Analyzing the NetEase Youdao online translation interface with Python and cracking its JS encryption

Project Objectives

Analyze the key parameters of the NetEase Youdao translation interface and crack the JS encryption applied to them. In essence, this means working out in detail how the interface's key parameters are encrypted, and then simulating that encryption in our own code.

Tips

What is this good for? Your own site could call this interface to translate text, which means you could build a translation website. However, the interface belongs to someone else, so using it that way is unethical (ha ha, at any rate it is hard to get past that in good conscience), and if you deploy such a website on a server it may carry legal risk.

Project Analysis

1. Open Google Chrome and enter the URL of Youdao Translate.
2. Press F12 to open the developer tools, click Network and select XHR, which lists the asynchronous data requests made by the page's JS. When you type python into the translation box, the page sends an asynchronous request for the translation; we need to find that request, whose response carries the translated content.
3. Having found the request, look at its URL and the parameters it needs. In the screenshots, a red arrow marks the request URL, a red box marks the request headers, and a red arrow marks the request parameters.
4. To simulate the browser's asynchronous request in code we need the URL, the request headers and the request parameters. Note whether it is a POST request or a GET request.
Code Example:

import requests

data = {
    "i": "python",
    "from": "AUTO",
    "to": "AUTO",
    "smartresult": "dict",
    "client": "fanyideskweb",
    "salt": "15820940749399",
    "sign": "45994e3946b32fea4d9a53065ca6c622",
    "ts": "1582094074939",
    "bv": "7bcd9ea3ff9b319782c2a557acee9179",
    "doctype": "json",
    "version": "2.1",
    "keyfrom": "fanyi.web",
    "action": "FY_BY_REALTlME",
}

headers = {
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Accept-Encoding": "gzip, deflate",
    "Accept-Language": "zh-CN,zh;q=0.9",
    "Connection": "keep-alive",
    "Content-Length": "239",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "Cookie": "[email protected]; OUTFOX_SEARCH_USER_ID_NCOO=1722240595.3583963; _ntes_nnid=748be7ae4227014517b57740c8415702,1582012592236; JSESSIONID=aaaGbBuv_q8yldGK66Bbx; ___rl__test__cookies=1582094074926",
    "Host": "fanyi.youdao.com",
    "Origin": "http://fanyi.youdao.com",
    "Referer": "http://fanyi.youdao.com/",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36",
    "X-Requested-With": "XMLHttpRequest",
}

# Initial URL
base_url = "http://fanyi.youdao.com/translate_o?smartresult=dict&smartresult=rule"
# Send the simulated POST request
response = requests.post(base_url, data=data, headers=headers)
# Parse the response as JSON
json_data = response.json()
print(json_data)

'''
Output:

{'translateResult': [[{'tgt': 'python', 'src': 'python'}]], 'errorCode': 0, 'type': 'en2zh-CHS', 'smartResult': {'entries': ['', 'n. 巨蟒;大蟒\r\n', 'n. (法)皮东(人名)\r\n'], 'type': 1}}

'''

5. The request succeeds. Next, try removing parameters to see which ones are actually needed and which are not: if removing a parameter produces an error, it is required; otherwise it can be dropped.
Code Example:

import requests

data = {
    "i": "python",
    # "from": "AUTO",
    # "to": "AUTO",
    # "smartresult": "dict",
    "client": "fanyideskweb",
    "salt": "15820940749399",
    "sign": "45994e3946b32fea4d9a53065ca6c622",
    # "ts": "1582094074939",
    # "bv": "7bcd9ea3ff9b319782c2a557acee9179",
    # "doctype": "json",
    # "version": "2.1",
    "keyfrom": "fanyi.web",
    # "action": "FY_BY_REALTlME",
}

headers = {
    # "Accept": "application/json, text/javascript, */*; q=0.01",
    # "Accept-Encoding": "gzip, deflate",
    # "Accept-Language": "zh-CN,zh;q=0.9",
    # "Connection": "keep-alive",
    # "Content-Length": "239",
    # "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "Cookie": "[email protected]; OUTFOX_SEARCH_USER_ID_NCOO=1722240595.3583963; _ntes_nnid=748be7ae4227014517b57740c8415702,1582012592236; JSESSIONID=aaaGbBuv_q8yldGK66Bbx; ___rl__test__cookies=1582094074926",
    # "Host": "fanyi.youdao.com",
    # "Origin": "http://fanyi.youdao.com",
    "Referer": "http://fanyi.youdao.com/",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36",
    # "X-Requested-With": "XMLHttpRequest",
}

# Initial URL
base_url = "http://fanyi.youdao.com/translate_o?smartresult=dict&smartresult=rule"
# Send the simulated POST request
response = requests.post(base_url, data=data, headers=headers)
# Parse the response as JSON
json_data = response.json()
print(json_data)

'''
{'translateResult': [[{'tgt': 'python', 'src': 'python'}]], 'errorCode': 0, 'type': 'en2zh-CHS', 'smartResult': {'entries': ['', 'n. 巨蟒;大蟒\r\n', 'n. (法)皮东(人名)\r\n'], 'type': 1}}
'''

6. Result of analyzing the parameters above:
After some trial and error, the parameters left uncommented above turn out to be the required ones. Without them the response is the unwanted {"errorCode": 50}, or the server complains that key parameters are missing.

{"errorCode":50}

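7. After several attempts we find that "salt", "sign" and "i" are the parameters that vary. "i" is the word to look up, which leaves "salt" and "sign".
Note: if you copy the code above and run it yourself, it will print the error shown above, because "salt" and "sign" are encrypted parameters generated by the page's JS.
So let's track down the parameter called "salt":

8. Search for the parameter name in the search bar; it turns up in a file called fanyi.min.js. This is a JS file, so our guess was right: the parameter is encrypted by this JS file. Open it.
9. Copy the data from the Response tab into an online formatter to pretty-print the JS.
10. Once the code is formatted, paste it into PyCharm and use Ctrl+F to search for how the parameter is generated. The useful fragments found are: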

o = r.generateSaltSign(t);

data: {
    i: e.i,
    client: e.client,
    salt: o.salt,
    sign: o.sign,
    ts: o.ts,
    bv: o.bv,
    tgt: e.tgt,
    from: e.from,
    to: e.to,
    doctype: "json",
    version: "3.0",
    cache: !0
}

r = "" + (new Date).getTime(),
i = r + parseInt(10 * Math.random(), 10);
return {
    ts: r,
    bv: t,
    salt: i,
    sign: n.md5("fanyideskweb" + e + i + "n%A-rKaT5fb[Gy?;N5@Tj")
}

i = r(t);

data: {
    i: e.i,
    client: "fanyideskweb",
    salt: i.salt,
    sign: i.sign,
    ts: i.ts,
    bv: i.bv,
    tgt: e.tgt,
    modifiedTgt: e.modifiedTgt,
    from: e.from,
    to: e.to
}

r = v.generateSaltSign(n)

{
    i: n,
    from: S,
    to: E,
    smartresult: "dict",
    client: k,
    salt: r.salt,
    sign: r.sign,
    ts: r.ts,
    bv: r.bv,
    doctype: "json",
    version: "2.1",
    keyfrom: "fanyi.web",
    action: e || "FY_BY_DEFAULT"
}

11. From these clues we can piece the fragments above together.
Obtaining the salt parameter:
Since i = r + parseInt(10 * Math.random(), 10) and r = "" + (new Date).getTime(), i equals
"" + (new Date).getTime() + parseInt(10 * Math.random(), 10)

salt = o.salt = i = r + parseInt(10 * Math.random(), 10)
     = "" + (new Date).getTime() + parseInt(10 * Math.random(), 10)

So what is (new Date).getTime()?
Typing (new Date).getTime() into the browser console returns what looks like a timestamp, so we go and verify that.
Conclusion: the check succeeds, so (new Date).getTime() is a timestamp.
That leaves one more expression, which we also test in the console.

Conclusion: after several runs, parseInt(10 * Math.random(), 10) turns out to be a random integer below 10.
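13. Obtaining the sign parameter:

sign = o.sign = n.md5("fanyideskweb" + e + i + "n%A-rKaT5fb[Gy?;N5@Tj")

We can debug the JS in Chrome. First, using the URL of the fanyi.min.js file, locate the line sign: n.md5("fanyideskweb" + e + i + "Nw(nmmbP%A-r6U3EUn]Aj") under Sources.
Then set a breakpoint (the black arrow in the screenshot) and type python into the page's translation box again. Step through with the last button in the yellow box; when execution reaches the line after the one in the red box, we can see that the python the black arrow points to equals the value of e. Both are python, which identifies the parameter e.
Conclusion: debugging shows that e is the text to translate and i is the salt. Concatenating all the arguments and strings inside the parentheses and taking the MD5 of the result gives the sign parameter.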

The analysis is complete; now we simulate the encryption process in code.

Code Example

import hashlib
import random
import time

import requests


def md5(value):
    # Create the MD5 hash object
    md5_obj = hashlib.md5()
    # Feed it the UTF-8 encoded string
    md5_obj.update(bytes(value, encoding="utf-8"))
    # Hex digest (32 hexadecimal characters)
    sign = md5_obj.hexdigest()
    return sign


def youdao(kw):
    # Target URL
    base_url = "http://fanyi.youdao.com/translate_o?smartresult=dict&smartresult=rule"
    # Generate salt: millisecond timestamp followed by one random digit
    salt = str(int(time.time() * 1000)) + str(random.randint(0, 9))
    # Generate sign
    sign = md5('fanyideskweb' + kw + salt + "n%A-rKaT5fb[Gy?;N5@Tj")

    data = {
        "i": kw,
        # "from":"AUTO",
        # "to":"AUTO",
        # "smartresult":"dict",
        "client": "fanyideskweb",
        "salt": salt,
        "sign": sign,
        # "ts":"1581937772025",
        # "bv":"7bcd9ea3ff9b319782c2a557acee9179",
        # "doctype":"json",
        # "version":"2.1",
        "keyfrom": "fanyi.web",
        # "action":"FY_BY_REALTlME",
    }
    headers = {
        # "Accept":"application/json, text/javascript, */*; q=0.01",
        # "Accept-Encoding":"gzip, deflate",
        # "Accept-Language":"zh-CN,zh;q=0.9",
        # "Connection":"keep-alive",
        # "Content-Length":"239",
        # "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
        "Cookie": "[email protected]; JSESSIONID=aaaPMpcGOu58rahSSJsbx; OUTFOX_SEARCH_USER_ID_NCOO=1722240595.3583963; ___rl__test__cookies=1581937772017",
        # "Host":"fanyi.youdao.com",
        # "Origin":"http://fanyi.youdao.com",
        "Referer": "http://fanyi.youdao.com/",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36",
        # "X-Requested-With":"XMLHttpRequest",
    }

    # Send the request
    response = requests.post(base_url, data=data, headers=headers, timeout=10)
    # Parse the response
    json_data = response.json()
    # smartResult is absent when the request is rejected, e.g. {"errorCode": 50}
    if "smartResult" not in json_data:
        print(json_data)
        return None
    data_list = json_data["smartResult"]["entries"]
    print(data_list)
    return data_list


if __name__ == '__main__':
    kw = input("你要查询的单词")
    youdao(kw)

Entering the word guess at the console gives this output:

'''
['', 'n. 猜测;推测\r\n', 'vi. 猜;推测;猜中\r\n', 'vt. 猜测;认为;推测;猜中\r\n']
'''

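That's it: we have successfully cracked the JS encryption of some of the NetEase Youdao interface's parameters.

Note:
The cookie here has to be your own cookie from the online NetEase Youdao dictionary web page.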
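
The analysis above shows that sign is an MD5 digest over values the client already holds, and step 5 shows a captured salt/sign pair being accepted again later. As an added example (not from the original post and not Youdao's server code), this sketch shows a server-side check of the same parameter format with the freshness and replay checks that a bare digest comparison lacks. PAGE_CONSTANT, MAX_SKEW_MS and verify_request are hypothetical names, and the constant is a placeholder rather than the string from the page.

```python
import hashlib
import hmac

CLIENT = "fanyideskweb"              # client id, as seen in the page's requests
PAGE_CONSTANT = "EXAMPLE-CONSTANT"   # placeholder for the string embedded in the JS
MAX_SKEW_MS = 30_000                 # assumed freshness window (hypothetical)


def make_sign(text, salt, constant=PAGE_CONSTANT):
    """sign = md5(client + text + salt + constant), the formula found in the JS."""
    raw = CLIENT + text + salt + constant
    return hashlib.md5(raw.encode("utf-8")).hexdigest()


def verify_request(params, now_ms, seen_salts):
    """Return 'ok', or the reason the request is rejected."""
    text, salt, sign = params.get("i"), params.get("salt"), params.get("sign")
    if not (text and salt and sign):
        return "missing_parameter"
    # salt = millisecond timestamp followed by one random digit
    if not (salt.isascii() and salt.isdigit() and len(salt) >= 2):
        return "bad_salt"
    expected = make_sign(text, salt)
    # Constant-time comparison of the two hex digests
    if not hmac.compare_digest(sign.encode("utf-8"), expected.encode("utf-8")):
        return "bad_sign"
    # Freshness: the timestamp inside the salt must be close to server time
    if abs(now_ms - int(salt[:-1])) > MAX_SKEW_MS:
        return "stale"
    # Replay: each salt is accepted once
    if salt in seen_salts:
        return "replay"
    seen_salts.add(salt)
    return "ok"


if __name__ == "__main__":
    # Constructed sample request, reusing the salt format shown on the page
    now = 1582094074939
    salt = "15820940749399"
    req = {"i": "python", "salt": salt, "sign": make_sign("python", salt)}
    seen = set()
    print(verify_request(req, now, seen))             # first use
    print(verify_request(req, now, seen))             # same pair sent again
    print(verify_request(req, now + 60_001, set()))   # same pair a minute later
```

Because the constant ships in the page's JavaScript, the sign only binds i to salt and does not authenticate the caller, so access control has to rest on something the client cannot read.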


Origin blog.csdn.net/lujiangyang123/article/details/104391784