|
|
import base64import binasciiimport ctypesimport gzipimport hashlibimport jsonimport timefrom urllib.parse import quote, urlparse, parse_qs, quote_plus
from Crypto.Cipher import AESfrom Crypto.Util.Padding import pad, unpad
def encrypt_aes_cbc(plaintext): key = "z7Jut6Ywr2Pe5Nhx".encode("utf-8") iv = "0807060504030201".encode("utf-8") cipher = AES.new(key, AES.MODE_CBC, iv) ciphertext = cipher.encrypt(pad(bytes.fromhex(plaintext), AES.block_size)) return base64.b64encode(ciphertext).decode()
def decrypt_aes_128_cbc(ciphertext): """
"""
key = "z7Jut6Ywr2Pe5Nhx".encode("utf-8") iv = "0807060504030201".encode("utf-8") cipher = AES.new(key, AES.MODE_CBC, iv) plaintext = cipher.decrypt(base64.b64decode(ciphertext)) strs = binascii.b2a_hex(plaintext).decode() print(strs, len(strs)) return binascii.b2a_hex(unpad(plaintext, AES.block_size))
def md5_(bytearray): md5 = hashlib.md5() md5.update(bytearray) result = md5.hexdigest() # print(result) return result
def hex_2_str(v: int): v = v & 0xffffffff # 将结果转换为32位有符号整数 return str(hex(v))[2:]
def get_md5Array(hex_md5): md5_list = [hex_md5[i: i + 8] for i in range(0, len(hex_md5), 8)]
for j in range(len(md5_list)): m = [md5_list[j][i: i + 2] for i in range(0, len(md5_list[j]), 2)] md5_list[j] = "".join(m[::-1]) # print(md5_list) md5_int_list = [] for q in md5_list: decimal_num = int(q, 16) # decimal_num = is_overflow(decimal_num) md5_int_list.append(decimal_num)
# print(md5_int_list)
return md5_int_list
def hex_reserve(i): st1 = hex_2_str(i) st1 = '0' * (8 - len(st1)) + st1 if len(st1) < 8 else st1 return "".join([st1[i: i + 2] for i in range(0, len(st1), 2)][::-1])
def logical_left_shift(n, bits): # 有符号左移 return ctypes.c_int(n << bits).value
def logical_right_shift(n, bits): # 无符号右移 return (n % 0x100000000) >> bits
def python_2_js(value, size): # python转为和js一样 ^ return (value ^ size) % (2**32)
def iu(jo): jp = [] for jq in range(0, len(jo), 2): jr = jo[jq:jq + 2] js = int(jr, 16) jp.append(js) # print(jp) return jp
def ix(jo): if jo is None: jo = []
jp = ["0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "a", "b", "c", "d", "e", "f"]
result = "".join([jp[jo_item >> 4 & 15] + jp[15 & jo_item] for jo_item in jo])
return result
def is_(jo): jp = quote(jo) # print(jp) jq = [] jr = 0 while jr < len(jp): js = jp[jr] if "%" == js: jt = jp[jr + 1] + jp[jr + 2] ju = int(jt, 16) jq.append(ju) jr += 2 else: jq.append(ord(js[0])) jr += 1
# print(len(jq), jq) return jq
def _iD(jo): raw_table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=' new_table = 'ZmserbBoHQtNP+wOcza/LpngG8yJq42KWYj0DSfdikx3VT16IlUAFM97hECvuRX5=' dictionary_decode = str.maketrans(new_table, raw_table) # 创建字符映射关系 用于base64decode dictionary_encode = dict(zip(dictionary_decode.values(), dictionary_decode.keys())) # 创建一个与上面反向的映射关系用于base64encode result_b64 = base64.b64encode(bytearray(jo)).decode() new_result_b64 = result_b64.translate(dictionary_encode) # print(new_result_b64) return new_result_b64
def get_k2(jo, jp): """
iO(jo, jp) jo: url相关的数组 jp: 时间戳 """
m = len(jo) % 4 jj = jp ^ len(jo) ju = 1540483477 # 固定
# 每四个为一组 for i in range(0, len(jo) - m, 4): tmp1 = (jo[i] & 255) | logical_left_shift((jo[i + 1] & 255), 8) tmp2 = logical_left_shift((jo[i + 2] & 255), 16) tmp3 = tmp1 | tmp2 tmp4 = tmp3 | logical_left_shift(jo[i + 3] & 255, 24)
tmp5 = (tmp4 & 65535) * ju tmp6 = logical_left_shift((((logical_right_shift(tmp4, 16)) * ju) & 65535), 16) tmp7 = tmp5 + tmp6
