今日头条的as、cp破解

对今日头条的文章进行抓包时发现其url含有加密字段，如下
https://www.toutiao.com/api/pc/feed/?category=news_tech&utm_source=toutiao&widen=1&max_behot_time=1520569508&max_behot_time_tmp=1520569508&tadrequire=true&as=A1759A0A0293F8B&cp=5AA2A37F485B4E1&_signature=2jBH6gAAgJpfzO2xq4QUd9owR.

主要有三个字段需要破解’as’、’cp’、’_signature’

首先使用Chrome浏览器，打开调试，在Sources的 s3a.pstatp.com/toutiao/resource/ntoutiao_web/page/home/whome/
下找到js文件home_d09f00f.js，找到下面两段代码

e.getHoney = function () {
        var t = Math.floor((new Date).getTime() / 1e3),
        e = t.toString(16).toUpperCase(),
        i = md5(t).toString().toUpperCase();
        if (8 != e.length)
            return {
                as: "479BB4B7254C150",
                cp: "7E0AC8874BB0985"
            };
        for (var n = i.slice(0, 5), a = i.slice(-5), s = "", o = 0; 5 > o; o++)
            s += n[o] + e[o];
        for (var r = "", c = 0; 5 > c; c++)
            r += e[c + 3] + a[c];
        return {
            as: "A1" + s + e.slice(-3),
            cp: e.slice(0, 3) + r + "E1"
        }
    },

function e(t) {
        var e = ascp.getHoney(),
        i = "";
        window.TAC && (i = TAC.sign("refresh" === t ? 0 : r.params.max_behot_time_tmp)),
        r.params = _.extend({}, r.params, {
                as: e.as,
                cp: e.cp,
                max_behot_time: "refresh" === t ? 0 : r.params.max_behot_time_tmp,
                _signature: i
            })
    }

上述代码中的md5(t)可以用python实现，如下

import hashlib
import time

def md5_encrypt():
    t=int(time.time())
    m=hashlib.md5()
    m.update(str(t).encode(encoding='utf8'))
    return m.hexdigest()

也可以直接调用
s3.pstatp.com/toutiao/resource/ntoutiao_web/static/js/common/
下的js文件lib_060bfbf.js中的函数，新建toutiao.js，根据调试过程，编写代码如下：

