技术教程破解资源

某鹅滑块验证码破解笔记

整理:jimmy2025/1/4浏览2
简介0x00 序言很久之前就听说过VM加密,但一直对VM概念很模糊,于是最近便想去下VM壳相关的技术,但在网上各种帖子学习到的知识有限,不能很好的去了解VM壳的一些原理和机制,于是就在想去找个VM壳进行逆向,看看能不能去学习到些什么东西。本次逆向的是某鹅基于JavaScript语言的一个栈式虚拟机,不得

0x00 序言

很久之前就听说过VM加密,但一直对VM概念很模糊,于是最近便想去下VM壳相关的技术,但在网上各种帖子学习到的知识有限,不能很好的去了解VM壳的一些原理和机制,于是就在想去找个VM壳进行逆向,看看能不能去学习到些什么东西。

本次逆向的是某鹅基于JavaScript语言的一个栈式虚拟机,不得不说刚接触这个代码的时候着实看不懂写的是什么东西,可是随着慢慢的深入,越发觉得这个虚拟机犹如一个艺术品,很是奇妙。

下面就随着我一起一步步,揭开这个虚拟机的神秘面纱吧!

注:若有侵权,请联系我立即删除,本文只作为交流学习用途,一些关键信息已做相关处理。

0x01 准备工作

首先说明下我们的目的,验证码在滑动完成以后会向服务器发送一些数据,这些数据包含了一些必要或者非必要的信息。必要的信息如下:

某鹅滑块验证码破解笔记

image-20210910202439882.png

可以看到字段名是collect,根据字段名可以猜测到这个字段值是一些收集的数据,可能包含一些浏览器环境信息以及我们滑动滑块的轨迹或者是鼠标的移动轨迹这类的信息,另一个必要信息如下:

某鹅滑块验证码破解笔记

image-20210910202905631.png

以上两个加密字段值,是如何生成的,里面包含了一些什么数据,如何去模拟达到破解滑块的目的,便是此文章的目的。

0x02 定位加密点

通过浏览器控制台的搜索,我们试着搜索下这个collect字段:

某鹅滑块验证码破解笔记

image-20210910203451250.png

跟进去,在此处下断点:

某鹅滑块验证码破解笔记

image-20210910203537714.png

再次滑动,果不其然在这个地方断了下来:

某鹅滑块验证码破解笔记

image-20210910203711040.png

简单分析了下e的值,发现和我们提交的参数格式基本一致,所以collect应该就是在这个地方赋值的,接下来就是看看R()函数是怎么生成collect的,跟进R函数如下:

某鹅滑块验证码破解笔记

image-20210910203926637.png

现在跟到了getData这个函数,我们下断点,继续执行代码,让断点触发,然后到控制台打印了下a变量,a看起来像是一个接口,提供了一些函数:

某鹅滑块验证码破解笔记

image-20210910204229899.png

继续往上面找找,看看a是怎么来的,在上面几行找到了a的赋值:

某鹅滑块验证码破解笔记

image-20210910204412760.png

a = window.TDC

看起来是在window对象里面又定义了一个TDC对象,然后将TDC对象赋值给了a,现在让我们看看getData函数的实现,跟进来,就跟到了这个地方:

所以getData函数的实现应如下:

//getData实现function k() {        var B = A.slice(0);        B[0] = [this],        B[1] = [arguments],        B[2] = [k];        for (var M = 0; M < G.length && M < arguments.length; M++)                0 < G[M] && (B[G[M]] = [arguments[M]]);        return __TENCENT_CHAOS_VM(w, C, T, B, H, U, J, Z)}//getData外层匿名函数function() {        for (var w = C[D++], A = [], B = C[D++], M = C[D++], G = [], Q = 0; Q < B; Q++)                A[C[D++]] = E[C[D++]];        for (Q = 0; Q < M; Q++)                G[Q] = C[D++];        E.push(        function k() {                        var B = A.slice(0);                        B[0] = [this],                        B[1] = [arguments],                        B[2] = [k];                        for (var M = 0; M < G.length && M < arguments.length; M++)                                0 < G[M] && (B[G[M]] = [arguments[M]]);                        return __TENCENT_CHAOS_VM(w, C, T, B, H, U, J, Z)                })}//getData函数体里面,A、B、G变量对应的都是外层匿名函数的局部变量,就是当getData函数被push进E的时候的变量值

可能解释的有些不太清楚,我们先来看看下面的代码:

var E = []; //声明了一个空数组E,用来存放函数(function TEST(){ //立即执行函数    var rand = Math.random() //生成随机数    console.log(rand)    E.push(function (){ //将函数存入数组        var test = rand;        console.log(test) //打印上文生成的随机数    })    if(E.length > 1)return;    TEST()})()E[0]() E[1]()

运行结果如下:

0.53717861187188860.64748716256169070.53717861187188860.6474871625616907

从这里可以发现,随机数被保存了下来,所以可以通过这种方式去实现函数部分传参的保存,当函数被调用时,所需要的变量值未被销毁,仍可以进行访问使用,那么问题来了,为什么要通过这种方式进行函数调用呢,直接写一个函数去实现相应的功能不行吗?

这个问题就要随着我一步步分析,你就会明白为什么会这样写。

为了验证getData函数是不是通过上述地方进行调用,我们把代码复制过来,通过nodejs的环境来进行调用,为了模拟真实的浏览器环境,用到一个叫做jsdom的库。

jsdom介绍如下:

jsdom 是许多 Web 标准的纯 JavaScript 实现,特别是 WHATWG DOM和HTML标准,用于 Node.js。一般来说,该项目的目标是模拟足够多的 Web 浏览器子集,以用于测试和抓取真实的 Web 应用程序。

node环境下安装:

npm install jsdom

用法:

const jsdom = require("jsdom");const {JSDOM} = jsdom;const dom = new JSDOM(`<!DOCTYPE html><p>Hello world</p>`);window = dom.window;document = window.document;XMLHttpRequest = window.XMLHttpRequest;

完成环境模拟,我们就可以将代码复制到编辑器里面去,如下图所示:

某鹅滑块验证码破解笔记

image-20210929203518634.png

我们在代码末尾加上:

console.log(window.TDC)

打印结果如下:

{  getInfo: [Function: M],  setData: [Function: M],   clearTc: [Function: M],  getData: [Function: M] //getData函数已经能够进行调用了}

调用getData函数:

console.log(window.TDC.getData())

结果如下:

e43rYszBdPpLFbYEnvf6EH423DMkVfmqhtQV%2BCnQMWEdGBJzm4MFSOGDFX0ykuQGqe4c1cxY5APK40WOd9u7mbdwXIQ1x9OBSgdVHmORAxmVEXILfudlFIYF4KW7ZuOdX9ixo4efmMqIViV1IKT%2B24mEOmUJ2xtr6ULKcsrp0Xg3GQkNZ7iWy2G87RaR5NpSgHnX6q8eD5UIoml8J6bqef1JDKK%2BW4iXKaj3j5PGwLo%2FqrW1 mWy%2BB0MSvS91m%2FYk%2BNtC79fF0pOuSvflUSrAAohWJXUgpP7b%2BTuue9zspkzK8nLSWZGjTc4sycUohsG5owCAZch4y%2FYdttQ4D4nFT4hWJXUgpP7bM3NuzmNY663gs%2FQ7BKUdIk9HX3mnJQOT%2FB2S9xc25mskD87Pieargmi4QVyC1l%2Bnr5VFrxOHLI%2FkcpgPZqPrbVoWKk8cGT03izOvvebVB7xzp4B06AdsZe 7Q%2FnP%2BALoM%2F3Q6Sp0JU7daFipPHBk9N1oWKk8cGT03mCh6%2FirnaBoh%2BZs4V9dDlA%3D%3D

在调用处下断点:

某鹅滑块验证码破解笔记

image-20210929204326642.png

进入调试模式,F7步入:

某鹅滑块验证码破解笔记

image-20210929204442157.png

可以看到函数进入到了前面我们分析的这个地方。接下来先对整个代码的结构进行分析。

0x03 代码结构分析

先把代码全部折叠,主要的函数是TENCENT_CHAOS_STACK函数,又把TENCENT_CHAOS_STACK函数下级进行展开,结构如下:

var __TENCENT_CHAOS_STACK = function() {    function __TENCENT_CHAOS_VM(c, R, H, h, I, C, w, F) {...}        function I(E) {...}    return __TENCENT_CHAOS_VM.v = 0,        __TENCENT_CHAOS_VM(0,                           function(E){...}(["...",[...]]),                           window)        //TENCENT_CHAOS_VM传参分析:(0, 立即函数返回值, window)                   }();

现在我们把这个立即函数单独提取出来运行:

某鹅滑块验证码破解笔记

image-20210929210108491.png

运行结果如下:

