丑团-h5-Mtgsig算法-分析
目标地址
aHR0cHM6Ly9oNS53YWltYWkubWVpdHVhbi5jb20vd2FpbWFpL21pbmRleC9raW5na29uZz9uYXZpZ2F0ZVR5cGU9MTkmdGl0bGU9JUU3JTk0JTlDJUU3JTgyJUI5JUU5JUE1JUFFJUU1JTkzJTgxJmluZGV4PTMmcmVzb3VyY2VfaWQ9MTA2Mzg=接口地址
aHR0cHM6Ly9pLndhaW1haS5tZWl0dWFuLmNvbS90c3Avb3Blbi9vcGVuaDUvY2hhbm5lbC9zaG9wTGlzdD9zZXRfbmFtZT0mcmVnaW9uX2lkPSZfPTE3NTI0ODgxOTcyMjYmeW9kYVJlYWR5PWg1JmNzZWNwbGF0Zm9ybT00JmNzZWN2ZXJzaW9uPTMuMi4xCg==Mtgsig分析
xhr断点
断到这个点
可以看到 他是通过 就可以拿到值了
H5guard.sign(settings).then(function (res) {console.log(res.headers.mtgsig);})他是个异步的东西
这个时候 可以看到 传入对应的参数 进行加密 给返回结果
但是你拿着 加密的结果 去发起请求 会发现 不给数据
原因在于 这次只是障眼法 并非真正用于发送请求 获取数据的mtgsig加密参数 和 加密结果
这个时候就要断点到 H5guard.sign 中 看关于 "channel/shopList" 这个接口 实际是怎么运行的
下方就是 运行结果 多看下就会发现 其实都是走的 k0 方法进行的加密
直接断点 k0 方法 通过下方条件断点 断到最后return的时候 你会发现 会断住2次
其实这个第二次 才是真正 "channel/shopList" 接口 生成 mtgsig 值的点
下面直接 看入参 和 返回值
// 入参
{"url": "https://i.waimai.meituan.com/tsp/open/openh5/channel/shopList?set_name=®ion_id=&_=1752503590891&yodaReady=h5&csecplatform=4&csecversion=3.2.1","method": "POST","headers": {"Accept": "application/json","Content-Type": "application/x-www-form-urlencoded"},"openArg": ["POST","https://i.waimai.meituan.com/tsp/open/openh5/channel/shopList?set_name=®ion_id=&_=1752503590891&yodaReady=h5&csecplatform=4&csecversion=3.2.1",true,null,null],"signType": 1,"oriUrl": "https://i.waimai.meituan.com/tsp/open/openh5/channel/shopList?set_name=®ion_id=&_=1752503590891","SCaApp": false,"openHookedCount": 1,"isRaptor": false,"sendHookedCount": 1,"data": "optimus_code=10&optimus_risk_level=71&pageSize=20&page_index=0&offset=0&first_category_type=19&navigate_type=19&content_personalized_switch=0&wm_latitude=35275300&wm_longitude=113896758&wmUuidDeregistration=0&wmUserIdDeregistration=0&openh5_uuid=1980956e4c9c8-0af1f2bb35a14e-26011151-1fa400-1980956e4cac8&uuid=1980956e4c9c8-0af1f2bb35a14e-26011151-1fa400-1980956e4cac8"
}// 加密结果
{"url": "https://i.waimai.meituan.com/tsp/open/openh5/channel/shopList?set_name=®ion_id=&_=1752503590891&yodaReady=h5&csecplatform=4&csecversion=3.2.1","method": "POST","headers": {"Accept": "application/json","Content-Type": "application/x-www-form-urlencoded","mtgsig": "{\"a1\":\"1.2\",\"a2\":1752503621192,\"a3\":\"7v784wuy817v5z8wz39w02w3z33yz07y8019043v85997958xu12w446\",\"a5\":\"Cxw0xSrmBS/jRpoFlKD2zY9lgvvsCdJDWUn+eE72yXg7K9wEM0Daf2s7xM2LOf+le4r=\",\"a6\":\"h1.8X+q4tlpBosNvaNZ9EzugJM8VtwVqO04PQgb0hhItN6+y0no2Io7hUPzQ1dMRFwRw0dm8MgPore2n1LIV0JPnjhk6oW1FFuTPRTRmYlrgsE/0gBAMHlM8QFKAdjEx/xGEFvYh4DM7ryeCATaVJ2LipF5tvuEfGL5yRFrjgnlF49wG1lxhtAodIFRLUGyAnKLTP2UQm77M7MlF6lSAL8KhEQK7eiSNyW1/wCOCjh4KVksEAMBUqTuzN4In2C4TfLGHp6s27d1+P8Ngxyn14JAVfvP1USCen6Hl4gwTwS/VVNHSvFtvxdl592mMXL6ey5TsYgtDO0O8ymCNVOHbe1IQDB40AZlEfYlIQ65tniZQAEG0WGvlPXk1bVTnvWafkZoo+HQ8v0x3h1g949OsKMv2cQ==\",\"a8\":\"f88ef60932840f481c3fd599b3f3a199\",\"a9\":\"3.2.1,7,63\",\"a10\":\"67\",\"x0\":4,\"d1\":\"e682c59f6173762351b6831187f1b3b0\"}"},"openArg": ["POST","https://i.waimai.meituan.com/tsp/open/openh5/channel/shopList?set_name=®ion_id=&_=1752503590891&yodaReady=h5&csecplatform=4&csecversion=3.2.1",true,null,null],"signType": 1,"oriUrl": "https://i.waimai.meituan.com/tsp/open/openh5/channel/shopList?set_name=®ion_id=&_=1752503590891","SCaApp": false,"openHookedCount": 1,"isRaptor": false,"sendHookedCount": 1,"data": "optimus_code=10&optimus_risk_level=71&pageSize=20&page_index=0&offset=0&first_category_type=19&navigate_type=19&content_personalized_switch=0&wm_latitude=35275300&wm_longitude=113896758&wmUuidDeregistration=0&wmUserIdDeregistration=0&openh5_uuid=1980956e4c9c8-0af1f2bb35a14e-26011151-1fa400-1980956e4cac8&uuid=1980956e4c9c8-0af1f2bb35a14e-26011151-1fa400-1980956e4cac8"
}直接取 mtgsig 发包测试 可以看到是没有问题的
所以接下来 直接把整个js 扣下来补环境就行了
给 H5guard.sign 的指向方法
修改成以下代码 把异步给删了 让他调用直接反值
kC[b(3977)] = function(kF) {return k0(kF, !0)}具体的细节大家自己探索吧
<----感谢观看---->