腾讯六宫格验证码破解

失踪人口回归ing ~~~
仅供研究学习使用。
今天带来的是腾讯六宫格验证码的逆向

目标站 --> 传送门

aid : 2028665724

GET https://t.captcha.qq.com/cap_union_prehandle?aid=2028665724&protocol=https&accver=1&showtype=popup&ua=TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExNi4wLjU4NDUuOTcgU2FmYXJpLzUzNy4zNiBDb3JlLzEuMTE2LjYxNy40MDAgUVFCcm93c2VyLzIwLjEuNzIzMy40MDA%3D&noheader=1&fb=1&aged=0&enableAged=0&enableDarkMode=0&grayscale=1&dyeid=0&clientype=2&cap_cd=&uid=&lang=zh-cn&entry_url=https%3A%2F%2Faccounts.qq.com%2Ffind%2Fpassword&elder_captcha=0&js=&login_appid=&wb=1&version=1.1.0&subsid=7&callback=_aq_734784&sess=s02V95OY9Fugno3s2j_gjQaKrGhBZtW6eCUNQnnl6SZPMGO0NyVUOS28gdGmzqr0cg8VveIM2XFkjH3sqAX9QIhi1OWHRjGYa1p6CS9QnkjiYnGphU8Jco9wXtUV5PkHSG3YbI48mPDPsYwmCyByMqd6g2d9dVLMn2uC2hWDj1TWQ5_cm6OwCgWbMMyOh0SWB6HkrRjLfv6lY7JtTT2erG5xqx7_H4Sw73D9zLpWoPEoOVXtht80UgM6UHadrwqIsA1Eni74swoNpiu0SOcyUZES5G_HrRh7Jh7U_2RmQihkcd-bwCgAbsKBJZcokMfeHqqnK6eO-wxzkYRAvE_wprsoz-qKXcOM0pKK8WpgSDZON1rpDa56C2DnJBnfryhFLv317t2EpP9nqYh8vNLoM2TCG3aJdXgw5NKjaUT5MaRDZbmYqDHktq0TWaHnuJiEZqWM3qAiseEA9EZrG1ha6mRM2QZdKS7txImEG-lCiwDsvOnMNKHyk_y1QOwp2b8-BIpG3IkfK70OSi4Fl2tI0nHg8_Y1gAXqxApU3Kv52TSBJniSuKJiPkOTmhsTV6NZmqnIUOQMKo7KOF1dCgOgCHha2GaKxYOlToIfIAYw3ysHLn870HFVH7WzhBaPDlNkv7QDC3C-bztu6QVriXgB4e6oOVMBbRtuXM HTTP/1.1 Host: t.captcha.qq.com Connection: keep-alive sec-ch-ua: "Not)A;Brand";v="24", "Chromium";v="116" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36 Core/1.116.617.400 QQBrowser/20.1.7233.400 sec-ch-ua-platform: "Windows" Accept: */* Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://accounts.qq.com/ Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9

