Web JS Reverse Master Flow

Role

• Normalizing the current task phase
• Selecting the most appropriate specialized skill for the next step
• Constraining the switching order to avoid misoperations such as "patching the environment before confirming the request chain"
• Outputting the current phase, blocking points, and the next tool that must be updated

• This skill always acts as a macro master controller and will not be reduced to a case library for specific vendors, sites or shells.
• Even if strong clues such as

  Akamai/Kasada/PX/reese84/TongDun/a_bogus/Tencent slider/Alibaba slider/JSVMP/227/226/wasm/protobuf/rid/fuid/fs/bx-pp/run_js/storage.estimate/animationend

  appear, it only helps with pre-routing and does not change its master control role of "judging phases first, then selecting specialized skills".
• Site-specific, vendor-specific and technical experience should be provided by

  $1997-pro-web-reverse-casebook

  or other specialized skills.

$1997-pro-web-reverse-casebook

MCP Stack

• chrome-devtools-mcp

  Responsible for browser takeover, page-level debugging, Network/DOM/Runtime/CDP breakpoint and call stack observation, which is the most direct on-site forensics surface.

• js-reverse

  Responsible for source code search, Hook, breakpoint, code collection, runtime evidence precipitation, WebSocket/Storage/Session state analysis at the reverse engineering workflow level.

• jshook

  Responsible for heavier JS reverse engineering analysis, deobfuscation, Stealth, Hook, browser automation, debugger and code understanding enhancement.

• First use

  chrome-devtools-mcp

  and

  js-reverse

  to obtain real samples and on-site evidence.
• Explicitly introduce

  jshook

  when entering the stages of heavy obfuscation, semantic layer restoration or advanced Hook/Stealth.
• Do not skip browser on-site evidence only by static reading.
• Do not directly discuss Node.js migration without browser baseline samples.

Input Block

URL or Target Page:
Target Request / Field / Cookie / Message:
Trigger Action:
Current Phenomenon:
Existing Evidence:
Goal:
Constraints:

General Principles

• Hook-first, Breakpoint-second, Full-dump-last.
• Prove the real request chain first, then discuss pure calculation, environment patching or replay.
• Restore the semantic layer first, then migrate the runtime, not the other way around.
• Runtime difference analysis takes precedence over blind environment patching.
• Expand only one variable at a time: one hook point, one sample, one patch, one branch judgment.
• Any conclusion must be accompanied by runtime evidence or intermediate state checkpoints.
• Case anchors can only help with pre-routing, and cannot replace evidence gates and phase judgments.

Anti-Spiral Protocol

• Performing similar operations at the same layer for consecutive rounds, but no new request chain, writing boundary, state carrier or checkpoint is added
• Continuously adding Hooks / breakpoints / patches, but cannot explain the first real divergence
• Spending a lot of time on beautify / AST transformation, but still failing to bind the logic back to the real sink
• The local environment patching is getting more and more complex, but cannot tell which object or state is affecting the result
• Only focusing on the final value, no longer comparing intermediate states

• If there is no new evidence in two consecutive rounds of the same phase, you must switch actions, and third repetition of similar operations is not allowed.
• If the same problem still does not converge after six consecutive rounds, you must stop the current approach and upgrade to the next layer of strategy.
• Any upgrade must clearly state: why the current approach failed, what to verify next, and which assumptions are abandoned.

• Stuck in

  locate

  : Expand the real trigger scope, switch to capturing initiators, use breakpoint stacks or browser-side calls instead
• Stuck in

  recover

  : Reduce the recovery depth, return to

  locate

  to reconfirm the boundary, or switch to black-box reuse
• Stuck in

  runtime

  : Roll back to the first stable browser snapshot, rebuild the divergence table, then patch only one state surface
• Stuck in

  env-patch

  : Stop patching objects, switch to browser-assisted execution, remote calling or minimal proxy solutions

• Continue to expand the dump scope without new evidence
• Perform full decompilation before proving the builder / writer boundary
• Perform full browser environment migration before proving the first divergence point
• Use "this site is difficult" instead of phase judgment and stop depth judgment

