2980邮箱多种类验证码逆向分析教学文档<\/h1>

一、目标分析<\/h2>
目标网站<\/strong>：2980邮箱登录页（已脱敏处理）
验证码类型<\/strong>：滑块、点选、旋转、拼图乱序、钟表等多种验证码
主要分析对象<\/strong>：滑块、点选、旋转验证码的逆向过程<\/p>

二、反调试处理<\/h2>
网站包含两处debugger反调试：<\/p>

首页加载时<\/li>
验证码加载时<\/li> <\/ol>
解决方案<\/h3>
方法1：HOOK Function.prototype.constructor<\/h4>
(()=>{ <\/span><\/span> Function.prototype<\/span>.__constructor<\/span> =<\/span> Function.prototype<\/span>.constructor<\/span>; <\/span><\/span> Function.prototype<\/span>.constructor<\/span> =<\/span> function<\/span>(){ <\/span><\/span> if<\/span>(arguments<\/span> &&<\/span> typeof<\/span> arguments<\/span>[0<\/span>]===<\/span>'string'<\/span>){ <\/span><\/span> if<\/span>("debugger"<\/span>===<\/span>arguments<\/span>[0<\/span>]){ <\/span><\/span> return<\/span> <\/span><\/span> } <\/span><\/span> return<\/span> Function.prototype<\/span>.__constructor<\/span>.apply<\/span>(this<\/span>,arguments<\/span>) <\/span><\/span> } <\/span><\/span> } <\/span><\/span>})() <\/span><\/span><\/code><\/pre>方法2：文件替换（推荐）<\/h4> 使用浏览器替换功能将debugger相关代码替换为空函数。<\/p> 三、验证码接口分析<\/h2> 1. 图片请求接口<\/h3> 返回数据<\/strong>：包含加密的mes字段<\/li> 验证码类型标识<\/strong>： 21: 滑块<\/li> 23: 点选<\/li> 16: 旋转<\/li> <\/ul> <\/li> <\/ul> 2. 请求参数<\/h3> token<\/li> appid<\/li> k值（需要逆向）<\/li> <\/ul> 3. 关键接口<\/h3> getBehaviorRegister<\/code>接口返回token和appid<\/p> 四、关键值逆向分析<\/h2> 1. sign值生成<\/h3> 加密方式<\/strong>：SHA256<\/li> 定位方法<\/strong>：通过启动器查找或XHR断点<\/li> 明文构造<\/strong>：相对简单，具体逻辑略<\/li> <\/ul> 2. k值生成<\/h3> 加密方式<\/strong>：AES-ECB<\/li> key生成<\/strong>：(_0x37cb01 + _0x134810).substring(8, 24)<\/code> _0x37cb01<\/code>：JS文件中固定值<\/li> _0x134810<\/code>：时间戳（与图片接口的t参数对应）<\/li> <\/ul> <\/li> 明文<\/strong>：指纹信息加密生成（fingerPrinterList[0x2]<\/code>和fingerPrinterSon<\/code>）<\/li> <\/ul> 3. mes值解密<\/h3> 解密方式<\/strong>：AES<\/li> key<\/strong>：与k值加密的key保持一致<\/li> 解密结果示例<\/strong>：<\/li> <\/ul> { <\/span><\/span> "dif"<\/span>:"0"<\/span>, <\/span><\/span> "answer"<\/span>:["9"<\/span>,"未"<\/span>,"雨"<\/span>], <\/span><\/span> "bg"<\/span>:"https:\/\/csmoss.duoyi.com\/19\/124bf7b8f82292"<\/span>, <\/span><\/span> "num"<\/span>:3<\/span>, <\/span><\/span> "sn"<\/span>:"9a363bc74a8a"<\/span>, <\/span><\/span> "type"<\/span>:23<\/span>, <\/span><\/span> "list"<\/span>:[] <\/span><\/span>} <\/span><\/span><\/code><\/pre>4. 滑块图片还原<\/h3> def<\/span> split_and_reorder_image<\/span>(image_path, reorder_array, split_ratios=<\/span>(10<\/span>, 1<\/span>)): <\/span><\/span> """ <\/span><\/span><\/span> 还原乱序的滑块图片 <\/span><\/span><\/span> :param image_path: 乱序的图片路径 <\/span><\/span><\/span> :param reorder_array: 滑块图片接口返回的mes解密后的list <\/span><\/span><\/span> :param split_ratios: 分割比例 <\/span><\/span><\/span> """<\/span> <\/span><\/span> from<\/span> PIL import<\/span> Image <\/span><\/span> <\/span><\/span> original_image =<\/span> Image.<\/span>open(image_path) <\/span><\/span> width, height =<\/span> original_image.<\/span>size <\/span><\/span> <\/span><\/span> # 分割图片<\/span> <\/span><\/span> split_width =<\/span> width \/\/<\/span> split_ratios[0<\/span>] <\/span><\/span> split_height =<\/span> height \/\/<\/span> split_ratios[1<\/span>] <\/span><\/span> images =<\/span> [(i *<\/span> split_width, j *<\/span> split_height, <\/span><\/span> (i +<\/span> 1<\/span>) *<\/span> split_width, (j +<\/span> 1<\/span>) *<\/span> split_height) <\/span><\/span> for<\/span> i in<\/span> range(split_ratios[0<\/span>]) <\/span><\/span> for<\/span> j in<\/span> range(split_ratios[1<\/span>])] <\/span><\/span> images =<\/span> [original_image.