aid：项目的ID，不同网站的aid不同

ua：浏览器的user-agent,进行了base64编码

uid：登录账号，在有些网站可能这个需要

sess： 这个第一次一般为空，我这里是因为浏览器缓存了上一次的。

其他参数固定就可以。

接下来看看返回参数的解析

{ "state": 1, "ticket": "", "capclass": "1", "subcapclass": "1545", "src_1": "cap_union_new_show", "src_2": "template/new_placeholder.html", "src_3": "template/new_slide_placeholder.html", "sess": "s0z8K_9-v9IOcJdua_l5GVCK9mzmHOvIQj1J9P4CCWiiZw2grpnL_AXxAYFnYtCMaLR2c3uxAnlbZ-ZH7F8U6Wy46y-EzGq9Ii79cvPWDMEd1iJXJyv9gh5JYJ1DWQuYFAjcxMpqIzhhrWeiEv8H8kZaDMF9VE05SGWT6CYUm8yVa17lWlQpJxRlHeiKrlh3iMPDz9ZUFGefq65G6ugJ2rj3n6bL-lOxr8Ee-ImuGGWOP-jFuAD8LoZEEiVZ4yJP83gsuvgBNofBRB25Hd8_bBGGgtxbTKOvthkZkjN0rDsXBdKFxzsWBDspn-y_18-cigyiqDrxBhTaRHNJXJo1uStC3UvjLOWRY05TRQcEGsUklAXHX-M7-1xsouwr6q5yYtTJw8rVVkh-svxX9utVEujMU3gmN4X5qOpKPjSOxa0Q95ab0Huy_ry-ZM5vUVomujsnbvLNRsnSk3S6wp4_IVtdJhbOpFnYsVuKlOhIBLsv_GOiBxRyLn_78WT5AoBcGejSxr_7GCBLIwiL-yt3VMtcwVEGi3jo2Bf2kxWx8z-qbOboH1f3rG0KPMBK-fKx0htZJZkkyw4OakcATMWSzggs_oHtGZGJYB4ZtKtn1o7QPCmDRCORVuom4Ba6FKMie3bTuc0VePB_kg9vPJpgbFQM1VgVfOZI_aBrTO47JRGjl8aMh5JAQ-WgAEso3yAn1Ev3wdq5bOOHPkfuZARTCTpF-7NQxzNP0ooVNsFZ057flehNdjz3rlRHKMUWDZoHn0qFu9KQgzIEqwRLGx4x13e4HeHOQAK5arh8pWgbQwXG6jactvFsnTmDLs1CVSNxPQvree38SDDW8SD1T7jwgCkQex0_LqXfP183simIfeto27HF545smLX-3yMBWjX3EKiJ3WeGfWI7S47P1flyp7w_v1qSAQhSTTXuQBvAMVDUwONV8pdOxhGqlzhwcwsKyC4M-C9PwPLCYtoZsBHPZu3UJc9gytl59wp1LNS7ohYNUN4eTJwIJtD-N0Azeo7BSjNhhVKgq6NWyzqHvHdJ1RK9hAVwBqqey_pNqh2agVFUk5-u7zAWnIpPZuSKCKcJDPnZwBneVD0fcr7fvP-LRNYEr8cBq91Ql6l8ypQUcwx4WoO7hCvN1JWuTQSqRRTDQdRzNr-ZaeKqTW8rv7J_WtpMn5-6zy60aT", "randstr": "", "sid": "7438217566588817408", "log_js": "", "extra": "{\"rainbow\":\"{\\n \\\"samplingRate\\\":0.1,\\n \\\"apiReportThrottle\\\":200,\\n \\\"sourceReportThrottle\\\":300,\\n \\\"loadReportThrottle\\\":1000,\\n \\\"sampleAppidList\\\":[\\\"2053860784\\\",\\\"2091569087\\\"]\\n}\"}", "data": { "comm_captcha_cfg": { "tdc_path": "/tdc.js?app_data=7438217566588817408&t=1972833952&appid=2028665724&js_data=d04lm1bsP46Gc-PfIzeVUSCRLw1MvHyvECihsNvzKAboG5xHwkzCoRO2ZQrUKpqu_Jnq5hMbYYACpbX1d8RpP6HmrFFzbs0yPHc2NoORpjEv01zaIaj0ZBJbTaufIr749fdp-x3LJRGjSKAetvLPGrlIqYAfGgRgEgX&a=b", "feedback_url": "https://h5.dcl.qq.com/pc/aisee/submit?pid=1&appid=a13p1dchvh&data=ZF4tsmSgb5u8O32gfC6R3SbT-t6AHYUUaPlmin4wTg4NxqV0HYzMOGEBKE7WEDMGmzQIcFh83Zqp_bo8Y1qPdiK3ty8R72o4QoW43z3O4orIfPNkHLuG529f-Zmib2RQu1K-WEg25v5O6qvfrX1cfXadNBI_g9eX-Ri