美团滑块(1-18，js逆向)

网址：aHR0cHM6Ly9wYXNzcG9ydC5tZWl0dWFuLmNvbS9hY2NvdW50L3VuaXRpdmVsb2dpbg==

整体流程：
1、获取主页参数
2、逆向pwd、h5Fingerprint
3、请求page_data链接
4、逆向Authencation、behavior、token_
5、最终请求验证

一、获取主页参数

url_ = "https://passport.meituan.com" + re.search(r'id="J-normal-form" action="(.*?)"', response).group(1).replace('=', '=').replace('amp;', '')
csrf = re.search(r'"csrf" value="(.*?)"', response).group(1)
uuid = re.search(r'uuid=(.*?)&', url_).group(1)
token_id = re.search(r'token_id=(.*?)&', url_).group(1)
continues = url_.split('continue=')[1]

二、逆向pwd、h5Fingerprint

（1）pwd，跟进去发现是个rsa,简单扣下就ok

（2） h5Fingerprint，定位：

继续跟进这个混淆后的js，看到是通过n生成sign的，n是主页返回的一些东西

再往后跟就会发现是btoa,直接改写下就ok

然后到这里，将sign赋值给C，再加密，ts和cts稍微改下，其他固定即可（注意这里的环境值，后面滑块也会有，需要保持一致）

注：这个js如果觉得看得麻烦可以用ast反混淆下变量名，代码如下：

// 这个文件是run.js，demo.js放需要需要解混淆的js,decrypt_func.js是解密函数
const fs = require('fs');
const {parse} = require("@babel/parser");
const traverse = require("@babel/traverse").default;
const types = require("@babel/types");
const generator = require("@babel/generator").default;
const _0x24f5 = require("./decrypt_func");

let jscode = fs.readFileSync("./demo.js", {
    encoding: "utf-8"
});
let ast = parse(jscode);

// 十六进制转换
function delete_unicode(path){
    if (path.node.extra == undefined){return;}
    delete path.node.extra
    path.skip()
}

// 找到需要替换的调用函数，push到数组
name_array = ['a7_0x3a83']
function find_decode_name(path){
    let node = path.node;
    if (!node.declarations || node.declarations[0].init == null || node.declarations[0].init.name == undefined){return}
    let call_name = node.declarations[0].id.name;
    let binding = path.scope.getBinding(call_name);
    if (call_name == '_0x41c885' || binding.references<=0){return}
    if (name_array.indexOf(call_name) == -1){
           name_array.push(call_name)
    }
}

// 替换字符串
function replace_name(path){
    let node = path.node;
    if (!node.arguments[0]){return}
    if(node.arguments[0].type == 'NumericLiteral' && node.callee.type == 'Identifier'){
         const key = node.callee.name;
         const value = node.arguments[0].value;
         if (key == '_0x24f5'){
              let value_new = _0x24f5(value);
              console.log(value_new,"<-->",key,"<-->",value)
              let string_node = types.stringLiteral(value_new)
              path.replaceWith(string_node)
         }
    }
}

traverse(ast,{"NumericLiteral|StringLiteral": delete_unicode})
console.log("十六进制还原结束~~")
traverse(ast,{"CallExpression": replace_name})
console.log("变量名还原结束~~")

let {code} = generator(ast,opts = {jsescOption:{"minimal":true}});
fs.writeFile('decode.js', code, (err)=>{});

