反爬 __验证码类型__ 分析过程

某企业信用信息 使用了极限验证码,包括 滑块点选 验证,这里尝试分析滑块验证

极限文档

准备工作

搭建极限 demo 环境

  • 下载 demo
1
git clone https://github.com/GeeTeam/gt3-server-python-flask-sdk.git
  • 运行 demo
1
2
3
cd gt3-server-python-flask-sdk
sudo pip install -r requirements.txt
sudo python3 app.py

在浏览器中访问http://localhost:5000即可看到demo界面。

js反混淆

请求文件中fullpage.9.0.0.jsslide.7.7.4.js 是经过代码混淆的,我们先对其进行反混淆。

反混淆是AST(抽象语法树)的方式进行代码的修改,AST使用 bable

bable 工程搭建

我们直接引用bable相关库,使用代码的方式进行工作。

首先安装bable相关库:

1
yarn add @babel/{parser,traverse,types,generator} -D

简单运行一个模版文件,看能不能正常运行:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
const generator = require('@babel/generator');
const parser = require("@babel/parser");
const traverse = require("@babel/traverse");
const t = require("@babel/types");

function compile(code) {
// 1. parse
const ast = parser.parse(code);

// 2. traverse
const visitor = {
CallExpression(path) {
const { callee } = path.node;
if (t.isMemberExpression(callee)
&& callee.object.name === 'console'
&& callee.property.name === 'log') {
const funcPath = path.findParent(p => p.isFunctionDeclaration());
path.node.arguments.unshift(t.stringLiteral(`[${funcPath.node.id.name}]`));
}
}
};
traverse.default(ast, visitor);

// 3. generate
return generator.default(ast, { /* options */ }, code);
}

const code = `
function foo(params) {
console.log('bar');
}
`;

const result = compile(code);
console.log(result.code);

运行:

1
2
3
4
> node index.js
function foo(params) {
console.log("[foo]", 'bar');
}

AST反混淆fullpage.9.0.0.js

首先使用beautifier对代码进行美化一下

js文件代码中有eval相关语句

1
2
3
4
5
6
7
8
eval(qFPY(535) + obj + pdkg(501))
eval(QgmM(535) + text + QgmM(501))
eval(AojHo.DoT(1559));
eval(AojHo.DoT(1596));
eval(AojHo.DoT(1569));
eval(AojHo.DoT(1521));
eval(AojHo.DoT(1518));
eval(AojHo.DoT(1560));