某鹅滑块验证码破解笔记

image-20210929210147252.png

其实这个运行结果可以看做是字节码,然后每一个字节码对应一个不同的操作或是数据,函数TENCENT_CHAOS_VM的作用就是解释并且执行字节码,TENCENT_CHAOS_VM函数的第一个传参是0,这个值代表PC寄存器,作用是指向下一个字节码的位置。

代码结构简化如下:

某鹅滑块验证码破解笔记

image-20210929211453882.png

现在我们知道了TENCENT_CHAOS_VM是用来解释并执行字节码的,现在让我们来看看TENCENT_CHAOS_VM的执行过程(其实到这一步各位读者可以自行去调试一下,更容易理解整个执行流程)

0x04 虚拟机执行过程

在函数入口下断点:

某鹅滑块验证码破解笔记

image-20211014213828123.png

进入调试模式,程序在断点处断下来,此时变量表如下:

某鹅滑块验证码破解笔记

image-20211014214141246.png

c是第一个被传入的变量,也就是PC变量,它指向下一个被执行字节码的位置,也就是第二个传入的变量(R,字节码)的第0个元素,即为7,我们将程序继续往下执行,来到这里:

某鹅滑块验证码破解笔记

image-20211014214818737.png

x部分指令如下:

某鹅滑块验证码破解笔记

image-20211014214856357.png

图片里面的"G为此次函数是否完成的标志",这里用"次"的原因是这个VM包含递归调用,也就是在这个函数里面又调用这个函数,我们现在知道这个函数是不停的执行字节码,PC是下一个被执行字节码或是数据的地址,那么就可以通过在不同的地方定义不同的操作,然后通过调用本函数,传入不同的PC,去完成不同的操作(也就是函数调用),通俗来讲就是和程序里面的函数偏移地址是一样的道理,通过偏移地址去找到函数,并执行函数。这个VM的第一个传参就是PC,所以可以通过定义好的函数偏移,去进行函数调用,函数的本质也是一堆指令的集合。

现在PC的值为0,上面说到对应的字节码是7:

某鹅滑块验证码破解笔记

image-20211014215952630.png

所以要执行x数组里面的第七条指令,跟进如下:

某鹅滑块验证码破解笔记

image-20211014220034306.png

h为栈,所有的数据都是通过栈来操作的,也就是把需要用到的数据存到这个栈中,然后需要用的时候取出来或者直接对栈元素进行操作h.length = R[c++]的含义是定义栈的长度,栈的长度为R[1],R(字节码)不但保存了指令,也保存了数据。

然后又回到循环的位置,执行下一个字节码:

某鹅滑块验证码破解笔记

image-20211014220230087.png

可以看到整个字节码的长度有四万多,一条一条的调试就不太现实了,现在就需要要进一步分析。

0x05 collect加密还原

在这些指令集中(x数组),包含了一个相加的指令:

h[h.length - 2] = h[h.length - 2] + h.pop()

一般字符串的拼接,都是直接相加,我们在这条指令后面,加一句console.log(h[h.length - 1]),将栈顶的数据打印出来看一看会不会有什么发现(代码最后记得加上console.log(window.TDC.getData())去调用加密):

某鹅滑块验证码破解笔记

image-20211014221745160.png

输出了很多整数,在继续往下面找,发现一个熟悉的变量:

某鹅滑块验证码破解笔记

image-20211014221847864.png

这个是tea加密的delta常量值乘以十,这个先留意一下,我们打印代码的时候,再加个判断,使控制台只打印字符串:

if(typeof h[h.length - 1] == "string"){        console.log(h[h.length - 1])}

打印的部分结果如下:

{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,""{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other"{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",tel:1634221284{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",tel:1634221284,{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8"[1024[1024,[1024,768[1024,768]{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8",{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8",[1024,768]{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8",[1024,768],{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8",[1024,768],0{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8",[1024,768],0,{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8",[1024,768],0,1{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8",[1024,768],0,1,{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8",[1024,768],0,1,0{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8",[1024,768],0,1,0,{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8",[1024,768],0,1,0,""{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8",[1024,768],0,1,0,"",{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8",[1024,768],0,1,0,"",[]{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8",[1024,768],0,1,0,"",[],{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8",[1024,768],0,1,0,"",[],0{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8",[1024,768],0,1,0,"",[],0,{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8",[1024,768],0,1,0,"",[],0,true

看样子是打印了一些环境参数,cd应该就是collectData的缩写,意为收集到的数据,但是在控制台找不到完整的json数据。

上面发现的delta常量,是tea加密的一个常量,tea加密的核心算法如下:

void EncryptTEA(unsigned int *firstChunk, unsigned int *secondChunk, unsigned int* key){    unsigned int y = *firstChunk;    unsigned int z = *secondChunk;    unsigned int sum = 0;    unsigned int delta = 0x9e3779b9;    for (int i = 0; i < 8; i++)//8轮运算(需要对应下面的解密核心函数的轮数一样)    {        sum += delta;//第一轮加密的时候sum值等于delta常量值        y += ((z << 4) + key[0]) ^ (z + sum) ^ ((z  5) + key[1]);        z += ((y << 4) + key[2]) ^ (y + sum) ^ ((y  5) + key[3]);    }    *firstChunk = y;    *secondChunk = z;}

由于第一轮加密的时候sum值等于delta常量值,我们在加法指令处的代码改为:

h[h.length - 2] = h[h.length - 2] + h.pop()if(typeof h[h.length - 2] == "number" && h[h.length - 2] == 0x9e3779b9){ //当加密结果为delta常量时打印bingo        console.log("bingo")}

并在console.log("bingo")处下断点,然后进行调试:

触发断点:

某鹅滑块验证码破解笔记

image-20211014224250603.png

可以看到h变量(栈)中有很多整数,我们通过javaScript写一个把整数转为字符串的代码:

function longsToStr(l) {    var a = new Array(l.length);    for (var i = 0; i < l.length; i++) {        a[i] = String.fromCharCode(l[i] & 0xFF, l[i] > 8 & 0xFF,            l[i] > 16 & 0xFF, l[i] > 24 & 0xFF);    }    return a.join('');}

某鹅滑块验证码破解笔记

image-20211014225614383.png

将h[3]中的两个整数还原得到一个类似原文的字符串:

longsToStr([741432155]) + longsToStr([842083377])"[[1,1,12"

我们重新修改打印代码:

if(typeof h[h.length - 2] == "number" && h[h.length - 2] == 0x9e3779b9){ //当加密结果为delta常量时打印bingo        console.log(longsToStr([h[3][0][0]]) + longsToStr([h[3][0][1]]))}

打印结果如下:

[[1,1,12]]{"cd":[24,"about:blank?rand=1519713624347","0-0-0-24-*-*-|-*",[],tel:176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,tel:1634223750,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",999760772,1634223750,0,"?rand=1512991986334",0,"","other",1634223750,"UTF-8",[1024,768],0,1,0,"",[],0,true,,[],0,0,["en-US","en"],"98k"],"sd":{"od":"C"}}

看来加密前的明文大致是这样子,现在我们需要进一步确认这个tea加密是否为标准的tea加密,密钥是怎么生成的。

接下来就是一步步动态调试,一步步跟进,还原出加解密如下:

function hex2int(hex) {    var len = hex.length, a = new Array(len), code;    for (var i = 0; i < len; i++) {        code = hex.charCodeAt(i);        if (48<=code && code < 58) {            code -= 48;        } else {            code = (code & 0xdf) - 65 + 10;        }        a[i] = code;    }    return a.reduce(function(acc, c) {        acc = 16 * acc + c;        return acc;    }, 0);}function Base64() {    // private property    this._keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";}function strToLongs(s) {    var l = new Array(Math.ceil(s.length/4));    for (var i=0; i<l.length; i++) {        // note little-endian encoding - endianness is irrelevant as long as        // it is the same in longsToStr()        l[i] = s.charCodeAt(i*4) + (s.charCodeAt(i*4+1)<<8) +            (s.charCodeAt(i*4+2)<<16) + (s.charCodeAt(i*4+3)<<24);    }    return l;  // note running off the end of the string generates nulls since}function longsToStr(l) {  // convert array of longs back to string    var a = new Array(l.length);    for (var i = 0; i < l.length; i++) {        a[i] = String.fromCharCode(l[i] & 0xFF, l[i] > 8 & 0xFF,            l[i] > 16 & 0xFF, l[i] > 24 & 0xFF);    }    return a.join('');  // use Array.join() rather than repeated string appends for efficiency in IE}Base64.prototype.encode = function (input) {    var output = "", chr1, chr2, chr3, enc1, enc2, enc3, enc4, i = 0;    //input = this._utf8_encode(input);    while (i < input.length) {        chr1 = input.charCodeAt(i++);        chr2 = input.charCodeAt(i++);        chr3 = input.charCodeAt(i++);        enc1 = chr1  2;        enc2 = ((chr1 & 3) << 4) | (chr2  4);        enc3 = ((chr2 & 15) << 2) | (chr3  6);        enc4 = chr3 & 63;        if (isNaN(chr2)) {            enc3 = enc4 = 64;        } else if (isNaN(chr3)) {            enc4 = 64;        }        output = output +            this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +            this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);    }    return output;}Base64.prototype.decode = function (input) {    var output = [], chr1, chr2, chr3, enc1, enc2, enc3, enc4, i = 0;    input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");    while (i < input.length) {        enc1 = this._keyStr.indexOf(input.charAt(i++));        enc2 = this._keyStr.indexOf(input.charAt(i++));        enc3 = this._keyStr.indexOf(input.charAt(i++));        enc4 = this._keyStr.indexOf(input.charAt(i++));        chr1 = (enc1 << 2) | (enc2  4);        chr2 = ((enc2 & 15) << 4) | (enc3  2);        chr3 = ((enc3 & 3) << 6) | enc4;        output.push(String.fromCharCode(chr1));        if (enc3 != 64) {            output.push(String.fromCharCode(chr2));        }        if (enc4 != 64) {            output.push(String.fromCharCode(chr3));        }    }    //output = this._utf8_decode(output);    return output.join("");}function EncryptBlock(EncryData, Key){    var x = EncryData[0];    var y = EncryData[1];    var sum = 0;    var delta = 0x9E3779B9;    for (var i = 0; i < 32; i++){        if(((sum & 3) == Key[6]) ){            x += (((y << 4) ^ (y > 5)) + y) ^ (sum + Key[sum & 3] + Key[4]);        }else if((sum & 3) == Key[7]){            x += (((y << 4) ^ (y > 5)) + y) ^ (sum + Key[sum & 3] + Key[5]);        }else{            x += (((y << 4) ^ (y > 5)) + y) ^ (sum + Key[sum & 3]);        }        sum += delta;        if(((sum  11) & 3) == Key[6]){            y += (((x << 4) ^ (x > 5)) + x) ^ (sum + Key[(sum  11) & 3]  + Key[4]);        }else if(((sum  11) & 3) == Key[7]){            y += (((x << 4) ^ (x > 5)) + x) ^ (sum + Key[(sum  11) & 3] + Key[5]);        }else{            y += (((x << 4) ^ (x > 5)) + x) ^ (sum + Key[(sum  11) & 3]);        }    }    return [x, y];}function DecryptBlock(DecryData, Key){    var x = DecryData[0];    var y = DecryData[1];    var sum = 0x9E3779B9 * 32;    var delta = 0x9E3779B9;    for (var i = 0; i < 32; i++){        if(((sum  11) & 3) == Key[6]){            y -= (((x << 4) ^ (x > 5)) + x) ^ (sum + Key[(sum  11) & 3]  + Key[4]);        }else if(((sum  11) & 3) == Key[7]){            y -= (((x << 4) ^ (x > 5)) + x) ^ (sum + Key[(sum  11) & 3] + Key[5]);        }else{            y -= (((x << 4) ^ (x > 5)) + x) ^ (sum + Key[(sum  11) & 3]);        }        sum -= delta;        if(((sum & 3) == Key[6]) ){            x -= (((y << 4) ^ (y > 5)) + y) ^ (sum + Key[sum & 3] + Key[4]);        }else if((sum & 3) == Key[7]){            x -= (((y << 4) ^ (y > 5)) + y) ^ (sum + Key[sum & 3] + Key[5]);        }else{            x -= (((y << 4) ^ (y > 5)) + y) ^ (sum + Key[sum & 3]);        }    }    return [x, y];}var teaDecrypt = function (msg, Key){    var res = new Base64().decode(msg);    var rounds = res.length  3;    var tmp;    var final = "";    for(var i = 0; i < rounds; i++){        tmp = DecryptBlock(strToLongs(res.slice(i*8, i*8 + 8)), Key);        final += longsToStr(tmp);    }    return final;}function teaEncrypt(msg, Key){    var final = "";    var rounds = msg.length  3;    for(var i = 0; i < rounds; i++){        tmp = EncryptBlock(strToLongs(msg.slice(i*8, i*8 + 8)), Key);        final += longsToStr(tmp);    }    return new Base64().encode(final)}

经过还原代码发现tea加密有变,具体的如上面的代码所示,正常的tea加密key为16字节,也就是4个int,但是这个变种tea算法在进行加解密时引入了额外8个字节的“密钥”,两个判断变量,判断是否将额外密钥加入计算。

通过测试发现每次密钥都不同,如何得到原本的16字节key,8个额外的key以及判断变量?在这里我想过一个通过tea加密函数入口地址的偏移去计算密钥的地址或是通过一些固定的特征码计算key的地址,但可惜的是只能拿到基本的16字节的地址,额外密钥以及判断变量则不能拿到,不同的滑块对应的不通源码,里面的字节码都会有变化,因此这种方法便放弃了。

加密在执行的时候,肯定会从栈里面取出这些变量,因此我就想到可以通过找到一个代码执行到某一句的时候,栈里面刚好有我们需要的key,然后我们将这些key进行返回。基于这个想法,我写了一个正则表达式去匹配整个代码,并对代码的加法指令进行修改,让代码字节把key吐出来,脚本如下:

function dec(jsText, cipherTxt){    jsText = jsText.replace(/TypeError\(.*?\)/g,"\"error\"");    var pos = jsText.indexOf("TENCENT_CHAOS_VM");    var PC = (pos += 17,jsText.slice(pos, pos + 1));    var PB = (pos += 2,jsText.slice(pos, pos + 1));    var STACK = (pos += 4,jsText.slice(pos, pos + 1));    var HANDLE = /var [A-Za-z]=\[function/.exec(jsText)[0].slice(4,5);    var COD = /try\{for\(var [A-Za-z]=/.exec(jsText)[0].slice(12,13);    jsText = "var key;var flag=0;" + jsText.replace(COD+"="+HANDLE+"["+PB+"["+PC+"++]]();","{if(flag==1){return key;}"+COD+"="+HANDLE+"["+PB+"["+PC+"++]]();"+"}").replace("R[R.length-2]=R[R.length-2]+R.pop()".replace(/R/g,STACK),'if((R[R.length-2]==0x9E3779B9)||(R[R.length-1]==0x9E3779B9)){for(var i=0;i<R.length;i++){if(Array.isArray(R[i][0])&&R[i][0].length==4&&(typeof R[i][0][0])=="number"&&R[i][0][0]>1000){key=R[i][0];break;}};key.push(PB[PB.indexOf(0x9E3779B9) - 19]);key.push(PB[PB.indexOf(0x9E3779B9) - 53]);key.push(PB[PB.indexOf(0x9E3779B9) - 6]);key.push(PB[PB.indexOf(0x9E3779B9) + 15]);flag=1;return key;}R[R.length-2]=R[R.length-2]+R.pop()'.replace(/R/g,STACK).replace(/PB/g,PB));    var tmpKey = eval(jsText+"window.TDC.getData(!0)")    return teaDecrypt(cipherTxt, tmpKey);//teaDecrypt和上面的代码一致}

将tea算法与这个dec进行整合,我们就能实现对collect的解密了,测试如下:

某鹅滑块验证码破解笔记

image-20211014232739353.png

返回值如下:

{"cd":["https://ui.ptlogin2.qq.com/?rand=tel:1512991986334",0,true,[],0,["zh-CN","zh"],0,1630507225,360,640,"360-640-640-24-*-*-|-*",5,[],0,[],0,[],2,                      [[1,1,12]]              ,159,1630507226,"Win","98k","",0,"","Mozilla/5.0 (Linux;Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Mobile Safari/537.36",0,1084792919,0.746999979019165,[],0,0,"UTF-8",1467230630,1630507225,[],[345,345],0,24,"7688915523684241625","true",2,1023],        "sd":{"od":"C"}}

现在collectData的解密工作已完成,接下来我们需要对解密后的代码进行分析

0x05 collect数据分析以及生成

其中cd是收集到的数据,用一个数组进行保存,而经过多次测试后发现,数组里面的数据顺序是不固定的,也就是一个滑块对应着一种顺序,所以如果我们要通过明文伪造加密数据,还需要知道数据存放的顺序,在庞大的字节码中找到数据存放的数据也是一个很大的工程,但是如果是不伪造数据,通过jsdom的环境生成出来的加密数据又过不去滑块。思前想后,我想到一个办法,那就是通过正则匹配来对代码进行改造,找到不同数据生成的地方,对生成后的数据进行修改(对照正常的数据),所以接下来就是通过不断的调试代码,找到代码是如何生成的,找到生成代码的地方,对代码进行修改。如果修改有效,制定正则匹配方案。如此循环,直到生成出来的数据和浏览器抓包得到的数据差不多,能过滑块的环境识别,那么就成功了。然后将整个过程封装成一个函数,传入js代码,自动修改代码,并且eval运行代码得到collect。

