网址：aHR0cHM6Ly93d3cuaXFpeWkuY29tLw==

一、整体流程分析
爱qiyi整个登录滑块流程主要分五步：

1、访问dfp_pcw/sign拿到dfp参数
2、访问login.action拿到token参数
3、访问sbox_init_key拿到sig,sid,sr参数
4、访问verifycenter/initpage拿到滑块相关数据(包括图片的地址以及还原图片的数组)
5、访问verifycenter/verify，然后"msg":"成功"即通过滑块

二、根据每个包需要的参数逐个跟栈

1、dfp_pcw/sign链接，加密参数为dim和sig，主要加密方式分别为RSA和HmacSHA1,这里面会涉及到一些环境值，其他的都固定即可，有两个值是从cookie拿的，都随机一下就行,主要代码如下：

function get_data(){
    guid1 = guid() //随机 找到相应方法名扣下来就行
    generateQC0051 = generateQC005() //随机 找到相应方法名扣下来就行
    var t = '{"jn":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36","cm":"zh-CN","gu":24,"uf":1.25,"jr":[1536,864],"di":[1536,824],"zp":-480,"uh":1,"sh":1,"he":1,"zo":1,"rv":"unknown","nx":"Win32","iw":"unknown","qm":["PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf","Chrome PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf","Chromium PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf","Microsoft Edge PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf","WebKit built-in PDF::Portable Document Format::application/pdf~pdf,text/pdf~pdf"],"fk":false,"rg":false,"xy":false,"jm":false,"ba":false,"tm":[0,false,false],"hl":false,"ht":"","au":true,"mi":"'+guid1+'","cl":"PCWEB","sv":"1.0","jg":"'+generateQC0051+'","ifm":[false,null,null,null],"ex":"","dv":"off"}';
    var dim = n(o(t));  //base64
    word = "" + dim + "PCWEB" + "1.0";
    sig = HmacSHA1_Encrypt(word, 'eade56028e252b77f7a0b8792e58b9cc').toUpperCase()
    return [dim,sig]
}

2、携带dfp访问login.action链接，加密参数为pwd,加密方式为RSA,网上也有很多博客是讲这个站的pwd的，所以略过

3、sbox_init_key链接，加密参数为secure，加密方式为RSA+SHA256，这个RSA我扣的办法是导出关键函数，加密位置如下

注意，这里会有两个随机字符串(f 和 s)，这个我当时找了半天才找到，下面是他们的生成方式（这俩两个字符串是后面生成aeskey和hmackey的关键）

function getRandom(e) {
	var x = ["A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9"];
    var t = (x = x || [0, 1, 2, 3, 4, 5, 6, 7, 8, 9])["length"];
    r = (new Date).getTime() + Math["ceil"](10 * Math["random"]() * x["length"]);
    for (var _ = "", i = 0; i < e; i++) {
        var n = Math["ceil"]((r = (9301 * r + 49297) % 233280) / 233280 * t) - 1;
        _ += x[n = t < (n = n < 0 ? 0 : n) ? t : n]
    }
    return _
}
 f = getRandom(32);
 c = getRandom(64);

4、访问initpage链接，这里的加密参数是 cryptSrcData和cryptVersion ,这里的加密会涉及到上面提到的aeskey和hmackey,加密位置如下：

cryptSrcData生成方式如下：

    extend = {
        "dfp":dfp,
        "ptid":"01010021010000000000",
        "agentType":"1",
        "deviceId":"....",
        "cellphoneNumber":phone,
        "areaCode":"86"
    }

    var ee = {
        "t": time_,
        "token": token,
        "width": 290,
        "height": 170,
        "clientVersion": 1,
        "riskData": JSON.stringify(data), //这里是一些鼠标轨迹，稍微仿造一下即可
        "dfp": dfp,
        "extend": JSON.stringify(extend)
    };
    var e = AES_Encrypt(JSON.stringify(ee),aeskey,"qwertyuiopasdfgh");
    var cryptSrcData = e + "|" + HmacSHA256_Encrypt(e, hmackey);

cryptVersion生成方式如下：

cryptVersion = 'web|20180418xkdewxe3dkxu9|' + sid

5、拿到滑块数据后，发现是乱序的还得根据所放回的数组进行还原，还原主要思路如下：

至于这个pic_list是怎么来的，打个canvas断点去看下网站是怎么做的就知道了

三、请求验证
注：verifycenter/verify链接所需要的参数和initpage链接的基本一样的，只是轨迹那里需要变化，就不多说啦，这个站轨迹检测还是比较严格的，收工，拜拜！