Analysis of the difficulties
First, look at the format of the encrypted data:
{"a1":"1.0","a2":1682928275042,"a3":"zw6wu939y3vw518yz12z37z20975y48u812w35vux3197958uzw55090","a4":"176d8b31fddec269318b6d1769c2defd53053ac13ac7e43c","a5":"CSEMXGDYJE4uxa9eJaHJv4EWMIH++1TaT5MwUpnZnUc0N/+QFxDhSFhPqorva8r03A0/OJnF/YRezVBP/+k+19CAtjD=","a6":"h1.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","a7":"","x0":4,"d1":"2d90abf95a2c0a9aeb8e39bc0c768dac"}
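After seeing the mtgsig value above, how many people would still want to take it on?
- The parameter name mtgsig cannot be found anywhere in a global search
- The JS is obfuscated and compiled, so it is hard to read and debug
Solution
Debugging is time-consuming and awkward, so we patch the environment and run the script directly. Copy the H5guard.js file locally and run it; it will throw errors, and you patch the environment according to each error message. I use jsdom.
Install jsdom
npm install jsdom
Here is the environment I have already patched: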
const {JSDOM, VirtualConsole} = require("jsdom");
const dom = new JSDOM("<!DOCTYPE html><p>Hello world</p>", {
    url: "https://market.waimai.meituan.com",
    runScripts: 'dangerously',
    resources: 'usable',
    fetchOptions: {
        credentials: 'include'
    },
})
const {
    performance, PerformanceObserver,
} = require('perf_hooks');
// Expose the jsdom objects as globals so the script finds them by name
window = dom.window;
Window = window;
// Add the matchMedia method, which jsdom does not provide
window.matchMedia = window.matchMedia || function () {
    return {
        matches: false,
        addListener: function () {
        },
        removeListener: function () {
        }
    };
};
document = window.document;
// Use Node's timing object in place of the browser's performance.timing
window.performance.timing = performance.nodeTiming
localStorage = window.localStorage;
navigator = window.navigator;
Navigator = navigator
location = window.location;
history = window.history;
screen = window.screen;
XMLHttpRequest = window.XMLHttpRequest;
// ... the contents of H5guard.js go here ...
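XMLHttpRequest has to be modified by hand to allow cross-origin requests; there is an article about that on the blog, so I won't paste it here.
Once everything is patched and the script runs without errors, the next step is to find the entry function. Just console.log(window) and see whether it has any unusual functions.
Two stand out, init and initWithKey. Searching for them turns up this code: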
return t.prototype.init = function() {
    if (!this.hasInit) {
        var t = window.H5guard;
        t && "function" == typeof t.init && (t.init({
            xhrHook: !1,
            fetchHook: !1,
            domains: []
        }),
        this.hasInit = !0)
    }
}
Roughly, it checks whether window.H5guard exists and, if it does, calls window.H5guard.init, so we simply call the initialization method ourselves:
window.H5guard.init({
xhrHook: !1, fetchHook: !1, domains: []
})
Next comes calling the encryption method. sign is obviously that method, so we first pass an empty obj and look at the result:
window.H5guard.sign({})
headers:{
"mtgsig": "{\"a1\":\"1.0\",\"a2\":1682945282946,\"a3\":\"zw6wu939y3vw518yz12z37z20975y48u812w35vux3197958uzw55090\",\"a4\":\"3a32c9280dbce16c28c9323a6ce1bc0daada69edc63bd5e0\",\"a5\":\"lh1kCkKjXDxckXFl608H37Upett9cXQcZzPR7HdKjLQVDjVTE9diJszFgTahqmMt2BxXVTM0iIq4+bh3sx9AcUokqnL=\",\"a6\":\"h1.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\",\"a7\":\"\",\"x0\":4,\"d1\":\"e69c687a93776ea53039d8dc945d2445\"}"
}
We can see that it returns the result we wanted. The next step is to see what values are passed to the encryption method.
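Seen from the defending side, the shims in the patched environment above leave traces that a script running in the page can check. The following is an added example, not code from the original post or from H5guard: findShimSignals, isNative and both sample window objects are constructed for illustration. It assumes jsdom's default userAgent, which carries a jsdom/<version> token when the JSDOM options do not override it, as is the case above.

```javascript
// Added example: flag the environment shims this post installs.
// Both sample "window" objects are constructed so the code runs offline.
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// Built-in functions stringify with a "[native code]" body; script shims do not.
function isNative(fn) {
  return typeof fn === "function" &&
    NATIVE_RE.test(Function.prototype.toString.call(fn));
}

function findShimSignals(win) {
  const signals = [];
  const ua = (win.navigator && win.navigator.userAgent) || "";
  if (/\bjsdom\//i.test(ua)) signals.push("ua-jsdom");

  // The post adds matchMedia as a plain JS function because jsdom lacks it.
  if (typeof win.matchMedia !== "function") signals.push("matchMedia-missing");
  else if (!isNative(win.matchMedia)) signals.push("matchMedia-not-native");

  // The post assigns Node's nodeTiming (nodeStart, v8Start, ...) to
  // performance.timing; a browser's timing object has navigationStart.
  const timing = win.performance && win.performance.timing;
  if (!timing) signals.push("timing-missing");
  else if ("nodeStart" in timing || !("navigationStart" in timing)) {
    signals.push("timing-not-browser");
  }
  return signals;
}

// Constructed sample: an environment patched the way the post describes.
const shimmedWindow = {
  navigator: { userAgent: "Mozilla/5.0 (linux) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/0.0.0" },
  matchMedia: function () {
    return { matches: false, addListener() {}, removeListener() {} };
  },
  performance: { timing: { nodeStart: 1.2, v8Start: 3.4, bootstrapComplete: 20.1 } },
};

// Constructed sample: browser-like values; Math.max stands in for a native function.
const browserLikeWindow = {
  navigator: { userAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0.0.0.0 Safari/537.36" },
  matchMedia: Math.max,
  performance: { timing: { navigationStart: 1682928275042, loadEventEnd: 1682928276000 } },
};

console.log(findShimSignals(shimmedWindow), findShimSignals(browserLikeWindow));
```

Signals like these are best reported to the server and weighed with other evidence, since each one can be absent in a legitimate but unusual browser.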