反爬 __验证码类型__ 分析过程

某企业信用信息 使用了极限验证码，包括 滑块和点选 验证，这里尝试分析滑块验证

极限文档

准备工作

搭建极限 demo 环境

• 下载 demo

git clone https://github.com/GeeTeam/gt3-server-python-flask-sdk.git

• 运行 demo

cd gt3-server-python-flask-sdk
sudo pip install -r requirements.txt
sudo python3 app.py

在浏览器中访问http://localhost:5000即可看到demo界面。

js反混淆

请求文件中fullpage.9.0.0.js 和 slide.7.7.4.js 是经过代码混淆的，我们先对其进行反混淆。

反混淆是AST(抽象语法树)的方式进行代码的修改，AST使用 bable

bable 工程搭建

我们直接引用bable相关库，使用代码的方式进行工作。

首先安装bable相关库:

yarn add @babel/{parser,traverse,types,generator} -D

简单运行一个模版文件，看能不能正常运行:

const generator = require('@babel/generator');
const parser = require("@babel/parser");
const traverse = require("@babel/traverse");
const t = require("@babel/types");

function compile(code) {
  // 1. parse
  const ast = parser.parse(code);

  // 2. traverse
  const visitor = {
    CallExpression(path) {
      const { callee } = path.node;
      if (t.isMemberExpression(callee)
      && callee.object.name === 'console'
      && callee.property.name === 'log') {
        const funcPath = path.findParent(p => p.isFunctionDeclaration());
        path.node.arguments.unshift(t.stringLiteral(`[${funcPath.node.id.name}]`));
      }
    }
  };
  traverse.default(ast, visitor);

  // 3. generate
  return generator.default(ast, { /* options */ }, code);
}

const code = `
function foo(params) {
  console.log('bar');
}
`;

const result = compile(code);
console.log(result.code);

运行:

> node index.js
function foo(params) {
  console.log("[foo]", 'bar');
}

AST反混淆fullpage.9.0.0.js

首先使用beautifier对代码进行美化一下

js文件代码中有eval相关语句

eval(qFPY(535) + obj + pdkg(501))
eval(QgmM(535) + text + QgmM(501))
eval(AojHo.DoT(1559));
eval(AojHo.DoT(1596));
eval(AojHo.DoT(1569));
eval(AojHo.DoT(1521));
eval(AojHo.DoT(1518));
eval(AojHo.DoT(1560));

