极验验证码(6.0.9)破解(二) 之反混淆

回顾

上篇文章主要分析了极验的请求过程，以及出现的各种参数和配置信息
我们认识到了gt和challenge，极验相关的各种js路径，极验的各种详细配置，以及滑动时生成的参数w
我们的目标是弄明白w参数的生成方式和规则，从而完成破解，今天我们开始对js进行分析

反混淆

为了解析w的值，我们首先想到的是，先搜索一波w，看哪个地方使用了这个参数，但是w的特征就是太没特征了，太多可能含w的字符串或者关键字了，因此我们就直接分析目标js：geetest.6.0.9.js，将该js保存成本地文件geetest609.js,大致看了下这个js，被各种混淆，不管怎么样，先试着搜索一下gt和challenge，发现并搜索不到结果。针对混淆，我随便截图了一段比较有代表性的代码段，有类似’\x63\x6f\x70\x79’这种十六进制字符的，M9r.C8z(32)有点像数据取值这种的，还有各种switch case中的 M9r.k9r()[21][33][21]
我们今天要做的就是把这三类情况，转换成可读字符串。

1. 十六进制字符串转换

利用python正则表达式，将16进制字符串取出来，进行解码

def parse16():content = ''with open('geetest609.js','r+',encoding='utf8') as f:content = f.read()# 匹配16进制字符串pattern = re.compile(r'\\x[a-zA-Z0-9]{2}')for i in pattern.findall(content):# 解码并替换16进制字符串content = content.replace(i,i.encode('utf-8').decode('unicode_escape'))with open('geetest609_1.js','w+',encoding='utf8') as f:f.write(content)

