篇幅有限

完整内容及源码关注公众号：ReverseCode，发送冲

http://www.jycinema.com/wap/#/register

抓包

登录url:

POST http://www.jycinema.com/frontUIWebapp/appserver/photoMessageService/newsSendMessage

参数：

params:ey622Jt557b2114Jp469bG373VO310dW8741i248ZX535Ii076Oi988Ix997NT571gw811Nj907Iw911ND991A5893NS763Is198In627Nl690bm498RU398eX141Bl991Ij727oi670cm475Vn649Ii854wi037Y2151hh831bm4625l109bE023lk146Ij946o3769LC284Jj066aG622Fu333bm353Vs667Q26149k642ZS856I6624Ik524ow241MD637A1091Ii342wi356bW787Vt825Ym215Vy105SW604Qi506Oi857Ii850fQ497==152

分析

ey开头是base64中的{，fq是base64中的}，有可能是base64加密

搜索photoMessageService/newsSendMessage

定义了sendMg属性，那么必定被调用才发起请求，搜索.sendMg

点击获取验证码,请求参数中$scope.registerData.tel就是我们提交的手机号，那么加密必然是在getData中

跟进getData后对params进行处理生成{"mobileNumber":"15806204095","sendType":"reg","channelId":7,"channelCode":"J0005","memberId":""}

并发现了密码加密的函数，在下方通过$rootScope.getEncryption(params.params)调用生成密码。

由于Base64.encode有utf-8乱码问题，无法直接使用，var re_btou = new RegExp(["[À-ß][-¿]", "[à-ï][-¿]{2}", "[ð-÷][-¿]{3}"].join("|"),"g");通过base64.js源码提供Base64.encode(value)实现params加密关键函数getEncryption。

爬虫实现

由于个人的js学的太孬了，在python调用js时报错execjs._exceptions.ProgramError: ReferenceError: Base64 is not defined,那么我只能避开，使用python实现base64加密并作为参数传入调用getEncryption。

import json
import requests
import execjs
import base64

from requests_toolbelt import MultipartEncoder

username = "15806204095"
psssword = "123456"
with open(r'jy_params.js', encoding='utf-8', mode='r') as f:
    JsData = f.read()
param = {"mobileNumber": "15806204095", "sendType": "reg", "channelId": 7, "channelCode": "J0005", "memberId": ""}
val = base64.b64encode(json.dumps(param).encode())
params = execjs.compile(JsData).call('getEncryption', val.decode())
print(params)
headers = {
    'Accept': 'application/json, text/plain, */*',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'zh-CN,zh;q=0.9',
    'Content-Length': '341',
    'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
    'Cookie': 'JSESSIONID=DD188088D4E4EAC0098C9CCBCC32E52F; Hm_lvt_62d04228e1f84e012c1d9c0227f722c3=1618618136; Hm_lpvt_62d04228e1f84e012c1d9c0227f722c3=1618618136',
    'Host': 'www.jycinema.com',
    'Origin': 'http://www.jycinema.com',
    'Proxy-Connection': 'keep-alive',
    'Referer': 'http://www.jycinema.com/wap/',
    'User-Agent': 'Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Mobile Safari/537.36',
}
data = {'params': params}
r = requests.post("http://www.jycinema.com/frontUIWebapp/appserver/photoMessageService/newsSendMessage", data,
                  headers=headers)
print(r.text)

{“msg”:”短信发送成功”,”count”:0,”status”:”S”}

完整源码请关注微信公众号：ReverseCode，回复：JS逆向