Case Anchor Pre-Routing

• Vendor / Product Anchors:

  • Akamai

    ,

    Kasada

    ,

    PX

    ,

    PX3

    ,

    reese84

    ,

    Incapsula

    ,

    TongDun

    ,

    BlackBox

    ,

    a_bogus

  • Default suspicion: Request chain in

    Phase 1

    + risk control / fingerprint / challenge divergence in

    Phase 3

• Field / Protocol Anchors:

  • rid

    ,

    protobuf

    ,

    x-s3-s4e

    ,

    desc

    ,

    bx-pp

  • Default suspicion: Builder / writer boundary in

    Phase 1

    , enter

    Phase 2

    to check

    wasm

    / encapsulation bridge if necessary
• Captcha / Business Anchors:

  • Tencent slider

    ,

    Alibaba slider

    ,

    _rand

    ,

    fuid

    ,

    fs

  • Default suspicion: Position chain and encryption chain coexist, usually triggering

    Phase 1

    and

    Phase 3

    simultaneously
• Shell Layer Anchors:

  • JSVMP

    ,

    227

    ,

    226

    ,

    while(true)+switch

    ,

    dispatcher

    ,

    basearr

  • Default direct suspicion:

    Phase 2

• Runtime Anchors:

  • run_js

    ,

    storage.estimate

    ,

    animationend

    ,

    postMessage

    ,

    worker

  • Default priority: Perform runtime difference analysis in

    Phase 3

    , then decide whether to enter

    Phase 4

Evidence Gate -> Writing Boundary -> Shell Layer Restoration (if necessary) -> Runtime Difference Analysis -> Node.js Migration

Main Flow

Phase 0: Evidence Gate

• Prove that the target request, field and trigger action all come from real samples, not guesses.

• First run the minimal link according to

  $mcp-js-reverse-playbook

  .
• Mandatorily use

  chrome-devtools-mcp

  or

  $js-reverse

  to establish a browser baseline sample.
• Create or refresh

  reverse-records/Overview.md

  .
• If the request chain, state chain and sample chain are still incomplete, immediately create or refresh

  reverse-records/Request Chain.md

  .

• At least one real sample chain exists.
• The target field or message has been proven by a real request.

• Start patching the environment before confirming the target request.
• Start algorithm restoration directly before confirming the target field.

• Can only say "suspect it's a certain parameter / a certain script", but cannot provide a real request sample
• The trigger action is unstable, and the same chain cannot be obtained by repeated operations

• Return to the minimal trigger action and re-capture a clean sample
• If the page scripts are too messy, prioritize using the Network / call stack scene of

  chrome-devtools-mcp

  instead of reading source code first

Phase 1: Writing Boundary & Request Chain

• $find-crypto-entry

• $jsr-locate

• Add

  $js-reverse-trace-hook

  if not found

• chrome-devtools-mcp

  : Network, DOM trigger points, call stack and breakpoint scene

• js-reverse

  : Request initiator, Hook, code collection, storage/session/websocket

• jshook

  : Supplement heavier Hook and reverse engineering analysis when ordinary search/breakpoints are not enough for stable positioning

• Find the real sink,

  entry -> builder -> writer

  relationship and upstream dependency chain.

• Parameter names are clear.
• The request chain is not fully closed yet.
• Suspect there are

  Set-Cookie

  , challenge, session, response-driven dependencies.

• The final writing boundary has been confirmed.
• The current blocking point has changed from "finding the chain" to "unreadable code/heavy shell/runtime divergence".