转换完成发现刚才的十六进制的字符串被替换成可读的字符了

此时搜索gt，意外发现主了人公w，暂时先不管，我们的这集的心思是反混淆

2. M9r.C8z(32)类型的解码

同类型还有M9r.R8z(),T9r.C8z(),T9r.R8z() ,不难发现，其调用的js为


// js 文件 第158行var T9r = B2BB;
// 第188行 var M9r = B2BB;B2BB.R8z = function() {return typeof B2BB.z8z.F === 'function' ? B2BB.z8z.F.apply(B2BB.z8z, arguments) : B2BB.z8z.F;
}
;
function B2BB() {}
B2BB.L9r = function() {return typeof B2BB.y9r.F === 'function' ? B2BB.y9r.F.apply(B2BB.y9r, arguments) : B2BB.y9r.F;
}
;
B2BB.C8z = function() {return typeof B2BB.z8z.F === 'function' ? B2BB.z8z.F.apply(B2BB.z8z, arguments) : B2BB.z8z.F;
}
;
B2BB.X9z = 3;
B2BB.k9r = function() {return typeof B2BB.y9r.F === 'function' ? B2BB.y9r.F.apply(B2BB.y9r, arguments) : B2BB.y9r.F;
}
;B2BB.z8z = function() {var P = 2;while (P !== 1) {switch (P) {case 2:return {F: function(d) {var c = 2;while (c !== 14) {switch (c) {case 3:m = 0;c = 9;break;case 2:var M = '', R = decodeURI("*3!9%3C6r%25?0?%25)x/7%60%22$):k6%3E!#=494r'9!?2$%03;00%25r5s2;48#%3E!%01%228?!0%015)2(6*%0E%7Dqugib%3C%3Es4p68%19?08#)5%25%0A%3C$82%22;%60yelaxp~%7Cw%7Ffjdzquldn%0C%07%0F%16%1A%14%0A%01%05%1C%14%1A%00%0B%03%1A%0E%00%1E%15%19%00%08%06%14%1F%17%0A?3/%22(399%25,&93?#6%3C'%60%1C%1F%16%22%3C0%25)4%09:)?r)#%06*083%3E%1660%22!(k,0%22%22%228%607.x%E3%82%91%E3%83%AA%E3%82%AD%E3%83%83%E7%B4%8E%E7%83%BF%E3%80%B3%E3%80%B2%E3%82%97%E3%82%B8%E3%82%8F%E3%83%A9%E3%80%9A%E3%80%B3%E3%80%91%E3%80%B1%E3%80%99%E3%80%82s&;2l%E7%A6%94%E7%9B%89%E9%81%8A%E5%BB%B8%E8%B7%94%E9%80%82f%3E61#)cm%E7%9B%91%E7%95%B6%E6%89%A7rh*!%01#)%20?0-9%13$8!*%3E%22x%7Cbfc%7Bu=-%60!%25%259%20,4?x*!%012959:3%0E)4?:,o*4%228%0D%25%3E/#2%60%60%7Cv%7Dd%60a%7C%05%7C%10mh%7Fr%09dh%60xr%7B%60%1Cb%7Fvxf%1Bf%0Aru%10%1Be%09%05ub%1C%60x%04t%60%1B%17t~taif%7Du%09gk%14%09%05%0F%13%18f%09qy%16ih%7Bq%09el%15%0Fw%09ljd%7D%00zl%1A%15y%02%7C%16oa%0Ftt%14%1D%13z%07t%17j%15z%00%0Fb%1Aa%0Dv%7Fbg%13zq%7Cl%1B%60%7Bq%7F%60hd%0Avt%14%18g~qzdkh%7D%7F%7Fgo%10%09%00tdfhu%05%0C%10ni%0Fv%09cfg%08qym%1Cc%7C%07~cnb%0E%03%7Ffoi%0F%07%7B%17%1Dc%0Estbngy%7F%7F%14gc%7D%7F%09e%1C%17%7Cs%0El%18gyv%7Ff%1Fc%7D%02%7Ffmatvzgkc%0D%03%7Dehg%08st%16%1B%14%0A%07x%13lfx~%08%14fa%0E%07%0Fmoo%3C'?&;o=3(''%02)*(6*%3E%3Ex5k-$.59'7?+xi&+!)4s0(%25?x=7%60%1E.x/g%60%1D-x%0C7+%22)x%E6%BA%9C%E5%8A%80%E8%86%AD%E6%AC%B5%E5%AF%80%E6%89%96%E9%A8%9A%E8%AC%9C%60w/'!9%3C0/-pk:%3E!%15(9;28)?%10,##4s%EC%9C%AD%EC%A7%83%EC%8A%B5%ED%8D%A4x8&;#%0D!(;*o%08)%20%10(4%222s9;?+2%25k1?)4?:,o$29%25d~c1:%22p6)#90-%25b%25%228q7%254%3E!%01!-!(k94)2(&*%0E:'!%3C:08#s-.%3E?x.'1%22?%09?%3C98%22x%024%60##3#1%60$%22*%224:o%E7%95%B7%E5%82%89%E3%80%81%E6%9A%A1%E6%97%AE%E3%80%84%E3%83%80%E3%80%A0%E3%80%89%E3%80%AB%E3%80%87o#(?0?55594*4/.,;94r%0F#%25+%25r%02,!?o%22#5!%1C(8#%3Ekq%228'9%3C=~r%E0%B9%AC%E0%B9%BE%E0%B8%95%E0%B9%BD%E0%B8%96%E0%B9%84f%E0%B9%89%E0%B9%B2%E0%B9%AC%E0%B9%B0%E0%B8%8C%E0%B9%A5%E0%B8%8A%E0%B9%B2~%22)%25m%E0%B9%B2%E0%B9%AA%E0%B9%88%E0%B9%BE%E0%B9%91%E0%B9%B8u%E0%B8%9E%E0%B9%B2%E0%B8%8B%E0%B9%A1%E0%B9%AC%E0%B9%A7%E0%B9%9F%E0%B8%97r!(!%0C0%22%22%228%080%203(&%60%05%3E?m%1490%25(wkq68k)%3C-%25c*%226?=r?,k.##!$1d%15%14%0F%20494%184,;-7#4%20%7B%138/4%22&178h%0C9.9-%0F%20494%00),1;#d5?6csr%1F,k93r*(3*o%0B#(!;%228x8%25%160%22%22!0,o-**:%60%15%0Ex=%20*%18!'*0%1A08's%06+2/#%3E&do%0D4?k%103r)#%12;48#%3E!%12%3E-%22(1%60;-0,&=#%2569oeo8)=k%0A0'#m&;2?f,;:q(#+0?%25l5.:,4if8&;#?xrk2%3E/-s815r%E0%B9%87%E0%B9%99%E0%B8%94%E0%B9%BB%E0%B9%A1%E0%B9%A9%E0%B9%B4%E0%B9%8C%E0%B8%95%E0%B9%80%E0%B9%A6%E0%B8%84%E0%B9%AB%E0%B9%96%E0%B9%B6%E0%B9%AE%E0%B9%90%E0%B9%A1%E0%B9%9C%E0%B9%AD%E0%B9%A7%E0%B9%80o6.s/6%7C%0F%08s72$%3Exc2*%0E/3?!?8%22%19/2%01&%3E'=k'o%10ds4.!%20?s%7B9%25%13*%224:8%22!%12!;)8xc2*%0E$)!1;#%132%22%25%60%3C#3%3E0:%3E;(su=0%22f#:*q-%25.0-%22rucgpar%13/k%1A%07r%20?:3%18%222s%3C-%14:##k+3r+89*8%3C*4%011o%18/=k%E5%89%A9%E6%97%A1%E9%AB%80%E8%AE%87s6'o%3C)=%20.o%25+*910(x?0.=-%25(k9%25%135%25:)o?2?%3C06%25%204kp68%19?08#)5%25%0A*8%3C5s%7B9%25%136%22%25+!%13%20$;7%22$x.=??+#)%011$/.(&%60%25$#%200%01')4%3E%3C1?r4s%05?o%25(=%20*%7F+#(!;%228%19;428('90%602#64%011o8)8662-(.02o%1D's%18%60!#68%25%0138(s%1B?o%E5%86%B6%E7%8F%B6%E9%95%94%E8%AE%BAdo:pcephl%01(0*4?2m%1C02bxc2*%0E%3C)=%20.%0E%3E#,1'o%3C4%22!12#*s815)x,1:%14:##!%128?2(;;#r./k6%3E:#?%1660%22!(k%083r5=97%25r%E9%A8%91%E8%AC%84%E9%81%8F%E9%80%90krh*!%013#%3E%12=1=(#?k8%14'#5%12&%1E;%134%0C%604%22%22%19%3C34r+%3E%01,0%225$!7%3E%22x.40'-5s%17?%22)x%3E=1&%13%22(9?(r%E4%BD%A6%E5%8E%8F%E9%95%8C%E8%AE%B1kr(%22;;o%223%207;#r)s614*%20s%E5%B8%BE%E5%8B%B7o-*!k%1F%13%0F%02%08%13%19%19%05%0C%06%19%13%1F%03%16%1C%07%0D%05%19%10%1A%0D%07%0B-$.1;7+.$?5=!(%22%25/#?28#))5%3C%7Ddlbxs%7Bbfhdos31#./)1;?r%15;2%1B#%3E)?k%1C4%22%25%258?#'x+'1%3C%023%207;#r%00%22'%3C8(%22(;%60294947?r$%7Ck%1F3r%E5%B1%9B%E8%AE%98%E8%BE%92%E5%A5%84kr%E8%AA%8D%E5%84%85%E5%AF%99%E6%89%8E%E4%B9%9A%E6%97%B5%E9%A8%91%E8%AC%84kq;?x)0-%25%3E)4k%138/4%22&178f%04;*4%3E((!~%1446!:,4%3Ex%3E0,8-*s:87?#9%011!r%255k=$%3E2,%3C0%0E'(%227%60%E3%83%A2%E3%82%AD%E3%82%B5%E3%82%85k948%03!034%222%3E%17'%05-!%03434r(892o/*,&-%1F-+(k948%16,&-%25%25+(k*0r'8!1%03)%20?0-9r%25%254,%108xok%7Fo%0B??:%60+$k9%22%60%0Cr1(7588%12?40%22%252$:0o%1D$s%ED%98%80%EC%9C%A6%ED%94%89%EA%B9%BCf%EC%9D%89%ED%94%A1~%EC%96%BD%EA%B9%BC%EB%A0%9Am%EC%9C%A1%EB%8E%87o%1B):+~%1C#(%3E!;#l#,!-q8.(u7%3C-!(k7?%22#?%01;)8xb2*%7C(/%3E!%605%3E%15%25%3C8%25%18)s0%60=#')%3C06bhck%E5%9A%80%E5%A1%A0%E5%94%83%E9%A0%8As!1%17%25%3E(1%602#3#!%E7%A6%8C%E5%BF%9D%E3%83%8E%E3%80%80%E4%B9%8D%E5%BB%B3%E3%83%9A%E3%83%9B%E7%9A%B8%E3%80%91%E3%80%AB%E3%80%9A%E3%80%BE%E3%80%84%E3%80%88xc%22;3%3Cx%E5%B9%A3%E5%8B%BC%E5%8E%93%E9%A7%99r!9k:o-54;=o%E5%B1%83%E6%81%AC%E7%88%A4%E5%91%96%E6%8F%97%E4%BB%97%E6%8A%B0%E5%9D%90m61$%222m%E7%A6%87%E5%BF%92%E9%86%9C%E8%A8%AAx=4-%228/%200%602#(947??x%25k;?-$!0%60%E3%83%93%E3%80%8A%E4%B9%86%E5%BB%AB%E3%83%91%E3%83%94%E7%9A%A5%E3%80%9B%E3%80%A0%E3%80%82%E3%80%B5%E3%80%8B%E3%80%95r2%22%06*#%25(*k1?/#s%132%3E;x;42$)x%0A0;%05)59u%1B#%3E)?o~#)780-%25lx%22;2%3E-%22s&*0%3E2%19%3C34r((2?%25)xc2*%0E%3C)=%20.%0E/4%22&-o%22#5!%0D8.*$;9ob!9%0A9$%25%22(%0A*8%3Cx%18%01%18%7Ctx;4%60%E0%B9%90%E0%B9%98%E0%B9%82%E0%B8%84%E0%B9%A7%E0%B9%99%E0%B8%90%E0%B9%A9%E0%B9%B6%E0%B9%A8%E0%B9%A7%E0%B9%9F%E0%B8%91%E0%B9%92%E0%B9%B1%E0%B8%85%E0%B9%B8%E0%B9%8B%E0%B8%99%E0%B9%A1%E0%B9%A6%E0%B9%BF%E0%B9%8B%E0%B8%9D%E0%B9%BA%E0%B8%85%E0%B9%AC%E0%B9%AC%E0%B9%8F%E0%B9%A7%E0%B9%B2%E0%B9%9F%E0%B8%8As%E6%9A%A1%E6%97%AE%E9%A8%86%E8%AC%85%E5%9D%90sg:o-$%3Ek~=#59t%60%20-x%3E%20=2)5%3Ek?!%255('(4%3Ex%1E4%605%3E':%1C30+#s%3C3!