某盾v2滑动验证码逆向分析教学文档<\/h1>

1. 验证码概述<\/h2>

某盾v2滑动验证码是一种常见的反爬机制，通过滑块验证来区分人类用户和自动化程序。该验证码系统包含以下主要接口：<\/p>

图片接口<\/strong>：获取验证码图片（背景图和滑块图）<\/li>

验证接口<\/strong>：提交滑块位置进行验证<\/li> <\/ul>
两个接口实际上是同一个接口，只是请求参数不同。<\/p>
2. 关键参数分析<\/h2>
验证码涉及9个关键参数(P1-P9)，下面详细分析每个参数的生成方式：<\/p>
2.1 P1参数生成<\/h3>
p1<\/span> =<\/span> oQO0Q0<\/span> <\/span><\/span><\/code><\/pre> oOoQQ0<\/code>为固定值："b37uCyfyme4S7TF\/MVDRqSRxP4CB2BjsnDxr4bSxz0vSL\/~hXNGID9Tr7vzaBm~F"<\/code><\/li> window._fmOpt.token<\/code>：由window._fmOpt.partner<\/code>、时间戳和随机数拼接而成<\/li> window._fmOpt.partner<\/code>和window._fmOpt.appName<\/code>：不同网站的标识<\/li> oO0QQo.mfaId<\/code>：通常为undefined，可忽略<\/li> <\/ul> 2.2 P2参数生成<\/h3> p2<\/span> =<\/span> OoOQ0O<\/span> <\/span><\/span><\/code><\/pre> 由QQoooQ.blackBox<\/code> + ^^1^^1^^1<\/code>生成（图片接口）<\/li> 验证接口时使用^^3^^1^^1<\/code>代替^^1^^1^^1<\/code><\/li> <\/ul> 2.3 P3参数生成<\/h3> p3<\/span> =<\/span> oQOoO0<\/span>(ooQQ0Q<\/span>, QQQOQO<\/span>) <\/span><\/span><\/code><\/pre> ooQQ0Q<\/code> = QOOO0O(p1 + p2) + QOOO0O(oOOoQO)<\/code> oOOoQO<\/code>：由固定值161155<\/code>拼接时间戳构成，如"161155^^|^^|^^1739762660066"<\/code><\/li> QOOO0O<\/code>函数：标准MD5哈希算法<\/li> <\/ul> <\/li> QQQOQO<\/code>： var<\/span> OOOQOQ<\/span> =<\/span> window._fmOpt<\/span>.token<\/span>.split<\/span>('-'<\/span>); <\/span><\/span>var<\/span> QoQQo0<\/span> =<\/span> OOOQOQ<\/span>[OOOQOQ<\/span>.length<\/span> -<\/span> 2<\/span>] +<\/span> OOOQOQ<\/span>[OOOQOQ<\/span>.length<\/span> -<\/span> 1<\/span>]; <\/span><\/span>var<\/span> QQQOQO<\/span> =<\/span> QQ00QO<\/span>('stq67pv9'<\/span>) +<\/span> QoQQo0<\/span>.substring<\/span>(10<\/span>, 18<\/span>); <\/span><\/span><\/code><\/pre> QQ00QO('stq67pv9')<\/code>生成固定值rsp67ou9<\/code><\/li> <\/ul> <\/li> oQOoO0<\/code>：AES加密函数，参数： IV：Moa14C2uXpe8AUJ5<\/code><\/li> 需要字符替换处理（q↔p，I↔J）<\/li> <\/ul> <\/li> <\/ul> Python实现示例：<\/p> from<\/span> Crypto.Cipher import<\/span> AES <\/span><\/span>import<\/span> base64 <\/span><\/span> <\/span><\/span>def<\/span> swap_characters<\/span>(input_str): <\/span><\/span> return<\/span> input_str.<\/span>replace('q'<\/span>, 'tem1'<\/span>).<\/span>replace('p'<\/span>, 'q'<\/span>).<\/span>replace('tem1'<\/span>, 'p'<\/span>).<\/span>replace('I'<\/span>, 'tem2'<\/span>).<\/span>replace('J'<\/span>, 'I'<\/span>).<\/span>replace('tem2'<\/span>, 'J'<\/span>) <\/span><\/span> <\/span><\/span>def<\/span> encrypt_aes_cbc<\/span>(data, key): <\/span><\/span> iv =<\/span> 'Mnz14C2tXod8AUJ5'<\/span> <\/span><\/span> block_size =<\/span> AES.<\/span>block_size <\/span><\/span> pad =<\/span> lambda<\/span> s: s +<\/span> (block_size -<\/span> len(s) %<\/span> block_size) *<\/span> chr(block_size -<\/span> len(s) %<\/span> block_size) <\/span><\/span> data =<\/span> pad(data) <\/span><\/span> cipher =<\/span> AES.<\/span>new(key.