// SPDX-FileCopyrightText: 2023 The Pion community // SPDX-License-Identifier: MIT package main import ( "bytes" "context" "crypto/md5" "crypto/sha256" "crypto/tls" "encoding/base64" "encoding/hex" "encoding/json" "flag" "fmt" "io" "log" "math/rand" "net" neturl "net/url" "os" "os/signal" "strconv" "strings" "sync" "sync/atomic" "syscall" "time" fhttp "github.com/bogdanfinn/fhttp" tlsclient "github.com/bogdanfinn/tls-client" "github.com/bogdanfinn/tls-client/profiles" "github.com/bschaatsbergen/dnsdialer" "github.com/cbeuw/connutil" "github.com/google/uuid" "github.com/pion/dtls/v3" "github.com/pion/dtls/v3/pkg/crypto/selfsign" "github.com/pion/logging" "github.com/pion/turn/v5" ) // Global state trackers var ( globalCaptchaLockout atomic.Int64 isDebug bool manualCaptcha bool autoCaptchaSliderPOC bool globalAppCancel context.CancelFunc ) type captchaSolveMode int const ( captchaSolveModeAuto captchaSolveMode = iota captchaSolveModeSliderPOC captchaSolveModeManual ) func captchaSolveModeForAttempt(attempt int, manualOnly bool, enableSliderPOC bool) (captchaSolveMode, bool) { if manualOnly { return captchaSolveModeManual, attempt == 0 } switch attempt { case 0: return captchaSolveModeAuto, true case 1: if enableSliderPOC { return captchaSolveModeSliderPOC, true } return captchaSolveModeManual, true case 2: if enableSliderPOC { return captchaSolveModeManual, true } } return 0, false } func captchaSolveModeLabel(mode captchaSolveMode) string { switch mode { case captchaSolveModeAuto: return "auto captcha" case captchaSolveModeSliderPOC: return "auto captcha slider POC" case captchaSolveModeManual: return "manual captcha" default: return "captcha" } } // region Helper: HTTP Headers Injection func applyBrowserProfileFhttp(req *fhttp.Request, profile Profile) { req.Header.Set("User-Agent", profile.UserAgent) req.Header.Set("sec-ch-ua", profile.SecChUa) req.Header.Set("sec-ch-ua-mobile", profile.SecChUaMobile) req.Header.Set("sec-ch-ua-platform", profile.SecChUaPlatform) req.Header.Set("Accept-Language", "en-US,en;q=0.9") req.Header.Set("DNT", "1") } func generateBrowserFp(profile Profile) string { data := profile.UserAgent + profile.SecChUa + "1920x1080x24" + strconv.FormatInt(time.Now().UnixNano(), 10) h := md5.Sum([]byte(data)) return hex.EncodeToString(h[:]) } func getCustomNetDialer() net.Dialer { return net.Dialer{ Timeout: 20 * time.Second, KeepAlive: 30 * time.Second, Resolver: &net.Resolver{ PreferGo: true, Dial: func(ctx context.Context, network, address string) (net.Conn, error) { var d net.Dialer dnsServers := []string{"77.88.8.8:53", "77.88.8.1:53", "8.8.8.8:53", "8.8.4.4:53", "1.1.1.1:53", "1.0.0.1:53"} var lastErr error for _, dns := range dnsServers { conn, err := d.DialContext(ctx, "udp", dns) if err == nil { return conn, nil } lastErr = err } return nil, lastErr }, }, } } func generateFakeCursor() string { startX := 600 + rand.Intn(400) startY := 300 + rand.Intn(200) startTime := time.Now().UnixMilli() - int64(rand.Intn(2000)+1000) var points []string for i := 0; i < 15+rand.Intn(10); i++ { startX += rand.Intn(15) - 5 startY += rand.Intn(15) + 2 startTime += int64(rand.Intn(40) + 10) points = append(points, fmt.Sprintf(`{"x":%d,"y":%d,"t":%d}`, startX, startY, startTime)) } return "[" + strings.Join(points, ",") + "]" } // endregion // region Automatic Captcha Solver & Authentication type VkCaptchaError struct { ErrorCode int ErrorMsg string CaptchaSid string CaptchaImg string RedirectURI string IsSoundCaptchaAvailable bool SessionToken string CaptchaTs string CaptchaAttempt string } func ParseVkCaptchaError(errData map[string]interface{}) *VkCaptchaError { // Extract error_code codeFloat, ok := errData["error_code"].(float64) if !ok { log.Printf("missing error_code in captcha error data") return nil } code := int(codeFloat) // Extract redirect_uri RedirectURI, ok := errData["redirect_uri"].(string) if !ok { log.Printf("missing redirect_uri in captcha error data") return nil } // Extract captcha_sid captchaSid, ok := errData["captcha_sid"].(string) if !ok { // try numeric if sidNum, ok2 := errData["captcha_sid"].(float64); ok2 { captchaSid = fmt.Sprintf("%.0f", sidNum) } else { log.Printf("missing captcha_sid in captcha error data") return nil } } // Extract captcha_img captchaImg, ok := errData["captcha_img"].(string) if !ok { log.Printf("missing captcha_img in captcha error data") return nil } // Extract error_msg errorMsg, ok := errData["error_msg"].(string) if !ok { log.Printf("missing error_msg in captcha error data") return nil } // Extract session token if redirect_uri present var sessionToken string if RedirectURI != "" { if parsed, err := neturl.Parse(RedirectURI); err == nil { sessionToken = parsed.Query().Get("session_token") } else { log.Printf("failed to parse redirect_uri: %v", err) return nil } } // Extract is_sound_captcha_available isSound, ok := errData["is_sound_captcha_available"].(bool) if !ok { isSound = false } // Extract captcha_ts var captchaTs string if tsFloat, ok := errData["captcha_ts"].