8Sc_7WObUpcUuQmd28vHVreKm1TFNLXrcZWRFFSLI5ep6GYRXpoOTarE7VLC46wBCgAcQ0sKFwVzxzjgR9HZIrvYz7mn2l9BPyowgHAgh--DPD_576nhhSjew0Da6mpSQTf7puWEG7wUmu7fDXLwBZJs-4Dk7X_na1JOAVTlRR6y6fM-XfQ==", "pow_cfg": { "prefix": "3ba447bc4e32f276#", "md5": "f5d03598108f2eb79e697151dd50691b" } }, "dyn_show_info": { "lang": "zh-cn", "instruction": "包含文字：\"杨\"", "bg_elem_cfg": { "sprite_pos": [ 0, 0 ], "size_2d": [ 672, 480 ], "click_cfg": { "mark_style": "mask", "data_type": [ "DynAnswerType_UC" ] }, "img_url": "/cap_union_new_getcapbysig?img_index=1&image=02090600009d070f0000000bb5df46d04926&sess=s04HHP4larKanKORB8ZQlAEuzlluO5fflga_T4y_-OBDOMtSjvQ2ybcgW5AV19U13bObbmYlU6u_5Yh9kuFnSAqQnifqKk_iH-eWkckUtMkeUYIanSDsSu-FPpla_E7TECF2kjxuR57MNkpsmHIKAwoy7nf4z9rRmQyYCi-Rn9EGLUYMp4_bu1Is2NWPNVmDXamDE3Znsrv_1yZY3RKkEgMLpOviayjk3XpCA-aJVpvpMixRQ2HmuEWs0MxlhMhTTRxjfFmNao8CWnTwoZenZhXg7lSLYYDmsZlqOwyJu1e944j6f-uklB1M8fWPfpqo2bUhnLB5HZLBkKee8K9eLz78QMGJAJeQ8hAQyU3HPXCqTldt_GKWUljAkujckfFPxXBATrHCf9mEzDJBDmOxoM-PsqgirP68bJKtVGZsBbp9-hkBaFKHE1SRHR9882qW_xMOOUx9v6qmeU_FhqCx5NbC5lzEhOp5yFH7Ix1i4b5Wbda-lYWNo-NYIJ2d9kIQL9_oWXmPqZLEJHXJKEv-3PHdgEicvwySgx1MbnZqTyR0FHRrwf3QEcUWe4MwEKVHIGAjwnvYDY0Xu04t07LKvDn2WICaZUD_ATW9uQ5qTYUVgibbwQXdRhUf93QY4KvcrJreO6yxdj9G4GoS33gAd8dNWBBjFQlrG7JJJjZ5zVyCsWj9MbSfiWKY54YuyIUEllEAD0P9kU7TON9MHzYoG8dDIjylvzvpictRRDfvUpQCgmad_s51ikLyu092BWZ9MNhWZWX27OEkDUxJ3w6bvFEf48KU8sFU2ZXjHwfttqNPW1cAsjgS046QVeuDiIAosWQK4nZ9FRqsFS5wCM-X4w0OOVDGNp3j6548yWdGIptPmIhNX1LeFT7SeFQPUdt8rSE-WfpDoKcC0OiUxGWBh_Jj7ODXZfXNLZ-BZ-8rUsk3F0SrVQUFxg-OZHGbf22H10SvosFcUS4wQeIp_8vhFmCx0b9MehsAzCzf7owSnNn-McDu-mu2yjXNhW9nFKFwPsl1lq11fhmOspZyMvrBPxisnVxf1-Tv868uP7Nn6wOM-K7UfS9898xBLFtjRRCk5N9skM55ozhMgoS2aUuXAxe1EPhlo-GpcaPLm7U5xp06lcLMW5C6PEEhErWZqYZg53wtpWU6FtPps5-kP5Y5L6eXVsfdXOybR3" }, "verify_trigger_cfg": { "verify_icon": true }, "color_scheme": "#1a79ff", "json_payload": "{\"select_region_list\": [{\"id\": 1, \"range\": [0, 34, 220, 254]}, {\"id\": 2, \"range\": [226, 34, 446, 254]}, {\"id\": 3, \"range\": [452, 34, 672, 254]}, {\"id\": 4, \"range\": [0, 260, 220, 480]}, {\"id\": 5, \"range\": [226, 260, 446, 480]}, {\"id\": 6, \"range\": [452, 260, 672, 480]}], \"prompt_id\": 647416, \"picture_ids\": [1, 2, 3, 4, 5, 