腾讯获取G_tk的算法

haisong

g_tk只是QQ空间对日志进行操作的时候，所采取的一套安全机制，如果g_tk字符串的值不对的话，请求是没有办法提交的，因此，很多刚刚涉及HTTP协议技术的人想对QQ空间这尊大佛动手脚的话，只能望而却步。下面我以VB为例，在这里详解一下g_tk的计算方法。
    其实g_tk校验是通过skey值来算出来的，弄过QQ登录的人可能都知道，在登录成功之后，cookies里都会返回skey值，通常是以@开头，并且带有一串看似无规则的大小写字母混合，总共10位。下面我们先来抓包看看，g_tk到底用在了哪里，我们以转载日志为例来抓包，

1. 
   
2. POST /cgi-bin/blognew/blog_quote HTTP/1.1
   
3. Accept: */*
   
4. Accept-Language: zh-cn
   
5. Referer: http://b.qzone.qq.com/proxy.html
   
6. If-Modified-Since: 0
   
7. Content-Type: application/x-www-form-urlencoded
   
8. Accept-Encoding: gzip, deflate
   
9. User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)
   
10. Host: b.qzone.qq.com
    
11. Content-Length: 65
    
12. Connection: Keep-Alive
    
13. Cache-Control: no-cache
    
14. Cookie: pt2gguin=o0138001655; ptcz=0b25a27219dd08bcfe38fc85365593dadb1a2a99cac9f1abfd5fb31a7052f89b; pvid=6724688319; flv=10.0; adid=138001655; adSP=GHTsOtSHTIJdDIr9+GXVoaFY59pet/LONpbU1rA0yPY=_837_326830_1290874683_; adVer=3121; ac=1,030,006; ptui_qstatus=2; uin=o0138001655; skey=@sZmfEEBdt; ptisp=ctc; ssid=s8226120880; login_time=B46BD5B3A93F9EC5226847DB4AE9A71589641475FCCEBBC9; __Q_w_s__appDataSeed=1; randomSeed=220115
    
15. uin=138001655&fromuin=715746717&blogid=1286714133&g_tk=1423927145
    

复制代码

我们可以看到，数据包主体部分最后一个参数就是g_tk值，一般是一串数字。那这个值到底怎么算出来的呢？
    因为我们在网页登录QQ的时候，腾讯都会通过cookies里的skey值来计算，用js来算。既然在运算的时候执行了js脚本，那么我们就可以在抓包中获得。那g_tk是通过什么算法算出来的？其实很简单，当我们得到skey后，循环取单字符的二进制并取左值．累加之后就得到后面的g_tk值了，这听上去很复杂，不过算法不用我们自己写，我们只需要执行在腾讯网页登录的时候所执行的那个js脚本就可以了。当然，js不能直接调用，不过既然我写了这篇文章，就已经是有备而来的，js算法我已经整理并写了一个最简单的，代码如下：

1. function getGTK(str){
   
2. var hash = 5381;
   
3. 
   
4. for(var i = 0, len = str.length; i < len; ++i){
   
5. hash += (hash << 5) + str.charAt(i).charCodeAt();
   
6. }
   
7. 
   
8. return hash & 0x7fffffff;
   
9. }

复制代码

那么我们现在还有两个问题没有解决：
    1.如何获取登录后的cookies？
    2.如何在VB中执行js代码并得到返回值？

    上面两个问题其实到了你们手里，我相信也不会是问题了，下面我再通过代码以及讲解，来剖析并解决这两个所谓的问题。对于HTTP数据包POST/GET，相信看这篇文章的人应该都懂得吧，否则你看了也没用，那么我们可以设计一个登录程序，并在登录之后获取cookies中的skey值，并计算出g_tk。

主界面代码如下：（frmLogin.frm）

1. '-
   
2. ' - 腾讯QQ空间g_tk算法
   
3. ' - 作者：泡面 (QQ138001655 email：admin@mafom.com)
   
4. ' - 日期：2010/11/28
   
5. '-
   
6. ' - 本源码来自源始时代（http://www.codeages.com），转载时请保留此信息！
   
7. ' - 本程序仅供学习、交流用，下载后请于24小时内删除，使用所带来的后果概不负责！
   
8. '-
   
9. 
   