(float64); ok { captchaTs = fmt.Sprintf("%.0f", tsFloat) } else if tsStr, ok := errData["captcha_ts"].(string); ok { captchaTs = tsStr } // Extract captcha_attempt var captchaAttempt string if attFloat, ok := errData["captcha_attempt"].(float64); ok { captchaAttempt = fmt.Sprintf("%.0f", attFloat) } else if attStr, ok := errData["captcha_attempt"].(string); ok { captchaAttempt = attStr } // Build VkCaptchaError return &VkCaptchaError{ ErrorCode: code, ErrorMsg: errorMsg, CaptchaSid: captchaSid, CaptchaImg: captchaImg, RedirectURI: RedirectURI, IsSoundCaptchaAvailable: isSound, SessionToken: sessionToken, CaptchaTs: captchaTs, CaptchaAttempt: captchaAttempt, } } func (e *VkCaptchaError) IsCaptchaError() bool { return e.ErrorCode == 14 && e.RedirectURI != "" && e.SessionToken != "" } func solveVkCaptcha(ctx context.Context, captchaErr *VkCaptchaError, streamID int, client tlsclient.HttpClient, profile Profile, useSliderPOC bool) (string, error) { if useSliderPOC { log.Printf("[STREAM %d] [Captcha] Solving captcha with slider POC...", streamID) } else { log.Printf("[STREAM %d] [Captcha] Solving captcha...", streamID) } if captchaErr.SessionToken == "" { return "", fmt.Errorf("no session_token in redirect_uri for auto-solve") } if captchaErr.RedirectURI == "" { return "", fmt.Errorf("no redirect_uri for auto-solve") } bootstrap, err := fetchCaptchaBootstrap(ctx, captchaErr.RedirectURI, client, profile) if err != nil { return "", fmt.Errorf("failed to fetch captcha bootstrap: %w", err) } log.Printf("[STREAM %d] [Captcha] PoW input: %s, difficulty: %d", streamID, bootstrap.PowInput, bootstrap.Difficulty) hash := solvePoW(bootstrap.PowInput, bootstrap.Difficulty) log.Printf("[STREAM %d] [Captcha] PoW solved: hash=%s", streamID, hash) var successToken string if useSliderPOC { successToken, err = callCaptchaNotRobotWithSliderPOC( ctx, captchaErr.SessionToken, hash, streamID, client, profile, bootstrap.Settings, ) } else { successToken, err = callCaptchaNotRobot(ctx, captchaErr.SessionToken, hash, streamID, client, profile) } if err != nil { return "", fmt.Errorf("captchaNotRobot API failed: %w", err) } log.Printf("[STREAM %d] [Captcha] Success! Got success_token", streamID) return successToken, nil } func fetchCaptchaBootstrap(ctx context.Context, redirectURI string, client tlsclient.HttpClient, profile Profile) (*captchaBootstrap, error) { parsedURL, err := neturl.Parse(redirectURI) if err != nil { return nil, err } domain := parsedURL.Hostname() req, err := fhttp.NewRequestWithContext(ctx, "GET", redirectURI, nil) if err != nil { return nil, err } req.Host = domain applyBrowserProfileFhttp(req, profile) req.Header.Set("Sec-Fetch-Site", "none") req.Header.Set("Sec-Fetch-Mode", "navigate") req.Header.Set("Sec-Fetch-Dest", "document") req.Header.Set("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8") resp, err := client.Do(req) if err != nil { return nil, err } defer func(Body io.ReadCloser) { _ = Body.Close() }(resp.Body) body, err := io.ReadAll(resp.Body) if err != nil { return nil, err } return parseCaptchaBootstrapHTML(string(body)) } func solvePoW(powInput string, difficulty int) string { target := strings.Repeat("0", difficulty) for nonce := 1; nonce <= 10000000; nonce++ { data := powInput + strconv.Itoa(nonce) hash := sha256.Sum256([]byte(data)) hexHash := hex.EncodeToString(hash[:]) if strings.HasPrefix(hexHash, target) { return hexHash } } return "" } func callCaptchaNotRobot(ctx context.Context, sessionToken, hash string, streamID int, client tlsclient.HttpClient, profile Profile) (string, error) { vkReq := func(method string, postData string) (map[string]interface{}, error) { reqURL := "https://api.vk.ru/method/" + method + "?v=5.131" parsedURL, err := neturl.Parse(reqURL) if err != nil { return nil, fmt.Errorf("parse request URL: %w", err) } domain := parsedURL.Hostname() req, err := fhttp.NewRequestWithContext(ctx, "POST", reqURL, strings.NewReader(postData)) if err != nil { return nil, err } req.Host = domain applyBrowserProfileFhttp(req, profile) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.Header.Set("Accept", "*/*") req.Header.Set("Origin", "https://id.vk.ru") req.Header.Set("Referer", "https://id.vk.ru/") req.Header.Set("Sec-Fetch-Site", "same-site") req.Header.Set("Sec-Fetch-Mode", "cors") req.Header.Set("Sec-Fetch-Dest", "empty") req.Header.Set("Sec-GPC", "1") req.Header.Set("Priority", "u=1, i") httpResp, err := client.Do(req) if err != nil { return nil, err } defer func(Body io.ReadCloser) { _ = Body.Close() }(httpResp.Body) body, err := io.ReadAll(httpResp.Body) if err != nil { return nil, err } var resp map[string]interface{} if err := json.Unmarshal(body, &resp); err != nil { return nil, err } return resp, nil } baseParams := fmt.Sprintf("session_token=%s&domain=vk.com&adFp=&access_token=", neturl.QueryEscape(sessionToken)) log.Printf("[STREAM %d] [Captcha] Step 1/4: settings", streamID) if _, err := vkReq("captchaNotRobot.settings", baseParams); err != nil { return "", fmt.Errorf("settings failed: %w", err) } time.Sleep(200 * time.Millisecond) log.Printf("[STREAM %d] [Captcha] Step 2/4: componentDone", streamID) browserFp := generateBrowserFp(profile) deviceJSON := buildCaptchaDeviceJSON(profile) componentDoneData := baseParams + fmt.Sprintf("&browser_fp=%s&device=%s", browserFp, neturl.QueryEscape(deviceJSON)) if _, err := vkReq("captchaNotRobot.componentDone", componentDoneData); err != nil { return "", fmt.Errorf("componentDone failed: %w", err) } time.Sleep(200 * time.Millisecond) log.Printf("[STREAM %d] [Captcha] Step 3/4: check", streamID) cursorJSON := generateFakeCursor() answer := base64.StdEncoding.EncodeToString([]byte("{}")) // Dynamically generate debug_info to avoid static fingerprint bans debugInfoBytes := md5.Sum([]byte(profile.UserAgent + strconv.FormatInt(time.Now().UnixNano(), 10))) debugInfo := hex.EncodeToString(debugInfoBytes[:]) connectionRtt := "[50,50,50,50,50,50,50,50,50,50]" connectionDownlink := "[9.5,9.5,9.5,9.5,9.5,9.5,9.5,9.5,9.5,9.5,9.5,9.5,9.5,9.5,9.5,9.5]" checkData := baseParams + fmt.Sprintf( "&accelerometer=%s&gyroscope=%s&motion=%s&cursor=%s&taps=%s&connectionRtt=%s&connectionDownlink=%s&browser_fp=%s&hash=%s&answer=%s&debug_info=%s", neturl.QueryEscape("[]"), neturl.QueryEscape("[]"), neturl.QueryEscape("[]"), neturl.QueryEscape(cursorJSON), neturl.QueryEscape("[]"), neturl.QueryEscape(connectionRtt), neturl.QueryEscape(connectionDownlink), browserFp, hash, answer, debugInfo, ) checkResp, err := vkReq("captchaNotRobot.check", checkData) if err != nil { return "", fmt.Errorf("check failed: %w", err) } respObj, ok := checkResp["response"].(map[string]interface{}) if !ok { return "", fmt.Errorf("invalid check response: %v", checkResp) } status, ok := respObj["status"].(string) if !ok || status != "OK" { return "", fmt.Errorf("check status: %s", status) } successToken, ok := respObj["success_token"].(string) if !ok || successToken == "" { return "", fmt.Errorf("success_token not found") } time.Sleep(200 * time.Millisecond) log.Printf("[STREAM %d] [Captcha] Step 4/4: endSession", streamID) _, err = vkReq("captchaNotRobot.endSession", baseParams) if err != nil { log.Printf("[STREAM %d] [Captcha] Warning: endSession failed: %v", streamID, err) } return successToken, nil } func isAuthError(err error) bool { if err == nil { return false } errStr := err.Error() return strings.Contains(errStr, "401") || strings.Contains(errStr, "Unauthorized") || strings.Contains(errStr, "authentication") || strings.Contains(errStr, "invalid credential") || strings.Contains(errStr, "stale nonce") } func handleAuthError(streamID int) bool { cache := getStreamCache(streamID) cacheID := getCacheID(streamID) now := time.Now().Unix() if now-cache.lastErrorTime.Load() > int64(errorWindow.Seconds()) { cache.errorCount.Store(0) } count := cache.errorCount.Add(1) cache.lastErrorTime.Store(now) log.Printf("[STREAM %d] Auth error (cache=%d, count=%d/%d)", streamID, cacheID, count, maxCacheErrors) if count >= maxCacheErrors { log.Printf("[VK Auth] Multiple auth errors detected (%d), invalidating cache %d for stream %d...", count, cacheID, streamID) cache.invalidate(streamID) return true } return false } // region VK Credentials Layer type VKCredentials struct { ClientID string ClientSecret string } var vkCredentialsList = []VKCredentials{ {ClientID: "6287487", ClientSecret: "QbYic1K3lEV5kTGiqlq2"}, // VK_WEB_APP_ID //{ClientID: "7879029", ClientSecret: "aR5NKGmm03GYrCiNKsaw"}, // VK_MVK_APP_ID //{ClientID: "52461373", ClientSecret: "o557NLIkAErNhakXrQ7A"}, // VK_WEB_VKVIDEO_APP_ID //{ClientID: "52649896", ClientSecret: "WStp4ihWG4l3nmXZgIbC"}, // VK_MVK_VKVIDEO_APP_ID //{ClientID: "51781872", ClientSecret: "IjjCNl4L4Tf5QZEXIHKK"}, // VK_ID_AUTH_APP } func vkDelayRandom(minMs, maxMs int) { ms := minMs + rand.Intn(maxMs-minMs+1) time.Sleep(time.Duration(ms) * time.Millisecond) } func getVkCredsCached(ctx context.Context, link string, streamID int, dialer *dnsdialer.Dialer) (string, string, string, error) { cache := getStreamCache(streamID) cacheID := getCacheID(streamID) cache.mutex.RLock() if cache.creds.Link == link && time.Now().Before(cache.creds.ExpiresAt) { expires := time.Until(cache.creds.ExpiresAt) u, p, a := cache.creds.Username, cache.creds.Password, cache.creds.ServerAddr cache.mutex.RUnlock() if isDebug { log.Printf("[STREAM %d] [VK Auth] Using cached credentials (cache=%d, expires in %v)", streamID, cacheID, expires) } return u, p, a, nil } cache.mutex.RUnlock() cache.mutex.Lock() defer cache.mutex.Unlock() // Double-check inside lock if cache.creds.Link == link && time.Now().Before(cache.creds.ExpiresAt) { return cache.creds.Username, cache.creds.Password, cache.creds.ServerAddr, nil } user, pass, addr, err := fetchVkCredsSerialized(ctx, link, streamID, dialer) if err != nil { return "", "", "", err } cache.creds = TurnCredentials{Username: user, Password: pass, ServerAddr: addr, ExpiresAt: time.Now().Add(credentialLifetime - cacheSafetyMargin), Link: link} return user, pass, addr, nil } var ( vkRequestMu sync.Mutex globalLastVkFetchTime time.Time ) func fetchVkCredsSerialized(ctx context.Context, link string, streamID int, dialer *dnsdialer.Dialer) (string, string, string, error) { vkRequestMu.Lock() defer vkRequestMu.Unlock() // Ensure a minimum cooldown between credential requests to avoid VK rate limits minInterval := 3*time.Second + time.Duration(rand.Intn(3000))*time.Millisecond elapsed := time.Since(globalLastVkFetchTime) if !globalLastVkFetchTime.IsZero() && elapsed < minInterval { wait := minInterval - elapsed log.Printf("[STREAM %d] [VK Auth] Throttling: waiting %v to prevent rate limit...", streamID, wait.Truncate(time.Millisecond)) select { case <-ctx.Done(): return "", "", "", ctx.Err() case <-time.After(wait): } } defer func() { globalLastVkFetchTime = time.Now() }() return fetchVkCreds(ctx, link, streamID, dialer) } func fetchVkCreds(ctx context.Context, link string, streamID int, dialer *dnsdialer.Dialer) (string, string, string, error) { // Check Global Lockout to prevent API bans if time.Now().Unix() < globalCaptchaLockout.Load() { return "", "", "", fmt.Errorf("CAPTCHA_WAIT_REQUIRED: global lockout active") } var lastErr error jar := tlsclient.NewCookieJar() for _, creds := range vkCredentialsList { log.Printf("[STREAM %d] [VK Auth] Trying credentials: client_id=%s", streamID, creds.ClientID) user, pass, addr, err := getTokenChain(ctx, link, streamID, creds, dialer, jar) if err == nil { log.Printf("[STREAM %d] [VK Auth] Success with client_id=%s", streamID, creds.ClientID) return user, pass, addr, nil } lastErr = err log.Printf("[STREAM %d] [VK Auth] Failed with client_id=%s: %v", streamID, creds.ClientID, err) // Hard abort on captcha/fatal conditions instead of trying next creds if strings.Contains(err.Error(), "CAPTCHA_WAIT_REQUIRED") || strings.Contains(err.Error(), "FATAL_CAPTCHA") { return "", "", "", err } if strings.Contains(err.Error(), "error_code:29") || strings.Contains(err.Error(), "error_code: 29") || strings.Contains(err.Error(), "Rate limit") { log.Printf("[STREAM %d] [VK Auth] Rate limit detected, trying next credentials...", streamID) } } return "", "", "", fmt.Errorf("all VK credentials failed: %w", lastErr) } func getTokenChain(ctx context.Context, link string, streamID int, creds VKCredentials, dialer *dnsdialer.Dialer, jar tlsclient.CookieJar) (string, string, string, error) { profile := Profile{ UserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36", SecChUa: `"Not(A:Brand";v="99", "Google Chrome";v="146", "Chromium";v="146"`, SecChUaMobile: "?0", SecChUaPlatform: `"Windows"`, } client, err := tlsclient.NewHttpClient(tlsclient.NewNoopLogger(), tlsclient.WithTimeoutSeconds(20), tlsclient.WithClientProfile(profiles.Chrome_146), tlsclient.WithCookieJar(jar), tlsclient.WithDialer(getCustomNetDialer()), ) if err != nil { return "", "", "", fmt.Errorf("failed to initialize tls_client: %w", err) } name := generateName() escapedName := neturl.QueryEscape(name) log.Printf("[STREAM %d] [VK Auth] Connecting Identity - Name: %s | User-Agent: %s", streamID, name, profile.UserAgent) doRequest := func(data string, url string) (resp map[string]interface{}, err error) { parsedURL, err := neturl.Parse(url) if err != nil { return nil, fmt.Errorf("parse request URL: %w", err) } domain := parsedURL.Hostname() req, err := fhttp.NewRequestWithContext(ctx, "POST", url, bytes.NewBuffer([]byte(data))) if err != nil { return nil, err } req.Host = domain applyBrowserProfileFhttp(req, profile) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.Header.Set("Accept", "*/*") req.Header.Set("Origin", "https://vk.ru") req.Header.Set("Referer", "https://vk.ru/") req.Header.Set("Sec-Fetch-Site", "same-site") req.Header.Set("Sec-Fetch-Mode", "cors") req.Header.Set("Sec-Fetch-Dest", "empty") req.Header.Set("Priority", "u=1, i") httpResp, err := client.Do(req) if err != nil { return nil, err } defer func() { if closeErr := httpResp.Body.Close(); closeErr != nil { log.Printf("close response body: %s", closeErr) } }() body, err := io.ReadAll(httpResp.Body) if err != nil { return nil, err } err = json.Unmarshal(body, &resp) if err != nil { return nil, err } return resp, nil } // Token 1 data := fmt.Sprintf("client_id=%s&token_type=messages&client_secret=%s&version=1&app_id=%s", creds.ClientID, creds.ClientSecret, creds.ClientID) resp, err := doRequest(data, "https://login.vk.ru/?act=get_anonym_token") if err != nil { return "", "", "", err } dataMap, ok := resp["data"].(map[string]interface{}) if !ok { return "", "", "", fmt.Errorf("unexpected anon token response: %v", resp) } token1, ok := dataMap["access_token"].