上一篇已经找到了post参数中的dv来源,今天继续往下看,回顾一上一篇中dv的相关js
var a = document.getElementById("dv_Input")
, c = {
gid: n.guideRandom || "",
username: n._SBCtoDBC(i.value),
countrycode: s,
bdstoken: n.bdPsWtoken,
tpl: n.config.product ? n.config.product : "",
vcodestr: n.getElement("smsHiddenFields_smsVcodestr").value,
vcodesign: n.getElement("smsHiddenFields_smsVcodesign").value,
verifycode: n._SBCtoDBC(n.getElement("confirmVerifyCode").value),
flag_code: n.config.voice_sms_flag,
dv: a ? a.value : window.LG_DV_ARG && window.LG_DV_ARG.dvjsInput || ""
}
dv来源window.LG_DV_ARG.dvjsInput,然后继续往下找LG_DV_ARG
function d(e) {
M && (x = e.token + "@" + S(e, e.token),
(1 & F.SendMethod) > 0 && c(x))
}
function c(n) {
var r = t.getElementById("dv_Input");
r && (r.value = n),
e.LG_DV_ARG.dvjsInput = n
}
其中重要只有x = e.token + “@” + S(e, e.token)
继续找到e.token的生成函数和S函数的源码
b.Token = "tk" + Math.random() + (new Date).getTime(),
function S(e, t) {
var r = new n(t)
, o = {
flashInfo: 0,
mouseDown: 1,
keyDown: 2,
mouseMove: 3,
version: 4,
loadTime: 5,
browserInfo: 6,
token: 7,
location: 8,
screenInfo: 9
}
, a = [r.iary([2])];
for (var i in e) {
var d = e[i];
if (void 0 !== d && void 0 !== o[i]) {
var c;
"number" == typeof d ? (c = d >= 0 ? 1 : 2,
d = r.int(d)) : "boolean" == typeof d ? (c = 3,
d = r.int(d ? 1 : 0)) : "object" == typeof d && d instanceof Array ? (c = 4,
d = r.bary(d)) : (c = 0,
d = r.str(d + "")),
d && a.push(r.iary([o[i], c, d.length]) + d)
}
}
return a.join("")
}
e.token生成很简单,就是随机数加上时间戳;s函数的作用就是拼接e对象里面的几个属性值,我们可以用一个固定值代替s函数的执行结果。
traceid
继续全局查找traceid只有下面js函数可疑,先看看
e.traceID = {
headID: e.traceID && e.traceID.headID || "",
flowID: e.traceID && e.traceID.flowID || "",
cases: e.traceID && e.traceID.cases || "",
initTraceID: function(e) {
var t = this;
e && e.length > 0 ? (t.headID = e.slice(0, 6),
t.flowID = e.slice(6, 8)) : t.destory()
},
createTraceID: function() {
var e = this;
return e.headID + e.flowID + e.cases
},
startFlow: function(e) {
var t = this
, n = t.getFlowID(e);
0 === t.flowID.length || t.flowID === n ? (t.createHeadID(),
t.flowID = n) : t.finishFlow(n)
},
finishFlow: function() {
var e = this;
e.destory()
},
getRandom: function() {
return parseInt(90 * Math.random() + 10, 10)
},
createHeadID: function() {
var e = this
, t = (new Date).getTime() + e.getRandom().toString()
, n = Number(t).toString(16)
, i = n.length
, s = n.slice(i - 6, i).toUpperCase();
e.headID = s
},
getTraceID: function(e) {
var t = this
, n = e && e.traceid || "";
t.initTraceID(n)
},
getFlowID: function(e) {
var t = {
login: "01",
reg: "02"
};
return t[e]
},
setData: function(e) {
var t = this;
return e.data ? e.data.traceid = t.createTraceID() : e.url = e.url + (e.url.indexOf("?") > -1 ? "&" : "?") + "traceid=" + t.createTraceID(),
e
},
destory: function() {
var e = this;
e.headID = "",
e.flowID = ""
}
};
createTraceID:return e.headID + e.flowID + e.cases其中e.case是固定的01,e.headID+e.flowID需要按下面js执行
e.traceID.initTraceID()
undefined
e.traceID.createHeadID()
undefined
e.traceID.createTraceID()
"C23F67"
但是注意e对象定义的时候应该给他赋值,不然返回是空,完整如下
var e = {a: 1, b: 1, c: 1}
e.traceID = {
headID: e.traceID && e.traceID.headID || "",
flowID: e.traceID && e.traceID.flowID || "",
cases: e.traceID && e.traceID.cases || "",
initTraceID: function(e) {
var t = this;
e && e.length > 0 ? (t.headID = e.slice(0, 6),
t.flowID = e.slice(6, 8)) : t.destory()
},
省略········
getFlowID: function(e) {
var t = {
login: "01",
reg: "02"
};
return t[e]
},
setData: function(e) {
var t = this;
return e.data ? e.data.traceid = t.createTraceID() : e.url = e.url + (e.url.indexOf("?") > -1 ? "&" : "?") + "traceid=" + t.createTraceID(),
e
},
destory: function() {
var e = this;
e.headID = "",
e.flowID = ""
}
};
{headID: "", flowID: "", cases: "", initTraceID: ƒ, createTraceID: ƒ, …}
e
{a: 1, b: 1, c: 1, traceID: {…}}
e.traceID.initTraceID
ƒ (e) {
var t = this;
e && e.length > 0 ? (t.headID = e.slice(0, 6),
t.flowID = e.slice(6, 8)) : t.destory()
}
e.traceID.initTraceID()
undefined
e.traceID.createHeadID()
undefined
e.traceID.createTraceID()+"01"
"C23F6701"
至于密码的RSA算法的js分析就不理了,到此百度post的参数分析就完结了。文章是边分析边写,可能有些地方有点混乱,在后面如果有时间的话会在完整是重塑一遍,并用Python完整实现登陆。
ID:Python之战
|作|者|公(zhong)号:python之战
专注Python,专注于网络爬虫、RPA的学习-践行-总结
喜欢研究技术瓶颈并分享,欢迎围观,共同学习。
独学而无友,则孤陋而寡闻!