网上有不少获取QQ Clientkey的方式，第一种是模拟浏览器访问本地登陆QQ的方式获取Clientkey；另外就是注入到QQ通过调用它的导出函数获取Clientkey。

本文主要是通过网页模拟浏览器访问来获取QQ Clientkey，之前的老方法已经被和谐。

原理

一、获取pt_local_token

https://ssl.xui.ptlogin2.weiyun.com/cgi-bin/xlogin?appid=527020901&daid=372&low_login=0&qlogin_auto_login=1&s_url=https://www.weiyun.com/web/callback/common_qq_login_ok.html?login_succ&style=20&hide_title=1&target=self&link_target=blank&hide_close_icon=1&pt_no_auth=1

二、获取本机所登陆的uin、QQ号码

https://localhost.ptlogin2.weiyun.com:4301/pt_get_uins?callback=ptui_getuins_CB&r=0.6694805047494219&pt_local_tk= pt_local_tk
请求带入Referer，Cookie带入获取的pt_local_token值
端口是从4301~4308之间

Referer：
https://ssl.xui.ptlogin2.weiyun.com/

返回数据

var var_sso_uin_list=
[{“account”:“ QQ号码”,“client_type”:65793,“face_index”:144,“gender”:1,“nickname”:“Blue”,“uin”:“ QQ号码”,“uin_flag”:4194822}];ptui_getuins_CB(var_sso_uin_list);

三、获取Clientkey

https://localhost.ptlogin2.weiyun.com:4301/pt_get_st?clientuin= QQ号码&pt_local_tk= pt_local_token

请求头带入Referer

Referer:
https://ssl.xui.ptlogin2.weiyun.com/

Clientkey数据在response中header的Set-Cookie中

四、获取skey，uin

https://ptlogin2.qq.com/jump?clientuin= QQ 号码&clientkey= Clientkey&keyindex=9&u1= https://www.weiyun.com/web/callback/common_qq_login_ok.html?login_succ&pt_local_tk=&pt_3rd_aid=0&ptopt=1&style=40

请求头带入referer

Referer:
https://ptlogin2.qq.com/

skey在response中header的Set-Cookie中

返回数据

ptui_qlogin_CB('0', ' https://ssl.ptlogin2.weiyun.com/check_sig?pttype=2&uin= QQ 号码&service=jump&nodirect=0& ptsigx=06bbcd374ab3c5df7d26d1493f9a6364895db2999b5cb25a3fcf208213a7211c3848716312355f3cb98c44626c6f3fda428d7e4e09f196e1ace0c26f3acd7620&s_url= https%3A%2F%2Fwww.weiyun.com%2Fweb%2Fcallback%2Fcommon_qq_login_ok.html%3Flogin_succ&f_url=&ptlang=2052&ptredirect=100&aid=1000101&daid=372&j_later=0&low_login_hour=0&regmaster=0&pt_login_type=2&pt_aid=0&pt_aaid=0&pt_light=0&pt_3rd_aid=0', '')

其中 '0' 表示登录成功 '1' 为失败

该返回地址也可用作登录相应服务网站之用
' https://ssl.ptlogin2.weiyun.com/check_sig?pttype=2&uin= QQ 号码&service=jump&nodirect=0& ptsigx=06bbcd374ab3c5df7d26d1493f9a6364895db2999b5cb25a3fcf208213a7211c3848716312355f3cb98c44626c6f3fda428d7e4e09f196e1ace0c26f3acd7620&s_url= https%3A%2F%2Fwww.weiyun.com%2Fweb%2Fcallback%2Fcommon_qq_login_ok.html%3Flogin_succ&f_url=&ptlang=2052&ptredirect=100&aid=1000101&daid=372&j_later=0&low_login_hour=0&regmaster=0&pt_login_type=2&pt_aid=0&pt_aaid=0&pt_light=0&pt_3rd_aid=0'

五、获取p_skey

https://ssl.ptlogin2.weiyun.com/check_sig? ptsigx=06bbcd374ab3c5df7d26d1493f9a6364895db2999b5cb25a3fcf208213a7211c3848716312355f3cb98c44626c6f3fda428d7e4e09f196e1ace0c26f3acd7620