这里我就不分析每个数据的意义了,只是提供大概的思路以及方向。如果要定位到某个代码的生成地方,可以先看到在我们进行数据解密的时候,拿到的一些数据:

{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8",{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8",[1024,768]

比如上面的数据,第一次打印的时候,还没有[1024,768]这个数据,那么我们就可以在这个数据打印之前,也就是打印完这句话以后,进行单步调试:

{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"","other",1634221284,"UTF-8"

通过这种方法,就能跟踪到[1024,768]的来源。当然这只是一种方法,还有别的定位方法,就等着大家去发现了。

调试这里面坑很多,不但要定位生成的地方、制定正则匹配规则,还需要不断去加密提交到滑块服务器去验证生成的数据能不能用,总之就是需要耐心。

破解的核心思路总结起来就是:正则匹配(或是AST)修改特征代码到可运行状态,eval进行调用得到目标值。

0x06 vData参数分析

上次我们讲到了collect的加密方式以及怎么去生成这个参数的思路,现在我们来讲讲另一个加密参数,vData

某鹅滑块验证码破解笔记

image-20211015201512985.png

定位过程就不再赘述了,本小节的目的主要是讨论vData的生成方式。

vData是由vm-slide.js生成的,代码结构和生成collect参数的js代码一致,代码如下:

