Don’t mess with a certain cloud vendor’s slider CAPTCHA! I accidentally reversed it.

This is the 886th technical article from “Attack Coder”

Author: TheWeiJun

Source: Stories of reverse engineering and web crawlers

This article should take approximately 7 minutes to read.

Hello everyone, my name is TheWeiJun. In the past two months, I have been thinking about how to present more interesting and valuable content to everyone. Today, I finally have a new update! This article will take you to explore the mystery behind a certain cloud slider verification code and let you understand its working principle, application scenarios and related technologies. I hope this article can bring you new insights and inspiration. Thank you all for your support and welcome to read!

Special statement: This public account article is only for academic research and not for other illegal purposes; if there is any infringement, please contact the author to delete it.


Table of contents

1. Introduction

2. Website analysis

3. Parameter analysis

4. Algorithm Restoration

5. Summary of ideas


1. Introduction

Have you ever wondered how the familiar slider CAPTCHA decides that we are humans rather than machines every time we register an account or log in online? Just like in a game, you drag the slider lightly to pass the check. But have you ever thought about the technology behind this seemingly simple slider? In this article we will demystify the slider CAPTCHA, explore how it works, and learn how it tells real people apart. On this journey we will take a peek behind the technology and step into a digital world full of challenges and innovation. Come explore with me!

2. Website analysis

1. Packet capture analysis: open the website analyzed in this article, deliberately trigger the slider CAPTCHA, and do not slide it yet. Then view the request flow as follows:


2. At this point we can see the slider’s HTTP interface as well as the gap image and the background image. We can confirm this from the response body of the HTTP request. The screenshot is shown below:


Summary: From the screenshot above we can see that the values of the bg and front fields correspond to the background image and the gap image respectively. The same response even carries a sliderWidth field that looks like the slide distance. I thought this slider was that simple, but this field is misleading: it has no effect, as the practical analysis below will show.

3. Then we analyze this interface request to see if reverse analysis is needed. The screenshot is as follows:


4. Then drag the CAPTCHA piece directly to the correct position and view the request body and response body. The screenshots are as follows:


Summary: Comparing the request bodies in steps 3 and 4, we can see that the slider interface and the verification interface appear to share the same encryption logic. Next, let’s move on to the parameter reverse analysis step.

3. Parameter analysis

1. After refreshing the slider interface and the verification interface many times, the initial assessment of the five parameters in the screenshot above is as follows:

  • cb: a random value, 11 characters long.

  • i: an encrypted value; what exactly it encrypts is not yet clear.

  • k: an encrypted value; the specific encryption is not yet clear.

  • token: the parameter returned by the previous interface.

  • captchald: a fixed value related to the version; it can be ignored.

Summary: We can ignore the token and captchald parameters, and only need to reverse cb, i and k to complete the restoration of the slider algorithm. Next, let’s start stack analysis and breakpoint debugging.

2. Analyze the CAPTCHA interface directly, view the call stack, and locate the JS encryption code. The screenshot is as follows:


3. After setting the breakpoint, trigger the CAPTCHA interface again and view the XHR request. The screenshot is as follows:


4. At this point the encrypted parameters have already been generated, and we can see that the return value of this.encrypt(e) is the data we want. After tracing back through the stack, we pin down the encryption location as follows:


Summary: A quick confirmation of the encryption methods: the i parameter should be AES in CBC mode, and the k parameter should be RSA. We then confirm that the 11-character cb parameter is also randomly generated, and move on to the algorithm restoration stage. (A screenshot locating the cb parameter is attached.)


4. Algorithm Restoration

1. After locating the encryption code for the i parameter, analyze the JS and translate it into Python as follows:

import base64
from Crypto.Cipher import AES  # pycryptodome

def encrypt_aes_cbc(self, text):
    # A fresh 16-character key and IV are generated on every call;
    # generate_random_string is the helper restored in step 3
    self.key: str = self.generate_random_string(16)
    self.iv: str = self.generate_random_string(16)
    # Create an encryptor using the AES algorithm in CBC mode
    cipher = AES.new(self.key.encode(), AES.MODE_CBC, self.iv.encode())
    # Pad on the encoded bytes, not the str, so non-ASCII input is handled correctly
    data = text.encode()
    # Calculate the number of padding bytes to add (always 1..16)
    padding_length = 16 - (len(data) % 16)
    # Add the padding bytes using PKCS7 padding
    padded_text = data + bytes([padding_length] * padding_length)
    # Encrypt the padded text
    ciphertext = cipher.encrypt(padded_text)
    # Convert the encryption result to a Base64 string
    encrypted_base64 = base64.b64encode(ciphertext).decode('utf-8')
    return encrypted_base64

2. After locating the encryption code for the k parameter, analyze the JS and translate it into Python as follows:

import base64
from Crypto.Cipher import PKCS1_v1_5 as Cipher_pkcs1_v1_5
from Crypto.PublicKey import RSA

def rsa_encrypt(self):
    # The AES key and IV from encrypt_aes_cbc are concatenated and wrapped with RSA;
    # self.rsa_public_key is the PEM public key taken from the site's JS (not reproduced here)
    msg = f"{self.key}{self.iv}"
    pub_obj = Cipher_pkcs1_v1_5.new(RSA.importKey(self.rsa_public_key))
    encrypted = pub_obj.encrypt(msg.encode())
    return base64.b64encode(encrypted).decode()

3. After locating the code that generates the cb parameter, analyze the JS and translate it into Python as follows:

import random
import string

def generate_random_string(self, length):
    # Define a character set containing lowercase English letters and digits
    characters = string.ascii_lowercase + string.digits
    # Randomly select `length` characters from the set and concatenate them
    # (random.choice mirrors the JS; it is not a cryptographically secure generator)
    random_string = ''.join(random.choice(characters) for _ in range(length))
    return random_string
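Two details of the three restored functions deserve a closer look from the receiving side: the key and IV are 16 characters drawn from a 36-symbol alphabet rather than 16 random bytes, and the padding is added by hand with no matching strict unpad. The following is an added, standard-library-only example (not the article’s code and not the site’s JS): it measures the key-space entropy of such an alphabet-derived key, replaces random.choice with a CSPRNG for the same token shape, and implements a PKCS#7 unpad that rejects malformed input instead of trusting the last byte. The function names and the sample plaintext are assumptions for this example.

```python
import math
import secrets
import string

BLOCK_SIZE = 16
# Same 36-character alphabet the article's generate_random_string() draws from
ALPHABET = string.ascii_lowercase + string.digits


def random_token(length: int) -> str:
    """Token of `length` characters from ALPHABET, drawn from the OS CSPRNG.

    Drop-in for a random.choice() loop; random.choice is a Mersenne Twister
    and is not suitable for generating keys or IVs.
    """
    return ''.join(secrets.choice(ALPHABET) for _ in range(length))


def key_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string of `length` symbols.

    A 16-character key from a 36-symbol alphabet has about 82.7 bits,
    well short of the 128 bits AES-128 nominally offers.
    """
    return length * math.log2(alphabet_size)


def pkcs7_pad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """PKCS#7 padding as in the article: always adds 1..block_size bytes."""
    if not 1 <= block_size <= 255:
        raise ValueError("block_size must be in 1..255")
    pad_len = block_size - (len(data) % block_size)
    return data + bytes([pad_len]) * pad_len


def pkcs7_unpad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Strict inverse of pkcs7_pad; rejects anything not well-formed.

    A receiver that trusts data[-1] blindly can return garbage or slice with
    an out-of-range length, so every condition is checked before slicing.
    """
    if not data or len(data) % block_size:
        raise ValueError("length is not a positive multiple of the block size")
    pad_len = data[-1]
    if not 1 <= pad_len <= block_size:
        raise ValueError("padding length out of range")
    if data[-pad_len:] != bytes([pad_len]) * pad_len:
        raise ValueError("padding bytes are inconsistent")
    return data[:-pad_len]


def is_valid_padding(data: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        pkcs7_unpad(data, block_size)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample plaintext of the JSON-like shape the article encrypts
    sample = b'{"cb":"' + random_token(11).encode() + b'"}'
    padded = pkcs7_pad(sample)
    assert pkcs7_unpad(padded) == sample
    print(len(sample), "->", len(padded), "bytes;",
          f"{key_space_bits(len(ALPHABET), 16):.1f} bits of key entropy")
```

The unpad deliberately raises one exception type for every failure so a caller cannot distinguish the reasons; if it is used on the decrypting side, the response to a padding failure should also be indistinguishable from a MAC or parse failure, otherwise the error itself becomes a padding oracle.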

4. At this point we have restored the interface requested in the first step. Send the request and see whether we get a response containing the CAPTCHA. The screenshot is as follows:


5. Next, analyze the verify interface to see how its i and k parameters are generated. The screenshot is as follows:


6. We determine the input of the i parameter as shown above, and then restore the encryption in Python as follows:


7. Among the inputs to the interface above, the most important ones are the distanceX coordinate and the points trajectory data. We continue restoring them in Python as follows:


8. The whole process ends here. After packaging the code, we send 20 requests as usual to see what the pass rate is. The screenshot is as follows:


Summary: The sliding success rate is still quite high, 19/20 = 95%; to pursue a higher pass rate, the image recognition and trajectory simulation could be optimized further.

5. Summary of ideas

Reviewing the entire analysis process, the main points this time are summarized as follows:

  • AES CBC algorithm restoration implementation

  • Slider notch position coordinate positioning

  • Slider array trajectory simulation generation

  • RSA algorithm and public key restoration implementation

This article ends here. Welcome everyone to look out for the next one. See you there!


End
