• 极验无感验证破解


    原创文章,请勿转载
    维护网络安全人人有责,本文章只做技术研究,请勿使用于任何商业场景。
    本文配合其他文章一起服用效果更好,能更全面体会安全产品的设计。

    (1)《第三代验证码研究》https://www.cnblogs.com/boycelee/p/11363611.html(推荐)

    (2)《顶象验证码破解与研究》https://www.cnblogs.com/boycelee/p/14269941.html(推荐)

    (3)《极验验证码破解与研究》https://www.cnblogs.com/boycelee/p/14021048.html(推荐)

    (4)《极验无感验证破解》https://www.cnblogs.com/boycelee/p/13951819.html

    (5)《同盾小程序指纹破解》https://www.cnblogs.com/boycelee/category/1819211.html

    极验无感验证通过

    背景

    之前在研究极验验证码时,validate参数都是由极验服务器下发。但偶然发现首航极验验证码与极验服务只进行一次交互只是拉取fullpage.js文件,极验服务并没有下发validate参数。为什么后续验证环节却凭空多出了validate参数?

    这引起了我的好奇心,于是决定一探究竟。

    特点

    (1)fullpage版本为0.0.0

    (2)后续没有与极验交互

    (3)首航请求时需要validate,但网络信息中找不到validate值

    实践

    以首都航空举例:https://m.jdair.net/h5/views/onlinecheckin/handleCheckin.jsp

    1、查看geetest相关请求信息

    发现只获取了fullpage.0.0.0.js,后续和极验服务没有任何交互。可以断定validate为本地生成。

    首航极验fullpage

    2、极验failback流程

    极验failback流程

    3、关键代码

    在fullpage.0.0.0.js文件中,通过静态分析+动态分析,定位本地计算代码。

    具体流程是:传入challenge经过函数生成validate。

    function $_CDm(e) {
                function c(e, t) {
                    return e << t | e >>> 32 - t;
                }
                function u(e, t) {
                    var n, r, o, i, a;
                    return o = 2147483648 & e,
                    i = 2147483648 & t,
                    a = (1073741823 & e) + (1073741823 & t),
                    (n = 1073741824 & e) & (r = 1073741824 & t) ? 2147483648 ^ a ^ o ^ i : n | r ? 1073741824 & a ? 3221225472 ^ a ^ o ^ i : 1073741824 ^ a ^ o ^ i : a ^ o ^ i;
                }
                function t(e, t, n, r, o, i, a) {
                    return u(c(e = u(e, u(u(function s(e, t, n) {
                        var $_DJFy = $_AY.$_Dn
                          , $_DJED = ['$_DJIw'].concat($_DJFy)
                          , $_DJGi = $_DJED[1];
                        $_DJED.shift();
                        var $_DJHk = $_DJED[0];
                        return e & t | ~e & n;
                    }(t, n, r), o), a)), i), t);
                }
                function n(e, t, n, r, o, i, a) {
                    return u(c(e = u(e, u(u(function s(e, t, n) {
                        var $_EAAP = $_AY.$_Dn
                          , $_DJJG = ['$_EADQ'].concat($_EAAP)
                          , $_EABQ = $_DJJG[1];
                        $_DJJG.shift();
                        var $_EACU = $_DJJG[0];
                        return e & n | t & ~n;
                    }(t, n, r), o), a)), i), t);
                }
                function r(e, t, n, r, o, i, a) {
                    return u(c(e = u(e, u(u(function s(e, t, n) {
                        var $_EAFu = $_AY.$_Dn
                          , $_EAEo = ['$_EAIs'].concat($_EAFu)
                          , $_EAGH = $_EAEo[1];
                        $_EAEo.shift();
                        var $_EAHb = $_EAEo[0];
                        return e ^ t ^ n;
                    }(t, n, r), o), a)), i), t);
                }
                function o(e, t, n, r, o, i, a) {