<\/span>encode('latin-1'<\/span>), AES.<\/span>MODE_CBC, iv.<\/span>encode('latin-1'<\/span>)) <\/span><\/span> encrypted =<\/span> cipher.<\/span>encrypt(data.<\/span>encode('latin-1'<\/span>)) <\/span><\/span> return<\/span> swap_characters(base64.<\/span>b64encode(encrypted).<\/span>decode('latin-1'<\/span>).<\/span>swapcase()) <\/span><\/span><\/code><\/pre>2.4 P4参数生成<\/h3> p4<\/span> =<\/span> oQOoO0<\/span>(QOo0Oo<\/span>, QQQOQO<\/span>) <\/span><\/span><\/code><\/pre> oQOoO0<\/code>：同上AES加密<\/li> QOo0Oo<\/code>：图片接口直接为"|"<\/code>（固定值）<\/li> QQQOQO<\/code>：同上<\/li> <\/ul> 2.5 P5参数生成<\/h3> p5<\/span> =<\/span> QoOO00<\/span> <\/span><\/span><\/code><\/pre> QQ00QO('xfc')<\/code>：固定值"web"<\/code><\/li> <\/ul> 2.6 P6参数生成<\/h3> p6<\/span> =<\/span> Qoo0Q0<\/span> <\/span><\/span><\/code><\/pre> QOQQO0 = o0QoQQ(8)<\/code>：取8位随机数<\/li> Qoo0Q0 = oQOoO0(QOQQO0 + window.location.href, QQQOQO)<\/code> oQOoO0<\/code>：同上AES加密<\/li> window.location.href<\/code>：当前页面URL（可写死）<\/li> QQQOQO<\/code>：同上<\/li> <\/ul> <\/li> <\/ul> 2.7 P7参数生成<\/h3> p7<\/span> =<\/span> QOQ0QQ<\/span> +<\/span> o0QoQQ<\/span>(32<\/span>) <\/span><\/span><\/code><\/pre> o0QoQQ(32)<\/code>：取32位随机数<\/li> QOQ0QQ = QOOO0O(Qoo0Q0) + QOOO0O(oOOoQO)<\/code> QOOO0O<\/code>：标准MD5加密<\/li> Qoo0Q0<\/code>：P6值<\/li> oOOoQO<\/code>：同上<\/li> <\/ul> <\/li> <\/ul> 2.8 P8参数生成<\/h3> p8<\/span> =<\/span> QOQQO0<\/span> <\/span><\/span><\/code><\/pre> QOQQO0 = o0QoQQ(8)<\/code>：取8位随机数（与P6生成中的一致）<\/li> <\/ul> 2.9 P9参数生成<\/h3> p9<\/span> =<\/span> oOOoQO<\/span> <\/span><\/span><\/code><\/pre> oOOoQO = oQOoO0(oOOoQO, QQQOQO)<\/code> oQOoO0<\/code>：同上AES加密<\/li> oOOoQO<\/code>：同上<\/li> QQQOQO<\/code>：同上<\/li> <\/ul> <\/li> <\/ul> 3. 图片还原算法<\/h2> 获取的验证码大图是乱序的，需要根据bgImageSplitSequence<\/code>参数还原：<\/p> 将图片上下平均分割成2层，每层水平分割成8张小图，共16张小图<\/li> 根据bgImageSplitSequence<\/code>参数计算新的顺序<\/li> 重新排序拼接<\/li> <\/ol> Python实现：<\/p> from<\/span> io import<\/span> BytesIO <\/span><\/span>from<\/span> PIL import<\/span> Image <\/span><\/span> <\/span><\/span>def<\/span> reconstruct_image<\/span>(segment_sequence, image_binary): <\/span><\/span> # 加载图像<\/span> <\/span><\/span> img_io =<\/span> BytesIO(image_binary) <\/span><\/span> original_img =<\/span> Image.<\/span>open(img_io) <\/span><\/span> <\/span><\/span> # 定义图像尺寸和分割参数<\/span> <\/span><\/span> img_width, img_height =<\/span> 320<\/span>, 180<\/span> <\/span><\/span> segment_width, segment_height =<\/span> img_width \/\/<\/span> 8<\/span>, img_height \/\/<\/span> 2<\/span> <\/span><\/span> <\/span><\/span> # 拆分图像<\/span> <\/span><\/span> image_layers =<\/span> [[None<\/span>]*<\/span>8<\/span> for<\/span> _ in<\/span> range(2<\/span>)] <\/span><\/span> for<\/span> layer in<\/span> range(2<\/span>): <\/span><\/span> y_start =<\/span> layer *<\/span> segment_height <\/span><\/span> for<\/span> i in<\/span> range(8<\/span>): <\/span><\/span> x_start =<\/span> i *<\/span> segment_width <\/span><\/span> crop_box =<\/span> (x_start, y_start, x_start +<\/span> segment_width, y_start +<\/span> segment_height) <\/span><\/span> image_layers[layer][i] =<\/span> original_img.