function t(e, t) {
        var n = (65535 & e) + (65535 & t),
        r = (e >> 16) + (t >> 16) + (n >> 16);
        return r << 16 | 65535 & n
    }
function n(e, t) {
    return e << t | e >>> 32 - t
}
function r(e, r, o, i, u, a) {
    return t(n(t(t(r, e), t(i, a)), u), o)
}
function o(e, t, n, o, i, u, a) {
    return r(t & n | ~t & o, e, t, i, u, a)
}
function i(e, t, n, o, i, u, a) {
    return r(t & o | n & ~o, e, t, i, u, a)
}
function u(e, t, n, o, i, u, a) {
    return r(t ^ n ^ o, e, t, i, u, a)
}
function a(e, t, n, o, i, u, a) {
    return r(n ^ (t | ~o), e, t, i, u, a)
}
function s(e, n) {
    e[n >> 5] |= 128 << n % 32,
    e[(n + 64 >>> 9 << 4) + 14] = n;
    var r,
    s,
    c,
    l,
    f,
    p = 1732584193,
    d = -271733879,
    h = -1732584194,
    m = 271733878;
    for (r = 0; r < e.length; r += 16)
        s = p, c = d, l = h, f = m, p = o(p, d, h, m, e[r], 7, -680876936), m = o(m, p, d, h, e[r + 1], 12, -389564586), h = o(h, m, p, d, e[r + 2], 17, 606105819), d = o(d, h, m, p, e[r + 3], 22, -1044525330), p = o(p, d, h, m, e[r + 4], 7, -176418897), m = o(m, p, d, h, e[r + 5], 12, 1200080426), h = o(h, m, p, d, e[r + 6], 17, -1473231341), d = o(d, h, m, p, e[r + 7], 22, -45705983), p = o(p, d, h, m, e[r + 8], 7, 1770035416), m = o(m, p, d, h, e[r + 9], 12, -1958414417), h = o(h, m, p, d, e[r + 10], 17, -42063), d = o(d, h, m, p, e[r + 11], 22, -1990404162), p = o(p, d, h, m, e[r + 12], 7, 1804603682), m = o(m, p, d, h, e[r + 13], 12, -40341101), h = o(h, m, p, d, e[r + 14], 17, -1502002290), d = o(d, h, m, p, e[r + 15], 22, 1236535329), p = i(p, d, h, m, e[r + 1], 5, -165796510), m = i(m, p, d, h, e[r + 6], 9, -1069501632), h = i(h, m, p, d, e[r + 11], 14, 643717713), d = i(d, h, m, p, e[r], 20, -373897302), p = i(p, d, h, m, e[r + 5], 5, -701558691), m = i(m, p, d, h, e[r + 10], 9, 38016083), h = i(h, m, p, d, e[r + 15], 14, -660478335), d = i(d, h, m, p, e[r + 4], 20, -405537848), p = i(p, d, h, m, e[r + 9], 5, 568446438), m = i(m, p, d, h, e[r + 14], 9, -1019803690), h = i(h, m, p, d, e[r + 3], 14, -187363961), d = i(d, h, m, p, e[r + 8], 20, 1163531501), p = i(p, d, h, m, e[r + 13], 5, -1444681467), m = i(m, p, d, h, e[r + 2], 9, -51403784), h = i(h, m, p, d, e[r + 7], 14, 1735328473), d = i(d, h, m, p, e[r + 12], 20, -1926607734), p = u(p, d, h, m, e[r + 5], 4, -378558), m = u(m, p, d, h, e[r + 8], 11, -2022574463), h = u(h, m, p, d, e[r + 11], 16, 1839030562), d = u(d, h, m, p, e[r + 14], 23, -35309556), p = u(p, d, h, m, e[r + 1], 4, -1530992060), m = u(m, p, d, h, e[r + 4], 11, 1272893353), h = u(h, m, p, d, e[r + 7], 16, -155497632), d = u(d, h, m, p, e[r + 10], 23, -1094730640), p = u(p, d, h, m, e[r + 13], 4, 681279174), m = u(m, p, d, h, e[r], 11, -358537222), h = u(h, m, p, d, e[r + 3], 16, -722521979), d = u(d, h, m, p, e[r + 6], 23, 76029189), p = u(p, d, h, m, e[r + 9], 4, -640364487), m = u(m, p, d, h, e[r + 12], 11, -421815835), h = u(h, m, p, d, e[r + 15], 16, 530742520), d = u(d, h, m, p, e[r + 2], 23, -995338651), p = a(p, d, h, m, e[r], 6, -198630844), m = a(m, p, d, h, e[r + 7], 10, 1126891415), h = a(h, m, p, d, e[r + 14], 15, -1416354905), d = a(d, h, m, p, e[r + 5], 21, -57434055), p = a(p, d, h, m, e[r + 12], 6, 1700485571), m = a(m, p, d, h, e[r + 3], 10, -1894986606), h = a(h, m, p, d, e[r + 10], 15, -1051523), d = a(d, h, m, p, e[r + 1], 21, -2054922799), p = a(p, d, h, m, e[r + 8], 6, 1873313359), m = a(m, p, d, h, e[r + 15], 10, -30611744), h = a(h, m, p, d, e[r + 6], 15, -1560198380), d = a(d, h, m, p, e[r + 13], 21, 1309151649), p = a(p, d, h, m, e[r + 4], 6, -145523070), m = a(m, p, d, h, e[r + 11], 10, -1120210379), h = a(h, m, p, d, e[r + 2], 15, 718787259), d = a(d, h, m, p, e[r + 9], 21, -343485551), p = t(p, s), d = t(d, c), h = t(h, l), m = t(m, f);
    return [p, d, h, m]
}
function c(e) {
    var t,
    n = "";
    for (t = 0; t < 32 * e.length; t += 8)
        n += String.fromCharCode(e[t >> 5] >>> t % 32 & 255);
    return n
}
function l(e) {
    var t,
    n = [];
    for (n[(e.length >> 2) - 1] = void 0, t = 0; t < n.length; t += 1)
        n[t] = 0;
    for (t = 0; t < 8 * e.length; t += 8)
        n[t >> 5] |= (255 & e.charCodeAt(t / 8)) << t % 32;
    return n
}
function f(e) {
    return c(s(l(e), 8 * e.length))
}
function p(e, t) {
    var n,
    r,
    o = l(e),
    i = [],
    u = [];
    for (i[15] = u[15] = void 0, o.length > 16 && (o = s(o, 8 * e.length)), n = 0; 16 > n; n += 1)
        i[n] = 909522486 ^ o[n], u[n] = 1549556828 ^ o[n];
    return r = s(i.concat(l(t)), 512 + 8 * t.length),
    c(s(u.concat(r), 640))
}
function d(e) {
    var t,
    n,
    r = "0123456789abcdef",
    o = "";
    for (n = 0; n < e.length; n += 1)
        t = e.charCodeAt(n), o += r.charAt(t >>> 4 & 15) + r.charAt(15 & t);
    return o
}
function h(e) {
    return unescape(encodeURIComponent(e))
}
function m(e) {
    return f(h(e))
}
function g(e) {
    return d(m(e))
}

function getHoney() {
        var t = Math.floor((new Date).getTime() / 1e3),
        e = t.toString(16).toUpperCase(),
        i = g(t).toString().toUpperCase();
        if (8 != e.length)
            return {
                as: "479BB4B7254C150",
                cp: "7E0AC8874BB0985"
            };
        for (var n = i.slice(0, 5), a = i.slice(-5), s = "", o = 0; 5 > o; o++)
            s += n[o] + e[o];
        for (var r = "", c = 0; 5 > c; c++)
            r += e[c + 3] + a[c];
        return {
            as: "A1" + s + e.slice(-3),
            cp: e.slice(0, 3) + r + "E1"
        }
    }

新建python文件 toutiao.py并运行

import execjs
def py_execjs():    
    node = execjs.get() 
    file = 'toutiao.js'
    content=open(file,encoding='utf-8',errors='ignore').read()
    ctx = node.compile(content)
    js='getHoney()'
    result = ctx.eval(js)
    return result

as_cp=py_execjs()
print(as_cp)
#{'as': 'A1552A7A02C3DF3', 'cp': '5AA2036D0FE39E1'}

没能破解’_signature’