Logging in to Baidu with Python - doranbai/Note GitHub Wiki

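1 Go to the Baidu home page, right-click and choose Inspect

2 Open the Network tab, click the login button on the Baidu home page, choose username/password login, enter wrong credentials, then look at what Network recorded

This is the login endpoint; the page POSTs data to it. First look at what gets posted. These are the headers: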

POST /v2/api/?login HTTP/1.1
Host: passport.baidu.com
Connection: keep-alive
Content-Length: 3065
Pragma: no-cache
Cache-Control: no-cache
Origin: https://www.baidu.com
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: nested-navigate
Referer: https://www.baidu.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: HOSUPPORT=1; BAIDUID=11E6A4C8A28B18418B1B1A84ECBF8D17:FG=1; UBI=fi_PncwhpxZ%7ETaL93wQc-oO%7EP9Y3dIKWno10QsgD%7EvNqhnXBbZCOGYK9Z5xqD%7ExrZgA4ypsVroe4QVG%7E9Sw; BIDUPSID=11E6A4C8A28B18418B1B1A84ECBF8D17; PSTM=1577099419; delPer=0; H_PS_PSSID=1442_21081_30210_30283_26350; pplogid=1871qFi5zy2TXXUrpwLOJDtvMTRgxHGKmpv%2BK4993qY29lSiFVr5q6tiHKXkLJuL0dP8hj%2FYcUGwDbPdM2zBCJLegw%3D%3D

This is the POST data:

staticpage: https://www.baidu.com/cache/user/html/v3Jump.html
charset: UTF-8
token: c82bc1b17932b83ece6071ef63bde672
tpl: mn
subpro: 
apiver: v3
tt: 1577099446030
codestring: 
safeflg: 0
u: https://www.baidu.com/
isPhone: 
detect: 1
gid: 0ECFF34-38E3-4022-8C51-D2BE781194FE
quick_user: 0
logintype: dialogLogin
logLoginType: pc_loginDialog
idc: 
loginmerge: true
mkey: 
splogin: rate
username: qqq
password: g2mumKU9dd1rhslescikg9Ibzc/VucPlbGYmQw2RmL6lGprvtUVAkguPGRjvMGvBSU78JuUWx4hqRdQ2a8+Xz0jmqbOcNSemAFtd7wwncWQzZJevX6g9ThGAas+2whX3iR932Z6P3Y/GlPT0e2Hnj45f73A9+CGJdKvSzHYgLv0=
rsakey: VSRO1TEidxrJdzdSrCT2TpXCP0ftlnNQ
crypttype: 12
ppui_logintime: 17315
countrycode: 
fp_uid: 
fp_info: 
loginversion: v4
supportdv: 1
ds: (value removed)
tk: 1871qFi5zy2TXXUrpwLOJDtvMTRgxHGKmpv+K4993qY29lSiFVr5q6tiHKXkLJuL0dP8hj/YcUGwDbPdM2zBCJLegw==
dv: tk0.7316092452598511577099428986@oon0C~CktKrmbHuHzsHMpA8aeuHah7rIh78U4jO8vCFLa50ktdr3Mj7kQb0kqK4tpCEavhI4e7HpAu8jtd8aeaG~4xIJpgO6dbrkudCsd-r6dd0pEhIMP6uHa78ahIHplbrpe7P8A5GMz1DLHKrIqaAk5lCktKrmbHuHzsHMpA8aeuHah7rIh78Uh1GUAUDUvM0ktbrItU7kQb0kqK4tpCEavhI4e7HpAu8jtd8aedF8AjP~exOmdbrIujrVd_vn0svr3Fw0ku-AxdUCIHK7krxr6djCIGKrIQzC6bHuHzsHMpA8aeuHah7rIh78UAaFJaTPsdarjqKr3Gb0k2jrIFK4tpCEavhI4e7HpAu8jtd8aeJDUvg7kHjrNdwrIMKr3QUrxbHuHzsHMpA8aeuHah7rIh78~OfGJalAkGd0krUrxdarjt~0pEhIMP6uHa78ahIHplbrpe7OJexD8d_~rrBzrxMmoqShxngr6dx0kG-InhPnKd03GjrIFdCI2wAI2aCIQarItaAjGdCIMwr3QzCkF_gnhBsEwGsrc0xeUPUGiFJpTOsHiF~eg0xbaDJE5OJ5iOLu_unermdd0kGxCmdUrkFKrIHjANd-A3uKrIHjANdbAIr~0kQxAq__
traceid: 39C19501
callback: parent.bd__pcbs__8sxpnd
time: 1577099446
alg: v3
sig: bUFxNFJHdW03NUowQU9jTWlqdTBHSk9Gc1MwWml1OGxidHpsVElTT3czU2VJR2toU3RiRWNOYnRrWFhtOG5ieA==
elapsed: 5
shaOne: 00867cbbc4abc8a9c8d56fc54c36ea99431e7827

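In other words, if we can construct this data and POST it to the endpoint, the login will succeed.

4 Try a few more times and find the fields that change

A comparison with bc shows them right away (no screenshot):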

token:
tt: 
gid
rsakey: 
ppui_logintime: 
ds: 
tk:
dv:
traceid: 
callback: 
time:
sig:
elapsed:
shaOne:

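5 General approach to obtaining the parameters

First search in Network to see whether the value can be found directly; if not, search the JS source under Sources.

6 Getting the token

Searching for token and the token value quickly turns up this link: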

https://passport.baidu.com/v2/api/?getapi&token=&tpl=mn&subpro=&apiver=v3&tt=1577170546700&class=login&gid=0DEFF80-6895-46DE-A028-6EB29DA35852&loginversion=v4&logintype=dialogLogin&traceid=&time=1577170547&alg=v3&sig=RlFUT2lkTXdCOUtVZCszd041ZW9TZzZzeFAvSndFSlIra1FSTWY0MTdmZHoxd0lpcHp4ZS9xbS9FU05GTWxieQ%3D%3D&elapsed=27&shaOne=0019de86fc4ab8a5f63fffa7f1ba0106c42ec103&callback=bd__cbs__kjmkmm
The response is JSON, and the token is in it:
bd__cbs__kjmkmm({
    "errInfo": {
        "no": "0"
    },
    "data": {
        "rememberedUserName": "",
        "codeString": "",
        "token": "a11b52f4eb13bfdd9c0aafb327ea2ae7",
        "cookie": "1",
        "usernametype": "",
        "spLogin": "rate",
        "disable": "",
        "loginrecord": {
            'email': [],
            'phone': []
        }
    },
    "traceid": ""
})

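But now there is another problem: we also have to construct the URL for this GET request, a puzzle inside a puzzle.
url = https://passport.baidu.com/v2/api/ Again, look at the request parameters: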

getapi: 
token: 
tpl: mn
subpro: 
apiver: v3
tt: 1577170546700
class: login
gid: 0DEFF80-6895-46DE-A028-6EB29DA35852
loginversion: v4
logintype: dialogLogin
traceid: 
time: 1577170547
alg: v3
sig: RlFUT2lkTXdCOUtVZCszd041ZW9TZzZzeFAvSndFSlIra1FSTWY0MTdmZHoxd0lpcHp4ZS9xbS9FU05GTWxieQ==
elapsed: 27
shaOne: 0019de86fc4ab8a5f63fffa7f1ba0106c42ec103
callback: bd__cbs__kjmkmm
tt:
gid: 
time: 
elapsed:
shaOne:
callback:

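6.1 Start with the first one, tt=1577170546700

This is obviously a timestamp: (new Date).getTime() returns the number of milliseconds since January 1, 1970. With enough time, you can search for tt in the Sources panel and eventually find it.

6.2 gid

Network has nothing useful, so search in Sources. The file loginv4_19d79ee.js contains many references to gid, but they all end up calling guideRandom. Search for that to find the function definition: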

function() {
            return "xxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, function(e) {
                var t = 16 * Math.random() | 0
                  , n = "x" === e ? t : 3 & t | 8;
                return n.toString(16)
            }).toUpperCase()
        }

6.3 time

Looks like the timestamp divided by 1000

6.4 elapsed shaOne sig

A search shows these are in static/waplib/moonshad.js:

            for (n = i = (new Date)[_0x19c3("0x95")](); "00" !== (i = f(u(i)))[_0x19c3("0x14")]()[_0x19c3("0x20")](0, 2); )
                ;
            t = {
                time: r.time,
                alg: r[_0x19c3("0x92")],
                sig: o[_0x19c3("0x9b")](r, c, _),
                elapsed: (new Date)[_0x19c3("0x95")]() - n || "",
                shaOne: i
            }

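This is a bit complex; it also appears to involve shaOne, alg, sig and the time from above, so bring in dynamic debugging. First, translate the obfuscated lookups:

_0x19c3("0x95") getTime
_0x19c3("0x14") toString
_0x19c3("0x20") substr
_0x19c3("0x92") alg
_0x19c3("0x9b") "encryption"
for (n = i = (new Date).getTime(); "00" !== (i = f(u(i))).toString().substr(0, 2); );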
            t = {
                time: r.time,  //Math['round']((new Date).getTime() / 1e3),
                alg: r['alg'],
                sig: o["encryption"](r, c, _),
                elapsed: (new Date).getTime() - n || "",
                shaOne: i
            }
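
The manual lookup above can be scripted for a whole file: replay the table rotation, then inline every `_0x19c3("0x..")` call. This is an added example, not code from the original page; `TABLE`, `SHIFT_ARG` and `SAMPLE` are small constructed stand-ins for the real `_0xe7d2` array, its 421 argument and the moonshad.js lines.

```python
import json
import re

# Constructed miniature of the string table; the page's real `_0xe7d2`
# array has far more entries and is rotated with the argument 421.
TABLE = ["0123456789abcdef", "elapsed", "shaOne", "substr",
         "alg", "getTime", "encryption", "toString"]
SHIFT_ARG = 12  # constructed stand-in for the 421 in `}(421)`

# Constructed sample in the style of the obfuscated loop shown above.
SAMPLE = '''\
for (n = i = (new Date)[_0x19c3("0x2")](); "00" !== (i = f(u(i)))[_0x19c3("0x4")]()[_0x19c3("0x0")](0, 2); );
t = { alg: r[_0x19c3("0x1")], sig: o[_0x19c3("0x3")](r, c, _), shaOne: i };
var hex = _0x19c3("0x5"), miss = x[_0x19c3("0x7e")];
'''

IDENT = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")


def rotate(table, arg):
    """Replay `for (; --x; ) c.push(c.shift())`: arg - 1 left rotations."""
    if arg < 1:
        raise ValueError("the JS loop never terminates for arg < 1")
    n = (arg - 1) % len(table)
    return table[n:] + table[:n]


def deobfuscate(source, table, accessor="_0x19c3"):
    """Inline accessor("0xNN") calls; return (new_source, unresolved_tokens)."""
    call = re.escape(accessor) + r'\(\s*"(0[xX][0-9a-fA-F]+)"\s*\)'
    unresolved = set()

    def lookup(token):
        index = int(token, 16)  # JS coerces "0x95" to 149 via `x -= 0`
        if index < len(table):
            return table[index]
        unresolved.add(token)  # index outside the table: keep the call
        return None

    def as_member(match):
        value = lookup(match.group(1))
        if value is None:
            return match.group(0)
        # obj["getTime"] reads better as obj.getTime when it is an identifier
        return "." + value if IDENT.match(value) else "[" + json.dumps(value) + "]"

    def as_literal(match):
        value = lookup(match.group(1))
        return match.group(0) if value is None else json.dumps(value)

    # Bracketed member accesses first, then any remaining bare calls.
    out = re.sub(r"\[\s*" + call + r"\s*\]", as_member, source)
    out = re.sub(call, as_literal, out)
    return out, sorted(unresolved)


if __name__ == "__main__":
    resolved, missing = deobfuscate(SAMPLE, rotate(TABLE, SHIFT_ARG))
    print(resolved)
    print("unresolved:", missing)
```

Calls whose index falls outside the supplied table are left untouched and reported, which flags a truncated table or a wrong rotation count.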

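n starts as the timestamp, and elapsed is the current timestamp minus that initial timestamp. i is set to f(u(i)) until its first two characters are 00, and that is the shaOne value. Look at the code for f(u(i)); lifting the code out directly also works: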

var _0xe7d2 = ["words", "sigBytes", "length", "stringify", "ceil", "slice", "random", "enc", "Hex", "join", "substr", "push", "fromCharCode", "charCodeAt", "Utf8", "Malformed UTF-8 data", "parse", "BufferedBlockAlgorithm", "_data", "_nDataBytes", "concat", "blockSize", "max", "_minBufferSize", "min", "_doProcessBlock", "splice", "clone", "Hasher", "cfg", "reset", "_append", "_doFinalize", "finalize", "HMAC", "algo", "Cipher", "WordArray", "EvpKDF", "_ENC_XFORM_MODE", "_DEC_XFORM_MODE", "_xformMode", "_key", "_doReset", "_process", "encrypt", "decrypt", "flush", "mode", "BlockCipherMode", "Encryptor", "Decryptor", "_cipher", "_iv", "CBC", "encryptBlock", "_prevBlock", "pad", "Pkcs7", "BlockCipher", "createEncryptor", "createDecryptor", "_mode", "__creator", "unpad", "CipherParams", "formatter", "format", "ciphertext", "_parse", "kdf", "OpenSSL", "PasswordBasedCipher", "ivSize", "key", "execute", "keySize", "salt", "MD5", "hasher", "update", "compute", "Base64", "_map", "clamp", "_reverseMap", "charAt", "indexOf", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", "abs", "sin", "_hash", "floor", "HmacMD5", "_createHmacHelper", "Word", "high", "low", "SHA1", "_createHelper", "HmacSHA1", "_iKey", "_hasher", "_oKey", "0123456789abcdef", "sqrt", "SHA256", "HmacSHA256", "x64", "toX32", "SHA512", "HmacSHA512", "moonshad5moonsh2", "moonshad3moonsh0", "moonshad8moonsh6", "moonshad0moonsh1", "moonshad1moonsh9", "OOOO0O", "O0000O", "O00O0O", "OO0OOO", "screen", "width", "height", "alg", "version", "round", "getTime", "sig", "traceid", "callback", "elapsed", "shaOne", "encryption", "sort", "split", "substring", "ECB", "byteOffset", "byteLength", "Utf16BE", "Utf16LE", "Utf16", "SHA224", "SHA384", "HmacSHA384", "SHA3", "_state", "outputLength", "HmacSHA3", "RIPEMD160", "HmacRIPEMD160", "iterations", "PBKDF2", "CFB", "CTR", "_counter", "OFB", "_keystream", "decryptBlock", "AnsiX923", "Ansix923", "Iso10126", "Iso97971", "ZeroPadding", "NoPadding", "AES", 
"_nRounds", "_keyPriorReset", "_keySchedule", "_invKeySchedule", "_doCryptBlock", "DES", "_subKeys", "_invSubKeys", "_lBlock", "_rBlock", "TripleDES", "_des2", "_des3", "_des1", "StreamCipher", "RC4", "drop", "RC4Drop", "Rabbit", "RabbitLegacy", "location", "protocol", "//nsclick.baidu.com/v.gif?", "pid=111&type=1023&v=", "&data_source=fe", "&extrajson=", "&monitorType=moonshadErrors", "{eventType:na-moonshad-error}", "&auto_en=na-monitor", "onload", "onerror", "src", "exports", "defineProperty", "undefined", "toStringTag", "Module", "__esModule", "object", "create", "default", "string", "bind", "prototype", "hasOwnProperty", "call", "lib", "Base", "mixIn", "init", "$super", "apply", "toString", "extend"];
!function(c) {
    !function(x) {
        for (; --x; )
            c.push(c.shift())
    }(421)
}(_0xe7d2);
var _0x19c3 = function(x, c) {
    return _0xe7d2[x -= 0]
};

function pppp(x, c) {
    var i = 0;
    function _(x) {
        return function r(x) {
            for (var c = i ? "0123456789ABCDEF" : "0123456789abcdef", _ = "", t = 0; t < 4 * x[_0x19c3("0x18")]; t++)
                _ += c[_0x19c3("0x6c")](x[t >> 2] >> 8 * (3 - t % 4) + 4 & 15) + c[_0x19c3("0x6c")](x[t >> 2] >> 8 * (3 - t % 4) & 15);
            return _
        }(function p(x) {
            for (var c = x, _ = Array(80), t = 1732584193, r = -271733879, n = -1732584194, i = 271733878, e = -1009589776, o = 0; o < c[_0x19c3("0x18")]; o += 16) {
                for (var a = t, s = r, f = n, u = i, h = e, v = 0; v < 80; v++) {
                    _[v] = v < 16 ? c[o + v] : g(_[v - 3] ^ _[v - 8] ^ _[v - 14] ^ _[v - 16], 1);
                    var d = y(y(g(t, 5), b(v, r, n, i)), y(y(e, _[v]), (l = v) < 20 ? 1518500249 : l < 40 ? 1859775393 : l < 60 ? -1894007588 : -899497514));
                    e = i,
                    i = n,
                    n = g(r, 30),
                    r = t,
                    t = d
                }
                t = y(t, a),
                r = y(r, s),
                n = y(n, f),
                i = y(i, u),
                e = y(e, h)
            }
            var l;
            return new Array(t,r,n,i,e)
        }(function n(x) {
            for (var c = 1 + (x.length + 8 >> 6), _ = new Array(16 * c), t = 0; t < 16 * c; t++)
                _[t] = 0;
            for (t = 0; t < x[_0x19c3("0x18")]; t++)
                _[t >> 2] |= x[_0x19c3("0x23")](t) << 24 - 8 * (3 & t);
            return _[t >> 2] |= 128 << 24 - 8 * (3 & t),
            _[16 * c - 1] = 8 * x[_0x19c3("0x18")],
            _
        }(x)))
    }
    function b(x, c, _, t) {
        return x < 20 ? c & _ | ~c & t : x < 40 ? c ^ _ ^ t : x < 60 ? c & _ | c & t | _ & t : c ^ _ ^ t
    }
    function y(x, c) {
        var _ = (65535 & x) + (65535 & c);
        return (x >> 16) + (c >> 16) + (_ >> 16) << 16 | 65535 & _
    }
    function g(x, c) {
        return x << c | x >>> 32 - c
    }
    x[_0x19c3("0x0")] = _
  
 
  console.log('ppppp',x);
    console.log('ppppp',_(x)); 
}
function a(x, c) {
    function f(x, c) {
        var _ = (65535 & x) + (65535 & c);
        return (x >> 16) + (c >> 16) + (_ >> 16) << 16 | 65535 & _
    }
    function e(x, c, _, t, r, n) {
        return f(function i(x, c) {
            return x << c | x >>> 32 - c
        }(f(f(c, x), f(t, n)), r), _)
    }
    function u(x, c, _, t, r, n, i) {
        return e(c & _ | ~c & t, x, c, r, n, i)
    }
    function h(x, c, _, t, r, n, i) {
        return e(c & t | _ & ~t, x, c, r, n, i)
    }
    function v(x, c, _, t, r, n, i) {
        return e(c ^ _ ^ t, x, c, r, n, i)
    }
    function d(x, c, _, t, r, n, i) {
        return e(_ ^ (c | ~t), x, c, r, n, i)
    }
    function o(x, c) {
        x[c >> 5] |= 128 << c % 32,
        x[14 + (c + 64 >>> 9 << 4)] = c;
        var _, t, r, n, i, e = 1732584193, o = -271733879, a = -1732584194, s = 271733878;
        for (_ = 0; _ < x[_0x19c3("0x18")]; _ += 16)
            o = d(o = d(o = d(o = d(o = v(o = v(o = v(o = v(o = h(o = h(o = h(o = h(o = u(o = u(o = u(o = u(r = o, a = u(n = a, s = u(i = s, e = u(t = e, o, a, s, x[_], 7, -680876936), o, a, x[_ + 1], 12, -389564586), e, o, x[_ + 2], 17, 606105819), s, e, x[_ + 3], 22, -1044525330), a = u(a, s = u(s, e = u(e, o, a, s, x[_ + 4], 7, -176418897), o, a, x[_ + 5], 12, 1200080426), e, o, x[_ + 6], 17, -1473231341), s, e, x[_ + 7], 22, -45705983), a = u(a, s = u(s, e = u(e, o, a, s, x[_ + 8], 7, 1770035416), o, a, x[_ + 9], 12, -1958414417), e, o, x[_ + 10], 17, -42063), s, e, x[_ + 11], 22, -1990404162), a = u(a, s = u(s, e = u(e, o, a, s, x[_ + 12], 7, 1804603682), o, a, x[_ + 13], 12, -40341101), e, o, x[_ + 14], 17, -1502002290), s, e, x[_ + 15], 22, 1236535329), a = h(a, s = h(s, e = h(e, o, a, s, x[_ + 1], 5, -165796510), o, a, x[_ + 6], 9, -1069501632), e, o, x[_ + 11], 14, 643717713), s, e, x[_], 20, -373897302), a = h(a, s = h(s, e = h(e, o, a, s, x[_ + 5], 5, -701558691), o, a, x[_ + 10], 9, 38016083), e, o, x[_ + 15], 14, -660478335), s, e, x[_ + 4], 20, -405537848), a = h(a, s = h(s, e = h(e, o, a, s, x[_ + 9], 5, 568446438), o, a, x[_ + 14], 9, -1019803690), e, o, x[_ + 3], 14, -187363961), s, e, x[_ + 8], 20, 1163531501), a = h(a, s = h(s, e = h(e, o, a, s, x[_ + 13], 5, -1444681467), o, a, x[_ + 2], 9, -51403784), e, o, x[_ + 7], 14, 1735328473), s, e, x[_ + 12], 20, -1926607734), a = v(a, s = v(s, e = v(e, o, a, s, x[_ + 5], 4, -378558), o, a, x[_ + 8], 11, -2022574463), e, o, x[_ + 11], 16, 1839030562), s, e, x[_ + 14], 23, -35309556), a = v(a, s = v(s, e = v(e, o, a, s, x[_ + 1], 4, -1530992060), o, a, x[_ + 4], 11, 1272893353), e, o, x[_ + 7], 16, -155497632), s, e, x[_ + 10], 23, -1094730640), a = v(a, s = v(s, e = v(e, o, a, s, x[_ + 13], 4, 681279174), o, a, x[_], 11, -358537222), e, o, x[_ + 3], 16, -722521979), s, e, x[_ + 6], 23, 76029189), a = v(a, s = v(s, e = v(e, o, a, s, x[_ + 9], 4, -640364487), o, a, x[_ + 12], 11, -421815835), e, o, x[_ + 
15], 16, 530742520), s, e, x[_ + 2], 23, -995338651), a = d(a, s = d(s, e = d(e, o, a, s, x[_], 6, -198630844), o, a, x[_ + 7], 10, 1126891415), e, o, x[_ + 14], 15, -1416354905), s, e, x[_ + 5], 21, -57434055), a = d(a, s = d(s, e = d(e, o, a, s, x[_ + 12], 6, 1700485571), o, a, x[_ + 3], 10, -1894986606), e, o, x[_ + 10], 15, -1051523), s, e, x[_ + 1], 21, -2054922799), a = d(a, s = d(s, e = d(e, o, a, s, x[_ + 8], 6, 1873313359), o, a, x[_ + 15], 10, -30611744), e, o, x[_ + 6], 15, -1560198380), s, e, x[_ + 13], 21, 1309151649), a = d(a, s = d(s, e = d(e, o, a, s, x[_ + 4], 6, -145523070), o, a, x[_ + 11], 10, -1120210379), e, o, x[_ + 2], 15, 718787259), s, e, x[_ + 9], 21, -343485551),
            e = f(e, t),
            o = f(o, r),
            a = f(a, n),
            s = f(s, i);
        return [e, o, a, s]
    }
    function a(x) {
        var c, _ = "";
        for (c = 0; c < 32 * x[_0x19c3("0x18")]; c += 8)
            _ += String[_0x19c3("0x22")](x[c >> 5] >>> c % 32 & 255);
        return _
    }
    function s(x) {
        var c, _ = [];
        for (_[(x[_0x19c3("0x18")] >> 2) - 1] = undefined,
        c = 0; c < _.length; c += 1)
            _[c] = 0;
        for (c = 0; c < 8 * x[_0x19c3("0x18")]; c += 8)
            _[c >> 5] |= (255 & x[_0x19c3("0x23")](c / 8)) << c % 32;
        return _
    }
    function n(x) {
        var c, _, t = _0x19c3("0x7e"), r = "";
        for (_ = 0; _ < x[_0x19c3("0x18")]; _ += 1)
            c = x[_0x19c3("0x23")](_),
            r += t.charAt(c >>> 4 & 15) + t.charAt(15 & c);
        return r
    }
    function _(x) {
        return unescape(encodeURIComponent(x))
    }
    function i(x) {
        return function c(x) {
            return a(o(s(x), 8 * x.length))
        }(_(x))
    }
    function l(x, c) {
        return function e(x, c) {
            var _, t, r = s(x), n = [], i = [];
            for (n[15] = i[15] = undefined,
            16 < r.length && (r = o(r, 8 * x[_0x19c3("0x18")])),
            _ = 0; _ < 16; _ += 1)
                n[_] = 909522486 ^ r[_],
                i[_] = 1549556828 ^ r[_];
            return t = o(n[_0x19c3("0x2a")](s(c)), 512 + 8 * c[_0x19c3("0x18")]),
            a(o(i[_0x19c3("0x2a")](t), 640))
        }(_(x), _(c))
    }
    function p(x, c, _) {
        return c ? _ ? l(c, x) : function t(x, c) {
            return n(l(x, c))
        }(c, x) : _ ? i(x) : function r(x) {
            return n(i(x))
        }(x)
    }
    console.log('当前域名配置',x[_0x19c3("0x0")]);
  	b= (new Date).getTime()

  b=1577180869309
  console.log('当前域名配置',p(b));
  return p(b)
}
uuuu= a(2)
pppp(uuuu)

//for (n = i = (new Date).getTime(); "00" !== (i = f(u(i))).toString().substr(0, 2); );

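The code lifted out above runs as is. On closer inspection, the u function is an MD5 hash and the f function is a SHA-1 hash, so there is no need to lift the code; just do it directly in Python.

There is also sig, which is more complicated and involves encryption. Never mind, just paste the code in. The code of o["encryption"](r, c, _) is roughly as follows; the key functions are r, n and i: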

encryption:function(x, c, _) {  
            var t = r(x, c);
            return i(n(t, _))
        }
This is an encryption function:
var _0xe7d2 = ["words", "sigBytes", "length", "stringify", "ceil", "slice", "random", "enc", "Hex", "join", "substr", "push", "fromCharCode", "charCodeAt", "Utf8", "Malformed UTF-8 data", "parse", "BufferedBlockAlgorithm", "_data", "_nDataBytes", "concat", "blockSize", "max", "_minBufferSize", "min", "_doProcessBlock", "splice", "clone", "Hasher", "cfg", "reset", "_append", "_doFinalize", "finalize", "HMAC", "algo", "Cipher", "WordArray", "EvpKDF", "_ENC_XFORM_MODE", "_DEC_XFORM_MODE", "_xformMode", "_key", "_doReset", "_process", "encrypt", "decrypt", "flush", "mode", "BlockCipherMode", "Encryptor", "Decryptor", "_cipher", "_iv", "CBC", "encryptBlock", "_prevBlock", "pad", "Pkcs7", "BlockCipher", "createEncryptor", "createDecryptor", "_mode", "__creator", "unpad", "CipherParams", "formatter", "format", "ciphertext", "_parse", "kdf", "OpenSSL", "PasswordBasedCipher", "ivSize", "key", "execute", "keySize", "salt", "MD5", "hasher", "update", "compute", "Base64", "_map", "clamp", "_reverseMap", "charAt", "indexOf", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", "abs", "sin", "_hash", "floor", "HmacMD5", "_createHmacHelper", "Word", "high", "low", "SHA1", "_createHelper", "HmacSHA1", "_iKey", "_hasher", "_oKey", "0123456789abcdef", "sqrt", "SHA256", "HmacSHA256", "x64", "toX32", "SHA512", "HmacSHA512", "moonshad5moonsh2", "moonshad3moonsh0", "moonshad8moonsh6", "moonshad0moonsh1", "moonshad1moonsh9", "OOOO0O", "O0000O", "O00O0O", "OO0OOO", "screen", "width", "height", "alg", "version", "round", "getTime", "sig", "traceid", "callback", "elapsed", "shaOne", "encryption", "sort", "split", "substring", "ECB", "byteOffset", "byteLength", "Utf16BE", "Utf16LE", "Utf16", "SHA224", "SHA384", "HmacSHA384", "SHA3", "_state", "outputLength", "HmacSHA3", "RIPEMD160", "HmacRIPEMD160", "iterations", "PBKDF2", "CFB", "CTR", "_counter", "OFB", "_keystream", "decryptBlock", "AnsiX923", "Ansix923", "Iso10126", "Iso97971", "ZeroPadding", "NoPadding", "AES", 
"_nRounds", "_keyPriorReset", "_keySchedule", "_invKeySchedule", "_doCryptBlock", "DES", "_subKeys", "_invSubKeys", "_lBlock", "_rBlock", "TripleDES", "_des2", "_des3", "_des1", "StreamCipher", "RC4", "drop", "RC4Drop", "Rabbit", "RabbitLegacy", "location", "protocol", "//nsclick.baidu.com/v.gif?", "pid=111&type=1023&v=", "&data_source=fe", "&extrajson=", "&monitorType=moonshadErrors", "{eventType:na-moonshad-error}", "&auto_en=na-monitor", "onload", "onerror", "src", "exports", "defineProperty", "undefined", "toStringTag", "Module", "__esModule", "object", "create", "default", "string", "bind", "prototype", "hasOwnProperty", "call", "lib", "Base", "mixIn", "init", "$super", "apply", "toString", "extend"];
!function(c) {
    !function(x) {
        for (; --x; )
            c.push(c.shift())
    }(421)
}(_0xe7d2);
var _0x19c3 = function(x, c) {
    return _0xe7d2[x -= 0]
};



function fun_8(x, c) {
    function f(x, c) {
        var _ = (65535 & x) + (65535 & c);
        return (x >> 16) + (c >> 16) + (_ >> 16) << 16 | 65535 & _
    }
    function e(x, c, _, t, r, n) {
        return f(function i(x, c) {
            return x << c | x >>> 32 - c
        }(f(f(c, x), f(t, n)), r), _)
    }
    function u(x, c, _, t, r, n, i) {
        return e(c & _ | ~c & t, x, c, r, n, i)
    }
    function h(x, c, _, t, r, n, i) {
        return e(c & t | _ & ~t, x, c, r, n, i)
    }
    function v(x, c, _, t, r, n, i) {
        return e(c ^ _ ^ t, x, c, r, n, i)
    }
    function d(x, c, _, t, r, n, i) {
        return e(_ ^ (c | ~t), x, c, r, n, i)
    }
    function o(x, c) {
        x[c >> 5] |= 128 << c % 32,
        x[14 + (c + 64 >>> 9 << 4)] = c;
        var _, t, r, n, i, e = 1732584193, o = -271733879, a = -1732584194, s = 271733878;
        for (_ = 0; _ < x[_0x19c3("0x18")]; _ += 16)
            o = d(o = d(o = d(o = d(o = v(o = v(o = v(o = v(o = h(o = h(o = h(o = h(o = u(o = u(o = u(o = u(r = o, a = u(n = a, s = u(i = s, e = u(t = e, o, a, s, x[_], 7, -680876936), o, a, x[_ + 1], 12, -389564586), e, o, x[_ + 2], 17, 606105819), s, e, x[_ + 3], 22, -1044525330), a = u(a, s = u(s, e = u(e, o, a, s, x[_ + 4], 7, -176418897), o, a, x[_ + 5], 12, 1200080426), e, o, x[_ + 6], 17, -1473231341), s, e, x[_ + 7], 22, -45705983), a = u(a, s = u(s, e = u(e, o, a, s, x[_ + 8], 7, 1770035416), o, a, x[_ + 9], 12, -1958414417), e, o, x[_ + 10], 17, -42063), s, e, x[_ + 11], 22, -1990404162), a = u(a, s = u(s, e = u(e, o, a, s, x[_ + 12], 7, 1804603682), o, a, x[_ + 13], 12, -40341101), e, o, x[_ + 14], 17, -1502002290), s, e, x[_ + 15], 22, 1236535329), a = h(a, s = h(s, e = h(e, o, a, s, x[_ + 1], 5, -165796510), o, a, x[_ + 6], 9, -1069501632), e, o, x[_ + 11], 14, 643717713), s, e, x[_], 20, -373897302), a = h(a, s = h(s, e = h(e, o, a, s, x[_ + 5], 5, -701558691), o, a, x[_ + 10], 9, 38016083), e, o, x[_ + 15], 14, -660478335), s, e, x[_ + 4], 20, -405537848), a = h(a, s = h(s, e = h(e, o, a, s, x[_ + 9], 5, 568446438), o, a, x[_ + 14], 9, -1019803690), e, o, x[_ + 3], 14, -187363961), s, e, x[_ + 8], 20, 1163531501), a = h(a, s = h(s, e = h(e, o, a, s, x[_ + 13], 5, -1444681467), o, a, x[_ + 2], 9, -51403784), e, o, x[_ + 7], 14, 1735328473), s, e, x[_ + 12], 20, -1926607734), a = v(a, s = v(s, e = v(e, o, a, s, x[_ + 5], 4, -378558), o, a, x[_ + 8], 11, -2022574463), e, o, x[_ + 11], 16, 1839030562), s, e, x[_ + 14], 23, -35309556), a = v(a, s = v(s, e = v(e, o, a, s, x[_ + 1], 4, -1530992060), o, a, x[_ + 4], 11, 1272893353), e, o, x[_ + 7], 16, -155497632), s, e, x[_ + 10], 23, -1094730640), a = v(a, s = v(s, e = v(e, o, a, s, x[_ + 13], 4, 681279174), o, a, x[_], 11, -358537222), e, o, x[_ + 3], 16, -722521979), s, e, x[_ + 6], 23, 76029189), a = v(a, s = v(s, e = v(e, o, a, s, x[_ + 9], 4, -640364487), o, a, x[_ + 12], 11, -421815835), e, o, x[_ + 
15], 16, 530742520), s, e, x[_ + 2], 23, -995338651), a = d(a, s = d(s, e = d(e, o, a, s, x[_], 6, -198630844), o, a, x[_ + 7], 10, 1126891415), e, o, x[_ + 14], 15, -1416354905), s, e, x[_ + 5], 21, -57434055), a = d(a, s = d(s, e = d(e, o, a, s, x[_ + 12], 6, 1700485571), o, a, x[_ + 3], 10, -1894986606), e, o, x[_ + 10], 15, -1051523), s, e, x[_ + 1], 21, -2054922799), a = d(a, s = d(s, e = d(e, o, a, s, x[_ + 8], 6, 1873313359), o, a, x[_ + 15], 10, -30611744), e, o, x[_ + 6], 15, -1560198380), s, e, x[_ + 13], 21, 1309151649), a = d(a, s = d(s, e = d(e, o, a, s, x[_ + 4], 6, -145523070), o, a, x[_ + 11], 10, -1120210379), e, o, x[_ + 2], 15, 718787259), s, e, x[_ + 9], 21, -343485551),
            e = f(e, t),
            o = f(o, r),
            a = f(a, n),
            s = f(s, i);
        return [e, o, a, s]
    }
    function a(x) {
        var c, _ = "";
        for (c = 0; c < 32 * x[_0x19c3("0x18")]; c += 8)
            _ += String[_0x19c3("0x22")](x[c >> 5] >>> c % 32 & 255);
        return _
    }
    function s(x) {
        var c, _ = [];
        for (_[(x[_0x19c3("0x18")] >> 2) - 1] = undefined,
        c = 0; c < _.length; c += 1)
            _[c] = 0;
        for (c = 0; c < 8 * x[_0x19c3("0x18")]; c += 8)
            _[c >> 5] |= (255 & x[_0x19c3("0x23")](c / 8)) << c % 32;
        return _
    }
    function n(x) {
        var c, _, t = _0x19c3("0x7e"), r = "";
        for (_ = 0; _ < x[_0x19c3("0x18")]; _ += 1)
            c = x[_0x19c3("0x23")](_),
            r += t.charAt(c >>> 4 & 15) + t.charAt(15 & c);
        return r
    }
    function _(x) {
        return unescape(encodeURIComponent(x))
    }
    function i(x) {
        return function c(x) {
            return a(o(s(x), 8 * x.length))
        }(_(x))
    }
    function l(x, c) {
        return function e(x, c) {
            var _, t, r = s(x), n = [], i = [];
            for (n[15] = i[15] = undefined,
            16 < r.length && (r = o(r, 8 * x[_0x19c3("0x18")])),
            _ = 0; _ < 16; _ += 1)
                n[_] = 909522486 ^ r[_],
                i[_] = 1549556828 ^ r[_];
            return t = o(n[_0x19c3("0x2a")](s(c)), 512 + 8 * c[_0x19c3("0x18")]),
            a(o(i[_0x19c3("0x2a")](t), 640))
        }(_(x), _(c))
    }
    _8 = function p(x, c, _) {
        return c ? _ ? l(c, x) : function t(x, c) {
            return n(l(x, c))
        }(c, x) : _ ? i(x) : function r(x) {
            return n(i(x))
        }(x)
    }

}
function fun_14(x, c, _) {
    var u = _8
      , h = {
        a: "3",
        b: "4",
        c: "5",
        d: "9",
        e: "8",
        f: "7",
        g: "1",
        h: "2",
        i: "6",
        j: "0",
        k: "a",
        l: "b",
        m: "c",
        n: "d",
        o: "e",
        p: "f",
        q: "g",
        r: "z",
        s: "y",
        t: "x",
        u: "w",
        v: "v",
        w: "u",
        x: "o",
        y: "p",
        z: "q",
        0: "s",
        1: "t",
        2: "r",
        3: "h",
        4: "i",
        5: "j",
        6: "k",
        7: "l",
        8: "m",
        9: "n"
    };
    _14 = function(x, c) {
        var _ = [];
        for (var t in x)
            x.hasOwnProperty(t) && _.push(t);
        _[_0x19c3("0x9c")]();
        for (var r = [], n = 0, i = _.length; n < i; n++) {
            var e = _[n];
            r[_0x19c3("0x21")](e + "=" + x[e])
        }
        var o = u(r.join("&"))
          , a = ""
          , s = (window[_0x19c3("0x8f")][_0x19c3("0x90")] + "" + window[_0x19c3("0x8f")].height)[_0x19c3("0x9d")]("");
        for (n = 0; n < s[_0x19c3("0x18")]; n++)
            a += h[s[n]];
        return function f(x, c) {
            var _, t = "", r = x[_0x19c3("0x9d")](""), n = c[_0x19c3("0x9d")]("");
            if (r[_0x19c3("0x18")] >= n[_0x19c3("0x18")]) {
                for (_ = 0; _ < n[_0x19c3("0x18")]; _++)
                    t += r[_] + n[_];
                t += x[_0x19c3("0x9e")](_)
            } else {
                for (_ = 0; _ < r.length; _++)
                    t += r[_] + n[_];
                t += c[_0x19c3("0x9e")](_)
            }
            return t
        }(o, a)
    }
}




x= {
"alg": "v3",
"apiver": "v3",
"class": "login",
"gid": "78352A1-5EE0-4F5C-B308-7E6A28882517",
"logintype": "dialogLogin",
"loginversion": "v4",
"subpro": "",
"time": 1577260418,
"token": "",
"tpl": "mn",
"tt": 1577260352645,
   }




fun_8() 
fun_14()
var t = _14(x);

console.log('当前域名配置',t);

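Never mind, I can't lift out any more; the code above is the r function.

Looking closely, the r function uses MD5, and it also uses the window width and height to modify the MD5 string.
The n function is AES encryption, and the i function applied afterwards is Base64.
The key used for the AES encryption is the _ parameter: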

var t = r(x, c);
            return i(n(t, _))

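The _ parameter is the AES key. This key changes over time, and all the OO00 names are a headache to read.

6.5 callback:

e is bd__cbs__ getUniqueId = function(e) { return e + Math.floor(2147483648 * Math.random()).toString(36) } The callback is random; it can simply be used as is, and leaving it unchanged also works.

That takes care of everything needed for the token. Write some Python to test the token-fetching part. It is written straight through in order, with no encapsulation: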

from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
import base64
import hashlib
import time
import requests
import execjs
import json
import math
import random

def baseN(num, b):
    return ((num == 0) and "0") or (baseN(num // b, b).lstrip("0") + "0123456789abcdefghijklmnopqrstuvwxyz"[num % b])

# Generate the gid; returns a str
def getgid():
    """

    :return:
    """
    js = execjs.compile("""
        function gid(){
                return 'xxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (e) {
                var t = 16 * Math.random() | 0,
                n = 'x' == e ? t : 3 & t | 8;
                return n.toString(16)
                }).toUpperCase()
            }
    """)
    return js.call("gid")


data = {
    "alg": "v3",
    "apiver": "v3",
    "class": "login",
    "gid": "",
    "logintype": "dialogLogin",
    "loginversion": "v4",
    "subpro": "",
    "time": 1577270095,
    "token": "",
    "tpl": "mn",
    "tt": 1577270095354,
}
data["gid"] = getgid()
print("gid", data["gid"])
data["tt"] = int(time.time() * 1000)
data["time"] = int(time.time())

# Compute shaOne and elapsed
n_time = int(time.time() * 1000)
while True:
    current = int(time.time() * 1000)
    md = hashlib.md5()
    md.update(str(current).encode('utf-8'))
    sha = hashlib.sha1()
    sha.update(md.hexdigest().encode('utf-8'))
    if sha.hexdigest()[0:2] == '00':
        break

# shaOne is the SHA-1 hex digest that starts with "00", not the timestamp
shaOne = sha.hexdigest()
print("shaOne", shaOne)
elapsed = int(time.time() * 1000) - n_time
print("elapsed", elapsed)

# ***************************************
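# Compute sig
# 1. Turn data into a string and compute its MD5; the MD5 string is then processed according to the window width and height to form a new string (variable names follow the obfuscated JS names so they can be matched up)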
data2str = str(data)[1:-1].replace(':', '=').replace(',', '&').replace('\'', '').replace(' ', '')
print("data2str",data2str)
md5 = hashlib.md5()
md5.update(data2str.encode('utf-8'))
print("md5",md5.hexdigest())
# md5 = 'alg=v3&apiver=v3&class=login&gid=78352A1-5EE0-4F5C-B308-7E6A28882517&logintype=dialogLogin&loginversion=v4&subpro=&time=1577260418&token=&tpl=mn&tt=1577260352645'
r = x = md5.hexdigest()

s = ["1", "5", "3", "6", "8", "6", "4"]

h = {
    "a": "3", "b": "4", "c": "5", "d": "9", "e": "8", "f": "7", "g": "1", "h": "2", "i": "6", "j": "0", "k": "a",
    "l": "b",
    "m": "c", "n": "d", "o": "e", "p": "f", "q": "g", "r": "z", "s": "y", "t": "x", "u": "w", "v": "v", "w": "u",
    "x": "o",
    "y": "p", "z": "q", "0": "s", "1": "t", "2": "r", "3": "h", "4": "i", "5": "j", "6": "k", "7": "l", "8": "m",
    "9": "n"
}
a = ''
for i in range(len(s)):
    a += h[s[i]]
# a evaluates to tjhkmki
t = ''
n = a
if (len(r) > len(n)):
    for _ in range(len(n)):
        t += r[_] + n[_]
    t += x[_ + 1:]
else:
    for _ in range(len(r)):
        t += r[_] + n[_]
    t += n[_ + 1:]
print("md5 to new str:",t)
# Done; t is the newly built string

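# 2 Next, encrypt the new string t with AES-128, mode ECB, padding PKCS7
# h is a key/value map; v is the index that selects which entry of h to use; the selected value of h corresponds to a key of moonshadV3, whose value is a function.
# After conversion, the value from h also corresponds to a key of t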
h = {"OOOOO0": "OOOO00", "O00000": "OOO00O", "O0O00O": "OOO000", "O000OO": "OOO0OO", "O0O000": "O0OOO0"}
trans = {
    "OOOO00": "OOOO0O", "OOO00O": "O0000O", "OOO000": "O00O0O", "OOO0OO": "OO0OOO", "O0OOO0": "OO0O0O" }
t_dict = {
    "O00O0O": "moonshad8moonsh6",
    "O0000O": "moonshad3moonsh0",
    "OO0O0O": "moonshad1moonsh9",
    "OO0OOO": "moonshad0moonsh1",
    "OOOO0O": "moonshad5moonsh2"
}
v = (int(time.time()) // 86400) % 5
b = list(h.keys())
# key is the AES encryption key
#key = 'moonshad5moonsh2'
key = t_dict[trans[h[b[v]]]]
print("aes key:",key)
# s = '1tcj2hbk7mbk7i55ed2c91a7027bbeea0e3dd3e'
s = t

aes = AES.new(key=key.encode("utf-8"), mode=AES.MODE_ECB)
s_pad = pad(s.encode('utf-8'), AES.block_size, style='pkcs7')
s_text = aes.encrypt(s_pad)
print("aes encrypt:",s_text, type(s_text))
# 3 Base64-encode the AES-encrypted bytes
base64_text = base64.encodebytes(s_text).replace(b'\n', b'')
sig = base64.encodebytes(base64_text).replace(b'\n', b'')
print("sig:",sig)

post_data = {
    #   "getapi":"" ,
    "token": "",
    "tpl": "mn",
    "subpro": "",
    "apiver": "v3",
    "tt": "1577270095354",
    "class": "login",
    "gid": "0E2A49B-9083-40AA-9E55-C4855C751735",
    "loginversion": "v4",
    "logintype": "dialogLogin",
    "traceid": "",
    "time": "1577270095",
    "alg": "v3",
    "sig": "VUtmamUvKzdWRGpIUi9LRUY5b3VScGthaEszampKUDNlZlpTSWMzdUVGelVKbnFSVWRuOVkrZm1yWS9LQ0tXZw==",
    "elapsed": "30",
    "shaOne": "0030cb20e20293d942ae96d0f756fa7fdc40b390",
    "callback": "bd__cbs__alo4yw"
}
post_data["gid"] = data["gid"]
post_data["time"] = data["time"]
post_data["tt"] = data["tt"]

rand = math.floor(2147483648 * random.random())
post_data["callback"] = 'bd__cbs__' + baseN(rand, 36)

post_data["elapsed"] = elapsed
post_data["shaOne"] = shaOne
post_data["sig"] = sig
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36'}
session = requests.session()
request = session.get('https://www.baidu.com', headers=headers)

headers = {
    'Referer': 'https://www.baidu.com/',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36'}

request = session.get('https://passport.baidu.com/v2/api/?getapi', params=post_data, headers=headers,
                      allow_redirects=False)
print(request.url)
print(request.status_code)
request.encoding = request.apparent_encoding
#print(request.text)
text = request.text.split("(", 1)[1].rsplit(")",1)[0].replace("\'","\"")
#print(text)
res_data = json.loads(text) #dict
token = res_data["data"]["token"]
print(token)

7 tt

timestamp

8 gid

This is the same as the one used for token above

9 rsakey

A search in the Network panel finds it right away:
https://passport.baidu.com/v2/getpublickey?

response

bd__cbs__ii2fve({
    "errno": '0',
    "msg": '',
    "pubkey": '-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUgNsdqndDCdKfsf1rMd0zB6OT\n448Nh+O5x1xVInB\/7Hb4OoOMreTJe\/45X+RDyxHNt8WLOYl57MCjvTDAsjK+vvAw\nwG+GvX4Iy0\/WRWswYUCSHpcgm2Uv+pwpgnA5Q+MRFXGolcjZqd26pMWqxQCces3B\npBLRkKuyMZ+Qhs0A6wIDAQAB\n-----END PUBLIC KEY-----\n',
    "key": 'RCKEYjwblMiriSRxnw60AYbT7aAZ7REK',
    "traceid": ""
})

The key field is the one we want.
Next, build the request parameters:

token: 08963795d8d87eede02e445936ea5aec
tpl: mn
subpro: 
apiver: v3
tt: 1577182097629
gid: 04C5389-B2B7-480B-B12C-CEA5440344F1
loginversion: v4
traceid: 
time: 1577182098
alg: v3
sig: ZGFleGhiMkdrbUsxSzBkNWsvdDhVV2pyazMzdHBKaDR1MGtva2dmWWl6Si9yUXNyOFBRYUpVQzVzK2lmMStHUA==
elapsed: 1
shaOne: 004736d0ea345a1ed60d72d06decd8b277e89763
callback: bd__cbs__ii2fve

All of these parameters are ones we obtained earlier, so a single GET request returns the rsakey.
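An added example, not code from the original page: a stricter parser for the JSONP replies shown above than the split/replace one-liner, which breaks as soon as a value contains a quote character. It also checks that the callback name echoed by the server is the one that was sent. SAMPLE is constructed in the shape of the getpublickey response with placeholder key material; parse_jsonp and the other names are this example's own.

```python
import json
import re

# Constructed sample: single-quoted values, "\/" and "\n" escapes, placeholder key data.
SAMPLE = r'''bd__cbs__abc123({
    "errno": '0',
    "msg": 'it\'s "ok"',
    "pubkey": '-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\/BASE64\n-----END PUBLIC KEY-----\n',
    "key": 'PLACEHOLDERKEY',
    "traceid": ""
})'''

# callback( ... ) with an optional trailing semicolon
JSONP_RE = re.compile(r"^\s*([A-Za-z_$][\w$]*)\s*\((.*)\)\s*;?\s*$", re.S)
# Either a double-quoted string (left alone) or a single-quoted one (group 1)
STRING_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\'((?:[^\'\\]|\\.)*)\'', re.S)


def requote(match):
    """Turn one JS single-quoted string literal into a JSON string literal."""
    if match.group(1) is None:
        return match.group(0)              # already valid JSON
    fix = {"\\'": "'", '"': '\\"'}          # \' is not a JSON escape; bare " must be escaped
    body = re.sub(r'\\.|"', lambda e: fix.get(e.group(0), e.group(0)),
                  match.group(1), flags=re.S)
    return '"' + body + '"'


def parse_jsonp(text, expected_callback=None):
    """Return (callback_name, payload_dict); raise ValueError on anything unexpected."""
    m = JSONP_RE.match(text)
    if not m:
        raise ValueError("not a JSONP response")
    callback, payload = m.groups()
    if expected_callback is not None and callback != expected_callback:
        raise ValueError("callback mismatch: %r" % callback)
    return callback, json.loads(STRING_RE.sub(requote, payload))


if __name__ == "__main__":
    name, data = parse_jsonp(SAMPLE, expected_callback="bd__cbs__abc123")
    print(name, data["key"])
    print(data["pubkey"])
```

JavaScript-only escapes such as `\x41` are not handled; json.loads rejects them, so an unexpected response fails loudly instead of being mis-parsed.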

10 ppui_logintime:

It does not appear in the Network panel, but a search in the Sources panel finds it:
timeSpan: "ppui_logintime",
That turns up timeSpan, so search for it next:

n.timeSpan = (new Date).getTime() - e.initTime

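Searching for initTime leads to _initApi, and searching for _initApi shows that it is tied to a click event.
Set a breakpoint in _initApi: execution stops there when the login button on the home page is clicked, so ppui_logintime is the time elapsed between clicking login and sending the login request.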

11 ds:

https://passport.baidu.com/viewlog?ak=1e3f2dd1c81f2075171a547893391274&callback=jsonpCallbackA19216&v=10211&t=1577349087131
Requesting this URL once returns tk and ds, and also sets the pplogid cookie; it looks like it can be requested directly.

ak: 1e3f2dd1c81f2075171a547893391274
callback: jsonpCallbackA18383
v: 1797
t: 1577428128429

ak: 1e3f2dd1c81f2075171a547893391274
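A search finds this value right away; it is a fixed value.

ak is a fixed value and t is a timestamp.
A search shows that these are set in mkd.js.
callback is jsonpCallbackA followed by a random number, and v is also a random number produced by the same function: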

        function o() {
            return Math.floor(1e4 * Math.random() + 500)
        }

12 tk was already obtained above

13 dv

Searching for dv: quickly leads to window.LG_DV_ARG.dvjsInput. Searching for LG_DV_ARG next finds it in two files, and only g.min contains an assignment:

        function c(n) {
            var r = t.getElementById("dv_Input");
            r && (r.value = n),
            e.LG_DV_ARG.dvjsInput = n
        }

Set a breakpoint and look at the call stack.
t is document, and it contains no dv_Input element, so n is what matters. The caller sits right above it:

        function d(e) {
            M && (x = e.token + "@" + S(e, e.token),
            (1 & F.SendMethod) > 0 && c(x))
        }

x is the n that gets passed in: x = e.token + "@" + S(e, e.token)

function m(t) {
            try {
                if (F.RCKSEvent > 0 && G >= F.RCKSEvent)
                    return;
                var n = t || e.event
                  , r = n.target || n.srcElement
                  , o = n.keyCode
                  , a = 0;
                n.ctrlKey && 17 != o && (a += 1),
                n.altKey && 18 != o && (a += 2),
                n.shiftKey && 16 != o && (a += 4);
                var i = "null";
                r && (i = r.id ? encodeURIComponent(r.id) : r.name ? encodeURIComponent(r.name) : i);
                for (var c = 0; c < F.ExcludeTarget.length; c++)
                    if (F.ExcludeTarget[c] == i)
                        return;
                var f = (new Date).getTime() - q;
                G++,
                w.keyDown += [o, a, i, f].join(",") + "|",
                d(w)
            } catch (u) {}
        }

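Here w is the e that gets passed in.
The call stack ends here, and w is not assigned anywhere in this function. The function is a closure, so w must be assigned somewhere else in this file.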

        function I() {
            w.mouseDown = "",
            w.keyDown = "",
            w.mouseMove = "",
            0 == _ && (_ = 1,
            i(),
            (2 & F.SendMethod) > 0 && setInterval(Y, F.SendTimer),
            w.version = l(),
            w.loadTime = q / 1e3,
            F.BrowserInfo && (w.browserInfo = u()),
            w.token = F.PageToken,
            F.Location && (w.location = E()),
            F.ScreenInfo && (w.screenInfo = v()),
            F.FlashInfo && (w.flashInfo = y()),
            d(w))
        }

That's it: w is populated here. Next, track down the variable F.

function R() {
            if ("undefined" == typeof b)
                return 1;
            if ("number" != typeof b.Flag)
                return 1;
            var e = new Object;
            if ("undefined" != typeof b.FormId && "" != b.FormId && (e.FormId = b.FormId),
            "undefined" != typeof b.RecordStr && "" != b.RecordStr && (e.RecordStr = b.RecordStr),
            e.EnableKSEvent = b.Flag >> 1 & 1,
            e.EnableMCEvent = b.Flag >> 2 & 1,
            e.EnableMPEvent = b.Flag >> 3 & 1,
            e.RecordTimeInterval = b.Flag >> 6 & 1,
            e.BrowserInfo = b.Flag >> 7 & 1,
            e.LSIDInfo = b.Flag >> 10 & 1,
            e.Location = b.Flag >> 11 & 1,
            e.Token = b.Flag >> 12 & 1,
            e.ScreenInfo = b.Flag >> 13 & 1,
            e.FlashInfo = b.Flag >> 16 & 1,
            e.DVID = b.Flag >> 17 & 1,
            "string" == typeof b.Token ? e.PageToken = b.Token : e.Token = 0,
            e.ImgUrl = "string" == typeof b.ImgUrl ? b.ImgUrl : "",
            e.EltAttrs = [],
            "undefined" != typeof b.EltAttrs)
                for (var t = 0; t < b.EltAttrs.length; t++)
                    e.EltAttrs.push(b.EltAttrs[t]);
            if (e.ExcludeTarget = [],
            "undefined" != typeof b.ExcludeTarget)
                for (var t = 0; t < b.ExcludeTarget.length; t++)
                    e.ExcludeTarget.push(b.ExcludeTarget[t]);
            return e.RCInterval = "undefined" != typeof b.RCInterval && b.RCInterval > 0 ? b.RCInterval : 50,
            e.RCMSEvent = "undefined" != typeof b.RCMSEvent && b.RCMSEvent > 0 ? b.RCMSEvent : 5,
            e.RCKSEvent = "undefined" != typeof b.RCKSEvent && b.RCKSEvent > 0 ? b.RCKSEvent : 5,
            e.RCMVEvent = "undefined" != typeof b.RCMVEvent && b.RCMVEvent > 0 ? b.RCMVEvent : 5,
            e.RCFCEvent = "undefined" != typeof b.RCFCEvent && b.RCFCEvent > 0 ? b.RCFCEvent : 0,
            e.SendInterval = "undefined" != typeof b.SendInterval && b.SendInterval > 0 ? b.SendInterval : 1,
            e.SendMethod = "undefined" != typeof b.SendMethod && b.SendMethod > 0 ? b.SendMethod : 0,
            e.GYInterval = "undefined" != typeof b.GYInterval && b.GYInterval > 0 ? b.GYInterval : 50,
            e.RCGPEvent = "undefined" != typeof b.RCGPEvent && b.RCGPEvent > 0 ? b.RCGPEvent : 5,
            e.RCTVEvent = "undefined" != typeof b.RCTVEvent && b.RCTVEvent > 0 ? b.RCTVEvent : 5,
            e.SendMethod |= 1,
            e.DVHost = "string" == typeof b.DVHost ? b.DVHost : "passport.baidu.com",
            e.SendTimer = "number" == typeof b.SendTimer ? b.SendTimer : 1e3,
            F = e,
            F.BrowserInfo = !0,
            F.Location = !0,
            F.ScreenInfo = !0,
            F.FlashInfo = !0,
            F.LSIDInfo = !0,
            0
        }

F = e, and then e.PageToken = b.Token. Ugh, now b.Token turns up.
Finally found it:
b.Token = "tk" + Math.random() + (new Date).getTime()
What were we doing again......
e.token + "@" + S(e, e.token)
Extract S(e, e.token); it can be lifted out and tested on its own.

        function r(e, t) {
            for (var n = t.split(""), r = 0; r < e.length; r++) {
                var o = r % n.length;
                o = n[o].charCodeAt(0),
                o %= e.length;
                var a = e[r];
                e[r] = e[o],
                e[o] = a
            }
            return e
        }
function o(e) {
            for (var t = [], n = 0; n < e.length; n++)
                for (var r = e[n][0]; r <= e[n][1]; r++)
                    t.push(String.fromCharCode(r));
            return t
        } 
function n(e) {
            var t = [[48, 57], [65, 90], [97, 122], [45, 45], [126, 126]]
              , n = o(t)
              , a = o(t.slice(1));
            e && (n = r(n, e),
            a = r(a, e)),
            this.dict = n,
            this.dict2 = a
        }      

         function iary(e) {
                for (var t = "", n = 0; n < e.length; n++) {
                    var r = a(e[n], this.dict2);
                    t += r.length > 1 ? r.length - 2 + r : r
                }
                return t
            }
        function a(e, t) {
            var n = ""
              , r = Math.abs(parseInt(e));
            if (r)
                for (; r; )
                    n += t[r % t.length],
                    r = parseInt(r / t.length);
            else
                n = t[0];
            return n
        }
function bary(e) {
                for (var t = 0, n = {}, r = 0; r < e.length; r++)
                    e[r] > t && (t = e[r],
                    n[e[r]] = !0);
                var o = parseInt(t / 6);
                o += t % 6 ? 1 : 0;
                for (var a = "", r = 0; o > r; r++) {
                    for (var i = 6 * r, d = 0, c = 0; 6 > c; c++)
                        n[i] && (d += Math.pow(2, c)),
                        i++;
                    a += this.dict[d]
                }
                return a
            }
function int(e) {
                return a(e, this.dict)
            }
function str(e) {
                for (var t = [], n = 0; n < e.length; n++) {
                    var r = e.charCodeAt(n);
                    r >= 1 && 127 >= r ? t.push(r) : r > 2047 ? (t.push(224 | r >> 12 & 15),
                    t.push(128 | r >> 6 & 63),
                    t.push(128 | r >> 0 & 63)) : (t.push(192 | r >> 6 & 31),
                    t.push(128 | r >> 0 & 63))
                }
                for (var o = "", n = 0, a = t.length; a > n; ) {
                    var i = t[n++];
                    if (n >= a) {
                        o += this.dict[i >> 2],
                        o += this.dict[(3 & i) << 4],
                        o += "__";
                        break
                    }
                    var d = t[n++];
                    if (n >= a) {
                        o += this.dict[i >> 2],
                        o += this.dict[(3 & i) << 4 | (240 & d) >> 4],
                        o += this.dict[(15 & d) << 2],
                        o += "_";
                        break
                    }
                    var c = t[n++];
                    o += this.dict[i >> 2],
                    o += this.dict[(3 & i) << 4 | (240 & d) >> 4],
                    o += this.dict[(15 & d) << 2 | (192 & c) >> 6],
                    o += this.dict[63 & c]
                }
                return o
            }
function S(e, t) {
            var r = new n(t)
              , o = {
                flashInfo: 0,
                mouseDown: 1,
                keyDown: 2,
                mouseMove: 3,
                version: 4,
                loadTime: 5,
                browserInfo: 6,
                token: 7,
                location: 8,
                screenInfo: 9
            }
              ;r.iary=iary;var a = [r.iary([2])];

                    r.str = str,r.int=int,r.bary=bary;
            for (var i in e) {
                var d = e[i];
                if (void 0 !== d && void 0 !== o[i]) {
                    var c;

                    "number" == typeof d ? (c = d >= 0 ? 1 : 2,
                    d = r.int(d)) : "boolean" == typeof d ? (c = 3,
                    d = r.int(d ? 1 : 0)) : "object" == typeof d && d instanceof Array ? (c = 4,
                    d = r.bary(d)) : (c = 0,
                    d = r.str(d + "")),
                    d && a.push(r.iary([o[i], c, d.length]) + d)
                
                }
            }
            return a.join("")
        }


e={
mouseDown: "",
keyDown: "81,0,TANGRAM__PSP_10__userName,22511|81,0,TANGRAM__PSP_10__userName,29534|81,0,TANGRAM__PSP_10__userName,43673|119,0,TANGRAM__PSP_10__userName,46970|17,0,TANGRAM__PSP_10__userName,50479|",
mouseMove: "538,378,10501,TANGRAM__PSP_10__submit|605,242,15589,TANGRAM__PSP_10__userName|569,265,39495,TANGRAM__PSP_10__form|584,227,57742,TANGRAM__PSP_10__userName|",
  version: 26,
  loadTime: 1577435194.019,
browserInfo: "1,2,78",
  token: "tk0.59217013109449961577435194019",
  
location: "https://www.baidu.com/,undefined",

screenInfo: "0,0,1536,864,1536,864,1536,1536,824",
flashInfo: undefined
 }
t="tk0.59217013109449961577435194019"
console.log(S(e,t))

That gives us dv.
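An added example, not part of the original page: a Python port of the alphabet setup (o() and r() inside n()) and of the str() field encoder from the code above, together with its inverse. Because the token that permutes the alphabet travels in clear before the "@", the string fields in dv are obfuscated rather than encrypted. The function names and STD_B64 are this example's own; it covers only the str() field body (not the iary/int/bary framing) and assumes BMP text without NUL characters, where the page's hand-rolled UTF-8 step matches Python's.

```python
import base64

STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Same character ranges as n() on the page: 0-9, A-Z, a-z, "-", "~"
RANGES = [(48, 57), (65, 90), (97, 122), (45, 45), (126, 126)]
# Sample token copied from the test call on the page
PAGE_TOKEN = "tk0.59217013109449961577435194019"


def token_alphabet(token):
    """Port of o() followed by r(): build the 64 characters, then swap by token."""
    chars = [chr(c) for lo, hi in RANGES for c in range(lo, hi + 1)]
    if token:  # n() skips the swap pass for an empty token
        for i in range(len(chars)):
            j = ord(token[i % len(token)]) % len(chars)
            chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def encode_str(text, token):
    """Port of str(): base64 over the permuted alphabet, with "_" as padding."""
    table = str.maketrans(STD_B64 + "=", token_alphabet(token) + "_")
    return base64.b64encode(text.encode("utf-8")).decode("ascii").translate(table)


def decode_str(encoded, token):
    """Inverse of encode_str: map back to the standard alphabet and decode."""
    table = str.maketrans(token_alphabet(token) + "_", STD_B64 + "=")
    return base64.b64decode(encoded.translate(table)).decode("utf-8")


def split_dv(dv):
    """dv is '<token>@<payload>'; the token doubles as the alphabet key."""
    token, _, payload = dv.partition("@")
    return token, payload


if __name__ == "__main__":
    field = "0,0,1536,864,1536,864,1536,1536,824"  # screenInfo value from the page
    enc = encode_str(field, PAGE_TOKEN)
    token, _ = split_dv(PAGE_TOKEN + "@" + enc)
    print(enc)
    print(decode_str(enc, token))
```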

14 traceid:

traceid actually appeared in our earlier requests, but it was empty every time; only in this request is it non-empty.

            createTraceID: function() {
                var e = this;
                return e.headID + e.flowID + e.cases
            }

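e.flowID is "01" for login and "02" for reg; ours is login.
Putting the flow together: the code below can be used as is, and I will rewrite it in Python when I have time.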

   function createTraceID() {
                var e = this;
                return e.headID + "01"
            }
  function createHeadID() {
                var e = this
                  , t = (new Date).getTime() + getRandom().toString()
                  , n = Number(t).toString(16)
                  , i = n.length
                  , s = n.slice(i - 6, i).toUpperCase();
              console.log(s)
                e.headID = s
            }
       function  getRandom() {
                return parseInt(90 * Math.random() + 10, 10)
            }
createHeadID()
console.log(createTraceID())

15 callback:

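Same as before

16 time:

Same as before

17 sig:

Same as before

18 elapsed:

Same as before

19 shaOne:

Same as before

Done: every parameter of the Baidu home page login flow has been worked out. Wait a moment ==

20 The most important one, password, has not been worked out yet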

https://passport.bdimg.com/passApi/js/loginv4_19d79ee.js

                        if (e.RSA && e.rsakey) {
                            var o = s;
                            o.length < 128 && !e.config.safeFlag && (i.password = baidu.url.escapeSymbol(e.RSA.encrypt(o)),
                            i.rsakey = e.rsakey,
                            i.crypttype = 12)
                        }

The key statement is i.password = baidu.url.escapeSymbol(e.RSA.encrypt(o))

    baidu.url.escapeSymbol = function(a) {
        return String(a).replace(/[#%&+=\/\\\ \ \f\r\n\t]/g, function(b) {
            return "%" + (256 + b.charCodeAt()).toString(16).substring(1).toUpperCase()
        })
    }

Just RSA-encrypt and Base64-encode, and that's it.

Request order
