原创文章,请勿转载
维护网络安全人人有责,本文章只做技术研究,请勿使用于任何商业场景。
本文配合其他文章一起服用效果更好,能更全面体会安全产品的设计。
(1)《第三代验证码研究》https://www.cnblogs.com/boycelee/p/11363611.html(推荐)
(2)《顶象验证码破解与研究》https://www.cnblogs.com/boycelee/p/14269941.html(推荐)
(3)《极验验证码破解与研究》https://www.cnblogs.com/boycelee/p/14021048.html(推荐)
(4)《极验无感验证破解》https://www.cnblogs.com/boycelee/p/13951819.html
(5)《同盾小程序指纹破解》https://www.cnblogs.com/boycelee/category/1819211.html
背景
之前在研究极验验证码时,validate参数都是由极验服务器下发。但偶然发现首航极验验证码与极验服务只进行一次交互只是拉取fullpage.js文件,极验服务并没有下发validate参数。为什么后续验证环节却凭空多出了validate参数?
这引起了我的好奇心,于是决定一探究竟。
特点
(1)fullpage版本为0.0.0
(2)后续没有与极验交互
(3)首航请求时需要validate,但网络信息中找不到validate值
实践
以首都航空举例:https://m.jdair.net/h5/views/onlinecheckin/handleCheckin.jsp
1、查看geetest相关请求信息
发现只获取了fullpage.0.0.0.js,后续和极验服务没有任何交互。可以断定validate为本地生成。
2、极验failback流程
3、关键代码
在fullpage.0.0.0.js文件中,通过静态分析+动态分析,定位本地计算代码。
具体流程是:传入challenge经过函数生成validate。
function $_CDm(e) {
function c(e, t) {
return e << t | e >>> 32 - t;
}
function u(e, t) {
var n, r, o, i, a;
return o = 2147483648 & e,
i = 2147483648 & t,
a = (1073741823 & e) + (1073741823 & t),
(n = 1073741824 & e) & (r = 1073741824 & t) ? 2147483648 ^ a ^ o ^ i : n | r ? 1073741824 & a ? 3221225472 ^ a ^ o ^ i : 1073741824 ^ a ^ o ^ i : a ^ o ^ i;
}
function t(e, t, n, r, o, i, a) {
return u(c(e = u(e, u(u(function s(e, t, n) {
var $_DJFy = $_AY.$_Dn
, $_DJED = ['$_DJIw'].concat($_DJFy)
, $_DJGi = $_DJED[1];
$_DJED.shift();
var $_DJHk = $_DJED[0];
return e & t | ~e & n;
}(t, n, r), o), a)), i), t);
}
function n(e, t, n, r, o, i, a) {
return u(c(e = u(e, u(u(function s(e, t, n) {
var $_EAAP = $_AY.$_Dn
, $_DJJG = ['$_EADQ'].concat($_EAAP)
, $_EABQ = $_DJJG[1];
$_DJJG.shift();
var $_EACU = $_DJJG[0];
return e & n | t & ~n;
}(t, n, r), o), a)), i), t);
}
function r(e, t, n, r, o, i, a) {
return u(c(e = u(e, u(u(function s(e, t, n) {
var $_EAFu = $_AY.$_Dn
, $_EAEo = ['$_EAIs'].concat($_EAFu)
, $_EAGH = $_EAEo[1];
$_EAEo.shift();
var $_EAHb = $_EAEo[0];
return e ^ t ^ n;
}(t, n, r), o), a)), i), t);
}
function o(e, t, n, r, o, i, a) {
return u(c(e = u(e, u(u(function s(e, t, n) {
var $_EBAC = $_AY.$_Dn
, $_EAJm = ['$_EBDv'].concat($_EBAC)
, $_EBBJ = $_EAJm[1];
$_EAJm.shift();
var $_EBCI = $_EAJm[0];
return t ^ (e | ~n);
}(t, n, r), o), a)), i), t);
}
function i(e) {
var t, n = $_DFBA(169), r = $_DFAo(169);
for (t = 0; t <= 3; t++)
n += (r = $_DFAo(127) + (e >>> 8 * t & 255)[$_DFAo(209)](16))[$_DFAo(138)](r[$_DFBA(130)] - 2, 2);
return n;
}
var a, s, _, l, h, f, d, p, g, v;
for (a = function m(e) {
var $_EBFg = $_AY.$_Dn
, $_EBEW = ['$_EBIG'].concat($_EBFg)
, $_EBGm = $_EBEW[1];
$_EBEW.shift();
var $_EBHd = $_EBEW[0];
var t, n = e[$_EBFg(130)], r = n + 8, o = 16 * (1 + (r - r % 64) / 64), i = Array(o - 1), a = 0, s = 0;
while (s < n)
a = s % 4 * 8,
i[t = (s - s % 4) / 4] = i[t] | e[$_EBFg(251)](s) << a,
s++;
return a = s % 4 * 8,
i[t = (s - s % 4) / 4] = i[t] | 128 << a,
i[o - 2] = n << 3,
i[o - 1] = n >>> 29,
i;
}(e = function E(e) {
var $_ECAV = $_AY.$_Dn
, $_EBJW = ['$_ECDz'].concat($_ECAV)
, $_ECBc = $_EBJW[1];
$_EBJW.shift();
var $_ECCN = $_EBJW[0];
e = e[$_ECBc(174)](/
/g, $_ECAV(223));
for (var t = $_ECBc(169), n = 0; n < e[$_ECAV(130)]; n++) {
var r = e[$_ECAV(251)](n);