6], \"lang_headers\": [{\"lang\": \"zh-cn\", \"text\": \"\\u9009\\u62e9$\\u6240\\u6709$\\u7b26\\u5408\\u63cf\\u8ff0\\u7684\\u56fe\\u7247\"}, {\"lang\": \"zh-hk\", \"text\": \"\\u9078\\u64c7$\\u6240\\u6709$\\u7b26\\u5408\\u63cf\\u8ff0\\u7684\\u5716\\u7247\"}, {\"lang\": \"zh-tw\", \"text\": \"\\u9078\\u64c7$\\u6240\\u6709$\\u7b26\\u5408\\u63cf\\u8ff0\\u7684\\u5716\\u7247\"}, {\"lang\": \"en\", \"text\": \"Select all images that match\"}, {\"lang\": \"ar\", \"text\": \"\\u062d\\u062f\\u062f \\u0643\\u0644 \\u0627\\u0644\\u0635\\u0648\\u0631 \\u0627\\u0644\\u0645\\u062a\\u0637\\u0627\\u0628\\u0642\\u0629\"}, {\"lang\": \"my\", \"text\": \"\\u1000\\u102d\\u102f\\u1000\\u103a\\u100a\\u102e\\u101e\\u1031\\u102c \\u1015\\u102f\\u1036\\u1021\\u102c\\u1038\\u101c\\u102f\\u1036\\u1038\\u1000\\u102d\\u102f \\u101b\\u103d\\u1031\\u1038\\u1015\\u102b\"}, {\"lang\": \"fr\", \"text\": \"Toutes images match\"}, {\"lang\": \"de\", \"text\": \"W\\u00e4hlen Sie alle entsprechenden Bilder\"}, {\"lang\": \"id\", \"text\": \"Pilih semua gambar yang cocok\"}, {\"lang\": \"it\", \"text\": \"Seleziona tutte img\"}, {\"lang\": \"ja\", \"text\": \"\\u4e00\\u81f4\\u3059\\u308b\\u753b\\u50cf\\u3092\\u3059\\u3079\\u3066\\u9078\\u629e\"}, {\"lang\": \"ko\", \"text\": \"\\uc77c\\uce58\\ud558\\ub294 \\uc774\\ubbf8\\uc9c0\\ub97c \\ubaa8\\ub450 \\uc120\\ud0dd\\ud558\\uc138\\uc694\"}, {\"lang\": \"lo\", \"text\": \"\\u0ec0\\u0ea5\\u0eb7\\u0ead\\u0e81\\u0e97\\u0eb8\\u0e81\\u0eae\\u0eb9\\u0e9a\\u0e97\\u0eb5\\u0ec8\\u0e81\\u0ebb\\u0e87\\u0e81\\u0eb1\\u0e99\"}, {\"lang\": \"ms\", \"text\": \"Pilih imej yang sepadan\"}, {\"lang\": \"pt\", \"text\": \"Selecione imagens certas\"}, {\"lang\": \"ru\", \"text\": \"\\u0412\\u044b\\u0431\\u0435\\u0440\\u0438\\u0442\\u0435 \\u0432\\u0441\\u0435 \\u043f\\u043e\\u0434\\u0445\\u043e\\u0434\\u044f\\u0449\\u0438\\u0435 \\u0438\\u0437\\u043e\\u0431\\u0440\\u0430\\u0436\\u0435\\u043d\\u0438\\u044f\"}, {\"lang\": \"es\", \"text\": \"Todas im\\u00e1genes aptas\"}, {\"lang\": \"th\", \"text\": \"\\u0e40\\u0e25\\u0e37\\u0e2d\\u0e01\\u0e23\\u0e39\\u0e1b\\u0e20\\u0e32\\u0e1e\\u0e17\\u0e31\\u0e49\\u0e07\\u0e2b\\u0e21\\u0e14\\u0e17\\u0e35\\u0e48\\u0e15\\u0e23\\u0e07\\u0e01\\u0e31\\u0e19\"}, {\"lang\": \"tr\", \"text\": \"E\\u015fle\\u015fen t\\u00fcm resimleri se\\u00e7in\"}, {\"lang\": \"vi\", \"text\": \"Ch\\u1ecdn t\\u1ea5t c\\u1ea3 h\\u00ecnh \\u1ea3nh ph\\u00f9 h\\u1ee3p\"}], \"inner_msg\": \"\"}", "show_type": "click_image_uncheck" } }, "uip": "************" }