调试可以得到相关内容:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
> AojHo.DoT(535)
"("
> AojHo.DoT(501)
")"
> AojHo.DoT(1559)
"var ZAIc=AojHo.DoT,YwQmXB=['cgKSx'].concat(ZAIc),aUfu=YwQmXB[1];YwQmXB.shift();var bKyE=YwQmXB[0];if(e[ZAIc(1300)]===true){return;}e[ZAIc(1300)]=true;e[ZAIc(1325)]();"
> AojHo.DoT(1596)
"var jEBf=AojHo.DoT,ioGlKk=['mDVyD'].concat(jEBf),kuip=ioGlKk[1];ioGlKk.shift();var lFYm=ioGlKk[0];PuTO(e[jEBf(1340)]);if(!e[kuip(1318)]&&e[jEBf(1302)]){e[kuip(1340)]=OvZL(function(){var oTmT=AojHo.DoT,nVmzEQ=['rAIfE'].concat(oTmT),pJtT=nVmzEQ[1];nVmzEQ.shift();var qSAl=nVmzEQ[0];e[pJtT(1318)]=true;e[oTmT(1251)][oTmT(668)]();e[oTmT(1325)]();},2e3);}else if(!e[kuip(1318)]&&e[kuip(1349)]&&!e[jEBf(1315)]){e[kuip(1315)]=true;e[jEBf(1340)]=OvZL(function(){var tkME=AojHo.DoT,sGBWXk=['wGaIz'].concat(tkME),uXIp=sGBWXk[1];sGBWXk.shift();var vdBD=sGBWXk[0];e[tkME(1325)]();},500);}else{e[kuip(1300)]=false;e[kuip(1315)]=false;e[kuip(1200)]();}"
> AojHo.DoT(1569)
"var EUts=AojHo.DoT,DncKMW=['HOYYd'].concat(EUts),FFNm=DncKMW[1];DncKMW.shift();var GaAn=DncKMW[0];r[FFNm(112)]=e[EUts(112)];r[FFNm(107)]=e[EUts(107)];r[EUts(203)]=e[EUts(203)]||FFNm(193);r[EUts(133)]=t[FFNm(1273)];r[FFNm(1328)]=t[EUts(1261)];r[EUts(607)]=t[EUts(1386)];"
> AojHo.DoT(1521)
"var JuFF=AojHo.DoT,IQAxxl=['MMmxz'].concat(JuFF),KGvV=IQAxxl[1];IQAxxl.shift();var LrZb=IQAxxl[0];nAGc(t[JuFF(259)],ZDoq[JuFF(152)](JuFF(1370)),r)[JuFF(28)](function(e){var OTWD=AojHo.DoT,NVcCAn=['RmxTS'].concat(OTWD),PDmr=NVcCAn[1];NVcCAn.shift();var QMQO=NVcCAn[0];if(e[OTWD(67)]===oWfH){return FEDB(DZue(e,t,OTWD(1331)));}t[OTWD(1390)](e[OTWD(310)]);},function(){var TPhp=AojHo.DoT,SALdfO=['Wq_aL'].concat(TPhp),UmIM=SALdfO[1];SALdfO.shift();var VOfk=SALdfO[0];return FEDB(CvFn(UmIM(1385),t));});"
> AojHo.DoT(1518)
"var dnCX=AojHo.DoT,clKCMn=['gSjXV'].concat(dnCX),eJPX=clKCMn[1];clKCMn.shift();var flRB=clKCMn[0];var e=_[dnCX(1222)][eJPX(1095)]();var t=_[eJPX(1222)][eJPX(1319)]();var r=_[eJPX(1247)][dnCX(1319)]();var n=_[dnCX(1272)][eJPX(1095)]();var i=_[dnCX(259)];var o=lgpy()-Nnni;_[dnCX(1350)]=eJPX(95);var a=[[dnCX(203),i[dnCX(203)]||eJPX(193)],[dnCX(284),eJPX(1399)],[eJPX(1353),tMcx(e,i[eJPX(681)],i[dnCX(274)])||-1],[eJPX(1310),n||-1],[eJPX(274),sdFN(ZDoq[eJPX(731)](t))],[eJPX(1375),sdFN(ZDoq[dnCX(731)](r))],[eJPX(1317),sdFN(r)],[eJPX(1303),sdFN(_[dnCX(1212)])],[dnCX(1341),_[eJPX(1341)]||-1],[eJPX(1345),_[dnCX(1345)]||-1],[eJPX(1364),_[eJPX(1346)]()||-1],[dnCX(1379),o||-1],[eJPX(1378),sdFN(i[eJPX(112)]+i[eJPX(107)]+o)]];for(var s=0;s<a[eJPX(43)];s++){_[dnCX(1350)]+=eJPX(571)+a[s][0]+dnCX(587)+yoVX[dnCX(80)](a[s][1])+dnCX(576);}"
> AojHo.DoT(1560)
"var iLEU=AojHo.DoT,hYtVmn=['lUtzp'].concat(iLEU),johT=hYtVmn[1];hYtVmn.shift();var kfeu=hYtVmn[0];var r=EcBk();function HyII(){var DFV=AojHo.EsV()[0][7];for(;DFV!==AojHo.EsV()[3][6];){switch(DFV){case AojHo.EsV()[0][7]:var t=[johT(1366)];return function(e){var neYH=AojHo.DoT,mleLzP=['qmxxX'].concat(neYH),oV_n=mleLzP[1];mleLzP.shift();var pNOV=mleLzP[0];t[neYH(69)](e[neYH(155)]());var IhbN=oV_n(95);(function addHash(e,t){var sUwm=AojHo.DoT,rICcKm=['vHniQ'].concat(sUwm),tjnR=rICcKm[1];rICcKm.shift();var uUeH=rICcKm[0];function JYxL(e){var ETt=AojHo.EsV()[3][7];for(;ETt!==AojHo.EsV()[0][6];){switch(ETt){case AojHo.EsV()[3][7]:var t=5381;var r=e[sUwm(43)],n=0;while(r--){t=(t<<5)+t+e[tjnR(23)](n++);}t&=~(1<<31);return t;break;}}}new Date()[tjnR(332)]()-t[sUwm(332)]()>100&&(e=tjnR(1311));IhbN=sUwm(512)+_[sUwm(1350)]+tjnR(1377)+JYxL(addHash[tjnR(155)]()+JYxL(JYxL[tjnR(155)]())+JYxL(e[tjnR(155)]()))+sUwm(571)+tjnR(536);}(t[neYH(1283)](),new Date()));_[oV_n(1386)]=ZDoq[oV_n(1287)](r[neYH(388)](IhbN,_[oV_n(1223)]()));};break;}}}_[iLEU(1362)]=HyII();_[iLEU(1362)](johT(95));_[iLEU(1362)](iLEU(1376));_[johT(1362)](johT(1342));_[iLEU(1362)](johT(1363));_[johT(1362)](iLEU(1314));"

