Inorishio/anishio
1
0
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
192abe44bac2c739c53bcb04c2c70bb9bf7cd3dd
anishio/docs/analyzed.md
T

5.9 KiB
Raw Blame History

ani-cli Codebase Analysis: How It Retrieves Anime Episodes

Based on the exploration of the ani-cli repository, here is how the application works behind the scenes to fetch anime episodes. The application utilizes a bash script which operates primarily by scraping and making API requests to allanime endpoints.

1. The Target API

ani-cli points to a GraphQL API backend:

  • Base URL: https://api.allanime.day/api (constructed from allanime_base="allanime.day")
  • Referrer Policy: To bypass basic bot protections, it explicitly sets the HTTP Referer header to https://allmanga.to ($allanime_refr) and passes a user-agent.

2. Searching & Episode Lists via GraphQL

The codebase uses specific embedded GraphQL queries encoded within the bash script, sent via curl -X POST.

  • Search: It queries shows(search: ...) using a query named search_gql to find titles and returns their respective _id and episode count.
  • Episode Listing: Once an _id is found, it queries episodes_list_gql to retrieve a list of available episodes (e.g., availableEpisodesDetail) for the chosen sub/dub setting (translationType).

3. Fetching the Episode Video Links

When an episode is selected, ani-cli needs the embedded player source. It does this by making another GraphQL request using episode_embed_gql.

  • It passes the $showId, $translationType (sub or dub mode), and $episodeString (the episode number).
  • The API returns a JSON payload containing sourceUrls.

4. Bypassing Encryption (tobeparsed)

Sometimes, allanime obfuscates the video source URLs to prevent scraping. The API returns an encrypted base64 payload under the key "tobeparsed".

  • ani-cli catches this field with grep -q '"tobeparsed"'.
  • It then routes the blob to a decryption function decode_tobeparsed().
  • The Decryption Method: It extracts the IV (first 12 bytes of the decoded base64 string) and uses openssl to run AES-256-CTR decryption against the rest of the payload.
  • The Key: The decryption key ($allanime_key) is dynamically generated by taking the SHA-256 hash of the hardcoded salt string: Xot36i3lK3:v1.

5. Link Generation & Processing

Once the embed URLs are decrypted (or retrieved plain), they are mapped to respective video providers using generate_link(). Providers include wixmp (the default), youtube, sharepoint, and hianime.

  • The get_links() function takes the direct links, hits them, and uses sed to extract .mp4 URLs or .m3u8 playlist files based on the provider format.
  • Subtitle URLs are also isolated if available.

6. Streaming or Downloading

Finally, these isolated stream links (along with the necessary referrer headers) are passed directly into standard media players like mpv, vlc, android_vlc, or downstream download managers like aria2c.

Code Reference (Line Numbers)

Here are the exact line numbers in the ani-cli script where these specific mechanisms are implemented:

  • API Configuration & Keys:
    • allanime_refr="https://allmanga.to": Line 405
    • allanime_base="allanime.day": Line 406
    • allanime_api="https://api.${allanime_base}": Line 407
    • allanime_key (The hardcoded AES key hash): Line 408
  • GraphQL Queries:
    • episode_embed_gql (Fetching the video player URLs): Line 227
    • search_gql (Searching for anime titles): Line 257
    • episodes_list_gql (Getting available episodes): Line 280
  • The Decryption Logic:
    • The decode_tobeparsed() function where the AES-256-CTR decryption happens: Lines 211 - 221
    • The check that routes the response to the decryption function (if printf "%s" "$api_resp" | grep -q '"tobeparsed"'; then): Line 230

Is this a partnership, or can you do it yourself?

You can absolutely do this yourself. This is not an official partnership.

What the developers of ani-cli have done is known as Reverse Engineering and Web Scraping. When you watch a video on a site like allanime in your normal web browser, your browser has to know how to talk to their servers to get the video files. Because all of this happens on the client-side (in your browser), the instructions are visible if you know where to look.

Here is how developers (and how you can) figure this out for almost any website:

  1. Network Tab Inspection: If you open your browser's Developer Tools (F12) and go to the "Network" tab, you can see every request the website makes. If you search for an anime, you will see a POST request going to https://api.allanime.day/api.
  2. Payload Analysis: By clicking on that network request, you can see exactly what data was sent (the GraphQL query) and what the server responded with (the JSON payload).
  3. Bypassing Basic Protections: Websites try to stop automated scripts from doing this by checking headers. The developers saw that the site checks the Referer header to make sure the request is coming from https://allmanga.to. So, they simply programmed ani-cli to fake that header (curl -e "https://allmanga.to").
  4. Finding Encryption Keys: When the site started returning encrypted "tobeparsed" blobs instead of plain video URLs, the developers of ani-cli likely opened the "Sources" tab in their browser's Developer Tools, downloaded the website's obfuscated JavaScript files, and reverse-engineered how the web player decrypts the video. That's how they found the exact AES algorithm (aes-256-ctr) and the hardcoded salt string (Xot36i3lK3:v1).

Can you do this? Yes! You can use tools like Python (with requests and BeautifulSoup), Bash (like this script uses curl, grep, and sed), or NodeJS to replicate these exact network requests for any site.

Note: Because this is reverse-engineered, sites frequently change their API endpoints, encryption keys, or security measures to break scrapers, which is why tools like ani-cli require constant updates.

Reference in New Issue View Git Blame Copy Permalink