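Overview
Note: for study only; must not be used for commercial transactions. If there is any infringement, please get in touch promptly.
Reverse engineering: JS reverse engineering - Akamai on Adidas (three requests), environment patching and pure-algorithm reimplementation
URL:aHR0cHM6Ly93d3cuYWRpZGFzLmNvbS5jbi8=
Overall architecture and flow
Note: analysis of the overall flow
1. Visit the home page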

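- Three requests are sent: the second is triggered by an event and can be ignored; the third is triggered once the trajectory count reaches 21: POST => sensor_data
- We can set an XHR breakpoint and then walk back up the call stack
- JS deobfuscation (using 墨竹's deobfuscation script)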



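2. The order of the key/value pairs in the din object changes every time, and the algorithm for the ajr value also changes. The dvc value comes from the VMP and its algorithm is fixed (b+j+g+i+e+h+c+k+l+d+f+ a dynamic part). The mev value is computed from the trajectory.
3. Extract the algorithm (in the cookie returned by the third request: 0)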

Technical terms explained
Note: environment patching
- Property descriptor checks:
```javascript
// Override used for environment patching. Object.getOwnPropertyDescriptor_ is
// assumed to hold the original function, saved before this override is installed.
Object.getOwnPropertyDescriptor = function getOwnPropertyDescriptor() {
    // contentWindow: return a getter whose toString() looks native
    if (arguments[1] === 'contentWindow') {
        contentWindow_getter = function contentWindow() { }
        contentWindow_getter.toString = function toString() {
            return "function get contentWindow() { [native code] }"
        }
        return {
            get: contentWindow_getter
        }
    }
    // loading: same pattern
    if (arguments[1] === 'loading') {
        loading_getter = function loading() { }
        loading_getter.toString = function toString() {
            return "function get loading() { [native code] }"
        }
        return {
            get: loading_getter
        }
    }
    // navigator.plugins, looked up on the navigator prototype
    if (arguments[0] === navigator.__proto__ && arguments[1] === 'plugins') {
        plugins_getter = function plugins() { }
        plugins_getter.toString = function toString() {
            return "function get plugins() { [native code] }"
        }
        return {
            get: plugins_getter
        }
    }
    // navigator.mimeTypes, looked up on the navigator prototype
    if (arguments[0] === navigator.__proto__ && arguments[1] === 'mimeTypes') {
        mimeTypes_getter = function mimeTypes() { }
        mimeTypes_getter.toString = function toString() {
            return "function get mimeTypes() { [native code] }"
        }
        return {
            get: mimeTypes_getter
        }
    }
    // path and createElement: report no own descriptor
    if (arguments[1] === 'path') {
        return undefined
    }
    if (arguments[1] === 'createElement') {
        return undefined
    }
    // Everything else goes to the saved original
    return Object.getOwnPropertyDescriptor_.apply(this, arguments);
}
```
- SharedWorker check: the onmessage callback
```javascript
// Setter on the worker port's onmessage: when the page assigns its handler,
// the handler is called at once with a message object.
// "xxx" marks values left as placeholders in the original post.
Object.defineProperty(wroker_port, 'onmessage', {
    set: function (value) {
        debugger
        value({
            data: {
                "ts": (new Date(window.bmak.startTs + 1000)).toString(),
                "oscpu": null,
                "tz": "Asia/Shanghai",
                "la": navigator.language,
                "las": navigator.languages,
                "dm": navigator.deviceMemory,
                "hc": navigator.hardwareConcurrency,
                "net": [
                    navigator.connection.effectiveType,
                    -1,
                    "null"
                ],
                "ua": navigator.userAgent,
                "av": navigator.appVersion,
                "pl": "xxx",
                "uad": {
                    "architecture": "xxx",
                    "bitness": "xxx",
                    "brands": xxx,
                    "fullVersionList": xxx,
                    "mobile": false,
                    "model": "",
                    "platform": "xxx",
                    "platformVersion": "10.0.0",
                    "uaFullVersion": "xxx",
                    "wow64": false
                },
                "gpu": {
                    "gpuVendor": "xxx",
                    "gpuRenderer": "xxx",
                    "gpu2Vendor": "xxx",
                    "gpu2Renderer": "xxx"
                }
            }
        })
    }
})
```
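- speechSynthesis.getVoices check: the first call returns an empty result; the second and third calls return values with voiceURI and lang
- Various prototype-chain checks, toString checks, checks on navigator property callbacks, and the plugins prototype plus item and refresh
- document.cookie must contain the bm_sz returned by the home page, document.currentScript must be the URL of the JS returned by the first response, and so on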
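From the detection side, the descriptor and toString checks listed above can be expressed as integrity tests on an accessor function. The sketch below is an added example, not code from the original post or from Akamai; `inspectGetter`, `genuineGetter` and `spoofedGetter` are hypothetical names, and the built-in `Map.prototype.size` getter stands in for a browser accessor so the block runs in Node.

```javascript
// Keep a reference to the real Function.prototype.toString before any later
// code has a chance to replace or shadow it.
const nativeToString = Function.prototype.toString;
const NATIVE_RE = /^function [\w$ ]*\(\) \{\s+\[native code\]\s+\}$/;

// Returns the list of integrity findings for an accessor function.
function inspectGetter(getter, expectedName) {
  if (typeof getter !== 'function') return ['not-a-function'];
  const own = (key) => Object.prototype.hasOwnProperty.call(getter, key);
  const findings = [];
  // 1. An own toString property shadows Function.prototype.toString.
  if (own('toString')) findings.push('own-toString');
  // 2. The saved toString reports the real source text, not the shadowed one.
  if (!NATIVE_RE.test(nativeToString.call(getter))) findings.push('source-not-native');
  // 3. Built-in accessors are not constructors and have no prototype property.
  if (own('prototype')) findings.push('has-prototype');
  // 4. Built-in getters are named "get <property>".
  if (getter.name !== expectedName) findings.push('name-mismatch');
  return findings;
}

// A genuine built-in getter that exists in any JavaScript engine.
function genuineGetter() {
  return Object.getOwnPropertyDescriptor(Map.prototype, 'size').get;
}

// Constructed sample following the pattern of the override shown earlier:
// a plain function whose own toString returns a native-looking string.
function spoofedGetter() {
  const getter = function plugins() {};
  getter.toString = function toString() {
    return 'function get plugins() { [native code] }';
  };
  return getter;
}

console.log(inspectGetter(genuineGetter(), 'get size'));
console.log(inspectGetter(spoofedGetter(), 'get plugins'));
```

The spoofed getter passes a naive `getter.toString()` comparison but fails all four checks, which is why these checks are usually run together rather than relying on the string alone.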

Summary
Note: for study and discussion, see my profile page; the community (星球) is updated continuously: (+community profile +v)