极验滑块验证码破解最新版

一、简述：

最近无聊想搞一下极验的滑块验证码破解这块，发现破解js代码耗时又耗力出现版本更新可能以前的所有努力都要推翻重做，不够通用性，最后还是选用selenium + PIL 来实现滑块验证码的破解。期间也翻阅过很多文章,大多都已经失效，并且缺口位置查找和模拟滑动轨迹成功率很低，很难应用到实际开发项目中，本次是针对最新版本的极验滑块验证码进行破解。

二、项目环境

大致需要用到以下模块各位看观请提前准备好:

python3.6、selenium、numpy、PIL、chromedriver

三、分析步骤以及代码编写

首先分析目标网站（本次主要以geetest官网滑块demo为参考）

网站大致长这个样子，首先f12打开 开发者工具选择Elements查看节点，发现最新版本的滑块图片是使用画布来进行呈现的，期间查阅大量文档，使用如下代码获得画布中的图片数据，获取到的图片是base64进行编码的

document.getElementsByClassName("geetest_canvas_bg geetest_absolute")[0].toDataURL("image/png")

2.通过分析发现这两个画布放的是所需要的背景图和缺口图（其实一眼就看出来的）

3。接下来就是代码的编写了

3.1 首先是获得背景图和缺口图的数据

def get_images(self):"""获取验证码图片:return: 图片的location信息"""time.sleep(1)self.browser.web_driver_wait_ruishu(10, "class", 'geetest_canvas_slice')fullgb = self.browser.execute_js('document.getElementsByClassName("geetest_canvas_bg geetest_''absolute")[0].toDataURL("image/png")')["value"]bg = self.browser.execute_js('document.getElementsByClassName("geetest_canvas_fullbg geetest_fade'' geetest_absolute")[0].toDataURL("image/png")')["value"]return bg, fullgb

3.2 对数据进行解码操作并保存图片

def get_decode_image(self, filename, location_list):"""解码base64数据"""_, img = location_list.split(",")img = base64.decodebytes(img.encode())new_im: image.Image = image.open(BytesIO(img))return new_im

3.3 接下来就是计算缺口位置了(这里使用的PIL中计算两张图片的差值获得缺口位置)

def compute_gap(self, img1, img2):"""计算缺口偏移 这种方式成功率很高"""# 将图片修改为RGB模式img1 = img1.convert("RGB")img2 = img2.convert("RGB")# 计算差值diff = ImageChops.difference(img1, img2)# 灰度图diff = diff.convert("L")# 二值化diff = diff.point(self.table, '1')left = 43# 这里做了优化为减少误差 纵坐标的像素点大于5时才认为是找到# 防止缺口有凸起时有误差for w in range(left, diff.size[0]):lis = []for h in range(diff.size[1]):if diff.load()[w, h] == 1:lis.append(w)if len(lis) > 5:return w

3.4 当滑块的缺口位置找到以后就需要生成滑动轨迹(其中加20是保证在滑动时先超过缺口位置然后在慢慢还原到正确位置)

def ease_out_quart(self, x):return 1 - pow(1 - x, 4)def get_tracks_2(self, distance, seconds, ease_func):"""根据轨迹离散分布生成的数学 生成 # 参考文档 /p/3f968958af5a成功率很高 90% 往上:param distance: 缺口位置:param seconds: 时间:param ease_func: 生成函数:return: 轨迹数组"""distance += 20tracks = [0]offsets = [0]for t in np.arange(0.0, seconds, 0.1):ease = ease_funcoffset = round(ease(t / seconds) * distance)tracks.append(offset - offsets[-1])offsets.append(offset)tracks.extend([-3, -2, -3, -2, -2, -2, -2, -1, -0, -1, -1, -1])return tracks

3.5 最后也就是滑动滑块到缺口位置

def move_to_gap(self, track):"""移动滑块到缺口处"""slider = self.wait.until(EC.presence_of_element_located((By.CLASS_NAME, 'geetest_slider_button')))ActionChains(self.browser).click_and_hold(slider).perform()while track:x = track.pop(0)ActionChains(self.browser).move_by_offset(xoffset=x, yoffset=0).perform()time.sleep(0.02)ActionChains(self.browser).release().perform()