uip: 你本机的ip或者代理ip （tx对ip的校验比较严格）

sess、prefix、md5： 在请求最终校验接口时需要用到

tdc_path： js 加密地址

img_url：验证码背景图地址

instruction： 文字描述（对接打码平台需要拼接）

再接下来就是核心的地方了

tdc.js 接口：核心加密逻辑代码

由上一个接口返回的 tdc_path 即 tdc 接口的动态链接地址
代码是动态的且里面有个动态参数需要提取出来

cap_union_new_verify 接口：最终校验

请求载荷

{ "collect": "zmYrBMby6gZ7vW88Ou/5qruWFSo4YcCU3yESaozDaxH2ZWBEBMAOuQQHVkij/V4V5dqiLv4UVgtM1RPTViaZTNOauG1mITDf9lqsNEA2Dz56Fz78pZWN068kDzKh/R+eombDfJPCUvm4/2eADzwS1ErqsGX/xxUE+RoTgG+Z7Wl5c3bttiH36CZzS2fw++9SlRZg/lzZKA1Ggesv8Pu63i1AyEAHVpVBvUawFbMWIoLEuHS8VDTOkE0sYmjga+nOYHTMNYawvoiJ/1IlVdahsXH6QhpAyIx0sb35KTosw3APGBN9y/4RFytGDNh7OT6eBRIsiRZn42CKpaznhMUV+CULSVBLePN6kXPh96HmmWtIhmr3HbWOwDBIJCPiQeq49Is1PNFU7bnj6F5OOx2T4eZi12ksdsDD6ILEkXIgrG8B3xEbDKPleGkSC9iwm93kFVYCxd+Xk88+zmWGvsGCd3hJNzSeNh7XtDCW0yeDWjSOAjZi/Tu2Q32fuw1rWmX/RVkQ/dKqWylcOWJG6OpmfdsVdTRKHVC/N/EpUCmIf4OI1Ei9JIOL9YorYIXc7i5KDEgbqbUZykaqubYKgXpDMwCqEZ+T7EH8NCijWgy6NhU4nYe68Cvu0emWUuNF/qmkXsfhspWrKKgyQMsb17RZSeXaoi7+FFYLTNUT01YmmUzTmrhtZiEw3xL/vjIVpyeEQvSyzmkdXT6zaQBKHYPudY6SN5whARHp3NAP5xhhysUkMSBik6+XPfakkGC0fg0GsC8lDrU/gISB/ud78ZntmMosvaV3f22IFnBzWucZt+l0ChQyuZ54uU8SRVeUwnPgweNQXClkTm/kX4b5Yg+92ijqgvPJx3ZIHfXFTx65NqkbeoGJL3lQBwcjjbnW2HU54lAvyRv3BFTaxC5M4vAHkFpotJMowKcr7BqRPqxCoulseCsNeptkZzkIHVEnMVGtjPgMvzxLFD/YIZelqavhn7KkbaVBw7JJM5cUEbJA+8pJm9W63Fw6DxA/lTK51penB6Ow3/7koXbYIZelqavhnztNaq5CQ9a6QXM+hmWvOR2Z7bonNUYfWZntuic1Rh9Zz6nFWKbDdgRcL/w9o7W6wL198ju5xlkykHHGgGx5tw9ZlZ9K1IRx3WOf74f6314+", "tlg": "1152", "eks": "YpMdeabfJP9oIDHGlRJgN4wFu6N5NqFciAKOKvw+Ta4GLXgij3RcgvtB1WhLfuue+pBwbeEXPlO0utJV/65bNIepXFFK6mVwY6dvYlkQCDLdLLYQyBppkGtW9flHMHIcuCXByDa4U0Jnhl+aubSld67Yh9yib8X5N+Ly2Z7LF9tnVeIZEWtre+yAZvwjZgsHyYnNOPLzOJQ6gKQsa21KH6bQhwExUqJQb4jgutXQBRaLoSZGgJWiGQ==", "sess": "s0r5HE_7x2HXVn5XaHc1tr5L3HM74Y-mCOzAuwv6Zq0P9jgq2ED2bqp3IXMI3FVkSNORSl_-_DZZwDBCO-iyWpja3v2Zfg1vBKmHXirfFabS9xApkfSui5n92f7Jezwaz1bMJERDVaxN9MlxvgtUHJLkUcKk2EB6k3amcmg0XaCTBKkTmF9XUwqFxTMgrX2uWwqm___m8L5mfvY-eu9Grb5iOw2srMuXpqahBmYnjFyjAF2spdKh62eHGojG-XrYp4oN1ws3DYhXYTcoorDQ7i4QarTXnl5T3Fzz4S3MHyo-EfPTR0zxbT41B-cq2ZLCjxMEFH89akQ9DuXQRtMm297qYTDI8sn-ZGnWO95F7U6kOEjypYkPw_-tTpn4lZfmV6qLYUiXg9oUZDcvzJV25R8ravQTbNhdxLv8cG6osX5F1m0tfvzQ3dKDS8PGB_8SYrs51tNzO5kro-HUkED-Sc4FGo2R6j-nGrzjwUcL5_kzXHTUyb7c28jVFErnSTHWmehKJ4S93Bw_FAv7zyIesON3ZwYwdYJcbtNCJfB1YNSNub9IJx-w-fOe-Pkl6IU2KvKPC6jJrcUuFrCnIg-56en8q1Qs3eBS6CHtA47kyFhno*", "ans": "[{\"elem_id\":0,\"type\":\"DynAnswerType_TIME\",\"data\":\"\"}]", "pow_answer": "1686228626712722#118", "pow_calc_time": "3" }

