Skip to content

Instantly share code, notes, and snippets.

@buptczq

buptczq/detect.py

Last active January 30, 2022 06:39
Show Gist options
  • Star 29 You must be signed in to star a gist
  • Fork 6 You must be signed in to fork a gist
  • Save buptczq/0d0fc73a1a8d2232b4d21b5e1ac13344 to your computer and use it in GitHub Desktop.
Save buptczq/0d0fc73a1a8d2232b4d21b5e1ac13344 to your computer and use it in GitHub Desktop.
Download ZIP
QQ URL detect
Raw
detect.py
import hashlib
import struct
import sqlite3
def md5hash(buf):
return hashlib.md5(buf.encode("utf-16")[2:]).digest()
def md5cmp(buf, postfix, a1, a2, a3, a4):
if len(buf) < postfix:
return False
index = 0
while index <= (len(buf)-postfix):
md5 = md5hash(buf[index:index+postfix])
if md5 == struct.pack("<IIII", a1, a2, a3, a4):
return True
index += 1
return False
def detect(url):
urlbuf = url.upper()
return md5cmp(urlbuf, 23, 0x1C6389BA, 0xF2FA5666, 0xF2A2E0D3, 0xC892E7BA) or \
md5cmp(urlbuf, 34, 0xB829484C, 0x520F7CC3, 0x94EC8A73, 0xD808E79) or \
md5cmp(urlbuf, 30, 0xDDA1029, 0x9E67F3BB, 0xB18ACC45, 0x597CF438) or \
md5cmp(urlbuf, 21, 0x2564591C, 0x5B11347B, 0x846A0F72, 0xEF704A8)
conn = sqlite3.connect("History")
cursor = conn.cursor()
cursor.execute("select url from urls")
count = 0
for row in cursor:
url = row[0]
if detect(url):
print('detect: ' + url)
count += 1
if count == 0:
print('nothing')
cursor.close()
conn.close()
@buptczq
Copy link
Author

buptczq commented Jan 17, 2021
edited

  • 使用方法, 将%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History文件拷贝至某个文件夹, 下载上面的脚本至相同文件夹, 然后用 python 运行脚本

  • qq的上报逻辑:

  1. 扫描 IE, chrome, edge 等浏览器的浏览记录
  2. 对 url 的部分内容进行 md5, 与 4 个硬编码的 md5 进行比较
  3. 如果 md5 比较成功, 将 url 内容与关键词匹配, 对url进行分类, 并将分类结果上报至服务器 (没有上报原始的url内容)
tasks = {
# URL 匹配
# (23, 0x1C6389BA, 0xF2FA5666, 0xF2A2E0D3, 0xC892E7BA): b'', # ://S.TAOBAO.COM/SEARCH?
# (34, 0xB829484C, 0x520F7CC3, 0x94EC8A73, 0xD808E79): b'', # LIST.TMALL.COM/SEARCH_PRODUCT.HTM?
(30, 0xDDA1029, 0x9E67F3BB, 0xB18ACC45, 0x597CF438): b'', # TODO
# (21, 0x2564591C, 0x5B11347B, 0x846A0F72, 0xEF704A8): b'', # SEARCH.JD.COM/SEARCH?

# 搜索关键词匹配
# group 1
# (18, 0x8C2F8C3B, 0x9CA6DB69, 0x663C9537, 0xA0B64B58): b'', # 古着
# (7, 0x966DC59E, 0x592F2331, 0x6D2BF021, 0xA1D96C3C): b'', # VINTAGE

# group 2
# (18, 0x7FACF63C, 0xBEC2FCB0, 0xBE8836F6, 0x167CC273): b'', # 融券
# (18, 0x46B6D8D7, 0x8AA82723, 0xBE19FA24, 0x670E160C): b'', # 融资

# group 3
# (18, 0xE235F85E, 0x5C924D20, 0xA61B84AC, 0x4BC792DD): b'', # 炒股
# (18, 0x79088BEC, 0xF29CC9E8, 0xBF920D9, 0x455AE9ED): b'', # 股票
}

@buptczq
Copy link
Author

buptczq commented Jan 18, 2021
edited

更新:
所有md5已经解密完成:

# (23, 0x1C6389BA, 0xF2FA5666, 0xF2A2E0D3, 0xC892E7BA): b'', # ://S.TAOBAO.COM/SEARCH?
# (34, 0xB829484C, 0x520F7CC3, 0x94EC8A73, 0xD808E79): b'', # LIST.TMALL.COM/SEARCH_PRODUCT.HTM?
# (30, 0xDDA1029, 0x9E67F3BB, 0xB18ACC45, 0x597CF438): b'', # ULAND.TAOBAO.COM/SEM/TBSEARCH?
# (21, 0x2564591C, 0x5B11347B, 0x846A0F72, 0xEF704A8): b'', # SEARCH.JD.COM/SEARCH?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment