JS reverse engineering: Tencent click captcha, VMP environment patching
1. Endpoint analysis
1. cap_union_prehandle
Purpose: returns the captcha images and the location of the jsvmp file
GET
QueryString: {
  aid: xxxxxx            // the site's id registered with Tencent
  protocol: https
  accver: 1
  showtype: popup
  ua:                    // navigator.userAgent, base64-encoded (atob on this value gives the UA back)
  noheader: 1
  fb: 1
  aged: 0
  enableAged: 0
  enableDarkMode: 0
  grayscale: 1
  clientype: 2
  cap_cd:
  uid:
  lang: zh-cn
  entry_url: ""          // URL of the site
  elder_captcha: 0
  js:                    // the js file
  login_appid:
  wb: 1
  subsid: 1
  callback: _aq_185202   // callback name for the response
  sess:
}
Response: {
  "state": 1,
  "ticket": "",
  "capclass": "1",
  "subcapclass": "1408",
  "src_1": "cap_union_new_show",
  "src_2": "template/new_placeholder.html",
  "src_3": "template/new_slide_placeholder.html",
  "sess": "",                  // used by the final verify endpoint
  "randstr": "",
  "sid": "",
  "log_js": "",
  "data": {
    "comm_captcha_cfg": {
      "tdc_path": "",          // the VMP file
      "feedback_url": "",
      "pow_cfg": {
        "prefix": "a5d78a98bc3cd0e1#",              // used by the final verify endpoint
        "md5": "de4c8e266d55500fb9357dad59b9f06a"   // used by the final verify endpoint
      }
    },
    "dyn_show_info": {
      "lang": "zh-cn",
      "instruction": "请依次点击:",   // "Click these in order:"
      "bg_elem_cfg": {
        "size_2d": [
          672,
          480
        ],
        "click_cfg": {
          "mark_style": "inc_number",
          "data_type": [
            "DynAnswerType_POS"
          ]
        },
        "img_url": ""          // the image to click on
      },
      "sprite_url": "",        // the prompt image (the targets to click)
      "verify_trigger_cfg": {
        "verify_icon": true
      },
      "color_scheme": "#0057d4",
      "ins_elem_cfg": [
        {
          "id": 1,
          "sprite_pos": [
            0,
            0
          ],
          "size_2d": [
            170,
            50
          ]
        }
      ]
    }
  },
  "uip": "36.26.211.203"
}
2. /tdc.js?app_data=7308091291537305600&t=1228349970
GET
Purpose: the VMP file (this is the tdc_path returned by the previous response)
3. /cap_union_new_verify
Purpose: verification endpoint
POST
Form data: {
  collect: "",        // produced by the VMP (the tdc_path from the previous response is the VMP file): window.TDC.setData({'ft': '6X_7Pb__H'}); window.TDC.getData(true)
  tlg: 1720           // length of collect
  eks: ""             // window.TDC.getInfo().info
  sess: ""            // the sess returned by the previous response
  ans: [{"elem_id":1,"type":"DynAnswerType_POS","data":"600,434"},{"elem_id":2,"type":"DynAnswerType_POS","data":"119,38"},{"elem_id":3,"type":"DynAnswerType_POS","data":"442,41"}]   // data holds the click coordinates
  pow_answer: 1f88165cc0c86fe0#85909   // in the webpack bundle tgJCap.42d74f87.js there is code that has a worker compute this; window.e(1).getWorkloadResult({target: md5, nonce: prefix}) returns both this value and pow_calc_time
  pow_calc_time: 230
}
Successful response:
{
"errorCode": "0",
"randstr": "@m2X",
"ticket": "tr03SIZEMmLbZmwlz2uMANULUX5h9wcWQMK15MItXHsLjXJpBonQZBCf1ulsqZy1v97m_S-QyBPI26tbe9P_2UDs_ult6_i0U47VinuggfH08WhKfRWJpJhHQg**",
"traceId": "",
"errMessage": "",
"sess": ""
}
2. Debugging approach
Hook window.TDC.setData and window.TDC.getData.
For environment patching, wrap the environment objects in a Proxy (log every property the VM touches and supply whatever is missing).
Only two instrumentation points are needed: the two apply calls inside the VMP interpreter.
The VM builds an array like this (captured value, truncated here):
{"cd":[1953007650,1200,0,0,735,1742384971,"Google Inc. (NVIDIA)",1,"GgoAAAANSUhEUgAAASwAAACW","top",1,1920,0,"1920-1200-1160-24-*-*-|-*","",0,"unknown","http://222.132.55.178:8190/newgoods/listPageGoodOrderSocietyDetail?rand=1519713624347",[],0,24,"UTF-8",[360,407],1742384968,"Win32",["zh-CN","zh"],24,
There is also a 10-entry array; for http it should be 1011011111 and for https 1111111111. These 10 entries are the results of the environment checks (lots of DOM operations and the like).
3. Detection points
supports, Canvas, createElement, error-stack inspection, getElementById, getItem, appendChild, getComputedStyle, removeChild, remove, style, ifWindow, body, screen, navigator, insertBefore, outerHTML, cloneNode, setAttribute, innerHTML, addEventListener, setInterval, clearInterval, RTCPeerConnection, localStorage, sessionStorage, ...
Roughly that many; some are probably missing, as there are a lot of environment checks.