Table of contents
foreword
The fourth generation of extreme experience seems to be much simpler, without any skills, the environmental party directly won it in 5 minutes.
URL: aHR0cHM6Ly93d3cuZ2VldGVzdC5jb20vYWRhcHRpdmUtY2FwdGNoYS1kZW1v
1. Analysis
Go directly to its official website, slide the slider to open the console, and you
can see that there is a verify request. The request returned by it should be the place to submit the moving distance. Next, look at what data is submitted, and you can see the extreme The old test is still the w parameter. (Other parameters can be obtained in the load request, so I won’t go into details here, readers can go and see for themselves)
Open the launcher, go up to the stack, and this step is almost the same.
This is the w parameter we want
. Looking at the above, the calling method of r is directly given in this way. Now follow up and look at it. This method
can see the two parameters passed in. The first parameter is obviously the information of the moving distance and time. Regardless of it, look at the second parameter, this is an object, and there is no way to copy it directly (I am very lazy, I have to get it down, double-click the second parameter, you can find that in this r method, just one of its values is used)
We can copy this value (that would be very comfortable), and here, the input of parameters is basically clear.
Next, don’t worry, make up the environment, save time, then we will start to observe its js directly, we can find that it is a whole js loaded, and then fiddle with it, that’s not right, just take it all down, a stud it.
After taking it down, Xiaomo changed the code, and we analyzed it directly. Here only one value of t is needed, so just pass that value in as a parameter.
Then export the whole r and you're done.
Next, of course, instead of running it directly locally, throw it into the browser to see if the code can run normally. The value is normal, and then this parameter can be passed in the request (I won’t demonstrate it here, it’s a waste of time).
Then, of course, it is directly thrown into our nodejs to build.
window=global;
document={
};
better_proxy = function (o, callerName){
return new Proxy(o, {
set(target, property, value){
console.table([{
"类型":"set-->","调用者":callerName,"属性":property,"值":value}]);
return Reflect.set(...arguments);
},
get(target, property, receiver){
console.table([{
"类型":"get<--","调用者":callerName,"属性":property,"值":target[property]}]);
return Reflect.get(...arguments);
},
}
);
}
window = better_proxy(window, "window")
document = better_proxy(document, "document")
Here is a simple proxy for you, once you create an object (the method is a bit stupid, but you don’t need to think too much, just fill it up without thinking). .
The following are the two that I added casually. Every time you add an object, remember to add a proxy to it.
window=global;
document={
};
better_proxy = function (o, callerName){
return new Proxy(o, {
set(target, property, value){
console.table([{
"类型":"set-->","调用者":callerName,"属性":property,"值":value}]);
return Reflect.set(...arguments);
},
get(target, property, receiver){
console.table([{
"类型":"get<--","调用者":callerName,"属性":property,"值":target[property]}]);
return Reflect.get(...arguments);
},
}
);
}
window = better_proxy(window, "window")
document = better_proxy(document, "document")
window.location = {
"ancestorOrigins": {
},
"href": "https://www.geetest.com/adaptive-captcha-demo",
"origin": "https://www.geetest.com",
"protocol": "https:",
"host": "www.geetest.com",
"hostname": "www.geetest.com",
"port": "",
"pathname": "/adaptive-captcha-demo",
"search": "",
"hash": ""
};
window.navigator= {
userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36',
appName:'Netscape'
}
document.body = {
}
document.head = {
}
document.documentElement = {
}
window.location = better_proxy(window.location, "window.location")
window.navigator = better_proxy(window.navigator, "window.navigator")
document.body = better_proxy(document.body, "document.body")
document.documentElement = better_proxy(document.documentElement, "document.documentElement")
In fact, all the supplements above are almost done, and the last one is missing (make it up yourself). It seems that it is not very good to give them all.
The result is as follows:
Don’t talk about any confusion, just make it up violently, but, there are so many second parameters, are they all used for encryption?
As a lazy person, I directly put an agent on it, and you can see One pt is used for so many, then just give one pt and you're done.
At this point, this extreme experiment 4 is over.
Two, verification
Then it’s all over, let’s play without verification, go back to the previous load request, and you can see that many parameters are required by the verify request. It also contains the background picture of the verification code and the picture of the verification code gap.
Get postman to convert it to python, and then we can do the next step, the verification code gap recognition.
I used the code from the big guy below.
How to use python to identify the gap in the slider verification code_python
import cv2
def identify_gap(bg,tp,out):
'''
bg: 背景图片
tp: 缺口图片
out:输出图片
'''
# 读取背景图片和缺口图片
bg_img = cv2.imread(bg) # 背景图片
tp_img = cv2.imread(tp) # 缺口图片
# 识别图片边缘
bg_edge = cv2.Canny(bg_img, 100, 200)
tp_edge = cv2.Canny(tp_img, 100, 200)
# 转换图片格式
bg_pic = cv2.cvtColor(bg_edge, cv2.COLOR_GRAY2RGB)
tp_pic = cv2.cvtColor(tp_edge, cv2.COLOR_GRAY2RGB)
# 缺口匹配
res = cv2.matchTemplate(bg_pic, tp_pic, cv2.TM_CCOEFF_NORMED)
min_val, max_val, min_loc, max_loc = cv2.minMaxLoc(res) # 寻找最优匹配
# 绘制方框
th, tw = tp_pic.shape[:2]
tl = max_loc # 左上角点的坐标
br = (tl[0]+tw,tl[1]+th) # 右下角点的坐标
cv2.rectangle(bg_img, tl, br, (0, 0, 255), 2) # 绘制矩形
cv2.imwrite(out, bg_img) # 保存在本地
# 返回缺口的X坐标
return tl[0]
Just pass in two pictures, and the last parameter is the position of the input result picture. (The two pictures are on the return body returned by the load request)
Finally, the distance he needs to move is obtained.
Call js again, just pass in the moving distance (pass to the first parameter)
function init(data_x){
let mydata = '{"setLeft":'+data_x+',"passtime":1915,"userresponse":'+data_x+'.81178591310345,"device_id":"自己搞(网页上都有的)","lot_number":"自己搞(网页上都有的)","pow_msg":"自己搞(网页上都有的)","pow_sign":"自己搞(网页上都有的)","geetest":"captcha","lang":"zh","ep":"123","rigp":"199241198","yeg6":"d6w9","em":{"ph":0,"cp":0,"ek":"11","wd":1,"nt":0,"si":0,"sc":0}}'
mydata_obj={
"pt": "1",
}
mydata_obj = better_proxy(mydata_obj, "mydata_obj")
result = window.code(mydata, mydata_obj)
console.log(result)
}
module.exports = {
init
}
Summarize
It's not difficult, it's getting easier and easier, and beginners can use it as an introductory course