aardio爬蟲) 實戰篇:逆向有道翻譯web介面

Python成长路發表於2024-05-06

前言

之前的文章把js引擎(aardio封裝庫) 微軟開源的js引擎(ChakraCore))寫好了,這篇文章整點js程式碼來測一下bug。測試網站:https://fanyi.youdao.com/index.html#/

逆向思路

逆向思路可以看有道翻譯js逆向(MD5加密,AES加密)附完整原始碼,逆向我就不贅述了。這篇文章說一下怎麼將文章中給的Python程式碼翻譯成aardio呼叫和扣js程式碼用ChakraCore呼叫。

扣js程式碼

有道翻譯的js是webpack,扣webpack主要有兩個內容,一個是載入器函式,還有就是實際呼叫的函式。這個可以去看b站志遠一期的內容,講的很詳細。

這個我看了下,把整個js放到nodejs裡執行就行,不需要扣函式,函式和函式之間關聯太多了,扣反而不方便。上面補個window,然後匯出成全域性函式。

91565這個函式在另一個js檔案裡,把整個大物件拿下來和e合併一下。

然後就可以直接呼叫

var r = n(91565)
console.log(r.createHash("md5").update("11111111").digest("hex"))

再封裝兩個函式給外部呼叫:

function md5(content){
    let r = n(91565);
    return r.createHash("md5").update(content).digest("hex");
};

function aes_cbc_decrypt(key, iv, content){
    let r = n(91565);
    let o = r.createHash("md5").update(key).digest();
    let a = r.createHash("md5").update(iv).digest() ; 
    let i = r.createDecipheriv("aes-128-cbc", o, a);
    let c = i.update(content, "base64", "utf-8");
    return c += i.final("utf-8");
};

測試了封裝的ChakraCore庫,有個莫名其妙的bug:如果不在js裡呼叫這兩個函式,那你再aardio使用run或者callFunction呼叫可能會報錯,測試了半天也沒找到具體原因,主要是ChakraCore的文件有點少。

沒辦法,目前只能在javaScript裡先呼叫一次,這個bug後面看看能不能解決

var decodeiv = "ydsecret://query/iv/C@lZe2YzHtZ2CYgaXKSVfsb7Y4QWHjITPPZ0nQp87fBeJ!Iv6v^6fvi2WN@bYpJ4";
var decodekey = "ydsecret://query/key/B*RGygVywfNBwpmBaZg*WT7SIOUP2T0C9WHMZN39j^DAdaZhAnxvGcCY6VYFwnHl";
var text = "";
// 需要先在js裡呼叫一次,不然aardio呼叫報錯
md5("1111")
aes_cbc_decrypt(decodekey, decodeiv, text)

用ChakraCore呼叫的完整程式碼(js檔案我放到了aardio-extlibs那個github倉庫裡作為ChakraCore的用例):

import console; 
import kirequests;
import ChakraCore;
io.open()
var core = ChakraCore()
core.start()

core.run(string.load("./有道翻譯.js"))

var client = "fanyideskweb";
var product = "webfanyi";
var key = "fsdsogkndfokasodnaso";
var signStr = `client=%s&mysticTime=%s&product=%s&key=%s`;

// 先請求主頁獲取cookie
var session = kirequests.session();
var url = "https://fanyi.youdao.com/index.html"
var resp = session.get(url);

// 要翻譯的內容
var word = "中國";
// 內容是什麼語言
var from = "auto";
// 想翻譯成什麼語言
var to = "";
var webtranslateApi = "https://dict.youdao.com/webtranslate";
var timestamp = tostring(tonumber(time())) + string.random(3,"1234567890");
var postData = {
	"i": word,
	"from": from,
	"to": to,
	"domain": "0",
	"dictResult": "true",
	"keyid": product,
	"client": client,
	"product": product,
	"appVersion": "1.0.0",
	"vendor": "web",
	"pointParam": "client,mysticTime,product",
	"mysticTime": timestamp,
	"keyfrom": "fanyi.web",
	"mid": "1",
	"screen": "1",
	"model": "1",
	"network": "wifi",
	"abtest": "0",
	"yduuid": "abcdefg"
}
var s = string.format(signStr, client,timestamp,product,key)
postData["sign"] =  core.callFunction("window.md5",s);
var resp = session.post(url=webtranslateApi,data=postData);
// 開始解密
var decodeiv = "ydsecret://query/iv/C@lZe2YzHtZ2CYgaXKSVfsb7Y4QWHjITPPZ0nQp87fBeJ!Iv6v^6fvi2WN@bYpJ4";
var decodekey = "ydsecret://query/key/B*RGygVywfNBwpmBaZg*WT7SIOUP2T0C9WHMZN39j^DAdaZhAnxvGcCY6VYFwnHl";
var result = core.callFunction("window.aes_cbc_decrypt", decodekey, decodeiv,resp.text)
console.log(result)
console.pause(true);

aardio實現

這裡在給個不用ChakraCore用上篇文章寫的aes庫呼叫的程式碼。

import console; 
import kirequests;
import kicrypt.aes;
import crypt;
import crypt.bin;


var client = "fanyideskweb";
var product = "webfanyi";
var key = "fsdsogkndfokasodnaso";
var signStr = `client=%s&mysticTime=%s&product=%s&key=%s`;

// 先請求主頁獲取cookie
var session = kirequests.session();
var url = "https://fanyi.youdao.com/index.html"
var resp = session.get(url);

// 要翻譯的內容
var word = "hello";
// 內容是什麼語言
var from = "auto";
// 想翻譯成什麼語言
var to = "";
var webtranslateApi = "https://dict.youdao.com/webtranslate";
var timestamp = tostring(tonumber(time())) + string.random(3,"1234567890");
var postData = {
	"i": word,
	"from": from,
	"to": to,
	"domain": "0",
	"dictResult": "true",
	"keyid": product,
	"client": client,
	"product": product,
	"appVersion": "1.0.0",
	"vendor": "web",
	"pointParam": "client,mysticTime,product",
	"mysticTime": timestamp,
	"keyfrom": "fanyi.web",
	"mid": "1",
	"screen": "1",
	"model": "1",
	"network": "wifi",
	"abtest": "0",
	"yduuid": "abcdefg"
}

postData["sign"] = crypt.md5(string.format(signStr, client,timestamp,product,key),false);
var resp = session.post(url=webtranslateApi,data=postData);
// 開始解密
var decodeiv = "ydsecret://query/iv/C@lZe2YzHtZ2CYgaXKSVfsb7Y4QWHjITPPZ0nQp87fBeJ!Iv6v^6fvi2WN@bYpJ4";
var decodekey = "ydsecret://query/key/B*RGygVywfNBwpmBaZg*WT7SIOUP2T0C9WHMZN39j^DAdaZhAnxvGcCY6VYFwnHl";
var key = string.unhex(crypt.md5(decodekey,false),"")
var iv = string.unhex(crypt.md5(decodeiv,false),"")
var aesObj = kicrypt.aes(key, iv);
var data = crypt.bin.decodeUrlBase64(resp.text)
var result = aesObj.decrypt(data, kicrypt.aes.CBC)
console.log(result)
console.pause(true);

本文由部落格一文多發平臺 OpenWrite 釋出!

相關文章