10. Option Explicit
    
11. 
    
12. 'wininet提供的API函数，用于获取cookies
    
13. Private Declare Function InternetGetCookie Lib "wininet.dll" Alias "InternetGetCookieA" (ByVal lpszUrlName As String, ByVal lpszCookieName As String, ByVal lpszCookieData As String, lpdwSize As Long) As Boolean
    
14. 
    
15. Private Sub cmdCancel_Click()
    
16. End
    
17. End Sub
    
18. 
    
19. Private Sub cmdLogin_Click()
    
20. On Error GoTo hErr
    
21. 
    
22. If Len(txtQQNumber.Text) = 0 Then
    
23. MsgBox "请输入QQ号码！", vbInformation, "提示"
    
24. txtQQNumber.SetFocus
    
25. Exit Sub
    
26. End If
    
27. 
    
28. If Len(txtPassword.Text) = 0 Then
    
29. MsgBox "请输入QQ密码！", vbInformation, "提示"
    
30. txtPassword.SetFocus
    
31. Exit Sub
    
32. End If
    
33. 
    
34. If Len(txtVlCode.Text) = 0 Then
    
35. MsgBox "请输入验证码！", vbInformation, "提示"
    
36. txtVlCode.SetFocus
    
37. Exit Sub
    
38. End If
    
39. 
    
40. cmdLogin.Enabled = False
    
41. 
    
42. ScriptControl1.Language = "Jscript"
    
43. ScriptControl1.Timeout = -1
    
44. ScriptControl1.AddCode txtVarHexcase.Text
    
45. 
    
46. Dim QQPass As String
    
47. Dim retString As String
    
48. 
    
49. '对QQ密码进行加密，否则服务器不会通过
    
50. QQPass = ScriptControl1.Run("md5", ScriptControl1.Run("md5_3", txtPassword.Text) + UCase(txtVlCode.Text))
    
51. 
    
52. '发送登录请求
    
53. Inet1.Execute "http://ptlogin2.qq.com/login", "POST", "u=" & txtQQNumber.Text & "&p=" & QQPass & "&verifycode=" & txtVlCode.Text & "&aid=15000101&u1=http%3A%2F%2Fimgcache.qq.com%2Fqzone%2Fv5%2Floginsucc.html%3Fpara%3Dizone&fp=loginerroralert&h=1&ptredirect=1&ptlang=0&from_ui=1&dumy=", "CONTENT-TYPE : application/x-www-form-urlencoded"
    
54. 
    
55. Do While Inet1.StillExecuting
    
56. DoEvents
    
57. Loop
    
58. 
    
59. 
    
60. '取得返回数据
    
61. Dim BinBuff() As Byte
    
62. BinBuff() = Inet1.GetChunk(0, icByteArray)
    
63. retString = UTF8_Decode(BinBuff())
    
64. 
    
65. 
    
66. '判断登录状态
    
67. If InStr(retString, "QQ社区登录") Then
    
68. 
    
69. MsgBox "登录成功！", vbInformation, "提示"
    
70. 
    
71. Dim nLen As Long
    
72. Dim sBuff As String * 1024
    
73. nLen = 1024
    
74. 
    
75. '获取cookies
    
76. InternetGetCookie "http://ptlogin2.qq.com/login", vbNullString, sBuff, nLen
    
77. 
    
78. '获取skey值
    
79. Dim skey As String
    
80. Dim sPos As Long
    
81. 
    
82. sPos = InStr(sBuff, "skey=@")
    
83. 
    
84. If sPos <> 0 Then
    
85. skey = Mid(sBuff, sPos + 5, 10)
    
86. MsgBox "从cookies获取到的skey值：" & skey
    
87. End If
    
88. 
    
89. '执行js脚本，计算g_tk值
    
90. Dim js(6) As String
    
91. Dim g_tk As String
    
92. 
    
