[Original] Web protocols: Google Translate protocol analysis
Posted: 2018-11-12 10:31

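Tools

  1. Google Chrome
  2. Chrome's built-in developer tools (shortcut: F12)

Google Translate protocol analysis

  1. Open https://translate.google.cn in the browser
  2. Open the developer tools and capture the traffic
  3. Analyze the JS script
  4. Reconstruct the algorithm

Packet capture

Enter hello and capture the traffic. The captured content is as follows:

Request URL: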

Request URL: https://translate.google.cn/translate_a/single?client=t&sl=en&tl=zh-CN&hl=zh-CN&dt=at&dt=bd&dt=ex&dt=ld&dt=md&dt=qca&dt=rw&dt=rm&dt=ss&dt=t&ie=UTF-8&oe=UTF-8&pc=1&otf=1&ssel=0&tsel=0&kc=1&tk=264929.164808&q=hello
Request Method: GET
Status Code: 200 
Remote Address: 127.0.0.1:8888
Referrer Policy: no-referrer-when-downgrade

Response body:

[
    [
        [
            "你好",
            "hello",
            null,
            null,
            1
        ],
        [
            null,
            null,
            "Nǐ hǎo",
            "heˈlō,həˈlō"
        ]
    ],
    [
        [
            "感叹词",
            [
                "你好!",
                "喂!"
            ],
            [
                [
                    "你好!",
                    [
                        "Hello!",
                        "Hi!",
                        "Hallo!"
                    ],
                    null,
                    0.13117145
                ],
                [
                    "喂!",
                    [
                        "Hey!",
                        "Hello!"
                    ],
                    null,
                    0.020115795
                ]
            ],
            "Hello!",
            9
        ]
    ],
    "en",
    null,
    null,
    [
        [
            "hello",
            null,
            [
                [
                    "你好",
                    1000,
                    true,
                    false
                ],
                [
                    "您好",
                    1000,
                    true,
                    false
                ]
            ],
            [
                [
                    0,
                    5
                ]
            ],
            "hello",
            0,
            0
        ]
    ],
    1,
    null,
    [
        [
            "en"
        ],
        null,
        [
            1
        ],
        [
            "en"
        ]
    ],
    null,
    null,
    [
        [
            "名词",
            [
                [
                    [
                        "howdy",
                        "hullo",
                        "hi",
                        "how-do-you-do"
                    ],
                    ""
                ]
            ],
            "hello"
        ],
        [
            "惊叹词",
            [
                [
                    [
                        "hi",
                        "howdy",
                        "hey",
                        "hiya",
                        "ciao",
                        "aloha"
                    ],
                    "m_en_us1254307.001"
                ]
            ],
            "hello"
        ]
    ],
    [
        [
            "名词",
            [
                [
                    "an utterance of “hello”; a greeting.",
                    "m_en_us1254307.006",
                    "she was getting polite nods and hellos from people"
                ]
            ],
            "hello"
        ],
        [
            "惊叹词",
            [
                [
                    "used as a greeting or to begin a telephone conversation.",
                    "m_en_us1254307.001",
                    "hello there, Katie!"
                ]
            ],
            "hello"
        ],
        [
            "动词",
            [
                [
                    "say or shout “hello”; greet someone.",
                    "m_en_us1254307.007",
                    "‘Hi Kirsten,’ he helloed , obviously calling me Kirsten on purpose."
                ]
            ],
            "hello"
        ]
    ],
    [
        [
            [
                "And <b>hello</b> , what is this and why haven't I heard about it before?",
                null,
                null,
                null,
                3,
                "m_en_us1254307.003"
            ],
            [
                "It is extraordinary how much can be achieved when you put enthusiasm into a routine task, a special project or a simple <b>hello</b> or conversation.",
                null,
                null,
                null,
                3,
                "m_en_us1254307.006"
            ],
            [
                "So Bob, if you are out there, drop in and say <b>hello</b> !",
                null,
                null,
                null,
                3,
                "m_en_us1254307.001"
            ],
            [
                "He was a little surprised since he had already said <b>hello</b> to her that morning.",
                null,
                null,
                null,
                3,
                "m_en_us1254307.001"
            ],
            [
                "Ric's upset when he finds out that Alf returned from the USA the day before and didn't even say <b>hello</b> !",
                null,
                null,
                null,
                3,
                "m_en_us1254307.001"
            ],
            [
                "she refused and, <b>hello</b>, I'm her manager!",
                null,
                null,
                null,
                3,
                "neid_9509"
            ],
            [
                "<b>hello</b>, what's this?",
                null,
                null,
                null,
                3,
                "neid_9510"
            ],
            [
                "My local Chinese shop owner always greets me with a big smile and a friendly <b>hello</b> !",
                null,
                null,
                null,
                3,
                "m_en_us1254307.006"
            ],
            [
                "When their eyes met, she grinned wickedly in an informal <b>hello</b> .",
                null,
                null,
                null,
                3,
                "m_en_us1254307.006"
            ],
            [
                "I have wanted to re-watch it like a DVD or something, but I couldn't because, <b>hello</b> !",
                null,
                null,
                null,
                3,
                "m_en_us1254307.005"
            ],
            [
                "<b>hello</b>, what's all this then?",
                null,
                null,
                null,
                3,
                "m_en_gb0372340.002"
            ],
            [
                "But we had a surprise in store for Caroline when we said <b>hello</b> after the show.",
                null,
                null,
                null,
                3,
                "m_en_us1254307.001"
            ],
            [
                "Umm… <b>hello</b> , the world just ended, everyone seems bizarrely unaffected, like the predicted deep freeze has already reached their brains.",
                null,
                null,
                null,
                3,
                "m_en_us1254307.005"
            ],
            [
                "Tlingit people do not use such greetings as <b>hello</b> , good-bye, good afternoon, or good evening.",
                null,
                null,
                null,
                3,
                "m_en_us1254307.001"
            ],
            [
                "Quentin is surprised to see Maggie, and says <b>hello</b> .",
                null,
                null,
                null,
                3,
                "m_en_us1254307.001"
            ],
            [
                "I mean - <b>hello</b> - this is just kind of a witty, fun movie.",
                null,
                null,
                null,
                3,
                "m_en_us1254307.005"
            ],
            [
                "But - <b>hello</b> - they're only 15, and they're only playing at being grown up.",
                null,
                null,
                null,
                3,
                "m_en_us1254307.005"
            ],
            [
                "She whispered <b>hello</b> , then began to make her way to her room, where she hoped to take a nap.",
                null,
                null,
                null,
                3,
                "m_en_us1254307.001"
            ],
            [
                "If you haven't met Joy yet, pop over to her site and say <b>hello</b> !",
                null,
                null,
                null,
                3,
                "m_en_us1254307.001"
            ],
            [
                "My parents are chuckling - I guess more of my reaction than their news, but I mean, <b>hello</b> !",
                null,
                null,
                null,
                3,
                "m_en_us1254307.005"
            ],
            [
                "She is living a more fortunate life than (most of) you, <b>hello</b> ?",
                null,
                null,
                null,
                3,
                "m_en_us1254307.005"
            ],
            [
                "I was stunned and I said I'm surprised anyone says <b>hello</b> to me ever in the mall or in the store after reading that.",
                null,
                null,
                null,
                3,
                "m_en_us1254307.001"
            ],
            [
                "Like we have time for a life - <b>hello</b> !",
                null,
                null,
                null,
                3,
                "m_en_us1254307.005"
            ],
            [
                "Ships' horns toot, children wave and call <b>hello</b> , and every morning you're awakened by the haunting call of the muezzin from some distant village mosque.",
                null,
                null,
                null,
                3,
                "m_en_us1254307.001"
            ],
            [
                "She must have been really stupid to have mimicked me… I mean, <b>hello</b> !",
                null,
                null,
                null,
                3,
                "m_en_us1254307.005"
            ],
            [
                "But instead of a normal greeting like saying <b>hello</b> or something, they hugged.",
                null,
                null,
                null,
                3,
                "m_en_us1254307.001"
            ],
            [
                "I haven't seen her in over a year, and yesterday she just strolls casually up to me and says <b>hello</b> !",
                null,
                null,
                null,
                3,
                "m_en_us1254307.001"
            ],
            [
                "The girl is finding love on the telephone, <b>hello</b> !",
                null,
                null,
                null,
                3,
                "m_en_us1254307.005"
            ],
            [
                "We didn't get the chance to get together this visit, but we had nice phone conversation and a waved <b>hello</b> .",
                null,
                null,
                null,
                3,
                "m_en_us1254307.006"
            ],
            [
                "<b>hello</b> there, Katie!",
                null,
                null,
                null,
                3,
                "m_en_us1254307.001"
            ]
        ]
    ]
]

I tried changing the value of the q parameter. The following was returned:

403. That’s an error.

Your client does not have permission to get URL /translate_a/single?client=t&sl=en&tl=zh-CN&hl=zh-CN&dt=at&dt=bd&dt=ex&dt=ld&dt=md&dt=qca&dt=rw&dt=rm&dt=ss&dt=t&ie=UTF-8&oe=UTF-8&pc=1&otf=1&ssel=0&tsel=0&kc=1&tk=264929.164808&q=world from this server. That’s all we know.

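Sending the request directly without changing q returns content normally, so the verification parameter is evidently not in the request headers (I did not add any headers). It should be in the request URL.

When I queried different words, I found that only tk differed, so the verification parameter appears to be tk.

So Google validates the tk parameter in the URL. Next we need to analyze its JS file to see how tk is generated.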

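Analysis

Switch to the Sources tab of the developer tools, as shown in the figure below.

There is only one file, desktop_module_main.js.

  1. Search this JS file for URL-related strings.

The variable oa turns out to be the request URL path.

  2. Find where oa is referenced (by searching).

The ps function uses oa, but no tk function turned up, so we set a breakpoint inside it.

Keep typing a word so that the breakpoint is hit.

Once it breaks, step into the ns function and single-step to line 2: tk is returned by the ms function, and the argument passed in is the text we typed.

Look at the ms function.

It takes the value of the q parameter (the text we typed) and calls the Hr function.

Look at the Hr function.

Hr is the final function that generates tk from the input word. The if at the top fetches the value of TKK; TKK is fixed and can be found in the index page.

I pulled out everything this function needs (the first few lines of Hr are replaced with fixed values), as follows (a JS script that can be run directly):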

var Fr = function(a, b) {
    // b is a list of 3-character ops: [+ add | ^ xor][+ >>> | - <<][shift amount; "a".."f" mean 10..15]
    for (var c = 0; c < b.length - 2; c += 3) {
        var d = b.charAt(c + 2);
        d = "a" <= d ? d.charCodeAt(0) - 87 : Number(d);
        d = "+" == b.charAt(c + 1) ? a >>> d : a << d;
        a = "+" == b.charAt(c) ? a + d & 4294967295 : a ^ d
    }
    return a
}


var Er = function(a) {
    return function() {
        return a
    }
}

var TKK="428257.4099441762";
var Hr = function(a) {
    var b=TKK;
    var d = Er(String.fromCharCode(116));//t
    var c = Er(String.fromCharCode(107));//k
    d = [d(), d()];
    d[1] = c();//tk
    c = "&" + d.join("") + "=";//&tk=
    d = b.split(".");
    b = Number(d[0]) || 0;
    // UTF-8 encode the input string into the byte array e
    for (var e = [], f = 0, g = 0; g < a.length; g++) {
        var l = a.charCodeAt(g);
        128 > l ? e[f++] = l : (2048 > l ? e[f++] = l >> 6 | 192 : (55296 == (l & 64512) && g + 1 < a.length && 56320 == (a.charCodeAt(g + 1) & 64512) ? (l = 65536 + ((l & 1023) << 10) + (a.charCodeAt(++g) & 1023),
            e[f++] = l >> 18 | 240,
            e[f++] = l >> 12 & 63 | 128) : e[f++] = l >> 12 | 224,
            e[f++] = l >> 6 & 63 | 128),
            e[f++] = l & 63 | 128)
    }
    // Mix each byte into the running 32-bit value, starting from the integer part of TKK
    a = b;
    for (f = 0; f < e.length; f++) {
        a += e[f];
        a = Fr(a, "+-a^+6");
    }
    a = Fr(a, "+-3^+b+-f");
    a ^= Number(d[1]) || 0;
    0 > a && (a = (a & 2147483647) + 2147483648);
    a %= 1E6;
    return c + (a.toString() + "." + (a ^ b))
};

var tk=Hr("hello world")

console.log(tk);// prints &tk=904423.738310

Ported to Python:

TKK = "428257.4099441762"


def UShiftRight(a, b):
    # JS a >>> b: logical right shift of the unsigned 32-bit value (also valid for b == 0)
    return (a & 0xffffffff) >> b


def Fr(a, b):
    # b is a list of 3-character ops: [+ add | ^ xor][+ >>> | - <<][shift amount; "a".."f" mean 10..15]
    a &= 0xffffffff
    for c in range(0, len(b) - 2, 3):
        d = b[c + 2]
        d = ord(d) - 87 if "a" <= d else int(d)
        d = UShiftRight(a, d) if "+" == b[c + 1] else (a << d) & 0xffffffff
        a = (a + d) & 0xffffffff if "+" == b[c] else a ^ d
    return a


def Hr(a):
    d = TKK.split(".")
    b = int(d[0])
    # The JS loop UTF-8 encodes the input by hand. Python 3 strings are code points,
    # not UTF-16 units, so encode directly; surrogatepass keeps a lone surrogate
    # as 3 bytes, which is what the JS loop produces for it.
    e = a.encode("utf-8", "surrogatepass")
    a = b
    for byte in e:
        a = Fr(a + byte, "+-a^+6")
    a = Fr(a, "+-3^+b+-f")
    # a stays an unsigned 32-bit value here, so the JS sign fix-up is not needed
    a ^= int(d[1])
    a %= 1000000
    return str(a) + "." + str(a ^ b)


tk = Hr("我")
print(tk)

A tk computed with the function above makes the request return content correctly.

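Protocol

URL: https://translate.google.cn/translate_a/single?client=t&sl=en&tl=zh-CN&hl=zh-CN&dt=at&dt=bd&dt=ex&dt=ld&dt=md&dt=qca&dt=rw&dt=rm&dt=ss&dt=t&ie=UTF-8&oe=UTF-8&pc=1&otf=1&ssel=0&tsel=0&kc=1&tk=264929.164808&q=hello

Parameter   Meaning
sl          Language to translate from
tl          Language to translate to
tk          Signature over the input text (see the algorithm above)
q           The input text
others      Not essential and can be removed; they tell Google what content to return.

Header: not required

Method: GET

Summary

Technical difficulty: none.

Encryption strength: low.

Obfuscation strength: low.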


Last edited by chpeagle on 2019-1-15 20:54. Reason: image repair
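
What the two halves of a tk value give away, as an added example that is not code from the post: the script returns a.toString() + "." + (a ^ b), where b is the integer part of TKK, so XORing the two halves of any token recovers b. The token values are copied from the post; the function names are made up here, and reading b as hours since the Unix epoch is an assumption the post does not state.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Values copied from the post (the URL is shortened to the relevant parameters).
CAPTURED_URL = ("https://translate.google.cn/translate_a/single"
                "?client=t&sl=en&tl=zh-CN&tk=264929.164808&q=hello")
SCRIPT_OUTPUT = "&tk=904423.738310"   # printed by the JS for "hello world"
SCRIPT_TKK = "428257.4099441762"      # TKK hard-coded in the JS

# a is reduced modulo 1E6, so the first half has at most six digits.
TK_RE = re.compile(r"^(\d{1,6})\.(\d+)$")


def split_tk(tk):
    """Return (a, a ^ b) from a tk string, or raise ValueError if malformed."""
    m = TK_RE.match(tk)
    if not m:
        raise ValueError("not a tk value: %r" % tk)
    return int(m.group(1)), int(m.group(2))


def seed_from_tk(tk):
    """Recover b, the integer part of TKK: a ^ (a ^ b) == b."""
    a, a_xor_b = split_tk(tk)
    return a ^ a_xor_b


def tk_from_url(url):
    """Extract the tk query parameter from a request URL."""
    values = parse_qs(urlsplit(url).query).get("tk")
    if not values:
        raise ValueError("URL has no tk parameter")
    return values[0]


def seed_as_utc(seed):
    """ASSUMPTION (not stated in the post): the seed counts hours since the Unix epoch."""
    return datetime.fromtimestamp(seed * 3600, tz=timezone.utc)


if __name__ == "__main__":
    script_seed = seed_from_tk(SCRIPT_OUTPUT.split("=", 1)[1])
    capture_seed = seed_from_tk(tk_from_url(CAPTURED_URL))
    # The script's token yields exactly the integer part of its hard-coded TKK.
    print(script_seed, script_seed == int(SCRIPT_TKK.split(".")[0]))
    # The captured token was produced with a seed 72 units later.
    print(capture_seed, capture_seed - script_seed, seed_as_utc(capture_seed))
```

The second half of tk therefore adds nothing beyond the first half and the seed: the check value itself is the six-digit a. Under the hours assumption the captured request's seed falls on 2018-11-12 01:00 UTC, the day the post was written.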
Latest replies (5)
2
Thanks, OP, learned something.
Last edited by 我是小三 on 2018-11-12 11:14. Reason:
2018-11-12 11:13
3
So this is effectively an interface that can be used.
2018-11-12 13:25
4
Now there's an interface to use! Awesome, teacher!
2018-11-29 19:16
5
Some of the images are broken; I hope they can be fixed soon.
2019-1-15 11:36
6
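crownless: Some of the images are broken; I hope they can be fixed soon.
They aren't actually broken. I wrote the post in another Markdown editor and uploaded and inserted each of its images one by one; I just forgot to delete the original ones.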
2019-1-15 20:52