<\/span>crop(box) for<\/span> box in<\/span> images] <\/span><\/span> <\/span><\/span> # 重新排序<\/span> <\/span><\/span> reordered_images =<\/span> [""<\/span> for<\/span> _ in<\/span> range(len(images))] <\/span><\/span> for<\/span> i, new_index in<\/span> enumerate(reorder_array): <\/span><\/span> reordered_images[new_index] =<\/span> images[i] <\/span><\/span> <\/span><\/span> # 拼接还原<\/span> <\/span><\/span> new_width =<\/span> split_width *<\/span> split_ratios[0<\/span>] <\/span><\/span> new_height =<\/span> split_height *<\/span> split_ratios[1<\/span>] <\/span><\/span> new_image =<\/span> Image.<\/span>new('RGB'<\/span>, (new_width, new_height)) <\/span><\/span> <\/span><\/span> for<\/span> i, img in<\/span> enumerate(reordered_images): <\/span><\/span> x =<\/span> (i %<\/span> split_ratios[0<\/span>]) *<\/span> split_width <\/span><\/span> y =<\/span> (i \/\/<\/span> split_ratios[0<\/span>]) *<\/span> split_height <\/span><\/span> new_image.<\/span>paste(img, (x, y)) <\/span><\/span> <\/span><\/span> new_image.<\/span>save(image_path) <\/span><\/span><\/code><\/pre>五、验证请求分析<\/h2> 1. 请求参数<\/h3> token、appid：从接口获取<\/li> portion、cn、timestamp、signature：需要逆向<\/li> sn：图片接口解密后返回<\/li> 请求负载：不同验证码类型有差异<\/li> <\/ul> 2. 参数生成逻辑<\/h3> portion = Math.random().toFixed(2)<\/code><\/li> cn = md5('num' + parseInt(10000000 + Math.random() * 1000000) + 'time' + new Date().getTime())<\/code><\/li> timestamp = new Date().getTime()<\/code><\/li> signature = md5(md5(portion + ':' + timestamp + ':' + token) + sn + ':1:' + cn + ':auth' + ":5b350044ac092f7bf3c2bc791638ca2f")<\/code><\/li> <\/ul> 3. 请求负载生成<\/h3> 加密方式：AES<\/li> 明文：环境信息+验证码相关信息（JSON格式）<\/li> key：固定值 + signature，截取8到24位<\/li> <\/ul> 六、不同类型验证码参数差异<\/h2> 1. 点选验证码<\/h3> 关键参数<\/strong>： slide<\/code>：点选轨迹<\/li> click_behavior<\/code>：点选坐标+时间+顺序<\/li> portion<\/code>：计算后的点选坐标（与图片宽高的比例）<\/li> <\/ul> <\/li> <\/ul> portion计算代码<\/strong>：<\/p> # center_points 点选坐标<\/span> <\/span><\/span>portion =<\/span> [] <\/span><\/span>for<\/span> i in<\/span> range(len(center_points)): <\/span><\/span> portion.<\/span>append([ <\/span><\/span> str(format(center_points[i][0<\/span>]\/<\/span>320<\/span>, '.5f'<\/span>)), <\/span><\/span> str(round((center_points[i][1<\/span>]+<\/span>0.83332824707031<\/span>)\/<\/span>200<\/span>, 5<\/span>)) <\/span><\/span> ]) <\/span><\/span><\/code><\/pre>2. 滑块验证码<\/h3> 关键参数<\/strong>： slide<\/code>：滑动轨迹<\/li> portion<\/code>：计算后的滑块距离<\/li> <\/ul> <\/li> <\/ul> 滑动距离计算函数<\/strong>：<\/p> function<\/span> get_huadongtiao<\/span>(x<\/span>, startposition<\/span>) { <\/span><\/span> var<\/span> _0x3c1ee0<\/span> =<\/span> 72<\/span>; <\/span><\/span> var<\/span> _0x3d74b9<\/span> =<\/span> 1.11<\/span>; <\/span><\/span> var<\/span> _0x4b4e13<\/span> =<\/span> 0.74<\/span>; <\/span><\/span> var<\/span> _0x1fda62<\/span> =<\/span> startposition<\/span>; \/\/ 图片接口返回的startPosition参数 <\/span><\/span><\/span><\/span> var<\/span> _0x101145<\/span> =<\/span> 1<\/span>; <\/span><\/span> var<\/span> _0x3d3596<\/span>; <\/span><\/span> <\/span><\/span> for<\/span> (var<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> 999<\/span>; i<\/span>++<\/span>) { <\/span><\/span> _0x101145<\/span>++<\/span>; <\/span><\/span> _0x3d3596<\/span> =<\/span> Math.pow<\/span>(_0x3c1ee0<\/span> *<\/span> _0x101145<\/span>, 0.4<\/span> *<\/span> Math.abs<\/span>(Math.sin<\/span>(0.025<\/span> *<\/span> _0x101145<\/span>))) +<\/span> <\/span><\/span> Math.pow<\/span>(_0x101145<\/span>, _0x3d74b9<\/span>) *<\/span> _0x4b4e13<\/span> +<\/span> _0x1fda62<\/span>; <\/span><\/span> <\/span><\/span> if<\/span> (Math.abs<\/span>(_0x3d3596<\/span> -<\/span> x<\/span>) <=<\/span> 