调试可以得到相关内容：

> AojHo.DoT(535)
"("
> AojHo.DoT(501)
")"
> AojHo.DoT(1559)
"var ZAIc=AojHo.DoT,YwQmXB=['cgKSx'].concat(ZAIc),aUfu=YwQmXB[1];YwQmXB.shift();var bKyE=YwQmXB[0];if(e[ZAIc(1300)]===true){return;}e[ZAIc(1300)]=true;e[ZAIc(1325)]();"
> AojHo.DoT(1596)
"var jEBf=AojHo.DoT,ioGlKk=['mDVyD'].concat(jEBf),kuip=ioGlKk[1];ioGlKk.shift();var lFYm=ioGlKk[0];PuTO(e[jEBf(1340)]);if(!e[kuip(1318)]&&e[jEBf(1302)]){e[kuip(1340)]=OvZL(function(){var oTmT=AojHo.DoT,nVmzEQ=['rAIfE'].concat(oTmT),pJtT=nVmzEQ[1];nVmzEQ.shift();var qSAl=nVmzEQ[0];e[pJtT(1318)]=true;e[oTmT(1251)][oTmT(668)]();e[oTmT(1325)]();},2e3);}else if(!e[kuip(1318)]&&e[kuip(1349)]&&!e[jEBf(1315)]){e[kuip(1315)]=true;e[jEBf(1340)]=OvZL(function(){var tkME=AojHo.DoT,sGBWXk=['wGaIz'].concat(tkME),uXIp=sGBWXk[1];sGBWXk.shift();var vdBD=sGBWXk[0];e[tkME(1325)]();},500);}else{e[kuip(1300)]=false;e[kuip(1315)]=false;e[kuip(1200)]();}"
> AojHo.DoT(1569)
"var EUts=AojHo.DoT,DncKMW=['HOYYd'].concat(EUts),FFNm=DncKMW[1];DncKMW.shift();var GaAn=DncKMW[0];r[FFNm(112)]=e[EUts(112)];r[FFNm(107)]=e[EUts(107)];r[EUts(203)]=e[EUts(203)]||FFNm(193);r[EUts(133)]=t[FFNm(1273)];r[FFNm(1328)]=t[EUts(1261)];r[EUts(607)]=t[EUts(1386)];"
> AojHo.DoT(1521)
"var JuFF=AojHo.DoT,IQAxxl=['MMmxz'].concat(JuFF),KGvV=IQAxxl[1];IQAxxl.shift();var LrZb=IQAxxl[0];nAGc(t[JuFF(259)],ZDoq[JuFF(152)](JuFF(1370)),r)[JuFF(28)](function(e){var OTWD=AojHo.DoT,NVcCAn=['RmxTS'].concat(OTWD),PDmr=NVcCAn[1];NVcCAn.shift();var QMQO=NVcCAn[0];if(e[OTWD(67)]===oWfH){return FEDB(DZue(e,t,OTWD(1331)));}t[OTWD(1390)](e[OTWD(310)]);},function(){var TPhp=AojHo.DoT,SALdfO=['Wq_aL'].concat(TPhp),UmIM=SALdfO[1];SALdfO.shift();var VOfk=SALdfO[0];return FEDB(CvFn(UmIM(1385),t));});"
> AojHo.DoT(1518)
"var dnCX=AojHo.DoT,clKCMn=['gSjXV'].concat(dnCX),eJPX=clKCMn[1];clKCMn.shift();var flRB=clKCMn[0];var e=_[dnCX(1222)][eJPX(1095)]();var t=_[eJPX(1222)][eJPX(1319)]();var r=_[eJPX(1247)][dnCX(1319)]();var n=_[dnCX(1272)][eJPX(1095)]();var i=_[dnCX(259)];var o=lgpy()-Nnni;_[dnCX(1350)]=eJPX(95);var a=[[dnCX(203),i[dnCX(203)]||eJPX(193)],[dnCX(284),eJPX(1399)],[eJPX(1353),tMcx(e,i[eJPX(681)],i[dnCX(274)])||-1],[eJPX(1310),n||-1],[eJPX(274),sdFN(ZDoq[eJPX(731)](t))],[eJPX(1375),sdFN(ZDoq[dnCX(731)](r))],[eJPX(1317),sdFN(r)],[eJPX(1303),sdFN(_[dnCX(1212)])],[dnCX(1341),_[eJPX(1341)]||-1],[eJPX(1345),_[dnCX(1345)]||-1],[eJPX(1364),_[eJPX(1346)]()||-1],[dnCX(1379),o||-1],[eJPX(1378),sdFN(i[eJPX(112)]+i[eJPX(107)]+o)]];for(var s=0;s<a[eJPX(43)];s++){_[dnCX(1350)]+=eJPX(571)+a[s][0]+dnCX(587)+yoVX[dnCX(80)](a[s][1])+dnCX(576);}"
> AojHo.DoT(1560)
"var iLEU=AojHo.DoT,hYtVmn=['lUtzp'].concat(iLEU),johT=hYtVmn[1];hYtVmn.shift();var kfeu=hYtVmn[0];var r=EcBk();function HyII(){var DFV=AojHo.EsV()[0][7];for(;DFV!==AojHo.EsV()[3][6];){switch(DFV){case AojHo.EsV()[0][7]:var t=[johT(1366)];return function(e){var neYH=AojHo.DoT,mleLzP=['qmxxX'].concat(neYH),oV_n=mleLzP[1];mleLzP.shift();var pNOV=mleLzP[0];t[neYH(69)](e[neYH(155)]());var IhbN=oV_n(95);(function addHash(e,t){var sUwm=AojHo.DoT,rICcKm=['vHniQ'].concat(sUwm),tjnR=rICcKm[1];rICcKm.shift();var uUeH=rICcKm[0];function JYxL(e){var ETt=AojHo.EsV()[3][7];for(;ETt!==AojHo.EsV()[0][6];){switch(ETt){case AojHo.EsV()[3][7]:var t=5381;var r=e[sUwm(43)],n=0;while(r--){t=(t<<5)+t+e[tjnR(23)](n++);}t&=~(1<<31);return t;break;}}}new Date()[tjnR(332)]()-t[sUwm(332)]()>100&&(e=tjnR(1311));IhbN=sUwm(512)+_[sUwm(1350)]+tjnR(1377)+JYxL(addHash[tjnR(155)]()+JYxL(JYxL[tjnR(155)]())+JYxL(e[tjnR(155)]()))+sUwm(571)+tjnR(536);}(t[neYH(1283)](),new Date()));_[oV_n(1386)]=ZDoq[oV_n(1287)](r[neYH(388)](IhbN,_[oV_n(1223)]()));};break;}}}_[iLEU(1362)]=HyII();_[iLEU(1362)](johT(95));_[iLEU(1362)](iLEU(1376));_[johT(1362)](johT(1342));_[iLEU(1362)](johT(1363));_[johT(1362)](iLEU(1314));"