#4940%25r##6%60%5Br6,'?=%20#!kp68%19%3E975)4s&*(%20#%3E=;48x!:?5%25(*k%0E:/5zk64%206s=?%22%031#%05,%3E%3C#?!'o%0E'%3E0her+%221%0E%3E;%0F#!%60%E6%8F%B4%E5%8E%AFx%E6%8D%84%E4%BC%9A%E5%B6%B8%E9%83%9B%E6%BA%9D%E5%A0%8C%EF%BD%81%E6%8A%83%E5%8A%8B%E5%AF%9D%E6%89%9C%E4%B9%8C%E6%97%B4%E6%8A%A9%E5%9D%88o%0F/==;#%1C'?43%22r%E9%AB%8A%E8%AE%8C%E5%A5%A4%E8%B5%BBkr!9%0A==)'#k%E7%B2%A5%E7%BA%8E%E6%AC%AF%E5%9D%AE%E8%86%A7%E5%8B%BD%E5%89%A9%E6%97%A1%E5%9A%B2%E7%88%81s6,4-2(%1024!##!%60%E0%B9%90%E0%B9%AF%E0%B9%BE%E0%B9%9E%E0%B9%A7%E0%B9%BD%E0%B9%BC%E0%B9%A6%E0%B9%B7%E0%B9%8C%E0%B9%91%E0%B9%BD%E0%B9%A8%E0%B8%84xc2*%0E/3?!?8%22%19/%20*%25#(s%11,0+f9=;q%20#+!~%22%20/)0,q8)m#;#%25%204k-8+%044!;%22rh*!%018%2268!%60%22/4%2292o%25+*k*%3E9%25%25&*0%3E2s%17,%3E;5('%60a%7Cv%7Dena%7Cv%7Dena%7Cv%7Dk-'+fs%0A6%2586%3Ek%1B')(9k%1Fo%15)8u)8%20*m7;q%3E#)%3C,4/2(1~8%22f%7Fu-4/)#1-o?249;%15)2(6*%14%20#s%7B9%25%13%20!4-9rh*!%013#%3Es61?8##!%60%1C%1F%16%22%3C0%25)4%18%25%60%19-xc2*%0E?*$1;#%13-#:%3Co.*%2265%02%25%3C(kq~r%00%1Bkp;?x%064%606)2%00::$%20#s%7B4!+x(;=#569%172%3E/-s%021#(%07?'?(r%048384%3E#)%172%3E/-%0C99%3E%3E/9=3o%09%3E.0-%22%250(o%60:.x='12)5%3E%172%3E/-s%1F%60%10-x'%04+4%3E?s';7%3E#%3E=~4%3E4%22'%60%E9%BA%8F%E6%92%86%E4%B9%8C%E5%9D%9B%E4%B9%B3%E6%B3%A1%E8%B6%BE%E7%B6%96%E6%BA%97%E8%86%BE%E7%B4%97%E9%BA%80o#(%20:+%22)+%22#;o%60x+'1%3C%0F.,'%1D%3E(#s&*08/.%7B94)2(&*%7F/)%20k:4*'89*o+2%124404%199%3C.q+2%12k88%22'!%3C$4ri%3E!?%25%25%25b?-~r%E3%83%84%E3%80%8B%E4%B9%95%E5%BB%B8kr5(98o%E6%8D%85%E4%BC%89%E5%B6%AB%E8%BF%AC%E6%BA%8F%E5%9C%86%EF%BD%80%E6%8A%90%E5%8B%A5%E5%AF%99%E6%89%8E%E4%B9%9B%E6%97%B5%E6%8A%BA%E5%9A%B3k;#%3E)?kp68%19$;8%3E%13/.:0o=x=4:5%25(*%171%258)%20k%EB%B7%96%EB%9E%BD%EC%99%A8%EB%8B%92m%EC%A5%84p%7Fbx%04k#o#%20+97?)x%01:?5)%22s&/$-4(%011o*/!!;#r/##%1A8+/9k%EB%8A%BA%EC%9C%9Dl%EC%9C%BE%EC%A7%90%EC%9C%91~%EC%98%95%EC%85%BD%ED%94%9E%EC%85%B5%EC%9B%81%60446s%25??)*%05076$2s&*083%3E%1660%22!(k9=#$,9%605)$82%1D%3E%22%20$2%60%1C)5%3E494l2%22:~=#(*u8%3E%3Ef%1F%06%1Fo%3E#%3E0*o)$s2*%0E%25(+:%012#(900%25r.$1:4%22x=';')(9%11;7-3!!%60%0Er!9%0A7?*)%12!7!l!9%0A%60%048/!%3C*(rf*!%012%20)#0%60%22)%25s916rh*!%01294947?r*,;9oc6$6*$%3E#%3Ez9%25cx%1D7%60+-x:%3C:%25$x#:~%229%25%25u,4?)8'=4vfs!'!)x$;:44%09+k%0D$/%25(&-o+2%12=75)x%207%603-%25&2,%3E9()%1C30+#s%7B9%25%13/#31%0E8#5!%60#%3Cx.7%60=#%25,9%01!-2%25k%E9%A8%89%E8%AC%98%E5%A5%BD%E6%94%91wk1?%1E#+';%22$x=%20-9r'c2*%0E.)5%0A*8%3C5s8;%22?'*0%60=%25$s%E3%82%B8%E3%83%AE%E3%83%B5%E3%82%BF%E8%AB%8B%E8%A9%B1%E3%83%87%E8%A0%92%E3%80%B2%E3%80%AA%E3%80%89%E3%80%AD%E3%80%80%E3%80%9Aoa%25#k%602%20)#0%1A%3E!x%E8%BD%84%E5%84%B0%E4%B9%B3%7Fbhs&;%25%0D29'7392(k%0D%07%0Bx$k1?%1F3.6;%22?x%E7%B2%B6%E7%B4%A4%E6%AC%BD%E5%9D%B9%E6%9A%B8%E6%97%B6%E5%9D%9B%E7%88%92%60%7F+2%12916#%19/%20*%25#(s%02;3%1C%0A%224:4(x%3E!+';%3E4/%20o9()088%22#)k13&#.!%60%12%256%250,o/)8;*obx/%3C*%1D)(*!6o%09(.''!8)?k0442s9%3Co4$s%16%3Co%E9%A0%B9%E9%9C%A4%E5%B1%8B%E5%9D%BDl%E7%A6%83%E5%91%82%E8%B6%B5%E8%BC%A1kp68%19.%20,%25-/#%0A*8%3Cxlt%60%7F+2%126+%25%13$*kp68%19.%20*%0E/3?!?8%22x*0*%13#3#17?+%05!%3C;?8%14(6*o/'#u0%3E8f!:?5)%22m%3C36?x%60!)o%15x%7F%E7%A6%87%E5%BF%92%E3%80%B6%E3%82%A6%E3%82%86%E3%83%A9%E3%82%B9%E3%83%B1%E3%82%99%E3%80%9B%E3%80%B8%E3%80%94k9o%3E#9''o/*$65o$#$26%25r+,-%60%E5%8E%9C%E9%A7%84x%0Fk'!#5s%E0%B9%94%E0%B9%AD%E0%B9%B4%E0%B9%BD%E0%B9%81%E0%B9%99%E0%B9%A7%E0%B9%B9%E0%B9%88%E0%B8%80%E0%B8%84%E0%B9%A6%E0%B9%B0%E0%B9%8A%7Fbhs8159*(u%60!-%22s4p68%19/2%602-*!7?2'x*0*%12#+=%20*4(%159,24r4(3,4?.s%7B9%25%13*%224:8%22!s%7B9%25%13.(9.%0E8/=&%60%1F)2%3E6?!)x$;28%22#%6072%3E/-s1;'%25%25(:,8)(94*8#(s%20-4l59'728x%25!*!vibk68(#%090205x):=$!##!%60ur1,k30%3E!$;s=)%209kh%0E%7Dw%12b%01%60%7C%19y%0Aoc%13u%12d%01a%13s%12g%01h%13~s%13oo**%22:,o%06$s910(#)%0A*9)+(k%E0%B9%9F%E0%B9%B2%E0%B9%B4%E0%B9%95%E0%B9%BF%E0%B9%8E%E0%B9%AA%E0%B9%85%E0%B8%8D%E0%B9%A3%E0%B9%BD%E0%B8%95%E0%B9%85%E0%B9%A5%E0%B9%98%E0%B8%85%E0%B9%A6%E0%B9%B4%E0%B8%96%E0%B9%BC%E0%B9%B9%E0%B9%87%E0%B9%89%E0%B9%B6%E0%B9%AF%E0%B8%98%E0%B9%8Bx%3E975)xc2*%0E.!s=*%25%3C5wzqo%1E%03%0B7n%04%09%0Cs%25,%3E8)9,.4r%25?,.%25#x*!%019#*)0,q+2%12k'3r%22$#%0C4!%12%22k.%3E%25(90,%3C#0(k.o%1B's';7)4('%014%22%25%221;o/)%20%25?#)%12%22k=9-*!006)xc2;48#%3E!%01'-*$1?%25)x%E3%83%A5%E3%82%BC%E3%82%A2%E3%80%B6%E3%80%95%7Cs%221#(5s1;7%25((k%17?*)s%13+=%206,2;o-h*!%01294947?r%22%22%05+3%20/.k1?%0D$8&;ob!9%0A30?-s%11%3Co%3C)$;*4%3E%22%22%220ob!(0*4?2%12&;2/))0%60%02r0$&73%20#s%7B=%22?x%124%60%228?!0%606)#90-%25%135(6=%3E(#s2;%25%05+,2;%15-2,k%E7%83%A7%E5%86%AA%E4%B9%86%E5%9A%B8%E6%8D%84%E9%93%BB%E5%B8%A8%E6%B3%AE%E9%80%9F%E8%B6%A9%E6%8A%9B%E5%8B%BD%E5%89%AE%E7%BA%99%E7%83%B5%E5%A5%82s620!6s&.=%25%25(k%0B%25*~s%7B9%25%13%258!%0179*!79o6.%6060oc4(3,4?.c%256!r%0B,k%EB%B3%9A%ED%8B%ADl%EB%92%9A%EB%A7%A1%EA%B6%AD%ED%94%86%EC%96%BDl%EC%9C%BE%EC%A7%90%ED%94%8D%EC%85%A6%EC%9B%85r'c2*%0E$#!%25%013929:0ob!9%0A=$%3E2,%3C0%0E.!s%11%13o/.,'%1D%3E(#%0C!%60%228'?!%07o%E7%A6%B7%E5%8B%AE%E5%89%BD%E6%AC%B1%E5%BD%9E%E5%A6%9A%E9%AB%80%E8%AE%87s%01?o?#9%132%3E-2sq?o%03%08%08k%22o$/)0%015)*,,%608%2268!p6)#90-%25%135(6=%3E(#s!1$/.(;:o#(s:0%14%3E4%22'%608(xoo%60%13-x%1D9;0?#m!,(l'*47?l*,!;#r%25!%3C;?8%1Es2*%14%3E4%22'%60%229$%3E!,o/3?&1#r+%22#;o+#9%19??+x.42=r%22,!?k%25+,2;~;#/%25e3-5(cj%7D%19-!%12%0C8x%07%0C%14%1C%09%1E%13%07%04%08=%0Dr%19%16%1B%10%0D%07%0C#%1F%04%0D%07%08%17f&%0D/%00%22%1F6%1F%15%03!-4c%25%15?&(%0F%05%20'%07%1F%1B%16:8%16%03%04%7F'%22%13%10r%0A,!7?%7Dx77%60!%3E))%20=%25r4(81')%079!,8.390%60%3C#0(%1D??(*('%602$/!1%10%3E(#%3Ek=%3E%220('*o%0E*%2265%12%256%250,o+#9%161?8#5!%60'.x*!%01%3C#0$;9o.!s7;?/.%204,:r6%22%3C0%25)48%25%608.x%154%60%3C%3C*s=75)%14(3,4?.s%07?o?4.%1024!##!%600.x%3E972)x*!%019#*)0,q+2%12813%25*(%0A6%3E%20%22('~68%19s%0A%3C=-(&k%EB%B7%96%EB%9E%BD%EC%99%A8%EB%8B%92m%EC%A5%84%600b!9%0A2%3E+)%127+%258)#k-%25-2$6-4%3E0('-o%E0%B9%A9%E0%B8%8F%E0%B9%AC%E0%B8%95%E0%B9%B5%E0%B9%B4%E0%B9%AB%7Cs1%3Co?3/%011o/)#6?%25r%0B%1E%0518%222('%13%3E:#s0&!#49&%606)2%1B428('90%60%E8%AB%BC%E3%80%B3%E8%BF%BA%E3%80%B2%E4%B9%B8%E2%81%B8o%0B's4p68%19+%202=.!s&=#%2569k17*5(!%0E0%3E##!%60#)+%22#;%12$/!1%603#)!0??r%E6%8A%90%E5%8B%A5%E6%BA%84%E5%9C%89%E5%B1%97%E6%83%A0%E6%B4%A8%E5%9A%B3%E5%82%9A%E6%AC%BD%E7%A0%BF%E6%8A%B0%E5%91%8Es&*08/.%0A-4%3E0('-o%E5%87%81%E6%9C%A3%E4%B9%8D%E6%AD%B4do%3C')17?+x%7Dk%22;#4)40o+2%12;1%0E%20)*:%606)#90-%25%13%25%2542=)(*0%609'x%0238=%25((k35yx%3E6?=)x%04;(0%20/)u%0C%02%0Df=%20%3C=%25%25m%3E;(ros;?