xx邮政滑块验证码逆向分析教程<\/h1>

一、前言<\/h2>
本教程将详细分析xx邮政滑块验证码的逆向过程，涵盖抓包分析、参数逆向、代码还原、加密算法破解等关键环节。该验证码系统采用了WebAssembly、WebGL等技术，具有一定的复杂度。<\/p>

二、逆向目标<\/h2>
目标网站：`aHR0cHM6Ly9wYXNzcG9ydC4xMTE4NS5jbi9jYXMvbG9naW4=<\/code>（已脱敏）<\/p>`
`验证码类型：滑块验证码<\/p>`

三、抓包分析<\/h2>
1. 图片接口(gen)<\/h3>
返回内容包含：<\/p>

clientUid：重要参数，需要逆向生成<\/li>
deviceId：设备ID<\/li>
webAName、miid、rc：后续加密所需参数<\/li>
<\/ul>
2. 验证接口<\/h3>
关键参数：<\/p>

id：图片接口返回<\/li>
bgImageHeight\/bgImageWidth：固定值<\/li>
clientUid：同图片接口<\/li>
deviceId：图片接口返回<\/li>
enmiid：需要逆向<\/li>
entSlidingTime\/startSlidingTime：验证时间，可模拟<\/li>
print：需要逆向<\/li>
sliderImageHeight\/sliderImageWidth：固定值<\/li>
trackList：滑块轨迹<\/li>
<\/ul>
四、逆向分析<\/h2>
1. clientUid参数生成<\/h3>
clientUid是一个UUID，通过分析main.js文件发现其生成逻辑：<\/p>
function<\/span> _0x236e93<\/span>(_0x5bbf46<\/span>, _0x3b7cda<\/span>, _0x21cf16<\/span>) {
<\/span><\/span>  var<\/span> _0x574141<\/span> =<\/span> (_0x5bbf46<\/span> =<\/span> _0x5bbf46<\/span> ||<\/span> {}).random<\/span> ||<\/span> (_0x5bbf46<\/span>.rng<\/span> ||<\/span> _0x2f762f<\/span>)();
<\/span><\/span>  _0x574141<\/span>[6<\/span>] =<\/span> _0x574141<\/span>[6<\/span>] &<\/span> 15<\/span> |<\/span> 64<\/span>;
<\/span><\/span>  _0x574141<\/span>[8<\/span>] =<\/span> _0x574141<\/span>[8<\/span>] &<\/span> 63<\/span> |<\/span> 128<\/span>;
<\/span><\/span>  if<\/span> (_0x3b7cda<\/span>) {
<\/span><\/span>    _0x21cf16<\/span> =<\/span> _0x21cf16<\/span> ||<\/span> 0<\/span>;
<\/span><\/span>    for<\/span> (var<\/span> _0x3503fc<\/span> =<\/span> 0<\/span>; _0x3503fc<\/span> <<\/span> 16<\/span>; ++<\/span>_0x3503fc<\/span>) {
<\/span><\/span>      _0x3b7cda<\/span>[_0x21cf16<\/span> +<\/span> _0x3503fc<\/span>] =<\/span> _0x574141<\/span>[_0x3503fc<\/span>];
<\/span><\/span>    }
<\/span><\/span>    return<\/span> _0x3b7cda<\/span>;
<\/span><\/span>  }
<\/span><\/span>  return<\/span> _0x19f649<\/span>(_0x574141<\/span>);
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>解决方案：<\/p>

直接使用UUID库生成<\/li>
扣取上述代码实现<\/li>
<\/ol>
2. enmiid和print参数生成<\/h3>
这两个参数通过以下流程生成：<\/p>