直接使用 内容替换

AST去掉unicode格式的编码

代码中很多unicode格式的函数命名

1
2
> "\u0064\u0079\u0048\u006a"
"dyHj"

在ast在线编辑网站astexplorer上可以看到unicode编码就是因为有extra这个属性,我们只需把这个属性删掉,就能展示原来的值了(16进制同理)

ast-unicode

注意,astexplorer 网站上的解析器选择@babel/parser

实现代码,如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
const generator = require('@babel/generator');
const parser = require("@babel/parser");
const traverse = require("@babel/traverse");
const t = require("@babel/types");
const fs = require('fs');

var jscode = fs.readFileSync("../clone/fullpage.9.0.0-no_eval.js", {
encoding: "utf-8"
});

function replace_unicode(path) {
delete path.node.extra;
}

function compile(code) {
// 1. parse
const ast = parser.parse(code);

// 2. traverse
const visitor = {
StringLiteral: {
enter: [replace_unicode] //遍历所有StringLiteral属性
}
};
traverse.default(ast, visitor);

// 3. generate
return generator.default(ast, { /* options */ }, code);
}

const result = compile(jscode);
// console.log(result.code);
fs.writeFile('../clone/fullpage.9.0.0-out.js', result.code, (err) => {});

查看输出文件,还有两处正则表达式的unicode没有修改

1
2
var Etot = /[\\"\u0000-\u001f\u007f-\u009f\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g;
var FQoK = /[\u0000\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g;

里面是一些特殊符号我们先不管它。

AojHo.DoT 字符串编码
1
AojHo.DoT = function () { ... }

代码中很多AojHo.DoT(n),主要是传参一个数值,返回一段字符串

1
2
> AojHo.DoT(0)
"dyrk"

它像是保存字符串的数组。
代码中对象属性使用这种方式。

AojHo.DoT 有两种用法,一种是直接用,一种是间接用
我们先看看直接使用的

看看AST的结构:

思路就是这样:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
function replace_DoT(path){
var node = path.node;
if(node.callee == undefined || node.callee.property ==undefined )
return;
if (node.callee.property.name == "DoT"){
let arg = node.arguments[0].value;
let value = AojHo.DoT(arg);
PathToLiteral(path,value)
}
}
function PathToLiteral(path,value){
switch (typeof value) {
case 'boolean':
path.replaceWith(t.booleanLiteral(value));
break;
case 'string':
path.replaceWith(t.stringLiteral(value));
break;
case 'number':
path.replaceWith(t.numericLiteral(value));
break;
default:
console.log("出现其他类型" + value + "类型:" +typeof value);
console.log(value);
break
}
}