• while(true) + switch

• A large number of junk codes, true/false branches

• JSVMP

• 227/226/basearr/opcode/ip/g

• worker/wasm/webpack runtime

• _0x

  string table, dynamic

  eval/Function

• LL()[XX(XX)]()

  , multiple sets of string decrypters, dynamic string filling
• Dynamic string and bridge shells like

  Akamai/Kasada/PX

• The real builder of

  bx-pp

  ,

  rid

  ,

  protobuf builder

  is covered by dispatcher
• Only dispatcher can be seen, not the real builder

• Can see the target value, but cannot explain who wrote it last
• Hook hits many functions, but none can stably return to the real request
• Repeatedly search keywords in the same bundle, but fail to bind the field to the request boundary

• Switch to capturing request initiators and call stacks, stop blind source code search
• Narrow down the problem to the three segments of

  entry -> builder -> writer

  , no longer discuss the full link
• If the builder is covered by a shell, immediately switch to

  Phase 2

Phase 2: Shell Layer Restoration & Heavy Obfuscation Compression

• $jsr-recover

• $js-controlflow-truth-sampling-prune

• $js-ast-binding-alias-deobf

• js-reverse

  : collect_code, trace, breakpoint, Hook, source code-level evidence

• jshook

  : Deobfuscation, Stealth, complex Hook, debugger control, script-level semantic compression

• chrome-devtools-mcp

  : Keep the browser scene, verify the execution path of dispatcher/bridge in the real page

• Compress the shell to a level that is "sufficient to continue locate / runtime / replay", instead of full restoration at one time.

• Identify container, dispatcher, state carrier, bridge, core operator, write-back layer.
• Perform real sample pruning for flat flow or dispatcher.
• Only restore the minimal slice required for the current task.
• For

  JSVMP/227/226

  , at least complete: entry, state variables, key

  opcode

  families, bridge contracts.
• For

  wasm

  , at least complete: download point, instantiation method, imports, exports, JS-to-wasm call bridge.
• For heavy obfuscation like

  Akamai/Kasada/PX

  , freeze the sample first, then extract string decryption mapping and minimal execution fragments.

• Downstream work does not need to open the same layer of shell again.
• Can return to

  $jsr-locate

  to confirm the sink, or enter

  $jsr-runtime

  to handle runtime divergence.

• Recover first, then handle runtime.
• Do not blindly patch

  window/document/navigator

  before clarifying dispatcher and state carrier.

• The code becomes more readable, but still cannot explain the target field
• Keep supplementing cases / opcodes, but fail to bind them to the target write-back path
• The deobfuscation product becomes larger and larger, but no new verifiable checkpoints are added

• Reduce the recovery depth, first only retain key

  opcode

  families or bridges
• If the sink relevance becomes weaker, return to

  Phase 1

• If the bridge contract is clear but the result is still inconsistent, switch to

  Phase 3

• By default, only allow to reach the depth of "sufficient to continue", do not automatically upgrade to a minimal interpreter just because the code is messy
• In composite shell scenarios like

  worker/wasm/JSVMP/227/226

  , if black-box reuse can support downstream work, stop full lifting

Phase 3: Browser vs. Local Difference Diagnosis

• $jsr-runtime

• $js-runtime-diff-env-patching

• Add

  $js-reverse-env-antidebug

  when there is anti-debugging

• chrome-devtools-mcp

  : Establish normal browser path and runtime scene

• js-reverse

  : Capture intermediate states of storage/session/network/websocket/hook

• jshook

  : Anti-debugging, Stealth, environment confrontation, supplementary verification of runtime behavior

• Explain why the browser can run but the local environment cannot, and output a minimal runtime dependency list.

• Missing objects
• Missing states
• Anti-debugging
• Fingerprint/risk control branches
• Time/random number/seed drift

• sign lane

  mixed with

  token lane

• Browser feature channels:

  storage.estimate

  ,

  animationend

  ,

  postMessage

  ,

  worker

• Automation friction:

  run_js

  , formatting detection, drift when DevTools is opened

• The first real mismatch checkpoint has been found.
• Clarified which dependencies must be migrated and which cannot be migrated.

• Compare intermediate states first, then compare final values.
• Patch state first, then patch objects.
• Prove that browser feature channels are actually consumed first, then patch the surface of browser objects.

