破解滑动验证码最新版本（97%左右通过率）

一、简述：

       最近无聊想搞一下极验的滑块验证码破解这块，发现破解js代码耗时又耗力出现版本更新可能以前的所有努力都要推翻重做，不够通用性，最后还是选用selenium + PIL 来实现滑块验证码的破解。
       期间也翻阅过很多文章,大多都已经失效，并且缺口位置查找和模拟滑动轨迹成功率很低，很难应用到实际开发项目中，本次是针对最新版本的极验滑块验证码进行破解。

二、项目环境

大致需要用到以下模块各位看观请提前准备好:
python3.6、selenium、numpy、PIL、chromedriver

三、分析步骤以及代码编写

1.首先分析目标网站（本次主要以geetest官网滑块demo为参考）   

　　网站大致长这个样子，首先f12打开 开发者工具选择Elements查看节点，发现最新版本的滑块图片是使用画布来进行呈现的，期间查阅大量文档，使用如下代码获得画布中的图片数据，获　　取到的图片是base64进行编码的

document.getElementsByClassName("geetest_canvas_bg geetest_absolute")[0].toDataURL("image/png")

2.通过分析发现这两个画布放的是所需要的背景图和缺口图（其实一眼就看出来的）

3. 接下来就是代码的编写了

　　3.1 首先是获得背景图和缺口图的数据

   def get_images(self):
        """
        获取验证码图片
        :return: 图片的location信息
        """
        time.sleep(1)
        self.browser.web_driver_wait_ruishu(10, "class", 'geetest_canvas_slice')
        fullgb = self.browser.execute_js('document.getElementsByClassName("geetest_canvas_bg geetest_'
                                             'absolute")[0].toDataURL("image/png")')["value"]

        bg = self.browser.execute_js('document.getElementsByClassName("geetest_canvas_fullbg geetest_fade'
                                         ' geetest_absolute")[0].toDataURL("image/png")')["value"]
        return bg, fullgb

　　3.2 对数据进行解码操作并保存图片

    def get_decode_image(self, filename, location_list):
        """
        解码base64数据
        """
        _, img = location_list.split(",")
        img = base64.decodebytes(img.encode())
        new_im: image.Image = image.open(BytesIO(img))

        return new_im

　　3.3 接下来就是计算缺口位置了(这里使用的PIL中计算两张图片的差值获得缺口位置)

    def compute_gap(self, img1, img2):
        """计算缺口偏移 这种方式成功率很高"""
        # 将图片修改为RGB模式
        img1 = img1.convert("RGB")
        img2 = img2.convert("RGB")

        # 计算差值
        diff = ImageChops.difference(img1, img2)

        # 灰度图
        diff = diff.convert("L")

        # 二值化
        diff = diff.point(self.table, '1')

        left = 43
        # 这里做了优化为减少误差 纵坐标的像素点大于5时才认为是找到
        # 防止缺口有凸起时有误差
        for w in range(left, diff.size[0]):
            lis = []
            for h in range(diff.size[1]):
                if diff.load()[w, h] == 1:
                    lis.append(w)
                if len(lis) > 5:
                    return w

　　3.4 当滑块的缺口位置找到以后就需要生成滑动轨迹(其中加20是保证在滑动时先超过缺口位置然后在慢慢还原到正确位置)

def ease_out_quart(self, x):
        return 1 - pow(1 - x, 4)

    def get_tracks_2(self, distance, seconds, ease_func):
        """
        根据轨迹离散分布生成的数学 生成  # 参考文档  https://www.jianshu.com/p/3f968958af5a
        成功率很高 90% 往上
        :param distance: 缺口位置
        :param seconds:  时间
        :param ease_func: 生成函数
        :return: 轨迹数组
        """
        distance += 20
        tracks = [0]
        offsets = [0]
        for t in np.arange(0.0, seconds, 0.1):
            ease = ease_func
            offset = round(ease(t / seconds) * distance)
            tracks.append(offset - offsets[-1])
            offsets.append(offset)
        tracks.extend([-3, -2, -3, -2, -2, -2, -2, -1, -0, -1, -1, -1])
        return tracks

　　3.5 最后也就是滑动滑块到缺口位置

   def move_to_gap(self, track):
       """移动滑块到缺口处"""
       slider = self.wait.until(EC.presence_of_element_located((By.CLASS_NAME, 'geetest_slider_button')))
       ActionChains(self.browser).click_and_hold(slider).perform()

       while track:
           x = track.pop(0)
           ActionChains(self.browser).move_by_offset(xoffset=x, yoffset=0).perform()
           time.sleep(0.02)