贴出完整代码

(注意selenium有些方法会被极验检测到所以使用js命令直接运行的方式来达到效果)

crack.py

# -*-coding:utf-8 -*-import base64import timeimport functoolsimport numpy as npfrom tools.selenium_spider import SeleniumSpiderfrom selenium.webdriver import ActionChainsfrom selenium.webdriver.support import expected_conditions as ECfrom selenium.webdriver.support.ui import WebDriverWaitfrom mon.by import Byimport PIL.Image as imagefrom PIL import ImageChops, PngImagePluginfrom io import BytesIOclass Crack(object):"""解决三代极验滑块验证码"""def __init__(self):self.url = ''self.browser = SeleniumSpider(path="/personalwork/personal_tools_project/adbtools/chromedriver", max_window=True)self.wait = WebDriverWait(self.browser, 100)self.BORDER = 8self.table = []for i in range(256):if i < 50:self.table.append(0)else:self.table.append(1)def open(self):"""打开浏览器,并输入查询内容"""self.browser.get(self.url)self.browser.get(self.url + "/Sensebot/")self.browser.web_driver_wait_ruishu(10, "class", 'experience--area')time.sleep(1)self.browser.execute_js('document.getElementsByClassName("experience--area")[0].getElementsByTagName("div")''[2].getElementsByTagName("ul")[0].getElementsByTagName("li")[1].click()')time.sleep(1)self.browser.web_driver_wait_ruishu(10, "class", 'geetest_radar_tip')self.browser.execute_js('document.getElementsByClassName("geetest_radar_tip")[0].click()')def check_status(self):"""检测是否需要滑块验证码:return:"""self.browser.web_driver_wait_ruishu(10, "class", 'geetest_success_radar_tip_content')try:time.sleep(0.5)message = self.browser.find_element_by_class_name("geetest_success_radar_tip_content").textif message == "验证成功":return Falseelse:return Trueexcept Exception as e:return Truedef get_images(self):"""获取验证码图片:return: 图片的location信息"""time.sleep(1)self.browser.web_driver_wait_ruishu(10, "class", 'geetest_canvas_slice')fullgb = self.browser.execute_js('document.getElementsByClassName("geetest_canvas_bg geetest_''absolute")[0].toDataURL("image/png")')["value"]bg = self.browser.execute_js('document.getElementsByClassName("geetest_canvas_fullbg geetest_fade'' geetest_absolute")[0].toDataURL("image/png")')["value"]return bg, fullgbdef get_decode_image(self, filename, location_list):"""解码base64数据"""_, img = location_list.split(",")img = base64.decodebytes(img.encode())new_im: PngImagePlugin.PngImageFile = image.open(BytesIO(img))# new_im.convert("RGB")# new_im.save(filename)return new_imdef compute_gap(self, img1, img2):"""计算缺口偏移 这种方式成功率很高"""# 将图片修改为RGB模式img1 = img1.convert("RGB")img2 = img2.convert("RGB")# 计算差值diff = ImageChops.difference(img1, img2)# 灰度图diff = diff.convert("L")# 二值化diff = diff.point(self.table, '1')left = 43for w in range(left, diff.size[0]):lis = []for h in range(diff.size[1]):if diff.load()[w, h] == 1:lis.append(w)if len(lis) > 5:return wdef ease_out_quad(self, x):return 1 - (1 - x) * (1 - x)def ease_out_quart(self, x):return 1 - pow(1 - x, 4)def ease_out_expo(self, x):if x == 1:return 1else:return 1 - pow(2, -10 * x)def get_tracks_2(self, distance, seconds, ease_func):"""根据轨迹离散分布生成的数学 生成 # 参考文档 /p/3f968958af5a成功率很高 90% 往上:param distance: 缺口位置:param seconds: 时间:param ease_func: 生成函数:return: 轨迹数组"""distance += 20tracks = [0]offsets = [0]for t in np.arange(0.0, seconds, 0.1):ease = ease_funcoffset = round(ease(t / seconds) * distance)tracks.append(offset - offsets[-1])offsets.append(offset)tracks.extend([-3, -2, -3, -2, -2, -2, -2, -1, -0, -1, -1, -1])return tracksdef get_track(self, distance):"""根据物理学生成方式 极验不能用 成功率基本为0:param distance: 偏移量:return: 移动轨迹"""distance += 20# 移动轨迹track = []# 当前位移current = 0# 减速阈值mid = distance * 3 / 5# 计算间隔t = 0.5# 初速度v = 0while current < distance:if current < mid:# 加速度为正2a = 2else:# 加速度为负3a = -3# 初速度v0v0 = v# 当前速度v = v0 + atv = v0 + a * t# 移动距离x = v0t + 1/2 * a * t^2move = v0 * t + 0.5 * a * (t ** 2)# 当前位移current += move# 加入轨迹track.append(round(move))track.extend([-3, -3, -2, -2, -2, -2, -2, -1, -1, -1, -1])return trackdef move_to_gap(self, track):"""移动滑块到缺口处"""slider = self.wait.until(EC.presence_of_element_located((By.CLASS_NAME, 'geetest_slider_button')))ActionChains(self.browser).click_and_hold(slider).perform()while track:x = track.pop(0)ActionChains(self.browser).move_by_offset(xoffset=x, yoffset=0).perform()time.sleep(0.02)ActionChains(self.browser).release().perform()def crack(self, n):# 打开浏览器self.open()if self.check_status():# 保存的图片名字bg_filename = 'bg.png'fullbg_filename = 'fullbg.png'# 获取图片bg_location_base64, fullbg_location_64 = self.get_images()# 根据位置对图片进行合并还原bg_img = self.get_decode_image(bg_filename, bg_location_base64)fullbg_img = self.get_decode_image(fullbg_filename, fullbg_location_64)# 获取缺口位置gap = pute_gap(fullbg_img, bg_img)print('缺口位置', gap)track = self.get_tracks_2(gap - self.BORDER, 1, self.ease_out_quart)print("滑动轨迹", track)print("滑动距离", functools.reduce(lambda x, y: x+y, track))self.move_to_gap(track)time.sleep(1)if not self.check_status():print('验证成功')return Trueelse:print('验证失败')# 保存图片方便调试bg_img.save(f"bg_img{n}.png")fullbg_img.save(f"fullbg{n}.png")return Falseelse:print("验证成功")return Trueif __name__ == '__main__':print('开始验证')crack = Crack()# crack.crack(0)count = 0for i in range(200):if crack.crack(i):count += 1print(f"成功率：{count / 200 * 100}%")