(string) if !ok { return "", "", "", fmt.Errorf("missing access_token in response: %v", resp) } vkDelayRandom(100, 150) // Token 1 -> getCallPreview data = fmt.Sprintf("vk_join_link=https://vk.com/call/join/%s&fields=photo_200&access_token=%s", link, token1) _, err = doRequest(data, "https://api.vk.ru/method/calls.getCallPreview?v=5.275&client_id="+creds.ClientID) if err != nil { log.Printf("[STREAM %d] [VK Auth] Warning: getCallPreview failed: %v", streamID, err) } vkDelayRandom(200, 400) // Token 2 data = fmt.Sprintf("vk_join_link=https://vk.com/call/join/%s&name=%s&access_token=%s", link, escapedName, token1) urlAddr := fmt.Sprintf("https://api.vk.ru/method/calls.getAnonymousToken?v=5.275&client_id=%s", creds.ClientID) var token2 string for attempt := 0; ; attempt++ { resp, err = doRequest(data, urlAddr) if err != nil { return "", "", "", err } if errObj, hasErr := resp["error"].(map[string]interface{}); hasErr { captchaErr := ParseVkCaptchaError(errObj) if captchaErr != nil && captchaErr.IsCaptchaError() { solveMode, hasSolveMode := captchaSolveModeForAttempt(attempt, manualCaptcha, autoCaptchaSliderPOC) if !hasSolveMode { log.Printf("[STREAM %d] [Captcha] No more solve modes available (attempt %d)", streamID, attempt+1) // Engage global lockout to protect API globalCaptchaLockout.Store(time.Now().Add(60 * time.Second).Unix()) return "", "", "", fmt.Errorf("CAPTCHA_WAIT_REQUIRED") } var successToken string var captchaKey string var solveErr error switch solveMode { case captchaSolveModeAuto: if captchaErr.SessionToken != "" && captchaErr.RedirectURI != "" { successToken, solveErr = solveVkCaptcha(ctx, captchaErr, streamID, client, profile, false) if solveErr != nil { log.Printf("[STREAM %d] [Captcha] Auto captcha failed: %v", streamID, solveErr) } } else { solveErr = fmt.Errorf("missing fields for auto solve") } case captchaSolveModeSliderPOC: if captchaErr.SessionToken != "" && captchaErr.RedirectURI != "" { successToken, solveErr = solveVkCaptcha(ctx, captchaErr, streamID, client, profile, true) if solveErr != nil { log.Printf("[STREAM %d] [Captcha] Auto captcha slider POC failed: %v", streamID, solveErr) } } else { solveErr = fmt.Errorf("missing fields for slider POC auto solve") } case captchaSolveModeManual: log.Printf("[STREAM %d] [Captcha] Triggering manual captcha fallback...", streamID) manualCtx, manualCancel := context.WithTimeout(ctx, 60*time.Second) type manualRes struct { token string key string err error } resCh := make(chan manualRes, 1) go func() { var t, k string var e error if captchaErr.RedirectURI != "" { t, e = solveCaptchaViaProxy(captchaErr.RedirectURI, dialer) } else if captchaErr.CaptchaImg != "" { k, e = solveCaptchaViaHTTP(captchaErr.CaptchaImg) } else { e = fmt.Errorf("no redirect_uri or captcha_img") } resCh <- manualRes{t, k, e} }() select { case res := <-resCh: successToken = res.token captchaKey = res.key solveErr = res.err case <-manualCtx.Done(): solveErr = fmt.Errorf("manual captcha timed out after 60s") } manualCancel() } // If solving failed (auto or manual) or timed out if solveErr != nil { log.Printf("[STREAM %d] [Captcha] %s failed (attempt %d): %v", streamID, captchaSolveModeLabel(solveMode), attempt+1, solveErr) nextSolveMode, hasNextSolveMode := captchaSolveModeForAttempt(attempt+1, manualCaptcha, autoCaptchaSliderPOC) if hasNextSolveMode { log.Printf("[STREAM %d] [Captcha] Falling back to %s...", streamID, captchaSolveModeLabel(nextSolveMode)) continue } // Engage global lockout to protect API globalCaptchaLockout.Store(time.Now().Add(60 * time.Second).Unix()) return "", "", "", fmt.Errorf("CAPTCHA_WAIT_REQUIRED") } if captchaErr.CaptchaAttempt == "0" || captchaErr.CaptchaAttempt == "" { captchaErr.CaptchaAttempt = "1" } if captchaKey != "" { data = fmt.Sprintf("vk_join_link=https://vk.com/call/join/%s&name=%s&captcha_key=%s&captcha_sid=%s&access_token=%s", link, escapedName, neturl.QueryEscape(captchaKey), captchaErr.CaptchaSid, token1) } else { data = fmt.Sprintf("vk_join_link=https://vk.com/call/join/%s&name=%s&captcha_key=&captcha_sid=%s&is_sound_captcha=0&success_token=%s&captcha_ts=%s&captcha_attempt=%s&access_token=%s", link, escapedName, captchaErr.CaptchaSid, neturl.QueryEscape(successToken), captchaErr.CaptchaTs, captchaErr.CaptchaAttempt, token1) } continue } return "", "", "", fmt.Errorf("VK API error: %v", errObj) } respMap, okLoop := resp["response"].(map[string]interface{}) if !okLoop { return "", "", "", fmt.Errorf("unexpected getAnonymousToken response: %v", resp) } token2, okLoop = respMap["token"].(string) if !okLoop { return "", "", "", fmt.Errorf("missing token in response: %v", resp) } break } vkDelayRandom(100, 150) // Token 3 sessionData := fmt.Sprintf(`{"version":2,"device_id":"%s","client_version":1.1,"client_type":"SDK_JS"}`, uuid.New()) data = fmt.Sprintf("session_data=%s&method=auth.anonymLogin&format=JSON&application_key=CGMMEJLGDIHBABABA", neturl.QueryEscape(sessionData)) resp, err = doRequest(data, "https://calls.okcdn.ru/fb.do") if err != nil { return "", "", "", err } token3, ok := resp["session_key"].