<\/span>crop(crop_box) <\/span><\/span> <\/span><\/span> # 创建新图像<\/span> <\/span><\/span> new_image =<\/span> Image.<\/span>new('RGB'<\/span>, (img_width, img_height)) <\/span><\/span> new_image_layers =<\/span> [[None<\/span>]*<\/span>8<\/span> for<\/span> _ in<\/span> range(2<\/span>)] <\/span><\/span> <\/span><\/span> # 重新排序<\/span> <\/span><\/span> for<\/span> index, hex_value in<\/span> enumerate(segment_sequence): <\/span><\/span> position =<\/span> int(hex_value, 16<\/span>) <\/span><\/span> layer, segment =<\/span> divmod(position, 8<\/span>) <\/span><\/span> original_layer =<\/span> 1<\/span> if<\/span> index >=<\/span> 8<\/span> else<\/span> 0<\/span> <\/span><\/span> new_image_layers[layer][segment] =<\/span> image_layers[original_layer][index %<\/span> 8<\/span>] <\/span><\/span> <\/span><\/span> # 拼接图像<\/span> <\/span><\/span> for<\/span> layer in<\/span> range(2<\/span>): <\/span><\/span> for<\/span> i in<\/span> range(8<\/span>): <\/span><\/span> new_image.<\/span>paste(new_image_layers[layer][i], (segment_width *<\/span> i, segment_height *<\/span> layer)) <\/span><\/span> <\/span><\/span> # 转换为二进制数据<\/span> <\/span><\/span> img_byte_arr =<\/span> BytesIO() <\/span><\/span> new_image.<\/span>save(img_byte_arr, format=<\/span>'PNG'<\/span>) <\/span><\/span> return<\/span> img_byte_arr.<\/span>getvalue() <\/span><\/span><\/code><\/pre>4. 滑块识别算法<\/h2> 使用OpenCV进行模板匹配识别滑块位置：<\/p> Python实现：<\/p> import<\/span> cv2 <\/span><\/span>import<\/span> numpy as<\/span> np <\/span><\/span> <\/span><\/span>def<\/span> bytes_to_cv2<\/span>(img): <\/span><\/span> # 将二进制数据转换为OpenCV图像<\/span> <\/span><\/span> img_buffer_np =<\/span> np.<\/span>frombuffer(img, dtype=<\/span>np.<\/span>uint8) <\/span><\/span> img_np =<\/span> cv2.<\/span>imdecode(img_buffer_np, cv2.<\/span>IMREAD_COLOR) <\/span><\/span> return<\/span> img_np <\/span><\/span> <\/span><\/span>def<\/span> get_distance<\/span>(bg, tp, save_path=<\/span>None<\/span>): <\/span><\/span> # 将二进制数据转换为OpenCV图像<\/span> <\/span><\/span> bg_img =<\/span> bytes_to_cv2(bg) <\/span><\/span> tp_img =<\/span> bytes_to_cv2(tp) <\/span><\/span> <\/span><\/span> # 转换为灰度图并进行高斯模糊<\/span> <\/span><\/span> tp_gray =<\/span> cv2.<\/span>GaussianBlur(cv2.<\/span>cvtColor(tp_img, cv2.<\/span>COLOR_BGR2GRAY), (5<\/span>, 5<\/span>), 0<\/span>) <\/span><\/span> bg_gray =<\/span> cv2.<\/span>GaussianBlur(cv2.<\/span>cvtColor(bg_img, cv2.