%3C)x%E0%B9%A0%E0%B9%AD%E0%B8%94%E0%B9%B3mf%E0%B9%98%E0%B8%9D%E0%B9%B3%E0%B9%B1%E0%B9%BE%E0%B9%98%E0%B8%89%E0%B9%B4%E0%B8%96%E0%B9%87%E0%B9%B5%E0%B9%87%E0%B9%98%E0%B8%9C%E0%B9%B3%E0%B9%96%E0%B9%8D%E0%B9%A5%E0%B9%B5%E0%B9%86%E0%B9%AC%E0%B9%B4%E0%B9%A1%E0%B9%81%E0%B8%8E%E0%B9%BE%E0%B9%BF%E0%B8%99r%25s024?xc2*%0E-,,-%01%25%256s%3C0!92s%20%60%1B-xb&*(%20#s%172%3E/-%0E%3C.9)4%00::4r%03,k8$%22%259%3C1?r)#%131#./)1;?r%03/k:48'.=%1B')(9k*9)+(k%EA%B1%AF%EC%8A%B1r*$;5o%0B*%227?=r!9%0A=$8%19s%000%229%25.0-%22*3!o%603929:0o#%20+&;%25%00#+!%602$'?&;%25r%01(0*4?2m';%209/?0-q-f:%3C05#1m%227%25$f,u:%3E/3%2000%25r%25%228.=)2(k:?a594*8/%22%22%220%7F=$%22-p%3C)x%EA%B9%B5%EC%9C%91~%EB%95%A1%EB%9C%B0f%EB%B3%89%ED%8B%A9%EC%9C%9Aq%EB%92%90%EB%9F%9E%EA%B6%B5k~o%1E#+';%22$xc2*%0E;/)2;%25rh*!%01!#68%25%01&%3E'=k=7+x%22;%180%25*s4.!)()%011o%01))%2024?x=:)o&$s&64%20*s:+%25)4%05%01%13%1Dr/#%3C*o+2%126+%228)%20%0A?;-%3Es&*0%3E2%15k7?rh*!%013#29:3o**%224*o%08#.::4%3Ex%3E0*%01%3E)=0,%255x,8%6068%19.%20-%25#+%12';7%3E#%3E=%60%3C?k9:+2$k,6*8#(s!1%03-%22$-%606%06%15%02%1B%6085x':7?r%E5%8B%A6%E8%BC%B0%E4%B9%B8p%7Fbx%044%60%60~uy%60hft%7F%7D%7B%60442(;:o%3C%3Emk%E8%AB%93%E8%A9%AD%E3%80%80%E5%AF%8A%E4%BB%8B%E3%80%82%E3%80%A0%E3%80%86%E3%80%93x,%25.%1F-+(k=0%20*/4=:%094?:,o-,,-%603r=sz-%25-2$6%60%25.x#:%1D%3E%22%20!%3C=%25r'8!1o%E3%83%B5%E3%82%AF%E3%83%A9%E3%82%9C%E3%80%89%E3%80%B7%E8%AB%81%E8%A9%BA%E3%83%9F%E5%AF%99%E6%89%8E%E3%80%84%E3%80%97%E3%80%A0%E3%80%82%E3%80%B5%E3%80%8B%E3%80%95r%20,%3C2o():;%60#)'),%60#%1F.$3*%05#x%20!lo.)),%60%12#+=9;%25)f9=;q%3C37/24?x%03k,4!);0%1B')(9%197%228##0,o%20%15%25%3C8%25%18)s%0A-=%25%25(k%E0%B9%BD%E0%B9%A4%E0%B8%8C%E0%B9%99%E0%B9%AE%E0%B9%9F%60)-x,%257%0E?#?#;#r%20%0B!%04a%1A'%14a%196bx*0;%25)59%0A%60#)%2286;o%E8%AE%BB%E5%84%8E%E5%AF%81%E6%89%85%E4%B9%95%E6%97%A8%E9%AB%80%E8%AE%87s;%60%03.x*!%010%22/%204*4r594*$?x%20%256o%E8%AB%81%E8%A9%BA%E5%AF%81%E4%BB%93do~p%7D%25&o%22's!1$/.%604=%25%25)#k.0%3E##!%10%3E(#s2;%25%09*(8;?8%044%1C:o%E9%AB%80%E8%AE%87%E9%81%97%E8%BE%92do!)8&;$%3Cx.';08#%190&%25%02))0%60=#!%22kq%22'/#%7B%607)#)7?2'x%25!*!?x%E0%B9%AE%E0%B9%A5%E0%B9%84%E0%B9%8B%E0%B9%8D%E0%B9%B5%E0%B9%A8%E0%B9%A4%E0%B9%99%E0%B9%85%E0%B9%BF%E0%B8%86%E0%B9%94%E0%B9%A1%E0%B9%87%E0%B9%90%E0%B9%BE%E0%B9%A5%E0%B8%8D%E0%B9%8E%E0%B9%BB%E0%B9%A4%E0%B8%84%E0%B9%A4%E0%B9%94%E0%B9%B5%E0%B9%AC%E0%B9%8F%E0%B8%8F%E0%B9%AD%E0%B9%AC%E0%B8%9D%60%02%20/)0%60%7F+#(!;%228%19.=?=%20##2;o%1E#%3C%20;%228x$;.$8h*0;%25)59%0A=9-*!006)x,7+%22)x)8/%60rh%3E#9o%1A'seoc%7Frxciiu'/6:4*!%25%3C4:%20+#:.%20%3E59%20(&4?7k1')4+91&r%E7%95%BD%E5%82%82%E6%9A%A1%E6%97%AEo%0B$s13!%7Dx%09%1A%13%03)'),%60654%22&=%3E%3C#s!?#+#9k.%3E%3C3=%0A,4-%224k-!-(s%16+#8'$;%60%7F+2%12=;=%3C%19/%20*%25#(s%14%1B%02r5/k,4%20x%E9%A1%8C%E9%9C%B7%E5%B1%99%E5%9D%B9~%E7%A6%94%E5%BF%81%E8%B6%A6%E8%BC%97o?7?%011o%20),1;5r%EC%9F%96%EB%8E%94%EC%9F%B9%ED%97%97q%EC%A5%9Dx%0E:3!%20#90~')4$372-2$:0q.#!:)o%09%0A%08%18%1B%1F%18%19%03%1A%1A%14r%00,%3C2o&x$&%1F#%3E'4k%1F?-*4&;o+2%12%3C07#%199,.4r4(4:(%1F2,!;o%08)%20k%0D4%3E0('~8?f?08#)5%25%3C06l2%250~8!'*0%6084x%25!*!vib%22)&b!(0*4?2c61%3Cc%25%22;*0/2n';!#49k)4.6s628)(9%02758.s%06+!%3C)?!%604:##!%60%04-x;428('90%609%25%22(k.%3E%3C3=%0A=%3E%3C?%127*?r%22$#%60%13.x8%25%60#)0('*o8#%3E!%60%25#%0A%22%22;#%0F'%3E0%604%22%25?,.%25r%60s%3C0?)4%05%01%13%1Dr'=%3Cp6)#90-%25b%25%228%60$%3E*ek3o%EC%9C%B4%EC%A7%9B%EC%85%BC%EA%B2%A0%609-()9;#%00/%3E!%60%7F%3C(*k%E5%92%99%E5%92%B7%EF%BC%92%E6%81%AC%E7%88%A4%E5%91%96%E4%BB%98%E6%8A%AD%E5%9A%B2f.:+?8f%E7%A6%9F%E5%91%9B%E9%86%93%E8%AE%84r%3C%22:3o#$s%E8%AA%9E%E5%B1%99%E6%86%A9%E6%B4%A2%E5%9D%90%E7%88%8A%E6%8A%A9%E5%91%96o/3?';?8%159,24r%20892!-!(k3%3E95(81')x%20:$%05%3E'#&7%25%25)#k==)'#k=8%3C.('*442s11%3Cr%E8%AA%8D%E9%96%91%E9%97%9C%E9%A8%89%E8%AC%98%E5%BF%80%E9%86%8B%E8%A8%ABk,483?;%080%203(k7??#?!%1C4*)?0%60%12r%0B/k=%3E!6,';%15#%2588;?8%16%22&7%25%25)#k.%3E%3C3=7*?%25%22s&?o?%25%22';o%16's%13lo+#9%05,%3E%3C#?!'%07-*80%60%12%0E%05s62%3E%22#%03::4r%20?:3%03-%22$-%60%25%3E'#&7%25%25)#k%3C8%22%22%02;%60%3E%3E/*%3C0%0Er6%22%25+!%13%20$;7%22$x;42$)%09+k%E3%82%86%E3%82%BA%E3%82%9Bx%1E7%604%22%22s%13;4($,65o%E5%87%81%E4%BF%80%E4%B9%8D%E6%AD%B4do%E8%AB%81%E8%A9%BA%E5%A5%BC%E6%94%82do%3E#%3Ek%E3%80%8D%E3%80%82%E3%80%87%E3%83%8F%E8%AB%80%E8%A9%A9%E3%83%8C%E5%A6%9A%E3%83%8D%E3%80%B8%E3%80%94k3$%20%12%22k948%12$8;o%E8%AE%BB%E5%84%B5%E9%96%A0%E9%AB%99%E8%AE%9F%E9%86%9C%E8%AE%99xc2*%0E%25(+:%60%20.xc2*%0E%3C)=%20.%0E$#,1;#rf%3E%3E7?b,%3Eu=0%22f#:*q%20),1;5r%00,k%E3%82%8F%E3%83%AB%E3%82%A7%E3%83%94%E5%91%85%E3%83%9A%E3%80%85%E3%80%B7%E3%80%83%E3%80%A6%E3%80%98%E3%80%91%60%7F+2%12%251!96%1271)rpcephr/#31%19%25%22(k*%3E9%25%2581')x%0C;7%3C-2(k%13%3E:#m=;#)f9:~')4$3'o%084,2~%25$#m7+%258)#u?=#(*u*9)f?:?5r%7Bs4,#r%22$&?3%20#su=0%22f#:*q%20),1;5r2:kp68%19%3E972)x$#%60%3C#0$;9o%18)%229%605%20%15%25%3C8%25%18)s%06;#:#?u%1B#%3E)?o%607#4%204*ob!9%0A8$%20*/2%60%7F+2%12910(/#2%018/)#kqo!/5%1C0o8x%3E!,8%22!s4%60%7F+2%126+%25%13xc2*%0E.)5%0A*8%3C5s31295s%7B9%25%13/(%0A-$/%25(&-o%20x%20%3C0o%1C)=%20.o%22))0%0A(%3C#sx%60%18.x?7%603-%25&2,%3E9()%051%22%252$:0o%17x=-%60%7F+2%12%3C07#%199%3C.o+)!1;?r%E0%B9%8C%E0%B8%85%E0%B9%B2%E0%B9%BC%E0%B8%91%E0%B9%A7%E0%B9%A3%E0%B9%BA%E0%B9%B8%604%22'/9;%01#68%25%60%EB%AD%A9%EC%9C%94x%16:%3C;)%259u%1F#%3E'4%08%60%02)4$4286'/9;%12%256%250,o?#.u%E7%A6%8C%E7%9B%95%E9%81%93%E5%BB%A0%E8%B7%88%E8%BE%92~%22/)?0%7Bq%E7%9B%88%E7%95%AE%E6%89%BAk%7Do!)/%3C24r%25?0?%25)%03#6,(%3C2%22'%60%17.x)%3C-!%20'4k?!%3C##1%1D9%25*)k-48%168728/x.07=r+=k%1F?#(481$?x%25';7r%1C%08%07%11o%E0%B9%8D%E0%B9%A5%E0%B9%B5%E0%B9%86%E0%B9%AC%E0%B9%85%E0%B9%BF%E0%B8%86%E0%B9%94%E0%B9%A1%E0%B9%87%E0%B9%90%E0%B9%BE%E0%B9%A5%E0%B9%98%E0%B9%B6%E0%B9%B9%E0%B9%99%E0%B9%A6%E0%B9%AB%E0%B9%97%E0%B9%81%E0%B8%97%E0%B9%A3%E0%B9%95%E0%B9%A3%E0%B8%85%E0%B9%A7%E0%B9%99o!)/%3C24%1F-$;-o;$s:0%03)'),%60%16)#%190-%25%1F-$;-o/*$00%25%15xc2*%0E/3?!?8%22%19&;13r%0A/k-0%22%22/:&o9+s#;#?/%22;%60sex%3E'=o%E5%86%B6%E7%8E%B8%E9%8D%A2%E8%AB%B1do%07$s%EB%8A%B1%EC%8A%82q%EC%8A%90%EB%8E%82%ED%94%95%EC%85%AD%EC%9B%8Ao$#,1%60%15-x%E5%99%9A%E8%A8%B3%E9%80%90%E5%A5%8B%E6%AD%AD%7C");c = 1;break;case 4:c = m === d.length ? 3 : 9;break;case 8:J++,m++;c = 5;break;case 1:var J = 0, m = 0;c = 5;break;case 5:c = J < R.length ? 4 : 7;break;case 9:M += String.fromCharCode(R.charCodeAt(J) ^ d.charCodeAt(m));c = 8;break;case 7:M = M.split('>');return function(l) {var D = 2;while (D !== 1) {switch (D) {case 2:return M[l];D = 1;break;}}};c = 14;break;}}}('LFMU^Q')};P = 1;break;}}
}();