(string) if !ok { return "", "", "", fmt.Errorf("missing session_key in response: %v", resp) } vkDelayRandom(100, 150) // Token 4 -> TURN Creds data = fmt.Sprintf("joinLink=%s&isVideo=false&protocolVersion=5&capabilities=2F7F&anonymToken=%s&method=vchat.joinConversationByLink&format=JSON&application_key=CGMMEJLGDIHBABABA&session_key=%s", link, token2, token3) resp, err = doRequest(data, "https://calls.okcdn.ru/fb.do") if err != nil { return "", "", "", err } tsRaw, ok := resp["turn_server"].(map[string]interface{}) if !ok { return "", "", "", fmt.Errorf("missing turn_server in response: %v", resp) } user, ok := tsRaw["username"].(string) if !ok { return "", "", "", fmt.Errorf("missing username in turn_server") } pass, ok := tsRaw["credential"].(string) if !ok { return "", "", "", fmt.Errorf("missing credential in turn_server") } urlsRaw, ok := tsRaw["urls"].([]interface{}) if !ok || len(urlsRaw) == 0 { return "", "", "", fmt.Errorf("missing or empty urls in turn_server") } urlStr, ok := urlsRaw[0].(string) if !ok { return "", "", "", fmt.Errorf("turn server url is not a string") } clean := strings.Split(urlStr, "?")[0] address := strings.TrimPrefix(strings.TrimPrefix(clean, "turn:"), "turns:") return user, pass, address, nil } // endregion func dtlsFunc(ctx context.Context, conn net.PacketConn, peer *net.UDPAddr) (net.Conn, error) { certificate, err := selfsign.GenerateSelfSigned() if err != nil { return nil, err } config := &dtls.Config{ Certificates: []tls.Certificate{certificate}, InsecureSkipVerify: true, ExtendedMasterSecret: dtls.RequireExtendedMasterSecret, CipherSuites: []dtls.CipherSuiteID{dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, ConnectionIDGenerator: dtls.OnlySendCIDGenerator(), } // Extended timeout to accommodate serialized credential fetching via mutex ctx1, cancel := context.WithTimeout(ctx, 120*time.Second) defer cancel() dtlsConn, err := dtls.Client(conn, peer, config) if err != nil { return nil, err } if err := dtlsConn.HandshakeContext(ctx1); err != nil { return nil, err } return dtlsConn, nil } func oneDtlsConnection(ctx context.Context, peer *net.UDPAddr, listenConn net.PacketConn, connchan chan<- net.PacketConn, okchan chan<- struct{}, c chan<- error, sessionID []byte, streamID byte, v1 bool) { var err error = nil defer func() { c <- err }() dtlsctx, dtlscancel := context.WithCancel(ctx) defer dtlscancel() var conn1, conn2 net.PacketConn conn1, conn2 = connutil.AsyncPacketPipe() go func() { for { select { case <-dtlsctx.Done(): return case connchan <- conn2: } } }() dtlsConn, err1 := dtlsFunc(dtlsctx, conn1, peer) if err1 != nil { err = fmt.Errorf("failed to connect DTLS: %s", err1) return } defer func() { if closeErr := dtlsConn.Close(); closeErr != nil { err = fmt.Errorf("failed to close DTLS connection: %s", closeErr) return } log.Printf("Closed DTLS connection\n") }() // Phase 1: Send Session ID + Stream ID (17 bytes) - only for v2 protocol if !v1 { dtlsConn.SetWriteDeadline(time.Now().Add(time.Second * 5)) idBuf := make([]byte, 17) copy(idBuf[:16], sessionID) idBuf[16] = streamID if _, err1 = dtlsConn.Write(idBuf); err1 != nil { err = fmt.Errorf("failed to send session ID: %s", err1) return } log.Printf("Established DTLS connection and sent session ID with stream %d!\n", streamID) } else { log.Printf("Established DTLS connection (v1 protocol, no session ID)!\n") } go func() { for { select { case <-dtlsctx.Done(): return case okchan <- struct{}{}: } } }() wg := sync.WaitGroup{} wg.Add(2) context.AfterFunc(dtlsctx, func() { listenConn.SetDeadline(time.Now()) dtlsConn.SetDeadline(time.Now()) }) var addr atomic.Value // Start read-loop on listenConn go func() { defer wg.Done() defer dtlscancel() buf := make([]byte, 1600) for { select { case <-dtlsctx.Done(): return default: } n, addr1, err1 := listenConn.ReadFrom(buf) if err1 != nil { log.Printf("Failed: %s", err1) return } addr.Store(addr1) // store peer _, err1 = dtlsConn.Write(buf[:n]) if err1 != nil { log.Printf("Failed: %s", err1) return } } }() // Start read-loop on dtlsConn go func() { defer wg.Done() defer dtlscancel() buf := make([]byte, 1600) for { select { case <-dtlsctx.Done(): return default: } n, err1 := dtlsConn.Read(buf) if err1 != nil { log.Printf("Failed: %s", err1) return } addr1, ok := addr.Load().(net.Addr) if !ok { log.Printf("Failed: no listener ip") return } _, err1 = listenConn.WriteTo(buf[:n], addr1) if err1 != nil { log.Printf("Failed: %s", err1) return } } }() wg.Wait() listenConn.SetDeadline(time.Time{}) dtlsConn.SetDeadline(time.Time{}) } type connectedUDPConn struct { *net.UDPConn } func (c *connectedUDPConn) WriteTo(p []byte, _ net.Addr) (int, error) { return c.Write(p) } type turnParams struct { host string port string link string udp bool streamID int getCreds getCredsFunc } func oneTurnConnection(ctx context.Context, turnParams *turnParams, peer *net.UDPAddr, conn2 net.PacketConn, c chan<- error) { var err error = nil defer func() { c <- err }() user, pass, url, err1 := turnParams.getCreds(ctx, turnParams.link, turnParams.streamID) if