直接使用 内容替换。

AST去掉unicode格式的编码

代码中很多unicode格式的函数命名

> "\u0064\u0079\u0048\u006a"
"dyHj"

在ast在线编辑网站astexplorer上可以看到unicode编码就是因为有extra这个属性，我们只需把这个属性删掉，就能展示原来的值了（16进制同理）

注意，astexplorer 网站上的解析器选择@babel/parser

实现代码，如下：

const generator = require('@babel/generator');
const parser = require("@babel/parser");
const traverse = require("@babel/traverse");
const t = require("@babel/types");
const fs = require('fs');

var jscode = fs.readFileSync("../clone/fullpage.9.0.0-no_eval.js", {
  encoding: "utf-8"
});

function replace_unicode(path) {
  delete path.node.extra;
}

function compile(code) {
  // 1. parse
  const ast = parser.parse(code);

  // 2. traverse
  const visitor = {
    StringLiteral: {
      enter: [replace_unicode]  //遍历所有StringLiteral属性
    }
  };
  traverse.default(ast, visitor);

  // 3. generate
  return generator.default(ast, { /* options */ }, code);
}

const result = compile(jscode);
// console.log(result.code);
fs.writeFile('../clone/fullpage.9.0.0-out.js', result.code, (err) => {});

查看输出文件，还有两处正则表达式的unicode没有修改

var Etot = /[\\"\u0000-\u001f\u007f-\u009f\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g;
var FQoK = /[\u0000\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g;

里面是一些特殊符号我们先不管它。

AojHo.DoT 字符串编码

AojHo.DoT = function () { ... }

代码中很多AojHo.DoT(n)，主要是传参一个数值，返回一段字符串

> AojHo.DoT(0)
"dyrk"

它像是保存字符串的数组。
代码中对象属性使用这种方式。

AojHo.DoT 有两种用法，一种是直接用，一种是间接用
我们先看看直接使用的

看看AST的结构:

思路就是这样:

function replace_DoT(path){
    var node = path.node;
    if(node.callee == undefined || node.callee.property ==undefined )
      return;
    if (node.callee.property.name == "DoT"){
        let arg = node.arguments[0].value;
        let value = AojHo.DoT(arg);
        PathToLiteral(path,value)
    }
}
function PathToLiteral(path,value){
      switch (typeof value) {
          case 'boolean':
              path.replaceWith(t.booleanLiteral(value));
              break;
          case 'string':
              path.replaceWith(t.stringLiteral(value));
              break;
          case 'number':
              path.replaceWith(t.numericLiteral(value));
              break;
          default:
              console.log("出现其他类型" + value + "类型:" +typeof value);
              console.log(value);
              break
      }
}

