// abogus_poc 验证 goja 嵌入 a_bogus 算法能否绕过抖店风控 // // 流程: // 1. 构造 抖店 searchlist 的 URL params(不含 a_bogus) // 2. 用 goja 跑 a_bogus.js 算签名 // 3. 把 a_bogus 拼上去发请求,看是否返回 st=0 的真实订单数据 // // 用法: // // go run cmd/abogus_poc/main.go -buyer 47074703875 -cookie '<完整 cookie>' package main import ( "flag" "fmt" "io" "net/http" "net/url" "os" "strings" "time" "bindbox-game/internal/service/douyin/abogus" ) const ( defaultUA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36" defaultReferer = "https://fxg.jinritemai.com/ffa/morder/order/list" ) func main() { buyer := flag.String("buyer", "", "抖音 Buyer ID,必填") cookie := flag.String("cookie", "", "抖店登录 cookie 字符串,必填") pageSize := flag.Int("page-size", 10, "pageSize") flag.Parse() if *buyer == "" || *cookie == "" { fmt.Println("用法: -buyer -cookie ") os.Exit(1) } gen, err := abogus.NewGenerator() if err != nil { exit("初始化 a_bogus 生成器失败: %v", err) } csrf := parseCookie(*cookie, "csrf_session_id") msToken := parseCookie(*cookie, "msToken") if csrf == "" { fmt.Println("[WARN] cookie 中找不到 csrf_session_id,__token 用兜底值") } if msToken == "" { msToken = "qo0QYnkK7z_SrM7MPt2AA5xdWwKSGInO7AEeALRJ_BshJqip3nSLTnGa-gFL-aSNP6m1qNnf71-kf6hUf8xbwwLhbsaa_q3BamgxUXPxm4oXIyWPwBOXeXldqOkRV3naDtcad6PJb7rbxhbOaESKQ1YHY1y__z9Wt8GduCOxF-3ks9xHqstnKccV" fmt.Println("[WARN] cookie 中找不到 msToken,使用历史值(很可能已过期,建议从浏览器刷新一份)") } verifyFp := parseCookie(*cookie, "s_v_web_id") if verifyFp == "" { verifyFp = "verify_mmwdotm1_QYpHiLoc_99vO_49un_9xFU_0ZKfqsmF8gzh" } params := url.Values{} params.Set("page", "0") params.Set("pageSize", fmt.Sprintf("%d", *pageSize)) params.Set("compact_time[select]", "create_time_start,create_time_end") params.Set("buyer", *buyer) params.Set("order_by", "create_time") params.Set("order", "desc") params.Set("tab", "all") params.Set("appid", "1") if csrf != "" { params.Set("__token", csrf) } params.Set("_bid", "ffa_order") params.Set("aid", "4272") params.Set("verifyFp", verifyFp) params.Set("fp", verifyFp) params.Set("msToken", msToken) queryStr := params.Encode() aBogus, err := gen.Sign(queryStr, defaultUA) if err != nil { exit("计算 a_bogus 失败: %v", err) } fmt.Printf("生成 a_bogus = %s (长度 %d)\n", aBogus, len(aBogus)) finalURL := "https://fxg.jinritemai.com/api/order/searchlist?" + queryStr + "&a_bogus=" + url.QueryEscape(aBogus) body, status, err := doGet(finalURL, *cookie) if err != nil { exit("请求失败: %v", err) } fmt.Printf("HTTP %d\n响应前 1500 字节:\n%s\n", status, truncate(body, 1500)) } func parseCookie(cookie, key string) string { for _, part := range strings.Split(cookie, ";") { kv := strings.TrimSpace(part) if strings.HasPrefix(kv, key+"=") { return strings.TrimPrefix(kv, key+"=") } } return "" } func doGet(u, cookie string) (string, int, error) { req, err := http.NewRequest("GET", u, nil) if err != nil { return "", 0, err } req.Header.Set("User-Agent", defaultUA) req.Header.Set("Accept", "application/json, text/plain, */*") req.Header.Set("Accept-Language", "zh-CN,zh;q=0.9") req.Header.Set("Cookie", cookie) req.Header.Set("Referer", defaultReferer) req.Header.Set("priority", "u=1, i") req.Header.Set("sec-ch-ua", `"Google Chrome";v="147", "Not.A/Brand";v="8", "Chromium";v="147"`) req.Header.Set("sec-ch-ua-mobile", "?0") req.Header.Set("sec-ch-ua-platform", `"macOS"`) req.Header.Set("sec-fetch-dest", "empty") req.Header.Set("sec-fetch-mode", "cors") req.Header.Set("sec-fetch-site", "same-origin") req.Close = true cli := &http.Client{Timeout: 60 * time.Second} resp, err := cli.Do(req) if err != nil { return "", 0, err } defer resp.Body.Close() b, err := io.ReadAll(resp.Body) return string(b), resp.StatusCode, err } func truncate(s string, n int) string { if len(s) <= n { return s } return s[:n] } func exit(format string, a ...any) { fmt.Fprintf(os.Stderr, format+"\n", a...) os.Exit(1) }