我们不妨在return M[l]之前，打印下M的值，通过Google浏览器执行下这段js，整理得到M

M = ["fullbg", "create", "bb", "show", "homepage", "attachEvent", "s", "geetest_style_detect_178273px", "a.gt_refresh_button", "()*,-./0123456789:?@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqr", "MSPointerDown", "onStatusChange", "random", "fb", "ボタンを終点までドラックしてください", "sec 秒的速度超過 score% 的用戶", ".gt_refresh_button", "178273px", "pictures", "gt_custom_error", "fromString", "10001", "00C1E3934D1614465B33053E7F48EE4EC87B14B95EF88947713D25EECBFF7E74C7977D02DC1D9451F79DD5D1C10C29ACB6A9B4D6FB7D0A0279B6719E1772565F09AF627715919221AEF91899CAE08C0D686D748B20A3603BE2318CA6BC2B59706592A9219D0BF05C9F65023A21D2330807252AE0066D59CEEFA5F2748EA80BAB81", "parse", "querySelector", "x", "substring", "$super", "evts", "pb", "Ob", "b2", "La", "Abuse", "滑動至此完成驗證", "&callback=", "domSelectorError", "인증실패", "userAgent", "DomEvent", "length", "onerror", "http://www.geetest.com/first_page", "geetest_validate", "xpos", "crossOrigin", "Oa", "round", "unload", "画像が更新されています", "onreadystatechange", "Input", "Data", "nextBytes", "/static/", "สำเร็จ ความเร็ว sec วินาที เร็วมากๆ", "getRandomValues", "Try Again:", "/gt-dist/local", "ya", "progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\"", "Ya", "gb", "left", "Geetest", "upHandler", "algo", "DB", "putImageData", "Success:", "Arr", "Nb", "onGeetestLoaded", "javascript:;", "top", "Take secs and defeat score% users", "?", "lock", "mod", "กดและลากเพื่อประกอบภาพ", "zh", "zh-CN", "blur", ".gt_curtain_bg_wrap", "y", "\"", "apply", ".gt_loading_text", ".gt_holder_top", "mousedown", " can not access", "3.2.0", "Ub", "DV", "fromInt", "isEven", "ub", "multiplyTo", "Tip", "刷新验证", "cy", "popup", "imgload", "replace", "gt_show", "stringify", ".gt_refresh_tips", ".gt_popup_finish", "changedTouches", "theme_version", "r", "Pa", "input.geetest_validate", "copyTo", "touchcancel", "Qa", "M", "popup_btn", "Na", "出现错误:", "v6.0.9 Geetest Inc.", ".gt_popup_ready", "protocol", "mode", "addEventListener", "hb", "hoverChange", "Vb", "split", "驗證通過:", ".gt_box_holder", "fEkexGxOwUyY", "endTime", "msTransition", "canvas", "Base", "show_delay", "传参错误:", "none", "number", "o", "coeff", "幫助", "all", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789()", "forbidden", "SvgError", "Benchmark", "fromNumber", "Forbidden", "curtain", "b1", "Ab", "尝试过多:", "請先完成下方驗證", "/js", "destroy", "Microsoft Internet Explorer", "serial", "offsetTop", "cx", "curtain_knob", "コメント", "getElementsByTagName", "null", "className", "getPasstime", "ta", "autoRefresh", "charAt", "\"", "!", "Gyro", "zh-tw", "]", "webkitTransition", "Qb", "확인하기 위해 여기로 이동", "Wow~ Monster eats the image", "innerText", "/gt-dist", "drShiftTo", "e", "loading...", "回報問題", "toFixed", "count秒後もう一度やり直してください", ".webp", "帮助反馈", "gt", "d", "async", "小怪物吃掉了拼圖 count 秒後重試", "passtime", "contains", "h", "enable", "もう一度やり直してください", "toString", "once", "Flow", "value", "GeeTest Error: request ", "onload", "startTime", "negate", ".gt_popup_cross", "nextSibling", ".gt_guide_tip", "UTF-8", "va", "กดค้างและลากเพื่อต่อภาพให้สมบูรณ์", "更新驗證圖", "2d", "abs", " lost!", "qa", "success", "apiserver", "Sa", "drawImage", "important", "enc", "", "parallel", ".gt_slider", "stylesheet", "loading", "Pkcs7", "help", "hasOwnProperty", "Base64", "modPowInt", "接口", "按住左邊滑塊，拖動完成上方拼圖", "CipherParams", "验证失败:", "gt_clean", "系统正在自动刷新图片", "createElement", "กรุณารอสักครู่", ".gt_curtain_button", "Drag the left slider to verify", "sigBytes", ".gt_input", "scroll", "img", "touchstart", "Browser", "0000000000000000", "svg ", "_https", "Event", "A", "You will be redirected in 2 seconds", "styleDetectEle", ".gt_flash", ".gt_box", "content", "MSPointerUp", "Ha", ".gt_slider_knob", "blockSize", "//", "FV", ".js", "Ka", "getModule", ".jpg", "encryptBlock", "WordArray", "BufferedBlockAlgorithm", "Excessive:", "kb", "processBlock", "J", "Aa", "jQuery", "refresh error", "點擊上圖並沿路線滑至終點", "onmousemove", ",", "fromCharCode", "static.geetest.com", "default", "gt_ajax_tip gt_", "finalize", "/static/js/", "もう一度:", "self", "按住左边滑块，拖动完成上方拼图", "error", ".gt_info_icon", "q", "paddingBottom", "불러오는 중...", "I", "}", "offline", "Loaded", "squareTo", "filter", "invDigit", "다음 인증을 완성하세요", "exp", "panelHeight", "statusChange", "global", "debugConfig", "Message too long for RSA", "reset", "eb", "gt_info_content", "hidden", "preventDefault", "_", "gt_info_tip gt_", "Utility", " gt_clone", "sec", "log", ".gt_curtain", "lang", "/pictures/gt/", "Pb", "za", "width", "no such resource: ", "type", "indexOf", "Success", "gt_hide", "mb", "backgroundImage", ".gt_info_text", "rp", "cb", "local_path", "驗證失敗:", "onRefresh", "push", "a.gt_box_tips", "message", "lib", "ログイン認証を行ってください", "-cn", "", "cloneDom", "載入中...", "setAttribute", "SVG", "i", "onSuccess", "系統正在更新圖片", ".gt_logo_button", "WebPLoaded", "stuvwxyz~", "undefined", "object", "Cipher", "count", ".", "bitLength", "Encryptor", "next", "lb", "xb", "Cb", "页面将在2秒后跳转", ".gt_curtain_tip", "!!", ".gt_cut_bg", ".gt_cut_curtain", "getBoundingClientRect", "can not loaded imgs", "-tw", "Y", "2秒後でリダイレクトします", "g", "retry", "click", "height", "max", "反馈", "B", "ypos", "กำลังดาวน์โหลด...", "module ", "pad", "a.gt_bg", "callback", "getComputedStyle", "refresh", ".gt_loading", ".gt_help_tips", "Netscape", "inline-block", "deviceorientation", "use strict", "http://", "hideDelay", "document", "$", "wa", "margin-left", "6_11_7_10_4_12_3_1_0_5_2_9_8", "F1", "floor", "Jb", "loaded_theme", "กรุณาปิดและเปิดใหม่อีกครั้ง", "slide", ".gt_bg", "https://", "REFb0UEJ", "prototype", "crypto", "gt_holder gt_", "yb", "divRemTo", "pointermove", "p", "Wa", "referer_encode", "compareTo", "challenge", ".geetest_validate", "エラーです:", "words", "define", "Info", "Fullpage", "a.gt_curtain", "doPublic", "onAbuse", ".gt_mask", "Db", "pointerdown", ".geetest_seccode", "S", "visible", ".css", "_a", "style", "geetest_seccode", "getImageData", "点击上图按钮并沿道路拖动到终点处", "clamp", "splice", "Utf8", ".gt_cut_fullbg", "zh-cn", "/refresh.php", "Ma", "버튼 드리그하여 인증하세요", "a.gt_help_button", ".gt_curtain_bg", "DM", "charCodeAt", "startY", "移动到此开始验证", "Ta", "setFloat", "$a", "ONE", "|", "hide_delay", "input.geetest_seccode", "touchend", "on", "onError", "id", "\":", "Ba", "Please try again later", "clientX", "gtError", "substr", "cursor", "move", "getLang", "call", "data:image/webp;base64,UklGRi4AAABXRUJQVlA4TCEAAAAvAUAAEB8wAiMwAgSSNtse/cXjxyCCmrYNWPwmHRH9jwMA", "Latin1", "zb", "product", "removeAttribute", "moveHandler", "childNodes", "convert", "BlockCipher", "getContext", "vb", "gt_moving", "bg", "benchmark", "pointerup", "ib", "Xa", "mpl", "hideRefresh", "Ra", "srcElement", "ab", "slice", "gt_holder gt_mobile_holder gt_", "_blank", "불러오는 중", "a.gt_logo_button", "staticservers", "ล้มเหลว:", "db", "subTo", "concat", "MSPointerMove", "exports", "getValidate", "読み込み中…", "Ga", "a.gt_fullbg", "script", "offsetParent", "removeChild", "boolean", "拖动滑块将悬浮图像正确拼合", "static_servers", "再来一次:", "padding", "0", "|jordan", "gt_no_logo", "geetest_challenge", "hk", "Offline", "md5", "scale", "Invalid RSA public key", ")", "name", "อุ๊ย! ต่อภาพไม่ถูกต้องกรุณาลองใหม่", "c", "eles", ".gt_ajax_tip", "input", "u", "Ja", "/style", "BlockCipherMode", "Ea", "function", "onForbidden", "Eb", "detachEvent", "theme", "갱신", "link", "Global", "gt_cut_", "Unsuccessful:", "button", "offsetLeft", "charset", "Geetest requires a window with a document", "complete", "dn-staticdown.qbox.me", "길을 따라 버튼을 드래그", " ", "Refresh", ".gt_widget", ".gt_popup_wrap", "cfg", "onFail", "appendTo", "Modules", "pow", "jb", "shell", "outerHTML", "init", "gt_custom_ajax", "startX", "in", ".gt_bottom", "float", "Decoder", "setProperty", "am", "gt_custom_refresh", "ms-touch-action", "toRadix", "gJSON", "iy", "join", "加载中...", "Ia", "1234567890.", "extend", "px ", "認証が完了しました", "appName", "callbackError", "ajax", "b", "{", "/static", "tb", "noConflict", "auto", "スライドして認証を完成させてください", "fail", "down", "ready", "rShiftTo", "mt2", "body", "Complete the puzzles", "N", "removeEventListener", "lShiftTo", "_slice", "รีเฟรช", "xa", "api_server", "fFtZ0VaY4Gg.", "geetest_", "reduce", "请先完成下方验证", "n", "Rb", "gt_animate", "status", "mph", "認証完了:", "260px", "na", "touch-action", "parentNode", "getElementById", "验证通过:", "mouseup", "createTextNode", "logo", "/skin.", "feedback", "https", "ระบบกำลังดำเนินการเปลี่ยนภาพใหม่", "Slide", ".geetest_challenge", "Request", "input.geetest_challenge", "abuse", "dmq1", ".svg", "Va", "0123456789abcdefghijklmnopqrstuvwxyz", "overflow", "画像更新", "Gb", "dmp1", "DOMReady", "gyroscope", "target", "popup_ready", "span", "Curtain", ".gt_help_button", "AES", "sb", "rel", "頁面將在2秒後跳轉", "sqrTo", "loaded", "자동재행 중", "Complete verification below", "ELEMENT_NODE", "Fail", "j", "isArray", "Analyse", "gt_info_type", "readyState", "Dom", "Server is refreshing the image", "ix", "http://www.geetest.com/contact#report", "webp", "clientWidth", "Support", "event", "Ua", "validate", "hide", "popup_copy_btn", "div", "Bb", "up", "revert", "test", "toLowerCase", "encrypt", "&", "innerHTML", "api.geetest.com", "url(", "m", "인증성공", "handlerList", ".png", "哇哦～怪物吃了拼图 count 秒后重试", "zoom", "ob", "請將懸浮圖片拼合", "currentStyle", "fullpage", "mousemove", "mozTransition", "clean", "ciphertext", "dom", "請關閉驗證後重試", "returnValue", "insertBefore", "C", "Mb", "compareDocumentPosition", "popupbtnid", "sa", "score", "Za", "F2", "getPropertyValue", "CBC", "cloneNode", "fromRadix", "transition", "bindOn", "origin_", "popup_finish", "valueOf", "ヘルプ", "Sb", "end", "Feedback", "再來一次:", "認証失敗:", "res", "ここから認証を始めます", "mulTo", "getTime", "请关闭验证重试", ".gt_info", "qb", ".gt_popup_header", " skin.js can not loaded", "Fa", "パズルを合わせてください", ".gt_popup_box", "6.0.9", "infoHide", "touchmove", "Animate", "Move here to verify", "Drag the button along the road", "=", "arr", "disable", " can not loaded", "tw", ".gt_slice", "iv", "moving", "Tool", "dlShiftTo", "Server Error:", "format", ".gt_fullbg", ".gt_loading_icon", "/", "mixIn", "t", "string", "a", ".gt_cut_", ".gt_box_tips", "focus", ".gt_ie_success", "l", "min", "Popup", "nodeType", "-", "Ib", "rb", "backgroundPosition", "[", "px", ".gt_info_tip", "golden", "ช่วยเหลือ", "enablePopup", "문의", "[object Array]", "SerializableCipher", "sec 秒的速度超过 score% 的用户", "#", "mobile", "createEncryptor", "Fb", "display", "appendChild", "setPublic", "ceil", "mp", "Anonymous", "href", "ZERO", "กรุณาดำเนินการตรวจสอบด้านล่าง", "mobileSkins", "wb", "onReady", "GeeTestSkins", "clientY", ".gt_curtain_knob", "Lb", "sandbox", "um", "version", "\")", "src", "出現錯誤:", "Kb", "다시 시도하세요", "head", "Da", "嘗試過多次:"]

拿到M 之后，就很容易知道M9r.C8z(32) = M[32] = ‘La’,我们按照这个规则，依旧使用正则，将M9r.C8z(32)类似这种替换成其真实的数据