这样AojHo.DoT直接使用的被替换了

但在函数体里面还有很多间接使用的:

var AemB = AojHo.DoT,
    yikWjA = ["DH_Ev"].concat(AemB),
    BmSB = yikWjA[1];
yikWjA.shift();
var CFhI = yikWjA[0];

给很多随机名称的变量赋值后，在通过这个变量去拿数组中的真实值

AojHo.DoT === AemB === BmSB === CFhI

// TODO

AojHo.EsV 控制流平坦化

// TODO

Chrome插件ReRes 验证

• 关于ReRes：

  能够根据特定url规则拦截符合规则的网页资源，并让网页加载用户自己指定的某个地址的资源。

  使用例子：
  当网站读取 foo.com/bar.js 资源时，使其加载自己本地电脑上的 file:///d:/reres/foo.com/bar.js 文件，以此实现修改网站js代码功能的能力。

  • 对比TamperMonkey：
    • TamperMonkey可以直接输入js代码到网页中，但TamperMonkey某些情况下会出现注入无效的问题（可能是网站有反注入机制，原因不明）
    • 并且在使用网页自带的全局变量时不方便（如在页面加载后N秒才会加载的一些脚本为网页添加的变量），ReRes避开了这个问题
    • 此外ReRes不仅仅可以拦截.js，也可以拦截.css或者.jpg等文件，实现较丰富的DIY

• 关于Stylus：

  如果懒得使用ReRes拦截，就使用Stylus来进行css的修改，这是一款可以方便地注入自己的css到网页的插件。

注意，需要在chrome 打开ReRes 访问文件网站的权限

JS追踪

验证类型追踪

点击验证按钮，会请求相应类型的js文件，比如 点选图片验证 的需求/static/js/click.2.9.3.js

发出请求后，在Chrome devtool 中查看 Network 上相关请求的Initiator 找到相应的调用栈

最后可以追踪到

发现存储在 UI.yZmO 中:

> e["yZmO"]
"click"
> e
UI {SrUd: Rvdq, LetQ: Gchs, vLVR: KoNj, uwIQ: Config, uIED: {…}, …}