• Keep patching objects, but the first divergence point is still unclear
• The final value is consistently inconsistent, but there is no intermediate state comparison table
• Each change affects many aspects, cannot know which one takes effect

• Return to the normal browser state, rebuild the "first divergence point comparison table"
• Patch only one state surface at a time:

  cookie/storage/channel/style/time/random

• If the divergence cannot be explained within six rounds, stop environment patching and switch to browser-assisted execution or proxy reuse

Phase 4: Node.js Minimal Migration

• $env-patch

• chrome-devtools-mcp

  : Freeze the browser baseline sample

• js-reverse

  : Extract migratable entry, intermediate states and dependencies

• jshook

  : Assist in local migration judgment when heavier Hook/Stealth/analysis is needed

• Migrate the minimal set of dependencies required by the browser to Node.js.

• Entry is known.
• Dispatcher / builder / bridge is basically clear.
• Browser vs. local difference analysis has been attributed.

• The local environment can stably reach the target builder.
• Intermediate states can be aligned with the browser.

• env-patch

  is for runtime migration, not a replacement for

  recover

  .
• Do not migrate the complete browser environment at one time.

• The local patch list is getting longer and longer, but the intermediate states are not closer to the browser
• Only rely on stacking objects to make the code run without errors, but still cannot enter the real builder
• Fixing one object will introduce more objects, but there is no evidence that they are consumed

• Stop patching objects, return to

  Phase 3

  to only check states and divergences
• If the entry is known but the local environment is still unstable, switch to browser remote calling / browser-assisted replay
• If the Node.js migration cost is significantly higher than the benefit, retain browser-side black-box reuse and do not force localization

Phase 5: Stable Reproduction & Regression

• $js-reverse-sign-replay

• chrome-devtools-mcp

  : Compare with real browser results

• js-reverse

  : Verify whether intermediate states and state dependencies are closed

• jshook

  : Perform supplementary analysis for complex obfuscation or advanced algorithm segments

• Solidify the link into a maintainable, regression-capable local reproduction script.

• Split into

  normalize -> concat -> hash/encrypt -> encode

• Solidify input contracts and phase checkpoints
• Provide baseline and regression

• Fixed input produces stable and consistent results
• Variant input behaviors are explainable
• Can quickly locate breakpoints when subsequent version drifts

• The final value matches, but cannot explain which intermediate states must be consistent
• The result drifts when the input changes slightly, but no record of which phase drifts first

• Split regression back to phase checkpoints, no longer only look at the final value
• If drift comes from runtime dependencies, return to

  Phase 3/4

Complex Scenario Branches

Branch A: Regular Parameter Sites

• Parameter names are clear
• No obvious VM or dispatcher shell
• Code can be traced directly

• Phase 0
• Phase 1
• Phase 5

Branch B: Heavy Obfuscation / Junk Code / Flat Flow / JSVMP

• Large

  switch

• Dispatcher

• JSVMP

• 227/226

• basearr/opcode/ip/g

• A large number of true/false branches

• worker/wasm/runtime

  shell
• Vendor shells:

  Akamai/Kasada/PX/reese84

• Phase 0
• Phase 1
• Phase 2
• Return to Phase 1 to confirm the sink
• Phase 3
• Phase 4
• Phase 5

Branch D: Captcha / Browser Feature Channel Topics

• Tencent slider

  ,

  Alibaba slider

• _rand

  ,

  fuid

  ,

  fs

• animationend

  , CSS animation, style final state value

• run_js

  , automation detection, behavior differences between browser and local environment

• Phase 0
• Phase 1
• Phase 3
• Return to Phase 2 to restore the bridge layer if necessary
• Phase 4
• Phase 5

Branch E: Risk Control Fingerprint / Vendor Challenge Topics

• Akamai

  ,

  Kasada

  ,

  PX

  ,

  reese84

  ,

  Incapsula

• TongDun

  ,

  BlackBox

  ,

  a_bogus

• abck

  ,

  sensor_data

  ,

  bm_sz

  ,

  TLS/JA4

• Browser can pass, local environment gets continuous

  403

  or challenge redirects

• Phase 0
• Phase 1
• Phase 3
• Phase 2 if necessary
• Phase 4
• Phase 5

Branch F: Protocol Encapsulation / Wasm / Builder Topics

• protobuf

  ,

  jspb

• rid

  ,

  x-s3-s4e

  ,

  desc

  ,

  bx-pp

• wasm

  ,

  compileStreaming

  , imports/exports
• Builder / writer is covered by VM or wasm bridge

• Phase 0
• Phase 1
• Phase 2 if necessary
• Phase 3
• Phase 4
• Phase 5

Branch G: Hard Site Composite Scenario

• JSVMP/flat flow/worker/wasm

  appear simultaneously
• Browser feature channels like

  run_js/storage.estimate/animationend

  exist at the same time
• Risk control branches like

  Akamai/Kasada/PX/reese84/TongDun/a_bogus

  exist at the same time
• Huge differences between Node.js and browser, and local patches diverge quickly

