某亭雷池WAF验证码逆向分析教学文档<\/h1>

一、目标分析<\/h2>
目标网站<\/strong>：aHR0cHM6Ly95dW5wYW4xLndhbmcv (已脱敏)<\/p>
验证码类型<\/strong>：无感验证、直滑验证<\/p>

二、环境检测绕过<\/h2>
1. 控制台检测机制<\/h3>
当打开开发者工具时，页面显示"当前环境正在被调试"，这是通过v2\/challenge.js<\/code>文件中的控制台检测实现的。<\/p>
2. 检测点定位<\/h3> 搜索关键字devtools<\/code>发现关键检测函数：<\/p> devtoolsFormatterChecker<\/code> - 控制台格式检查器<\/li> _detectLoop<\/code> - 轮询检测函数，每500ms检查一次控制台状态<\/li> <\/ul> 3. 绕过方法<\/h3> 方法一<\/strong>：注释或替换检查器<\/p> \/\/ 将检查器return f.a注释或替换 <\/span><\/span><\/span><\/code><\/pre>方法二<\/strong>：重写轮询函数<\/p> \/\/ 断点定位到_detectLoop调用处 <\/span><\/span><\/span><\/span>this<\/span>._detectLoop<\/span> =<\/span> function<\/span>() {}; \/\/ 直接置空 <\/span><\/span><\/span><\/code><\/pre>方法三<\/strong>：修改launch方法调用<\/p> 参考项目<\/strong>：https:\/\/github.com\/AEPKILL\/devtools-detector<\/p> 三、接口分析<\/h2> 1. 请求流程<\/h3> 首次请求首页，状态码468<\/li> 验证成功后，cookie携带sl-challenge-jwt<\/code>值<\/li> 成功返回数据，状态码200<\/li> <\/ol> 2. 关键接口<\/h3> issue接口<\/strong>：<\/p> client_id<\/code>：首次请求首页468响应内容中获取<\/li> <\/ul> verify接口<\/strong>：<\/p> visitorId<\/code>：访问者ID（需分析）<\/li> issue_id<\/code>：由issue接口返回<\/li> result<\/code>：加密参数（需分析）<\/li> serials<\/code>：轨迹值（无感\/直滑验证的区别点）<\/li> <\/ul> 四、参数逆向<\/h2> 1. visitorId生成<\/h3> 定位到v2\/challenge.js<\/code>文件，使用fingerprintjs v3库生成设备指纹：<\/p> const<\/span> FingerprintJS<\/span> =<\/span> require<\/span>('@fingerprintjs\/fingerprintjs'<\/span>); <\/span><\/span> <\/span><\/span>FingerprintJS<\/span>.load<\/span>().then<\/span>(fp<\/span> => { <\/span><\/span> fp<\/span>.get<\/span>().then<\/span>(result<\/span> => { <\/span><\/span> console<\/span>.log<\/span>(result<\/span>.visitorId<\/span>); <\/span><\/span> }); <\/span><\/span>}); <\/span><\/span><\/code><\/pre>替代方案<\/strong>：使用fingerprintjs2（对Node.js环境更友好）<\/p> const<\/span> Fingerprint2<\/span> =<\/span> require<\/span>('fingerprintjs2'<\/span>); <\/span><\/span> <\/span><\/span>Fingerprint2<\/span>.get<\/span>(components<\/span> => { <\/span><\/span> const<\/span> values<\/span> =<\/span> components<\/span>.map<\/span>(component<\/span> => component<\/span>.value<\/span>); <\/span><\/span> const<\/span> murmur<\/span> =<\/span> Fingerprint2<\/span>.x64hash128<\/span>(values<\/span>.join<\/span>(''<\/span>), 31<\/span>); <\/span><\/span> console<\/span>.log<\/span>(murmur<\/span>); <\/span><\/span>}); <\/span><\/span><\/code><\/pre>2. result参数加密<\/h3> 加密流程分析<\/h4> 通过XHR断点定位到result生成位置<\/li> 发现是通过e(t.data)<\/code>的返回值<\/li> 使用createObjectURL<\/code>创建临时对象链接<\/li> <\/ol> HOOK定位方法<\/h4> originalCreateObjectURL<\/span> =<\/span> URL<\/span>.createObjectURL<\/span>; <\/span><\/span>URL<\/span>.createObjectURL<\/span> =<\/span> function<\/span>(obj<\/span>) { <\/span><\/span> console<\/span>.trace<\/span>("Blob 被创建了"<\/span>, obj<\/span>); <\/span><\/span> debugger<\/span>; <\/span><\/span> return<\/span> originalCreateObjectURL<\/span>.call<\/span>(this<\/span>, obj<\/span>); <\/span><\/span>}; <\/span><\/span><\/code><\/pre>加密实现<\/h4> 使用v2\/calc.wasm<\/code>文件进行WebAssembly计算<\/li> 传入issue<\/code>接口返回的data值<\/li> 通过WASM模块处理后返回result<\/li> <\/ol> Node.js复现代码<\/strong>：<\/p> const<\/span> fs<\/span> =<\/span> require<\/span>('fs'<\/span>); <\/span><\/span> <\/span><\/span>function<\/span> get_result<\/span>(data<\/span>){ <\/span><\/span> wasm<\/span> =<\/span> fs<\/span>.readFileSync<\/span>('.