93. js(0) = "function getGTK(str){" & vbCrLf
    
94. js(1) = "var hash = 5381;" & vbCrLf
    
95. 
    
96. js(2) = "for(var i = 0, len = str.length; i < len; ++i){" & vbCrLf
    
97. js(3) = " hash += (hash << 5) + str.charAt(i).charCodeAt();" & vbCrLf
    
98. js(4) = "}" & vbCrLf
    
99. 
    
100. js(5) = " return hash & 0x7fffffff;" & vbCrLf
     
101. js(6) = "}"
     
102. 
     
103. ScriptControl1.AddCode js(0) & js(1) & js(2) & js(3) & js(4) & js(5) & js(6)
     
104. g_tk = ScriptControl1.Run("getGTK", skey)
     
105. 
     
106. MsgBox "计算出的g_tk值：" & g_tk
     
107. 
     
108. Else
     
109. 
     
110. If InStr(retString, "您输入的验证码有误，请重试。") <> 0 Then
     
111. MsgBox "您输入的验证码有误，请重试！", vbExclamation, "提示"
     
112. ElseIf InStr(retString, "您输入的密码有误，请重试。") <> 0 Then
     
113. MsgBox "您输入的密码有误，请重试！", vbExclamation, "提示"
     
114. ElseIf InStr(retString, "您的QQ号码存在安全隐患") <> 0 Then
     
115. MsgBox "您的QQ号码存在安全隐患！", vbExclamation, "提示"
     
116. Else
     
117. MsgBox "登录失败，请检查您的密码是否正确！", vbExclamation, "提示"
     
118. End If
     
119. 
     
120. End If
     
121. 
     
122. cmdLogin.Enabled = True
     
123. Exit Sub
     
124. 
     
125. hErr:
     
126. MsgBox "错误：" & Err.Number & vbCrLf & vbCrLf & Err.Description, vbExclamation, "错误"
     
127. Exit Sub
     
128. 
     
129. End Sub
     
130. 
     
131. '获取验证码
     
132. Sub GetCode()
     
133. On Error Resume Next
     
134. Dim Buff() As Byte
     
135. 
     
136. '腾讯最新登录接口，验证码已经升级为5位，请求验证码的时候必须要加上QQ号码
     
137. Inet1.URL = "http://captcha.qq.com/getimage?aid=46000101&r=0.03652396363445809&uin=" & txtQQNumber.Text & "&vc_type=063620256136860e997ba2ca06c3c10a43c1f346db8e9d98"
     
138. 
     
139. Buff() = Inet1.OpenURL(, icByteArray)
     
140. 
     
141. With picVlCode
     
142. .Picture = PictureFromBits(Buff()) '直接得到Picture对象
     
143. .PaintPicture .Picture, 0, 0, .Width, .Height, 0, 0, .ScaleWidth, .ScaleHeight
     
144. End With
     
145. End Sub
     
146. 
     
147. Private Sub Form_Load()
     
148. Me.Show
     
149. GetCode
     
150. txtQQNumber.SetFocus
     
151. End Sub

复制代码

模块代码：（mdlALG）

1. 
   
2. '二进制转UTF8
   
3. Declare Function MultiByteToWideChar _
   
4. Lib "kernel32" (ByVal CodePage As Long, _
   
5. ByVal dwFlags As Long, _
   
6. ByVal lpMultiByteStr As Long, _
   
7. ByVal cchMultiByte As Long, _
   
8. ByVal lpWideCharStr As Long, _
   
9. ByVal cchWideChar As Long) As Long
   
10. 
    
11. Public Enum CBoolean
    
12. CFalse = 0
    
13. CTrue = 1
    
14. End Enum
    
15. 
    
