美团网 钥匙滑块

声明:
本文章中所有内容仅供学习交流使用,不用于其他任何目的,抓包内容、敏感网址、数据接口等均已做脱敏处理,严禁用于商业用途和非法用途,否则由此产生的一切后果均与作者无关!

补环境部分代码(节选,按文末说明并不完整,无法直接运行)

 

/**
 * Function.prototype.toString override used by the rest of this shim.
 *
 * Replaces Function.prototype.toString with `myToString`, which returns a
 * string stored on the function under a private symbol when one is present
 * and otherwise falls back to the engine's original toString. It then
 * publishes `func_set_natvie(func)`, which stores a
 * "function <name>() { [native code] }" string on `func`.
 *
 * Defensive takeaway: a `toString()` result containing "[native code]" does
 * not prove a function is a genuine built-in, because the override is
 * process-wide and applies to every function.
 */
!(() => {
  "use strict";

  // Reference to the original toString, captured before the property is
  // deleted and replaced below (Function.toString resolves through the
  // prototype chain to Function.prototype.toString).
  const $toString = Function.toString;

  // Symbol key under which the fake source text is stored on a function.
  // The description is "()_" followed by the decimal text of Math.random():
  // the value is already a string when .toString(36) is called, so the radix
  // argument has no effect. The random part is only a label.
  const myFunction_toString_symbol = Symbol('('.concat('', ')_', (Math.random() + '').toString(36)));

  // Replacement toString. `this` is the function being stringified: return
  // the stored string if there is a truthy one, else the real source text.
  const myToString = function () {
    return typeof this == 'function' && this[myFunction_toString_symbol] || $toString.call(this);
  };

  // Define `key` on `func` as a non-enumerable, configurable, writable data
  // property holding `value`.
  function set_native(func, key, value) {
    Object.defineProperty(func, key, {
      "enumerable": false,
      "configurable": true,
      "writable": true,
      "value": value
    })
  };

  delete Function.prototype['toString']; // remove toString from the prototype chain
  set_native(Function.prototype, "toString", myToString); // install our own replacement (the author calls it a getter; it is defined as a plain data property)
  set_native(Function.prototype.toString, myFunction_toString_symbol, "function toString() { [native code] }"); // nest once more: cover our own toString as well, otherwise it would be exposed

  // NOTE(review): inside the template literal the comma operator discards
  // the symbol and interpolates only `func.name || ''`.
  // NOTE(review): this is an arrow function, so `this` is the enclosing
  // scope's `this` and the trailing `.call(this)` does not rebind it.
  this.func_set_natvie = (func) => {
    set_native(func, myFunction_toString_symbol, `function ${myFunction_toString_symbol, func.name || ''}() { [native code] }`);
  }; // export the function to globalThis (author's wording; true only when the top-level `this` is the global object; confirm against how the file is loaded)
}).call(this);

const XMLHttpRequest = require('xhr2');

// Stand-in for the browser's Window interface: calling it always throws
// TypeError('Illegal constructor'). Assigned without a declaration, so it
// becomes an implicit global (the file has no file-level strict directive).
Window = function Window() {
  throw new TypeError('Illegal constructor')
};
// Store a "[native code]" toString string on the stub (helper defined by the
// IIFE at the top of this file).
this.func_set_natvie(Window);
// Numeric constants placed on the stub's prototype.
Window.prototype.PERSISTENT = 1
Window.prototype.TEMPORARY = 0
// NOTE(review): at statement level this parses as a statement labelled
// `send` wrapping a function declaration, not as an object property. It
// looks like a leftover from an object literal cut out of the listing.
send: function send() {
}

// Stand-in for the browser's Navigator interface: calling it always throws
// TypeError('Illegal constructor'). Assigned as an implicit global.
Navigator = function Navigator() {
  throw new TypeError('Illegal constructor')
};
// Store a "[native code]" toString string on the stub (helper defined by the
// IIFE at the top of this file).
this.func_set_natvie(Navigator);

// Alias `window` to Node's global object. From here on, every `window.X = …`
// assignment in this file creates or overwrites a process-wide global.
window = global
// Set Symbol.toStringTag on the Window stub's prototype to 'Window'.
Object.defineProperties(Window.prototype, {
  [Symbol.toStringTag]: {
    value: 'Window',
    configurable: true
  }
})
// Same for the Navigator stub's prototype, with the tag 'Navigator'.
Object.defineProperties(Navigator.prototype, {
  [Symbol.toStringTag]: {
    value: 'Navigator',
    configurable: true
  }
})
// Re-parent the global object onto the Window stub's prototype.
window.__proto__ = Window.prototype

// Logging stubs: each only prints its arguments and builds nothing.
// Because `window` is assigned `global` earlier in this file, the first
// assignment replaces the built-in DataView for the whole process.
window.DataView = function DataView() {
  console.log('window.DataView', arguments)
};
// Store a "[native code]" toString string on the stub.
this.func_set_natvie(DataView);
window.Notification = function Notification() {
  console.log('window.Notification', arguments)
};
// Store a "[native code]" toString string on the stub.
this.func_set_natvie(Notification);

