Target site: aHR0cHM6Ly9qenNjLm1vaHVyZC5nb3YuY24vZGF0YS9jb21wYW55L2RldGFpbD9pZD0wMDIxMDUyOTEyMzk0NTEzMzk=

Site analysis: After opening the page and refreshing, a captcha appears before the data loads; the bottom-left corner of the captcha shows that it is a Geetest captcha. After several days of observation I found that the site's captcha type is random each day, and I saw five types: slider, text click, icon click, nine-grid, and spatial reasoning. The captcha is Geetest 3 (the biggest difference between Geetest 3 and Geetest 4 is the slider: Geetest 3 checks the slider trajectory and Geetest 4 does not; beyond that, the obfuscation logic differs).

Flow analysis: First look at the captcha request logic. The complete request flow should be: first obtain challenge and gt through the start endpoint, then request the first get and ajax to complete initialization of challenge and gt, then request the second get to obtain the captcha image information, and finally request ajax to submit the verification. Testing showed, however, that the first get request can be dropped and the w value of the first ajax can be left empty. Looking at the requests, the start endpoint has an encrypted response body and the last ajax has an encrypted parameter.

Encryption:

startCaptcha endpoint: The returned content is encrypted. Breakpoint debugging shows it is AES encryption with a fixed key and IV, so it can be implemented with a standard library.

ajax endpoint: The w value is encrypted. It can be located by searching for "\u0077" or by setting a breakpoint and following the call stack, so I won't describe that here.

Observation shows that the w value is made up of two values, h and u: u is the value produced by running the function r[$_CAIAL(738)](), and h is the value produced by running m[$_CAHJk(762)](l).

u: Look at u first. Stepping into r[$_CAIAL(738)] shows that the statements this function actually executes are:

var e = new U()[$_CBFJy(326)](this[$_CBGAs(766)](t));
while (!e || 256 !== e[$_CBFJy(142)])
    e = new U()[$_CBGAs(326)](this[$_CBFJy(766)](!0));

Here this[$_CBGAs(766)](t) is a random string generation function and can be hard-coded to a fixed value; new U()[$_CBFJy(326)] is the RSA encryption operation, which can be reproduced with a third-party library or by extracting the function code; the public key is a fixed value.
...(truncated)
---
Source: Kanxue Forum
Original link: https://bbs.kanxue.com/thread-290281.htm
[Original] Geetest 3 Reverse Engineering Analysis
179 views
2 replies
None of the externally linked images can be displayed.
The images are broken, bro.