Reverse crawler 30 A verification code of the fourth generation slider

This paper refers to CSDN The other two bloggers , Namely SerendipitySpider and Tearful fish , Because they have completed the general process , Here is a summary of the experience of deducting your own code

One . Packet capture analysis request process

Two . Locate encryption parameters JS

challenge： reference value ,4ed83c16-da5d-46a8-890a-d138518a0a71

Global search

callback： reference value ,geetest_1650294566413, It's simple ,geetest_ + Time stamp

w： Track encryption value , Global search can't find , Because variable names are passed through unicode Encryption is hidden , You can see the call stack and value positioning , You can also search directly "\u0077" Come looking for w Where it was generated

// w be equal to r
r = d[$_BHHFU(91)](l[$_BHHFU(91)][$_BHHGm(541)](e), a)
//  Equivalent to 
r = d['default'](l['default']['stringify'](e), a)
/*  First look at the parameters ： e It's an object , Contains the following key values , Related to trajectory  device_id、ep、f3st、geetest、lang、lot_number、passtime、pow_msg、pow_sign、setLeft、track、userresponse a yes this, I can't understand the parameters inside , I don't care , Wait until you see the follow-up function , It doesn't have to be used  l['default']['stringify'] The effect is equivalent to JSON.stringify  Let's look at functions ： d['default'] Is to generate r Encryption function of , Because the parameters cannot be determined immediately , So you can't deduct this directly d['default'], Follow in and have a look  */

// d['default'] The function returns 
return c[$_CEAAg(139)](o) + a;
//  Equivalent to 
return c['arrayToHex'](o) + a;
//  First look at the parameters a and o
//  look for a
a = new _[($_CEAAg(91))]()[$_CEABJ(757)](n);
//  Equivalent to 
a = new _['default']()['encrypt'](n);
//  First look at the parameters n
var n = c[$_CEAAg(181)]()
//  Equivalent to 
var n = c['guid']()
/*  No parameters , Direct analysis ： c It's an object , Export objects directly c, call ['guid'] that will do  */
/*  go back to  a = new _['default']()['encrypt'](n); n It has been determined that , Analyze the front  _ It's an object , Export objects directly _, In the way here new, Call again ['encrypt'], Generate a */
/*  go back to  return c['arrayToHex'](o) + a; a It has been determined that , look for o */
var o = i[$_CEAAg(91)][$_CEAAg(757)](e, n);
//  Equivalent to 
var o = i['default']['encrypt'](e, n);
/* n It has been determined that ,e Is the first parameter passed in by the function , Trajectory correlation  i It's an object , Export objects directly i, Call... In the way here ['default']['encrypt'], Generate o */
/*  go back to  return c['arrayToHex'](o) + a; a and o It's all set   Previously generated n When , object c Has been exported , Call... In the way here ['arrayToHex'], return r value （w value ） */
/*  Summary ：  All the methods here export , Only the parameters of the function e（ Trajectory correlation ） It's not sure , Encapsulate the function , Pass in e, return r value （w value ） */

object e Value ：

/*  file unicode After decoding , You can easily search in the file where these values are generated , Except that the trajectory needs to be generated by itself   Dynamic values are ： lot_number:  Previously returned  passtime:  Slider sliding event  pow_msg: "1|0|md5|{datetime}|{captcha_id}|{lot_number}||{uuid}" pow_sign: md5(pow_msg) setLeft:  Slider track gap recognition distance , That is, the distance the slider needs to move  track:  The trajectory  userresponse: set_left/1.0059466666666665 （1.0059466666666665 This value may change ） */

Track generation reference Tearful fish

3、 ... and . Deduction code summary

1. When deducting the code , See the object priority export object , If this object is used, the following methods , Just export the object once .
2. After locating the encryption method , If the parameters are not easy to determine , You can look at the function first , Whether the parameter determines the encryption result , When I first saw it , Stuck at the entrance of the method Parameters a The above , result Parameters a Will not participate in encrypted Computing .