//这个文件是decrypt_func.js
function _0x5b47() {
  var _0x25463d = ["Freefrm721 Blk BT", "postInfo", "slice", "NETWORK_FAILURE_TIP", "
\n                    ", "Vivaldi", "YodaKNB", "RISK_GET_VERIFYINFO_LIMIT", "Date", "getUniformIndices", "121011", "OscillatorNode", "121042", "HIGH_FLOAT", "Vagabond", "SimSun-ExtB", "FrankRuehl", "127032", "setTimeout", "fill", "Bradley Hand", "isMobile", "AvantGarde Md BT", "Float32Array", "FRUTIGER", "Adobe Garamond", "pay", "request_code", "constructor,hasOwnProperty,isPrototypeOf,propertyIsEnumerable,toLocaleString,toString,valueOf", "Tw Cen MT", "Geeza Pro", "_yoda_riskLevel", "NEVIS", "cts", "assign", "-9999px", "MAX_COMBINED_UNIFORM_BLOCKS", " : null", "globalLoadModel", "GOTHAM BOLD", "getActiveUniformBlockName", "toFixed", "TRIANGLES", "Cambria", "121125", "_timelimit", "resetVariable", "root", "yodaCommonThemeColor", "failCallbackFun", "__core-js_shared__", "name", "Serifa BT", "RISK_FACE_POLICE_DATABASE_NOT_FOUND", "RISK_MOBILE_NOT_VALID", "isNeedLoad", "quickapp_miniProgram", "yodaMoveingBar", "rejected", "getContext", "MT Extra", "Bradley Hand ITC", "Arial", "write", "AliApp", "decode", "boxError", "_selenium", "classof", "COMPILE_STATUS", "isLoading", "sliderMaxLenth", "bindEvents", "MS Reference Specialty", "buttonName", "Lithograph Light", "setValueAtTime", "TypoUpright BT", "symbol-registry", "getExtension", "121005", "Khmer UI", "uniform4uiv", "byteOffset", "RISK_USER_NOT_LOAD", "2.2.2", "Vladimir Script", "toDataURL", "MS PGothic", "getUniformBlockIndex", "abnormal", "checkRiskLevel", "EUROSTILE", "customElements", "succCallbackFun", "last", "Noteworthy", "121053", "111", "wRU", "findChild", "00101", "substr", "b_techportal_property_mv", "language", "return (function() ", "bind", "waimai", "precision", "RISK_GET_VERIFY_INFO_ERROR_RETRY", "scrollLeft", "Freestyle Script", "A promise cannot be resolved with itself.", "CordiaUPC", "Footlight MT Light", "Centaur", "121064", "121133", "setResult", "MY_miniProgram", "passive", "padding: .3em .8em; border: 1px solid #999; border-radius: .3em; background: transparent; margin: .6em auto; outline: none; color: ", "floor", "MingLiU_HKSCS-ExtB", "getQuery", "navigator", "_bytes", " \n 请求地址", "51d7c9ad", "apply", "Gill Sans", "Timestamp", "function", "options", "pathname", "[object]", "removeHandler", "MAX_COMBINED_FRAGMENT_UNIFORM_COMPONENTS", "makeDOMException", "121001", "Raavi", "切换验证方式", "RISK_VERIFY_REQUEST_TIME_OUT", "pageX", "NewsGoth BT", "key", "#A4A3A3", "Mrs Eaves", "title", "request_null", "GeoSlab 703 Lt BT", "Pickwick", "121057", "getProgramParameter", "delta", "Iskoola Pota", "' src='https://s3plus.meituan.net/v1/mss_f231eb419c414559a1837748d11d4312/yoda-resources/help_icon.png'>\n                

\n

, "callPhantom", "lwc", "/v2/ext_api/", "shaderSource", "getDate", "121154", "121123", "close", "ネットワークがリダイレクトしました、後でもう一度やり直してください", "925458AfqHQn", "getBufferSubData", "0-0-0-0", "rangeMax", "boxStatic", "Party LET", "ontouchmove", "'>\n ", "enableVertexAttribArray", "wsh", "Goudy Stout", "bindBuffer", "RISK_NOT_VERIFY_BY_ORDER", "wordBreak", "121112", "mouseout", "symbols", "setPrototypeOf", "新版签名正常", "drag", "40zdFOiH", "\n ", "header", "callHandle", "RISK_BOOM_PROOF_DENY", "defenseForm", "style", "no support webgl", "maxContainer", "moveingBar ", "__driver_unwrapped", "Content-MD5", "utf8", "globalCompositeOperation", "getFonts", "formDataPost", "RISK_PARAMS_INVALID_FORMART", "Trident", "isSync", "'>\n

\n

\n

", "customStyle", "ALPHA", "Harrington", "Aparajita", "getInt32", "MUSEO", "exponentialRampToValueAtTime", "\n

\n

, "__selenium_evaluate", "none", "Serifa Th BT", "121050", "call", "Cuckoo", "pageY", "allSettled", "webgl", "moveTo", "RISK_COMMON_PARAMS_LOST", "Lucida Calligraphy", "localStorage", "DFKai-SB", "_setter", "Viner Hand ITC", "Onyx BT", "isKNBEnv", "Kalinga", "getBoundingClientRect", "boxOk ", "arc", "setUint8", "'>\n

\n

为了完成验证，需要您提供多项信息\n

\n \n class='btn ", "Cooper Black", "Array", "Offset plus length of array is out of range", "_yoda_listIndex", "shadowOffsetY", "whiteSpace", "Bitstream Vera Sans Mono", "DataView", "buttons", "createbgImage", "MAX_3D_TEXTURE_SIZE", "beginQuery", "Lucida Sans", "duration", "\n