从图片接口获取webAName、miid、rc<\/li>
构造weba.js请求URL：https:\/\/kks.11185.cn\/static\/front\/[webAName]\/bin\/weba.js<\/code><\/li>
通过WebAssembly与JavaScript交互处理数据<\/li>
最终生成enmiid和print参数<\/li>
<\/ol>
关键代码分析：<\/h4>
\/\/ 处理rc参数
<\/span><\/span><\/span><\/span>_0x2d1fb0<\/span> =<\/span> rc<\/span>;
<\/span><\/span>
<\/span><\/span>\/\/ 处理miid等参数
<\/span><\/span><\/span><\/span>_0x354e64<\/span> =<\/span> {
<\/span><\/span>  hitId<\/span>:<\/span> miid<\/span>,
<\/span><\/span>  deviceId<\/span>:<\/span> deviceId<\/span>,
<\/span><\/span>  _print<\/span>:<\/span> _0x468795<\/span>(miid<\/span>)
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>\/\/ WebAssembly处理
<\/span><\/span><\/span><\/span>weba<\/span>().then<\/span>(function<\/span>(Module<\/span>) {
<\/span><\/span>  _0x156e64<\/span> =<\/span> Module<\/span>.allocateUTF8<\/span>(JSON<\/span>.stringify<\/span>(_0x354e64<\/span>));
<\/span><\/span>  _0x3e92b3<\/span> =<\/span> Module<\/span>._rotate<\/span>(_0x156e64<\/span>);
<\/span><\/span>  _0x57276e<\/span> =<\/span> Module<\/span>.UTF8ToString<\/span>(_0x3e92b3<\/span>);
<\/span><\/span>  result<\/span> =<\/span> JSON<\/span>.parse<\/span>(_0x57276e<\/span>);
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>print参数生成细节：<\/h4>
function<\/span> _0x468795<\/span>(_0x34c930<\/span>) {
<\/span><\/span>  \/\/ WebGL绘制图形
<\/span><\/span><\/span><\/span>  \/\/ 转换为图像数据URL
<\/span><\/span><\/span><\/span>  \/\/ 生成密文
<\/span><\/span><\/span><\/span>  var<\/span> _0x492d6a<\/span> =<\/span> function<\/span>() {
<\/span><\/span>    \/\/ 加密逻辑
<\/span><\/span><\/span><\/span>    return<\/span> crypto<\/span>.createHash<\/span>('md5'<\/span>).update<\/span>(_0x5ad970<\/span> +<\/span> "|"<\/span> +<\/span> 密文<\/span>).digest<\/span>('hex'<\/span>);
<\/span><\/span>  };
<\/span><\/span>  return<\/span> _0x492d6a<\/span>();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. WebAssembly处理<\/h3>
需要下载weba.js文件并模拟浏览器环境执行：<\/p>
weba<\/span> =<\/span> require<\/span>('.\/Weba.js'<\/span>);
<\/span><\/span>window =<\/span> global<\/span>;
<\/span><\/span>
<\/span><\/span>function<\/span> ZxptRestKks<\/span>(rc<\/span>, _0x354e64<\/span>) {
<\/span><\/span>  var<\/span> result<\/span>;
<\/span><\/span>  var<\/span> flag<\/span> =<\/span> false<\/span>;
<\/span><\/span>  weba<\/span>().then<\/span>(function<\/span>(Module<\/span>) {
<\/span><\/span>    if<\/span> (Module<\/span>) {
<\/span><\/span>      _0x2d1fb0<\/span> =<\/span> rc<\/span>;
<\/span><\/span>      window[_0x354e64<\/span>.deviceId<\/span>] =<\/span> function<\/span>() {
<\/span><\/span>        return<\/span> _0xa2b2bc<\/span> =<\/span> Module<\/span>.allocateUTF8<\/span>(_0x2d1fb0<\/span>);
<\/span><\/span>      };
<\/span><\/span>      _0x156e64<\/span> =<\/span> Module<\/span>.allocateUTF8<\/span>(JSON<\/span>.stringify<\/span>(_0x354e64<\/span>));
<\/span><\/span>      _0x3e92b3<\/span> =<\/span> Module<\/span>._rotate<\/span>(_0x156e64<\/span>);
<\/span><\/span>      _0x57276e<\/span> =<\/span> Module<\/span>.UTF8ToString<\/span>(_0x3e92b3<\/span>);
<\/span><\/span>      result<\/span> =<\/span> JSON<\/span>.parse<\/span>(_0x57276e<\/span>);
<\/span><\/span>      flag<\/span> =<\/span> true<\/span>;
<\/span><\/span>    }
<\/span><\/span>  });
<\/span><\/span>  while<\/span> (!<\/span>flag<\/span>) {
<\/span><\/span>    require<\/span>('deasync'<\/span>).sleep<\/span>(100<\/span>);
<\/span><\/span>  }