                    return u(c(e = u(e, u(u(function s(e, t, n) {
                        var $_EBAC = $_AY.$_Dn
                          , $_EAJm = ['$_EBDv'].concat($_EBAC)
                          , $_EBBJ = $_EAJm[1];
                        $_EAJm.shift();
                        var $_EBCI = $_EAJm[0];
                        return t ^ (e | ~n);
                    }(t, n, r), o), a)), i), t);
                }
                function i(e) {
                    var t, n = $_DFBA(169), r = $_DFAo(169);
                    for (t = 0; t <= 3; t++)
                        n += (r = $_DFAo(127) + (e >>> 8 * t & 255)[$_DFAo(209)](16))[$_DFAo(138)](r[$_DFBA(130)] - 2, 2);
                    return n;
                }
                var a, s, _, l, h, f, d, p, g, v;
                for (a = function m(e) {
                    var $_EBFg = $_AY.$_Dn
                      , $_EBEW = ['$_EBIG'].concat($_EBFg)
                      , $_EBGm = $_EBEW[1];
                    $_EBEW.shift();
                    var $_EBHd = $_EBEW[0];
                    var t, n = e[$_EBFg(130)], r = n + 8, o = 16 * (1 + (r - r % 64) / 64), i = Array(o - 1), a = 0, s = 0;
                    while (s < n)
                        a = s % 4 * 8,
                        i[t = (s - s % 4) / 4] = i[t] | e[$_EBFg(251)](s) << a,
                        s++;
                    return a = s % 4 * 8,
                    i[t = (s - s % 4) / 4] = i[t] | 128 << a,
                    i[o - 2] = n << 3,
                    i[o - 1] = n >>> 29,
                    i;
                }(e = function E(e) {
                    var $_ECAV = $_AY.$_Dn
                      , $_EBJW = ['$_ECDz'].concat($_ECAV)
                      , $_ECBc = $_EBJW[1];
                    $_EBJW.shift();
                    var $_ECCN = $_EBJW[0];
                    e = e[$_ECBc(174)](/
    /g, $_ECAV(223));
                    for (var t = $_ECBc(169), n = 0; n < e[$_ECAV(130)]; n++) {
                        var r = e[$_ECAV(251)](n);
                        r < 128 ? t += String[$_ECBc(155)](r) : (127 < r && r < 2048 ? t += String[$_ECAV(155)](r >> 6 | 192) : (t += String[$_ECBc(155)](r >> 12 | 224),
                        t += String[$_ECBc(155)](r >> 6 & 63 | 128)),
                        t += String[$_ECBc(155)](63 & r | 128));
                    }
                    return t;
                }(e)),
                d = 1732584193,
                p = 4023233417,
                g = 2562383102,
                v = 271733878,
                s = 0; s < a[$_DFBA(130)]; s += 16)
                    p = o(p = o(p = o(p = o(p = r(p = r(p = r(p = r(p = n(p = n(p = n(p = n(p = t(p = t(p = t(p = t(l = p, g = t(h = g, v = t(f = v, d = t(_ = d, p, g, v, a[s + 0], 7, 3614090360), p, g, a[s + 1], 12, 3905402710), d, p, a[s + 2], 17, 606105819), v, d, a[s + 3], 22, 3250441966), g = t(g, v = t(v, d = t(d, p, g, v, a[s + 4], 7, 4118548399), p, g, a[s + 5], 12, 1200080426), d, p, a[s + 6], 17, 2821735955), v, d, a[s + 7], 22, 4249261313), g = t(g, v = t(v, d = t(d, p, g, v, a[s + 8], 7, 1770035416), p, g, a[s + 9], 12, 2336552879), d, p, a[s + 10], 17, 4294925233), v, d, a[s + 11], 22, 2304563134), g = t(g, v = t(v, d = t(d, p, g, v, a[s + 12], 7, 1804603682), p, g, a[s + 13], 12, 4254626195), d, p, a[s + 14], 17, 2792965006), v, d, a[s + 15], 22, 1236535329), g = n(g, v = n(v, d = n(d, p, g, v, a[s + 1], 5, 4129170786), p, g, a[s + 6], 9, 3225465664), d, p, a[s + 11], 14, 643717713), v, d, a[s + 0], 20, 3921069994), g = n(g, v = n(v, d = n(d, p, g, v, a[s + 5], 5, 3593408605), p, g, a[s + 10], 9, 38016083), d, p, a[s + 15], 14, 3634488961), v, d, a[s + 4], 20, 3889429448), g = n(g, v = n(v, d = n(d, p, g, v, a[s + 9], 5, 568446438), p, g, a[s + 14], 9, 3275163606), d, p, a[s + 3], 14, 4107603335), v, d, a[s + 8], 20, 1163531501), g = n(g, v = n(v, d = n(d, p, g, v, a[s + 13], 5, 2850285829), p, g, a[s + 2], 9, 4243563512), d, p, a[s + 7], 14, 1735328473), v, d, a[s + 12], 20, 2368359562), g = r(g, v = r(v, d = r(d, p, g, v, a[s + 5], 4, 4294588738), p, g, a[s + 8], 11, 2272392833), d, p, a[s + 11], 16, 1839030562), v, d, a[s + 14], 23, 4259657740), g = r(g, v = r(v, d = r(d, p, g, v, a[s + 1], 4, 2763975236), p, g, a[s + 4], 11, 1272893353), d, p, a[s + 7], 16, 4139469664), v, d, a[s + 10], 23, 3200236656), g = r(g, v = r(v, d = r(d, p, g, v, a[s + 13], 4, 681279174), p, g, a[s + 0], 11, 3936430074), d, p, a[s + 3], 16, 3572445317), v, d, a[s + 6], 23, 76029189), g = r(g, v = r(v, d = r(d, p, g, v, a[s + 9], 4, 3654602809), p, g, a[s + 12], 11, 3873151461), d, p, a[s + 15], 16, 530742520), v, d, a[s + 2], 23, 3299628645), g = o(g, v = o(v, d = o(d, p, g, v, a[s + 0], 6, 4096336452), p, g, a[s + 7], 10, 1126891415), d, p, a[s + 14], 15, 2878612391), v, d, a[s + 5], 21, 4237533241), g = o(g, v = o(v, d = o(d, p, g, v, a[s + 12], 6, 1700485571), p, g, a[s + 3], 10, 2399980690), d, p, a[s + 10], 15, 4293915773), v, d, a[s + 1], 21, 2240044497), g = o(g, v = o(v, d = o(d, p, g, v, a[s + 8], 6, 1873313359), p, g, a[s + 15], 10, 4264355552), d, p, a[s + 6], 15, 2734768916), v, d, a[s + 13], 21, 1309151649), g = o(g, v = o(v, d = o(d, p, g, v, a[s + 4], 6, 4149444226), p, g, a[s + 11], 10, 3174756917), d, p, a[s + 2], 15, 718787259), v, d, a[s + 9], 21, 3951481745),
                    d = u(d, _),
                    p = u(p, l),
                    g = u(g, h),
                    v = u(v, f);
                return (i(d) + i(p) + i(g) + i(v))[$_DFAo(192)]();
            }
    

    4、最后调用结果

    极验无感结果获取

    具体服务化代码就不开源啦。

    最后

    没理解什么时候会触发fullpage.0.0.0.js,那就暂且理解为一种兜底策略吧。

    在极端情况下,极验服务无法响应,使用通过js混淆隐藏兜底逻辑,启用本地算法进行token计算也不失为一种好的设计方式。

    最后最后,维护网络安全人人有责,本文章只做技术研究,请勿使用于任何商业场景。

  • 相关阅读:
    Java在处理大数据的时候一些小技巧
    大并发处理解决方案
    数据库SQL优化大总结之 百万级数据库优化方案
    DotNet中的计时器线程计时器
    System.Threading.Timer的使用技巧
    Asp.net Mvc 请求是如何到达 MvcHandler的——UrlRoutingModule、MvcRouteHandler分析,并造个轮子
    C#-结构
    @Html.ActionLink(),@Html.Raw(),@Url.Action()等
    bootstarpt-table小结
    input[ type="file"]上传文件问题
  • 原文地址:https://www.cnblogs.com/boycelee/p/13951819.html
Copyright © 2020-2023  润新知