\/calc.wasm'<\/span>); <\/span><\/span> e<\/span> =<\/span> { <\/span><\/span> data<\/span>:<\/span> { <\/span><\/span> "action"<\/span>:<\/span> "calc"<\/span>, <\/span><\/span> "data"<\/span>:<\/span> { <\/span><\/span> "data"<\/span>:<\/span> data<\/span>, <\/span><\/span> "issue_id"<\/span>:<\/span> ""<\/span> <\/span><\/span> }, <\/span><\/span> "wasm"<\/span>:<\/span> wasm<\/span> <\/span><\/span> } <\/span><\/span> } <\/span><\/span> var<\/span> result<\/span>; <\/span><\/span> var<\/span> flag<\/span> =<\/span> false<\/span>; <\/span><\/span> WebAssembly<\/span>.instantiate<\/span>(e<\/span>.data<\/span>.wasm<\/span>).then<\/span>(function<\/span>(t<\/span>) { <\/span><\/span> result<\/span> =<\/span> function<\/span>(e<\/span>) { <\/span><\/span> return<\/span> t<\/span>.instance<\/span>.exports<\/span>.reset<\/span>(), <\/span><\/span> e<\/span>.map<\/span>(function<\/span>(e<\/span>) { <\/span><\/span> return<\/span> t<\/span>.instance<\/span>.exports<\/span>.arg<\/span>(e<\/span>) <\/span><\/span> }), <\/span><\/span> Array(t<\/span>.instance<\/span>.exports<\/span>.calc<\/span>()).fill<\/span>(-<\/span>1<\/span>).map<\/span>(function<\/span>() { <\/span><\/span> return<\/span> t<\/span>.instance<\/span>.exports<\/span>.ret<\/span>() <\/span><\/span> }) <\/span><\/span> }(e<\/span>.data<\/span>.data<\/span>.data<\/span>); <\/span><\/span> flag<\/span> =<\/span> true<\/span>; <\/span><\/span> }).catch<\/span>(function<\/span>(e<\/span>) { <\/span><\/span> console<\/span>.log<\/span>(e<\/span>); <\/span><\/span> }) <\/span><\/span> while<\/span> (!<\/span>flag<\/span>) { <\/span><\/span> require<\/span>('deasync'<\/span>).sleep<\/span>(100<\/span>); <\/span><\/span> } <\/span><\/span> return<\/span> result<\/span>; <\/span><\/span>}; <\/span><\/span> <\/span><\/span>console<\/span>.log<\/span>(get_result<\/span>([99<\/span>, 35<\/span>, 92<\/span>, 48<\/span>, 61<\/span>, 31<\/span>, 18<\/span>, 43<\/span>, 3<\/span>, 54<\/span>, 48<\/span>, 22<\/span>, 62<\/span>, 50<\/span>])); <\/span><\/span>\/\/ 输出: [ 17, 26, 51, 20 ] <\/span><\/span><\/span><\/code><\/pre>兼容算法<\/h4> 分析发现还有一套JS算法与WASM计算结果一致：<\/p> function<\/span> f<\/span>(e<\/span>) { <\/span><\/span> for<\/span> (var<\/span> t<\/span> =<\/span> 1<\/span>, n<\/span> =<\/span> e<\/span>.reduce<\/span>(function<\/span>(e<\/span>, t<\/span>) { <\/span><\/span> return<\/span> e<\/span> +<\/span> t<\/span> <\/span><\/span> }, 0<\/span>), r<\/span> =<\/span> (6<\/span> +<\/span> e<\/span>.length<\/span> +<\/span> n<\/span>) %<\/span> 6<\/span> +<\/span> 6<\/span>; r<\/span>--<\/span>; ) <\/span><\/span> t<\/span> *=<\/span> 6<\/span>; <\/span><\/span> t<\/span> <<\/span> 6666<\/span> &&<\/span> (t<\/span> *=<\/span> e<\/span>.length<\/span>), <\/span><\/span> t<\/span> ><\/span> 0x3f940aa<\/span> &&<\/span> (t<\/span> =<\/span> Math.floor<\/span>(t<\/span> \/<\/span> e<\/span>.length<\/span>)); <\/span><\/span> for<\/span> (var<\/span> o<\/span> =<\/span> 0<\/span>; o<\/span> <<\/span> e<\/span>.length<\/span>; o<\/span>++<\/span>) <\/span><\/span> t<\/span> +=<\/span> Math.pow<\/span>(e<\/span>[o<\/span>], 3<\/span>), <\/span><\/span> t<\/span> ^=<\/span> o<\/span>, <\/span><\/span> t<\/span> ^=<\/span> e<\/span>[o<\/span>] +<\/span> o<\/span>; <\/span><\/span> for<\/span> (var<\/span> f<\/span> =<\/span> []; t<\/span> ><\/span> 0<\/span>; ) <\/span><\/span> f<\/span>.unshift<\/span>(63<\/span> &<\/span> t<\/span>), <\/span><\/span> t<\/span> >>=<\/span> 6<\/span>; <\/span><\/span> return<\/span> f<\/span> <\/span><\/span>}; <\/span><\/span> <\/span><\/span>console<\/span>.log<\/span>(f<\/span>([99<\/span>, 35<\/span>, 92<\/span>, 48<\/span>, 61<\/span>, 31<\/span>, 18<\/span>, 43<\/span>, 3<\/span>, 54<\/span>, 48<\/span>, 22<\/span>, 62<\/span>, 50<\/span>])); <\/span><\/span>\/\/ 输出: [ 17, 26, 51, 20 ] <\/span><\/span><\/span><\/code><\/pre>五、完整验证流程<\/h2> 首次请求获取client_id<\/code><\/li> 生成visitorId<\/code><\/li> 调用issue接口获取data<\/code>和issue_id<\/code><\/li> 使用WASM或JS算法计算result<\/code><\/li> 构造verify请求参数<\/li> 获取sl-challenge-jwt<\/code>并携带访问<\/li> <\/ol> 六、注意事项<\/h2> 本文所有技术仅用于学习交流<\/li> 严禁用于商业用途和非法用途<\/li> 已对敏感信息进行脱敏处理<\/li> 未经许可禁止转载或二次传播<\/li> <\/ol> 七、参考资源<\/h2> devtools-detector项目<\/a><\/li> fingerprintjs官方库<\/a><\/li> 在线指纹测试<\/a><\/li> <\/ol>