selenium_spider.py

#!/usr/local/bin/python# coding:utf-8"""@author: Liubing@software: PyCharm@file: selenium_spider.py@time: -03-11 13:46@describe: 基于selenium版本进一步封装 只针对于谷歌浏览器 其他浏览器需要自己封装"""import jsonimport time as time_from lxml import etreefrom selenium.webdriver.support.wait import WebDriverWaitfrom selenium.webdriver.support import expected_conditions as ECfrom selenium.webdriver.chrome.webdriver import WebDriverfrom selenium.webdriver.chrome.options import Optionsclass SeleniumSpider(WebDriver):"""基于selenium进一步封装"""def __init__(self, path, params=None, max_window=False, *args, **kwargs):"""初始化:param path: str selenium驱动路径:param params: list driver 附加参数:param args: tuple:param kwargs:"""self.__path = pathself.__params = params# 初始化self.__options = Options()self.__options.add_argument('--dns-prefetch-disable')self.__options.add_argument('--disable-gpu') # 谷歌文档提到需要加上这个属性来规避bugself.__options.add_argument('disable-infobars') # 隐藏"Chrome正在受到自动软件的控制"# self.__options.add_argument('--headless')self.is_maximize_window = max_window # 是否开启全屏模式# 过检测 具体参考文档: https://juejin.im/post/5c62b6d5f265da2dab17ae3cself.__options.add_experimental_option('excludeSwitches', ['enable-automation'])if params:for i in params:self.__options.add_argument(i)super(SeleniumSpider, self).__init__(executable_path=self.__path, options=self.__options, *args, **kwargs)# 过检测准备工作self.execute_chrome_protocol_js(protocol="Page.addScriptToEvaluateOnNewDocument",params={"source": """Object.defineProperty(navigator, 'webdriver', {get: () => false,});"""})if self.is_maximize_window:self.maximize_window()# 规则部分self.ID = "id"self.XPATH = "xpath"self.LINK_TEXT = "link text"self.PARTIAL_LINK_TEXT = "partial link text"self.NAME = "name"self.TAG_NAME = "tag name"self.CLASS_NAME = "class name"self.CSS_SELECTOR = "css selector"def cookies_dict_to_selenium_cookies(self, cookies: dict, domain):"""requests cookies 转换到 selenium cookies:param cookies: requests cookies:return: selenium 支持的cookies"""temp_cookies = []for key, value in cookies.items():# requests 有bug 域区分的不是很清楚 手动区分 只限全国电信接口能用temp_cookies.append({"name": key, "value": value, "domain": domain})return temp_cookiesdef get(self, url: str, cookies=None, domain=None):"""请求数据:param url: 待请求的url:param cookies: 添加cookies cookies 格式 [{"name": key, "value": value, "domain": domain},...]:param domain: cookie作用域:return:"""super().get(url)if cookies:# 执行if type(cookies) == list:for cookie in cookies:if "name" in cookie.keys() and "value" in cookie.keys() and "domain" in cookie.keys():self.add_cookie(cookie)else:raise TypeError('cookies错误请传入正确格式[{"name": key, "value": value, "domain": domain},...''] 或者{key: vale,...}')elif type(cookies) == dict:if domain:for i in self.cookies_dict_to_selenium_cookies(cookies, domain):self.add_cookie(i)else:raise ValueError("{key:vale}格式必须传入doamin参数")# 刷新页面self.refresh()def web_driver_wait(self, time: int, rule: str, num: str):"""页面等待 瑞数产品弃用这种方法 不然会400错误:param time: 等待时间:param rule: 规则 [id, xpath, link text, partial link text, name, tag name, class name, css selector]:param num: 根据元素id:return:"""WebDriverWait(self, time, 0.5).until(EC.presence_of_element_located((rule, num)))def web_driver_wait_ruishu(self, time: int, rule: str, num: str):"""笨方法 遍历页面匹配:param time: 等待时间:param rule: 规则 [id, class]:param num: 根据元素id:return:"""while time:response = self.execute_js("document.documentElement.outerHTML")try:html = etree.HTML(text=response["value"])inp = html.xpath("//*[contains(@%s, '%s')]" % (rule, num))if inp:breakexcept Exception as e:continuetime_.sleep(1)time -= 1if not time:raise Exception("未找到 %s" % num)def execute_chrome_protocol_js(self, protocol, params: dict):"""Chrome DevTools 协议操作 具体协议请参考 https://chromedevtools.github.io/devtools-protocol/:param protocol: str 协议名称:param params: dict 参数:return:"""resource = "/session/%s/chromium/send_command_and_get_result" % self.session_idcommand_executor = mand_executorurl = command_executor._url + resourcebody = json.dumps({'cmd': protocol, 'params': params})response = command_executor._request('POST', url, body)if response['status']:return responsereturn response["value"]def execute_js(self, js):"""执行js 过瑞数检测:param js: str 待执行的js:return: {"type": "xxx", value: "xxx"}"""resource = "/session/%s/chromium/send_command_and_get_result" % self.session_idcommand_executor = mand_executorurl = command_executor._url + resourcebody = json.dumps({'cmd': "Runtime.evaluate", 'params': {"expression": js}})response = command_executor._request('POST', url, body)if response['status']:return responsereturn response["value"]["result"]

最后以极验官网demo为例进行了200次的测试，准确率高达了99%。