var __TENCENT_CHAOS_STACK = function() {    function __TENCENT_CHAOS_VM(g, m, U, n, E, F, Y, c) {        var A = !n;        g = +g,        m = m || [0],        n = n || [[this], [{}]],        E = E || {};        var w, C = [], K = null;        function p() {            return function(A, C, K) {                return new (Function.bind.apply(A, C))            }            .apply(null, arguments)        }        Function.prototype.bind || (w = [].slice,        Function.prototype.bind = function(A) {            if ("function" != typeof this)                throw new TypeError("bind101");            var C = w.call(arguments, 1)              , K = C.length              , p = this              , Q = function() {}              , B = function() {                return C.length = K,                C.push.apply(C, arguments),                p.apply(Q.prototype.isPrototypeOf(this) ? this : A, C)            };            return this.prototype && (Q.prototype = this.prototype),            B.prototype = new Q,            B        }        );        var Q = [function() {            n.push(n[m[g++]][0])        }        , function() {            var A, C = [];            for (A in n.pop())                C.push(A);            n.push(C)        }        , function() {            var A = m[g++]              , C = A ? n.slice(-A) : [];            n.length -= A;            A = n.pop();            n.push(A[0][A[1]].apply(A[0], C))        }        , function() {            n.push([n.pop(), n.pop()].reverse())        }        , function() {            n.push("")        }        , function() {            n.pop()        }        , function() {            g = m[g++]        }        , function() {            n[n.length - 2] = n[n.length - 2] ^ n.pop()        }        , function() {            n.push(m[g++])        }        , , function() {            n[n.length - 1] += String.fromCharCode(m[g++])        }        , function() {            n[n.length - 2] = n[n.length - 2] & n.pop()        }        , function() {            n[n.length - 2] = n[n.length - 2] == n.pop()        }        , function() {            n[n.length - 1] = U[n[n.length - 1]]        }        , , function() {            n[n.length - 1].length ? n.push(n[n.length - 1].shift(), !0) : n.push(undefined, !1)        }        , function() {            return !0        }        , function() {            n.push(undefined)        }        , , , function() {            n[n.length - 2] = n[n.length - 2] + n.pop()        }        , function() {            n[n.length - 2] = n[n.length - 2] - n.pop()        }        , , function() {            n.push(!n.pop())        }        , function() {            var A = n[n.length - 2];            A[0][A[1]] = n[n.length - 1]        }        , function() {            var A = m[g++]              , C = A ? n.slice(-A) : [];            n.length -= A,            C.unshift(null);            A = n.pop();            n.push(p(A[0][A[1]], C))        }        , , , function() {            n[n.length - 2] = n[n.length - 2] === n.pop()        }        , , , function() {            n[n.length - 2] = n[n.length - 2] > n.pop()        }        , function() {            n.push([U, n.pop()])        }        , function() {            K = null        }        , , function() {            C.push([m[g++], n.length, m[g++]])        }        , function() {            n[n[n.length - 2][0]][0] = n[n.length - 1]        }        , function() {            n[n.length - 2] = n[n.length - 2] % n.pop()        }        , function() {            n[n.length - 2] = n[n.length - 2] / n.pop()        }        , function() {            n.push(n[n.length - 1])        }        , function() {            n.length = m[g++]        }        , function() {            var A = n.pop()              , C = n.pop();            n.push([C[0][C[1]], A])        }        , function() {            var A = m[g++];            n[A] = n[A] === undefined ? [] : n[A]        }        , , , function() {            n.push(null)        }        , function() {            n[n.length - 2] = n[n.length - 2]  n.pop()        }        , function() {            n.push([m[g++]])        }        , , function() {            C.pop()        }        , function() {            n[n.length - 1] = m[g++]        }        , function() {            n[n.length - 2] = n[n.length - 2] << n.pop()        }        , function() {            n.push(typeof n.pop())        }        , , function() {            var A = n.pop();            n.push(A[0][A[1]])        }        , function() {            var A = m[g++]              , C = A ? n.slice(-A) : [];            n.length -= A,            C.unshift(null),            n.push(p(n.pop(), C))        }        , function() {            n[n.length - 2] = n[n.length - 2] | n.pop()        }        , , function() {            for (var K = m[g++], p = [], A = m[g++], C = m[g++], Q = [], B = 0; B < A; B++)                p[m[g++]] = n[m[g++]];            for (B = 0; B < C; B++)                Q[B] = m[g++];            n.push(function w() {                var A = p.slice(0);                A[0] = [this],                A[1] = [arguments],                A[2] = [w];                for (var C = 0; C < Q.length && C < arguments.length; C++)                    0 < Q[C] && (A[Q[C]] = [arguments[C]]);                return __TENCENT_CHAOS_VM(K, m, U, A, E, F, Y, c)            })        }        , function() {            var A = n.pop();            n.push([n[n.pop()][0], A])        }        , function() {            var A = m[g++];            n[n.length - 1] && (g = A)        }        , function() {            return !!K        }        , function() {            n[n.length - 2] = n[n.length - 2] >= n.pop()        }        , function() {            n.push(n[n.pop()[0]][0])        }        , function() {            var A = m[g++]              , C = n[n.length - 2 - A];            n[n.length - 2 - A] = n.pop(),            n.push(C)        }        , , function() {            var A = m[g++]              , C = A ? n.slice(-A) : [];            n.length -= A,            n.push(n.pop().apply(U, C))        }        , function() {            n[n.length - 2] = n[n.length - 2] * n.pop()        }        , function() {            n[n.length - 2] = n[n.length - 2] > n.pop()        }        ];        for (0; ; )            try {                for (var B = !1; !B; )                    B = Q[m[g++]]();                if (0,                K)                    throw K;                return A ? (n.pop(),                n.slice(3 + __TENCENT_CHAOS_VM.v)) : n.pop()            } catch (I) {                0;                var o = C.pop();                if (o === undefined)                    throw I;                K = I,                g = o[0],                n.length = o[1],                o[2] && (n[o[2]][0] = K)            }    }    function E(A) {        for (var C, K, p = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=".split(""), Q = String(A).replace(/[=]+$/, ""), B = 0, w = 0, g = ""; K = Q.charAt(w++); ~K && (C = B % 4 ? 64 * C + K : K,        B++ % 4) && (g += String.fromCharCode(255 & C  (-2 * B & 6))))            K = function(A, C, K) {                if ("function" == typeof Array.prototype.indexOf)                    return Array.prototype.indexOf.call(A, C, K);                var p;                if (null == A)                    throw new TypeError('"array" is null or not defined');                var Q = Object(A)                  , B = Q.length > 0;                if (0 == B)                    return -1;                if (B <= (K |= 0))                    return -1;                for (p = Math.max(0 <= K ? K : B - Math.abs(K), 0); p < B; p++)                    if (p in Q && Q[p] === C)                        return p;                return -1            }(p, K);        return g    }    return __TENCENT_CHAOS_VM.v = 0,    __TENCENT_CHAOS_VM(0, function(A) {        var C = A[0]          , K = A[1]          , p = []          , Q = E(C)          , B = K.shift()          , w = K.shift()          , g = 0;        function m() {            for (; g === B; )                p.push(w),                g++,                B = K.shift(),                w = K.shift()        }        for (var U = 0; U < Q.length; U++) {            var n = Q.charAt(U).charCodeAt(0);            m(),            p.push(n),            g++        }        return m(),        p    }(["", [5, 1568, 18, 289, 353, 492, 378, 489, 493, 355, 511, 846, 556, 560, 558, 600, 601, 605, 603, 738, 847, 513, 861, 1281, 881, 885, 883, 898, 905, 910, 908, 914, 920, 924, 922, 942, 943, 947, 945, 950, 951, 955, 953, 981, 982, 987, 985, 991, 1170, 1174, 1172, 1193, 1194, 1199, 1197, 1277, 1205, 1211, 1209, 1273, 1230, 1245, 1246, 1232, 1271, 1203, 1275, 1277, 1282, 863, 1299, 1422, 1314, 1318, 1316, 1344, 1345, 1366, 1348, 1357, 1358, 1350, 1364, 1400, 1368, 1394, 1395, 1370, 1423, 1301, 1439, 1530, 1531, 1441, 1595, 2261, 1616, 1620, 1618, 1656, 1657, 1965, 1689, 1771, 1692, 1760, 1730, 1734, 1732, 1743, 1761, 1694, 1769, 1965, 1773, 1957, 1811, 1815, 1813, 1824, 1928, 1941, 1942, 1930, 1958, 1775, 1973, 1977, 1975, 2007, 2008, 2174, 2011, 2166, 2028, 2034, 2032, 2160, 2061, 2143, 2144, 2156, 2158, 2026, 2162, 2164, 2167, 2013, 2262, 1597, 2277, 4211, 2556, 2698, 2613, 2664, 2662, 2697, 2699, 2558, 2711, 3126, 2729, 2780, 2781, 2786, 2784, 2791, 2865, 2869, 2867, 2917, 2918, 2922, 2920, 3011, 3042, 3046, 3044, 3050, 3051, 3055, 3053, 3059, 3060, 3065, 3063, 3070, 3076, 3082, 3080, 3093, 3091, 3074, 3095, 3097, 3105, 3125, 3127, 2713, 3141, 3402, 3154, 3158, 3156, 3192, 3193, 3239, 3237, 3399, 3403, 3143, 3416, 3522, 3449, 3454, 3452, 3515, 3475, 3480, 3478, 3483, 3487, 3492, 3490, 3515, 3523, 3418, 3554, 4194, 3648, 3652, 3650, 3698, 3669, 3687, 3704, 3752, 3725, 3729, 3727, 3752, 3753, 3757, 3755, 3780, 3789, 3794, 3792, 4190, 3811, 3816, 3814, 4176, 3822, 3828, 3826, 4172, 3868, 3872, 3870, 4168, 3876, 3880, 3878, 3883, 3884, 3888, 3886, 3910, 3896, 3910, 3911, 3991, 3921, 3925, 3923, 4168, 3989, 4168, 3995, 4045, 4002, 4006, 4004, 4013, 4014, 4035, 4033, 4038, 4043, 4097, 4059, 4063, 4061, 4070, 4071, 4090, 4088, 4093, 4170, 3820, 4174, 4176, 4188, 3781, 4195, 3556, 4212, 2279, 4229, 4769, 4315, 4516, 4330, 4334, 4332, 4513, 4373, 4467, 4403, 4425, 4423, 4513, 4465, 4513, 4517, 4317, 4542, 4754, 4557, 4561, 4559, 4751, 4606, 4699, 4636, 4657, 4655, 4751, 4697, 4751, 4755, 4544, 4770, 4231, 4787, 9215, 4810, 4922, 4825, 4918, 4851, 4855, 4853, 4921, 4884, 4921, 4916, 4921, 4925, 4812, 4935, 4975, 4949, 4953, 4951, 4974, 4978, 4937, 4990, 4994, 4992, 5030, 5031, 5128, 5034, 5123, 5045, 5049, 5047, 5075, 5076, 5119, 5117, 5122, 5124, 5036, 5586, 6072, 5665, 5669, 5667, 5679, 5680, 5684, 5682, 5706, 5710, 5714, 5712, 5738, 5739, 5743, 5741, 5793, 6073, 5588, 6097, 6233, 6137, 6199, 6197, 6232, 6234, 6099, 6259, 6396, 6276, 6280, 6278, 6283, 6284, 6288, 6286, 6313, 6314, 6319, 6317, 6394, 6325, 6331, 6329, 6386, 6340, 6350, 6344, 6382, 6348, 6382, 6353, 6342, 6384, 6323, 6388, 6390, 6397, 6261, 6428, 6591, 6466, 6553, 6506, 6512, 6510, 6516, 6551, 6589, 6592, 6430, 6627, 6946, 6665, 6670, 6668, 6712, 6947, 6629, 6992, 7354, 7275, 7281, 7279, 7346, 7330, 7335, 7333, 7273, 7344, 7273, 7348, 7350, 7355, 6994, 7410, 8163, 7529, 7539, 7534, 400, 7563, 7594, 7625, 7630, 7628, 7692, 7690, 7602, 7695, 7994, 7728, 7759, 7790, 7795, 7793, 7863, 7861, 7767, 7907, 7911, 7909, 7991, 7995, 7697, 8053, 8086, 8084, 8160, 8164, 7412, 8196, 8344, 8345, 8198, 8380, 8542, 8424, 8428, 8426, 8541, 8543, 8382, 8572, 9151, 8648, 8652, 8650, 8684, 8690, 8695, 8693, 9149, 8806, 8810, 8808, 8865, 8893, 8897, 8895, 9075, 8928, 8953, 8977, 8980, 9014, 9041, 9067, 9070, 9152, 8574, 9216, 4789, 9233, 9529, 9326, 9443, 9335, 9435, 9436, 9337, 9444, 9328, 9530, 9235, 9547, 10824, 9568, 9572, 9570, 9608, 9609, 9706, 9612, 9701, 9623, 9627, 9625, 9653, 9654, 9697, 9695, 9700, 9702, 9614, 9916, 9937, 9975, 10380, 10026, 10031, 10029, 10035, 10059, 10077, 10103, 10107, 10105, 10148, 10171, 10175, 10173, 10197, 10230, 10235, 10233, 10311, 10250, 10254, 10252, 10287, 10309, 10222, 10333, 10337, 10335, 10376, 10381, 9977, 10445, 10812, 10494, 10499, 10497, 10503, 10508, 10526, 10552, 10556, 10554, 10568, 10591, 10595, 10593, 10617, 10703, 10708, 10706, 10743, 10741, 10681, 10765, 10769, 10767, 10808, 10813, 10447, 10825, 9549, 10842, 11264, 10937, 11255, 11056, 11061, 11059, 11251, 11129, 11133, 11131, 11166, 11167, 11172, 11170, 11177, 11229, 11233, 11231, 11240, 11241, 11246, 11244, 11251, 11256, 10939, 11265, 10844, 11280, 12635, 11483, 11590, 11494, 11551, 11498, 11587, 11501, 11511, 11505, 11546, 11509, 11546, 11514, 11503, 11549, 11587, 11554, 11496, 11591, 11485, 11618, 11840, 11641, 11647, 11645, 11650, 11654, 11780, 11658, 11837, 11661, 11671, 11665, 11775, 11669, 11775, 11674, 11663, 11742, 11747, 11745, 11774, 11778, 11837, 11783, 11656, 11841, 11620, 11875, 12109, 11987, 11992, 11990, 12105, 12057, 12061, 12059, 12081, 12103, 11964, 12110, 11877, 12149, 12190, 12191, 12151, 12203, 12406, 12248, 12274, 12272, 12402, 12345, 12366, 12364, 12399, 12407, 12205, 12443, 12622, 12460, 12466, 12464, 12614, 12503, 12507, 12505, 12610, 12612, 12458, 12616, 12618, 12623, 12445, 12636, 11282, 12653, 15200, 12682, 12686, 12684, 12722, 12723, 13031, 12755, 12837, 12758, 12826, 12796, 12800, 12798, 12809, 12827, 12760, 12835, 13031, 12839, 13023, 12877, 12881, 12879, 12890, 12994, 13007, 13008, 12996, 13024, 12841, 13039, 13043, 13041, 13085, 13086, 13312, 13118, 13165, 13121, 13156, 13157, 13123, 13163, 13312, 13167, 13306, 13307, 13169, 13320, 13324, 13322, 13354, 13355, 13616, 13358, 13607, 13373, 13377, 13375, 13403, 13404, 13409, 13407, 13413, 13440, 13445, 13443, 13594, 13451, 13457, 13455, 13590, 13485, 13489, 13487, 13570, 13571, 13575, 13573, 13586, 13588, 13449, 13592, 13594, 13608, 13360, 13785, 13820, 13821, 13787, 13858, 13970, 13895, 13905, 13899, 13967, 13903, 13967, 13908, 13897, 13971, 13860, 13987, 14140, 14117, 14122, 14120, 14136, 14134, 14094, 14141, 13989, 14151, 14556, 14205, 14210, 14208, 14214, 14398, 14403, 14401, 14552, 14438, 14443, 14441, 14516, 14514, 14430, 14550, 14390, 14557, 14153, 14591, 15188, 14600, 14712, 14639, 14644, 14642, 14647, 14713, 14602, 14718, 15123, 14772, 14777, 14775, 14781, 14965, 14970, 14968, 15119, 15005, 15010, 15008, 15083, 15081, 14997, 15117, 14957, 15124, 14720, 15189, 14593, 15201, 12655, 15218, 16835, 15239, 15402, 15285, 84941944608, 15291, 15296, 15294, 15380, 15353, 2654435769, 15378, 15284, 15405, 15241, 15414, 15577, 15455, 84941944608, 15466, 15471, 15469, 15555, 15531, 2654435769, 15553, 15459, 15580, 15416, 15589, 15722, 15623, 15628, 15626, 15694, 15692, 15615, 15711, 15718, 15716, 15721, 15725, 15591, 15733, 15813, 15816, 15735, 15916, 16231, 15997, 16002, 16e3, 16067, 16065, 15989, 16097, 16102, 16100, 16227, 16225, 16074, 16232, 15918, 16265, 16818, 16346, 16351, 16349, 16416, 16414, 16338, 16477, 16573, 16574, 16479, 16613, 16618, 16616, 16743, 16741, 16590, 16819, 16267, 16836, 15220, 16853, 19487, 17082, 17582, 17144, 17149, 17147, 17578, 17369, 17404, 17388, 17392, 17390, 17419, 17402, 17419, 17576, 17121, 17583, 17084, 17606, 18332, 17748, 17753, 17751, 18293, 18165, 18169, 18167, 18223, 18231, 18235, 18233, 18289, 18291, 17725, 18333, 17608, 18370, 18928, 18476, 18481, 18479, 18924, 18522, 18846, 18530, 18534, 18532, 18541, 18538, 2048, 18542, 18725, 18723, 18900, 18844, 18900, 18922, 18453, 18929, 18372, 18964, 19451, 19031, 19036, 19034, 19447, 19075, 19371, 19083, 19087, 19085, 19094, 19095, 19256, 19254, 19443, 19369, 19443, 19445, 19008, 19452, 18966, 19488, 16855, 19505, 20087, 19602, 20073, 19637, 19666, 19664, 20070, 19700, 20059, 19770, 19774, 19772, 19823, 19824, 19828, 19826, 19838, 19871, 19879, 19877, 19883, 19938, 19943, 19941, 20057, 2e4, 20005, 20003, 20034, 20030, 20033, 20055, 19915, 20060, 19702, 20074, 19604, 20088, 19507, 20105, 20823, 20138, 20813, 20351, 20463, 20364, 20374, 20368, 20441, 20372, 20441, 20377, 20366, 20426, 20430, 20428, 20439, 20464, 20353, 20537, 20797, 20550, 20560, 20554, 20775, 20558, 20775, 20563, 20552, 20584, 20588, 20586, 20606, 20607, 20612, 20610, 20774, 20687, 20691, 20689, 20701, 20734, 20742, 20740, 20746, 20798, 20539, 20814, 20140, 20824, 20107, 20841, 20950, 20951, 20843, 20968, 24257, 20999, 21003, 21001, 21039, 21040, 21137, 21043, 21132, 21054, 21058, 21056, 21084, 21085, 21128, 21126, 21131, 21133, 21045, 21253, 21321, 21322, 21255, 21331, 22025, 21854, 21859, 21857, 21939, 21891, 21896, 21894, 21916, 21937, 21831, 22026, 21333, 22036, 22273, 22116, 22121, 22119, 22269, 22152, 22157, 22155, 22246, 22222, 22227, 22225, 22246, 22237, 22240, 22244, 22269, 22267, 22093, 22274, 22038, 22315, 24234, 22398, 22663, 22411, 22441, 22415, 22660, 22439, 22660, 22444, 22413, 22523, 22526, 22593, 22597, 22595, 22615, 22607, 22611, 22621, 22625, 22623, 22628, 22629, 22655, 22653, 22658, 22664, 22400, 22707, 22715, 22713, 22719, 22728, 22972, 22750, 22755, 22753, 22807, 22889, 22894, 22892, 22968, 22966, 22866, 22973, 22730, 22988, 23004, 23025, 23056, 23091, 23111, 23112, 23140, 23138, 23142, 23148, 23156, 23157, 23181, 23179, 23183, 23184, 23208, 23206, 23224, 23263, 23268, 23266, 23331, 23329, 23240, 23365, 23383, 23381, 23391, 23397, 23727, 23575, 23580, 23578, 23662, 23604, 23608, 23606, 23638, 23660, 23567, 23728, 23399, 23896, 23945, 23929, .5, 23932, 23941, 23939, 23944, 23946, 23898, 24018, 24023, 24021, 24086, 24084, 23995, 24235, 22317, 24258, 20970]]), window)}();__TENCENT_CHAOS_STACK.g = function() {    return __TENCENT_CHAOS_STACK.shift()[0]};