tmp8 = python_2_js(tmp7, logical_right_shift(tmp7, 24)) tmp9 = (tmp8 & 65535) * ju tmp10 = logical_left_shift((((logical_right_shift(tmp8, 16)) * ju) & 65535), 16) tmp11 = tmp9 + tmp10
tmp12 = (jj & 65535) * ju tmp13 = logical_left_shift((((logical_right_shift(jj, 16)) * ju) & 65535), 16) tmp14 = tmp12 + tmp13
jj = python_2_js(tmp11, tmp14)
i = i + 4 if m == 3: jj = python_2_js(jj , logical_left_shift(255 & jo[i + 2], 16)) jj = python_2_js(jj , logical_left_shift(255 & jo[i + 1], 8)) jj = python_2_js(jj, (255 & jo[i])) jj = (65535 & jj) * ju + logical_left_shift(logical_right_shift(jj, 16) * ju & 65535, 16) elif m == 2: jj = python_2_js(jj , logical_left_shift(255 & jo[i + 1], 8)) jj = python_2_js(jj, (255 & jo[i])) jj = (65535 & jj) * ju + logical_left_shift(logical_right_shift(jj, 16) * ju & 65535, 16) elif m == 1: jj = python_2_js(jj, (255 & jo[i])) jj = (65535 & jj) * ju + logical_left_shift(logical_right_shift(jj, 16) * ju & 65535, 16)
tmp0 = python_2_js(jj, logical_right_shift(jj, 13)) tmp1 = (tmp0 & 65535) * ju tmp2 = logical_left_shift((logical_right_shift(tmp0, 16) * ju) & 65535, 16) tmp3 = tmp1 + tmp2
tmp4 = logical_right_shift(python_2_js(tmp3, logical_right_shift(tmp3, 15)), 0)
res = ctypes.c_int(tmp4 ^ ju).value # print(res) return res
def iy(jo, jq): jr = 0 js = 0 jt = [] ju = len(jq) # print(f"{jq} 长度为 {ju}") for jv in range(ju): jr = (jr + 1) % 256 js = (js + jo[jr]) % 256 jp = jo[jr] jo[jr] = jo[js] jo[js] = jp jt.append(ord(jq[jv]) ^ jo[(jo[jr] + jo[js]) % 256])
return jt
def get_k1(jZ, jp): array1 = [i for i in range(256)] array2 = jZ jr = 0 for i in range(256): jt = i % 256 n = i % 16 js = array1[jt] jr = (jr + js + array2[n] + 31) % 256 array1[jt] = array1[jr] array1[jr] = js
# print(f"ararry1 => {array1}") jt_ = iy(array1, jp) # print(f"_arrary1 => {array1}") jZ.extend(jt_) # print(f" jZ => {len(jZ)} => {jZ}")
k1 = _iD(jZ) # a5 return k1
def get_kh(jS, kb, kf, x0=4): m = [0] * 2 m[0] = jS << x0 m[1] = jS << (32 - x0) m[0] = m[0] | m[1] kg = m[0] kf[0] = kf[0] ^ kg kf[1] = kf[1] ^ kb kf[2] = kf[2] ^ kb ^ kg kf[3] = kf[3] ^ kf[0]
kh_list = [] for i in kf: kh_list.append(hex_reserve(i))
kh = "".join(kh_list) return kh
def iv(jo): jp = [] jp.append((jo >> 24) & 255) jp.append((jo >> 16) & 255) jp.append((jo >> 8) & 255) jp.append(jo & 255) return jp
def bc(p): t = 256 f = [None] * t while t: c = 8 t -= 1 a = t while c: if a & 1: a = python_2_js(logical_right_shift(a, 1), 3988292384) else: a = logical_right_shift(a, 1) c -= 1
f[t] = logical_right_shift(a, 0)
c = 0 t = -1 while c < len(p): t = f[python_2_js(255 & t, p[c])] ^ logical_right_shift(t, 8) c += 1
return python_2_js(t, 306674911) - 2 ** 32
def get_a6(a6): """
直接读取a6 并修改a6的部分内容 :return: """
env = from_a6(a6[4:]) A = gzip.compress(env.encode("utf-8"), compresslevel=1) C = encrypt_aes_cbc(A.hex()) C = "w1.3" + C return C
def get_JP(url): """
处理url """
parse_result = urlparse(url) path = parse_result.path param_dict = parse_qs(parse_result.query) param_list = list(param_dict.keys()) param_list.sort() # 排序从小到大 params = "&".join([f'{i}={quote_plus(param_dict[i][0])}' for i in param_list])
target_ = f"GET {path} {params}" JP = is_(target_) return JP
def get_a5(i, y, qa): """
a5 生成 """
d = i & 4294967295 p = iv(d) g = [] g.extend(is_(y)) g.extend(p)