这样AojHo.DoT直接使用的被替换了

但在函数体里面还有很多间接使用的:

1
2
3
4
5
var AemB = AojHo.DoT,
yikWjA = ["DH_Ev"].concat(AemB),
BmSB = yikWjA[1];
yikWjA.shift();
var CFhI = yikWjA[0];

给很多随机名称的变量赋值后,在通过这个变量去拿数组中的真实值

1
AojHo.DoT === AemB === BmSB === CFhI

// TODO

AojHo.EsV 控制流平坦化

// TODO

Chrome插件ReRes 验证
  • 关于ReRes

    能够根据特定url规则拦截符合规则的网页资源,并让网页加载用户自己指定的某个地址的资源。

    使用例子:
    当网站读取 foo.com/bar.js 资源时,使其加载自己本地电脑上的 file:///d:/reres/foo.com/bar.js 文件,以此实现修改网站js代码功能的能力。

    • 对比TamperMonkey
      • TamperMonkey可以直接输入js代码到网页中,但TamperMonkey某些情况下会出现注入无效的问题(可能是网站有反注入机制,原因不明)
      • 并且在使用网页自带的全局变量时不方便(如在页面加载后N秒才会加载的一些脚本为网页添加的变量),ReRes避开了这个问题
      • 此外ReRes不仅仅可以拦截.js,也可以拦截.css或者.jpg等文件,实现较丰富的DIY
  • 关于Stylus

    如果懒得使用ReRes拦截,就使用Stylus来进行css的修改,这是一款可以方便地注入自己的css到网页的插件。

注意,需要在chrome 打开ReRes 访问文件网站的权限

JS追踪

验证类型追踪

点击验证按钮,会请求相应类型的js文件,比如 点选图片验证 的需求/static/js/click.2.9.3.js

发出请求后,在Chrome devtool 中查看 Network 上相关请求的Initiator 找到相应的调用栈

最后可以追踪到

image-click.2.9.3.js

发现存储在 UI.yZmO 中:

1
2
3
4
> e["yZmO"]
"click"
> e
UI {SrUd: Rvdq, LetQ: Gchs, vLVR: KoNj, uwIQ: Config, uIED: {…}, …}