def replace_z8z():# 运行js ，拿到M的值M = ["fullbg", "create", "bb", "show", "homepage", "attachEvent", "s", "geetest_style_detect_178273px", "a.gt_refresh_button", "()*,-./0123456789:?@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqr", "MSPointerDown", "onStatusChange", "random", "fb", "ボタンを終点までドラックしてください", "sec 秒的速度超過 score% 的用戶", ".gt_refresh_button", "178273px", "pictures", "gt_custom_error", "fromString", "10001", "00C1E3934D1614465B33053E7F48EE4EC87B14B95EF88947713D25EECBFF7E74C7977D02DC1D9451F79DD5D1C10C29ACB6A9B4D6FB7D0A0279B6719E1772565F09AF627715919221AEF91899CAE08C0D686D748B20A3603BE2318CA6BC2B59706592A9219D0BF05C9F65023A21D2330807252AE0066D59CEEFA5F2748EA80BAB81", "parse", "querySelector", "x", "substring", "$super", "evts", "pb", "Ob", "b2", "La", "Abuse", "滑動至此完成驗證", "&callback=", "domSelectorError", "인증실패", "userAgent", "DomEvent", "length", "onerror", "http://www.geetest.com/first_page", "geetest_validate", "xpos", "crossOrigin", "Oa", "round", "unload", "画像が更新されています", "onreadystatechange", "Input", "Data", "nextBytes", "/static/", "สำเร็จ ความเร็ว sec วินาที เร็วมากๆ", "getRandomValues", "Try Again:", "/gt-dist/local", "ya", "progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\"", "Ya", "gb", "left", "Geetest", "upHandler", "algo", "DB", "putImageData", "Success:", "Arr", "Nb", "onGeetestLoaded", "javascript:;", "top", "Take secs and defeat score% users", "?", "lock", "mod", "กดและลากเพื่อประกอบภาพ", "zh", "zh-CN", "blur", ".gt_curtain_bg_wrap", "y", "\"", "apply", ".gt_loading_text", ".gt_holder_top", "mousedown", " can not access", "3.2.0", "Ub", "DV", "fromInt", "isEven", "ub", "multiplyTo", "Tip", "刷新验证", "cy", "popup", "imgload", "replace", "gt_show", "stringify", ".gt_refresh_tips", ".gt_popup_finish", "changedTouches", "theme_version", "r", "Pa", "input.geetest_validate", "copyTo", "touchcancel", "Qa", "M", "popup_btn", "Na", "出现错误:", "v6.0.9 Geetest Inc.", ".gt_popup_ready", "protocol", "mode", "addEventListener", "hb", "hoverChange", "Vb", "split", "驗證通過:", ".gt_box_holder", "fEkexGxOwUyY", "endTime", "msTransition", "canvas", "Base", "show_delay", "传参错误:", "none", "number", "o", "coeff", "幫助", "all", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789()", "forbidden", "SvgError", "Benchmark", "fromNumber", "Forbidden", "curtain", "b1", "Ab", "尝试过多:", "請先完成下方驗證", "/js", "destroy", "Microsoft Internet Explorer", "serial", "offsetTop", "cx", "curtain_knob", "コメント", "getElementsByTagName", "null", "className", "getPasstime", "ta", "autoRefresh", "charAt", "\"", "!", "Gyro", "zh-tw", "]", "webkitTransition", "Qb", "확인하기 위해 여기로 이동", "Wow~ Monster eats the image", "innerText", "/gt-dist", "drShiftTo", "e", "loading...", "回報問題", "toFixed", "count秒後もう一度やり直してください", ".webp", "帮助反馈", "gt", "d", "async", "小怪物吃掉了拼圖 count 秒後重試", "passtime", "contains", "h", "enable", "もう一度やり直してください", "toString", "once", "Flow", "value", "GeeTest Error: request ", "onload", "startTime", "negate", ".gt_popup_cross", "nextSibling", ".gt_guide_tip", "UTF-8", "va", "กดค้างและลากเพื่อต่อภาพให้สมบูรณ์", "更新驗證圖", "2d", "abs", " lost!", "qa", "success", "apiserver", "Sa", "drawImage", "important", "enc", "", "parallel", ".gt_slider", "stylesheet", "loading", "Pkcs7", "help", "hasOwnProperty", "Base64", "modPowInt", "接口", "按住左邊滑塊，拖動完成上方拼圖", "CipherParams", "验证失败:", "gt_clean", "系统正在自动刷新图片", "createElement", "กรุณารอสักครู่", ".gt_curtain_button", "Drag the left slider to verify", "sigBytes", ".gt_input", "scroll", "img", "touchstart", "Browser", "0000000000000000", "svg ", "_https", "Event", "A", "You will be redirected in 2 seconds", "styleDetectEle", ".gt_flash", ".gt_box", "content", "MSPointerUp", "Ha", ".gt_slider_knob", "blockSize", "//", "FV", ".js", "Ka", "getModule", ".jpg", "encryptBlock", "WordArray", "BufferedBlockAlgorithm", "Excessive:", "kb", "processBlock", "J", "Aa", "jQuery", "refresh error", "點擊上圖並沿路線滑至終點", "onmousemove", ",", "fromCharCode", "static.geetest.com", "default", "gt_ajax_tip gt_", "finalize", "/static/js/", "もう一度:", "self", "按住左边滑块，拖动完成上方拼图", "error", ".gt_info_icon", "q", "paddingBottom", "불러오는 중...", "I", "}", "offline", "Loaded", "squareTo", "filter", "invDigit", "다음 인증을 완성하세요", "exp", "panelHeight", "statusChange", "global", "debugConfig", "Message too long for RSA", "reset", "eb", "gt_info_content", "hidden", "preventDefault", "_", "gt_info_tip gt_", "Utility", " gt_clone", "sec", "log", ".gt_curtain", "lang", "/pictures/gt/", "Pb", "za", "width", "no such resource: ", "type", "indexOf", "Success", "gt_hide", "mb", "backgroundImage", ".gt_info_text", "rp", "cb", "local_path", "驗證失敗:", "onRefresh", "push", "a.gt_box_tips", "message", "lib", "ログイン認証を行ってください", "-cn", "", "cloneDom", "載入中...", "setAttribute", "SVG", "i", "onSuccess", "系統正在更新圖片", ".gt_logo_button", "WebPLoaded", "stuvwxyz~", "undefined", "object", "Cipher", "count", ".", "bitLength", "Encryptor", "next", "lb", "xb", "Cb", "页面将在2秒后跳转", ".gt_curtain_tip", "!!", ".gt_cut_bg", ".gt_cut_curtain", "getBoundingClientRect", "can not loaded imgs", "-tw", "Y", "2秒後でリダイレクトします", "g", "retry", "click", "height", "max", "反馈", "B", "ypos", "กำลังดาวน์โหลด...", "module ", "pad", "a.gt_bg", "callback", "getComputedStyle", "refresh", ".gt_loading", ".gt_help_tips", "Netscape", "inline-block", "deviceorientation", "use strict", "http://", "hideDelay", "document", "$", "wa", "margin-left", "6_11_7_10_4_12_3_1_0_5_2_9_8", "F1", "floor", "Jb", "loaded_theme", "กรุณาปิดและเปิดใหม่อีกครั้ง", "slide", ".gt_bg", "https://", "REFb0UEJ", "prototype", "crypto", "gt_holder gt_", "yb", "divRemTo", "pointermove", "p", "Wa", "referer_encode", "compareTo", "challenge", ".geetest_validate", "エラーです:", "words", "define", "Info", "Fullpage", "a.gt_curtain", "doPublic", "onAbuse", ".gt_mask", "Db", "pointerdown", ".geetest_seccode", "S", "visible", ".css", "_a", "style", "geetest_seccode", "getImageData", "点击上图按钮并沿道路拖动到终点处", "clamp", "splice", "Utf8", ".gt_cut_fullbg", "zh-cn", "/refresh.php", "Ma", "버튼 드리그하여 인증하세요", "a.gt_help_button", ".gt_curtain_bg", "DM", "charCodeAt", "startY", "移动到此开始验证", "Ta", "setFloat", "$a", "ONE", "|", "hide_delay", "input.geetest_seccode", "touchend", "on", "onError", "id", "\":", "Ba", "Please try again later", "clientX", "gtError", "substr", "cursor", "move", "getLang", "call", "data:image/webp;base64,UklGRi4AAABXRUJQVlA4TCEAAAAvAUAAEB8wAiMwAgSSNtse/cXjxyCCmrYNWPwmHRH9jwMA", "Latin1", "zb", "product", "removeAttribute", "moveHandler", "childNodes", "convert", "BlockCipher", "getContext", "vb", "gt_moving", "bg", "benchmark", "pointerup", "ib", "Xa", "mpl", "hideRefresh", "Ra", "srcElement", "ab", "slice", "gt_holder gt_mobile_holder gt_", "_blank", "불러오는 중", "a.gt_logo_button", "staticservers", "ล้มเหลว:", "db", "subTo", "concat", "MSPointerMove", "exports", "getValidate", "読み込み中…", "Ga", "a.gt_fullbg", "script", "offsetParent", "removeChild", "boolean", "拖动滑块将悬浮图像正确拼合", "static_servers", "再来一次:", "padding", "0", "|jordan", "gt_no_logo", "geetest_challenge", "hk", "Offline", "md5", "scale", "Invalid RSA public key", ")", "name", "อุ๊ย! ต่อภาพไม่ถูกต้องกรุณาลองใหม่", "c", "eles", ".gt_ajax_tip", "input", "u", "Ja", "/style", "BlockCipherMode", "Ea", "function", "onForbidden", "Eb", "detachEvent", "theme", "갱신", "link", "Global", "gt_cut_", "Unsuccessful:", "button", "offsetLeft", "charset", "Geetest requires a window with a document", "complete", "dn-staticdown.qbox.me", "길을 따라 버튼을 드래그", " ", "Refresh", ".gt_widget", ".gt_popup_wrap", "cfg", "onFail", "appendTo", "Modules", "pow", "jb", "shell", "outerHTML", "init", "gt_custom_ajax", "startX", "in", ".gt_bottom", "float", "Decoder", "setProperty", "am", "gt_custom_refresh", "ms-touch-action", "toRadix", "gJSON", "iy", "join", "加载中...", "Ia", "1234567890.", "extend", "px ", "認証が完了しました", "appName", "callbackError", "ajax", "b", "{", "/static", "tb", "noConflict", "auto", "スライドして認証を完成させてください", "fail", "down", "ready", "rShiftTo", "mt2", "body", "Complete the puzzles", "N", "removeEventListener", "lShiftTo", "_slice", "รีเฟรช", "xa", "api_server", "fFtZ0VaY4Gg.", "geetest_", "reduce", "请先完成下方验证", "n", "Rb", "gt_animate", "status", "mph", "認証完了:", "260px", "na", "touch-action", "parentNode", "getElementById", "验证通过:", "mouseup", "createTextNode", "logo", "/skin.", "feedback", "https", "ระบบกำลังดำเนินการเปลี่ยนภาพใหม่", "Slide", ".geetest_challenge", "Request", "input.geetest_challenge", "abuse", "dmq1", ".svg", "Va", "0123456789abcdefghijklmnopqrstuvwxyz", "overflow", "画像更新", "Gb", "dmp1", "DOMReady", "gyroscope", "target", "popup_ready", "span", "Curtain", ".gt_help_button", "AES", "sb", "rel", "頁面將在2秒後跳轉", "sqrTo", "loaded", "자동재행 중", "Complete verification below", "ELEMENT_NODE", "Fail", "j", "isArray", "Analyse", "gt_info_type", "readyState", "Dom", "Server is refreshing the image", "ix", "http://www.geetest.com/contact#report", "webp", "clientWidth", "Support", "event", "Ua", "validate", "hide", "popup_copy_btn", "div", "Bb", "up", "revert", "test", "toLowerCase", "encrypt", "&", "innerHTML", "api.geetest.com", "url(", "m", "인증성공", "handlerList", ".png", "哇哦～怪物吃了拼图 count 秒后重试", "zoom", "ob", "請將懸浮圖片拼合", "currentStyle", "fullpage", "mousemove", "mozTransition", "clean", "ciphertext", "dom", "請關閉驗證後重試", "returnValue", "insertBefore", "C", "Mb", "compareDocumentPosition", "popupbtnid", "sa", "score", "Za", "F2", "getPropertyValue", "CBC", "cloneNode", "fromRadix", "transition", "bindOn", "origin_", "popup_finish", "valueOf", "ヘルプ", "Sb", "end", "Feedback", "再來一次:", "認証失敗:", "res", "ここから認証を始めます", "mulTo", "getTime", "请关闭验证重试", ".gt_info", "qb", ".gt_popup_header", " skin.js can not loaded", "Fa", "パズルを合わせてください", ".gt_popup_box", "6.0.9", "infoHide", "touchmove", "Animate", "Move here to verify", "Drag the button along the road", "=", "arr", "disable", " can not loaded", "tw", ".gt_slice", "iv", "moving", "Tool", "dlShiftTo", "Server Error:", "format", ".gt_fullbg", ".gt_loading_icon", "/", "mixIn", "t", "string", "a", ".gt_cut_", ".gt_box_tips", "focus", ".gt_ie_success", "l", "min", "Popup", "nodeType", "-", "Ib", "rb", "backgroundPosition", "[", "px", ".gt_info_tip", "golden", "ช่วยเหลือ", "enablePopup", "문의", "[object Array]", "SerializableCipher", "sec 秒的速度超过 score% 的用户", "#", "mobile", "createEncryptor", "Fb", "display", "appendChild", "setPublic", "ceil", "mp", "Anonymous", "href", "ZERO", "กรุณาดำเนินการตรวจสอบด้านล่าง", "mobileSkins", "wb", "onReady", "GeeTestSkins", "clientY", ".gt_curtain_knob", "Lb", "sandbox", "um", "version", "\")", "src", "出現錯誤:", "Kb", "다시 시도하세요", "head", "Da", "嘗試過多次:"]content = ''# 以geetest609_1.js(该文件内容已经处理过十六进制字符串)为基础进行替换with open('geetest609_1.js','r+',encoding='utf8') as f:content = f.read()# 利用整理匹配出需要替换的地方，并替换成M对应索引的值c8z = re.findall(r'(M9r\.C8z\((\d+?)\))',content)for (name,num) in c8z:content = content.replace(name,'"'+M[int(num)]+'"')r8z = re.findall(r'(M9r\.R8z\((\d+?)\))',content)for (name,num) in r8z:content = content.replace(name,'"'+M[int(num)]+'"')for (name,num) in re.findall(r'(T9r\.C8z\((\d+?)\))',content):content = content.replace(name,'"'+M[int(num)]+'"')for (name,num) in re.findall(r'(T9r\.R8z\((\d+?)\))',content):content = content.replace(name,'"'+M[int(num)]+'"')# js中 var T9r = B2BB;,则把T9r.替换成B2BB. 方便进行下一步数据处理if 'T9r.' in content and 'var T9r = B2BB;' in content:content = content.replace('T9r.', 'B2BB.')# js中 var M9r = B2BB;,则把M9r.替换成B2BB. 方便进行下一步数据处理if 'M9r.' in content and 'var M9r = B2BB;' in content:content = content.replace('M9r.', 'B2BB.')# 将处理后的js内容，记录在geetest609_2.js中with open('geetest609_2.js','w+',encoding='utf8') as f:f.write(content)

经过这步处理，在js中，已经看不到如 M9r.R8z(),T9r.C8z(),T9r.R8z() 此类的标识了

3. case: M9r.k9r()[21][33][21]类型的解码

其调用js为

// js 文件 第158行var T9r = B2BB;
// 第188行 var M9r = B2BB;function B2BB() {}
B2BB.L9r = function() {return typeof B2BB.y9r.F === 'function' ? B2BB.y9r.F.apply(B2BB.y9r, arguments) : B2BB.y9r.F;
}
;
B2BB.X9z = 3;
B2BB.k9r = function() {return typeof B2BB.y9r.F === 'function' ? B2BB.y9r.F.apply(B2BB.y9r, arguments) : B2BB.y9r.F;
}
;
B2BB.y9r = function() {var c = 2;while (c !== 1) {switch (c) {case 2:return {F: function M(m, P) {var D = 2;while (D !== 10) {switch (D) {case 13:d -= 1;D = 6;break;case 8:D = R < m ? 7 : 11;break;case 7:var d = m - 1;D = 6;break;case 1:var l = 0;D = 5;break;case 3:l += 1;D = 5;break;case 11:return J;D = 10;break;case 14:J[R][(d + P * R) % m] = J[d];D = 13;break;case 9:var R = 0;D = 8;break;case 6:D = d >= 0 ? 14 : 12;break;case 4:J[(l + P) % m] = [];D = 3;break;case 2:var J = [];D = 1;break;case 5:D = l < m ? 4 : 9;break;case 12:R += 1;D = 8;break;}}}(48, 14)};c = 1;break;}}
}();

