jsreverser-mcp-javascript-reverse-engineering


JSReverser-MCP JavaScript Reverse Engineering


Skill by ara.so — MCP Skills collection.
JSReverser-MCP is a specialized MCP server for JavaScript reverse engineering that operates in real browser environments. It helps locate frontend core logic by integrating script retrieval, breakpoint debugging, function hooking, network request tracing, call chain analysis, deobfuscation, and risk assessment into unified MCP tools. Perfect for API analysis, security research, frontend debugging, and understanding encrypted/signed request parameters.

Core Methodology


The project follows these principles:
  1. Observe-first: Confirm requests, scripts, functions in browser before intervention
  2. Hook-preferred: Use minimal hooks for runtime sampling before breakpoints
  3. Breakpoint-last: Only pause execution when hooks are insufficient
  4. Rebuild-oriented: Export evidence and reconstruct in Node.js environment
  5. Evidence-first: Record all findings as task artifacts, not just in conversation
  6. Pure-extraction-after-pass: Extract pure algorithm only after environment passes

Installation


1. Install and Build


```bash
git clone https://github.com/NoOne-hub/JSReverser-MCP.git
cd JSReverser-MCP
npm install
npm run build
```

The build output is at `build/src/index.js`.

2. Quick Start


```bash
npm run start
```

3. Configure MCP Client


Claude Code


```bash
claude mcp add js-reverse node /ABSOLUTE/PATH/JSReverser-MCP/build/src/index.js
```

Cursor Settings


```json
{
  "mcpServers": {
    "js-reverse": {
      "command": "node",
      "args": ["/ABSOLUTE/PATH/JSReverser-MCP/build/src/index.js"]
    }
  }
}
```

Codex (config.toml)


```toml
[mcp_servers.js-reverse]
command = "node"
args = ["/ABSOLUTE/PATH/JSReverser-MCP/build/src/index.js"]
```

4. Connect to Existing Browser (Optional)


Launch Chrome with remote debugging:

```bash
# macOS
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --remote-debugging-port=9222

# Linux
google-chrome --remote-debugging-port=9222

# Windows
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222
```

Then configure with `--browserUrl`:

```toml
[mcp_servers.js-reverse]
command = "node"
args = [
  "/ABSOLUTE/PATH/JSReverser-MCP/build/src/index.js",
  "--browserUrl=http://localhost:9222"
]
```

External AI Configuration


JSReverser-MCP can integrate external LLMs for enhanced analysis:

```toml
[mcp_servers.js-reverse]
command = "node"
args = ["/ABSOLUTE/PATH/JSReverser-MCP/build/src/index.js"]

[mcp_servers.js-reverse.env]
DEFAULT_LLM_PROVIDER = "anthropic"
ANTHROPIC_API_KEY = "your_anthropic_key_here"
ANTHROPIC_MODEL = "claude-3-5-sonnet-20241022"

# Alternative: OpenAI
# DEFAULT_LLM_PROVIDER = "openai"
# OPENAI_API_KEY = "your_openai_key_here"
# OPENAI_MODEL = "gpt-4o"

# Alternative: Gemini
# DEFAULT_LLM_PROVIDER = "gemini"
# GEMINI_API_KEY = "your_gemini_key_here"
# GEMINI_MODEL = "gemini-2.0-flash-exp"
```


**AI-dependent features:**
- `understand_code` (required)
- `detect_crypto` (optional with `useAI=true`)
- `deobfuscate_code` (enhanced quality)
- `analyze_target` (optional with `useAI=true`)


Key Tool Categories


1. Page Observation & Script Location


Identify which scripts exist and where target code lives:

```typescript
// List all loaded scripts
list_scripts({ includeSourceMaps: false })

// Get specific script source
get_script_source({ 
  scriptId: "123",
  url: "https://example.com/app.js" 
})

// Find text in single script
find_in_script({
  scriptId: "123",
  searchText: "encrypt",
  maxResults: 10
})

// Search across all scripts
search_in_scripts({
  searchText: "signature",
  maxResults: 20
})
```

2. Runtime Hooks & Sampling


Observe runtime behavior with minimal intrusion:

```typescript
// Hook a global function
hook_function({
  functionPath: "window.crypto.subtle.encrypt",
  options: {
    captureArgs: true,
    captureReturn: true,
    captureStack: true
  }
})

// Create reusable hook definition
create_hook({
  hookId: "crypto-monitor",
  code: `
    const original = crypto.subtle.encrypt;
    crypto.subtle.encrypt = function(...args) {
      console.log('[HOOK] encrypt called:', args);
      return original.apply(this, args);
    };
  `
})

// Inject hook into page
inject_hook({ hookId: "crypto-monitor" })

// Retrieve hook data
get_hook_data({ hookId: "crypto-monitor" })

// Trace function calls
trace_function({
  functionName: "generateSignature",
  captureStack: true
})
```
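
What a hook with `captureArgs`, `captureReturn` and `captureStack` has to do at runtime can be shown on a local object. This is an added example, not JSReverser-MCP's implementation: `installHook`, `page` and `signer` are hypothetical names, and the hooked functions are constructed stand-ins for page code.

```javascript
// Added example (not JSReverser-MCP code): wrap a function found by dotted path,
// record each call, and leave the caller's view of the function unchanged.
function installHook(root, functionPath, options = {}) {
  const { captureArgs = true, captureReturn = true, captureStack = false } = options;
  const parts = functionPath.split(".");
  if (parts[0] === "window") parts.shift(); // `root` plays the role of window
  const name = parts.pop();
  const owner = parts.reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
  if (owner == null || typeof owner[name] !== "function") {
    throw new TypeError(`${functionPath} does not resolve to a function`);
  }
  const original = owner[name];
  const calls = [];

  function hooked(...args) {
    const record = {};
    calls.push(record);
    if (captureArgs) record.args = args;
    if (captureStack) {
      // Drop the "Error" line and this wrapper's own frame.
      record.stack = new Error().stack.split("\n").slice(2).map((line) => line.trim());
    }
    let result;
    try {
      result = Reflect.apply(original, this, args); // keep the original `this`
    } catch (err) {
      record.threw = String(err);
      throw err; // the page must still see the exception
    }
    if (captureReturn) {
      if (result && typeof result.then === "function") {
        // Promise-returning APIs such as crypto.subtle.encrypt settle later:
        // observe the outcome without replacing the promise the caller receives.
        record.return = "<pending>";
        result.then(
          (value) => { record.return = value; },
          (err) => { record.rejected = String(err); }
        );
      } else {
        record.return = result;
      }
    }
    return result;
  }

  owner[name] = hooked;
  return {
    calls,
    restore() { if (owner[name] === hooked) owner[name] = original; },
  };
}

// Constructed stand-in for a page: one synchronous signer, one async encryptor.
const page = {
  signer: {
    salt: "s3",
    generateSign(path, ts) { return `${this.salt}|${path}|${ts}`; },
    async encrypt(text) { return text.split("").reverse().join(""); },
  },
};

function runHookDemo() {
  const syncHook = installHook(page, "window.signer.generateSign", { captureStack: true });
  const asyncHook = installHook(page, "signer.encrypt");
  const sign = page.signer.generateSign("/api/list", 1700000000);
  const pending = page.signer.encrypt("abc");
  const summary = {
    sign,
    firstCall: syncHook.calls[0],
    asyncReturnAtCallTime: asyncHook.calls[0].return,
    callerGotPromise: pending instanceof Promise,
  };
  syncHook.restore();
  asyncHook.restore();
  summary.restored = page.signer.generateSign.name === "generateSign";
  return summary;
}

console.log(runHookDemo());
```

A hook that only logs arguments, like the `crypto-monitor` definition above, never sees the ciphertext of a promise-returning API; recording the settled value is what makes the capture usable as a rebuild sample.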

3. Breakpoints & Debug Control


Pause execution when hooks aren't enough:

```typescript
// Set breakpoint by line number
set_breakpoint({
  scriptUrl: "https://example.com/sign.js",
  lineNumber: 42
})

// Set breakpoint by code text
set_breakpoint_on_text({
  scriptUrl: "https://example.com/sign.js",
  searchText: "return signature",
  lineOffset: 0
})

// Control execution
resume({ mode: "continue" })
pause()
step_over()
step_into()
step_out()
```

4. Network Analysis & Request Tracing


Locate target requests and their initiators:

```typescript
// List all network requests
list_network_requests({
  filterUrl: "api.example.com",
  filterMethod: "POST"
})

// Get request details
get_network_request({
  requestId: "12345.67"
})

// Find who triggered a request
get_request_initiator({
  requestId: "12345.67"
})

// Break when XHR/Fetch fires
break_on_xhr({
  urlPattern: "*sign*"
})
```

5. Code Analysis & Deobfuscation


Understand and clean obfuscated code:

```typescript
// Collect page code
collect_code({
  priority: ["inline", "webpack", "vendor"],
  maxSize: 500000
})

// Understand code structure (requires AI)
understand_code({
  source: "function _0x1234(){...}",
  context: "encryption signature generation"
})

// Deobfuscate code
deobfuscate_code({
  source: "var _0x1a2b=['push','length'];...",
  options: {
    renameVariables: true,
    removeDeadCode: true,
    simplifyExpressions: true
  }
})

// Detect crypto usage
detect_crypto({
  source: "...",
  useAI: true
})

// Comprehensive risk analysis
risk_panel({
  useAI: true,
  includeNetworkRisk: true
})
```

6. WebSocket Monitoring


Track WebSocket connections and message patterns:

```typescript
// List active WebSocket connections
list_websocket_connections()

// Analyze message patterns
analyze_websocket_messages({
  wsId: "ws-123",
  groupBy: "opcode"
})

// Get messages
get_websocket_messages({
  wsId: "ws-123",
  group: "binary-frames",
  limit: 50
})
```

7. Local Rebuild & Environment Reconstruction


Export evidence and recreate runtime in Node.js:

```typescript
// Export rebuild bundle
export_rebuild_bundle({
  taskId: "jd-h5st-20240517",
  includeScripts: true,
  includeNetwork: true,
  includeStorage: true
})

// Compare environment requirements
diff_env_requirements({
  currentEnv: { navigator: true, document: false },
  requiredEnv: { navigator: true, document: true, XMLHttpRequest: true }
})

// Record evidence
record_reverse_evidence({
  taskId: "jd-h5st-20240517",
  evidence: {
    type: "hook-capture",
    functionName: "h5st",
    args: [...],
    returnValue: "..."
  }
})
```

8. Session & Login State Management


Save and restore browser sessions:

```typescript
// Save current session
save_session_state({
  snapshotId: "logged-in-state"
})

// Restore session
restore_session_state({
  snapshotId: "logged-in-state"
})

// Export to file
dump_session_state({
  snapshotId: "logged-in-state",
  outputPath: "artifacts/tasks/my-task/session.json"
})

// Load from file
load_session_state({
  source: "artifacts/tasks/my-task/session.json"
})
```

9. Page Automation


Minimal automation to trigger target behavior:

```typescript
// Navigate
navigate_page({ url: "https://example.com/login" })

// Query DOM
query_dom({ selector: "button.submit" })

// Click element
click_element({ selector: "button.submit" })

// Type text
type_text({ 
  selector: "input[name='username']",
  text: "testuser"
})

// Take screenshot
take_screenshot({
  outputPath: "artifacts/tasks/my-task/screenshot.png"
})
```

Standard Workflow Example


Scenario: Reverse Engineer API Signature Parameter


```typescript
// Step 1: Check browser connection
check_browser_health()

// Step 2: Navigate to target page
navigate_page({ url: "https://example.com/api-page" })

// Step 3: List network requests
const requests = list_network_requests({
  filterUrl: "*api*",
  filterMethod: "POST"
})

// Step 4: Find target request
const targetRequest = get_network_request({ 
  requestId: requests[0].id 
})
// Notice: request has "sign" parameter

// Step 5: Search for "sign" in scripts
const searchResults = search_in_scripts({
  searchText: "sign:",
  maxResults: 10
})

// Step 6: Hook the sign function
hook_function({
  functionPath: "window.generateSign",
  options: {
    captureArgs: true,
    captureReturn: true,
    captureStack: true
  }
})

// Step 7: Trigger request again (click button, etc.)
click_element({ selector: "button.load-data" })

// Step 8: Get hook data
const hookData = get_hook_data({ 
  hookId: "auto-hook-generateSign" 
})
// Review arguments and return value

// Step 9: Get script source for deeper analysis
const scriptSource = get_script_source({
  url: hookData.stack[0].url
})

// Step 10: Deobfuscate if needed
const cleaned = deobfuscate_code({
  source: scriptSource,
  options: { renameVariables: true, removeDeadCode: true }
})

// Step 11: Export rebuild bundle
export_rebuild_bundle({
  taskId: "example-sign-20240517",
  includeScripts: true,
  includeNetwork: true,
  includeStorage: true
})

// Step 12: Record evidence
record_reverse_evidence({
  taskId: "example-sign-20240517",
  evidence: {
    type: "function-hook",
    functionName: "generateSign",
    sampleInput: hookData.calls[0].args,
    sampleOutput: hookData.calls[0].return
  }
})
```

Task Artifact Structure


Tasks are stored in `artifacts/tasks/<task-id>/`:

```
artifacts/tasks/my-reverse-task/
├── task.json                    # Task metadata
├── runtime-evidence.jsonl       # Hook/trace data
├── network.jsonl                # Network requests
├── scripts.jsonl                # Script sources
├── env/
│   ├── env.js                   # Base environment shims
│   ├── polyfills.js             # Proxy diagnostics, watch
│   ├── entry.js                 # Entry point for local rebuild
│   └── capture.json             # Runtime captures
├── run/                         # Test runs
└── report.md                    # Analysis report
```

Git Safety: Only `artifacts/tasks/_TEMPLATE/` is committed. Real task directories stay local.

Pre-Indexed Parameter Cases


Existing reverse-engineered parameter cases (abstracted, no sensitive data):
  • JD h5st: `scripts/cases/jd-h5st-pure-node.mjs`
  • Kuaishou falcon: `scripts/cases/ks-hxfalcon-pure-node.mjs`
  • Douyin a-bogus: `scripts/cases/douyin-a-bogus-pure-node.mjs`

See `scripts/cases/README.md` for methodology and templates.

Common Patterns


Pattern 1: Find Encryption Function


```typescript
// Search for crypto keywords
search_in_scripts({ searchText: "CryptoJS.AES" })

// Hook the encryption call
hook_function({
  functionPath: "CryptoJS.AES.encrypt",
  options: { captureArgs: true, captureReturn: true }
})

// Trigger encryption, review hook data
get_hook_data({ hookId: "auto-hook-CryptoJS.AES.encrypt" })
```

Pattern 2: Trace Request Parameter Generation


```typescript
// Set breakpoint when request fires
break_on_xhr({ urlPattern: "*api.example.com*" })

// When paused, check call stack
// Identify the function that generated parameters

// Resume and hook that function
resume()
hook_function({ functionPath: "window.buildParams" })

// Trigger again, get hook data
get_hook_data({ hookId: "auto-hook-buildParams" })
```

Pattern 3: Deobfuscate and Understand


```typescript
// Get obfuscated script
const script = get_script_source({ scriptId: "123" })

// Deobfuscate
const cleaned = deobfuscate_code({
  source: script.source,
  options: {
    renameVariables: true,
    removeDeadCode: true,
    simplifyExpressions: true
  }
})

// Understand with AI (requires provider configured)
understand_code({
  source: cleaned.code,
  context: "API signature generation"
})
```

Pattern 4: Export and Recreate Locally


```typescript
// After gathering evidence
export_rebuild_bundle({
  taskId: "my-api-20240517",
  includeScripts: true,
  includeNetwork: true,
  includeStorage: true
})

// Check artifacts/tasks/my-api-20240517/env/entry.js
// Run locally:
// node artifacts/tasks/my-api-20240517/env/entry.js

// If errors occur, diff environment
diff_env_requirements({
  currentEnv: {}, // Populated from Node.js runtime check
  requiredEnv: {} // Populated from error messages
})

// Patch env/env.js and env/polyfills.js iteratively
```

Troubleshooting


Browser Connection Issues


Problem: `check_browser_health` fails
Solution:
  1. Ensure Chrome is launched with `--remote-debugging-port=9222`
  2. Check `--browserUrl` matches (default `http://localhost:9222`)
  3. Verify no firewall blocking localhost:9222

Hook Not Capturing Data


Problem: `get_hook_data` returns empty
Solution:
  1. Confirm hook was injected: check `inject_hook` response
  2. Ensure target function was actually called (trigger page action)
  3. Check console for hook errors: `list_console_messages()`
  4. Verify function path is correct (check `window.functionName` exists)

Deobfuscation Produces Invalid Code


Problem: Deobfuscated code doesn't run
Solution:
  1. Start with minimal options: `{ renameVariables: false }`
  2. Incrementally enable transformations
  3. Use `understand_code` to identify why code fails
  4. Some VM-based obfuscation requires manual extraction

Environment Reconstruction Fails


Problem: Local rebuild throws errors
Solution:
  1. Review `runtime-evidence.jsonl` for missing globals
  2. Use `diff_env_requirements` to identify gaps
  3. Add shims to `env/env.js` one at a time
  4. Use `watch` and diagnostics in `env/polyfills.js`
  5. Aim for "first divergence" — find exact point where behavior differs
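
The loop in these steps and in Pattern 4 (find the missing global, add one shim, rerun, compare with the captured value) can be sketched with a Proxy-backed scope. This is an added example, not JSReverser-MCP's `env/polyfills.js` or `diff_env_requirements`; `probeRun`, `rebuild`, the script body, the shims and the captured value are all hypothetical and constructed for illustration.

```javascript
// Added example (not JSReverser-MCP code). All names below are hypothetical.
// ECMAScript built-ins exist in every engine; any other global a script reads
// is browser environment that the Node rebuild has to supply.
const LANGUAGE_GLOBALS = new Set([
  "Object", "Array", "String", "Number", "Boolean", "Symbol", "JSON", "Math",
  "Date", "RegExp", "Error", "TypeError", "Promise", "parseInt", "parseFloat",
  "isNaN", "undefined", "NaN", "Infinity", "encodeURIComponent",
]);

// Run `source` (a function body) against `env` and record, in order of first
// access, every global it reads that `env` does not provide.
function probeRun(source, env) {
  const missing = [];
  const scope = new Proxy(env, {
    has: () => true, // claim every identifier so `with` routes the lookup here
    get(target, key) {
      if (typeof key === "symbol") return undefined; // e.g. Symbol.unscopables
      if (Object.prototype.hasOwnProperty.call(target, key)) return target[key];
      if (LANGUAGE_GLOBALS.has(key)) return globalThis[key];
      if (!missing.includes(key)) missing.push(key);
      return undefined; // surfaces as a TypeError at the first real use
    },
  });
  try {
    // Function() bodies are non-strict, so `with` is allowed even in a module.
    const value = new Function("scope", `with (scope) { ${source} }`)(scope);
    return { value, error: null, missing };
  } catch (err) {
    return { value: undefined, error: err.message, missing };
  }
}

// Add one shim per round, the way env/env.js is patched, until the run is
// clean or the script needs something no shim covers.
function rebuild(source, shims, maxRounds = 10) {
  const env = {};
  const applied = [];
  let run = probeRun(source, env);
  for (let round = 0; round < maxRounds; round++) {
    const next = run.missing.find((name) => name in shims);
    if (next === undefined) break;
    env[next] = shims[next];
    applied.push(next);
    run = probeRun(source, env);
  }
  return { ...run, applied };
}

// Constructed stand-in for an exported script body; not taken from any site.
const SIGN_SOURCE = `
  const ua = navigator.userAgent;
  const size = screen.width + "x" + screen.height;
  const sid = document.cookie.split("=")[1];
  return [ua, size, sid].join("|");
`;
// Constructed shims and the value a browser-side hook would have captured.
const SHIMS = {
  navigator: { userAgent: "UA-constructed" },
  screen: { width: 1920, height: 1080 },
  document: { cookie: "sid=abc123" },
};
const CAPTURED_RETURN = "UA-constructed|1920x1080|abc123";

function runRebuildDemo() {
  const first = probeRun(SIGN_SOURCE, {});
  const final = rebuild(SIGN_SOURCE, SHIMS);
  return {
    firstMissing: first.missing,
    firstError: first.error,
    applied: final.applied,
    value: final.value,
    matchesCapture: final.value === CAPTURED_RETURN,
  };
}

console.log(runRebuildDemo());
```

The allowlist is deliberate: recent Node versions define some browser-like globals themselves (for example `navigator`), so falling back to `globalThis` for everything would hide exactly the gaps the probe is meant to report.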

AI Provider Not Working


Problem: `understand_code` fails with "provider not configured"
Solution:
  1. Set `DEFAULT_LLM_PROVIDER` in MCP server env config
  2. Set corresponding API key (`ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, etc.)
  3. Verify key is valid and has API access
  4. Check `ANTHROPIC_BASE_URL` if using proxy

Session State Not Restoring


Problem: `restore_session_state` doesn't preserve login
Solution:
  1. Ensure cookies domain matches current page
  2. Save session while still on target domain
  3. Check if site uses `httpOnly` cookies (not accessible to JS)
  4. Some sites require additional localStorage/sessionStorage

Reference Documentation


  • Full tool reference: `docs/reference/tool-reference.md`
  • Workflow guide: `docs/reference/reverse-workflow.md`
  • Case safety policy: `docs/reference/case-safety-policy.md`
  • Environment patching: `docs/reference/env-patching.md`
  • Reverse artifacts: `docs/reference/reverse-artifacts.md`
  • Browser connection: `docs/guides/browser-connection.md`
  • Client configuration: `docs/guides/client-configuration.md`

Security & Ethics


  • Never commit sensitive task directories (real credentials, keys, tokens)
  • Respect target site's terms of service
  • Use only for authorized testing, research, or debugging your own applications
  • Abstracted cases in `scripts/cases/` must be sanitized and educational
This tool is for legitimate reverse engineering, security research, and debugging — not for bypassing security controls on third-party services without permission.