statement
All content in this article is only for learning and communication, not for any other purpose, does not provide complete code, packet capture content, sensitive URLs, data interfaces, etc. have been desensitized, strictly prohibited for commercial use and illegal use, otherwise all consequences arising therefrom have nothing to do with the author!
This article is prohibited from being reprinted without permission, prohibiting any secondary dissemination after modification, and any accident caused by the unauthorized use of the technology explained in this article, the author is not responsible, if there is infringement, please contact the author in the public account [K brother crawler] to delete immediately!
Reverse targeting
- Target: Verification code of a certain degree slider, click verification code, rotation verification code, v1, v2 reverse analysis
- v1 Spin Captcha:
aHR0cHM6Ly93YXBwYXNzLmJhaWR1LmNvbS9zdGF0aWMvY2FwdGNoYS90dXhpbmcuaHRtbD9haz0zM2M0ODg4NGI3ZGY4M2Q0MjMwZTA3Y2JjZDBkMDdmZCZiYWNrdXJsPWh0dHBzJTNBJTJGJTJGYWlxaWNoYS5iYWlkdS5jb20mdGltZXN0YW1wPTE2MzE0MzQ0MjUmc2lnbmF0dXJlPWM2ODRhODJiNzk4MjAyOTg3NWJmZDhlMGE2NjBiNzdm - v2 Spin Captcha:
aHR0cHM6Ly93YXBwYXNzLmJhaWR1LmNvbS9zdGF0aWMvY2FwdGNoYS90dXhpbmcuaHRtbD8mYWs9YzI3YmJjODlhZmNhMDQ2MzY1MGFjOWJkZTY4ZWJlMDY= - v2 slider verification code:
aHR0cHM6Ly93YXBwYXNzLmJhaWR1LmNvbS9zdGF0aWMvY2FwdGNoYS90dXhpbmcuaHRtbD8mYW1wO2FrPWMyN2JiYzg5YWZjYTA0NjM2NTBhYzliZGU2OGViZTA2 - v2 Click Captcha:
aHR0cHM6Ly93YXBwYXNzLmJhaWR1LmNvbS92Ni9nZXRQYXNz PS: v1, v2 are the version numbers named by the author himself for distinction, mainly based on the fact that the core JS file is divided into two versions, mkd.js and mkd_v2.js, as shown in the following figure:
In addition, there are also differences in the interface, the V2 version of the rotation, slider pictures have obvious shadows, line interference, as shown in the following figure:
In the address given above, the address of clicking the verification code is sometimes clicked, sometimes it becomes rotational, it is estimated that it is caused by different abnormal levels, in addition, there is a rumor that there is a kind of non-sensory verification, but the author looked everywhere and did not find an address, the estimated logic is similar, and the non-sensory verification is shown in the figure below:
Packet capture analysis
The following takes the v1 rotation verification code as an example (the v2 interface name is different, but the logic is the same), the first viewlog interface, the requested AK is a fixed value, of course, different websites are different in different scenarios, callback callback value, _ timestamp, return value as, tk are all used later.
Then there is a getstyle interface, where tk is returned by the previous viewlog interface, and the return value will be used in the backstr subsequent parameter encryption, img is the rotating image address, info is some copyright information.
Rotate the verification code to start verification, at this time the viewlog interface appears for the second time, the as and tk parameters are returned by the first viewlog, the fs parameter needs us to reverse, including the rotation angle and other information, if the rotation angle is correct and the parameters are okay, the op in the return value is 1, and the returned ds and tk will be used later.
After the previous step of verification, it does not mean that the verification has passed, and there will be a viewlog/c interface that needs to be further verified, where the tk, ds parameters are returned in the previous step, if the verification fails, the return value code is 1, and the verification is successful, the code is 0.
Reverse analysis FS
Next, analyze the main encryption parameter fs, followed by the stack-to-mkd .js:
You can see that o is fs, and o is obtained by r.rzData after encryption, and the output is r.rzData, the structure is shown in the following figure:
Important parameters:
- ac_c: At a glance, you can know that it is related to the angle of rotation;
- backstr: returned by the getstyle interface;
- cl: x,y coordinates and timestamp, measure it to know that this coordinate is the coordinate when the mouse clicks the slider button below;
- MV: mouse track, the coordinate and timestamp will be recorded with a mouse movement;
- cr: screen length, width and height and other information;
- All other values are null or 0.
In the actual test, CL and MV are not verified, write dead or empty, of course, if you want to fake it yourself, you can measure the position of the sliding button on the screen, CL is randomly generated according to this position. Focus on the ac_c, and you can locate it by searching directly:
You can see that this value is calculated as parseFloat(o/a).toFixed(2), a is the fixed value of 212, which is actually the maximum length that the slider can slide, o is the distance of the slide, if we identify the rotation angle angle, then ac_c is calculated as follows:
var o = angle * 212 / 360
var ac_c = parseFloat(o / 212).toFixed(2)
// 也可以直接写成:
var ac_c = parseFloat(angle / 360).toFixed(2) After r.rzData is done, there is only one r.encrypt() method, which is directly followed by the AES algorithm we are familiar with, where iv is the as value returned by the viewlog interface plus a fixed value appsapi0, and there is no need to talk about the rest. At this point, the encryption parameters are finished, and it is still very simple.