在函数调用处下断点:

某鹅滑块验证码破解笔记

image-20211019202756322.png

移动滑块,触发断点,其中K参数(PC,此处为调用函数的地址)和A参数(传入参数)分别为:

某鹅滑块验证码破解笔记

image-20211019203024158.png

目前首要的是考虑怎么去拿到vData的加密方式,我们再将密文进行解密,分析里面的数据,会更直观,这次我们选择和collect一样的处理方式,就是通过修改代码,让他打印日志信息,暂且将这种行为称之为hook。

我们选择对加法指令进行hook,并查看日志,具体操作如下(这里直接通过浏览器开发者工具进行操作,并没有选择node环境模拟,原因是因为此VM代码涉及到网络请求,选择开发者工具直接进行操作会简单很多):

(1)、首先找到加法指令所在的行(可以看到是89行):

某鹅滑块验证码破解笔记

image-20211019203715106.png

(2)在90行(指令执行完成处)行标处右键,选择Add logpoint...

某鹅滑块验证码破解笔记

image-20211019204215073.png

(3)输入n[n.length - 1],然后回车:

某鹅滑块验证码破解笔记

image-20211019204337071.png


hook代码就插入完成了,当运行了加法指令时,就会将栈顶的值打印出来,也就是相加以后的结果。

我们让代码执行,控制台就自动对代码进行了打印,打印的前部分结果如下:

