# 宣告 **原創文章，請勿轉載！** **本文內容僅限於安全研究，不公開具體原始碼。維護網路安全，人人有責。** **本文配合《第三代驗證碼研究》《極驗無感驗證破解》服用效果更好，能更全面體會安全產品的設計。** **本文主要通過破解協議的方式繞過極驗安全驗證，思路與網上自動化的方式有很大的不同**
[toc] # 一、完整流程 ### 1、極驗官網完整流程 # 一、例項研究 **我們以春秋航空註冊場景的驗證碼為研究物件** ### 1、例項研究地址 https://account.ch.com/NonRegistrations-Regist ### 2、例項研究場景 # 二、請求分析 ## 1、網路請求抓包 從網路抓包結果可以看到，整個極驗驗證碼與極驗伺服器一共互動了**8**次。要想破解極驗驗證碼，首先我們就需要搞清楚每次請求都攜帶了哪些引數，其次就是引數如何生成的？只有搞明白每個引數的意義，後續我們才能夠通過偽造引數以達到破解的目的。 ## 2、資料說明 在分析極驗請求前，需要先解釋說明兩個引數。 （1）gt：極驗為每個使用方提供一個唯一身份標識用於進行服務區分 （2）challenge：用於請求串聯，我們都知道http是無狀態的，有了challenge就能把各個請求串聯起來。（注意：challenge是會發生改變的，記得及時更換） ## 3、請求分析 ### 請求1：gt.js #### （1）請求介紹 關於第一個請求，在極驗的官方文件已經給我們介紹了（https://docs.geetest.com/sensebot/deploy/client/web）。`gt.js`檔案用於載入對應的驗證JS庫。 #### **（2）關鍵程式碼** ```js Config.prototype = { api_server: 'api.geetest.com', protocol: 'http://', typePath: '/gettype.php', fallback_config: { slide: { static_servers: ["static.geetest.com", "dn-staticdown.qbox.me"], type: 'slide', slide: '/static/js/geetest.0.0.0.js' }, fullpage: { static_servers: ["static.geetest.com", "dn-staticdown.qbox.me"], type: 'fullpage', fullpage: '/static/js/fullpage.0.0.0.js' } }, _get_fallback_config: function () { var self = this; if (isString(self.type)) { return self.fallback_config[self.type]; } else if (self.new_captcha) { return self.fallback_config.fullpage; } else { return self.fallback_config.slide; } }, _extend: function (obj) { var self = this; new _Object(obj)._each(function (key, value) { self[key] = value; }) } }; ``` #### 解釋說明 （1）正常請求會發送gettype.php請求 ```json # Request URL https://api.geetest.com/gettype.php?gt=25ba81caec944f8d74c98befd841a667&callback=geetest_1605974702024 # Query String Parammeters gt: 25ba81caec944f8d74c98befd841a667 callback: geetest_1605974702024 ``` （2）兜底策略 如果發生異常情況，極驗伺服器無法響應。這時就會發送`http://static.geetest.com/static/js/geetest.0.0.0.js`獲取能夠在本地驗證的js檔案，確保應用服務正常執行。具體可以參考我的另一篇部落格《極驗無感驗證破解》`https://www.cnblogs.com/boycelee/p/13951819.html` ### 請求2：gettype.js #### （1）請求介紹 該請求的目的是獲取極驗安全的核心js檔案`/static/js/fullpage.9.0.2.js`和極驗提供的各型別驗證碼對應的js檔案。 #### （2）請求詳情 ```json # Request URL https://api.geetest.com/gettype.php?gt=25ba81caec944f8d74c98befd841a667&callback=geetest_1605974702024 # Query String Parammeters gt: 25ba81caec944f8d74c98befd841a667 callback: geetest_1605974702024 # Response geetest_1605974702024({status: "success",…}) data: {type: "fullpage", voice: "/static/js/voice.1.2.0.js", maze: "/static/js/maze.1.0.1.js",…} aspect_radio: {slide: 103, voice: 128, click: 128, pencil: 128, beeline: 50} beeline: "/static/js/beeline.1.0.1.js" click: "/static/js/click.2.9.4.js" fullpage: "/static/js/fullpage.9.0.2.js" geetest: "/static/js/geetest.6.0.9.js" maze: "/static/js/maze.1.0.1.js" pencil: "/static/js/pencil.1.0.3.js" slide: "/static/js/slide.7.7.5.js" static_servers: ["static.geetest.com/", "dn-staticdown.qbox.me/"] type: "fullpage" voice: "/static/js/voice.1.2.0.js" status: "success" ``` ### 請求3：fullpage.js #### 請求介紹 該js檔案就是極驗驗證碼的核心檔案，其主要功能是**指紋資料、環境檢測資料**收集。獲取js檔案可以通過`https://static.geetest.com/static/js/fullpage.9.0.2.js`得到。 ### 請求4：get.php #### **（1）請求介紹** 該請求主要傳送的內容是通過執行fullpage.js檔案收集的瀏覽器資料，用於後續裝置指紋計算以及初步風險檢測。如果該請求偽造得足夠好，就會觸發**無感驗證** #### （2）關鍵步驟 ​ **流程圖** ​ **a、資料收集** ​ **瀏覽器資料**：js檔案元素、瀏覽器大小、瀏覽器外掛、canvas、字型、時區等資料 ```json { textLength, HTMLLength, documentMode, A, IMG, INPUT, LINK,SPAN, STYLE, screenLeft, screenTop, screenAvailLeft, screenAvailTop, innerWidth, innerHeight, outerWidth, outerHeight, browserLanguage, browserLanguages, devicePixelRatio, colorDepth, userAgent, screenWidth, screenHeight, screenAvailWidth, screenAvailHeight, localStorageEnabled, sessionStorageEnabled, indexedDBEnabled, platform, doNotTrack, timezone, canvas2DFP, canvas3DFP, plugins, maxTouchPoints, flashEnabled, javaEnabled, hardwareConcurrency, jsFonts, timestamp, performanceTiming ...等等（不完全暴露，以免被有心人利用） }; ``` ​ **b、格式處理** ​ 在每個收集的資料中間，通過“!”感嘆號來對資料進行切割。 ​ **c、請求引數構造** ```json { gt: gt, challenge: challenge, new_captcha: true, protocol: https == true ? "https://" : "http://", beeline: scriptInfo.beeline, fullpage: scriptInfo.fullpage, static_servers: scriptInfo.static_servers, pencil: scriptInfo.pencil, click: scriptInfo.click, voice: scriptInfo.voice, slide: "/static/js/slide.7.7.5.js", geetest: "/static/js/geetest.6.0.9.js", https: https, i: # 收集的瀏覽器資料 } ``` ​ **d、明文請求引數加密** ​ 使用對稱加密演算法對上述明文引數進行加密（可能是AES）。 ​ **e、構造密文請求引數** ``` gt: 25ba81caec944f8d74c98befd841a667 challenge: 61f4492c9e8ea1e136e98b38107d561e lang: zh-cn pt: 0 client_type: web w: Wt(lNJWNy9DeW5Z6nJck3NZCQaoyQdi3TTcxtdnFpU65OTMLZvjnrK9bgDx94DdhAlV0bvg61eh)qX0m(bWYmvFzG84QiCW7S5tLICB4QMC(zoR0YLHui9VVj6iJwWEK9lFIqklAGbsFUYHM3GEGr6mrnflcVvbIyyo8SJGIF4j70VqCLwmmcChYl4TX9GZQb0pN0)dJHSIJucHlyrrxhSpqk4b(ox65Ur4IX)De0of3r6WB78QI7)XNqxKheWL(L7peMT)f(bIl6ut5S1gO7d9dRSSZac9SjtQGUfXPNHtbm1tOts(zRdjihk8z)Zfsh)JFqM4QQgrhnd6wBOQ8pyv60bjgpONQeJdKnNBIb(SXgo)flKztgLn1cehGDcCTTQcNlnWi5E7R)(5X01pqSyc16(8YSj)CXk2T6JHUXCXXFAXrSFWs7noM4IR7KUawc1KLmu4lDLA913wOOGoCv5C06D4D48IkVeDIalagtcLwMVd(S7TAVVwWtxXXzsnxLipWbB9HjYSiYPeg3YzjvnJpbV)oDukpEkYkl2kjs53ucZ8jo33(QE09ubUvMLgQuHwIWOoqaO5VJ4ESffY)87yPJrLJprSRUTYHmuTAo6yyI0OeQGk5CHxx67iHrgzHnNxAAPZY5yrv)CJ3xcBhZgu0tk8lCYgiH1wbigIChhPgd5QTP0nJiOJPgQs76yVkvX7bLEMWJfWjLqIzZ1hd9XQmt)2yGvVLC0iiApcqGuKSvRhxvVrW01WPp6pzFOywFXULhI7vsqUOTvqoNnwJtnSv1b40F)F2y6lC8LRsj1AKBcxREtAtqKvpXOcCFPxT2qMdLKgISgYJ33RVknFDS4JfOhTk9AgXBFtSJ2zM7tpPROoRoBsPVMOrbO)mdip4Z62PxxSDS8cA0PW980wi6ZhaDamumAlxx8RQKLPW587)9Xehn5s6cIMdMFRIAubg0VXlnW5Us2IvKeI6cjEfHNMyCJz4Fmv3)IYsXh3iigq87dCjtkGlGiVTrjjo2q44e(qr0GAo5CrxuKO)EgbdLDAyqf)5WFlSx)VXn5UoZF(AunphgVIn4(vMeFVWN(fWYj(MKztePyzCi2Cdd3pLrrL2IrD7NvNo87wvdX6ro5Q6GVVHP14IvrQsArUDdnIZjz5kMJ0IG0rsd2oQL2XFndtTcuJNlRewL5KYai(K2uPNjCQmXLfEfH2LMIjerHM126aAv5EhwLuFhvxKhIjoEGoQqMGg3FZorOHWIJEt6jSDtKNwLeeUXomknlRtaVwVCJJkrR9MfM8vldLCZ..e581bf73fb48171a223c9fac8fc74f151438380e515f1775cb26d78086253beef82f250f02349285fd86ed2d52d0acb6f45fa1733340ea282c3524c432d93df20d22b28c2c382e1ad52d72b20fcc2104188b7e99d11ca440325cb4391e34d78f2122162d3e3fb3efa810139c6d1f933b1dacfdc1e044686369271275d2ac258a ``` ​ **w引數：**`步驟4中對稱加密後的資料（gt、chanllenge、瀏覽器資料、驗證碼js路徑）+ 使用非對稱加密對“對稱加密金鑰”進行加密後的加密串 ` ​ **f、返回資料** ```json geetest_1605981310309({ "status": "success", "data": { "logo": false, "s": "73304840", "i18n_labels": { "read_reversed": false, "copyright": "\u7531\u6781\u9a8c\u63d0\u4f9b\u6280\u672f\u652f\u6301", "goto_confirm": "\u524d\u5f80", "ready": "\u70b9\u51fb\u6309\u94ae\u8fdb\u884c\u9a8c\u8bc1", "goto_homepage": "\u662f\u5426\u524d\u5f80\u9a8c\u8bc1\u670d\u52a1Geetest\u5b98\u7f51", "next": "\u6b63\u5728\u52a0\u8f7d\u9a8c\u8bc1", "next_ready": "\u8bf7\u5b8c\u6210\u9a8c\u8bc1", "loading_content": "\u667a\u80fd\u9a8c\u8bc1\u68c0\u6d4b\u4e2d", "success": "\u9a8c\u8bc1\u6210\u529f", "fullpage": "\u667a\u80fd\u68c0\u6d4b\u4e2d", "reset": "\u8bf7\u70b9\u51fb\u91cd\u8bd5", "goto_cancel": "\u53d6\u6d88", "refresh_page": "\u9875\u9762\u51fa\u73b0\u9519\u8bef\u5566\uff01\u8981\u7ee7\u7eed\u64cd\u4f5c\uff0c\u8bf7\u5237\u65b0\u6b64\u9875\u9762", "success_title": "\u901a\u8fc7\u9a8c\u8bc1", "error_content": "\u8bf7\u70b9\u51fb\u6b64\u5904\u91cd\u8bd5", "error": "\u7f51\u7edc\u4e0d\u7ed9\u529b", "error_title": "\u7f51\u7edc\u8d85\u65f6" }, "static_servers": ["static.geetest.com", "dn-staticdown.qbox.me"], "theme": "wind", "feedback": "", "c": [12, 58, 98, 36, 43, 95, 62, 15, 12], "api_server": "api.geetest.com", "theme_version": "1.5.8" } }) ``` ​ **g、無感驗證** 如果該請求偽造的瀏覽器資訊足夠好，就會觸發無感驗證，不需要進行加強驗證。 ```json # Response geetest_1606035710872({status: "success", data: {s: "6b402d61", theme: "wind", api_server: "api.geetest.com",…}}) data: {s: "6b402d61", theme: "wind", api_server: "api.geetest.com",…} api_server: "api.geetest.com" c: [12, 58, 98, 36, 43, 95, 62, 15, 12] feedback: "" i18n_labels: {success_title: "通過驗證", refresh_page: "頁面出現錯誤啦！要繼續操作，請重新整理此頁面", ready: "點選按鈕進行驗證", next: "正在載入驗證",…} logo: false s: "6b402d61" static_servers: ["static.geetest.com", "dn-staticdown.qbox.me"] theme: "wind" theme_version: "1.5.8" status: "success" ``` ### 請求5：ajax.php #### （1）請求介紹 ​ **a、請求詳情** ```json # Request URL https://api.geetest.com/ajax.php? # Query String Parameters gt: 25ba81caec944f8d74c98befd841a667 challenge: f91e9b5f7cb34fc2fef98a1281c4f9a5 lang: zh-cn pt: 0 client_type: web w: PN3AyfkANbA5SEGeV3zj3wrdYwzvdZZw0hxaGHTXJUKFj7oeqLehkFa0c2Wma0D)DkvqU4xfIcbZGjnFyBK0NQ7VFAKCE(BnrKk5RDHCLXGrU3jkPh1pPGCXxywO2y2gg332yjxU7Wk7ZZzYroMNgrNZdc4ebUioVkgivWUbGFSEOBLPBPtU3Mg56FixAAO8jr1VsKXQsJFbmmMeGZ)QgmtJ9xUOhmFXjBNIbfVlsxvFljpNYaGrYxb7jV8(PhtHROTS37gGcpBoLuCXJo1iSHXEPixniDFZoQYt8r9gxFiK)CTPgwmiqXHeg0mkCQTxUTDr1)fVw9(1DCVTOXgXwCQ3LDIfdmi7bTNOqOf2F)8kXGv8g8cvMcSxkoAK(FWIblKoHjk4BT(thhJG4oyphzxQkRFLjXKE8aEmBI1Wn3legt66SGj3zZJk94OyWrkEWLyK2YnT7SYS1KVjj1Gd81mZlVA5P5sfnhZl72IRuaLGWn4jIFJhcd0dAZs5sTrIXzMpmoInN6TvMHTlux3oHs3c6l8TUPExxMoQ6oMLVAi6IZM0hrUDozyrWRJ8UT6KaeKBIgruAM)YXdQCGM4zDzL0fPwzTJC3cmlBLFmuGE(hAxbBzCuuyD8)7g2no7n0okLw9tpovsBaISZLH8pP4ujt05oz0ekEYnYZloSgQFTs40s(31TB8Pg5IO7Mg83WqgvDhKH1t1nsgqtwEmOuP6ra1yV6UHqqcg1MoPb2Rk5IbXws)utkSbrfLBlEYKVNuCqIuTqr9pvvhnHSeD5Y7pJYLBqS6sWCNQo8H()S8bQ)R2n0j8kAGUnJ27tIHzVKJE3BiO5ZO4WudFKpcqQVffhPpjtzl(f65)nLI5Hd0X7MLpXbUR36DC7FkTHwlVR4jMh3s2MboNIhpxuzzDgNzxwH9gmlgPpL3eU0s2UYGUY5L94DWTNktRlTaVEGNdpDAIoaoVKC6uf2wBJvwZh0TWrhGr2PdHiBpcmJYXlDpH0csf5PTGyBHxcNv0(AiOoKsYc0xcaLUJq)OlFBzErRIbxTnG1bfB4u1KG9vBs)qxGqux7n8DfIQ8tQCswqKk(5Yr7fnGTlO6zGlPmMQdcSfuCasd9T573MrZsIc(sX)VC5wc4Rd2BI31RVbu6P7DhQBnt)1IPPLKOmNo)liGCgG9PaFyAX(TJvyD5DDKDE)0fAbl7DD2i9NBW)Eoq9lVDalE(F8xxnlVxfQCJP)CyJEG8F0SxJo4AG6kQF(JFOEn8zH)UDbeYz1tgOWEcO0hDTdlmOIEVP1Ipmrpa95bQm4lSlbtE(vFjy2NrWt1AN)fyAgIvWaQH9bypqoUinzSxK4DJlaipaMee3Z9odzZw9aB5z9KaEixqDrCsf7H7Nfus. callback: geetest_1605981541804 # Response geetest_1605981541804({"status": "success", "data": {"result": "slide"}}) ``` 問題：w引數如何生成？ #### （2）關鍵步驟 ​ **a、資料收集** 瀏覽器資料：再一次收集“請求4”中的瀏覽器資料。 ​ **b、格式處理** ​ （1）在每個收集的資料中間，通過“!”感嘆號來對資料進行切割。 ​ （2）在每個收集的資料中間，通過“magic”來對資料進行切割。例子：`11078magic data34095magic dataCSS1Compatmagic data168magic data-1magic data-1magic data-1magic` ​ 此處相對於“請求4”有點不一樣，為什麼一份資料要用兩種方式進行切割，請求4與請求5都發送一遍，我也沒想明白。 ​ **c、滑鼠資料收集** ​ 資料格式：`行為 + x座標 + y座標 + 時間戳 + 行為` `var pointArray = [["move",900,400,1552388419164,"pointermove"],["move",904,397,1552388419180,"pointermove"],["move",911,381,1552388419195,"pointermove"],["move",916,379,1552388419210,"pointermove"],["move",923,377,1552388419225,"pointermove"],["move",930,373,1552388419240,"pointermove"],["move",937,369,1552388419256,"pointermove"],["move",942,366,1552388419271,"pointermove"],["move",949,364,1552388419287,"pointermove"],["move",953,362,1552388419302,"pointermove"],["move",957,360,1552388419318,"pointermove"],["move",961,356,1552388419333,"pointermove"],["move",966,352,1552388419349,"pointermove"],["move",973,350,1552388419364,"pointermove"],["move",978,348,1552388419380,"pointermove"],["move",983,345,1552388419396,"pointermove"],["move",990,343,1552388419411,"pointermove"],["move",994,340,1552388419427,"pointermove"],["move",999,336,1552388419442,"pointermove"],["down",1059,411,1552388422125,"pointerdown"],["focus",1552388422126],["up",1059,411,1552388422375,"pointerup"]];` ​ **d、s與c引數加密** ​ s引數與c引數是“請求4返回的”，我的理解是與s引數是“請求4”進行繫結而c引數是圖片順序（從極驗伺服器返回的圖片是被無規則切割後的，我們需要c引數配合演算法還原） ​ **e、上述引數各種加密後進行再一次加密** ​ **f、生成最終w引數** ​ 與“請求4”中的w引數加密方法相同。 ​ w引數：`(gt, challenge, ip, version, c, s, 瀏覽器資訊, 滑鼠軌跡）對稱加密 + 使用非對稱加密對“對稱加密金鑰”進行加密後的加密串` ​ **g、資料結構圖** ​ 此處加密結構實在是太過於冗餘，所以用圖的方式更清晰。 ### 請求6：slide.js #### 請求介紹 “請求5”中Response返回資料`geetest_1605981541804({"status": "success", "data": {"result": "slide"}})`表明，使用滑塊進行加強驗證。後續進行滑塊驗證碼驗證時，會使用該js進行資料收集與加密處理。 #### 請求詳情 ```json # Request URL https://static.geetest.com/static/js/slide.7.7.5.js # Response 返回滑塊驗證相關js程式碼 ``` ### 請求7：get.php #### （1）請求介紹 ​ 獲取驗證碼相關資訊，例如圖片路徑、圖片還原陣列，請求串聯引數challenge、y座標等資料。 #### （2）請求詳情 ```json geetest_1605982735902({ "hide_delay": 800, "static_servers": ["static.geetest.com/", "dn-staticdown.qbox.me/"], "logo": false, "https": true, "width": "100%", "feedback": "", "product": "embed", "so": 0, "ypos": 37, "link": "", "version": "6.0.9", "fullbg": "pictures/gt/7d068eca5/7d068eca5.jpg", "clean": false, "height": 160, "xpos": 0, "theme_version": "1.2.4", "id": "aa812df54ff9aee0ddb35400abe906992", "gt": "25ba81caec944f8d74c98befd841a667", "s": "476e6b52", "api_server": "https://api.geetest.com/", "slice": "pictures/gt/7d068eca5/slice/b5afeb19a.png", "i18n_labels": { "logo": "\u7531\u6781\u9a8c\u63d0\u4f9b\u6280\u672f\u652f\u6301", "cancel": "\u53d6\u6d88", "close": "\u5173\u95ed\u9a8c\u8bc1", "error": "\u8bf7\u91cd\u8bd5", "feedback": "\u5e2e\u52a9\u53cd\u9988", "voice": "\u89c6\u89c9\u969c\u788d", "success": "sec \u79d2\u7684\u901f\u5ea6\u8d85\u8fc7 score% \u7684\u7528\u6237", "tip": "\u8bf7\u5b8c\u6210\u4e0b\u65b9\u9a8c\u8bc1", "read_reversed": false, "refresh": "\u5237\u65b0\u9a8c\u8bc1", "fail": "\u8bf7\u6b63\u786e\u62fc\u5408\u56fe\u50cf", "forbidden": "\u602a\u7269\u5403\u4e86\u62fc\u56fe\uff0c\u8bf7\u91cd\u8bd5", "loading": "\u52a0\u8f7d\u4e2d...", "slide": "\u62d6\u52a8\u6ed1\u5757\u5b8c\u6210\u62fc\u56fe" }, "theme": "ant", "bg": "pictures/gt/7d068eca5/bg/b5afeb19a.jpg", "mobile": true, "challenge": "a812df54ff9aee0ddb35400abe906992lw", "show_delay": 250, "benchmark": false, "type": "multilink", "fullpage": false, "template": "", "c": [12, 58, 98, 36, 43, 95, 62, 15, 12] }) ``` ### 請求8：ajax.php #### （1）請求介紹 該請求就是最重要的一步，驗證碼驗證資料收集，主要收集資料包括滑塊相對偏移位置（x座標）、滑鼠滑動軌跡、c引數、s引數、版本資訊等。 #### （2）請求詳情 ```json # Request URL https://api.geetest.com/ajax.php? # Query String Param gt: 25ba81caec944f8d74c98befd841a667 challenge: a812df54ff9aee0ddb35400abe906992g1 lang: zh-cn pt: 0 client_type: web w: 01xw)7RkAQTxgt5(KAirHJNk(GQHPSqovqV(huofhVj6LOrChUNg6NV)sMQYfBVZFGoug6B7VB0X)0rw3kI3rEXkMGOk1ewLqxZTVSDud7N6ryucakpAMXzhXRimQa4vPmjYz1nus80DQKvG7iq6XPSbdFxARitg0b4TIcRgX(3AOGK)V2cujs6ExkH7puvD9M8887mK6lCSee6FfBXrO2PdgmlamfM8omcLDwkDECw4g9fODBjYzKnSb1qq27JIyEfyBT77A1xmfhBtgJ8vKEIsm5MyR7LZGMIrXYMwd5IL0317NtnpvpeMGXey8DbABEt43y0UQDpIxkkfwbzJs6BGUKI)FGKlmO5ZA4gX5V(t951E76rZVmSAJBuNuv(doL5nYt(LdhoEq2ElpMts02jxmGT9Zkf0(H3McshaIWT5pcyM6ReRXVbOo2WFzxXZz9ITykQjFtoTr(ld4ydqpvejZSxyUZk5FIhKe4PYExT1Lms2sMXZu)gHYGFRmJf8KlYfsArButqV4zkhSajAnvE0cN1dhkB5J36rlwDqT6tG4XqJ9GbY1BcCisT1GKCEy402TCeCHeE)PfDKBeMzJ0ZeWpnVEEYmciKtc9eCfdklIrEUefWMYDdX0IUIDyjQ7rvPghprHhdw(uFp1UPAmTraHyxqVAOcJBd1YFkOLI9xoBdmFP9n0UJVXtuzcCvVNIPPBznXmw6RaEoGg(i1((OkQeu9lp4BqFRQmS76NFd5oJ1LVT5o)((CzOsB03X2L6FIeLVw(v6Y09QAmFRfqw..7bce8d8ab16eaf8c1342a4a7b3e7b0100f58082dd49d8cc5d8ee528f161bb0ba579580015dce1747d454b545158b47f0bf4660f293adf3fc8392a86f498eec6ebb5fb6bc891e696987aef7d9d5282d9dce43729ac87a3515283b833b028bca48a5d5004842cd88bee068f495fbcb02ae4c493bc51dbb67811bb49852f498be64 callback: geetest_1605984542722 # Response geetest_1605984542722({"message": "success", "success": 0}) ``` #### 關鍵步驟 ​ **a、圖片還原** ​ 配合前序請求返回的c陣列和圖片還原演算法對被切割打亂的圖片進行還原。 ​ **b、缺口識別** ​ 計算x座標可以參考我的另一篇文章《第三代驗證碼研究》https://www.cnblogs.com/boycelee/p/11363611.html ​ **c、w引數** ​ `（gt, challenge, x座標, 滑動軌跡, c引數, s引數, 版本）對稱加密 + 使用非對稱加密對“對稱加密金鑰”進行加密後的加密串` ​ 使用對稱加密對引數進行加密，再使用非對稱加密對金鑰進行加密 ​ **d、資料圖** ​ 此處加密結構實在是太過於冗餘，所以用圖的方式更清晰 ## 4、整體流程 # 三、成果展示 一旦驗證碼驗證通過就會返回validate。validate可以理解為通行令牌，該令牌會將環境檢測資料、行為資料以及風險結果等資料進行串聯，一般情況下如果成功獲取到validate引數，就預示著我們破解極驗驗證碼工作取得成功。 # 四、總結 總體來說，極驗驗證碼的整體設計不算複雜，但資料加密實在是太過於冗餘複雜了。 # 五、最後 如果想系統地瞭解第三代驗證碼，可以結合我的另一篇文章《第三代驗證碼研究》https://www.cnblogs.com/boycelee/p/11363611.html。 **本文不提供完整解決方案和完整資料，僅用於理論研究，維護網路安全，人人有