Rotation angle recognition
Here is a recommended RotNet project of a foreign big guy, which can be used to predict the rotation angle of the image to correct its direction, and based on this project, Nanda big guy's RotateCaptchaBreak, another big guy's rotate-captcha-crack, etc., the link is as follows:
- https://github.com/d4nst/RotNet
- https://github.com/chencchen/RotateCaptchaBreak
- https://github.com/Starry-OvO/rotate-captcha-crack
Deep learning bosses can be further trained based on these projects, like me, who don't know anything about this aspect is of course to choose the coding platform, cloud code coding is not bad, but the official website only released the v1 version without shadow interference, find their customer service can get the v2 version has a shadow interference type, here is not much to say, so as not to be considered advertising hahaha.
v2 version analysis
The v2 version and the v1 version are basically the same, the difference is that the structure of rzData is not the same, the calculation method of ac_c is different, and the IV of AES is different, first look at the IV of AES, the v2 version is as value plus fixed value appsapi2:
Then look at rzData, the common field is basically the format of rzData of v1, under captchalist, there are at least spin-0 (rotation), 'puzzle-0 (slider), click-0 (click), ac_c is still the proportion of rotation angle, sliding proportion and click coordinate information, the rest is still written dead or empty.
Then there is the calculation method of ac_c, first rotate the captcha and search directly for ac_c:
Further up the stack, there is a percent, a trichocular expression, e is a fixed value of 290, e - 52 = 238,238 is the maximum length that the slider can slide:
If we identify the angle of rotation, then the ac_c is calculated as follows:
var distance = angle * 238 / 360
var ac_c = Number((distance / (290 - 52)).toFixed(2))
// 也可以直接写成:
var ac_c = Number((angle / 360).toFixed(2)) And for the slider captcha is different, the same is the trinocular expression of this place, but to follow the logic:
If we identify the sliding distance distance, the slider ac_c is calculated as follows:
var ac_c = Number((distance / 290).toFixed(2)) Also for click verification codes, the value of ac_c is the xy coordinate of the click and the timestamp:
Other issues
Earlier we said that Baidu's verification should have twice, for the second verification, that is, V1's Viewlog/C interface, V2's CAP/C interface, even if you pass the first verification, this C interface verification may not pass, the reason for this situation is that the time to pass is too short, random time.sleep 1-3 seconds, if the time is too short, the C interface may report the following verification error:
{'code': 1, 'isRectified': False, 'msg': 'Verification Failed'} There is also a situation that prompts that there is a security risk, please verify again, in this case you will find that it is the same to go to the browser to manually slide, so add a logic of re-verification locally, generally speaking, the second verification can pass.
{'code': 0, 'msg': 'success', 'data': {'f': {'feedback': 'https://www.baidu.com/passport/ufosubmit.html', 'reason': '存在安全风险,请再次验证'}}} Then there is no Referer in the request header or if Referer is incorrect, an error will be reported:
// v1 没有 Referer
{'code': 1, 'msg': 'Unregistered Host'}
// v1 Referer 不正确
{'code': 1, 'msg': 'Invalid Request', 'data': []}
// v2 没有 Referer 或者 Referer 不正确
{'code': 100600, 'msg': 'Unauthorized Host'} There is also a tip, if you want to verify for yourself whether the angle of rotation is correct, how to measure this angle? We can use some graphics software, such as the Meitu App, to create a new canvas, and then directly drag the captcha picture into it, you can rotate freely, and the software will automatically mark the rotation angle when rotating, as shown in the following figure:
Result validation
Crawler tool station
Brother K has newly launched a crawler tool station, welcome to test: https://www.kgtools.cn/
!!! Fan Feedback!!
In order to celebrate the original content of the K brother crawler public account exceeded 100 and the number of fans exceeded 10,000, a fan feedback activity was specially held!
Thank you Fast Agent for your strong support to this event!
Activity rules
- Pay attention to the K brother crawler public account
- Comment in the comment area of this article on the public account, and draw lucky fans by lottery
- Duplicate comments are prohibited
Event Prizes
1st Prize: Fast Agent Monthly Package + Knowledge Planet + K Brother Crawler Custom Mug (1 winner)
2nd Prize: Fast Agent Weekly Package + Knowledge Planet + K Brother Crawler Custom Mug (3 winners)
3rd Prize: K Brother Crawler Custom Mug (5 winners)
4th Prize: Cash Envelope 6.6 (10 winners)
Activity time
Event starts: July 7, 2023
Deadline: July 14, 2023
Draw time: July 17, 2023