1VM171:1 2VM172:1 3VM173:1 4VM174:1 5VM175:1 6VM176:1 7VM177:1 8VM178:1 9VM179:1 10VM180:1 11VM181:1 12VM182:1 13VM183:1 14VM184:1 15VM185:1 16VM186:1 17VM187:1 18VM188:1 19VM189:1 20VM190:1 21VM191:1 22VM192:1 23VM193:1 24VM194:1 25VM195:1 26VM196:1 27VM197:1 28VM198:1 29VM199:1 30VM200:1 31VM201:1 tlg=(.*)VM202:1 1VM203:1 2VM204:1 3VM205:1 4VM206:1 1VM207:1 2VM208:1 3VM209:1 4VM210:1 5VM211:1 6VM212:1 7VM213:1 8VM214:1 9VM215:1 10VM216:1 11VM217:1 12VM218:1 13VM219:1 sess=(.*)VM220:1 PVM221:1 1VM222:1 PsVM223:1 2VM224:1 PslVM225:1 3VM226:1 PslPVM227:1 4VM228:1 1VM229:1 2VM230:1 3VM231:1 4VM232:1 5VM233:1 6VM234:1 7VM235:1 1VM236:1 8VM237:1 1VM238:1 2VM239:1 9VM240:1 1VM241:1 2VM242:1 3VM243:1 4VM244:1 10VM245:1 11VM246:1 11,VM247:1 11,tdc,slide,vmVM248:1 ss=VM249:1 ss=11%2Ctdc%2Cslide%2CvmVM250:1 1VM251:1 env=VM252:1 env=0VM253:1 2VM254:1 py=VM255:1 py=0VM256:1 3VM257:1 inf=VM258:1 inf=iframeVM259:1 4VM260:1 key=VM261:1 key=PslPVM262:1 5VM263:1 cLod=VM264:1 cLod=loadTDCVM265:1 6VM266:1 tp=VM267:1 tp=5547380864951241219VM268:1 7VM269:1 version=VM270:1 version=2VM271:1 8VM272:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kVM273:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkVM274:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkkVM275:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkkkVM276:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkkkkVM277:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkkkkkVM278:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkkkkkkVM279:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkkkkkkkVM280:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkkkkkkkkVM281:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkkkkkkkkkVM282:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkkkkkkkkkkVM283:1 0VM284:1 1VM285:1 4VM286:1 2VM287:1 8VM288:1 3VM289:1 12VM290:1 42VM291:1 5VM293:1 9VM294:1 6VM295:1 13VM296:1 7VM297:1 1VM298:1 8VM299:1 10VM300:1 9VM301:1 14VM302:1 10VM303:1 2VM304:1 11VM305:1 6VM306:1 12VM307:1 15VM308:1 13VM309:1 3VM310:1 14VM311:1 7VM312:1 15VM313:1 11VM314:1 16VM315:1 s1t2%dCscs=2l1C%2VM316:1 16VM318:1 1VM319:1 20VM320:1 2VM321:1 24VM322:1 3VM323:1 28VM324:1 4VM325:1 21VM326:1 5VM327:1 25VM328:1 6VM329:1 29VM330:1 7VM331:1 17VM332:1 8VM333:1 26VM334:1 9VM335:1 30VM336:1 10VM337:1 18VM338:1 11VM339:1 22VM340:1 12VM341:1 31VM342:1 13VM343:1 19VM344:1 14VM345:1 23VM346:1 15VM347:1 27VM348:1 16VM349:1 s1t2%dCscs=2l1C%i2&=Ce0dn&evp%mv2VM350:1 32VM352:1 1VM353:1 36VM354:1 2VM355:1 40VM356:1 3VM357:1 44VM358:1 4VM359:1 37VM360:1 5VM361:1 41VM362:1 6VM363:1 45VM364:1 7VM365:1 33VM366:1 8VM367:1 42VM368:1 9VM369:1 46VM370:1 10VM371:1 34VM372:1 11VM373:1 38VM374:1 12VM375:1 47VM376:1 13VM377:1 35VM378:1 14VM379:1 39VM380:1 15VM381:1 43VM382:1 16VM383:1 s1t2%dCscs=2l1C%i2&=Ce0dn&evp%mvyiimnfe=r&0fk&=a2VM384:1 48VM386:1 1VM387:1 52VM388:1 2VM389:1 56VM390:1 3VM391:1 60VM392:1 4VM393:1 53VM394:1 5VM395:1 57VM396:1 6VM397:1 61VM398:1 7VM399:1 49VM400:1 8VM401:1 58VM402:1 9VM403:1 62VM404:1 10VM405:1 50VM406:1 11VM407:1 54VM408:1 12VM409:1 63VM410:1 13VM411:1 51VM412:1 14VM413:1 55VM414:1 15VM415:1 59VM416:1 16VM417:1 s1t2%dCscs=2l1C%i2&=Ce0dn&evp%mvyiimnfe=r&0fk&=aesc=lLlyoo=PaP&d2VM418:1 64VM420:1 1VM421:1 68VM422:1 2VM423:1 72VM424:1 3VM425:1 76VM426:1 4VM427:1 69VM428:1 5VM429:1 73VM430:1 6VM431:1 77VM432:1 7VM433:1 65VM434:1 8VM435:1 74VM436:1 9VM437:1 78VM438:1 10VM439:1 66VM440:1 11VM441:1 70VM442:1 12VM443:1 79VM444:1 13VM445:1 67VM446:1 14VM447:1 71VM448:1 15VM449:1 75VM450:1 16VM451:1 s1t2%dCscs=2l1C%i2&=Ce0dn&evp%mvyiimnfe=r&0fk&=aesc=lLlyoo=PaP&dd&53t58T40Dp8C=72VM452:1 80VM454:1 1VM455:1 84VM456:1 2VM457:1 88VM458:1 3VM459:1 92VM460:1 4VM461:1 85VM462:1 5VM463:1 89VM464:1 6VM465:1 93VM466:1 7VM467:1 81VM468:1 8VM469:1 90VM470:1 9VM471:1 94VM472:1 10VM473:1 82VM474:1 11VM475:1 86VM476:1 12VM477:1 95VM478:1 13VM479:1 83VM480:1 14VM481:1 87VM482:1 15VM483:1 91VM484:1 16VM485:1 s1t2%dCscs=2l1C%i2&=Ce0dn&evp%mvyiimnfe=r&0fk&=aesc=lLlyoo=PaP&dd&53t58T40Dp8C=7642v81e49r94s51&2VM486:1 96VM488:1 1VM489:1 100VM490:1 2VM491:1 104VM492:1 3VM493:1 108VM494:1 4VM495:1 101VM496:1 5VM497:1 105VM498:1 6VM499:1 109VM500:1 7VM501:1 97VM502:1 8VM503:1 106VM504:1 9VM505:1 110VM506:1 10VM507:1 98VM508:1 11VM509:1 102VM510:1 12VM511:1 111VM512:1 13VM513:1 99VM514:1 14VM515:1 103VM516:1 15VM517:1 107VM518:1 16VM519:1 s1t2%dCscs=2l1C%i2&=Ce0dn&evp%mvyiimnfe=r&0fk&=aesc=lLlyoo=PaP&dd&53t58T40Dp8C=7642v81e49r94s51&i2kkkkkokknkk=kkVM520:1 112VM521:1 1VM522:1 1VM523:1 2VM524:1 3VM525:1 4VM526:1 1VM527:1 2VM528:1 1VM529:1 2VM530:1 3VM531:1 4VM532:1 2VM533:1 3VM534:1 1VM535:1 2VM536:1 3VM537:1 4VM538:1 3VM539:1 4VM540:1 1VM541:1 2VM542:1 3VM543:1 42VM544:1 4VM546:1 1VM547:1 2VM548:1 3VM549:1 4VM550:1 4VM551:1 8VM552:1 1VM553:1 2VM554:1 3VM555:1 4VM556:1 2867838358VM557:1 845493299VM558:1 -889275624VM559:1 -2336555152VM560:1 2654435769VM561:1 4338529007VM562:1 3915755972VM563:1 2054546322VM564:1 3466441244VM565:1 -2149118810VM566:1 -2190016853VM567:1 5308871538

可以看到里面有一些有用的信息,如下:

VM201:1 tlg=(.*) //正则表达式,取出tlgVM219:1 sess=(.*) //正则表达式,取出tlgVM282:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkkkkkkkkkk //很可能是加密之前的明文,而多出来的k也应该是补齐方式VM519:1 s1t2%dCscs=2l1C%i2&=Ce0dn&evp%mvyiimnfe=r&0fk&=aesc=lLlyoo=PaP&dd&53t58T40Dp8C=7642v81e49r94s51&i2kkkkkokknkk=kk //被乱序的字符串VM560:1 2654435769 //熟悉的delta常量

既然找到了delta常量,那么我们只需要添加一个条件断点,当栈顶值为delta常量时断点断下来,操作和日志断点类似,右键的时候选择Add conditional breakpoint...

某鹅滑块验证码破解笔记

image-20211019211318256.png

添加条件n[n.length - 1]==2654435769

某鹅滑块验证码破解笔记

image-20211019211419211.png

然后滑动滑块,断点断下来,此时PC(对应__TENCENT_CHAOS_VM函数第一个传参,我这里变量名是g)的值是15355:

某鹅滑块验证码破解笔记

image-20211019211706995.png

现在我们将此时代码的PC值拿到了,现在我们要考虑如何将密钥取出来,在什么地方可以取得密钥。由于这个地方的tea加密我们不确定是不是被魔改过的,所以也只能老老实实的调试,将每一步进行的操作记录下来,还原成JavaScript代码,调试也没有什么特别的技巧,最重要的还是耐心,核心代码还原如下(固定密钥):

function EncryptBlock(EncryData){    var Key = [845493299, 812005475, 825582135, 1684093238];    var x = EncryData[0];    var y = EncryData[1];    var sum = 0;    var delta = 0x9E3779B9;    for (var i = 0; i < 32; i++){        x += (((y << 4) ^ (y > 5)) + y) ^ (sum + Key[sum & 3]);        sum += delta;        y += (((x << 4) ^ (x > 5)) + x) ^ (sum + Key[(sum  11) & 3]);    }    return [x, y];}

根据加密代码,反推得到解密代码:

function DecryptBlock(DecryData){    var Key = [845493299, 812005475, 825582135, 1684093238];    var x = DecryData[0];    var y = DecryData[1];    var sum = 0x9E3779B9 * 32;    var delta = 0x9E3779B9;    for (var i = 0; i < 32; i++){        y -= (((x << 4) ^ (x > 5)) + x) ^ (sum + Key[(sum  11) & 3]);        sum -= delta;        x -= (((y << 4) ^ (y > 5)) + y) ^ (sum + Key[sum & 3]);    }    return [x, y];}

将两段代码替换collect的加解密函数即可对密文进行解密.