v = md5_(bytearray(g)) m = iu(v[:15]) f = 0 # env 环境值 m[7] = 255 & (f ^ bc(p)) m.extend(p) l = iv(4294967295 & bc(m)) m.extend(l) a5 = get_k1(m, qa) return a5
def get_main(i, a6, a3, a7, url, jq): # i = 1723618362188 # 时间戳 TODO:需要二次处理 o = i & 4294967295 a5 = get_a5(i, a6, jq)
tmp = is_(a6) l = iv(o) tmp.extend(l) g = bytearray(tmp) v = md5_(g) w = get_JP(url) S = get_k2(w, i) C = iv(S) A = get_k2(bytearray(is_(a5)), i) I = iv(A) c = [S, A, S ^ o, S ^ A ^ o] O = iu("".join([hex_reserve(i) for i in c]))
tmp = [] tmp.extend(C) tmp.extend(I) tmp.extend(O) D = ix(tmp) # a4
d = logical_right_shift(A, 0) T = f"1.2{i}{a3}{D}{d}{v}{a7}" tmp = md5_(bytearray(is_(T))) j = get_md5Array(tmp) d1 = get_kh(o, d, j, x0=3) # 到这一步就是 小程序的 d1
mtgsig = { "a1": "1.2", "a2": i, # 时间戳 估计有校验 "a3": a3, # 服务器下发 "a4": D, # 计算 "a5": a5, # 计算 暂时不清楚入参 "a6": a6, # 计算环境 需要确定环境信息 "a7": a7, # wxcode 固定 "x0": 3, # 固定 "d1": d1 # 计算 比h5少一步 }
return mtgsig
def from_a6(a6): """
根据版本迭代 a6 :param a6: :return: """
decode_res = decrypt_aes_128_cbc(a6) plain_text = gzip.decompress(bytes.fromhex(decode_res.decode())) p = json.loads(plain_text.decode()) p[-3] = int(time.time()) # 修改时间戳 p[-4][-6] = "3.9.12" # 修改版本 p[-4][-9] = "3.6.3" # 修改另外一个版本 **目前没有看到其他的需要修改的地方 res = json.dumps(p, ensure_ascii=False, separators=(',', ':')) return res
def mtgsig_run(url, b8, a3, a6): """
mtgsig 对外调用接口 :param url: 需要加密的链接 :param b8: 累加 :param a3: a3服务器下发 暂时写死 :param a6: 目标设备环境 :return: """
a6 = get_a6(a6) a7 = "wx734c1ad7b3562129" # m = 1723688535465 i = int(time.time() * 1000) # diff = i - m # i = i - diff # 处理时间 这块暂时先写死 _jq = {"b7": int(time.time()) - 200, "b1": {"miniProgram": {"appId": "wx734c1ad7b3562129", "envVersion": "release", "version": "9.37.232"}}, "b6": "", "b8": b8, "b2": "pages/poi/poi"}
jq = json.dumps(_jq, separators=(',', ':')) mtgsig = json.dumps(get_main(i, a6, a3, a7, url, jq), ensure_ascii=False, separators=(',', ':')) return mtgsig
if __name__ == '__main__': url = "https://mapi.dianping.com/mapi/wechat/weshop.bin?yodaReady=wx&csecappid=wx734c1ad7b3562129&csecplatform=3&csecversionname=9.64.0&csecversion=1.4.0&optimus_uuid=18b229261a3c8-c53ac1e606702-0-0-18b229261a3c8&optimus_platform=13&optimus_partner=203&optimus_risk_level=71&optimus_code=10&redirect_from=pages%252Fdetail%252Fdetail&shopUuid=k9Kcg8I6w4GBcuGF&shopType=10&shopStyle=bigpic&online=1&shopuuid=k9Kcg8I6w4GBcuGF&pageName=shop&lat=40.055335628194634&lng=116.35128357647478&mtsiReferrer=pages%252Fdetail%252Fdetail%253Fredirect_from%253Dpages%25252Fdetail%25252Fdetail%2526shopUuid%253Dk9Kcg8I6w4GBcuGF%2526shopType%253D10%2526shopStyle%253Dbigpic%2526online%253D1%2526shopuuid%253Dk9Kcg8I6w4GBcuGF%2526shopId%253Dk9Kcg8I6w4GBcuGF%2526pageName%253Dshop&cookieid=-4TzrChF1yPgyQBn5D7NrKC2_vuFu9oL8DiAq28T-Kk&device_system=MAC&wxmp_version=9.64.0" # print(mtgsig_run(url)) a6 = "w1.3grvNcRFZkE6QoEQ31ALPuc415J6/VKamSdeIXCVWX/DGsGA+taQlBpn7QF0z/ffrSmLkkQW0dqtDnWECJyGr9iFEhTKHYlyKRbYWwffNlvlDZ9tmFet/PyCSfKJw7xVZe8/4QYaAcbk1eJ7tWMUQllVcQDKlxku5Smml4r566JVAOGi48LCGAHxImhjIuI2KomDqOtCQb7Ii2cbGd2Y7vmWjypGGJbTtrztH/1weiEULAxadX72+RdjpXDa8UMgGbVmEUu5LLIwoyNEi6leK6f/QvV9/EvVfb5vtKyL5IAQND5B9g5qndP4GOuTftOM2ylQKb4rguR4TEQsR3uyruBJusZlID67k1d8jPCM+ol2mbFJP88EfBwnrQ+BSDWfVQjjfIj2mWpEnI+oA72gkPxuHteESJaXzZz94udFusf1tUtdf0q15QiQPSBX7JjK2P/lLHMfe+867ZiGMyoivxisrw1d9bbal27BjMTm32IrAN+ywQFoP9bHXNThdxmai" print(get_a6(a6)) print(from_a6(a6[4:]))
|