1<\/span>) { <\/span><\/span> break<\/span>; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> var<\/span> portion<\/span> =<\/span> (Math.pow<\/span>(_0x3c1ee0<\/span> *<\/span> _0x101145<\/span>, 0.4<\/span> *<\/span> Math.abs<\/span>(Math.sin<\/span>(0.025<\/span> *<\/span> _0x101145<\/span>))) +<\/span> <\/span><\/span> Math.pow<\/span>(_0x101145<\/span>, _0x3d74b9<\/span>) *<\/span> _0x4b4e13<\/span>) \/<\/span> 320<\/span>; <\/span><\/span> <\/span><\/span> return<\/span> { <\/span><\/span> "portion"<\/span>:<\/span> portion<\/span>, <\/span><\/span> "value"<\/span>:<\/span> _0x101145<\/span> <\/span><\/span> }; <\/span><\/span>} <\/span><\/span><\/code><\/pre>3. 旋转验证码<\/h3> 关键参数<\/strong>： portion<\/code>：识别角度<\/li> slide<\/code>：旋转滑动轨迹（根据滑动条滑动距离计算）<\/li> <\/ul> <\/li> <\/ul> 滑动距离计算<\/strong>：<\/p> 滑动距离 =<\/span> int(portion *<\/span> 0.6<\/span>) <\/span><\/span><\/code><\/pre>轨迹生成函数<\/strong>：<\/p> import<\/span> random <\/span><\/span> <\/span><\/span>def<\/span> __ease_out_expo<\/span>(sep): <\/span><\/span> """缓动函数 easeOutExpo"""<\/span> <\/span><\/span> if<\/span> sep ==<\/span> 1<\/span>: <\/span><\/span> return<\/span> 1<\/span> <\/span><\/span> else<\/span>: <\/span><\/span> return<\/span> 1<\/span> -<\/span> pow(2<\/span>, -<\/span>10<\/span> *<\/span> sep) <\/span><\/span> <\/span><\/span>def<\/span> get_slide_track<\/span>(distance): <\/span><\/span> """ <\/span><\/span><\/span> 根据滑动距离生成滑动轨迹 <\/span><\/span><\/span> :param distance: 需要滑动的距离 <\/span><\/span><\/span> :return: 滑动轨迹[[x,y,t], ...] <\/span><\/span><\/span> """<\/span> <\/span><\/span> if<\/span> not<\/span> isinstance(distance, int) or<\/span> distance <<\/span> 0<\/span>: <\/span><\/span> raise<\/span> ValueError<\/span>(f<\/span>"distance类型必须是大于等于0的整数: distance: <\/span>{<\/span>distance}<\/span>"<\/span>) <\/span><\/span> <\/span><\/span> # 初始化轨迹列表<\/span> <\/span><\/span> slide_track =<\/span> [[0<\/span>, 0<\/span>, -<\/span>(distance *<\/span> 20<\/span>)]] <\/span><\/span> <\/span><\/span> # 共记录count次滑块位置信息<\/span> <\/span><\/span> count =<\/span> 50<\/span> +<\/span> int(distance \/<\/span> 2<\/span>) <\/span><\/span> <\/span><\/span> # 初始化滑动时间<\/span> <\/span><\/span> t =<\/span> slide_track[0<\/span>][2<\/span>] <\/span><\/span> <\/span><\/span> # 记录上一次滑动的距离<\/span> <\/span><\/span> _x =<\/span> 0<\/span> <\/span><\/span> _y =<\/span> slide_track[0<\/span>][1<\/span>] <\/span><\/span> <\/span><\/span> for<\/span> i in<\/span> range(count): <\/span><\/span> _y -=<\/span> 1<\/span> if<\/span> i %<\/span> 9<\/span> ==<\/span> 0<\/span> else<\/span> 0<\/span> <\/span><\/span> <\/span><\/span> # 已滑动的横向距离<\/span> <\/span><\/span> x =<\/span> slide_track[0<\/span>][0<\/span>] +<\/span> round(__ease_out_expo(i \/<\/span> count) *<\/span> distance) <\/span><\/span> <\/span><\/span> # 滑动过程消耗的时间<\/span> <\/span><\/span> t -=<\/span> random.<\/span>randint(10<\/span>, 20<\/span>) <\/span><\/span> <\/span><\/span> if<\/span> x ==<\/span> _x: <\/span><\/span> continue<\/span> <\/span><\/span> <\/span><\/span> slide_track.<\/span>append([x, _y, t]) <\/span><\/span> _x =<\/span> x <\/span><\/span> <\/span><\/span> slide_track.<\/span>append(slide_track[-<\/span>1<\/span>]) <\/span><\/span> return<\/span> slide_track <\/span><\/span><\/code><\/pre>七、验证结果<\/h2> 成功响应<\/strong>：{"message":{"pass":"cd5201bdb47748fe8b9114769d7122cb"},"code":1}<\/code><\/li> 失败响应<\/strong>：{"message":"not match","code":0}<\/code><\/li> <\/ul> 八、总结<\/h2> 该验证码系统采用了多种反调试手段，需要先处理debugger<\/li> 关键加密使用SHA256和AES（ECB模式）<\/li> 不同验证码类型的区别主要在于请求负载的构造<\/li> 滑块验证码需要额外的图片还原处理<\/li> 验证请求需要构造复杂的签名参数<\/li> <\/ol> 通过分析加密逻辑和参数构造方式，可以完整实现该验证码系统的自动化识别。<\/p>