// Empty placeholder objects and pass-through hooks, all implicit globals.
location ={
}
// Keep the original Object.keys, then replace it with a wrapper that
// forwards the call unchanged. The result is also written to the implicit
// global `temp` before being returned.
okeys=Object.keys
Object.keys=function keys() {
  temp=okeys.apply(this,arguments)
  return temp
}
screen = {}
// presumably values read by the page script under analysis; their meaning
// is not established by this listing.
window.H5guardCount = 1
window.wPaths = []
// Timers are replaced with no-ops: scheduled callbacks never run and the
// functions return undefined instead of a timer handle.
setInterval = function () {
}
setTimeout = function () {
}

// Own `toString` on the Navigator stub that returns a fixed native-looking
// string, regardless of what it is called on.
Navigator.toString = function toString() {
  return 'function Navigator() { [native code] }'
};
// Store a "[native code]" toString string on that override as well.
this.func_set_natvie(Navigator.toString);
// `navigator` is an empty object whose prototype is the stub's prototype, so
// it inherits the 'Navigator' toStringTag set earlier in this file.
navigator = {}
navigator.__proto__ = Navigator.prototype

// Plain-object stand-ins for document.cookie and Web Storage.
// NOTE(review): `document` and `window.localStorage` are not created
// anywhere in the visible listing; presumably they come from a part the
// author left out. As shown, the first line throws a ReferenceError.
document.cookie = {}
window.sessionStorage = {}
// clear(): delete every enumerable own property of the object it is called
// on. The methods below are assigned as ordinary properties of that same
// object, so Object.keys(this) lists them too.
window.localStorage.clear = function clear() {
  var temp = Object.keys(this)
  for (var i = 0; i < temp.length; i++) {
    delete this[temp[i]];
  }
};
window.sessionStorage.clear = function clear() {
  var temp = Object.keys(this)
  for (var i = 0; i < temp.length; i++) {
    delete this[temp[i]];
  }
};
// getItem(key): plain property read; yields undefined for a missing key.
window.localStorage.getItem = function getItem(key) {
  return this[key]
};
window.sessionStorage.getItem = function getItem(key) {
  return this[key]
};
// key(index): the index-th entry of Object.keys(this).
window.localStorage.key = function key(index) {
  return Object.keys(this)[index]
};
window.sessionStorage.key = function key(index) {
  return Object.keys(this)[index]
};
// removeItem(key): delete the property.
window.localStorage.removeItem = function removeItem(key) {
  delete this[key]
};
window.sessionStorage.removeItem = function removeItem(key) {
  delete this[key]
};
// setItem(key, value): store the value as given, without string conversion.
window.localStorage.setItem = function setItem(key, value) {
  this[key] = value
};
window.sessionStorage.setItem = function setItem(key, value) {
  this[key] = value
};

// Fixed values placed on the global object.
// presumably flags and lists read by the page script under analysis; their
// meaning is not established by this listing.
window.fetchHooked = true
window.wDomains =[
]
window.name = ''
window.indexedDB = {}
// presumably the globals that headless-browser checks look for; here they
// are assigned the value undefined explicitly.
window._phantom = undefined
window.phantom = undefined
window.callPhantom = undefined
// A plain array of { name } records standing in for the plugin list.
navigator.plugins = [{name: "PDF Viewer"}, {name: "Chrome PDF Viewer"}, {name: "Chromium PDF Viewer"},
  {name: "Microsoft Edge PDF Viewer"}, {name: "WebKit built-in PDF"}]

// Keep the original hasOwnProperty, then replace it on Object.prototype with
// a wrapper that answers false for the key 'webdriver' on every object and
// defers to the original for any other key.
// Defensive takeaway: a property-presence probe made through a patchable
// built-in reports whatever the hosting environment chooses to report.
// NOTE(review): the closing brace of this function is missing from the
// listing, so the statements that follow parse as part of its body.
oph = Object.prototype.hasOwnProperty
Object.prototype.hasOwnProperty = function hasOwnProperty(val) {
  if (val === 'webdriver') {
    return false
  }
  return oph.apply(this, arguments)

// Stub document.body: no-op appendChild/removeChild and a zero scrollTop.
// NOTE(review): `document` is not created anywhere in the visible listing;
// presumably it comes from a part the author left out.
document.body = {
  appendChild: function appendChild() {
  },
  removeChild: function removeChild() {
  },
  scrollTop: 0
}
// Logging stub: only prints its arguments and builds nothing.
window.AudioContext = function AudioContext() {
  console.log('window.AudioContext', arguments)
}
// Fixed window-geometry and window-relationship values. `parent` and
// `frames` point back at the same global object.
window.screenX = 0
window.screenY = 0
window.screenLeft = 0
window.screenTop = 0
window.parent = window
window.opener = null
window.frames = window
window.closed = false
window.customElements = {}
// Browser UI bar objects, each reporting visible: true.
window.locationbar = {visible: true}
window.menubar = {visible: true}
window.personalbar = {visible: true}
window.scrollbars = {visible: true}
window.statusbar = {visible: true}
window.toolbar = {visible: true}
window.status = ''
window.frameElement = null
window.onsearch = null
window.external = {}
window.styleMedia = {type: "screen"}
window.isSecureContext = true

结果

总结

1.出于安全考虑,本章未提供完整流程,调试环节省略较多,只提供大致思路,具体细节要你自己还原,相信你也能调试出来。