在yZmO被赋值的地方设置断点

UI.yZmO <== Gchs.yZmO

来自于第一次 ajax.php请求的返回

Request URL: http://api.geetest.com/ajax.php?gt=c9c4facd1a6feeb80802222cbb74ca8e&challenge=79bb431287f4764279352c3366223bff&lang=zh-cn&pt=0&client_type=web&w=F03AGaPlz4FsAto3NTZQ05Q5qowONcavPHAkO8u3eAWHmdHqQmw9iehH6zIkDY2bCdenq5t1moPyoT6wJKE2dT6onvGf1ZCqYw8ycrumKDzIkQGnvI3XFFX8cixtumkTu6VVIxgG1cW5bm)lCUaCTt1iEmy4FimZ0jYjEk)lzHSg18Np)943cDmgj)1unS9BGqIigGDIWtBZMf5j9No0rZ4yAirUReaFaZFRo2KPYZ8mFeChkM56o0OXrSzDpJxiqSDAB0CoUPhggZI9NW82IXZ)O(Ep49CF9PATlTYsTm)vRjwuu9yqn69heuohUT1Ko9KBbCgQJpOBGrUlKGALxkT7PLATO3rpoA3G4nVJbpcf06u3hndJhAQGVdhclG03MN909MmxHv9ahWcsyZcs8tQAMyt4p)y1Z7xjPjZv4v9YZWt7OgogKvaoYbLb))J5rSZKXWYPD4xJyE2xyzzqv387KUYNskM(f9(qBcSKn1WIzXPUlTaIwVKWNaRQDw22Tf0xcwhsjc9ctce25x3E3MzdO8yTHoHag33)J5JQkONZ1Qo9BqbqiBQ5FnXGqVWs3UybxAA9bc3GSzGhhuCUrL4XSbWZEomIW0Y9b7Xnj6iKVbhwxiFBhUqbTe7kqOdJ3NX8ntaeOU9VL8Nvjf1M1E3)UplRGUUWbstIlwPOZjUJx8byJeXfQgEWtxHC7A4PeabO8pHAoVs9W4xRkTEowKUAYaCNAOUIaTZgEP5cwH3tWDdwJLkaVoH1SEcbTHj7AyopZwXwj0H7yCczDCP2cSSr5hjGNkBBU(7Y9HPf1vYTImKGzCJ)TX0TGtwgNy(QVVyDnl0Ton)c5)oyRzAfiQZ6)fQVWTe6MkLK7Sz(Mjz7vTS8Q5X6rSFL6YEGvhdF5vv(vV9gqlT5OOqNMnRskMmFWGyE4CC5Z7KGfBJ8JGNIpTOvdmA6wthjGoI4D)uVCME7tM((ikBAIv0yQ1aYh(yTOUjLwa)3xudmXiLYddOPR6dzkHpgvg5uT5IMPWjvjZlJsQJWk8Q9Ga(XUwrdiMRFknmuDdEHYagrCjUzsPqGf1QyNQUop5dFdyaYcZ55IN258FSKI7DF2lqsG7OkWlhsCOxUSX1JYeG8ZLFWjPz71TJMc7rzu8zLGEbsClnLp1Dw)UFYKwh2xAE6GKaeMv4zkgYSfDxx3MpNTqXjIPt4adz9)0BF7mNGZ)uKctYiQltMWKk4JjX1ftJD)9QwAFFEkk2pzPHOGkd2S800RISB6x4l(4mqPB(8pQ4kdMQBZNeTz8kPSbQywA8xLnoog7j2vu6w9o6OclRJWt1l5hndUYZr52epjqPuPJ6(hgOqd(hQyktZDRWJvYXZK39f3LrH3vWAOKxEv1ffqP3uQTziLZYaE7X5UQ2BjlaN8AbW1BFaMe3IFHIOrHuBVNiT1B4LIwBnlLBoBn)pSWatQuacGHqPx9eDTPDFPwz4PnIioYeKkDlhXZ2YnuLTL6lBRnycN4LziLXzm)MexYVjl24.&callback=geetest_1601011261270
Request Method: GET
Status Code: 200 OK

