web 美团 mtgsig-平芜编程栈

声明

本文章中所有内容仅供学习交流使用，不用于其他任何目的，抓包内容、敏感网址、数据接口等均已做脱敏处理，严禁用于商业用途和非法用途，否则由此产生的一切后果均与作者无关！

分析图

启动流程在这里，发起xml进去加密地方。根据true/false生成在url后面还是请求头里面。

加密文件

大部分关键代码

!(() => { "use strict"; const $toString = Function.toString; const myFunction_toString_symbol = Symbol('('.concat('', ')_', (Math.random() + '').toString(36))); const myToString = function () { return typeof this == 'function' && this[myFunction_toString_symbol] || $toString.call(this); }; function set_native(func, key, value) { Object.defineProperty(func, key, { "enumerable": false, "configurable": true, "writable": true, "value": value }) }; delete Function.prototype['toString']; //删除原型链上的toString set_native(Function.prototype, "toString", myToString); //自己定义个getter方法 set_native(Function.prototype.toString, myFunction_toString_symbol, "function toString() { [native code] }"); //套个娃 保护一下我们定义的toString 否则就暴露了 this.func_set_natvie = (func) => { set_native(func, myFunction_toString_symbol, `function ${myFunction_toString_symbol, func.name || ''}() { [native code] }`); }; //导出函数到globalThis }).call(this); const XMLHttpRequest = require('xhr2'); Window = function Window() { throw new TypeError('Illegal constructor') }; this.func_set_natvie(Window); Window.prototype.PERSISTENT = 1 Window.prototype.TEMPORARY = 0 Navigator = function Navigator() { throw new TypeError('Illegal constructor') }; this.func_set_natvie(Navigator); window = global Object.defineProperties(Window.prototype, { [Symbol.toStringTag]: { value: 'Window', configurable: true } }) Object.defineProperties(Navigator.prototype, { [Symbol.toStringTag]: { value: 'Navigator', configurable: true } }) window.__proto__ = Window.prototype window.DataView = function DataView() { console.log('window.DataView', arguments) }; this.func_set_natvie(DataView); window.Notification = function Notification() { console.log('window.Notification', arguments) }; this.func_set_natvie(Notification); location ={ } screen = {} screen.width = 0 screen.height = 0 screen.availHeight = 0 screen.availWidth = 0 screen.orientation = { } screen.pixelDepth = 24 screen.colorDepth = 24 window.XMLHttpRequest = function XMLHttpRequest() { console.log('window.XMLHttpRequest'.arguments) return { open: function open() { }, send: function send() { } } } window.MouseEvent = function MouseEvent() { console.log('window.MouseEvent'.arguments) } window.scroll = function scroll() { console.log('window.scroll'.arguments) } window.scrollBy = function scrollBy() { console.log('window.scrollBy'.arguments) } window.scrollBy = function scrollBy() { console.log('window.scrollBy'.arguments) } window.WebGLRenderingContext = function WebGLRenderingContext() { console.log('window.WebGLRenderingContext'.arguments) } window.H5guardCount = 1 window.wPaths = [] window.xhrHook = true window.fetchHook = true window.xhrHooked = true window.xhrHook = true window.xhrHooked = true window.onbeforeinstallprompt = null window.onhashchange = null window.ondevicemotion = null window.ondeviceorientation = null window.ondeviceorientationabsolute = null setInterval = function () { } setTimeout = function () { } Navigator.toString = function toString() { return 'function Navigator() { [native code] }' }; this.func_set_natvie(Navigator.toString); navigator = {} navigator.__proto__ = Navigator.prototype window.self = window window.top = window window.localStorage ={} window.document = {} document.createEvent = function createEvent(type) { console.log('document.createEvent', arguments) } document.cookie = {} document.documentElement = { appendChild: function appendChild() { console.log('appendChild') }, removeChild: function removeChild() { console.log('removeChild') }, clientHeight: 760, clientWidth: 150, scrollTop: function scrollTop() { } } window.sessionStorage = {} window.localStorage.clear = function clear() { var temp = Object.keys(this) for (var i = 0; i < temp.length; i++) { delete this[temp[i]]; } }; window.sessionStorage.clear = function clear() { var temp = Object.keys(this) for (var i = 0; i < temp.length; i++) { delete this[temp[i]]; } }; window.localStorage.getItem = function getItem(key) { return this[key] }; window.sessionStorage.getItem = function getItem(key) { return this[key] }; window.localStorage.key = function key(index) { return Object.keys(this)[index] }; window.sessionStorage.key = function key(index) { return Object.keys(this)[index] }; window.localStorage.removeItem = function removeItem(key) { delete this[key] }; window.sessionStorage.removeItem = function removeItem(key) { delete this[key] }; window.localStorage.setItem = function setItem(key, value) { this[key] = value }; window.sessionStorage.setItem = function setItem(key, value) { this[key] = value }; window.fetchHooked = true window.wDomains =[ ] window.name = '' window.indexedDB = {} window._phantom = undefined window.phantom = undefined window.callPhantom = undefined navigator.plugins = [{name: "PDF Viewer"}, {name: "Chrome PDF Viewer"}, {name: "Chromium PDF Viewer"}, {name: "Microsoft Edge PDF Viewer"}, {name: "WebKit built-in PDF"}] oph = Object.prototype.hasOwnProperty Object.prototype.hasOwnProperty = function hasOwnProperty(val) { if (val === 'webdriver') { return false } return oph.apply(this, arguments) document.body = { appendChild: function appendChild() { }, removeChild: function removeChild() { }, scrollTop: 0 } window.AudioContext = function AudioContext() { console.log('window.AudioContext', arguments) } window.status = '' window.frameElement = null window.onsearch = null window.external = {} window.styleMedia = {type: "screen"} window.isSecureContext = true window.getSelection = function getSelection() { return { anchorOffset: 0, baseOffset: 0, extentOffset: 0, focusOffset: 0, isCollapsed: true, rangeCount: 0, type: "None", } } window.find = function find() { console.log("window.find", arguments) } window.dispatchEvent = function dispatchEvent() { console.log("window.dispatchEvent ", arguments) } window.postMessage = function postMessage() { console.log("window.postMessage", arguments) } window.removeEventListener = function removeEventListener() { console.log("window.removeEventListener", arguments) } document.removeEventListener = function removeEventListener(val1, val2) { console.log("document.removeEventListener", arguments) } window.addEventListener = function addEventListener(val1, val2, val3) { console.log("window.addEventListener", arguments) // val2() } window.PointerEvent = function PointerEvent() { console.log('windo.wPointerEvent', arguments) } document.addEventListener = function addEventListener(val1, val2, val3) { } window.createImageBitmap = function createImageBitmap() { console.log("window.createImageBitmap", arguments) } navigator.sendBeacon = function sendBeacon() { console.log('navigator.sendBeacon', arguments) } navigator.javaEnabled = function javaEnabled() { console.log('navigator.javaEnabled', arguments) } navigator.vibrate = function vibrate() { console.log('navigator.vibrate', arguments) } navigator.userActivation = { hasBeenActive: true, isActive: false } navigator.mediaSession = { playbackState: "none" } navigator.clipboard = {} navigator.credentials = {} navigator.keyboard = {} navigator.locks = {} navigator.mediaCapabilities = {} navigator.onLine = true navigator.serviceWorker = {} navigator.storage = {} navigator.presentation = {} navigator.bluetooth = {} navigator.usb = {}