r < 128 ? t += String[$_ECBc(155)](r) : (127 < r && r < 2048 ? t += String[$_ECAV(155)](r >> 6 | 192) : (t += String[$_ECBc(155)](r >> 12 | 224),
t += String[$_ECBc(155)](r >> 6 & 63 | 128)),
t += String[$_ECBc(155)](63 & r | 128));
}
return t;
}(e)),
d = 1732584193,
p = 4023233417,
g = 2562383102,
v = 271733878,
s = 0; s < a[$_DFBA(130)]; s += 16)
p = o(p = o(p = o(p = o(p = r(p = r(p = r(p = r(p = n(p = n(p = n(p = n(p = t(p = t(p = t(p = t(l = p, g = t(h = g, v = t(f = v, d = t(_ = d, p, g, v, a[s + 0], 7, 3614090360), p, g, a[s + 1], 12, 3905402710), d, p, a[s + 2], 17, 606105819), v, d, a[s + 3], 22, 3250441966), g = t(g, v = t(v, d = t(d, p, g, v, a[s + 4], 7, 4118548399), p, g, a[s + 5], 12, 1200080426), d, p, a[s + 6], 17, 2821735955), v, d, a[s + 7], 22, 4249261313), g = t(g, v = t(v, d = t(d, p, g, v, a[s + 8], 7, 1770035416), p, g, a[s + 9], 12, 2336552879), d, p, a[s + 10], 17, 4294925233), v, d, a[s + 11], 22, 2304563134), g = t(g, v = t(v, d = t(d, p, g, v, a[s + 12], 7, 1804603682), p, g, a[s + 13], 12, 4254626195), d, p, a[s + 14], 17, 2792965006), v, d, a[s + 15], 22, 1236535329), g = n(g, v = n(v, d = n(d, p, g, v, a[s + 1], 5, 4129170786), p, g, a[s + 6], 9, 3225465664), d, p, a[s + 11], 14, 643717713), v, d, a[s + 0], 20, 3921069994), g = n(g, v = n(v, d = n(d, p, g, v, a[s + 5], 5, 3593408605), p, g, a[s + 10], 9, 38016083), d, p, a[s + 15], 14, 3634488961), v, d, a[s + 4], 20, 3889429448), g = n(g, v = n(v, d = n(d, p, g, v, a[s + 9], 5, 568446438), p, g, a[s + 14], 9, 3275163606), d, p, a[s + 3], 14, 4107603335), v, d, a[s + 8], 20, 1163531501), g = n(g, v = n(v, d = n(d, p, g, v, a[s + 13], 5, 2850285829), p, g, a[s + 2], 9, 4243563512), d, p, a[s + 7], 14, 1735328473), v, d, a[s + 12], 20, 2368359562), g = r(g, v = r(v, d = r(d, p, g, v, a[s + 5], 4, 4294588738), p, g, a[s + 8], 11, 2272392833), d, p, a[s + 11], 16, 1839030562), v, d, a[s + 14], 23, 4259657740), g = r(g, v = r(v, d = r(d, p, g, v, a[s + 1], 4, 2763975236), p, g, a[s + 4], 11, 1272893353), d, p, a[s + 7], 16, 4139469664), v, d, a[s + 10], 23, 3200236656), g = r(g, v = r(v, d = r(d, p, g, v, a[s + 13], 4, 681279174), p, g, a[s + 0], 11, 3936430074), d, p, a[s + 3], 16, 3572445317), v, d, a[s + 6], 23, 76029189), g = r(g, v = r(v, d = r(d, p, g, v, a[s + 9], 4, 3654602809), p, g, a[s + 12], 11, 3873151461), d, p, a[s + 15], 16, 530742520), v, d, a[s + 2], 23, 3299628645), g = o(g, v = o(v, d = o(d, p, g, v, a[s + 0], 6, 4096336452), p, g, a[s + 7], 10, 1126891415), d, p, a[s + 14], 15, 2878612391), v, d, a[s + 5], 21, 4237533241), g = o(g, v = o(v, d = o(d, p, g, v, a[s + 12], 6, 1700485571), p, g, a[s + 3], 10, 2399980690), d, p, a[s + 10], 15, 4293915773), v, d, a[s + 1], 21, 2240044497), g = o(g, v = o(v, d = o(d, p, g, v, a[s + 8], 6, 1873313359), p, g, a[s + 15], 10, 4264355552), d, p, a[s + 6], 15, 2734768916), v, d, a[s + 13], 21, 1309151649), g = o(g, v = o(v, d = o(d, p, g, v, a[s + 4], 6, 4149444226), p, g, a[s + 11], 10, 3174756917), d, p, a[s + 2], 15, 718787259), v, d, a[s + 9], 21, 3951481745),
d = u(d, _),
p = u(p, l),
g = u(g, h),
v = u(v, f);
return (i(d) + i(p) + i(g) + i(v))[$_DFAo(192)]();
}
4、最后调用结果
具体服务化代码就不开源啦。
最后
没理解什么时候会触发fullpage.0.0.0.js,那就暂且理解为一种兜底策略吧。
在极端情况下,极验服务无法响应,使用通过js混淆隐藏兜底逻辑,启用本地算法进行token计算也不失为一种好的设计方式。
最后最后,维护网络安全人人有责,本文章只做技术研究,请勿使用于任何商业场景。