在yZmO被赋值的地方设置断点

UI.yZmO <== Gchs.yZmO

来自于第一次 ajax.php请求的返回

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Request URL: http://api.geetest.com/ajax.php?gt=c9c4facd1a6feeb80802222cbb74ca8e&challenge=79bb431287f4764279352c3366223bff&lang=zh-cn&pt=0&client_type=web&w=F03AGaPlz4FsAto3NTZQ05Q5qowONcavPHAkO8u3eAWHmdHqQmw9iehH6zIkDY2bCdenq5t1moPyoT6wJKE2dT6onvGf1ZCqYw8ycrumKDzIkQGnvI3XFFX8cixtumkTu6VVIxgG1cW5bm)lCUaCTt1iEmy4FimZ0jYjEk)lzHSg18Np)943cDmgj)1unS9BGqIigGDIWtBZMf5j9No0rZ4yAirUReaFaZFRo2KPYZ8mFeChkM56o0OXrSzDpJxiqSDAB0CoUPhggZI9NW82IXZ)O(Ep49CF9PATlTYsTm)vRjwuu9yqn69heuohUT1Ko9KBbCgQJpOBGrUlKGALxkT7PLATO3rpoA3G4nVJbpcf06u3hndJhAQGVdhclG03MN909MmxHv9ahWcsyZcs8tQAMyt4p)y1Z7xjPjZv4v9YZWt7OgogKvaoYbLb))J5rSZKXWYPD4xJyE2xyzzqv387KUYNskM(f9(qBcSKn1WIzXPUlTaIwVKWNaRQDw22Tf0xcwhsjc9ctce25x3E3MzdO8yTHoHag33)J5JQkONZ1Qo9BqbqiBQ5FnXGqVWs3UybxAA9bc3GSzGhhuCUrL4XSbWZEomIW0Y9b7Xnj6iKVbhwxiFBhUqbTe7kqOdJ3NX8ntaeOU9VL8Nvjf1M1E3)UplRGUUWbstIlwPOZjUJx8byJeXfQgEWtxHC7A4PeabO8pHAoVs9W4xRkTEowKUAYaCNAOUIaTZgEP5cwH3tWDdwJLkaVoH1SEcbTHj7AyopZwXwj0H7yCczDCP2cSSr5hjGNkBBU(7Y9HPf1vYTImKGzCJ)TX0TGtwgNy(QVVyDnl0Ton)c5)oyRzAfiQZ6)fQVWTe6MkLK7Sz(Mjz7vTS8Q5X6rSFL6YEGvhdF5vv(vV9gqlT5OOqNMnRskMmFWGyE4CC5Z7KGfBJ8JGNIpTOvdmA6wthjGoI4D)uVCME7tM((ikBAIv0yQ1aYh(yTOUjLwa)3xudmXiLYddOPR6dzkHpgvg5uT5IMPWjvjZlJsQJWk8Q9Ga(XUwrdiMRFknmuDdEHYagrCjUzsPqGf1QyNQUop5dFdyaYcZ55IN258FSKI7DF2lqsG7OkWlhsCOxUSX1JYeG8ZLFWjPz71TJMc7rzu8zLGEbsClnLp1Dw)UFYKwh2xAE6GKaeMv4zkgYSfDxx3MpNTqXjIPt4adz9)0BF7mNGZ)uKctYiQltMWKk4JjX1ftJD)9QwAFFEkk2pzPHOGkd2S800RISB6x4l(4mqPB(8pQ4kdMQBZNeTz8kPSbQywA8xLnoog7j2vu6w9o6OclRJWt1l5hndUYZr52epjqPuPJ6(hgOqd(hQyktZDRWJvYXZK39f3LrH3vWAOKxEv1ffqP3uQTziLZYaE7X5UQ2BjlaN8AbW1BFaMe3IFHIOrHuBVNiT1B4LIwBnlLBoBn)pSWatQuacGHqPx9eDTPDFPwz4PnIioYeKkDlhXZ2YnuLTL6lBRnycN4LziLXzm)MexYVjl24.&callback=geetest_1601011261270
Request Method: GET
Status Code: 200 OK

