JS Reverse Practice 24 – Complementing the environment to pass a certain real estate Ruishu 4.0

Foreword

I won’t introduce Ruishu at length; it is considered the ceiling among domestic second-tier products. The 4th generation is actually not that difficult, but it does take a lot of time and patience to get through. Today I will briefly talk about how to use environment supplementation to pass Ruishu relatively easily.
This article was first published at: Reverse actual combat to supplement the environment through a certain real estate Ruishu 4.0

Foreword

All content in this article is for learning and communication only. Packet capture content, sensitive URLs, and data interfaces have been desensitized. Commercial and illegal use is strictly prohibited; otherwise, all consequences arising therefrom have nothing to do with the author. If there is any infringement, please contact me and I will delete it immediately. Also, for certain reasons, most of the debugging in this chapter is omitted and only a brief outline is given.

Target website

aHR0cDovL3d3dy5mYW5nZGkuY29tLmNuL25ld19ob3VzZS9uZXdfaG91c2VfZGV0YWlsLmh0bWw=

Official website: https://www.riversecurity.com
For the rest, check out the official website introduction.

Website analysis

The first request is shown below.
It can be seen that, firstly, this is a 202 response, and secondly, it returns a cookie: FSSBBIl1UgzbN7N80S.


A JS file, c.FxJzG50F.dfe1675.js, is also generated.

The second request: new_house_detail.html

The second request must carry the cookie from the first request plus a new cookie in order to get the normal page back, as shown below.

Reverse process analysis

In fact, I think there is a big difference between supplementing the environment and normal analysis.

We don’t need to know which cookies in Ruishu are real and which are fake.

Just define a function that receives and returns document.cookie.

Before the formal analysis, we need to fix a static copy of the code. Because the content returned by Ruishu’s website is dynamic every time, it is inconvenient for us to debug. Later, we can put this static code into Node and supplement the environment step by step.

To supplement the environment, four parts are needed: the three pieces circled in red in the picture above, plus the generated virtual machine code. Together, these four pieces of code generate FSSBBIl1UgzbN7N80T.

Here is a brief explanation of their functions:

  • The content in the meta tag (that is, the value of its content attribute): used in the subsequent eval
  • The external JS: part of the code in c.FxJzG50F.dfe1675.js. The self-executing function below decrypts this JS to generate the virtual machine code
  • The self-executing function: decrypts the external JS, generates the virtual machine code, and adds attributes
  • The generated virtual machine code: generates the new cookie

We need to put the first three pieces of code into one file.

(The generated virtual machine code is not needed; it will be generated on its own.)

Supplement the environment

Before that, let’s see what the cookie returned by a normal page looks like, and observe its length.
We add two lines of code to the head of our code:

document.getElementsByTagName = ...

The complete code is on the WeChat public account: Reverse actual combat to supplement the environment through a certain real estate Ruishu 4.0
Put it directly into the browser and execute it.
As Figure 9 shows, the cookie is generated successfully, but its length seems to be 22 characters too long. What’s going on?

Here I guess it may not match some environmental parameters of the website, because I opened and debugged it using a custom page.

The custom debugging code is shown below.
The code structure of the environment supplement is roughly like this, as shown in the figure below.
We directly right-click to run this JS.
I found that it reported "window is not defined", so I added it:

window = global;

Then continue running.

As shown in the figure below, I found that another error was reported. It seems that location is missing.
Then let’s add location = {} (it’s best to copy all the location properties from the website).

Then continue to run.

Then I found that it was still the same as Figure 13: location was still reported as missing. What was going on?

Don’t panic. At this point we hook a Proxy to see which object is missing the location attribute.
After hooking the Proxy object, I found that everything seemed to become clearer. We add these objects to the environment. By the way, document is also attached to the Proxy.

window = global;
window.top = window;
document = {};

Continue to run.
Continue to fake.
Don’t ask how to fake it; just compare against the original website.

document.createElement = function (val) { if (val === 'div') { return div; } if (val === 'form') { return {}; } if (val === 'a') { return {}; } };

Then it’s easy: make up for whatever is missing. Due to space constraints, I will not explain each one in detail here. Once it is completed up to this point, there will be an error reporting something as undefined, as shown below.
Here you can see that the error content is _$x[$46[441]] is not a function.

The specific reason is that addEventListener and attachEvent are not defined.

So let’s simply complete them. The focus here is addEventListener, which also needs to be added to the window environment. The purpose of this method is to add an event listener; rewriting it is very, very important, but it’s not needed in this chapter. Just complete it and disguise it as an ordinary function.

> The complete code is on the WeChat public account. Reverse actual combat to supplement the environment through a certain real estate Ruishu 4.0

Then run.
Then it was found to be successful, and the length is also 217.

By the way, there is also a timer on the website, which prevents the program from exiting and causes an error. We also need to leave the setInterval method blank:

setInterval = function () {};

Result

We put it into Python code and run it. Remember to replace the dynamic code, then run it. The results are as follows.

Conclusion

To be honest, it’s still quite troublesome. Many thanks to Meteor Studio for the pointers. In fact, once you learn the environment supplementation framework, it is generally quite simple. There may be an environment tutorial for the 5th generation (rs5) in the future.