err1 != nil { err = fmt.Errorf("failed to get TURN credentials: %s", err1) return } urlhost, urlport, err1 := net.SplitHostPort(url) if err1 != nil { err = fmt.Errorf("failed to parse TURN server address: %s", err1) return } if turnParams.host != "" { urlhost = turnParams.host } if turnParams.port != "" { urlport = turnParams.port } var turnServerAddr string turnServerAddr = net.JoinHostPort(urlhost, urlport) turnServerUdpAddr, err1 := net.ResolveUDPAddr("udp", turnServerAddr) if err1 != nil { err = fmt.Errorf("failed to resolve TURN server address: %s", err1) return } turnServerAddr = turnServerUdpAddr.String() fmt.Println(turnServerUdpAddr.IP) // Dial TURN Server var cfg *turn.ClientConfig var turnConn net.PacketConn var d net.Dialer ctx1, cancel := context.WithTimeout(ctx, 5*time.Second) defer cancel() if turnParams.udp { conn, err2 := net.DialUDP("udp", nil, turnServerUdpAddr) // nolint: noctx if err2 != nil { err = fmt.Errorf("failed to connect to TURN server: %s", err2) return } defer func() { if err1 = conn.Close(); err1 != nil { err = fmt.Errorf("failed to close TURN server connection: %s", err1) return } }() turnConn = &connectedUDPConn{conn} } else { conn, err2 := d.DialContext(ctx1, "tcp", turnServerAddr) // nolint: noctx if err2 != nil { err = fmt.Errorf("failed to connect to TURN server: %s", err2) return } defer func() { if err1 = conn.Close(); err1 != nil { err = fmt.Errorf("failed to close TURN server connection: %s", err1) return } }() turnConn = turn.NewSTUNConn(conn) } var addrFamily turn.RequestedAddressFamily if peer.IP.To4() != nil { addrFamily = turn.RequestedAddressFamilyIPv4 } else { addrFamily = turn.RequestedAddressFamilyIPv6 } // Start a new TURN Client and wrap our net.Conn in a STUNConn // This allows us to simulate datagram based communication over a net.Conn cfg = &turn.ClientConfig{ STUNServerAddr: turnServerAddr, TURNServerAddr: turnServerAddr, Conn: turnConn, Username: user, Password: pass, RequestedAddressFamily: addrFamily, LoggerFactory: logging.NewDefaultLoggerFactory(), } client, err1 := turn.NewClient(cfg) if err1 != nil { err = fmt.Errorf("failed to create TURN client: %s", err1) return } defer client.Close() // Start listening on the conn provided. err1 = client.Listen() if err1 != nil { err = fmt.Errorf("failed to listen: %s", err1) return } // Allocate a relay socket on the TURN server. On success, it // will return a net.PacketConn which represents the remote // socket. relayConn, err1 := client.Allocate() if err1 != nil { err = fmt.Errorf("failed to allocate: %s", err1) return } defer func() { if err1 := relayConn.Close(); err1 != nil { err = fmt.Errorf("failed to close TURN allocated connection: %s", err1) } }() // The relayConn's local address is actually the transport // address assigned on the TURN server. log.Printf("relayed-address=%s", relayConn.LocalAddr().String()) wg := sync.WaitGroup{} wg.Add(2) turnctx, turncancel := context.WithCancel(context.Background()) context.AfterFunc(turnctx, func() { relayConn.SetDeadline(time.Now()) conn2.SetDeadline(time.Now()) }) var addr atomic.Value // Start read-loop on conn2 (output of DTLS) go func() { defer wg.Done() defer turncancel() buf := make([]byte, 1600) for { select { case <-turnctx.Done(): return default: } n, addr1, err1 := conn2.ReadFrom(buf) if err1 != nil { log.Printf("Failed: %s", err1) return } addr.Store(addr1) // store peer _, err1 = relayConn.WriteTo(buf[:n], peer) if err1 != nil { log.Printf("Failed: %s", err1) return } } }() // Start read-loop on relayConn go func() { defer wg.Done() defer turncancel() buf := make([]byte, 1600) for { select { case <-turnctx.Done(): return default: } n, _, err1 := relayConn.ReadFrom(buf) if err1 != nil { log.Printf("Failed: %s", err1) return } addr1, ok := addr.Load().(net.Addr) if !ok { log.Printf("Failed: no listener ip") return } _, err1 = conn2.WriteTo(buf[:n], addr1) if err1 != nil { log.Printf("Failed: %s", err1) return } } }() wg.Wait() relayConn.SetDeadline(time.Time{}) conn2.SetDeadline(time.Time{}) } func oneDtlsConnectionLoop(ctx context.Context, peer *net.UDPAddr, listenConnChan <-chan net.PacketConn, connchan chan<- net.PacketConn, okchan chan<- struct{}, sessionID []byte, streamID byte, v1 bool) { for { select { case <-ctx.Done(): return case listenConn := <-listenConnChan: c := make(chan error) go oneDtlsConnection(ctx, peer, listenConn, connchan, okchan, c, sessionID, streamID, v1) if err := <-c; err != nil { log.Printf("%s", err) } } } } func oneTurnConnectionLoop(ctx context.Context, turnParams *turnParams, peer *net.UDPAddr, connchan <-chan net.PacketConn, t <-chan time.Time, streamID int) { // Create a copy of turnParams with the streamID tp := *turnParams tp.streamID = streamID for { select { case <-ctx.Done(): return case conn2 := <-connchan: select { case <-t: c := make(chan error) go oneTurnConnection(ctx, &tp, peer, conn2, c) if err := <-c; err != nil { if