web 美团 mtgsig

web 美团 mtgsig 声明本文章中所有内容仅供学习交流使用不用于其他任何目的抓包内容、敏感网址、数据接口等均已做脱敏处理严禁用于商业用途和非法用途否则由此产生的一切后果均与作者无关分析图启动流程在这里发起xml进去加密地方。根据true/false生成在url后面还是请求头里面。加密文件大部分关键代码
// NOTE(review): as shown on this page the listing carries no assignment
// operators and no string quotes (e.g. `const $toString Function.toString;`),
// so it does not parse as JavaScript as-is; presumably they were lost when the
// page was extracted.
//
// What the visible code does. It stubs browser globals, apparently so that a
// browser-targeted script can run under Node (`require(xhr2)`, `window global`):
//  - The leading function expression keeps the original Function toString in
//    $toString, creates a Symbol key from Math.random().toString(36), and puts
//    myToString in place of Function.prototype toString. myToString returns the
//    value stored under that Symbol key on `this` (after a typeof check) and
//    otherwise falls back to $toString.call(this).
//  - set_native(func, key, value) defines `key` on `func` through
//    Object.defineProperty as non-enumerable, configurable and writable.
//  - this.func_set_natvie(func) stores under the Symbol key what appears to be a
//    template text built from func.name and `{ [native code] }`; the replaced
//    toString is given such a value as well.
//  - Window and Navigator are constructors that throw TypeError(Illegal
//    constructor); both receive a Symbol.toStringTag and are passed to
//    func_set_natvie. window.DataView and window.Notification only log their
//    arguments. location is an empty object; screen holds fixed literals.
// Net effect, as far as the visible lines show: a function registered through
// func_set_natvie answers toString() with a native-looking text although it is
// an ordinary script function, so toString() output by itself does not
// establish that an API in the running environment is native.
!(() { use strict; const $toString Function.toString; const myFunction_toString_symbol Symbol((.concat(, )_, (Math.random() ).toString(36))); const myToString function () { return typeof this function this[myFunction_toString_symbol] || $toString.call(this); }; function set_native(func, key, value) { Object.defineProperty(func, key, { enumerable: false, configurable: true, writable: true, value: value }) }; delete Function.prototype[toString]; // delete toString from the prototype chain set_native(Function.prototype, toString, myToString); // define our own getter method set_native(Function.prototype.toString, myFunction_toString_symbol, function toString() { [native code] }); // nest it once more to protect the toString we defined, otherwise it would be exposed this.func_set_natvie (func) { set_native(func, myFunction_toString_symbol, function ${myFunction_toString_symbol, func.name || }() { [native code] }); }; // export the function to globalThis }).call(this); const XMLHttpRequest require(xhr2); Window function Window() { throw new TypeError(Illegal constructor) }; this.func_set_natvie(Window); Window.prototype.PERSISTENT 1 Window.prototype.TEMPORARY 0 Navigator function Navigator() { throw new TypeError(Illegal constructor) }; this.func_set_natvie(Navigator); window global Object.defineProperties(Window.prototype, { [Symbol.toStringTag]: { value: Window, configurable: true } }) Object.defineProperties(Navigator.prototype, { [Symbol.toStringTag]: { value: Navigator, configurable: true } }) window.__proto__ Window.prototype window.DataView function DataView() { console.log(window.DataView, arguments) }; this.func_set_natvie(DataView); window.Notification function Notification() { console.log(window.Notification, arguments) }; this.func_set_natvie(Notification); location { } screen {} screen.width 0 screen.height 0 screen.availHeight 0 screen.availWidth 0 screen.orientation { } screen.pixelDepth 24 screen.colorDepth 24 
// Emulated browser surface: window / document / navigator stubs.
// NOTE(review): as shown on this page these statements carry no assignment
// operators or string quotes (e.g. `window.H5guardCount 1`), so they do not
// parse as JavaScript as-is; presumably lost when the page was extracted.