16. Private Const S_OK = 0
    
17. Private Declare Function CreateStreamOnHGlobal _
    
18. Lib "ole32" (ByVal hGlobal As Long, _
    
19. ByVal fDeleteOnRelease As CBoolean, _
    
20. ppstm As Any) As Long
    
21. Private Declare Function OleLoadPicture _
    
22. Lib "olepro32" (pStream As Any, _
    
23. ByVal lSize As Long, _
    
24. ByVal fRunmode As CBoolean, _
    
25. riid As GUID, _
    
26. ppvObj As Any) As Long
    
27. 
    
28. Public Type GUID
    
29. dwData1 As Long
    
30. wData2 As Integer
    
31. wData3 As Integer
    
32. abData4(7) As Byte
    
33. End Type
    
34. 
    
35. Private Declare Function CLSIDFromString _
    
36. Lib "ole32" (ByVal lpsz As Any, _
    
37. pclsid As GUID) As Long
    
38. Private Const sIID_IPicture = "{7BF80980-BF32-101A-8BBB-00AA00300CAB}"
    
39. Private Const GMEM_MOVEABLE = &H2
    
40. Private Declare Function GlobalAlloc _
    
41. Lib "kernel32" (ByVal uFlags As Long, _
    
42. ByVal dwBytes As Long) As Long
    
43. Private Declare Function GlobalLock Lib "kernel32" (ByVal hMem As Long) As Long
    
44. Private Declare Function GlobalUnlock Lib "kernel32" (ByVal hMem As Long) As Long
    
45. Private Declare Function GlobalFree Lib "kernel32" (ByVal hMem As Long) As Long
    
46. Private Declare Sub MoveMemory _
    
47. Lib "kernel32" _
    
48. Alias "RtlMoveMemory" (pDest As Any, _
    
49. pSource As Any, _
    
50. ByVal dwLength As Long)
    
51. 
    
52. Public Function PictureFromBits(abPic() As Byte) As IPicture
    
53. Dim nLow As Long
    
54. Dim cbMem As Long
    
55. Dim hMem As Long
    
56. Dim lpMem As Long
    
57. Dim IID_IPicture As GUID
    
58. Dim istm As stdole.IUnknown
    
59. Dim ipic As IPicture
    
60. On Error GoTo Out
    
61. nLow = LBound(abPic)
    
62. On Error GoTo 0
    
63. cbMem = (UBound(abPic) - nLow) + 1
    
64. hMem = GlobalAlloc(GMEM_MOVEABLE, cbMem) '分配可移动的内存
    
65. 
    
66. If hMem Then
    
67. lpMem = GlobalLock(hMem)
    
68. 
    
69. If lpMem Then
    
70. MoveMemory ByVal lpMem, abPic(nLow), cbMem
    
71. Call GlobalUnlock(hMem)
    
72. 
    
73. If (CreateStreamOnHGlobal(hMem, CTrue, istm) = S_OK) Then
    
74. If (CLSIDFromString(StrPtr(sIID_IPicture), IID_IPicture) = S_OK) Then
    
75. Call OleLoadPicture(ByVal ObjPtr(istm), cbMem, CFalse, IID_IPicture, PictureFromBits)
    
76. End If
    
77. End If
    
78. End If
    
79. End If
    
80. 
    
81. Out:
    
82. End Function
    
83. 
    
84. Public Function UTF8_Decode(bUTF8() As Byte) As String '二进制解析为UTF8
    
85. Dim lRet As Long
    
86. Dim lLen As Long
    
87. Dim lBufferSize As Long
    
88. Dim sBuffer As String
    
89. Dim bBuffer() As Byte
    
90. lLen = UBound(bUTF8) + 1
    
91. 
    
92. If lLen = 0 Then Exit Function
    
93. lBufferSize = lLen * 2
    
94. sBuffer = String$(lBufferSize, Chr(0))
    
95. lRet = MultiByteToWideChar(65001, 0, VarPtr(bUTF8(0)), lLen, StrPtr(sBuffer), lBufferSize)
    
96. 
    
97. If lRet <> 0 Then
    
98. sBuffer = Mid(sBuffer, 1, lRet)
    
99. End If
    
100. 
     
101. UTF8_Decode = sBuffer
     
102. End Function

复制代码