注意的是需要设置禁止自动跳转，不然数据获取不成功

p_skey是在Response的Header中

效果图

完整工具下载地址：

https://download.csdn.net/download/qq_39190622/87423303

官方网站
www.chwm.vip

部分实现代码：

#include "stdafx.h"
#include <string>
#include <windows.h>
#include <iostream>
#include <tlhelp32.h>
#include <WinInet.h>
#pragma comment(lib,"wininet.lib")
using namespace std;BOOL DelTempFiles()
{BOOL bResult = FALSE;BOOL bDone = FALSE;LPINTERNET_CACHE_ENTRY_INFO lpCacheEntry = NULL;DWORD  dwTrySize, dwEntrySize = 4096; // start buffer sizeHANDLE hCacheDir = NULL;DWORD  dwError = ERROR_INSUFFICIENT_BUFFER;do{switch (dwError){// need a bigger buffercase ERROR_INSUFFICIENT_BUFFER:delete [] lpCacheEntry;lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO) new char[dwEntrySize];lpCacheEntry->dwStructSize = dwEntrySize;dwTrySize = dwEntrySize;BOOL bSuccess;if (hCacheDir == NULL)bSuccess = (hCacheDir= FindFirstUrlCacheEntry(NULL, lpCacheEntry,&dwTrySize)) != NULL;elsebSuccess = FindNextUrlCacheEntry(hCacheDir, lpCacheEntry, &dwTrySize);if (bSuccess)dwError = ERROR_SUCCESS;else{dwError = GetLastError();dwEntrySize = dwTrySize; // use new size returned}break;// we are donecase ERROR_NO_MORE_ITEMS:bDone = TRUE;bResult = TRUE;break;// we have got an entrycase ERROR_SUCCESS:// don't delete cookie entryif (!(lpCacheEntry->CacheEntryType & COOKIE_CACHE_ENTRY))DeleteUrlCacheEntry(lpCacheEntry->lpszSourceUrlName);// get ready for next entrydwTrySize = dwEntrySize;if (FindNextUrlCacheEntry(hCacheDir, lpCacheEntry, &dwTrySize))dwError = ERROR_SUCCESS;else{dwError = GetLastError();dwEntrySize = dwTrySize; // use new size returned}break;// unknown errordefault:bDone = TRUE;break;}if (bDone){delete []lpCacheEntry;if (hCacheDir)FindCloseUrlCache(hCacheDir);}} while (!bDone);return TRUE;
}BOOL GetProcessName(LPCTSTR szProcess) 
{ HANDLE hShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);PROCESSENTRY32 pe32x = {sizeof(PROCESSENTRY32),0};if( Process32First(hShot,&pe32x) ) {CString TargetName = "";TargetName.Format(TEXT("%s"), szProcess);TargetName.MakeLower(); do{CString ProcessName = "";ProcessName.Format(TEXT("%s"), pe32x.szExeFile);ProcessName.MakeLower();if( ProcessName == TargetName ){CloseHandle(hShot);return TRUE;}}while( Process32Next(hShot, &pe32x) );} CloseHandle(hShot);return FALSE;
}int _tmain(int argc, _TCHAR* argv[])
{// 清理缓存DelTempFiles();// 检测是否已登录QQif(!GetProcessName("qq.exe")) {MessageBox("\r\n未检测到 QQ.exe 进程，请先登录 QQ 客户端。\r\n\r\n", "注意", MB_ICONHAND);return 0;}// 初始化URLURL_COMPONENTSA crackedURL = { 0 };char URL_STRING[] = "https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=636014201&s_url=http://www.qq.com/qq2012/loginSuccess.htm&style=20&border_radius=1&target=self&maskOpacity=40";char szHostName[128];char szUrlPath[256];crackedURL.dwStructSize = sizeof(URL_COMPONENTSA);crackedURL.lpszHostName = szHostName;crackedURL.dwHostNameLength = ARRAYSIZE(szHostName);crackedURL.lpszUrlPath = szUrlPath;crackedURL.dwUrlPathLength = ARRAYSIZE(szUrlPath);InternetCrackUrlA(URL_STRING, (DWORD)strlen(URL_STRING), 0, &crackedURL);// 初始化会话HINTERNET hInternet = InternetOpenA("Microsoft Internet Explorer", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);HINTERNET hHttpSession = InternetConnectA(hInternet, crackedURL.lpszHostName, INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);HINTERNET hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", crackedURL.lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);// 发送HTTP请求HttpSendRequest(hHttpRequest, NULL, 0, NULL, 0);// 查询HTTP请求状态DWORD dwRetCode = 0;DWORD dwSizeOfRq = sizeof(DWORD);BOOL bRet = FALSE;bRet = HttpQueryInfo(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);// 