<\/span>COLOR_BGR2GRAY), (5<\/span>, 5<\/span>), 0<\/span>) <\/span><\/span> <\/span><\/span> # 使用Canny边缘检测<\/span> <\/span><\/span> lower_threshold =<\/span> 30<\/span> <\/span><\/span> high_threshold =<\/span> 100<\/span> <\/span><\/span> tp_edge =<\/span> cv2.<\/span>Canny(tp_gray, lower_threshold, high_threshold) <\/span><\/span> bg_edge =<\/span> cv2.<\/span>Canny(bg_gray, lower_threshold, high_threshold) <\/span><\/span> <\/span><\/span> # 使用模板匹配算法<\/span> <\/span><\/span> result =<\/span> cv2.<\/span>matchTemplate(bg_edge, tp_edge, cv2.<\/span>TM_CCORR_NORMED) <\/span><\/span> _, _, _, max_loc =<\/span> cv2.<\/span>minMaxLoc(result) <\/span><\/span> <\/span><\/span> # 寻找滑块图像的轮廓<\/span> <\/span><\/span> contours, _ =<\/span> cv2.<\/span>findContours(tp_edge, cv2.<\/span>RETR_EXTERNAL, cv2.<\/span>CHAIN_APPROX_SIMPLE) <\/span><\/span> if<\/span> contours: <\/span><\/span> # 选择面积最大的轮廓<\/span> <\/span><\/span> contour =<\/span> max(contours, key=<\/span>cv2.<\/span>contourArea) <\/span><\/span> x, y, width, height =<\/span> cv2.<\/span>boundingRect(contour) <\/span><\/span> <\/span><\/span> # 在背景图上绘制矩形标记滑块缺口位置<\/span> <\/span><\/span> cv2.<\/span>rectangle(bg_img, (max_loc[0<\/span>] +<\/span> x, max_loc[1<\/span>] +<\/span> y), <\/span><\/span> (max_loc[0<\/span>] +<\/span> x +<\/span> width, max_loc[1<\/span>] +<\/span> y +<\/span> height), (0<\/span>, 255<\/span>, 0<\/span>), 2<\/span>) <\/span><\/span> <\/span><\/span> # 保存标记后的图片<\/span> <\/span><\/span> if<\/span> save_path: <\/span><\/span> cv2.<\/span>imwrite(save_path, bg_img) <\/span><\/span> <\/span><\/span> return<\/span> {'x'<\/span>: max_loc[0<\/span>] +<\/span> x, 'y'<\/span>: max_loc[1<\/span>] +<\/span> y} <\/span><\/span> else<\/span>: <\/span><\/span> return<\/span> None<\/span> <\/span><\/span><\/code><\/pre>5. 验证接口特殊处理<\/h2> 验证接口的P1-P9参数生成与图片接口大部分相同，主要区别在于：<\/p> P2参数<\/strong>：使用^^3^^1^^1<\/code>代替^^1^^1^^1<\/code><\/li> P3参数<\/strong>：加密的明文多了： validateCodeObj<\/code>：图片接口返回的对象<\/li> userAnswer<\/code>： userAnswer<\/span> =<\/span> Math.round<\/span>(QoO0Oo<\/span> \/<\/span> Oo0OOo<\/span>) +<\/span> QQ00QO<\/span>('|10|'<\/span>) +<\/span> new<\/span> Date().getTime<\/span>() <\/span><\/span><\/code><\/pre> Math.round(QoO0Oq \/ Oo0OOo)<\/code>：滑块识别的距离<\/li> QQ00QO('|10|')<\/code>：固定值"|10|"<\/code><\/li> <\/ul> <\/li> <\/ul> <\/li> P4参数<\/strong>：加密的明文多了mouseInfo<\/code>轨迹信息（可写死）<\/li> <\/ol> 6. 验证结果处理<\/h2> 验证接口返回结果：<\/p> 失败：needValidateCode: true<\/code>，返回图片接口信息<\/li> 成功：needValidateCode: false<\/code>，返回validateToken<\/code><\/li> <\/ul> 7. 总结<\/h2> 逆向某盾v2滑动验证码的关键点：<\/p> 理解P1-P9参数的生成逻辑，特别是AES加密部分<\/li> 掌握图片还原算法，正确处理bgImageSplitSequence<\/code><\/li> 使用OpenCV准确识别滑块位置<\/li> 验证接口与图片接口的参数差异处理<\/li> 轨迹模拟需要合理生成<\/li> <\/ol> 以上内容完整覆盖了某盾v2滑动验证码的逆向分析过程，包含了所有关键技术和实现细节。<\/p>

某盾v2滑动验证码逆向分析教学文档<\/h1>

2. 关键参数分析<\/h2> 验证码涉及9个关键参数(P1-P9)，下面详细分析每个参数的生成方式：<\/p>

2. 关键参数分析<\/h2>
验证码涉及9个关键参数(P1-P9)，下面详细分析每个参数的生成方式：<\/p>