美团滑块(1


美团滑块(1

2023-04-21 07:53| 来源: 网络整理| 查看: 265

整体流程: 1、获取主页参数 2、逆向pwd、h5Fingerprint 3、请求page_data链接 4、逆向Authencation、behavior、token_ 5、最终请求验证

一、获取主页参数

# Step 1: pull the login form's action path out of the fetched home-page HTML
# (`response` is the page body as text). Every `.group(1)` below raises
# AttributeError if its pattern is not found in the input.
# NOTE(review): the host literal and the first replace() pair appear to have been
# altered by page extraction (that replace is a no-op as printed) — confirm against
# the original post.
form_action = re.search(r'id="J-normal-form" action="(.*?)"', response).group(1)
url_ = "https://passporituan.com" + form_action.replace('=', '=').replace('amp;', '')

# Hidden CSRF field value from the same page.
csrf_match = re.search(r'"csrf" value="(.*?)"', response)
csrf = csrf_match.group(1)

# Query parameters carried inside the form action URL.
uuid_match = re.search(r'uuid=(.*?)&', url_)
uuid = uuid_match.group(1)
token_match = re.search(r'token_id=(.*?)&', url_)
token_id = token_match.group(1)

# Text following the first 'continue=' (up to the next occurrence, if any).
continues = url_.split('continue=')[1]

二、逆向pwd、h5Fingerprint

(1)pwd,跟进去发现是个rsa,简单扣下就ok

(2) h5Fingerprint,定位:

继续跟进这个混淆后的js,看到是通过n生成sign的,n是主页返回的一些东西

再往后跟就会发现是btoa,直接改写下就ok

然后到这里,将sign赋值给C,再加密,ts和cts稍微改下,其他固定即可(注意这里的环境值,后面滑块也会有,需要保持一致) 注:这个js如果觉得看得麻烦可以用ast反混淆下变量名,代码如下:

// 这个文件是run.js,demo.js放需要需要解混淆的js,decrypt_func.js是解密函数 const fs = require('fs'); const {parse} = require("@babel/parser"); const traverse = require("@babel/traverse").default; const types = require("@babel/types"); const generator = require("@babel/generator").default; const _0x24f5 = require("./decrypt_func"); let jscode = fs.readFileSync("./demo.js", { encoding: "utf-8" }); let ast = parse(jscode); // 十六进制转换 function delete_unicode(path){ if (path.node.extra == undefined){return;} delete path.node.extra path.skip() } // 找到需要替换的调用函数,push到数组 name_array = ['a7_0x3a83'] function find_decode_name(path){ let node = path.node; if (!node.declarations || node.declarations[0].init == null || node.declarations[0].init.name == undefined){return} let call_name = node.declarations[0].id.name; let binding = path.scope.getBinding(call_name); if (call_name == '_0x41c885' || binding.references name_array.push(call_name) } } // 替换字符串 function replace_name(path){ let node = path.node; if (!node.arguments[0]){return} if(node.arguments[0].type == 'NumericLiteral' && node.callee.type == 'Identifier'){ const key = node.callee.name; const value = node.arguments[0].value; if (key == '_0x24f5'){ let value_new = _0x24f5(value); console.log(value_new,"",key,"",value) let string_node = types.stringLiteral(value_new) path.replaceWith(string_node) } } } traverse(ast,{"NumericLiteral|StringLiteral": delete_unicode}) console.log("十六进制还原结束~~") traverse(ast,{"CallExpression": replace_name}) console.log("变量名还原结束~~") let {code} = generator(ast,opts = {jsescOption:{"minimal":true}}); fs.writeFile('decode.js', code, (err)=>{}); //这个文件是decrypt_func.js function _0x5b47() { var _0x25463d = ["Freefrm721 Blk BT", "postInfo", "slice", "NETWORK_FAILURE_TIP", "

\n ", "Vivaldi", "YodaKNB", "RISK_GET_VERIFYINFO_LIMIT", "Date", "getUniformIndices", "121011", "OscillatorNode", "121042", "HIGH_FLOAT", "Vagabond", "SimSun-ExtB", "FrankRuehl", "127032", "setTimeout", "fill", "Bradley Hand", "isMobile", "AvantGarde Md BT", "Float32Array", "FRUTIGER", "Adobe Garamond", "pay", "request_code", "constructor,hasOwnProperty,isPrototypeOf,propertyIsEnumerable,toLocaleString,toString,valueOf", "Tw Cen MT", "Geeza Pro", "_yoda_riskLevel", "NEVIS", "cts", "assign", "-9999px", "MAX_COMBINED_UNIFORM_BLOCKS", " : null", "globalLoadModel", "GOTHAM BOLD", "getActiveUniformBlockName", "toFixed", "TRIANGLES", "Cambria", "121125", "_timelimit", "resetVariable", "root", "yodaCommonThemeColor", "failCallbackFun", "__core-js_shared__", "name", "Serifa BT", "RISK_FACE_POLICE_DATABASE_NOT_FOUND", "RISK_MOBILE_NOT_VALID", "isNeedLoad", "quickapp_miniProgram", "yodaMoveingBar", "rejected", "getContext", "MT Extra", "Bradley Hand ITC", "Arial", "write", "AliApp", "decode", "boxError", "_selenium", "classof", "COMPILE_STATUS", "isLoading", "sliderMaxLenth", "bindEvents", "MS Reference Specialty", "buttonName", "Lithograph Light", "setValueAtTime", "TypoUpright BT", "symbol-registry", "getExtension", "121005", "Khmer UI", "uniform4uiv", "byteOffset", "RISK_USER_NOT_LOAD", "2.2.2", "Vladimir Script", "toDataURL", "MS PGothic", "getUniformBlockIndex", "abnormal", "checkRiskLevel", "EUROSTILE", "customElements", "succCallbackFun", "last", "Noteworthy", "121053", "111", "wRU", "findChild", "00101", "substr", "b_techportal_property_mv", "language", "return (function() ", "bind", "waimai", "precision", "RISK_GET_VERIFY_INFO_ERROR_RETRY", "scrollLeft", "Freestyle Script", "A promise cannot be resolved with itself.", "CordiaUPC", "Footlight MT Light", "Centaur", "121064", "121133", "setResult", "MY_miniProgram", "passive", "padding: .3em .8em; border: 1px solid #999; border-radius: .3em; background: transparent; margin: .6em auto; outline: none; color: ", "floor", 
"MingLiU_HKSCS-ExtB", "getQuery", "navigator", "_bytes", " \n 请求地址", "51d7c9ad", "apply", "Gill Sans", "Timestamp", "function", "options", "pathname", "[object]", "removeHandler", "MAX_COMBINED_FRAGMENT_UNIFORM_COMPONENTS", "makeDOMException", "121001", "Raavi", "切换验证方式", "RISK_VERIFY_REQUEST_TIME_OUT", "pageX", "NewsGoth BT", "key", "#A4A3A3", "Mrs Eaves", "title", "request_null", "GeoSlab 703 Lt BT", "Pickwick", "121057", "getProgramParameter", "delta", "Iskoola Pota", "' src='https://s3plus.meituan.net/v1/mss_f231eb419c414559a1837748d11d4312/yoda-resources/help_icon.png'>\n \n

\n \n \n ", "customStyle", "ALPHA", "Harrington", "Aparajita", "getInt32", "MUSEO", "exponentialRampToValueAtTime", "\n \n \n


