1.hook eval
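(function () {
  'use strict';
  // Analysis hook: strip `debugger;` statements from source passed to eval().
  //
  // Caveats for whoever reads the results:
  //  - The replacement is purely textual, so a "debugger;" inside a string
  //    literal of the evaluated code is rewritten as well.
  //  - Calls routed through this wrapper are indirect evals: the code runs in
  //    global scope and cannot see the caller's local variables.
  var eval_ = window.eval;
  window.eval = function (x) {
    // eval() hands non-string arguments back unchanged; only strings carry source.
    if (typeof x !== 'string') {
      return eval_(x);
    }
    // split/join rewrites every occurrence (replace() with a string pattern
    // stops after the first) and the result is returned so callers that use
    // eval's value keep working.
    return eval_(x.split("debugger;").join(" ; "));
  };
  // Report the native eval's source text from toString(), in the same way the
  // "5." snippet of this page does. Assigning eval_.toString directly would
  // only re-assign Function.prototype.toString and print the wrapper's source.
  window.eval.toString = function () {
    return eval_.toString();
  };
})();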
2.hook debugger
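// Variant 1: wrap Function.prototype.constructor so that building a function
// whose body is exactly "debugger" yields a harmless no-op.
// The native constructor has to be saved BEFORE anything is assigned over it;
// otherwise the "backup" is just the replacement.
Function.prototype.constructor_bc = Function.prototype.constructor;
Function.prototype.constructor = function () {
  // Function(p1, ..., body): the source text is always the last argument.
  // (`arguments` itself is an object and never equals a string.)
  var body = arguments.length > 0 ? arguments[arguments.length - 1] : undefined;
  if (body === "debugger") {
    // Callers usually invoke the result immediately, so return something callable.
    return function () {};
  }
  return Function.prototype.constructor_bc.apply(this, arguments);
};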
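// Variant 2: replace the global eval and skip any source that starts with "debugger".
// Written against window.eval because a bare `eval = ...` assignment is a
// SyntaxError in strict-mode code.
var n_eval = window.eval;
window.eval = function (src) {
  // `arguments` has no indexOf(); test the source string itself.
  if (typeof src === "string" && src.indexOf("debugger") === 0) {
    return;
  }
  // Call the saved eval with the source. apply(arguments) would have passed
  // the arguments object as `this` and no source at all.
  return n_eval(src);
};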
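// Variant 3: replace the global eval and skip any source that contains "debugger".
// Caveat: the match is textual, so code that merely mentions the word (in a
// string or an identifier) is skipped entirely and never runs.
var n_eval = window.eval;
window.eval = function (src) {
  // Test the source string; coercing `arguments` gives "[object Arguments]",
  // which never matches.
  if (typeof src === "string" && /debugger/.test(src)) {
    return;
  }
  return n_eval(src);
};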
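// Variant 4: replace the global Function constructor; a body that starts with
// "debugger" produces a no-op function instead of being compiled.
var n_Function = Function;
Function = function () {
  // Function(p1, ..., body): the source text is the last argument.
  var body = arguments.length > 0 ? arguments[arguments.length - 1] : undefined;
  if (typeof body === "string" && body.indexOf("debugger") === 0) {
    // Return a callable so `Function(...)()` at the call site does not throw.
    return function () {};
  }
  // Forward `this` and the real argument list to the native constructor.
  return n_Function.apply(this, arguments);
};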
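// Variant 5: replace the global Function constructor; a body that contains
// "debugger" anywhere produces a no-op function instead of being compiled.
// Caveat: the whole function is dropped, not just the debugger statement, so
// any other logic in that body never runs.
var n_Function = Function;
Function = function () {
  // Function(p1, ..., body): the source text is the last argument.
  var body = arguments.length > 0 ? arguments[arguments.length - 1] : undefined;
  if (typeof body === "string" && /debugger/.test(body)) {
    // Return a callable so `Function(...)()` at the call site does not throw.
    return function () {};
  }
  return n_Function.apply(this, arguments);
};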
3.hook cookie
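// Note from the original author: the current version of the hook tool only
// auto-injects this hook into responses whose Content-Type is HTML.
//
// Hook document.cookie: log every read and break into the debugger on every write.
(function () {
  'use strict';
  // The real accessor normally lives on Document.prototype. Forwarding to it
  // keeps the browser's cookie store in sync; a pure in-memory shadow would
  // stop cookies written by the page from ever reaching later requests.
  var nativeCookie = typeof Document !== 'undefined'
    ? Object.getOwnPropertyDescriptor(Document.prototype, 'cookie')
    : undefined;
  var canForward = !!(nativeCookie && nativeCookie.get && nativeCookie.set);

  // Fallback shadow copy, used only when the native accessor is not available.
  var cookie_cache = document.cookie;

  // Insert or replace one "name=value" pair in the shadow copy.
  function mergeIntoCache(pair) {
    var name = pair.split("=")[0].trim();
    var replaced = false;
    var entries = cookie_cache
      .split(";")
      .map(function (entry) { return entry.trim(); })
      .filter(function (entry) { return entry !== ""; })
      .map(function (entry) {
        // Names are compared after trimming: document.cookie separates pairs
        // with "; ", so every entry after the first starts with a space.
        if (entry.split("=")[0].trim() === name) {
          replaced = true;
          return pair;
        }
        return entry;
      });
    if (!replaced) {
      entries.push(pair);
    }
    cookie_cache = entries.join("; ");
  }

  Object.defineProperty(document, 'cookie', {
    // configurable so the hook can be removed or redefined later.
    configurable: true,
    get: function () {
      var current = canForward ? nativeCookie.get.call(document) : cookie_cache;
      console.log(current);
      return current;
    },
    set: function (val) {
      debugger;
      if (canForward) {
        nativeCookie.set.call(document, val);
        return;
      }
      // Only the leading "name=value" part is kept; attributes such as
      // path/expires are not part of what document.cookie returns.
      mergeIntoCache(String(val).split(";")[0].trim());
    },
  });
})();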
4.hook ajax
// Minified bundle that installs hookAjax() / unHookAjax() on window.
// Outer function: a small module loader. n(e) returns the cached exports of
// module e, or creates the module record, runs the module function and caches it.
!function (t) {
function n(e) {
if (r[e]) return r[e].exports;
var i = r[e] = {
exports: {},
id: e,
loaded: !1
};
return t[e].call(i.exports, i, i.exports, n),
i.loaded = !0,
i.exports
}
// r is the module cache; n(0) below runs the entry module.
var r = {};
return n.m = t,
n.c = r,
n.p = "",
n(0)
}([function (t, n, r) {
// Module 0 (entry): load module 1 and apply it to window.
r(1)(window)
},
function (t, n) {
// Module 1: exports a function that attaches the hook API to the object it is given.
t.exports = function (t) {
// Name of the window property that holds the original XMLHttpRequest constructor.
var n = "RealXMLHttpRequest";
// hookAjax(config): from here on `t` is the hook configuration object.
t.hookAjax = function (t) {
// r(n): builds the getter for property n on the proxy. It reads the shadow
// value this[n + "_"] when one exists, otherwise the real xhr's value, then
// lets an optional config[n].getter transform it. A falsy getter result
// falls back to the raw value.
function r(n) {
return function () {
var r = this.hasOwnProperty(n + "_") ? this[n + "_"] : this.xhr[n],
e = (t[n] || {}).getter;
return e && e(r, this) || r
}
}
// e(n): builds the setter for property n on the proxy.
function e(n) {
return function (r) {
var e = this.xhr,
i = this,
o = t[n];
// config[n] is a function (an event-handler hook): install a wrapper on the
// real xhr that calls the hook with the proxy first and runs the page's own
// handler only when the hook returns a falsy value.
if ("function" == typeof o) e[n] = function () {
t[n](i) || r.apply(e, arguments)
};
else {
// Otherwise apply an optional config[n].setter (a falsy result keeps the
// original value) and write to the real xhr; if that write throws, the value
// is kept in the shadow property n + "_" on the proxy instead.
// NOTE(review): the shadow is only written when the assignment throws;
// whether a write to a read-only XHR property throws here looks like it
// depends on strict mode — confirm.
var u = (o || {}).setter;
r = u && u(r, i) || r;
try {
e[n] = r
} catch (t) {
this[n + "_"] = r
}
}
}
}
// i(n): builds the proxy for method n. The hook is called with
// (argumentsArray, realXhr) and `this` set to the proxy; the real method runs
// with that same array unless the hook returns a truthy value.
function i(n) {
return function () {
var r = [].slice.call(arguments);
if (!t[n] || !t[n].call(this, r, this.xhr)) return this.xhr[n].apply(this.xhr, r)
}
}
// Save the original constructor once, then replace the global XMLHttpRequest
// with a proxy constructor. hookAjax returns the saved original constructor.
return window[n] = window[n] || XMLHttpRequest,
XMLHttpRequest = function () {
var t = new window[n];
// Mirror every property that for-in finds on a real instance: functions
// become method proxies, everything else becomes a get/set accessor.
for (var o in t) {
var u = "";
try {
u = typeof t[o]
} catch (t) {
}
"function" === u ? this[o] = i(o) : Object.defineProperty(this, o, {
get: r(o),
set: e(o),
enumerable: !0
})
}
// The wrapped real instance, reachable as proxy.xhr.
this.xhr = t
},
window[n]
},
// unHookAjax(): restore the original constructor if one was saved and clear the saved reference.
t.unHookAjax = function () {
window[n] && (XMLHttpRequest = window[n]),
window[n] = void 0
},
t.default = t
}
}]);
// Example configuration for hookAjax().
// Two kinds of entries are shown:
//  - function entries hook XMLHttpRequest event handlers and methods;
//  - object entries ({getter, setter}) hook plain attributes.
hookAjax({
  // ---- Method hooks: called as (argsArray, realXhr). A truthy return value
  // ---- cancels the real call; the args array is the one handed on to it.
  open: function (args, realXhr) {
    console.log("open called: method:%s,url:%s,async:%s", args[0], args[1], args[2], realXhr);
    // The request could be altered here before the real open() runs,
    // e.g. by appending "?hook_tag=1" to args[1].
  },
  setRequestHeader: function (args, realXhr) {
    console.log("setRequestHeader called!", args)
  },
  send: function (args, realXhr) {
    console.log("send called: %O", args[0]);
    // Adds one header to every request. This goes to the real xhr directly,
    // so the setRequestHeader hook above is not invoked for it.
    realXhr.setRequestHeader("_custom_header_", "ajaxhook")
  },

  // ---- Event-handler hooks: called with the proxy object. A falsy return
  // ---- value lets the page's own handler run afterwards.
  onreadystatechange: function (proxy) {
    // Left empty on purpose; log `proxy` here when tracing state changes.
  },
  onload: function (proxy) {
    // Prefix the response body the page will read.
    proxy.responseText = "hook" + proxy.responseText;
  },

  // ---- Attribute hooks.
  timeout: {
    setter: function (value, proxy) {
      // Enforces a floor of 1000 ms on whatever the page sets.
      // NOTE(review): the original comment said "timeout shouldn't exceed 10s",
      // which this expression does not do — confirm which was intended.
      return Math.max(value, 1000);
    }
  }
});
5.防止hook检测
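// Wrap eval so every call pauses in the debugger, while toString() on the
// wrapper still reports the native function's source text.
var orig = window.eval;
window.eval = function (str) {
  debugger;
  // Return the result: callers that use eval's value would otherwise get undefined.
  return orig(str);
};
window.eval.toString = function () {
  return orig.toString();
};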
6.防原型链检测
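// Example: hooking String.prototype.split.
String.prototype.split_bk = String.prototype.split;
String.prototype.split = function (val) {
  // Local copy of the receiver, handy to inspect when the debugger pauses.
  var str = this.toString();
  debugger;
  // Forward every argument (separator and the optional limit) to the saved
  // native method. The original called a misspelled `spilt_bk`, which threw.
  return String.prototype.split_bk.apply(str, arguments);
};
// Make toString() on the replacement report native-looking source text.
String.prototype.split.toString = function () {
  return 'function split() { [native code] }';
};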
7.新增一些hook方法
// Hook Cookie
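(function () {
  'use strict';
  // Break when a cookie whose text contains '__dfp' is written, and log every write.
  // Writes and reads are forwarded to the native accessor (normally on
  // Document.prototype) so the browser's cookie store stays in sync; without
  // that, the page's cookies would never be stored or sent.
  var nativeCookie = typeof Document !== 'undefined'
    ? Object.getOwnPropertyDescriptor(Document.prototype, 'cookie')
    : undefined;
  var canForward = !!(nativeCookie && nativeCookie.get && nativeCookie.set);
  // Fallback used only when the native accessor is not available:
  // remembers the last string that was written.
  var cookieTemp = '';
  Object.defineProperty(document, 'cookie', {
    // configurable so the hook can be removed or redefined later.
    configurable: true,
    set: function (val) {
      if (String(val).indexOf('__dfp') != -1) {
        debugger;
      }
      console.log('Hook捕获到cookie设置->', val);
      if (canForward) {
        nativeCookie.set.call(document, val);
      } else {
        cookieTemp = val;
      }
    },
    get: function () {
      return canForward ? nativeCookie.get.call(document) : cookieTemp;
    },
  });
})();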
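(function () {
  'use strict';
  // Same cookie hook using the legacy __lookupSetter__/__defineSetter__ API
  // (deprecated; Object.getOwnPropertyDescriptor/defineProperty is the modern form).
  // The accessor has to be looked up on `document`: document.cookie is a
  // string, and a lookup on it returns undefined.
  var nativeSet = document.__lookupSetter__('cookie');
  var nativeGet = document.__lookupGetter__('cookie');
  // Fallback value, used only when no native accessor was found.
  var org = document.cookie;
  document.__defineSetter__('cookie', function (cookie) {
    if (String(cookie).indexOf('__dfp') != -1) {
      debugger;
    }
    if (nativeSet) {
      // Forward the write so the browser's cookie store stays in sync.
      nativeSet.call(document, cookie);
    } else {
      org = cookie;
    }
  });
  document.__defineGetter__('cookie', function () {
    return nativeGet ? nativeGet.call(document) : org;
  });
})();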
// Hook Header
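(function () {
  // Break whenever the page sets an Authorization request header.
  // The breakpoint exposes the credential in the debugger's scope view, so
  // keep it out of logs and saved sessions.
  var org = window.XMLHttpRequest.prototype.setRequestHeader;
  window.XMLHttpRequest.prototype.setRequestHeader = function (key, value) {
    // Header names are case-insensitive; compare in lower case so that
    // 'authorization' and 'AUTHORIZATION' are caught as well.
    if (String(key).toLowerCase() === 'authorization') {
      debugger;
    }
    return org.apply(this, arguments);
  };
})();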
// Hook URL
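(function () {
  // Break whenever a request is opened to a URL containing "login".
  var open = window.XMLHttpRequest.prototype.open;
  window.XMLHttpRequest.prototype.open = function (method, url, async) {
    // open() also accepts non-string values such as URL objects; convert
    // first so the hook itself cannot throw and break the page's request.
    if (String(url).indexOf("login") != -1) {
      debugger;
    }
    return open.apply(this, arguments);
  };
})();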
// Hook JSON.stringify
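(function () {
  // Log and break on every JSON.stringify call.
  var stringify = JSON.stringify;
  JSON.stringify = function (params) {
    console.log("Hook JSON.stringify ——> ", params);
    debugger;
    // Forward all arguments: dropping `replacer` and `space` would change the
    // output the page receives.
    return stringify.apply(this, arguments);
  };
})();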
// Hook JSON.parse
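(function () {
  // Log and break on every JSON.parse call.
  var parse = JSON.parse;
  JSON.parse = function (params) {
    console.log("Hook JSON.parse ——> ", params);
    debugger;
    // Forward all arguments: dropping the optional `reviver` would change the
    // value the page receives.
    return parse.apply(this, arguments);
  };
})();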
// Hook eval
(function () {
  // Keep a reference to the original eval on window.
  window.__cr_eval = window.eval;

  // Replacement: print the source, pause in the debugger, then evaluate it
  // with the saved eval. Calls made this way are indirect evals and run in
  // global scope.
  function myeval(src) {
    console.log(src);
    console.log("=============== eval end ===============");
    debugger;
    return window.__cr_eval(src);
  }

  // A bound copy is what gets installed; its toString is taken from the
  // original eval so checks of the function's source text see native code.
  var hookedEval = myeval.bind(null);
  hookedEval.toString = window.__cr_eval.toString;
  Object.defineProperty(window, 'eval', {value: hookedEval});
})();
// Hook Function
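(function () {
  // Keep a reference to the original Function constructor on window.
  window.__cr_fun = window.Function;
  // Replacement: print the body source, pause in the debugger, then build
  // the function with the saved constructor.
  var myfun = function () {
    // Function(p1, ..., body): the body is the last argument. The joined
    // parameter list was computed but never used, and joining coerces every
    // parameter argument to a string, so it is no longer built.
    var src = arguments[arguments.length - 1];
    console.log(src);
    console.log("=============== Function end ===============");
    debugger;
    return window.__cr_fun.apply(this, arguments);
  };
  // toString() on the replacement reports the original constructor's source text.
  myfun.toString = function () {
    return window.__cr_fun + ""
  };
  Object.defineProperty(window, 'Function', {value: myfun});
})();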
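// Get the canvas-fingerprint data URL.
// Draws a fixed scene (text in two fonts, overlapping blended circles, an
// even-odd filled ring) on an off-screen canvas and returns it as a data URL
// prefixed with "canvas fp:". The drawing calls and their order are left
// exactly as they were, since any change would alter the resulting image.
function getCanvasData() {
  // Declared locally: the original assigned to undeclared `t` and `a`, which
  // leaks globals in sloppy mode and throws in strict mode.
  var a = document.createElement("canvas");
  a.width = 2e3;
  a.height = 200;
  a.style.display = "inline";
  var n = a.getContext("2d");

  // Two nested rectangles are added to the current path. The original also
  // ran an even-odd isPointInPath() probe here and pushed the answer into an
  // array that was never returned; that unused result is no longer computed.
  n.rect(0, 0, 10, 10);
  n.rect(2, 2, 6, 6);

  // Text rendering: a nonexistent font (falls back to the default) and Arial.
  n.textBaseline = "alphabetic";
  n.fillStyle = "#f60";
  n.fillRect(125, 1, 62, 20);
  n.fillStyle = "#069";
  n.font = '11pt no-real-font-123';
  n.fillText("Cwm fjordbank glyphs vext quiz, 😃", 2, 15);
  n.fillStyle = "rgba(102, 204, 0, 0.2)";
  n.font = "18pt Arial";
  n.fillText("Cwm fjordbank glyphs vext quiz, 😃", 4, 45);

  // Three overlapping circles drawn with "multiply" blending.
  n.globalCompositeOperation = "multiply";
  n.fillStyle = "rgb(255,0,255)";
  n.beginPath();
  n.arc(50, 50, 50, 0, 2 * Math.PI, !0);
  n.closePath();
  n.fill();
  n.fillStyle = "rgb(0,255,255)";
  n.beginPath();
  n.arc(100, 50, 50, 0, 2 * Math.PI, !0);
  n.closePath();
  n.fill();
  n.fillStyle = "rgb(255,255,0)";
  n.beginPath();
  n.arc(75, 100, 50, 0, 2 * Math.PI, !0);
  n.closePath();
  n.fill();

  // Two more arcs filled with the even-odd rule.
  n.fillStyle = "rgb(255,0,255)";
  n.arc(75, 75, 75, 0, 2 * Math.PI, !0);
  n.arc(75, 75, 25, 0, 2 * Math.PI, !0);
  n.fill("evenodd");

  return "canvas fp:" + a.toDataURL();
}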
// Hook toDataURL: print every data URL a canvas exports, which shows when a
// page reads canvas contents back (for example for fingerprinting).
var toDataURL = HTMLCanvasElement.prototype.toDataURL;
HTMLCanvasElement.prototype.toDataURL = function (type, encoderOptions) {
  // Delegate to the saved native method on the same canvas, then log the result.
  var exported = toDataURL.call(this, type, encoderOptions);
  console.log(exported);
  return exported;
};