// Constructor and method stubs. Each one only logs; XMLHttpRequest additionally
// returns an object whose open() and send() have empty bodies.
// window.scrollBy is listed twice.
window.XMLHttpRequest function XMLHttpRequest() { console.log(window.XMLHttpRequest.arguments) return { open: function open() { }, send: function send() { } } }
window.MouseEvent function MouseEvent() { console.log(window.MouseEvent.arguments) }
window.scroll function scroll() { console.log(window.scroll.arguments) }
window.scrollBy function scrollBy() { console.log(window.scrollBy.arguments) }
window.scrollBy function scrollBy() { console.log(window.scrollBy.arguments) }
window.WebGLRenderingContext function WebGLRenderingContext() { console.log(window.WebGLRenderingContext.arguments) }

// Flags and event-handler slots set to fixed literals; xhrHook and xhrHooked
// are each listed twice.
window.H5guardCount 1
window.wPaths []
window.xhrHook true
window.fetchHook true
window.xhrHooked true
window.xhrHook true
window.xhrHooked true
window.onbeforeinstallprompt null
window.onhashchange null
window.ondevicemotion null
window.ondeviceorientation null
window.ondeviceorientationabsolute null

// Timers are replaced by functions with empty bodies, so a callback handed to
// setInterval / setTimeout is never invoked.
setInterval function () { }
setTimeout function () { }

// Navigator.toString returns a fixed native-looking text and is itself passed
// to func_set_natvie; navigator is an empty object whose __proto__ is
// Navigator.prototype.
Navigator.toString function toString() { return function Navigator() { [native code] } };
this.func_set_natvie(Navigator.toString);
navigator {}
navigator.__proto__ Navigator.prototype

// window.self and window.top refer back to window. document is a plain object:
// createEvent only logs, cookie is an empty object, and documentElement has
// logging appendChild/removeChild plus fixed clientHeight/clientWidth.
window.self window
window.top window
window.localStorage {}
window.document {}
document.createEvent function createEvent(type) { console.log(document.createEvent, arguments) }
document.cookie {}
document.documentElement { appendChild: function appendChild() { console.log(appendChild) }, removeChild: function removeChild() { console.log(removeChild) }, clientHeight: 760, clientWidth: 150, scrollTop: function scrollTop() { } }
window.sessionStorage {}

// localStorage / sessionStorage are plain objects that keep items as their own
// properties: clear deletes every Object.keys(this) entry, getItem / setItem /
// removeItem read, write and delete this[key], key(index) indexes into
// Object.keys(this).
// NOTE(review): the methods are attached to the same object that holds the
// items, so they would be among the keys clear() deletes; confirm against the
// original page.
window.localStorage.clear function clear() { var temp Object.keys(this) for (var i 0; i temp.length; i) { delete this[temp[i]]; } };
window.sessionStorage.clear function clear() { var temp Object.keys(this) for (var i 0; i temp.length; i) { delete this[temp[i]]; } };
window.localStorage.getItem function getItem(key) { return this[key] };
window.sessionStorage.getItem function getItem(key) { return this[key] };
window.localStorage.key function key(index) { return Object.keys(this)[index] };
window.sessionStorage.key function key(index) { return Object.keys(this)[index] };
window.localStorage.removeItem function removeItem(key) { delete this[key] };
window.sessionStorage.removeItem function removeItem(key) { delete this[key] };
window.localStorage.setItem function setItem(key, value) { this[key] value };
window.sessionStorage.setItem function setItem(key, value) { this[key] value };

// More fixed values. window.name shows no value here.
// NOTE(review): probably an empty string whose quotes were lost; confirm.
window.fetchHooked true
window.wDomains [ ]
window.name
window.indexedDB {}

// The three phantom-related names are set to undefined, and navigator.plugins
// is a plain array of five {name: ...} objects.
window._phantom undefined
window.phantom undefined
window.callPhantom undefined
navigator.plugins [{name: PDF Viewer}, {name: Chrome PDF Viewer}, {name: Chromium PDF Viewer}, {name: Microsoft Edge PDF Viewer}, {name: WebKit built-in PDF}]