Query Parameters:
gt: c9c4facd1a6feeb80802222cbb74ca8e
challenge: 79bb431287f4764279352c3366223bff
lang: zh-cn
pt: 0
client_type: web
w: F03AGaPlz4FsAto3NTZQ05Q5qowONcavPHAkO8u3eAWHmdHqQmw9iehH6zIkDY2bCdenq5t1moPyoT6wJKE2dT6onvGf1ZCqYw8ycrumKDzIkQGnvI3XFFX8cixtumkTu6VVIxgG1cW5bm)lCUaCTt1iEmy4FimZ0jYjEk)lzHSg18Np)943cDmgj)1unS9BGqIigGDIWtBZMf5j9No0rZ4yAirUReaFaZFRo2KPYZ8mFeChkM56o0OXrSzDpJxiqSDAB0CoUPhggZI9NW82IXZ)O(Ep49CF9PATlTYsTm)vRjwuu9yqn69heuohUT1Ko9KBbCgQJpOBGrUlKGALxkT7PLATO3rpoA3G4nVJbpcf06u3hndJhAQGVdhclG03MN909MmxHv9ahWcsyZcs8tQAMyt4p)y1Z7xjPjZv4v9YZWt7OgogKvaoYbLb))J5rSZKXWYPD4xJyE2xyzzqv387KUYNskM(f9(qBcSKn1WIzXPUlTaIwVKWNaRQDw22Tf0xcwhsjc9ctce25x3E3MzdO8yTHoHag33)J5JQkONZ1Qo9BqbqiBQ5FnXGqVWs3UybxAA9bc3GSzGhhuCUrL4XSbWZEomIW0Y9b7Xnj6iKVbhwxiFBhUqbTe7kqOdJ3NX8ntaeOU9VL8Nvjf1M1E3)UplRGUUWbstIlwPOZjUJx8byJeXfQgEWtxHC7A4PeabO8pHAoVs9W4xRkTEowKUAYaCNAOUIaTZgEP5cwH3tWDdwJLkaVoH1SEcbTHj7AyopZwXwj0H7yCczDCP2cSSr5hjGNkBBU(7Y9HPf1vYTImKGzCJ)TX0TGtwgNy(QVVyDnl0Ton)c5)oyRzAfiQZ6)fQVWTe6MkLK7Sz(Mjz7vTS8Q5X6rSFL6YEGvhdF5vv(vV9gqlT5OOqNMnRskMmFWGyE4CC5Z7KGfBJ8JGNIpTOvdmA6wthjGoI4D)uVCME7tM((ikBAIv0yQ1aYh(yTOUjLwa)3xudmXiLYddOPR6dzkHpgvg5uT5IMPWjvjZlJsQJWk8Q9Ga(XUwrdiMRFknmuDdEHYagrCjUzsPqGf1QyNQUop5dFdyaYcZ55IN258FSKI7DF2lqsG7OkWlhsCOxUSX1JYeG8ZLFWjPz71TJMc7rzu8zLGEbsClnLp1Dw)UFYKwh2xAE6GKaeMv4zkgYSfDxx3MpNTqXjIPt4adz9)0BF7mNGZ)uKctYiQltMWKk4JjX1ftJD)9QwAFFEkk2pzPHOGkd2S800RISB6x4l(4mqPB(8pQ4kdMQBZNeTz8kPSbQywA8xLnoog7j2vu6w9o6OclRJWt1l5hndUYZr52epjqPuPJ6(hgOqd(hQyktZDRWJvYXZK39f3LrH3vWAOKxEv1ffqP3uQTziLZYaE7X5UQ2BjlaN8AbW1BFaMe3IFHIOrHuBVNiT1B4LIwBnlLBoBn)pSWatQuacGHqPx9eDTPDFPwz4PnIioYeKkDlhXZ2YnuLTL6lBRnycN4LziLXzm)MexYVjl24.
callback: geetest_1601011261270

Response:
geetest_1601011261270({"status": "success", "data": {"result": "slide"}})

修改验证类型试试:

1
2
3
4
5
6
7
8
9
10
"AnzP": function (e) {
var t = this;
var r = t["$"];
var n = t["vLVR"];
var i = t["SrUd"];
// t["yZmO"] = e;
t.yZmO = "slide";

...
}

修改后:

  1. 点选验证的时候 验证会出不来
  2. 感应验证不走这里

所以,不能直接修改验证类型

追踪ajax.php请求

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
"NyMy": function (e) {
var t = this;

if (!t["vLVR"]["aeskey"] || e) {
t["vLVR"]["aeskey"] = jKCV();
}

return t["vLVR"]["aeskey"];
},

var jKCV = function () {
function S4() {
return ((1 + Math["random"]()) * 65536 | 0)["toString"](16)["substring"](1);
}

return function () {
return S4() + S4() + S4() + S4();
};
}();

function HyII() {
var t = ["bbOy"];
return function (e) {
t["push"](e["toString"]());
var IhbN = "";

(function addHash(e, t) {
function JYxL(e) {
var t = 5381;
var r = e["length"],
n = 0;

while (r--) {
t = (t << 5) + t + e["charCodeAt"](n++);
}

t &= ~(1 << 31);
return t;
}

new Date()["getTime"]() - t["getTime"]() > 100 && (e = "qwe");
IhbN = "{" + _["gMyn"] + "\"captcha_token\":\"" + JYxL(addHash["toString"]() + JYxL(JYxL["toString"]()) + JYxL(e["toString"]())) + "\"" + "}";
})(t["shift"](), new Date());

_["evlb"] = ZDoq["gove"](r["encrypt"](IhbN, _["NyMy"]()));
};
}

_["NyMy"]() 对应的值(早就生成好了,存储在KoNjaeskey属性中):