       ActionChains(self.browser).release().perform()

贴出完整代码(注意selenium有些方法会被极验检测到所以使用js命令直接运行的方式来达到效果)

crack.py

# -*-coding:utf-8 -*-
import base64
import time
import functools
import numpy as np

from tools.selenium_spider import SeleniumSpider

from selenium.webdriver import ActionChains
from selenium.webdriver.support import expected_conditions as EC
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.common.by import By
import PIL.Image as image
from PIL import ImageChops, PngImagePlugin
from io import BytesIO


class Crack(object):
    """
    解决三代极验滑块验证码
    """
    def __init__(self):
        self.url = 'https://www.geetest.com'
        self.browser = SeleniumSpider(path="/personalwork/personal_tools_project/adbtools/chromedriver", max_window=True)
        self.wait = WebDriverWait(self.browser, 100)
        self.BORDER = 8
        self.table = []

        for i in range(256):
            if i < 50:
                self.table.append(0)
            else:
                self.table.append(1)

    def open(self):
        """
        打开浏览器,并输入查询内容
        """
        self.browser.get(self.url)
        self.browser.get(self.url + "/Sensebot/")
        self.browser.web_driver_wait_ruishu(10, "class", 'experience--area')
        time.sleep(1)
        self.browser.execute_js('document.getElementsByClassName("experience--area")[0].getElementsByTagName("div")'
                                '[2].getElementsByTagName("ul")[0].getElementsByTagName("li")[1].click()')

        time.sleep(1)
        self.browser.web_driver_wait_ruishu(10, "class", 'geetest_radar_tip')

        self.browser.execute_js('document.getElementsByClassName("geetest_radar_tip")[0].click()')

    def check_status(self):
        """
        检测是否需要滑块验证码
        :return:
        """
        self.browser.web_driver_wait_ruishu(10, "class", 'geetest_success_radar_tip_content')
        try:
            time.sleep(0.5)
            message = self.browser.find_element_by_class_name("geetest_success_radar_tip_content").text
            if message == "验证成功":
                return False
            else:
                return True
        except Exception as e:
            return True

    def get_images(self):
        """
        获取验证码图片
        :return: 图片的location信息
        """
        time.sleep(1)
        self.browser.web_driver_wait_ruishu(10, "class", 'geetest_canvas_slice')
        fullgb = self.browser.execute_js('document.getElementsByClassName("geetest_canvas_bg geetest_'
                                             'absolute")[0].toDataURL("image/png")')["value"]

        bg = self.browser.execute_js('document.getElementsByClassName("geetest_canvas_fullbg geetest_fade'
                                         ' geetest_absolute")[0].toDataURL("image/png")')["value"]
        return bg, fullgb

    def get_decode_image(self, filename, location_list):
        """
        解码base64数据
        """
        _, img = location_list.split(",")
        img = base64.decodebytes(img.encode())
        new_im: PngImagePlugin.PngImageFile = image.open(BytesIO(img))
        # new_im.convert("RGB")
        # new_im.save(filename)

        return new_im

    def compute_gap(self, img1, img2):
        """计算缺口偏移 这种方式成功率很高"""
        # 将图片修改为RGB模式
        img1 = img1.convert("RGB")
        img2 = img2.convert("RGB")

        # 计算差值
        diff = ImageChops.difference(img1, img2)

        # 灰度图
        diff = diff.convert("L")

        # 二值化
        diff = diff.point(self.table, '1')

        left = 43

        for w in range(left, diff.size[0]):
            lis = []
            for h in range(diff.size[1]):
                if diff.load()[w, h] == 1:
                    lis.append(w)
                if len(lis) > 5:
                    return w

    def ease_out_quad(self, x):
        return 1 - (1 - x) * (1 - x)

    def ease_out_quart(self, x):
        return 1 - pow(1 - x, 4)

    def ease_out_expo(self, x):
        if x == 1:
            return 1
        else:
            return 1 - pow(2, -10 * x)

