声明:本文章中所有内容仅供学习交流使用不用于其他任何目的抓包内容、敏感网址、数据接口等均已做脱敏处理严禁用于商业用途和非法用途否则由此产生的一切后果均与作者无关有相关问题请第一时间头像私信联系我删除博客逆向分析部分补环境代码!(() { use strict; const $toString Function.toString; const myFunction_toString_symbol Symbol((.concat(, )_, (Math.random() ).toString(36))); const myToString function () { return typeof this function this[myFunction_toString_symbol] || $toString.call(this); }; function set_native(func, key, value) { Object.defineProperty(func, key, { enumerable: false, configurable: true, writable: true, value: value }) }; delete Function.prototype[toString]; //删除原型链上的toString set_native(Function.prototype, toString, myToString); //自己定义个getter方法 set_native(Function.prototype.toString, myFunction_toString_symbol, function toString() { [native code] }); //套个娃 保护一下我们定义的toString 否则就暴露了 this.func_set_natvie (func) { set_native(func, myFunction_toString_symbol, function ${myFunction_toString_symbol, func.name || }() { [native code] }); }; //导出函数到globalThis }).call(this); clconsole.log appkey XMLHttpRequestfunction(){} Window function Window() { throw new TypeError(Illegal constructor) }; this.func_set_natvie(Window); Window.prototype.PERSISTENT 1 Window.prototype.TEMPORARY 0 Navigator function Navigator() { throw new TypeError(Illegal constructor) }; this.func_set_natvie(Navigator); this.func_set_natvie(atob); this.func_set_natvie(btoa); window global Object.defineProperties(Window.prototype, { [Symbol.toStringTag]: { value: Window, configurable: true } }) Object.defineProperties(Navigator.prototype, { [Symbol.toStringTag]: { value: Navigator, configurable: true } }) window.__proto__ Window.prototype window.Notification function Notification() { console.log(window.Notification, arguments) };结果总结1.出于安全考虑,本章未提供完整流程,调试环节省略较多,只提供大致思路,具体细节要你自己还原,相信你也能调试出来。侵权首页联系删除博客