
浅析 天涯论坛 回复验证策略

2024-04-27 14:24:02
来源:转载
供稿:网友

浅析 天涯论坛 回复验证策略

发帖没多久,算法就更新了,就算我重新分析,人家依然会更新,所以还是自己学着分析吧。

在现在这个 POST 技术满天飞的时代,防机器人确实是很头疼的一件事情。类似流量精灵这样的东西,它可以做到 100% 的真实信息、大批量的访问。当然今天不谈这些,只是分析下天涯论坛回复时的验证策略。

昨天谈到 packer 压缩,今天我们来看个实例吧。http://bbs.tianya.cn/m/reply.jsp?item=funinfo&id=4339425 这个是天涯论坛手机端的回复帖子页面,里面有一个关于回复验证的 js,就是用的 packer 压缩:http://static.tianyaui.com/global/ty/util/TY.util.userAction.js?v=201404111018

真心不知道他们是怎么想的,1秒还原大法。。。

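jQuery(function () {
  /*
   * Reply-form behaviour recorder (de-minified).
   *
   * Listens for focus, blur and key events on the reply inputs, keeps a short
   * trail of "what happened and when", and on blur (or when key code 17 is
   * seen) writes a token into a hidden form field named "action".
   *
   * Token layout, "|"-separated:
   *   trail | md5(trail + entries[0] + cookieId) | md5(fieldText + entries[0])
   *         | navigator.userAgent | "v2"
   *
   * NOTE(review): every input to the two digests is already held by the
   * client and the digest is plain, unkeyed MD5, so this token can only act
   * as a heuristic signal. Whatever the server does with it should sit next
   * to server-side controls (rate limiting, session checks) rather than
   * replace them.
   */

  // Selectors of the inputs being observed and the id of the hidden field.
  var WATCHED_FIELDS = "#textAreaContainer,#sendMsg_content,#msg_textarea";
  var TOKEN_FIELD_ID = "user_action";

  // Slot 0 holds the latest focus entry, slot 1 the latest click entry; all
  // other events rotate through slots 2..SLOT_LIMIT-1.
  var SLOT_LIMIT = 20;
  var FIRST_ROTATING_SLOT = 2;

  // Falsy selects lower-case hex digits in toHex().
  var HEX_UPPERCASE = 0;

  var entries = [];
  var lastEventTime = 0; // timestamp of the previous recorded event
  var firstEventTime = 0; // timestamp of the first recorded event
  var nextSlot = FIRST_ROTATING_SLOT;
  var sequence = 0; // running event counter embedded in every entry

  /**
   * Event handler: appends one entry to the trail and, on blur or key code
   * 17, refreshes the hidden token field.
   *
   * @param {jQuery.Event} event - delegated focus/blur/key event.
   */
  function recordAction(event) {
    // Text between "&id=" and the following "&" in document.cookie. When the
    // marker is missing indexOf() yields -1, so scanning starts at offset 3;
    // that quirk is kept as-is because the digest below depends on the value.
    var cookie = document.cookie;
    var rest = cookie.substr(cookie.indexOf("&id=") + "&id=".length);
    var end = rest.indexOf("&");
    var cookieId = end > 0 ? rest.slice(0, end) : "";
    if (cookieId === "") {
      cookieId = 8980291; // fallback constant used when no id was found
    }

    var $target = jQuery(event.target);
    var now = new Date().getTime();

    // The handler maps focusin/focusout back to focus/blur, then reduces the
    // type to one letter: b(lur), f(ocus), c(lick), d(own), p(ress), u(p).
    var type = event.type;
    if (type === "focusout") {
      type = "blur";
    } else if (type === "focusin") {
      type = "focus";
    }
    var code = type.replace("key", "").substring(0, 1);

    if (firstEventTime === 0) {
      firstEventTime = now;
    }
    if (nextSlot >= SLOT_LIMIT) {
      nextSlot = FIRST_ROTATING_SLOT;
    }

    // The slot is chosen (and nextSlot advanced) before the entry text is
    // built, so a blur entry records the already-advanced slot index.
    var slot;
    if (code === "c") {
      slot = 1;
    } else if (code === "f") {
      slot = 0;
    } else {
      slot = nextSlot++;
    }

    var detail;
    if (code === "c") {
      detail = event.pageX + ":" + event.pageY;
    } else if (code === "b") {
      detail = nextSlot;
    } else if (code === "f") {
      detail = firstEventTime;
    } else {
      detail = event.which;
    }

    // Click and focus are timed against the first event, everything else
    // against the previous event.
    var reference = code === "c" || code === "f" ? firstEventTime : lastEventTime;
    entries[slot] = code + sequence++ + "." + detail + "." + (now - reference);
    lastEventTime = now;

    if (code === "b" || event.which === 17) {
      // entries[0] is undefined until a focus event was seen; it is then
      // concatenated as the text "undefined", exactly as the page's code does.
      var trail = entries.join(",");
      var token =
        trail +
        "|" + md5Hex(trail + entries[0] + cookieId) +
        "|" + md5Hex($target.val() + entries[0]) +
        "|" + navigator.userAgent +
        "|v2";

      var $field = jQuery("#" + TOKEN_FIELD_ID);
      if ($field.length === 0) {
        // Set the value through attr()/val() instead of concatenating markup:
        // the token embeds navigator.userAgent, and a double quote inside it
        // would otherwise end the value attribute early.
        jQuery('<input type="hidden" />')
          .attr({ id: TOKEN_FIELD_ID, name: "action" })
          .val(token)
          .insertAfter($target);
      } else {
        $field.val(token);
      }
    }
  }

  /** Hex MD5 digest of the UTF-8 encoding of `text`. */
  function md5Hex(text) {
    return toHex(md5Raw(utf8Encode(text)));
  }

  /** MD5 of a byte string (one char per byte), returned as a byte string. */
  function md5Raw(bytes) {
    return wordsToBytes(md5Words(bytesToWords(bytes), 8 * bytes.length));
  }

  /** Hex-encodes a byte string, two digits per character code. */
  function toHex(bytes) {
    var digits = HEX_UPPERCASE ? "0123456789ABCDEF" : "0123456789abcdef";
    var out = "";
    var i;
    var value;
    for (i = 0; i < bytes.length; i++) {
      value = bytes.charCodeAt(i);
      out += digits.charAt((value >>> 4) & 15) + digits.charAt(value & 15);
    }
    return out;
  }

  /** Encodes a UTF-16 string as UTF-8, one output character per byte. */
  function utf8Encode(text) {
    var out = "";
    var i;
    var cp;
    var next;
    for (i = 0; i < text.length; i++) {
      cp = text.charCodeAt(i);
      next = i + 1 < text.length ? text.charCodeAt(i + 1) : 0;
      // Combine a high/low surrogate pair into a single code point.
      if (cp >= 0xd800 && cp <= 0xdbff && next >= 0xdc00 && next <= 0xdfff) {
        cp = 0x10000 + ((cp & 0x3ff) << 10) + (next & 0x3ff);
        i++;
      }
      if (cp <= 0x7f) {
        out += String.fromCharCode(cp);
      } else if (cp <= 0x7ff) {
        out += String.fromCharCode(0xc0 | ((cp >>> 6) & 0x1f), 0x80 | (cp & 0x3f));
      } else if (cp <= 0xffff) {
        out += String.fromCharCode(
          0xe0 | ((cp >>> 12) & 0x0f),
          0x80 | ((cp >>> 6) & 0x3f),
          0x80 | (cp & 0x3f)
        );
      } else if (cp <= 0x1fffff) {
        out += String.fromCharCode(
          0xf0 | ((cp >>> 18) & 0x07),
          0x80 | ((cp >>> 12) & 0x3f),
          0x80 | ((cp >>> 6) & 0x3f),
          0x80 | (cp & 0x3f)
        );
      }
    }
    return out;
  }

  /** Packs a byte string into little-endian 32-bit words. */
  function bytesToWords(bytes) {
    var words = Array(bytes.length >> 2);
    var i;
    for (i = 0; i < words.length; i++) {
      words[i] = 0;
    }
    for (i = 0; i < 8 * bytes.length; i += 8) {
      words[i >> 5] |= (bytes.charCodeAt(i / 8) & 255) << (i % 32);
    }
    return words;
  }

  /** Unpacks little-endian 32-bit words into a byte string. */
  function wordsToBytes(words) {
    var out = "";
    var i;
    for (i = 0; i < 32 * words.length; i += 8) {
      out += String.fromCharCode((words[i >> 5] >>> (i % 32)) & 255);
    }
    return out;
  }

  /**
   * MD5 compression over little-endian words: four rounds of sixteen steps
   * per 512-bit block. Pads `x` in place.
   *
   * @param {number[]} x - message words (modified by the padding step).
   * @param {number} bitLength - message length in bits.
   * @returns {number[]} the four 32-bit state words.
   */
  function md5Words(x, bitLength) {
    var a = 1732584193;
    var b = -271733879;
    var c = -1732584194;
    var d = 271733878;
    var i;
    var oldA;
    var oldB;
    var oldC;
    var oldD;

    // Padding: a single 1 bit after the message, then the bit length.
    x[bitLength >> 5] |= 128 << (bitLength % 32);
    x[(((bitLength + 64) >>> 9) << 4) + 14] = bitLength;

    for (i = 0; i < x.length; i += 16) {
      oldA = a;
      oldB = b;
      oldC = c;
      oldD = d;

      a = ff(a, b, c, d, x[i + 0], 7, -680876936);
      d = ff(d, a, b, c, x[i + 1], 12, -389564586);
      c = ff(c, d, a, b, x[i + 2], 17, 606105819);
      b = ff(b, c, d, a, x[i + 3], 22, -1044525330);
      a = ff(a, b, c, d, x[i + 4], 7, -176418897);
      d = ff(d, a, b, c, x[i + 5], 12, 1200080426);
      c = ff(c, d, a, b, x[i + 6], 17, -1473231341);
      b = ff(b, c, d, a, x[i + 7], 22, -45705983);
      a = ff(a, b, c, d, x[i + 8], 7, 1770035416);
      d = ff(d, a, b, c, x[i + 9], 12, -1958414417);
      c = ff(c, d, a, b, x[i + 10], 17, -42063);
      b = ff(b, c, d, a, x[i + 11], 22, -1990404162);
      a = ff(a, b, c, d, x[i + 12], 7, 1804603682);
      d = ff(d, a, b, c, x[i + 13], 12, -40341101);
      c = ff(c, d, a, b, x[i + 14], 17, -1502002290);
      b = ff(b, c, d, a, x[i + 15], 22, 1236535329);

      a = gg(a, b, c, d, x[i + 1], 5, -165796510);
      d = gg(d, a, b, c, x[i + 6], 9, -1069501632);
      c = gg(c, d, a, b, x[i + 11], 14, 643717713);
      b = gg(b, c, d, a, x[i + 0], 20, -373897302);
      a = gg(a, b, c, d, x[i + 5], 5, -701558691);
      d = gg(d, a, b, c, x[i + 10], 9, 38016083);
      c = gg(c, d, a, b, x[i + 15], 14, -660478335);
      b = gg(b, c, d, a, x[i + 4], 20, -405537848);
      a = gg(a, b, c, d, x[i + 9], 5, 568446438);
      d = gg(d, a, b, c, x[i + 14], 9, -1019803690);
      c = gg(c, d, a, b, x[i + 3], 14, -187363961);
      b = gg(b, c, d, a, x[i + 8], 20, 1163531501);
      a = gg(a, b, c, d, x[i + 13], 5, -1444681467);
      d = gg(d, a, b, c, x[i + 2], 9, -51403784);
      c = gg(c, d, a, b, x[i + 7], 14, 1735328473);
      b = gg(b, c, d, a, x[i + 12], 20, -1926607734);

      a = hh(a, b, c, d, x[i + 5], 4, -378558);
      d = hh(d, a, b, c, x[i + 8], 11, -2022574463);
      c = hh(c, d, a, b, x[i + 11], 16, 1839030562);
      b = hh(b, c, d, a, x[i + 14], 23, -35309556);
      a = hh(a, b, c, d, x[i + 1], 4, -1530992060);
      d = hh(d, a, b, c, x[i + 4], 11, 1272893353);
      c = hh(c, d, a, b, x[i + 7], 16, -155497632);
      b = hh(b, c, d, a, x[i + 10], 23, -1094730640);
      a = hh(a, b, c, d, x[i + 13], 4, 681279174);
      d = hh(d, a, b, c, x[i + 0], 11, -358537222);
      c = hh(c, d, a, b, x[i + 3], 16, -722521979);
      b = hh(b, c, d, a, x[i + 6], 23, 76029189);
      a = hh(a, b, c, d, x[i + 9], 4, -640364487);
      d = hh(d, a, b, c, x[i + 12], 11, -421815835);
      c = hh(c, d, a, b, x[i + 15], 16, 530742520);
      b = hh(b, c, d, a, x[i + 2], 23, -995338651);

      a = ii(a, b, c, d, x[i + 0], 6, -198630844);
      d = ii(d, a, b, c, x[i + 7], 10, 1126891415);
      c = ii(c, d, a, b, x[i + 14], 15, -1416354905);
      b = ii(b, c, d, a, x[i + 5], 21, -57434055);
      a = ii(a, b, c, d, x[i + 12], 6, 1700485571);
      d = ii(d, a, b, c, x[i + 3], 10, -1894986606);
      c = ii(c, d, a, b, x[i + 10], 15, -1051523);
      b = ii(b, c, d, a, x[i + 1], 21, -2054922799);
      a = ii(a, b, c, d, x[i + 8], 6, 1873313359);
      d = ii(d, a, b, c, x[i + 15], 10, -30611744);
      c = ii(c, d, a, b, x[i + 6], 15, -1560198380);
      b = ii(b, c, d, a, x[i + 13], 21, 1309151649);
      a = ii(a, b, c, d, x[i + 4], 6, -145523070);
      d = ii(d, a, b, c, x[i + 11], 10, -1120210379);
      c = ii(c, d, a, b, x[i + 2], 15, 718787259);
      b = ii(b, c, d, a, x[i + 9], 21, -343485551);

      a = add32(a, oldA);
      b = add32(b, oldB);
      c = add32(c, oldC);
      d = add32(d, oldD);
    }
    return Array(a, b, c, d);
  }

  /** Shared step: b + rotl(a + q + x + t, s), all additions modulo 2^32. */
  function step(q, a, b, x, s, t) {
    return add32(rotl(add32(add32(a, q), add32(x, t)), s), b);
  }

  /** Round 1 step. */
  function ff(a, b, c, d, x, s, t) {
    return step((b & c) | (~b & d), a, b, x, s, t);
  }

  /** Round 2 step. */
  function gg(a, b, c, d, x, s, t) {
    return step((b & d) | (c & ~d), a, b, x, s, t);
  }

  /** Round 3 step. */
  function hh(a, b, c, d, x, s, t) {
    return step(b ^ c ^ d, a, b, x, s, t);
  }

  /** Round 4 step. */
  function ii(a, b, c, d, x, s, t) {
    return step(c ^ (b | ~d), a, b, x, s, t);
  }

  /** 32-bit addition done in 16-bit halves so the sum wraps at 2^32. */
  function add32(x, y) {
    var low = (x & 65535) + (y & 65535);
    var high = (x >> 16) + (y >> 16) + (low >> 16);
    return (high << 16) | (low & 65535);
  }

  /** Rotates a 32-bit value left by `count` bits. */
  function rotl(value, count) {
    return (value << count) | (value >>> (32 - count));
  }

  // jQuery event types are case-sensitive, so the key-press binding uses the
  // lower-case name "keypress".
  jQuery(document)
    .delegate(WATCHED_FIELDS, "blur", recordAction)
    .delegate(WATCHED_FIELDS, "keydown", recordAction)
    .delegate(WATCHED_FIELDS, "keypress", recordAction)
    .delegate(WATCHED_FIELDS, "keyup", recordAction)
    .delegate(WATCHED_FIELDS, "focus", recordAction);
});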

中间的加密算法可以忽略,可能是 md5 之类的算法(从代码里的四个初始常量和四轮各 16 步的结构看,它是标准 MD5,属于散列而不是加密),直接看这部分即可:

var j, a = [],    b = 0,    c = 0,    d = 2,    e = 0,    f = 20, // 以上是一些初始化    g = "#textAreaContainer,#sendMsg_content,#msg_textarea", // 输入区域    h = "user_action"; // 最终验证值放在ID为 user_action 的元素里jQuery(document).delegate(g, "blur", i).delegate(g, "keydown", i).delegate(g, "keypress", i).delegate(g, "keyup", i).delegate(g, "focus", i), j = 0;// 监听 g 变量里的元素,当 聚焦,失去焦点,键盘按下,抬起,按键 都会触发 i 函数。那详细的分析下 i 都做了些什么吧。function i(B) {    var D, l, n, C = document.cookie.substr(document.cookie.indexOf("&id=") + "&id=".length);    C = C.substr(0, C.indexOf("&")), C = "" == C ? 8980291 : C, D = jQuery(B.target), l =