    def get_tracks_2(self, distance, seconds, ease_func):
        """
        根据轨迹离散分布生成的数学 生成  # 参考文档  https://www.jianshu.com/p/3f968958af5a
        成功率很高 90% 往上
        :param distance: 缺口位置
        :param seconds:  时间
        :param ease_func: 生成函数
        :return: 轨迹数组
        """
        distance += 20
        tracks = [0]
        offsets = [0]
        for t in np.arange(0.0, seconds, 0.1):
            ease = ease_func
            offset = round(ease(t / seconds) * distance)
            tracks.append(offset - offsets[-1])
            offsets.append(offset)
        tracks.extend([-3, -2, -3, -2, -2, -2, -2, -1, -0, -1, -1, -1])
        return tracks

    def get_track(self, distance):
        """
        根据物理学生成方式   极验不能用 成功率基本为0
        :param distance: 偏移量
        :return: 移动轨迹
        """
        distance += 20
        # 移动轨迹
        track = []
        # 当前位移
        current = 0
        # 减速阈值
        mid = distance * 3 / 5
        # 计算间隔
        t = 0.5
        # 初速度
        v = 0

        while current < distance:
            if current < mid:
                # 加速度为正2
                a = 2
            else:
                # 加速度为负3
                a = -3
            # 初速度v0
            v0 = v
            # 当前速度v = v0 + at
            v = v0 + a * t
            # 移动距离x = v0t + 1/2 * a * t^2
            move = v0 * t + 0.5 * a * (t ** 2)
            # 当前位移
            current += move
            # 加入轨迹
            track.append(round(move))
        track.extend([-3, -3, -2, -2, -2, -2, -2, -1, -1, -1, -1])
        return track

    def move_to_gap(self, track):
        """移动滑块到缺口处"""
        slider = self.wait.until(EC.presence_of_element_located((By.CLASS_NAME, 'geetest_slider_button')))
        ActionChains(self.browser).click_and_hold(slider).perform()

        while track:
            x = track.pop(0)
            ActionChains(self.browser).move_by_offset(xoffset=x, yoffset=0).perform()
            time.sleep(0.02)

        ActionChains(self.browser).release().perform()

    def crack(self, n):
        # 打开浏览器
        self.open()

        if self.check_status():
            # 保存的图片名字
            bg_filename = 'bg.png'
            fullbg_filename = 'fullbg.png'

            # 获取图片
            bg_location_base64, fullbg_location_64 = self.get_images()

            # 根据位置对图片进行合并还原
            bg_img = self.get_decode_image(bg_filename, bg_location_base64)
            fullbg_img = self.get_decode_image(fullbg_filename, fullbg_location_64)
            # 获取缺口位置
            gap = self.compute_gap(fullbg_img, bg_img)
            print('缺口位置', gap)

            track = self.get_tracks_2(gap - self.BORDER, 1, self.ease_out_quart)
            print("滑动轨迹", track)
            print("滑动距离", functools.reduce(lambda x, y: x+y, track))
            self.move_to_gap(track)

            time.sleep(1)
            if not self.check_status():
                print('验证成功')
                return True
            else:
                print('验证失败')
                # 保存图片方便调试
                bg_img.save(f"bg_img{n}.png")
                fullbg_img.save(f"fullbg{n}.png")
                return False

        else:
            print("验证成功")
            return True


if __name__ == '__main__':
    print('开始验证')
    crack = Crack()
    # crack.crack(0)
    count = 0
    for i in range(200):
        if crack.crack(i):
            count += 1
    print(f"成功率：{count / 200 * 100}%")

selenium_spider.py

#!/usr/local/bin/python
# coding:utf-8

"""
@author: Liubing
@software: PyCharm
@file: selenium_spider.py
@time: 2019-03-11 13:46
@describe: 基于selenium版本进一步封装 只针对于谷歌浏览器 其他浏览器需要自己封装
"""
import json
import time as time_

from lxml import etree
from selenium.webdriver.support.wait import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
from selenium.webdriver.chrome.webdriver import WebDriver
from selenium.webdriver.chrome.options import Options


class SeleniumSpider(WebDriver):
   """基于selenium进一步封装"""

   def __init__(self, path, params=None, max_window=False, *args, **kwargs):
       """
       初始化
       :param path: str selenium驱动路径
       :param params: list driver 附加参数
       :param args: tuple
       :param kwargs:
       """
       self.__path = path
       self.__params = params
       # 初始化
       self.__options = Options()
       self.__options.add_argument('--dns-prefetch-disable')
       self.__options.add_argument('--disable-gpu')  # 谷歌文档提到需要加上这个属性来规避bug
       self.__options.add_argument('disable-infobars')  # 隐藏"Chrome正在受到自动软件的控制"
       # self.__options.add_argument('--headless')
       self.is_maximize_window = max_window  # 是否开启全屏模式