同样，在return J; 之前添加console.log(J);打印下J的值

发现返回的是数组对象，M9r.k9r()[21][33][21]则表示列表中的某个元素,我们当然希望case后能跟一个数字，所以此时想到用数组的下标作为元素的值，因为索引能保证唯一性，另外，我们最后是要用python来替换js文件中的各种M9r.k9r()[21][33][21]标识，因此我对js进行了简单的改造，让我能够通过python，传入要查询元素的索引列表（如[21,33,21]），找到该元素值在列表中的索引位置

function M(m, P) {var D = 2;while (D !== 10) {switch (D) {case 13:d -= 1;D = 6;break;case 8:D = R < m ? 7 : 11;break;case 7:var d = m - 1;D = 6;break;case 1:var l = 0;D = 5;break;case 3:l += 1;D = 5;break;case 11:return J;D = 10;break;case 14:J[R][(d + P * R) % m] = J[d];D = 13;break;case 9:var R = 0;D = 8;break;case 6:D = d >= 0 ? 14 : 12;break;case 4:J[(l + P) % m] = [];D = 3;break;case 2:var J = [];D = 1;break;case 5:D = l < m ? 4 : 9;break;case 12:R += 1;D = 8;break;}}
};function get_y9r(indexs){var H = M(48, 14);var temp = H;for (i = 0; i < indexs.length; i++) {temp = temp[indexs[i]];}// console.log(H.indexOf(temp));return H.indexOf(temp);
};var H = M(48, 14);
console.log(H.indexOf(H[21][33][21]));
console.log(get_y9r([21,33,21]));

利用python的execjs包，调用该段js

def get_y9r(indexs):jscontent = """function M(m, P) {var D = 2;while (D !== 10) {switch (D) {case 13:d -= 1;D = 6;break;case 8:D = R < m ? 7 : 11;break;case 7:var d = m - 1;D = 6;break;case 1:var l = 0;D = 5;break;case 3:l += 1;D = 5;break;case 11:return J;D = 10;break;case 14:J[R][(d + P * R) % m] = J[d];D = 13;break;case 9:var R = 0;D = 8;break;case 6:D = d >= 0 ? 14 : 12;break;case 4:J[(l + P) % m] = [];D = 3;break;case 2:var J = [];D = 1;break;case 5:D = l < m ? 4 : 9;break;case 12:R += 1;D = 8;break;}}};function get_y9r(indexs){var H = M(48, 14);var temp = H;for (i = 0; i < indexs.length; i++) {temp = temp[indexs[i]];}// console.log(H.indexOf(temp));return H.indexOf(temp);};var H = M(48, 14);// lists = H;console.log(H.indexOf(H[31][29][21][21]));// console.log(get_y9r([7,28,6]));"""# with open('y9r.js','r+',encoding='utf8') as f:#     jscontent = f.read()ctx = execjs.compile(jscontent)results = ctx.call("get_y9r",indexs)# print(ctx.call("get_y9r",[7,28,16]))return int(results)print(get_y9r([21,33,21]))

输出27，和浏览器测试输出一致，此时我们利用python 正则表达式，将B2BB.k9r()[13][17][21]此类转换成其索引值

def replace_y9r():content = ''replace_lists = []# 按行读取geetest609_2.js文件with open('geetest609_2.js', 'r+', encoding='utf8') as f:content = f.readlines()# 按行处理,形成要替换的如'B2BB.k9r()[13][17][21]'和对应值的对照关系列表for con in content:temp = re.findall(r'(B2BB.(L9r|k9r)\(\)(\[\d+\])+)', con)if temp:# temp = [('B2BB.k9r()[13][17][21]', 'k9r', '[21]')] for (b2bb,lrkr,num) in temp:indexs = list(map(lambda x:int(x),re.findall(r'\[(\d+)\]', b2bb)))# indexs = [13, 17, 21]y9r = get_y9r(indexs)# y9r = 27replace_lists.append((b2bb,y9r))# 对结果列表按照待替换字符串(如'B2BB.k9r()[13][17][21]')的长度进行降序排序# 不排序则可能会导致B2BB.k9r()[13][17][21][20]的值呗B2BB.k9r()[13][17][21]替换掉replace_lists = sorted(replace_lists,key=lambda x:len(x[0]),reverse=True)# 读取geetest609_2.js文件内容，准备替换字符串with open('geetest609_2.js', 'r+', encoding='utf8') as f:content = f.read()# 替换字符串和对应的值for (b2bb,y9r) in replace_lists:content = content.replace(b2bb,str(y9r))# 将替换后内容写入文本geetest609_3.jswith open('geetest609_3.js', 'w+', encoding='utf8') as f:f.write(content)