现在我们来解决被乱序的字符串的算法:

字符串乱序一般都会有一个映射表,可参考以下代码:

var msg = "0123"var map = [3,2,1,0]var res = ""var mlength = msg.lengthfor(var i = 0; i < mlength; i++){        res += msg.charAt(keyMap[i])}//执行结果为"3210"

我们对charAt函数进行hook,代码如下(直接复制后放在控制台回车即可):

var hookCharAt = String.prototype.charAt;String.prototype.charAt = function (index) {    var res = hookCharAt.call(this, index)    console.log(this, index)    return res}

hook日志如下:

String {"s07MEo6T3CWctUHFfxqCxvdirgIfUxLEAMZ-WzFaOH4dcvrWUM…q_k1pclUMwrBvVe5HK4zeAhCIsxn8WHMOc4VKWJwJ4X-U-Q**"} 1VM22081:4 String {"s07MEo6T3CWctUHFfxqCxvdirgIfUxLEAMZ-WzFaOH4dcvrWUM…q_k1pclUMwrBvVe5HK4zeAhCIsxn8WHMOc4VKWJwJ4X-U-Q**"} 7VM22081:4 String {"s07MEo6T3CWctUHFfxqCxvdirgIfUxLEAMZ-WzFaOH4dcvrWUM…q_k1pclUMwrBvVe5HK4zeAhCIsxn8WHMOc4VKWJwJ4X-U-Q**"} 8VM22081:4 String {"s07MEo6T3CWctUHFfxqCxvdirgIfUxLEAMZ-WzFaOH4dcvrWUM…q_k1pclUMwrBvVe5HK4zeAhCIsxn8WHMOc4VKWJwJ4X-U-Q**"} 4VM22081:4 String {"0abcdefghijklmnop"} 11//乱序从这里开始VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 0VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 4VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 8VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 12VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 5VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 9VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 13VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 1VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 10VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 14VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 2VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 6VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 15VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 3VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 7VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 11VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 16VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 20VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 24VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 28VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 21VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 25VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 29VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 17VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 26VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 30VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 18VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 22VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 31VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 19VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 23VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 27VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 32VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 36VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 40VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 44VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 37VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 41VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 45VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 33VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 42VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 46VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 34VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 38VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 47VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 35VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 39VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 43VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 48VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 52VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 56VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 60VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 53VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 57VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 61VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 49VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 58VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 62VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 50VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 54VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 63VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 51VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 55VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 59VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 64VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 68VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 72VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 76VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 69VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 73VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 77VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 65VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 74VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 78VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 66VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 70VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 79VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 67VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 71VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 75VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 80VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 84VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 88VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 92VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 85VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 89VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 93VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 81VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 90VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 94VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 82VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 86VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 95VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 83VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 87VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 91VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 96VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 100VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 104VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 108VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 101VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 105VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 109VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 97VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 106VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 110VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 98VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 102VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 111VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 99VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 103VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 107VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 17VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 46VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 6VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 39VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 16VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 45VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 41VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 13VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 60VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 38VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 15VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 17VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 47VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 62VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 5VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 54VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 13VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 18VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 0VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 40VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 19VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 3VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 4VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 4VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 37VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 15VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 25VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 16VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 34VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 1VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 50VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 0VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 37VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 14VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 34VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 8VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 38VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 39VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 40VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 63VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 35VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 1VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 61VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 28VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 7VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 8VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 1VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 37VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 52VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 24VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 44VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 60VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 24VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 52VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 9VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 11VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 10VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 57VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 57VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 37VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 51VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 34VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 20VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 7VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 1VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 49VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 30VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 41VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 0VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 40VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 32VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 41VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 59VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 28VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 38VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 6VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 23VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 57VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 2VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 24VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 22VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 9VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 6VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 28VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 57VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 11VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 15VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 46VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 37VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 19VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 36VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 41VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 55VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 58VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 16VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 55VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 2VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 22VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 13VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 33VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 7VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 30VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 38VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 11VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 3VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 60VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 43VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 8VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 30VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 39VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 26VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 30VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 21VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 10VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 12VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 14VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 35VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 21VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 1VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 57VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 59VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 3VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 19VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 25VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 2VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 28VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 62VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 0VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 32VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 7VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 1VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 15VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 45VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 17VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 37VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 57VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 19VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 29VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 6VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 46VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 10VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 14VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 30VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 9VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 58VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 16VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 48VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 46VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 37VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 32VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 64VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 64

可以看到,index被打印了出来,其中String {"0abcdefghijklmnop"} 11这个charAt的结果刚好是字母k,对应明文的padding,明文py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0的长度为101,补齐了11个字符,补齐的码表为0abcdefghijklmnop,补齐后长度为16的倍数,所以应该是以16个字符为一轮进行乱序,所以我们只需要得到前16位的index,就能还原乱序,正序算法,算法还原如下:

function seqEncode(msg){    var tmp = msg.length % 16;    var ch = "0abcdefghijklmnop".charAt(tmp)    while(tmp&&(16 - tmp)){        msg += ch;        tmp++;    }    var keyMap = [0, 4, 8, 12, 5, 9, 13, 1, 10, 14, 2, 6, 15, 3, 7, 11];    tmp = msg.length  4;    var res = "";    for(var i = 0; i < tmp; i++){        var cut = msg.slice(i*16,i*16+16);        console.log(cut)        for(var j = 0; j < 16; j++){            console.log()            res += cut.charAt(keyMap[j])        }    }    return res;}function seqDecode(msg){    var keyMap = [0, 7, 10, 13, 1, 4, 11, 14, 2, 5, 8, 15, 3, 6, 9, 12];    var tmp = msg.length  4;    var res = "";    for(var i = 0; i < tmp; i++){        var cut = msg.slice(i*16,i*16+16);        for(var j = 0; j < 16; j++){            res += cut.charAt(keyMap[j])        }    }    return res;}

接下来先看到最后一段:

VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 48

其中GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY为base64码表,将这个base64码表对标准的base64编码码表进行替换,然后将密文解码,再解密,再正序,发现可以还原到最初的明文,加密部分就完成了。

现在进行明文参数分析,完整的明文如下:

py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2Cvm&key=0T3E&tp=7250156632690052586&version=2&env=0kkkkkkkkkkk

现在应该就只剩下最后的key字段,key=0T3E

通过上面的hook日志可以发现,前几行:

String {"s07MEo6T3CWctUHFfxqCxvdirgIfUxLEAMZ-WzFaOH4dcvrWUM…q_k1pclUMwrBvVe5HK4zeAhCIsxn8WHMOc4VKWJwJ4X-U-Q**"} 1VM22081:4 String {"s07MEo6T3CWctUHFfxqCxvdirgIfUxLEAMZ-WzFaOH4dcvrWUM…q_k1pclUMwrBvVe5HK4zeAhCIsxn8WHMOc4VKWJwJ4X-U-Q**"} 7VM22081:4 String {"s07MEo6T3CWctUHFfxqCxvdirgIfUxLEAMZ-WzFaOH4dcvrWUM…q_k1pclUMwrBvVe5HK4zeAhCIsxn8WHMOc4VKWJwJ4X-U-Q**"} 8VM22081:4 String {"s07MEo6T3CWctUHFfxqCxvdirgIfUxLEAMZ-WzFaOH4dcvrWUM…q_k1pclUMwrBvVe5HK4zeAhCIsxn8WHMOc4VKWJwJ4X-U-Q**"} 4

1784实际上对应提交参数里面的tlg,这个参数为collect的长度,s07MEo6T3CWctUHFfxqCxvdirgIfUxLEAMZ-WzFaOH4dcvrWUM…q_k1pclUMwrBvVe5HK4zeAhCIsxn8WHMOc4VKWJwJ4X-U-Q**正好是服务器返回参数sess,所以key的算法还原如下:

function getKey(sess,tlg){    tlg = tlg + "";    var length = tlg.length;    var res = "";    for(var i = 0; i < length; i++){        res += sess.charAt(tlg.slice(i,i+1))    }    return res;}

0x07 结束语

至此,两个核心参数的加密就还原完成了,剩下的就是模拟参数生成,就能实现对验证码进行破解。其中这个滑块并没有对滑动数据以及鼠标移动数据进行相关校验,所以为空值也能过去,重点是collect里面的环境参数的校验以及还原。从刚开始接触这个vm到滑块的自动破解大概一共用了四五天左右,对jsvmp的了解又更深了一些,特别是执行流程和一些核心的设计思想。打算在近期内看看能不能研发一款js代码的虚拟化工具出来,如果有什么成果,会再次与大家分享!

上一篇:万能变声器9.7.8.8的破解思路、补丁和源码

下一篇:WindowTabs2022.2.26汉化