collect：关键加密参数

tlg：collect 长度

eks：tdc.js 中提取

sess：验证码信息接口返回的

ans：前面固定，后面 data 是点选图的序号

pow_answer：#号前部分是验证码信息接口返回的后部分需要过算法计算

pow_calc_time：同样需算法计算和 pow_answer 一块的

function get_collect(pows){return window.calculate_collect(JSON.stringify(riskData),pows)};

响应内容

{"errorCode":"51","randstr":"","ticket":"","errMessage":"","sess":"s02V95OY9Fugno3s2j_gjQaKrGhBZtW6eCUNQnnl6SZPMGO0NyVUOS28gdGmzqr0cg8VveIM2XFkjH3sqAX9QIhi1OWHRjGYa1p6CS9QnkjiYnGphU8Jco9wXtUV5PkHSG3YbI48mPDPsYwmCyByMqd6g2d9dVLMn2uC2hWDj1TWQ5_cm6OwCgWbMMyOh0SWB6HkrRjLfv6lY7JtTT2erG5xqx7_H4Sw73D9zLpWoPEoOVXtht80UgM6UHadrwqIsA1Eni74swoNpiu0SOcyUZES5G_HrRh7Jh7U_2RmQihkcd-bwCgAbsKBJZcokMfeHqqnK6eO-wxzkYRAvE_wprsoz-qKXcOM0pKK8WpgSDZON1rpDa56C2DnJBnfryhFLv317t2EpP9nqYh8vNLoM2TCG3aJdXgw5NKjaUT5MaRDZbmYqDHktq0TWaHnuJiEZqWM3qAiseEA9EZrG1ha6mRM2QZdKS7txImEG-lCiwDsvOnMNKHyk_y1QOwp2b8-BIpG3IkfK70OSi4Fl2tI0nHg8_Y1gAXqxApU3Kv52TSBJniSuKJiPkOTmhsTV6NZmqnIUOQMKo7KOF1dCgOgCHha2GaKxYOlToIfIAYw3ysHLn870HFVH7WzhBaPDlNkv7QDC3C-bztu6QVriXgB4e6oOVMBbRtuXM"}