这个过程大概需要4-5分钟，至此，三种方式均已完成解密，截图对比下，会发现可读性强了很多
最后，附上完整的python3代码

#!/usr/bin/env python
# -*- coding: utf-8 -*-# @Time    : 2019/7/22 10:50
# @File    : js_opera
# @Software: PyCharm
# @Description :处理Geetest混淆import  re
import  execjsdef get_y9r(indexs):jscontent = """function M(m, P) {var D = 2;while (D !== 10) {switch (D) {case 13:d -= 1;D = 6;break;case 8:D = R < m ? 7 : 11;break;case 7:var d = m - 1;D = 6;break;case 1:var l = 0;D = 5;break;case 3:l += 1;D = 5;break;case 11:return J;D = 10;break;case 14:J[R][(d + P * R) % m] = J[d];D = 13;break;case 9:var R = 0;D = 8;break;case 6:D = d >= 0 ? 14 : 12;break;case 4:J[(l + P) % m] = [];D = 3;break;case 2:var J = [];D = 1;break;case 5:D = l < m ? 4 : 9;break;case 12:R += 1;D = 8;break;}}};function get_y9r(indexs){var H = M(48, 14);var temp = H;for (i = 0; i < indexs.length; i++) {temp = temp[indexs[i]];}// console.log(H.indexOf(temp));return H.indexOf(temp);};var H = M(48, 14);// lists = H;console.log(H.indexOf(H[31][29][21][21]));// console.log(get_y9r([7,28,6]));"""# with open('y9r.js','r+',encoding='utf8') as f:#     jscontent = f.read()ctx = execjs.compile(jscontent)results = ctx.call("get_y9r",indexs)# print(ctx.call("get_y9r",[7,28,16]))return int(results)
def replace_y9r():content = ''replace_lists = []# 按行读取geetest609_2.js文件with open('geetest609_2.js', 'r+', encoding='utf8') as f:content = f.readlines()# 按行处理,形成要替换的如'B2BB.k9r()[13][17][21]'和对应值的对照关系列表for con in content:temp = re.findall(r'(B2BB.(L9r|k9r)\(\)(\[\d+\])+)', con)if temp:# temp = [('B2BB.k9r()[13][17][21]', 'k9r', '[21]')] for (b2bb,lrkr,num) in temp:indexs = list(map(lambda x:int(x),re.findall(r'\[(\d+)\]', b2bb)))# indexs = [13, 17, 21]y9r = get_y9r(indexs)# y9r = 27replace_lists.append((b2bb,y9r))# 对结果列表按照待替换字符串(如'B2BB.k9r()[13][17][21]')的长度进行降序排序# 不排序则可能会导致B2BB.k9r()[13][17][21][20]的值呗B2BB.k9r()[13][17][21]替换掉replace_lists = sorted(replace_lists,key=lambda x:len(x[0]),reverse=True)# 读取geetest609_2.js文件内容，准备替换字符串with open('geetest609_2.js', 'r+', encoding='utf8') as f:content = f.read()# 替换字符串和对应的值for (b2bb,y9r) in replace_lists:content = content.replace(b2bb,str(y9r))# 将替换后内容写入文本geetest609_3.jswith open('geetest609_3.js', 'w+', encoding='utf8') as f:f.write(content)def replace_z8z():# 运行js ，拿到M的值M = ["fullbg", "create", "bb", "show", "homepage", "attachEvent", "s", "geetest_style_detect_178273px", "a.gt_refresh_button", "()*,-./0123456789:?@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqr", "MSPointerDown", "onStatusChange", "random", "fb", "ボタンを終点までドラックしてください", "sec 秒的速度超過 score% 的用戶", ".gt_refresh_button", "178273px", "pictures", "gt_custom_error", "fromString", "10001", "00C1E3934D1614465B33053E7F48EE4EC87B14B95EF88947713D25EECBFF7E74C7977D02DC1D9451F79DD5D1C10C29ACB6A9B4D6FB7D0A0279B6719E1772565F09AF627715919221AEF91899CAE08C0D686D748B20A3603BE2318CA6BC2B59706592A9219D0BF05C9F65023A21D2330807252AE0066D59CEEFA5F2748EA80BAB81", "parse", "querySelector", "x", "substring", "$super", "evts", "pb", "Ob", "b2", "La", "Abuse", "滑動至此完成驗證", "&callback=", "domSelectorError", "인증실패", "userAgent", "DomEvent", "length", "onerror", "http://www.geetest.com/first_page", "geetest_validate", "xpos", "crossOrigin", "Oa", "round", "unload", "画像が更新されています", "onreadystatechange", "Input", "Data", "nextBytes", "/static/", "สำเร็จ ความเร็ว sec วินาที เร็วมากๆ", "getRandomValues", "Try Again:", "/gt-dist/local", "ya", "progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\"", "Ya", "gb", "left", "Geetest", "upHandler", "algo", "DB", "putImageData", "Success:", "Arr", "Nb", "onGeetestLoaded", "javascript:;", "top", "Take secs and defeat score% users", "?", "lock", "mod", "กดและลากเพื่อประกอบภาพ", "zh", "zh-CN", "blur", ".gt_curtain_bg_wrap", "y", "\"", "apply", ".gt_loading_text", ".gt_holder_top", "mousedown", " can not access", "3.2.0", "Ub", "DV", "fromInt", "isEven", "ub", "multiplyTo", "Tip", "刷新验证", "cy", "popup", "imgload", "replace", "gt_show", "stringify", ".gt_refresh_tips", ".gt_popup_finish", "changedTouches", "theme_version", "r", "Pa", "input.geetest_validate", "copyTo", "touchcancel", "Qa", "M", "popup_btn", "Na", "出现错误:", "v6.0.9 Geetest Inc.", ".gt_popup_ready", "protocol", "mode", "addEventListener", "hb", "hoverChange", "Vb", "split", "驗證通過:", ".gt_box_holder", "fEkexGxOwUyY", "endTime", "msTransition", "canvas", "Base", "show_delay", "传参错误:", "none", "number", "o", "coeff", "幫助", "all", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789()", "forbidden", "SvgError", "Benchmark", "fromNumber", "Forbidden", "curtain", "b1", "Ab", "尝试过多:", "請先完成下方驗證", "/js", "destroy", "Microsoft Internet Explorer", "serial", "offsetTop", "cx", "curtain_knob", "コメント", "getElementsByTagName", "null", "className", "getPasstime", "ta", "autoRefresh", "charAt", "\"", "!", "Gyro", "zh-tw", "]", "webkitTransition", "Qb", "확인하기 위해 여기로 이동", "Wow~ Monster eats the image", "innerText", "/gt-dist", "drShiftTo", "e", "loading...", "回報問題", "toFixed", "count秒後もう一度やり直してください", ".webp", "帮助反馈", "gt", "d", "async", "小怪物吃掉了拼圖 count 秒後重試", "passtime", "contains", "h", "enable", "もう一度やり直してください", "toString", "once", "Flow", "value", "GeeTest Error: request ", "onload", "startTime", "negate", ".gt_popup_cross", "nextSibling", ".gt_guide_tip", "UTF-8", "va", "กดค้างและลากเพื่อต่อภาพให้สมบูรณ์", "更新驗證圖", "2d", "abs", " lost!", "qa", "success", "apiserver", "Sa", "drawImage", "important", "enc", "", "parallel", ".gt_slider", "stylesheet", "loading", "Pkcs7", "help", "hasOwnProperty", "Base64", "modPowInt", "接口", "按住左邊滑塊，拖動完成上方拼圖", "CipherParams", "验证失败:", "gt_clean", "系统正在自动刷新图片", "createElement", "กรุณารอสักครู่", ".gt_curtain_button", "Drag the left slider to verify", "sigBytes", ".gt_input", "scroll", "img", "touchstart", "Browser", "0000000000000000", "svg ", "_https", "Event", "A", "You will be redirected in 2 seconds", "styleDetectEle", ".gt_flash", ".gt_box", "content", "MSPointerUp", "Ha", ".gt_slider_knob", "blockSize", "//", "FV", ".js", "Ka", "getModule", ".jpg", "encryptBlock", "WordArray", "BufferedBlockAlgorithm", "Excessive:", "kb", "processBlock", "J", "Aa", "jQuery", "refresh error", "點擊上圖並沿路線滑至終點", "onmousemove", ",", "fromCharCode", "static.geetest.com", "default", "gt_ajax_tip gt_", "finalize", "/static/js/", "もう一度:", "self", "按住左边滑块，拖动完成上方拼图", "error", ".gt_info_icon", "q", "paddingBottom", "불러오는 중...", "I", "}", "offline", "Loaded", "squareTo", "filter", "invDigit", "다음 인증을 완성하세요", "exp", "panelHeight", "statusChange", "global", "debugConfig", "Message too long for RSA", "reset", "eb", "gt_info_content", "hidden", "preventDefault", "_", "gt_info_tip gt_", "Utility", " gt_clone", "sec", "log", ".gt_curtain", "lang", "/pictures/gt/", "Pb", "za", "width", "no such resource: ", "type", "indexOf", "Success", "gt_hide", "mb", "backgroundImage", ".gt_info_text", "rp", "cb", "local_path", "驗證失敗:", "onRefresh", "push", "a.gt_box_tips", "message", "lib", "ログイン認証を行ってください", "-cn", "", "cloneDom", "載入中...", "setAttribute", "SVG", "i", "onSuccess", "系統正在更新圖片", ".gt_logo_button", "WebPLoaded", "stuvwxyz~", "undefined", "object", "Cipher", "count", ".", "bitLength", "Encryptor", "next", "lb", "xb", "Cb", "页面将在2秒后跳转", ".gt_curtain_tip", "!!", ".gt_cut_bg", ".gt_cut_curtain", "getBoundingClientRect", "can not loaded imgs", "-tw", "Y", "2秒後でリダイレクトします", "g", "retry", "click", "height", "max", "反馈", "B", "ypos", "กำลังดาวน์โหลด...", "module ", "pad", "a.gt_bg", "callback", "getComputedStyle", "refresh", ".gt_loading", ".gt_help_tips", "Netscape", "inline-block", "deviceorientation", "use strict", "http://", "hideDelay", "document", "$", "wa", "margin-left", "6_11_7_10_4_12_3_1_0_5_2_9_8", "F1", "floor", "Jb", "loaded_theme", "กรุณาปิดและเปิดใหม่อีกครั้ง", "slide", ".gt_bg", "https://", "REFb0UEJ", "prototype", "crypto", "gt_holder gt_", "yb", "divRemTo", "pointermove", "p", "Wa", "referer_encode", "compareTo", "challenge", ".geetest_validate", "エラーです:", "words", "define", "Info", "Fullpage", "a.gt_curtain", "doPublic", "onAbuse", ".gt_mask", "Db", "pointerdown", ".geetest_seccode", "S", "visible", ".css", "_a", "style", "geetest_seccode", "getImageData", "点击上图按钮并沿道路拖动到终点处", "clamp", "splice", "Utf8", ".gt_cut_fullbg", "zh-cn", "/refresh.php", "Ma", "버튼 드리그하여 인증하세요", "a.gt_help_button", ".gt_curtain_bg", "DM", "charCodeAt", "startY", "移动到此开始验证", "Ta", "setFloat", "$a", "ONE", "|", "hide_delay", "input.geetest_seccode", "touchend", "on", "onError", "id", "\":", "Ba", "Please try again later", "clientX", "gtError", "substr", "cursor", "move", "getLang", "call", "data:image/webp;base64,UklGRi4AAABXRUJQVlA4TCEAAAAvAUAAEB8wAiMwAgSSNtse/cXjxyCCmrYNWPwmHRH9jwMA", "Latin1", "zb", "product", "removeAttribute", "moveHandler", "childNodes", "convert", "BlockCipher", "getContext", "vb", "gt_moving", "bg", "benchmark", "pointerup", "ib", "Xa", "mpl", "hideRefresh", "Ra", "srcElement", "ab", "slice", "gt_holder gt_mobile_holder gt_", "_blank", "불러오는 중", "a.gt_logo_button", "staticservers", "ล้มเหลว:", "db", "subTo", "concat", "MSPointerMove", "exports", "getValidate", "読み込み中…", "Ga", "a.gt_fullbg", "script", "offsetParent", "removeChild", "boolean", "拖动滑块将悬浮图像正确拼合", "static_servers", "再来一次:", "padding", "0", "|jordan", "gt_no_logo", "geetest_challenge", "hk", "Offline", "md5", "scale", "Invalid RSA public key", ")", "name", "อุ๊ย! ต่อภาพไม่ถูกต้องกรุณาลองใหม่", "c", "eles", ".gt_ajax_tip", "input", "u", "Ja", "/style", "BlockCipherMode", "Ea", "function", "onForbidden", "Eb", "detachEvent", "theme", "갱신", "link", "Global", "gt_cut_", "Unsuccessful:", "button", "offsetLeft", "charset", "Geetest requires a window with a document", "complete", "dn-staticdown.qbox.me", "길을 따라 버튼을 드래그", " ", "Refresh", ".gt_widget", ".gt_popup_wrap", "cfg", "onFail", "appendTo", "Modules", "pow", "jb", "shell", "outerHTML", "init", "gt_custom_ajax", "startX", "in", ".gt_bottom", "float", "Decoder", "setProperty", "am", "gt_custom_refresh", "ms-touch-action", "toRadix", "gJSON", "iy", "join", "加载中...", "Ia", "1234567890.", "extend", "px ", "認証が完了しました", "appName", "callbackError", "ajax", "b", "{", "/static", "tb", "noConflict", "auto", "スライドして認証を完成させてください", "fail", "down", "ready", "rShiftTo", "mt2", "body", "Complete the puzzles", "N", "removeEventListener", "lShiftTo", "_slice", "รีเฟรช", "xa", "api_server", "fFtZ0VaY4Gg.", "geetest_", "reduce", "请先完成下方验证", "n", "Rb", "gt_animate", "status", "mph", "認証完了:", "260px", "na", "touch-action", "parentNode", "getElementById", "验证通过:", "mouseup", "createTextNode", "logo", "/skin.", "feedback", "https", "ระบบกำลังดำเนินการเปลี่ยนภาพใหม่", "Slide", ".geetest_challenge", "Request", "input.geetest_challenge", "abuse", "dmq1", ".svg", "Va", "0123456789abcdefghijklmnopqrstuvwxyz", "overflow", "画像更新", "Gb", "dmp1", "DOMReady", "gyroscope", "target", "popup_ready", "span", "Curtain", ".gt_help_button", "AES", "sb", "rel", "頁面將在2秒後跳轉", "sqrTo", "loaded", "자동재행 중", "Complete verification below", "ELEMENT_NODE", "Fail", "j", "isArray", "Analyse", "gt_info_type", "readyState", "Dom", "Server is refreshing the image", "ix", "http://www.geetest.com/contact#report", "webp", "clientWidth", "Support", "event", "Ua", "validate", "hide", "popup_copy_btn", "div", "Bb", "up", "revert", "test", "toLowerCase", "encrypt", "&", "innerHTML", "api.geetest.com", "url(", "m", "인증성공", "handlerList", ".png", "哇哦～怪物吃了拼图 count 秒后重试", "zoom", "ob", "請將懸浮圖片拼合", "currentStyle", "fullpage", "mousemove", "mozTransition", "clean", "ciphertext", "dom", "請關閉驗證後重試", "returnValue", "insertBefore", "C", "Mb", "compareDocumentPosition", "popupbtnid", "sa", "score", "Za", "F2", "getPropertyValue", "CBC", "cloneNode", "fromRadix", "transition", "bindOn", "origin_", "popup_finish", "valueOf", "ヘルプ", "Sb", "end", "Feedback", "再來一次:", "認証失敗:", "res", "ここから認証を始めます", "mulTo", "getTime", "请关闭验证重试", ".gt_info", "qb", ".gt_popup_header", " skin.js can not loaded", "Fa", "パズルを合わせてください", ".gt_popup_box", "6.0.9", "infoHide", "touchmove", "Animate", "Move here to verify", "Drag the button along the road", "=", "arr", "disable", " can not loaded", "tw", ".gt_slice", "iv", "moving", "Tool", "dlShiftTo", "Server Error:", "format", ".gt_fullbg", ".gt_loading_icon", "/", "mixIn", "t", "string", "a", ".gt_cut_", ".gt_box_tips", "focus", ".gt_ie_success", "l", "min", "Popup", "nodeType", "-", "Ib", "rb", "backgroundPosition", "[", "px", ".gt_info_tip", "golden", "ช่วยเหลือ", "enablePopup", "문의", "[object Array]", "SerializableCipher", "sec 秒的速度超过 score% 的用户", "#", "mobile", "createEncryptor", "Fb", "display", "appendChild", "setPublic", "ceil", "mp", "Anonymous", "href", "ZERO", "กรุณาดำเนินการตรวจสอบด้านล่าง", "mobileSkins", "wb", "onReady", "GeeTestSkins", "clientY", ".gt_curtain_knob", "Lb", "sandbox", "um", "version", "\")", "src", "出現錯誤:", "Kb", "다시 시도하세요", "head", "Da", "嘗試過多次:"]content = ''# 以geetest609_1.js(该文件内容已经处理过十六进制字符串)为基础进行替换with open('geetest609_1.js','r+',encoding='utf8') as f:content = f.read()# 利用整理匹配出需要替换的地方，并替换成M对应索引的值c8z = re.findall(r'(M9r\.C8z\((\d+?)\))',content)for (name,num) in c8z:content = content.replace(name,'"'+M[int(num)]+'"')r8z = re.findall(r'(M9r\.R8z\((\d+?)\))',content)for (name,num) in r8z:content = content.replace(name,'"'+M[int(num)]+'"')for (name,num) in re.findall(r'(T9r\.C8z\((\d+?)\))',content):content = content.replace(name,'"'+M[int(num)]+'"')for (name,num) in re.findall(r'(T9r\.R8z\((\d+?)\))',content):content = content.replace(name,'"'+M[int(num)]+'"')# js中 var T9r = B2BB;,则把T9r.替换成B2BB. 方便进行下一步数据处理if 'T9r.' in content and 'var T9r = B2BB;' in content:content = content.replace('T9r.', 'B2BB.')# js中 var M9r = B2BB;,则把M9r.替换成B2BB. 方便进行下一步数据处理if 'M9r.' in content and 'var M9r = B2BB;' in content:content = content.replace('M9r.', 'B2BB.')# 将处理后的js内容，记录在geetest609_2.js中with open('geetest609_2.js','w+',encoding='utf8') as f:f.write(content)# print (c8z)def parse16():content = ''with open('geetest609.js','r+',encoding='utf8') as f:content = f.read()pattern = re.compile(r'\\x[a-zA-Z0-9]{2}')for i in pattern.findall(content):content = content.replace(i,i.encode('utf-8').decode('unicode_escape'))print(content)with open('geetest609_1.js','w+',encoding='utf8') as f:f.write(content)def main():# replace_z8z()# parse16()# parse16()# get_M()# replace_y9r()# print(get_y9r([21,33,21]))replace_y9r()if __name__ == '__main__':main()

总结

我们针对三种不同方式的混淆方式进行了解密，替换成可读文本

js调试和阅读均需要很大的耐心，一定要耐住性子

本地最好装一个nodejs环境，方便调试js，当然，用Google浏览器的console窗口也是可以的

要懂得利用自己的技能和工具，为自己做事情，制造便捷。

这么劳心费神的搞这一步，对后面js调试和理解js逻辑，以及改写成python版本，太有帮助了，也算是值得把

接下来，我们会先介绍’userresponse’, ‘passtime’, ‘imgload’, ‘aa’, 'ep’参数的js处理，并通过这几个参数，了解将js转换成python代码

文档仅作学习和记录使用，请不要用于商业和违法用途，如有侵权，请告知删除。