Query Parameters:
gt: c9c4facd1a6feeb80802222cbb74ca8e
challenge: 79bb431287f4764279352c3366223bff
lang: zh-cn
pt: 0
client_type: web
w: F03AGaPlz4FsAto3NTZQ05Q5qowONcavPHAkO8u3eAWHmdHqQmw9iehH6zIkDY2bCdenq5t1moPyoT6wJKE2dT6onvGf1ZCqYw8ycrumKDzIkQGnvI3XFFX8cixtumkTu6VVIxgG1cW5bm)lCUaCTt1iEmy4FimZ0jYjEk)lzHSg18Np)943cDmgj)1unS9BGqIigGDIWtBZMf5j9No0rZ4yAirUReaFaZFRo2KPYZ8mFeChkM56o0OXrSzDpJxiqSDAB0CoUPhggZI9NW82IXZ)O(Ep49CF9PATlTYsTm)vRjwuu9yqn69heuohUT1Ko9KBbCgQJpOBGrUlKGALxkT7PLATO3rpoA3G4nVJbpcf06u3hndJhAQGVdhclG03MN909MmxHv9ahWcsyZcs8tQAMyt4p)y1Z7xjPjZv4v9YZWt7OgogKvaoYbLb))J5rSZKXWYPD4xJyE2xyzzqv387KUYNskM(f9(qBcSKn1WIzXPUlTaIwVKWNaRQDw22Tf0xcwhsjc9ctce25x3E3MzdO8yTHoHag33)J5JQkONZ1Qo9BqbqiBQ5FnXGqVWs3UybxAA9bc3GSzGhhuCUrL4XSbWZEomIW0Y9b7Xnj6iKVbhwxiFBhUqbTe7kqOdJ3NX8ntaeOU9VL8Nvjf1M1E3)UplRGUUWbstIlwPOZjUJx8byJeXfQgEWtxHC7A4PeabO8pHAoVs9W4xRkTEowKUAYaCNAOUIaTZgEP5cwH3tWDdwJLkaVoH1SEcbTHj7AyopZwXwj0H7yCczDCP2cSSr5hjGNkBBU(7Y9HPf1vYTImKGzCJ)TX0TGtwgNy(QVVyDnl0Ton)c5)oyRzAfiQZ6)fQVWTe6MkLK7Sz(Mjz7vTS8Q5X6rSFL6YEGvhdF5vv(vV9gqlT5OOqNMnRskMmFWGyE4CC5Z7KGfBJ8JGNIpTOvdmA6wthjGoI4D)uVCME7tM((ikBAIv0yQ1aYh(yTOUjLwa)3xudmXiLYddOPR6dzkHpgvg5uT5IMPWjvjZlJsQJWk8Q9Ga(XUwrdiMRFknmuDdEHYagrCjUzsPqGf1QyNQUop5dFdyaYcZ55IN258FSKI7DF2lqsG7OkWlhsCOxUSX1JYeG8ZLFWjPz71TJMc7rzu8zLGEbsClnLp1Dw)UFYKwh2xAE6GKaeMv4zkgYSfDxx3MpNTqXjIPt4adz9)0BF7mNGZ)uKctYiQltMWKk4JjX1ftJD)9QwAFFEkk2pzPHOGkd2S800RISB6x4l(4mqPB(8pQ4kdMQBZNeTz8kPSbQywA8xLnoog7j2vu6w9o6OclRJWt1l5hndUYZr52epjqPuPJ6(hgOqd(hQyktZDRWJvYXZK39f3LrH3vWAOKxEv1ffqP3uQTziLZYaE7X5UQ2BjlaN8AbW1BFaMe3IFHIOrHuBVNiT1B4LIwBnlLBoBn)pSWatQuacGHqPx9eDTPDFPwz4PnIioYeKkDlhXZ2YnuLTL6lBRnycN4LziLXzm)MexYVjl24.
callback: geetest_1601011261270

Response:
geetest_1601011261270({"status": "success", "data": {"result": "slide"}})

修改验证类型试试:

"AnzP": function (e) {
    var t = this;
    var r = t["$"];
    var n = t["vLVR"];
    var i = t["SrUd"];
    // t["yZmO"] = e;
    t.yZmO = "slide";

    ...
}

修改后：

1. 点选验证的时候 验证会出不来
2. 感应验证不走这里

所以，不能直接修改验证类型

追踪ajax.php请求

"NyMy": function (e) {
    var t = this;

    if (!t["vLVR"]["aeskey"] || e) {
        t["vLVR"]["aeskey"] = jKCV();
    }

    return t["vLVR"]["aeskey"];
},

var jKCV = function () {
    function S4() {
        return ((1 + Math["random"]()) * 65536 | 0)["toString"](16)["substring"](1);
    }

    return function () {
        return S4() + S4() + S4() + S4();
    };
}();

function HyII() {
    var t = ["bbOy"];
    return function (e) {
        t["push"](e["toString"]());
        var IhbN = "";

        (function addHash(e, t) {
            function JYxL(e) {
                var t = 5381;
                var r = e["length"],
                    n = 0;

                while (r--) {
                    t = (t << 5) + t + e["charCodeAt"](n++);
                }

                t &= ~(1 << 31);
                return t;
            }

            new Date()["getTime"]() - t["getTime"]() > 100 && (e = "qwe");
            IhbN = "{" + _["gMyn"] + "\"captcha_token\":\"" + JYxL(addHash["toString"]() + JYxL(JYxL["toString"]()) + JYxL(e["toString"]())) + "\"" + "}";
        })(t["shift"](), new Date());

        _["evlb"] = ZDoq["gove"](r["encrypt"](IhbN, _["NyMy"]()));
    };
}

_["NyMy"]() 对应的值(早就生成好了,存储在KoNj的aeskey属性中):