2980邮箱多种类验证码逆向分析教学文档<\/h1>

一、目标分析<\/h2> 目标网站<\/strong>：2980邮箱登录页（已脱敏处理） 验证码类型<\/strong>：滑块、点选、旋转、拼图乱序、钟表等多种验证码 主要分析对象<\/strong>：滑块、点选、旋转验证码的逆向过程<\/p>

解决方案<\/h3>

方法2：文件替换（推荐）<\/h4> 使用浏览器替换功能将debugger相关代码替换为空函数。<\/p>

三、验证码接口分析<\/h2>

3. 关键接口<\/h3> getBehaviorRegister<\/code>接口返回token和appid<\/p>

五、验证请求分析<\/h2>

六、不同类型验证码参数差异<\/h2>

一、目标分析<\/h2>
目标网站<\/strong>：2980邮箱登录页（已脱敏处理）
验证码类型<\/strong>：滑块、点选、旋转、拼图乱序、钟表等多种验证码
主要分析对象<\/strong>：滑块、点选、旋转验证码的逆向过程<\/p>

方法2：文件替换（推荐）<\/h4>
使用浏览器替换功能将debugger相关代码替换为空函数。<\/p>

3. 关键接口<\/h3>
`getBehaviorRegister<\/code>接口返回token和appid<\/p>`