// The original hasOwnProperty is kept in oph, and Object.prototype.hasOwnProperty
// is replaced by a wrapper that returns false for the key webdriver and
// otherwise defers to oph.apply(this, arguments).
// NOTE(review): the listing shows no closing brace for this wrapper.
// NOTE(review): the replacement sits on Object.prototype, so it changes the
// answer for every object in the runtime, not only for navigator.
oph Object.prototype.hasOwnProperty
Object.prototype.hasOwnProperty function hasOwnProperty(val) { if (val webdriver) { return false } return oph.apply(this, arguments)

// document.body: appendChild/removeChild with empty bodies, scrollTop 0.
document.body { appendChild: function appendChild() { }, removeChild: function removeChild() { }, scrollTop: 0 }
window.AudioContext function AudioContext() { console.log(window.AudioContext, arguments) }

// More fixed window properties; window.status shows no value here, like
// window.name above.
window.status
window.frameElement null
window.onsearch null
window.external {}
window.styleMedia {type: screen}
window.isSecureContext true

// getSelection returns the same fixed, collapsed selection object on every call.
window.getSelection function getSelection() { return { anchorOffset: 0, baseOffset: 0, extentOffset: 0, focusOffset: 0, isCollapsed: true, rangeCount: 0, type: None, } }

// The remaining stubs only log their arguments and return nothing.
window.find function find() { console.log(window.find, arguments) }
window.dispatchEvent function dispatchEvent() { console.log(window.dispatchEvent , arguments) }
window.postMessage function postMessage() { console.log(window.postMessage, arguments) }
window.removeEventListener function removeEventListener() { console.log(window.removeEventListener, arguments) }
document.removeEventListener function removeEventListener(val1, val2) { console.log(document.removeEventListener, arguments) }
// Further stubs for the emulated window / document / navigator objects.
// NOTE(review): as shown on this page this part of the listing carries no
// assignment operators or string quotes (e.g. `navigator.onLine true`), so it
// does not parse as JavaScript as-is; presumably lost when the page was extracted.
//  - window.addEventListener logs its arguments; the call to val2 is commented
//    out, so a registered listener is never run. document.addEventListener has
//    an empty body.
//  - window.PointerEvent, window.createImageBitmap, navigator.sendBeacon,
//    navigator.javaEnabled and navigator.vibrate only log and return nothing.
//  - navigator.userActivation and navigator.mediaSession are small fixed object
//    literals; clipboard, credentials, keyboard, locks, mediaCapabilities,
//    serviceWorker, storage, presentation, bluetooth and usb are empty objects;
//    navigator.onLine is true.
// NOTE(review): the PointerEvent stub logs `windo.wPointerEvent`, which looks
// like a slip for `window.PointerEvent`.
window.addEventListener function addEventListener(val1, val2, val3) { console.log(window.addEventListener, arguments) // val2() } window.PointerEvent function PointerEvent() { console.log(windo.wPointerEvent, arguments) } document.addEventListener function addEventListener(val1, val2, val3) { } window.createImageBitmap function createImageBitmap() { console.log(window.createImageBitmap, arguments) } navigator.sendBeacon function sendBeacon() { console.log(navigator.sendBeacon, arguments) } navigator.javaEnabled function javaEnabled() { console.log(navigator.javaEnabled, arguments) } navigator.vibrate function vibrate() { console.log(navigator.vibrate, arguments) } navigator.userActivation { hasBeenActive: true, isActive: false } navigator.mediaSession { playbackState: none } navigator.clipboard {} navigator.credentials {} navigator.keyboard {} navigator.locks {} navigator.mediaCapabilities {} navigator.onLine true navigator.serviceWorker {} navigator.storage {} navigator.presentation {} navigator.bluetooth {} navigator.usb {}结果总结1.出于安全考虑,本章未提供完整流程,调试环节省略较多,只提供大致思路,具体细节要你自己还原,相信你也能调试出来。