> t.vLVR.aeskey
"6d6aeecb5d4e5647"
> t.vLVR
KoNj { ... }
> IhbN
"{"lang":"zh-cn","type":"fullpage","tt":"M-h8Pjp8N:3(@9(9-AQ)A99(BAA(::()-9(.(E:F*Dbc@cjFAB-2./.6Z)-C0Lp0UC?AK)5?-c/Z99-n7C.8-:S?cn7D/D-N-ED,g)(:fV.5/:5?p)M*o(-f((n(9cb,((85ifjT:XU-61hOe/,bE4)(96E.Jl),i/E-3jAS))jc4F?M9/0()N1(E-(((j((,Mq*k55I(q8b(,bbb8ne69M925M9Km:G))/-RbE4)ME/(/,M1-)MM(N2)An-*b9-)M9(?bE-N,)(E-(bC9/)()M9(E/((Lqq","light":"DIV_0","s":"c7c3e21112fe4f741921cb3e4ff9f7cb","h":"a178bb3fcf33918eda2cf5b882a53091","hh":"13c3753ac17e20c349344bce7d8f04e6","hi":"03b38445dba1cf046d4ad55a36a87339","vip_order":-1,"ct":-1,"ep":{"v":"9.0.0","de":false,"te":false,"me":true,"ven":"Intel Inc.","ren":"Intel(R) Iris(TM) Graphics 6100","fp":["move",125,53,1601022140801,"pointermove"],"lp":["up",503,78,1601022142895,"pointerup"],"em":{"ph":0,"cp":0,"ek":"11","wd":0,"nt":0,"si":0,"sc":0},"tm":{"a":1601022137903,"b":1601022137961,"c":1601022137961,"d":0,"e":0,"f":1601022137907,"g":1601022137907,"h":1601022137907,"i":1601022137907,"j":1601022137907,"k":0,"l":1601022137927,"m":1601022137944,"n":1601022137947,"o":1601022137969,"p":1601022138181,"q":1601022138181,"r":1601022138214,"s":1601022138248,"t":1601022138248,"u":1601022138248},"by":0},"passtime":4270,"rp":"c7b740399e3b941a851a3099ddfa6d27","captcha_token":"987243730"}"

修改代码captcha_token给固定值987243730试试，是可以正常验证的

看看_.gMyn:

整理后的：

pxDM = 300

var e = _["sWVy"]["xMxC"]();
var t = _["sWVy"]["yhrd"]();
var r = _["lVwU"]["yhrd"]();
var n = _["KLSY"]["xMxC"]();
var i = _["vLVR"];
var o = currentTimeMillis() - startTime;

_["gMyn"] = "";
var a = [
    ["lang", "zh-cn"], 
    ["type", "fullpage"], 
    ["tt", tMcx(e, i.c, i.s) || -1], 
    ["light", n || -1], 
    ["s", sdFN(ZDoq.fXPz(t))], 
    ["h", sdFN(ZDoq.fXPz(r))], 
    ["hh", sdFN(r)], 
    ["hi", sdFN(_["Lg_n"])],
    ["vip_order", -1],
    ["ct", -1],
    ["ep", _["hfAl"]() || -1], 
    ["passtime", o || -1], 
    ["rp", sdFN(i.gt + i.challenge + o)]];

for (var s = 0; s < a.length; s++) {
    _.gMyn += "\"" + a[s][0] + "\":" + yoVX.stringify(a[s][1]) + ",";
}

tMcx, sdFN, ZDoq.fXPz 都是 编码方式

function HyII() {
    return function (e) {
        var word = "{" + _.gMyn + "\"captcha_token\":\"" + "987243730" + "\"" + "}";
        var aeskey = _.NyMy();
        _.evlb = ZDoq.gove(r.encrypt(word, aeskey));
    };
}

---

参考：

• AST 团队分享
• JS反混淆|AST突破极验JS反混淆
• JS逆向：AST还原极验混淆JS实战
• Python爬虫进阶必备 | 关于 ReRes 的一篇教程

工具：

• astexplorer
• beautifier

---

扩展：

• JS逆向抓取 |
• 安卓群控抓取 |
• APP逆向抓取 |

• 爬虫社会工程 |

• 52讲轻松搞定网络爬虫