{"errorCode":"0","randstr":"@FCJ","ticket":"t03SMsKO9iSTCeqmH4xM36tU_W7QE3vyIDG_sp2twkSP2qUcNujOJl0UQcNClf3wsOMTFX9nTLIKmfoFtGgWv1r5URBUPWkasA8kRRCbSgPwNBzbZ-kJ_rNG4fmxr2QUhpZdV7j0k8-iGZ1U2N8QpmJmdpPsZEgD7WmOPS79n7ZM21oLV_j1NLrJrK4ZAefvrRYqsgmeCXIUIrDm8eyBd78IuLsJFHtjv2igMv77YQAjeVeJXACcM2JEmbxJy1tVSIqjzew5mGMvwtcKRxcqnV--TZCKEaK0JxjcV-2116vBdmxnapcWEQkuKqvrQFrp86MOk_bbK1jfbWpYJayQAbM7Urpp7GkIKxonHEB6c7LCLPcfGTO88FyN6JGgG0zGKXK","errMessage":"","sess":""}

errorCode 为 0 则表示校验通过并返回 ticket 票据

errorCode 为 51 则表示点选位置不对

分析完毕~ 进入正题

搜索关键词 collect: 定位到如图位置

下好断点，正确选对图片验证码后跳转至断点位置

可知 collect 是由 o.getTdcData 方法而来

进入 getTdcData 方法去

先执行 a 方法传入一个固定参数

主要执行的是 window.TDC.setData方法

再回过头来

a 方法执行完后接着执行 window.TDC.getData(!0) 方法

返回的结果就是 collect

继续进入 getData 里去

跳转到了 tdc.js 文件中，定位到 function U 里面

开头也说过了这是动态的 js 文件

代码不多才三百来行，jsvmp的混淆

不过咱们是补环境，不用管代码是啥样式的

将代码拿到本地准备开始补环境了

普通的属性就不说了，上代理都能查出来，捡几个重点

window.RTCPeerConnection

RTCPeerConnection 是 WebRTC（Web Real-Time Communications）API 中的核心对象，用于在两个浏览器或设备之间建立点对点（P2P）实时通信通道，支持音频、视频和数据流的直接传输，无需中介服务器参与，从而实现高效、私密的实时通信

这里会校验几个原型链

RTCPeerConnection.prototype.createDataChannel

RTCPeerConnection.prototype.createOffer

RTCPeerConnection.prototype.setLocalDescription

其中后两者需要构建返回一个Promise对象

window.matchMedia

matchMedia 是一个 Web API，用于检测用户的设备是否匹配特定的 CSS 媒体查询条件，并可以监听这些条件的变化

会查询多个条件获取对象属性

document.getElementById

用于根据元素的 id 属性获取对应的 HTML 元素节点

document.createElement

用于动态创建 HTML 元素的方法，它在内存中创建一个新的指定标签名的元素节点，但不会自动添加到文档中，需配合 appendChild() 等方法添加

这块是检测的重点，也是补环境中的难点

不仅仅是能创建标签就完事了，还要补全操作标签的一系列动作

创建标签、插入标签、删除标签、克隆标签、设置属性、删除属性等

除普通标签外还有 canvas 标签也是重点

比如获取 webgl 信息的相关操作

画图获取图片操作

其它也没啥难补的了

可以看到补完最终出值的长度在九百左右，而浏览器上是一千七百左右

明显少不少，这其实主要是因为我们还没有把轨迹加进去

不加也没关系，这个网站的轨迹没有校验，如果有校验的，再加上去就完事~

Ending

附跑通成果图

PS 我这里对接的是三方打码平台（非广子） 目前很多都能对接，tx这个图更新实在太快，也只有三方平台能对接了。

Github传送门

持续更新ing （欢迎各种star与fork）

联系q见个人简介

如有权益问题可以发私信联系我删除