<\/span><\/span>  return<\/span> result<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>五、滑块识别与轨迹生成<\/h2>
1. 缺口识别<\/h3>
使用OpenCV识别滑块缺口位置：<\/p>
def<\/span> identify_gap<\/span>(bg, tp):
<\/span><\/span>    # 读取背景图片和缺口图片<\/span>
<\/span><\/span>    bg_img =<\/span> cv2.<\/span>imdecode(np.<\/span>frombuffer(bg, np.<\/span>uint8), cv2.<\/span>IMREAD_GRAYSCALE)
<\/span><\/span>    tp_img =<\/span> cv2.<\/span>imdecode(np.<\/span>frombuffer(tp, np.<\/span>uint8), cv2.<\/span>IMREAD_GRAYSCALE)
<\/span><\/span>    
<\/span><\/span>    # 处理缺口图片<\/span>
<\/span><\/span>    yy =<\/span> []
<\/span><\/span>    xx =<\/span> []
<\/span><\/span>    for<\/span> y in<\/span> range(tp_img.<\/span>shape[0<\/span>]):
<\/span><\/span>        for<\/span> x in<\/span> range(tp_img.<\/span>shape[1<\/span>]):
<\/span><\/span>            r =<\/span> tp_img[y, x]
<\/span><\/span>            if<\/span> r <<\/span> 200<\/span>:
<\/span><\/span>                yy.<\/span>append(y)
<\/span><\/span>                xx.<\/span>append(x)
<\/span><\/span>    tp_img =<\/span> tp_img[min(yy):max(yy), min(xx):max(xx)]
<\/span><\/span>    
<\/span><\/span>    # 识别图片边缘<\/span>
<\/span><\/span>    bg_edge =<\/span> cv2.<\/span>Canny(bg_img, 100<\/span>, 200<\/span>)
<\/span><\/span>    tp_edge =<\/span> cv2.<\/span>Canny(tp_img, 100<\/span>, 200<\/span>)
<\/span><\/span>    
<\/span><\/span>    # 转换图片格式<\/span>
<\/span><\/span>    bg_pic =<\/span> cv2.<\/span>cvtColor(bg_edge, cv2.<\/span>COLOR_GRAY2RGB)
<\/span><\/span>    tp_pic =<\/span> cv2.<\/span>cvtColor(tp_edge, cv2.<\/span>COLOR_GRAY2RGB)
<\/span><\/span>    
<\/span><\/span>    # 缺口匹配<\/span>
<\/span><\/span>    res =<\/span> cv2.<\/span>matchTemplate(bg_pic, tp_pic, cv2.<\/span>TM_CCOEFF_NORMED)
<\/span><\/span>    min_val, max_val, min_loc, max_loc =<\/span> cv2.<\/span>minMaxLoc(res)
<\/span><\/span>    
<\/span><\/span>    # 返回缺口的X坐标<\/span>
<\/span><\/span>    value =<\/span> max_loc[0<\/span>]
<\/span><\/span>    return<\/span> int(value *<\/span> 0.55<\/span>)  # 需要乘以0.55的系数<\/span>
<\/span><\/span><\/code><\/pre>2. 轨迹生成<\/h3>
def<\/span> get_sub_trajectory<\/span>(trajectories, value):
<\/span><\/span>    # 检查value是否在轨迹的x值中<\/span>
<\/span><\/span>    for<\/span> trajectory in<\/span> trajectories:
<\/span><\/span>        if<\/span> trajectory['x'<\/span>] ==<\/span> value:
<\/span><\/span>            return<\/span> [t for<\/span> t in<\/span> trajectories if<\/span> t['x'<\/span>] <=<\/span> value]
<\/span><\/span>    
<\/span><\/span>    # 如果value不在x值中，找到最接近的x值<\/span>
<\/span><\/span>    closest_x =<\/span> None<\/span>
<\/span><\/span>    min_diff =<\/span> float('inf'<\/span>)
<\/span><\/span>    for<\/span> trajectory in<\/span> trajectories:
<\/span><\/span>        if<\/span> abs(trajectory['x'<\/span>] -<\/span> value) <<\/span> min_diff:
<\/span><\/span>            min_diff =<\/span> abs(trajectory['x'<\/span>] -<\/span> value)
<\/span><\/span>            closest_x =<\/span> trajectory['x'<\/span>]
<\/span><\/span>    
<\/span><\/span>    # 截取从轨迹开始到最接近的x值的子数组<\/span>
<\/span><\/span>    sub_trajectory =<\/span> [t for<\/span> t in<\/span> trajectories if<\/span> t['x'<\/span>] <=<\/span> closest_x]
<\/span><\/span>    sub_trajectory[-<\/span>1<\/span>]['type'<\/span>] =<\/span> 'up'<\/span>  # 最后一步标记为抬起<\/span>
<\/span><\/span>    return<\/span> sub_trajectory
<\/span><\/span><\/code><\/pre>六、注意事项<\/h2>