strings.Contains(err.Error(), "FATAL_CAPTCHA") { log.Printf("[STREAM %d] Fatal manual captcha error. Shutting down application.", streamID) if globalAppCancel != nil { globalAppCancel() } return } if strings.Contains(err.Error(), "CAPTCHA_WAIT_REQUIRED") { if !strings.Contains(err.Error(), "global lockout active") { log.Printf("[STREAM %d] Backing off for 60 seconds to avoid IP ban...", streamID) select { case <-ctx.Done(): return case <-time.After(60 * time.Second): } } else { lockoutEnd := globalCaptchaLockout.Load() sleepDuration := time.Until(time.Unix(lockoutEnd, 0)) if sleepDuration < 0 { sleepDuration = 5 * time.Second } select { case <-ctx.Done(): return case <-time.After(sleepDuration): } } } else { log.Printf("[STREAM %d] %s", streamID, err) time.Sleep(2 * time.Second) } } default: } } } } func main() { //nolint:cyclop ctx, cancel := context.WithCancel(context.Background()) globalAppCancel = cancel defer cancel() signalChan := make(chan os.Signal, 1) signal.Notify(signalChan, syscall.SIGTERM, syscall.SIGINT) go func() { <-signalChan log.Printf("Terminating...\n") cancel() select { case <-signalChan: case <-time.After(5 * time.Second): } log.Fatalf("Exit...\n") }() host := flag.String("turn", "", "override TURN server ip") port := flag.String("port", "", "override TURN port") listen := flag.String("listen", "127.0.0.1:9000", "listen on ip:port") vklink := flag.String("vk-link", "", "VK calls invite link \"https://vk.com/call/join/...\"") wb := flag.Bool("wb", false, "use WB Stream instead of VK") peerAddr := flag.String("peer", "", "peer server address (host:port)") n := flag.Int("n", 0, "connections to TURN (default 4)") udp := flag.Bool("udp", false, "connect to TURN with UDP") direct := flag.Bool("no-dtls", false, "connect without obfuscation. DO NOT USE") v1 := flag.Bool("v1", false, "use v1 server protocol (no session_id and stream_id)") sessionIDFlag := flag.String("session-id", "", "override session ID (hex, 32 chars)") debugFlag := flag.Bool("debug", false, "enable debug logging") manualCaptchaFlag := flag.Bool("manual-captcha", false, "skip auto captcha solving, use manual mode immediately") flag.Parse() if *peerAddr == "" { log.Panicf("Need peer address!") } peer, err := net.ResolveUDPAddr("udp", *peerAddr) if err != nil { panic(err) } if !*wb && *vklink == "" { log.Panicf("Need either -wb or -vk-link!") } isDebug = *debugFlag manualCaptcha = *manualCaptchaFlag autoCaptchaSliderPOC = !manualCaptcha var link string var getCreds getCredsFunc dialer := dnsdialer.New( dnsdialer.WithResolvers("77.88.8.8:53", "77.88.8.1:53", "8.8.8.8:53", "8.8.4.4:53", "1.1.1.1:53", "1.0.0.1:53"), dnsdialer.WithStrategy(dnsdialer.Fallback{}), dnsdialer.WithCache(100, 10*time.Hour, 10*time.Hour), ) if *wb { link = "wb" getCreds = func(ctx context.Context, lk string, streamID int) (string, string, string, error) { return getCredsCached(ctx, lk, streamID, wbFetch) } } else { parts := strings.Split(*vklink, "join/") link = parts[len(parts)-1] getCreds = func(ctx context.Context, lk string, streamID int) (string, string, string, error) { return getVkCredsCached(ctx, lk, streamID, dialer) } } if *n <= 0 { *n = 4 } if idx := strings.IndexAny(link, "/?#"); idx != -1 { link = link[:idx] } params := &turnParams{ host: *host, port: *port, link: link, udp: *udp, streamID: 0, getCreds: getCreds, } var sessionID []byte if *sessionIDFlag != "" { sessionID = make([]byte, 16) if _, err := fmt.Sscanf(*sessionIDFlag, "%x", &sessionID); err != nil { log.Panicf("Invalid session ID: %v", err) } } else { sessionID, _ = uuid.New().MarshalBinary() } log.Printf("Session ID: %x", sessionID) listenConnChan := make(chan net.PacketConn) listenConn, err := net.ListenPacket("udp", *listen) // nolint: noctx if err != nil { log.Panicf("Failed to listen: %s", err) } context.AfterFunc(ctx, func() { if closeErr := listenConn.Close(); closeErr != nil { log.Panicf("Failed to close local connection: %s", closeErr) } }) go func() { for { select { case <-ctx.Done(): return case listenConnChan <- listenConn: } } }() wg1 := sync.WaitGroup{} t := time.Tick(100 * time.Millisecond) if *direct { for i := 0; i < *n; i++ { wg1.Add(1) streamID := i go func() { defer wg1.Done() oneTurnConnectionLoop(ctx, params, peer, listenConnChan, t, streamID) }() } } else { okchan := make(chan struct{}) connchan := make(chan net.PacketConn) wg1.Add(1) go func() { defer wg1.Done() oneDtlsConnectionLoop(ctx, peer, listenConnChan, connchan, okchan, sessionID, 0, *v1) }() wg1.Add(1) go func() { defer wg1.Done() oneTurnConnectionLoop(ctx, params, peer, connchan, t, 0) }() select { case <-okchan: case <-ctx.Done(): } for i := 0; i < *n-1; i++ { connchan := make(chan net.PacketConn) streamID := i + 1 wg1.Add(1) go func(sID byte) { defer wg1.Done() oneDtlsConnectionLoop(ctx, peer, listenConnChan, connchan, nil, sessionID, sID, *v1) }(byte(streamID)) wg1.Add(1) go func() { defer wg1.Done() oneTurnConnectionLoop(ctx, params, peer, connchan, t, streamID) }() } } wg1.Wait() }