For technical exchange only, not for any commercial use

The last two days I taught you how to find the real MP3 player address on the console, but you can’t download paid, because you can only download playable songs. As for how to download paid netease cloud music, or open a member, to know that free is the most expensive this truth.

Some fans saw the first two days of the article want to use the code to install force, I in order to meet him, specially to toss for two days, finally write out, can’t wait to share with you. I have to say, this pit is very big, encountered a few pit in there toss over for a few hours, share out to let everyone want to pretend forced less pit. Without further ado, let’s start today’s topic!

1. Look for target requests

Open the homepage of netease Cloud, open the developer tool, and click Search

If you see a lot of requests, don’t panic, take your time. Look for it and you’ll find the link below

This link returns json, which contains the information of the song, but there is no LINK to play the MP3, this may be useful, because there is the id of the song, put it first.

I tried clicking on the song to play, adding a few more requests. A look, there is a link to the MP3 I want.

This way, get mp3 request link out, music.163.com/weapi/song/…

You can see it’s a POST request, status code 200, so let’s move on to what fromData is.

It is two encrypted parameters, but not afraid, if you read my previous article about using Python to climb netease cloud music and storing data in mysql, you will find that the fromData parameters are the same, so the idea of cracking encryption parameters is the same, but THIS time I don’t use Fiddler, just use developer tools to debug, watch!! Let’s see what the source of this request is.

Click in to see, is a confused JS, click the lower left corner can be formatted, so good-looking point.

Do a search for Params and you’ll find this:

As you can see, the encryption is the same as before, except the variable name has changed. **window.asrsea()** has four arguments. Let’s look at the last three arguments first, because they are all very similar. Continue the search for location.

As you can see, it’s a fixed object, so don’t worry about it, you can debug it later. Let’s look at the first parameter. It’s a JSON. We can do breakpoint debugging to get it.

Refresh and you’ll see the following.

You can see that **window.asrsea()** is a d function.

Click to go to the next breakpoint and you will see

All four parameters are out, SO I’ll just post them here:

d:"{"ids":"[523946593]","br":128000,"csrf_token":""}"e:"010001"f:"00e0b509f6259df8642dbc35662901477df22677ec152b5ff68ace 615bb7b725152b3ab17a876aea8a5aa76d2e417629ec4ee341f56135fccf695280104e0312ecbda92557c93870114af6c9d05c4f7f0c3685b7a46bee 255932575cce10b424d813cfe4875d3e82047b97ddef52741d546b8e289dc6935b3ece0462db0a22b8e7"g:"0CoJUm6Qyw8W8jud"Copy the code

Id = id = id = id = id = id = id = id = id = id Br is a fixed value, which may correspond to the quality of the song or something, so you don’t need to worry about it.

Here’s how the d function is encrypted:

There are three functions **a, b, and c **, so let’s look at a

The a function randomly finds 16 strings in a bunch of strings. Ok, next.

Function B uses AES encryption, encrypted ciphertext is E, that is, the content of parameter A, c is the key, the third parameter has offset D and encryption mode **CBC **. Let’s look at the C function.

The C function uses RSA encryption, where b is the encryption index, the empty string is the decryption parameter, and C is the encryption coefficient.

All right, so with the three functions done, let’s go back to the d function.

As you can see, the params parameter is generated twice by b function, that is, encrypted twice with AES, and the encSecKey parameter is generated by C function, that is, by RSA encryption.

Talk is cheap, show me the code

2. Code

Let’s show you the random generation of 16 strings

In order to make it a little bit nicer, I’m going to use photos instead

Next is AES encryption

There is a huge pit, Google has not found anyone encountered, is using python AES encryption, can only encrypt numbers and letters, not Chinese encryption, will report an error

Input strings must be a multiple of 16 in length

The solution is that in CBC encryption mode, when the string is completed to a multiple of length 16, the length indicator can not be used in Chinese, but must be converted to the unicode encoding length first. For example, the top one, the bottom one is a false demonstration

pad = 16 – len(text) % 16

The pit crawled over, followed by the next RSA encryption

Note also that when generating a random string of 16, you need to make sure that the params and encSecKey arguments correspond to the random string. Otherwise, there will still be errors after encryption, and you can’t get the correct information. Ok, the last one is to get two encryption parameters.

When the code is finished, what are we waiting for? Let’s do it!

{‘code’: -460, ‘msg’: ‘Cheating’}

This good, installed force failure, netease cloud recognized me as a reptile, then I try to add the request head? The result is still the same, this is also a giant pit. The solution is to add the request header, only need to add two, one is browser recognition **user-agent **, the other is cookie, guess what? I also can’t think of, there is actually a cookie on the reverse crawl, but I use **session ** to keep the cookie or not, need to copy browsing cookies can be saved.

The songs can be downloaded now, but I want any song. Ok, we’ll look at the request of https://music.163.com/weapi/cloudsearch/get/web?csrf_token=, because return is songs id.

3. Find the song ID

As you can see, the parameters are still the same as the above request parameters, but we know that the d function, the last three parameters are unchanged, so we just need to find the previous change of parameters, the same operation, breakpoint debugging.

And it’s easy to find, the d parameter is this one down here

d = ‘{“hlpretag”:”<span Class = \ \ “s – fc7 \” > “, “hlposttag” : “”,” s “:” can can “, “type” : “1”, “offset” : “0”, “total” : “true”, “limit” : “”,” 30 csrf_token “:” “} ‘

That’s the end of the analysis.

4. Search for song codes

This is the code to get the song ID, and nothing else is wrong.

The last

I have also packaged the program, and I can download all the songs I like. Although I can download them directly with netease cloud without so much trouble, what is the purpose of learning programming? You can use code and nothing else.

As above, download lever, need to complete the code can be back to the background music can be sent to you.

Ps: original is not easy, wrote this article can be said to cost me 1024 hair, I heard that forwarding is the most effective way to hair, so you know!