风控措施<\/strong>：<\/p>

对距离识别要求较高<\/li>
会封IP和UA<\/li>
速度过快会影响成功率<\/li>
建议在识别后添加延迟：time.sleep(1)<\/code><\/li>
<\/ul>
<\/li>

成功率优化<\/strong>：<\/p>

使用高质量的代理IP<\/li>
模拟真实浏览器环境<\/li>
轨迹生成要符合人类操作特征<\/li>
识别结果乘以0.55的系数<\/li>
<\/ul>
<\/li>

代码混淆处理<\/strong>：<\/p>

使用AST工具处理混淆代码<\/li>
推荐工具：v_jstools插件<\/li>
在线分析工具：https:\/\/astexplorer.net<\/li>
<\/ul>
<\/li>
<\/ol>
七、总结<\/h2>
本教程详细分析了xx邮政滑块验证码的逆向过程，包括：<\/p>

抓包分析接口参数<\/li>
clientUid的UUID生成<\/li>
enmiid和print参数的WebAssembly处理<\/li>
滑块缺口识别算法<\/li>
轨迹生成方法<\/li>
风控绕过技巧<\/li>
<\/ol>
通过完整实现上述流程，可以达到99%的验证通过率。<\/p>

xx邮政滑块验证码逆向分析教程<\/h1>

一、前言<\/h2> 本教程将详细分析xx邮政滑块验证码的逆向过程，涵盖抓包分析、参数逆向、代码还原、加密算法破解等关键环节。该验证码系统采用了WebAssembly、WebGL等技术，具有一定的复杂度。<\/p>

二、逆向目标<\/h2> 目标网站：aHR0cHM6Ly9wYXNzcG9ydC4xMTE4NS5jbi9jYXMvbG9naW4=<\/code>（已脱敏）<\/p> 验证码类型：滑块验证码<\/p>

四、逆向分析<\/h2>

五、滑块识别与轨迹生成<\/h2>

一、前言<\/h2>
本教程将详细分析xx邮政滑块验证码的逆向过程，涵盖抓包分析、参数逆向、代码还原、加密算法破解等关键环节。该验证码系统采用了WebAssembly、WebGL等技术，具有一定的复杂度。<\/p>

二、逆向目标<\/h2>
目标网站：`aHR0cHM6Ly9wYXNzcG9ydC4xMTE4NS5jbi9jYXMvbG9naW4=<\/code>（已脱敏）<\/p>`
`验证码类型：滑块验证码<\/p>`