读取整个Headerschar lpHeaderBuffer[1024] = {0};dwSizeOfRq = 1024;bRet = HttpQueryInfo(hHttpRequest, HTTP_QUERY_RAW_HEADERS, lpHeaderBuffer, &dwSizeOfRq, NULL);// 从Cookie中提取pt_local_token的值char* pt_local_token = lpHeaderBuffer + dwSizeOfRq;while (pt_local_token != lpHeaderBuffer){if (strstr(pt_local_token, "pt_local_token=")){// 退出之前，修正偏移pt_local_token += sizeof("pt_local_token");char* pEndBuffer = strstr(pt_local_token, ";");*pEndBuffer = 0;break;}pt_local_token--;}cout << "[+] Token:" << pt_local_token << endl;// 关闭句柄,只需要释放下面两个,注意关闭时按相反的顺序InternetCloseHandle(hHttpRequest);InternetCloseHandle(hHttpSession);/* 第二次建立会话 *///生成16位随机数time_t seed = time(NULL);srand((unsigned)seed);CString szRand1, szRand2;for (int j = 0; j<16; j++){switch ((rand() % 2)){case 1:szRand1.Format("%C", rand() % 5 + 48);break;default:szRand1.Format("%C", rand() % 5 + 53);}szRand2 += szRand1;Sleep(100);}// 初始化URL参数char lpszUrlPath[MAX_PATH] = { 0 };strcat(lpszUrlPath, "/pt_get_uins?callback=ptui_getuins_CB&r=0.");strcat(lpszUrlPath, szRand2);            // 追加16位随机数strcat(lpszUrlPath, "&pt_local_tk=");strcat(lpszUrlPath, pt_local_token);    // 追加pt_local_tokencout << "[+] URLPath:" << lpszUrlPath << endl;// 初始化会话hHttpSession = InternetConnectA(hInternet, "localhost.ptlogin2.qq.com", 4301, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);// 发送HTTP请求,添加头信息char* lpHeaders = "Referer:https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=636014201&s_url=http%3A%2F%2Fwww.qq.com%2Fqq2012%2FloginSuccess.htm";HttpSendRequestA(hHttpRequest, lpHeaders, strlen(lpHeaders), NULL, 0);// 查询HTTP请求状态dwRetCode = 0;dwSizeOfRq = sizeof(DWORD);bRet = HttpQueryInfo(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);// 获取返回数据的大小DWORD dwNumberOfBytesAvailable = 0;bRet = InternetQueryDataAvailable(hHttpRequest, &dwNumberOfBytesAvailable, NULL, NULL);// 读取网页内容char* lpBuffer = new char[dwNumberOfBytesAvailable]();bRet = InternetReadFile(hHttpRequest, lpBuffer, dwNumberOfBytesAvailable, &dwNumberOfBytesAvailable);// 获取返回数据并提取uin（QQ号）char* uin = lpBuffer + dwNumberOfBytesAvailable;while (uin != lpBuffer){if (strstr(uin, "\"account\":\"")){// 退出之前，修正偏移uin += sizeof("\"account\":");char* pEndBuffer = strstr(uin, "\"");*pEndBuffer = 0;break;}uin--;}cout << "[+] uin:" << uin << endl;// 释放资源,注意关闭句柄时按相反的顺序InternetCloseHandle(hHttpRequest);InternetCloseHandle(hHttpSession);/* 第三次会话 */// 初始化URL参数ZeroMemory(lpszUrlPath,MAX_PATH);strcat(lpszUrlPath, "/pt_get_st?clientuin=");strcat(lpszUrlPath, uin);strcat(lpszUrlPath, "&callback=ptui_getst_CB&pt_local_tk=");strcat(lpszUrlPath, pt_local_token);// 发送HTTPS请求hHttpSession = InternetConnectA(hInternet, "localhost.ptlogin2.qq.com", 4301, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);// 添加头信息lpHeaders = "Referer:https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=636014201&s_url=http%3A%2F%2Fwww.qq.com%2Fqq2012%2FloginSuccess.htm";HttpSendRequestA(hHttpRequest, lpHeaders, strlen(lpHeaders), NULL, 0);// 查询HTTP请求状态dwRetCode = 0;dwSizeOfRq = sizeof(DWORD);bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);// 读取整个HeadersZeroMemory(lpHeaderBuffer, 1024);dwSizeOfRq = 1024;bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_RAW_HEADERS, lpHeaderBuffer, &dwSizeOfRq, NULL);// 从Cookie中提取ClientKey的值char* clientkey = lpHeaderBuffer + dwSizeOfRq;while (clientkey != lpHeaderBuffer){if (strstr(clientkey, "clientkey=")){// 退出之前，修正偏移clientkey += sizeof("clientkey");char* pEndBuffer = strstr(clientkey, ";");*pEndBuffer = 0;break;}clientkey--;}cout << "[+] client key:" << clientkey << endl;InternetCloseHandle(hHttpRequest);InternetCloseHandle(hHttpSession);InternetCloseHandle(hInternet);delete[] lpBuffer;return 0;
}