", "Gill Sans MT Condensed", "Niagara Solid", "fontSize", "Tubular", "Internet Explorer", "normal", "103", "Error: ", "Century Schoolbook", "Bookshelf Symbol 7", "RISK_AUTHORIZE_CODE_EXPIRE", "charCodeAt", "Marion", "Bodoni 72 Smallcaps", "nativeSign sign fail", "Sketch Rockwell", "targetTouches", "新版签名异常", "ネットワークのつなぎ状態が不安定です", "'>\n , "rangeMin", "getStringHashMD5", "availWidth", "Bernard MT Condensed", "drawArrays", "jump", "https://s3plus.meituan.net/v1/mss_f231eb419c414559a1837748d11d4312/yoda-resources/slider/m_loading.png", "invalidateFramebuffer", "top", "Uint16Array", "loadSource", "moveingBarError ", "Vrinda", "withCredentials", "Heiti SC", "label", "Wingdings 3", "Kannada Sangam MN", "[null]", "not a function", "Curlz MT", "Forte", "Constantia", "Amazone BT", "iterator", "动态签名", "121002", "Bandy", "op-symbols", "Pegasus", "RISK_NO_SUCH_METHOD", "getShaderPrecisionFormat", "getwd", "hash", "done", "succCallbackUrl", "Can't call method on ", "MONO", "Tahoma", "BankGothic Md BT", "MAX_COLOR_ATTACHMENTS", "forEach", "safari", "127021", "code=", "FILLPHONENUMBER", "Old English Text MT", "startX", "Bodoni 72", "'>

\n

\n

, "Jester", "constructor", "Browallia New", "String", "121129", "session", "OPR", "121049", "count", "getSourcePath", "Bauer Bodoni", "freeze", "99999", " class='sel ", "then", "UNIFORM_BUFFER_OFFSET_ALIGNMENT", "FRAGMENT_SHADER", "{}.constructor(\"return this\")( )", "keyboardEvent", "onFulfilled", "Wingdings", "MAX_UNIFORM_BLOCK_SIZE", "textDecoration", "Lao UI", "Microsoft Edge", "MingLiU", "handlerHelp", "time", "BatangChe", "Andalus", "CopperplGoth Bd BT", "Matura MT Script Capitals", "clientWaitSync", "race", "loading", "data-verifyid", "utils", "Book Antiqua", "callee", "Yes, D3D9", "_deferreds", "MAX_PROGRAM_TEXEL_OFFSET", "doms", "touchstart", "compileShader", "ceil", "uniformMatrix2x4fv", "isDrag", "setItem", "Rockwell", "createElement", "Kaito", "RISK_PARAMS_LOST", "bufferData", "getOwnPropertySymbols", "Nyala", "WX_miniProgram", "click", "configurable", "Microsoft JhengHei", "clientHeight", "promise", "DOM Exception 5", "#FD9B29", "您的请求出现了异常", "Bank Gothic", "Segoe Print", "chrome", "listenwd", "Fixedsys", "Tw Cen MT Condensed", "globalTimer", "PC上显示了i版的滑动", "RISK_AUTHORIZE_CODE_FAIL", "actualMove", "buffer", "b_techportal_7nezp2sy_mc", "American Typewriter", "Microsoft Yi Baiti", "Corbel", "ChelthmITC Bk BT", "YODA_Bridge", "AES must be instanitated with `new`", "setFloat64", "NETWORK_FAILURE_CODE", "Not available", "Antique Olive", "connect", "Palatino", "Wingdings 2", "GulimChe", "MingLiU-ExtB", "isFrozen", "replace", "English 111 Vivace BT", "dianping", "Url", "\n precision mediump float;\n varying vec4 v_color;\n void main() {\n gl_FragColor = v_color; // return reddish-purple\n }\n ", "RISK_NAME_IDENTITY_INFO_NOT_FOUND", "getElementById", "texImage3D", "Kokila", "MV Boli", "riskLevelInfo", "lowp", "Korinna BT", "render", "加载图片失败", "sendBatch", "#490F44", "121046", "reduce", "circle9", "tagName", "Magneto", "Reflect", "knbFun", "Sinhala Sangam MN", "HIGH_INT", "onVerifySuccess", "PKCS#7 invalid padding byte", "Helvetica Neue", "_getter", "webdriver-evaluate", "Malformed string", "Zurich Ex BT", "editFinishedTimeStamp", "DELICIOUS", "BANKCARDREALNAME", "Rockwell Extra Bold", "Accessors not supported!", "'>\n

立即验证\n

", "webdriverScriptFn", "Gloucester MT Extra Condensed", "valueOf", "'>为了您的账号安全请选择一种方式完成验证

\n