 r = o()(n + “9527” + n.substr(0, 6)) ,鼠标悬浮 o 方法上点击蓝色区域找到 o 方法会发现 r 并没有经过其他逻辑处理却生成一堆字符,可以考虑是哈希算法加密
- 把 r 输出到控制台并打印长度发现该字符串时 32 位,而 MD5 正好时32位,可以初步确认是MD5
- 再把 n + “9527” + n.substr(0, 6) 加密参数控制台打印,打开 https://spidertools.cn/#/curl2Request 网址,把值放入加解密工具中 会发现生成的 MD5值 和控制台上的一样,可以确认这是 MD5 加密
四、生成加密参数
- 看变量 n 的生成方式会发现加密字符串 完全是由 Date.now().toString() 变换得到
- js 生成加密参数:新建mytoken.js文件
- python 生成加密参数
五、验证结果
- python 加密参数验证
import requests
import hashlib
import time
def get_md5():
n = int(round(time.time() * 1000))
md5 = hashlib.md5(f'{n}9527{str(n)[0:6]}'.encode('utf-8'))
return n,md5.hexdigest()
timestamp,code = get_md5()
headers = {
"authority": "api.mytokenapi.com",
"accept": "application/json, text/plain, */*",
"accept-language": "zh-CN,zh;q=0.9",
"cache-control": "no-cache",
"content-type": "application/x-www-form-urlencoded;charset=utf-8",
"origin": "https://mytokencap.com",
"pragma": "no-cache",
"referer": "https://mytokencap.com/",
"sec-ch-ua": "^\\^Google",
"sec-ch-ua-mobile": "?0",
"sec-ch-ua-platform": "^\\^Windows^^",
"sec-fetch-dest": "empty",
"sec-fetch-mode": "cors",
"sec-fetch-site": "cross-site",
"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
}
url = "https://api.mytokenapi.com/futurescontract/centerlist"
params = {
"page": "1",
"size": "100",
"filter_filed": "1",
"filter_type": "rank",
"timestamp": timestamp,
"code": code,
"platform": "web_pc",
"v": "0.1.0",
"language": "en_US",
"legal_currency": "USD",
"international": "1"
}
response = requests.get(url, headers=headers, params=params)
print(response.json())
print(response)
- js加密参数验证
import requests
import execjs
headers = {
"authority": "api.mytokenapi.com",
"accept": "application/json, text/plain, */*",
"accept-language": "zh-CN,zh;q=0.9",
"cache-control": "no-cache",
"content-type": "application/x-www-form-urlencoded;charset=utf-8",
"origin": "https://mytokencap.com",
"pragma": "no-cache",
"referer": "https://mytokencap.com/",
"sec-ch-ua": "^\\^Google",
"sec-ch-ua-mobile": "?0",
"sec-ch-ua-platform": "^\\^Windows^^",
"sec-fetch-dest": "empty",
"sec-fetch-mode": "cors",
"sec-fetch-site": "cross-site",
"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"}
url = "https://api.mytokenapi.com/futurescontract/centerlist"params = {
"page": "1",
"size": "100",
"filter_filed": "1",
"filter_type": "rank",
"platform": "web_pc",
"v": "0.1.0",
"language": "en_US",
"legal_currency": "USD",
"international": "1"}
with open('mytoken.js','r') as js_file:
js = execjs.compile(js_file.read())
code = js.call('main')
print(code)
params['timestamp'] = code['timestamp']
params['code'] = code['code']
response = requests.get(url, headers=headers, params=params)
print(response.json())
print(response)
六、最终代码
- mytoken.js
const cryptoJS = require('crypto-js');
function main(){
const n = Date.now().toString();
return {
timestamp: n,
code: cryptoJS.MD5(n + "9527" + n.substr(0, 6)).toString()
};
}
console.log(main())
- mytoken.py
import requests
import hashlib
import time
import execjs
def get_md5():
n = int(round(time.time() * 1000))
md5 = hashlib.md5(f'{n}9527{str(n)[0:6]}'.encode('utf-8'))
return n,md5.hexdigest()
timestamp,code = get_md5()
headers = {
"authority": "api.mytokenapi.com",
"accept": "application/json, text/plain, */*",
"accept-language": "zh-CN,zh;q=0.9",
"cache-control": "no-cache",
"content-type": "application/x-www-form-urlencoded;charset=utf-8",
"origin": "https://mytokencap.com",
"pragma": "no-cache",
"referer": "https://mytokencap.com/",
"sec-ch-ua": "^\\^Google",
"sec-ch-ua-mobile": "?0",
"sec-ch-ua-platform": "^\\^Windows^^",
"sec-fetch-dest": "empty",
"sec-fetch-mode": "cors",
"sec-fetch-site": "cross-site",
"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
}
url = "https://api.mytokenapi.com/futurescontract/centerlist"
params = {
"page": "1",
"size": "100",
"filter_filed": "1",
"filter_type": "rank",
"timestamp": timestamp,
"code": code,
"platform": "web_pc",
"v": "0.1.0",
"language": "en_US",
"legal_currency": "USD",
"international": "1"
}
response = requests.get(url, headers=headers, params=params)
print(response.json())
print(response)
# with open('mytoken.js','r') as js_file:
# js = execjs.compile(js_file.read())
# code = js.call('main')
# print(code)
# params['timestamp'] = code['timestamp']
# params['code'] = code['code']
# response = requests.get(url, headers=headers, params=params)
#
# print(response.json())
# print(response)