某亭雷池WAF验证码逆向分析教学文档<\/h1>

一、目标分析<\/h2> 目标网站<\/strong>：aHR0cHM6Ly95dW5wYW4xLndhbmcv (已脱敏)<\/p> 验证码类型<\/strong>：无感验证、直滑验证<\/p>

1. 控制台检测机制<\/h3> 当打开开发者工具时，页面显示"当前环境正在被调试"，这是通过v2\/challenge.js<\/code>文件中的控制台检测实现的。<\/p>

四、参数逆向<\/h2>

2. result参数加密<\/h3>

七、参考资源<\/h2> devtools-detector项目<\/a><\/li> fingerprintjs官方库<\/a><\/li> 在线指纹测试<\/a><\/li> <\/ol>

一、目标分析<\/h2>
目标网站<\/strong>：aHR0cHM6Ly95dW5wYW4xLndhbmcv (已脱敏)<\/p>
验证码类型<\/strong>：无感验证、直滑验证<\/p>

1. 控制台检测机制<\/h3>
当打开开发者工具时，页面显示"当前环境正在被调试"，这是通过`v2\/challenge.js<\/code>文件中的控制台检测实现的。<\/p>`

七、参考资源<\/h2>

devtools-detector项目<\/a><\/li>
fingerprintjs官方库<\/a><\/li>
在线指纹测试<\/a><\/li> <\/ol>