       # 过检测 具体参考文档: https://juejin.im/post/5c62b6d5f265da2dab17ae3c
       self.__options.add_experimental_option('excludeSwitches', ['enable-automation'])

       if params:
           for i in params:
               self.__options.add_argument(i)
       super(SeleniumSpider, self).__init__(executable_path=self.__path, options=self.__options, *args, **kwargs) 56        if self.is_maximize_window:
           self.maximize_window()

       # 规则部分
       self.ID = "id"
       self.XPATH = "xpath"
       self.LINK_TEXT = "link text"
       self.PARTIAL_LINK_TEXT = "partial link text"
       self.NAME = "name"
       self.TAG_NAME = "tag name"
       self.CLASS_NAME = "class name"
       self.CSS_SELECTOR = "css selector"

   def cookies_dict_to_selenium_cookies(self, cookies: dict, domain):
       """
       requests cookies 转换到 selenium cookies
       :param cookies: requests cookies
       :return: selenium 支持的cookies
       """
       temp_cookies = []
       for key, value in cookies.items():
           # requests 有bug 域区分的不是很清楚 手动区分 只限全国电信接口能用
           temp_cookies.append({"name": key, "value": value, "domain": domain})
       return temp_cookies

   def get(self, url: str, cookies=None, domain=None):
       """
       请求数据
       :param url: 待请求的url
       :param cookies: 添加cookies cookies 格式 [{"name": key, "value": value, "domain": domain},...]
       :param domain: cookie作用域
       :return:
       """
       super().get(url)
       if cookies:
           # 执行
           if type(cookies) == list:
               for cookie in cookies:
                   if "name" in cookie.keys() and "value" in cookie.keys() and "domain" in cookie.keys():
                       self.add_cookie(cookie)
                   else:
                       raise TypeError('cookies错误请传入正确格式[{"name": key, "value": value, "domain": domain},...'
                                       '] 或者{key: vale,...}')
           elif type(cookies) == dict:
               if domain:
                   for i in self.cookies_dict_to_selenium_cookies(cookies, domain):
                       self.add_cookie(i)
               else:
                   raise ValueError("{key:vale}格式必须传入doamin参数")
           # 刷新页面
           self.refresh()

   def web_driver_wait(self, time: int, rule: str, num: str):
       """
       页面等待  瑞数产品弃用这种方法 不然会400错误
       :param time: 等待时间
       :param rule: 规则 [id, xpath, link text, partial link text, name, tag name, class name, css selector]
       :param num: 根据元素id
       :return:
       """
       WebDriverWait(self, time, 0.5).until(
           EC.presence_of_element_located((rule, num)))

   def web_driver_wait_ruishu(self, time: int, rule: str, num: str):
       """
       笨方法 遍历页面匹配
       :param time: 等待时间
       :param rule: 规则 [id, class]
       :param num: 根据元素id
       :return:
       """
       while time:
           response = self.execute_js("document.documentElement.outerHTML")
           try:
               html = etree.HTML(text=response["value"])
               inp = html.xpath("//*[contains(@%s, '%s')]" % (rule, num))
               if inp:
                   break
           except Exception as e:
               continue
           time_.sleep(1)
           time -= 1
       if not time:
           raise Exception("未找到 %s" % num)

   def execute_chrome_protocol_js(self, protocol, params: dict):
       """
       Chrome DevTools 协议操作 具体协议请参考 https://chromedevtools.github.io/devtools-protocol/
       :param protocol: str 协议名称
       :param params: dict 参数
       :return:
       """
       resource = "/session/%s/chromium/send_command_and_get_result" % self.session_id
       command_executor = self.command_executor
       url = command_executor._url + resource
       body = json.dumps({'cmd': protocol, 'params': params})
       response = command_executor._request('POST', url, body)
       if response['status']:
           return response
       return response["value"]

   def execute_js(self, js):
       """
       执行js  过瑞数检测
       :param js: str 待执行的js
       :return:  {"type": "xxx", value: "xxx"}
       """
       response = self.executor_chrome_protocol_js('Runtime.evaluate', js)
       if response['status']:
           return response
       return response["value"]["result"]

问题：对于windows下滑动卡顿导致不成功问题解决办法

修改源码文件 site-packagesseleniumwebdrivercommonactionspointer_input.py

将默认250改为30或者其他值就可以（不能太快）

最后以极验官网demo为例进行了200次的测试，准确率高达了99%。