Difficulty analysis

First, look at the format of the encrypted data:

{"a1":"1.0","a2":1682928275042,"a3":"zw6wu939y3vw518yz12z37z20975y48u812w35vux3197958uzw55090","a4":"176d8b31fddec269318b6d1769c2defd53053ac13ac7e43c","a5":"CSEMXGDYJE4uxa9eJaHJv4EWMIH++1TaT5MwUpnZnUc0N/+QFxDhSFhPqorva8r03A0/OJnF/YRezVBP/+k+19CAtjD=","a6":"h1....","a7":"","x0":4,"d1":"2d90abf95a2c0a9aeb8e39bc0c768dac"}

After seeing the mtgsig value above, how many people would still think about tackling it?

  • The parameter name mtgsig cannot be found anywhere in the global scope
  • The JS is obfuscated and compiled, so it is very hard to read and debug

Solution

Debugging is time-consuming and awkward, so instead we patch the environment and run the script directly: copy the H5guard.js file locally, run it, and it will throw errors; patch the environment according to each error message until it runs. The author uses jsdom for this.

Install jsdom

npm install jsdom

Here is the environment I have already patched:

const { JSDOM } = require("jsdom");
const { performance } = require("perf_hooks");

// Minimal document; the url option makes location/origin match the target site.
const dom = new JSDOM("<!DOCTYPE html><p>Hello world</p>", {
    url: "https://market.waimai.meituan.com",
    runScripts: "dangerously",
    resources: "usable",
    fetchOptions: {
        credentials: "include"
    },
});

// Expose the jsdom objects as Node globals (sloppy-mode assignments on purpose,
// so that H5guard.js finds window/document/navigator the way a browser would).
window = dom.window;
Window = window;
// Add a matchMedia stub, which jsdom does not implement
window.matchMedia = window.matchMedia || function () {
    return {
        matches: false,
        addListener: function () {},
        removeListener: function () {}
    };
};
document = window.document;
// jsdom has no performance.timing; borrow Node's timing object as a stand-in
window.performance.timing = performance.nodeTiming;
localStorage = window.localStorage;
navigator = window.navigator;
Navigator = navigator;
location = window.location;
history = window.history;
screen = window.screen;
XMLHttpRequest = window.XMLHttpRequest;

...H5guard.js

XMLHttpRequest needs to be modified by hand to allow cross-origin requests; there is an article about that on this blog, so it is not repeated here.
Once everything is patched and the script runs without errors, the next step is to find the entry function: just console.log(window) and look for any unusual functions.
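Seen from the defender's side, shims like the ones above leave traces that the page's own script can check for. The following is an added example, not code from the post or from H5guard.js (what H5guard actually checks is not known from the page): a consistency check over a window-like object, with both sample windows constructed inline to mimic the patched environment and a normal browser.

```javascript
// Added example: heuristics that flag a jsdom-style patched environment.
// The checks are assumptions about what such shims typically expose, written
// for detection on the defender's side.
function environmentFindings(win) {
  const findings = [];
  const ua = (win.navigator && win.navigator.userAgent) || "";

  // jsdom's default User-Agent string contains "jsdom/<version>".
  if (/jsdom/i.test(ua)) findings.push("userAgent mentions jsdom");

  // The matchMedia stub above always reports matches:false and lacks the
  // MediaQueryList fields a real browser returns (media, onchange).
  if (typeof win.matchMedia === "function") {
    const mql = win.matchMedia("(min-width: 1px)");
    if (!mql || mql.matches !== true || typeof mql.media !== "string") {
      findings.push("matchMedia returns an incomplete MediaQueryList");
    }
  } else {
    findings.push("matchMedia missing");
  }

  // performance.timing replaced by Node's nodeTiming carries fields such as
  // nodeStart/v8Start instead of PerformanceTiming's navigationStart.
  const timing = win.performance && win.performance.timing;
  if (!timing || typeof timing.navigationStart !== "number") {
    findings.push("performance.timing lacks navigationStart");
  }
  if (timing && "nodeStart" in timing) {
    findings.push("performance.timing looks like nodeTiming");
  }
  return findings;
}

// Constructed sample mimicking the patched jsdom environment from the post.
const constructedJsdomLikeWindow = {
  navigator: { userAgent: "Mozilla/5.0 (linux) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/22.1.0" },
  matchMedia: () => ({ matches: false, addListener() {}, removeListener() {} }),
  performance: { timing: { nodeStart: 0, v8Start: 1.2, bootstrapComplete: 30.5 } },
};

// Constructed sample shaped like a real browser window.
const constructedBrowserLikeWindow = {
  navigator: { userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/112.0" },
  matchMedia: (q) => ({ matches: true, media: q, onchange: null }),
  performance: { timing: { navigationStart: 1682928275000 } },
};
```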

Two special methods, init and initWithKey, turned up; a search for them led to this code:

return t.prototype.init = function() {
    if (!this.hasInit) {
        var t = window.H5guard;
        t && "function" == typeof t.init && (t.init({
            xhrHook: !1,
            fetchHook: !1,
            domains: []
        }),
        this.hasInit = !0)
    }
}

Roughly, it checks whether window.H5guard exists and, if so, calls window.H5guard.init. So we run the initialization method directly:

window.H5guard.init({
    xhrHook: !1, fetchHook: !1, domains: []
})

Next comes calling the encryption method. sign is obviously the encryption (signing) method; let's pass an empty object first and look at the result:

window.H5guard.sign({})

headers:{
    "mtgsig": "{\"a1\":\"1.0\",\"a2\":1682945282946,\"a3\":\"zw6wu939y3vw518yz12z37z20975y48u812w35vux3197958uzw55090\",\"a4\":\"3a32c9280dbce16c28c9323a6ce1bc0daada69edc63bd5e0\",\"a5\":\"lh1kCkKjXDxckXFl608H37Upett9cXQcZzPR7HdKjLQVDjVTE9diJszFgTahqmMt2BxXVTM0iIq4+bh3sx9AcUokqnL=\",\"a6\":\"h1....\",\"a7\":\"\",\"x0\":4,\"d1\":\"e69c687a93776ea53039d8dc945d2445\"}"
}

We can see that it returns the result we want; the next step is to look at what values are passed into the encryption method.


Last modified: 17 May 2023