1
2
3
4
5
6
> t.vLVR.aeskey
"6d6aeecb5d4e5647"
> t.vLVR
KoNj { ... }
> IhbN
"{"lang":"zh-cn","type":"fullpage","tt":"M-h8Pjp8N:3(@9(9-AQ)A99(BAA(::()-9(.(E:F*Dbc@cjFAB-2./.6Z)-C0Lp0UC?AK)5?-c/Z99-n7C.8-:S?cn7D/D-N-ED,g)(:fV.5/:5?p)M*o(-f((n(9cb,((85ifjT:XU-61hOe/,bE4)(96E.Jl),i/E-3jAS))jc4F?M9/0()N1(E-(((j((,Mq*k55I(q8b(,bbb8ne69M925M9Km:G))/-RbE4)ME/(/,M1-)MM(N2)An-*b9-)M9(?bE-N,)(E-(bC9/)()M9(E/((Lqq","light":"DIV_0","s":"c7c3e21112fe4f741921cb3e4ff9f7cb","h":"a178bb3fcf33918eda2cf5b882a53091","hh":"13c3753ac17e20c349344bce7d8f04e6","hi":"03b38445dba1cf046d4ad55a36a87339","vip_order":-1,"ct":-1,"ep":{"v":"9.0.0","de":false,"te":false,"me":true,"ven":"Intel Inc.","ren":"Intel(R) Iris(TM) Graphics 6100","fp":["move",125,53,1601022140801,"pointermove"],"lp":["up",503,78,1601022142895,"pointerup"],"em":{"ph":0,"cp":0,"ek":"11","wd":0,"nt":0,"si":0,"sc":0},"tm":{"a":1601022137903,"b":1601022137961,"c":1601022137961,"d":0,"e":0,"f":1601022137907,"g":1601022137907,"h":1601022137907,"i":1601022137907,"j":1601022137907,"k":0,"l":1601022137927,"m":1601022137944,"n":1601022137947,"o":1601022137969,"p":1601022138181,"q":1601022138181,"r":1601022138214,"s":1601022138248,"t":1601022138248,"u":1601022138248},"by":0},"passtime":4270,"rp":"c7b740399e3b941a851a3099ddfa6d27","captcha_token":"987243730"}"

修改代码captcha_token给固定值987243730试试,是可以正常验证的

看看_.gMyn:

整理后的:

pxDM = 300

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
var e = _["sWVy"]["xMxC"]();
var t = _["sWVy"]["yhrd"]();
var r = _["lVwU"]["yhrd"]();
var n = _["KLSY"]["xMxC"]();
var i = _["vLVR"];
var o = currentTimeMillis() - startTime;

_["gMyn"] = "";
var a = [
["lang", "zh-cn"],
["type", "fullpage"],
["tt", tMcx(e, i.c, i.s) || -1],
["light", n || -1],
["s", sdFN(ZDoq.fXPz(t))],
["h", sdFN(ZDoq.fXPz(r))],
["hh", sdFN(r)],
["hi", sdFN(_["Lg_n"])],
["vip_order", -1],
["ct", -1],
["ep", _["hfAl"]() || -1],
["passtime", o || -1],
["rp", sdFN(i.gt + i.challenge + o)]];

for (var s = 0; s < a.length; s++) {
_.gMyn += "\"" + a[s][0] + "\":" + yoVX.stringify(a[s][1]) + ",";
}

tMcx, sdFN, ZDoq.fXPz 都是 编码方式

1
2
3
4
5
6
7
function HyII() {
return function (e) {
var word = "{" + _.gMyn + "\"captcha_token\":\"" + "987243730" + "\"" + "}";
var aeskey = _.NyMy();
_.evlb = ZDoq.gove(r.encrypt(word, aeskey));
};
}

参考:

工具:


扩展:

Powered by Hexo and Hexo-theme-hiker

Copyright © 2013 - 2021 朝着牛逼的道路一路狂奔 All Rights Reserved.

访客数 : | 访问量 :