Bypassing Shumei Slider Captcha: Extract Dynamic Params and DES Keys with Python

Introduction

Hello, I am 黑脸怪. In this article I share a practical analysis of the Shumei slider captcha, which uses simple DES encryption and frequently changes its JavaScript implementation.

Obtaining the Captcha Configuration

The endpoint /ca/v1/conf returns a JSON payload containing the domain list and the URL of the JavaScript file that drives the slider.

{
  "code": 1100,
  "detail": {"css": "/pr/auto-build/v1.0.3-151/style.min.css", ...},
  "domains": ["castatic.fengkongcloud.cn","castatic.fengkongcloud.com","castatic-a.fengkongcloud.com",...],
  "js": "/pr/auto-build/v1.0.3-151/captcha-sdk.min.js",
  "message": "success",
  "requestId": "88aac752cd02b26a54e13b5c577652cc",
  "riskLevel": "PASS",
  "score": 0
}

The js field points to the script that generates the slider.

Analyzing the Submission Parameters

When the slider is submitted, the request contains many parameters. Apart from a few static ones (

sdkver, organization, rid, act.os, rversion, ostype, callback

), there are eleven dynamic parameters whose names and values change on each version.

To retrieve these, we need to locate the decryption function inside the downloaded JavaScript.

Extracting the Decryption Function

The JavaScript can be split into two parts: a function that receives an integer, subtracts a constant, uses the result as an index into a large array, and returns a string (the decryption logic), and a webpack‑generated wrapper that can be ignored.

Using a regular expression we capture the function name and the array definition:

main_reCom = re.compile(',function\(\)\{function(.+)\]\)')
main_array_dec = re.sub(main_reCom, "", content)
js = execjs.compile(main_array_dec)
get_arrayValue_FcuntionName = re.search('function (_0x\d\w+)\(_\d\w+,', main_array_dec).group(1)
print("Decryption function name:", get_arrayValue_FcuntionName)

Now we have the decryption function and can use it to decode the hex‑encoded parameters.

Matching the Dynamic Parameters

First, we capture the two‑digit parameters (either a plain string or a hex value that needs decryption) with the following regex:

all_args_rule = '\[\'(\w{2})\'\]=this.*?,(_0x[\d\w]{6}\((0x[\d\w]{3})\)|\'([\d\w]{8})\')'
all_args = re.findall(all_args_rule, content)

This yields 19 matches, covering most of the slider‑related fields.

Next, we locate the remaining three dynamic parameters using a similar pattern:

checkApi_args_rule = '\'(\w{2})\',this.*?,(_0x[\d\w]{6}\((0x[\d\w]{3})\)|\'([\d\w]{8})\')'
checkApi_args = re.findall(checkApi_args_rule, content)

In total, eleven dynamic parameters are extracted.

Resolving Parameter Values

For each parameter we check whether the third capture group contains a plain DES key or the second group holds a hex value. Hex values are converted to integers and passed to the previously extracted decryption function to obtain the actual key.

data_json = {}
data_json["QueKouWeiZhi"] = [all_args[5][0], all_args[5][3] if all_args[5][3] != "" else get_des_key(int(all_args[5][2], 16))]

Finally, we build the request payload by merging static fields with the dynamically resolved ones.

Conclusion

The Shumei slider updates its JavaScript frequently (e.g., version 148 → 151). The regex approach works for versions 147‑151, but earlier versions have a different obfuscation structure, making a universal solution challenging. Using AST‑based analysis could be more robust, though it requires additional expertise.