Tencent Weibo Autologon Script (python)

Keywords: Python encoding Firefox Windows

Original Link: http://www.cnblogs.com/ChenxofHit/archive/2011/04/03/2004906.html

Several major portals in China have published APIs for their Weibo services, but Tencent apparently has not. Tencent has always been an oddity among Chinese Internet companies. With some idle time over the Qingming Festival, I wrote an automatic login script for Tencent Weibo, which also serves as a study of Tencent Weibo's login and encryption. The research I have done is for learning and communication purposes only and has nothing to do with any other interest.

1. Conversion between bytes and str in Python

b = b"example"
s = "example"
# str to bytes
bytes(s, encoding = "utf8")
# bytes to str
str(b, encoding = "utf-8")
# an alternative method
# str to bytes
str.encode(s)
# bytes to str
bytes.decode(b)

Note that this conversion apparently requires Python 3.0 and above. This section refers to the web page: http://blog.fuqcool.com/tag/python%20str%20string%20bytes%20%E8%BD%AC%E6%8D%A2.

2. Python implementation of Tencent's password and verification code hybrid encryption scheme

The account and password used to log in to Weibo through the Tencent QQ web page are the same as the QQ account and password, and the data is encrypted by comm.js during submission. Tencent submits the data by GET. When you watch the traffic with the HttpFox plug-in, you will find that there is no POST method at all. It hurts. Tencent applies three rounds of MD5 to the password and a fourth round of MD5 mixed with the verification code, to prevent attacks on users. The MD5 algorithm itself is one-way, but part of its output space can be cracked with a dictionary, so Tencent uses multiple rounds of encryption for accounts and passwords, which is the technical quality assurance of the Internet.

There are two ways to produce the final mix of password and verification code. One is to run the JS locally in a JS engine to get the final result, the classic "take what already exists" approach, standing on the shoulders of giants. The other is to rewrite the JS script in another language, which teaches you about MD5 and gives a clear understanding of Tencent's encryption process. I took the second approach. For details on the encryption, see the JS script provided to us by Tencent: login_div.js:

import hashlib

# Tencent's password encryption strategy is said to be about as twisted as it gets.
# Looking at login.js, it really is.
def Md5_3(password):
    # Three chained MD5 rounds over the password (bytes);
    # rounds two and three hash the raw digest of the previous round
    m1 = hashlib.md5()
    m1.update(password)
    m2 = hashlib.md5()
    m2.update(m1.digest())
    m3 = hashlib.md5()
    m3.update(m2.digest())
    return m3.hexdigest()

def Md5_Final(password, verifycode):
    # Fourth round: MD5 over the uppercase triple-MD5 hex string
    # concatenated with the uppercase verification code
    m = hashlib.md5()
    strMixedTarget = Md5_3(password).upper() + str(verifycode, 'utf-8').upper()
    byteMixedTarget = bytes(strMixedTarget, 'utf-8')
    m.update(byteMixedTarget)
    return m.hexdigest().upper()

if __name__ == '__main__':
    pwd = b"ChenxofHit"
    verifycode = b"efta"
    print(Md5_Final(pwd, verifycode))

Execution results:

Python 3.2 (r32:88445, Feb 20 2011, 21:29:02) [MSC v.1500 32 bit (Intel)] on Chenx, Standard
>>> 8E20D9A4C14208D18DD5CA9661AE798D
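The fourth round works as a challenge-response: the verification code is the challenge and the triple-MD5 of the password is the shared secret. The sketch below is an added example, not code from the original post or from Tencent; the `ToyServer` class, its storage of the triple-MD5 value, the single-use rule and the code alphabet are assumptions made to show both sides of the exchange.

```python
import hashlib
import hmac
import secrets

VC_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # constructed, not Tencent's

def md5_3_hex(password: bytes) -> str:
    """Three chained MD5 rounds over raw digests, as in Md5_3 above."""
    digest = password
    for _ in range(3):
        digest = hashlib.md5(digest).digest()
    return digest.hex().upper()

def mix(stored_hex: str, vc: str) -> str:
    """Fourth round: MD5 over uppercase hex + uppercase code (Md5_Final)."""
    return hashlib.md5((stored_hex + vc.upper()).encode("utf-8")).hexdigest().upper()

def client_response(password: bytes, vc: str) -> str:
    """Value the client submits as the 'p' parameter."""
    return mix(md5_3_hex(password), vc)

class ToyServer:
    """Hypothetical verifier that never sees the plaintext password."""

    def __init__(self):
        self.stored = {}   # uin -> MD5^3(password), uppercase hex (assumed)
        self.pending = {}  # uin -> code issued for the next attempt

    def register(self, uin: str, password: bytes) -> None:
        self.stored[uin] = md5_3_hex(password)

    def issue_vc(self, uin: str) -> str:
        vc = "!" + "".join(secrets.choice(VC_ALPHABET) for _ in range(3))
        self.pending[uin] = vc
        return vc

    def verify(self, uin: str, p: str) -> bool:
        vc = self.pending.pop(uin, None)  # single use: a replayed p fails
        if vc is None or uin not in self.stored:
            return False
        expected = mix(self.stored[uin], vc)
        return hmac.compare_digest(expected.encode(), p.encode())

if __name__ == "__main__":
    server = ToyServer()
    server.register("10001", b"constructed-password")
    code = server.issue_vc("10001")
    p = client_response(b"constructed-password", code)
    print(server.verify("10001", p), server.verify("10001", p))
```

Because the verifier recomputes `p` from the stored triple-MD5 value alone, that stored value has to be protected like the password itself, and the code has to be single-use for a captured `p` to be worthless.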

3. Obtaining the verification code

The mixed encryption scheme is described above, where verifycode = b"efta" is given directly in the code. In practice, the verification code is obtained through a link like http://ptlogin2.qq.com/check?uin=723357969&appid=4600010&r=0.024315022575277512

The following code gets the verification code (VC):

import random
import re
import urllib.request

def getVC(uin, appid="4600010"):
    # Build the check URL; r is a random float, as in the sample link above
    r = random.random()
    url = "http://ptlogin2.qq.com/check?" + "uin=" + uin + "&" + "appid=" + appid + "&" + "r=" + str(r)
    print(url)
    vc = None
    try:
        avatar = urllib.request.urlopen(url)
    except OSError:  # URLError, refused connections, timeouts
        print("Cannot connect to the remote host!")
        return vc
    else:
        vcTarget = avatar.read().decode("utf8")
        print(vcTarget)
        # The verification code is "!" followed by three characters
        m = re.search(r'!.{3}', vcTarget)
        if m is not None:
            vc = m.group()
        else:
            print("VC Not getted!")
    return vc

def encode_b_VC(vc):
    # Md5_Final expects the verification code as bytes
    vc = bytes(vc, 'utf-8')
    return vc

if __name__ == '__main__':
    uin = "723357969"
    vc = getVC(uin)
    print(vc)

4. Cookie settings:

With the Firefox HttpFox plug-in, you can observe the messages sent from the client to the server. The specific process of setting the Cookie in the header can be found in the JS script provided to us by Tencent: ping.js:

from datetime import datetime
import random

def set_pgv_pvid():
    # Pseudo-random visitor id, at most 10 digits
    curMs = datetime.utcnow().second
    pvidtmp = (round(random.random() * 2147483647) * curMs) % 10000000000
    return pvidtmp

def set_pgv_flv():
    # Flash version string
    pgv_flv = "10.2 r152"
    return pgv_flv

def set_pgv_info():
    # Session id: "s" followed by a pseudo-random number
    curMs = datetime.utcnow().second
    ssid = "s" + str((round(random.random() * 2147483647) * curMs) % 10000000000)
    return ssid

def set_pgv_r_cookie():
    datenow = datetime.now()
    dateUTCnow = datetime.utcnow()
    pgv_r_cookie = datenow.year % 100 + (dateUTCnow.month + 1) + dateUTCnow.day + dateUTCnow.microsecond + round(random.random() * 100000)
    return pgv_r_cookie

def setCookies():
    pgv_pvid = set_pgv_pvid()
    pgv_flv = set_pgv_flv()
    pgv_info = set_pgv_info()
    pgv_r_cookie = set_pgv_r_cookie()
    # Sample: pgv_pvid=6069385845; pgv_flv=10.1 r102; pgv_info=ssid=s3027620338; pgv_r_cookie=114719260880
    cookie = "pgv_pvid=" + str(pgv_pvid) + ";" + "pgv_flv=" + str(pgv_flv) + ";" + "pgv_info=ssid=" + str(pgv_info) + ";" + "pgv_r_cookie=" + str(pgv_r_cookie)
    #print(cookie)
    return cookie

if __name__ == '__main__':
    print(setCookies())

5. Comprehensive testing:

import QQMB_pwdEncryption as QPwd
import QQMB_setCookies as QCookie
import QQMB_verifyCode as QVC

import http.cookiejar, urllib.request, urllib.parse

loginUrl = "http://ptlogin2.qq.com/login?"

if __name__ == '__main__':
    uin = "723357969"
    pwd = b"*******"
    vc = QVC.getVC(uin)
    if vc is not None:
        encPwd = QPwd.Md5_Final(pwd, QVC.encode_b_VC(vc))  # after the four rounds of encryption
        print(encPwd)
        #http://ptlogin2.qq.com/login?u=723357969&p=8B8F042EE71CD0C55476201A2F1E18F7&verifycode=!08L&low_login_enable=1&low_login_hour=720&aid=46000101&u1=http%3A%2F%2Ft.qq.com&ptredirect=1&h=1&from_ui=1&dumy=&fp=loginerroralert

        # Keep cookies set by the server across requests
        cj = http.cookiejar.CookieJar()
        opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
        urllib.request.install_opener(opener)
        req = urllib.request.Request(loginUrl)
        #req.add_header("Host","ptlogin2.qq.com")
        req.add_header("User-Agent", "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15")
        req.add_header("Accept-Charset", "GB2312,utf-8;q=0.7,*;q=0.7")
        req.add_header("Referer", "http://t.qq.com/")
        req.add_header("Cookie", QCookie.setCookies())

        parameters = {
            'u': uin,
            'p': encPwd,
            'verifycode': vc,
            'low_login_enable': '1',
            'low_login_hour': '720',
            'aid': '46000101',
            # unencoded here: urlencode() below produces http%3A%2F%2Ft.qq.com
            'u1': 'http://t.qq.com',
            'ptredirect': '1',
            'from_ui': '1',
            'dumy': '',
            'fp': 'loginerroralert'
        }
        paraEncode = urllib.parse.urlencode(parameters).encode("GB2312")
        print(paraEncode)
        # Passing data makes urllib send a POST; the captured request above is a GET
        res = urllib.request.urlopen(req, paraEncode)
        html = res.read().decode('utf-8')
        print(html)

    else:
        print("VC Not getted Properly!Try it again!")

Once again, the above research is solely for personal learning and communication purposes, and I am not responsible for any unnecessary disputes caused by its use for other purposes.

(There is a big change from Python 2.x to Python 3.x. There's no way around that. Look at the API more.)

Posted by aikman on Fri, 26 Jul 2019 10:09:16 -0700