Reverse analysis of slider on a certain game website

Writing is for better thinking

aHR0cHM6Ly93d3cuNTEuY29tLw==
The target URL for this post is the string above; decode it with base64 to obtain it.

The goal of this post is again reversing a login protected by a slider. On the login page, after entering an arbitrary account and password and getting it wrong several times, a sliding-image verification code module appears. The theme of this post is reversing that login flow. For identifying the gap in the image, please refer to my verification code identification column, "OCR verification code identification".

Let's first look at the request that obtains the verification code. After capturing packets over multiple requests, we finally targeted the slidecode interface. Both the interface name and the response parameters were suspicious. After analyzing the request, we found that the parameters the interface appears to require do not actually need to be passed, that is, you can directly send the request to 'https://authcode.51.com/authcode/slidecode'. We replay the request locally and observe the response parameters.

There are three key parts. The first is getting the large verification code image, but the image turns out to be out of order.

Then comes the second key part. On inspection, the image is divided into 80 small pieces, and a list of 80 divs can also be found in the response. Each div contains two px values. In fact, this value represents the x and y of the correct location of the small image. Taking this as a guess, we first split the original image, map the 80 small blocks to the 80 divs, and try placing each small block at the x and y specified in its div. The code is as follows:

import re

import cv2
import numpy as np
import requests
from bs4 import BeautifulSoup

session = requests.Session()
headers = {}  # request headers copied from the browser capture (not shown in the post)

# Request the slider
response = session.get('https://authcode.51.com/authcode/slidecode', headers=headers)
html_code = response.text
png_urls = re.findall(r'url\([\'\"]?(.*\.png)[\'\"]?\)', html_code)

big_img, small_png = png_urls[0], png_urls[1]
print(png_urls)
# Request the large image
big_img_content = session.get("https:" + big_img, headers=headers).content
# Convert the binary data to a NumPy array
array_data = np.frombuffer(big_img_content, dtype=np.uint8)

# Decode the image
image = cv2.imdecode(array_data, cv2.IMREAD_COLOR)

# Collect the pixel offsets of all the small pieces
soup = BeautifulSoup(html_code, 'lxml')
divs = soup.find_all('div', class_='gt_cut_fullbg_slice')

px_pairs = []
for div in divs:
    style = div.get('style')
    px_value = re.search(r'-?\d+px\s+-?\d+px', style).group()
    px_pairs.append(px_value)

pxs = []
for p in px_pairs:
    px = p.replace("-", "").replace("px", "")
    p1, p2 = px.split()
    pxs.append([int(p1), int(p2)])
print(pxs)

# Image size and the size of each piece
image_height, image_width = image.shape[:2]
split_height, split_width = 25, 13

# Number of pieces per row and per column
num_cols = image_width // split_width
num_rows = image_height // split_height

# List that holds each piece together with its target position
images_list = []

# Cut the pieces out of the scrambled image and store them
pxs_index = 0
for row in range(num_rows):
    for col in range(num_cols):
        # Offset of this piece inside the scrambled image, taken from its div
        x, y = pxs[pxs_index]

        # Extract the piece
        small_image = image[y:y+split_height, x:x+split_width]

        # Store the piece with the grid position it belongs at
        images_list.append({
            'image': small_image,
            'position': [col * split_width, row * split_height]
        })
        pxs_index += 1

# Compute the size of the reassembled image
max_x = max(tile['position'][0] + tile['image'].shape[1] for tile in images_list)
max_y = max(tile['position'][1] + tile['image'].shape[0] for tile in images_list)

# Create a blank large image
final_image = np.zeros((max_y, max_x, 3), dtype=np.uint8)

# Place each piece into the large image
for tile in images_list:
    x, y = tile['position']
    h, w = tile['image'].shape[:2]
    final_image[y:y+h, x:x+w] = tile['image']

# Write the final image to disk
cv2.imwrite("1.png", final_image)

After code restoration, the guess is verified to be correct.

The slider request ends here. Next, let's look at the drag verification request. After multiple requests, the final drag verification request was identified. Follow the call stack to see how its parameters are formed.

In fact, the formation of the parameters is very obvious. The timestamp and challenge are obtained from the first interface, that is, the third key part of the verification code request. The token is actually just an MD5 hash, point is the dragged value, callback is a response parameter that can be fixed, and the rest are fixed parameters, so the final sliding verification request is as follows:

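import hashlib


def calculate_md5(text):
    # Helper not shown in the post; assumed to be the hex MD5 of the UTF-8 string
    return hashlib.md5(text.encode('utf-8')).hexdigest()


# times_value and challenge_value are strings taken from the slidecode response
_x = 77  # dragged offset in pixels
params = {
    'callback': 'jQuery111106087267623987562_1703485072488',
    'point': _x,
    'times': times_value,
    'challenge': challenge_value,
    'token': calculate_md5(challenge_value + times_value + str(_x)),
    'from': 'www',
    'divpre': '',
    '_': '1703485072500',
}

response = session.get('https://authcode.51.com/authcode/yz2', params=params, headers=headers)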

Finally got the correct response result
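From the defender's side, the token above is an unkeyed MD5 over values the client already holds, so it proves nothing about who built the request. The sketch below is an added example, not code from the site or from this post: it sets that scheme beside a server-side check that keeps the expected offset on the server, expires and burns each challenge, and issues a keyed ticket. `SliderChallenges`, `check_ticket`, `SERVER_KEY` and the policy constants are hypothetical names and values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # assumption: server-only secret
TTL_SECONDS, TOLERANCE_PX, MAX_ATTEMPTS = 120, 3, 3  # assumed policy values

def weak_token(challenge: str, times: str, point: int) -> str:
    """Scheme from the page: MD5 over values the client already holds."""
    return hashlib.md5(f"{challenge}{times}{point}".encode()).hexdigest()

def _sign(cid: str) -> str:
    return hmac.new(SERVER_KEY, f"pass:{cid}".encode(), hashlib.sha256).hexdigest()

class SliderChallenges:
    """Hardened side: expected offset and attempt count stay on the server."""

    def __init__(self, now=time.time):
        self._now = now
        self._store = {}

    def issue(self, expected_x: int) -> str:
        cid = secrets.token_urlsafe(16)
        self._store[cid] = {"x": expected_x, "exp": self._now() + TTL_SECONDS, "tries": 0}
        return cid

    def verify(self, cid: str, point: int) -> Optional[str]:
        """Return a keyed pass ticket on success, None otherwise."""
        entry = self._store.get(cid)
        if entry is None:
            return None                      # unknown, already used, or burned
        if self._now() > entry["exp"]:
            del self._store[cid]
            return None                      # expired
        entry["tries"] += 1
        ok = abs(point - entry["x"]) <= TOLERANCE_PX
        if ok or entry["tries"] >= MAX_ATTEMPTS:
            del self._store[cid]             # single use; burn after too many guesses
        return _sign(cid) if ok else None

def check_ticket(cid: str, ticket: str) -> bool:
    """Login endpoint: accept only a ticket this server signed for this challenge."""
    return hmac.compare_digest(_sign(cid), ticket)
```

This bounds guessing and replay of a challenge; it does not by itself stop a client that locates the gap from the image, which is why the tile layout should not be recoverable from the response either.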

Origin blog.csdn.net/qq_36551453/article/details/135237831