• Phase 0
• Phase 1
• Phase 2, only restore the minimal bridge slice
• Return to Phase 1 to reconfirm the sink
• Phase 3, first find the first divergence point
• Phase 4, only enter when the dependency list is stable
• Phase 5

• Direct jumping from

  Phase 2

  to "full local restoration" is prohibited in this scenario
• Once the boundary anchor is lost at any time, prioritize returning to

  Phase 1

Hard-Site Escalation Ladder

1. Browser Minimal Sample
   • Confirm real request, trigger action, target field
2. Writing Boundary
   • Confirm

     entry -> builder -> writer

3. Minimal Shell Layer Restoration
   • Only restore the blocking dispatcher / bridge / imports / opcode
4. First Divergence Point Diagnosis
   • Make browser vs. local comparison table
5. Minimal Runtime Migration
   • Only migrate dependencies proven to affect results
6. Browser-Assisted Execution or Black-Box Reuse
   • Accept browser-side solutions when localization cost is too high
7. Stable Regression
   • Then perform pure calculation, proxy or replay solidification

• The previous layer has produced stable tools, but still cannot support the next step

• Do Step 5 without completing Step 2
• Claim that the local environment is sufficient without completing Step 4
• Force "must be pure local" without evaluating Step 6

Branch C: Huge Differences Between Browser and Node.js

• Browser works normally, local environment fails
• Local environment can generate values, but server returns continuous

  403

• Result drifts when debugging is enabled
• Sensitive to fingerprint, time, random number, risk control

• Phase 0
• Phase 1
• Phase 3
• Phase 4
• Phase 5

Switching Rules Quick Reference

• Clear parameter names without heavy obfuscation: Start with Phase 1 first.
• See

  JSVMP/227/226/flat flow/basearr/opcode

  : Switch to Phase 2 first.
• See

  wasm/bx-pp/protobuf builder/dynamic string shell

  : Usually start with Phase 1, then switch to Phase 2 according to the degree of coverage.
• See

  run_js/storage.estimate/animationend/postMessage/worker

  : Prioritize Phase 3.
• See

  Akamai/Kasada/PX/reese84/TongDun/a_bogus

  : Prioritize checking mixed blocking in Phase 1 and Phase 3.
• See

  Tencent slider/Alibaba slider/_rand/fuid/fs

  : Prioritize handling according to captcha dual chains and browser feature channels.
• First real divergence between browser and Node.js: Switch to Phase 3.
• Difference analysis has been attributed, ready for local execution: Switch to Phase 4.
• Link is stable, ready for delivery: Switch to Phase 5.

MCP Execution Discipline

• chrome-devtools-mcp

  is responsible for "real page scene", without it there is no reliable browser baseline.

• js-reverse

  is responsible for "reverse engineering workflow evidence", without it there is no stable Hook/code/state record.

• jshook

  is responsible for "advanced reverse engineering and confrontation reinforcement", and is added by default during heavy obfuscation, anti-debugging, Stealth, complex Hook.
• If any of the three does not provide incremental evidence in any phase, clearly explain why this phase does not need it temporarily, instead of skipping silently.

Deliverables

• reverse-records/Overview.md

• reverse-records/Request Chain.md

• reverse-records/Restoration Record.md

• reverse-records/Runtime Dependency.md

• reverse-records/Verification Record.md

• reverse-records/State Carrier Card.md

• reverse-records/Environment Dependency List.md

• reverse-records/Escalation Record.md

• Current phase
• Current blocking point
• Current strongest anchor
• New evidence added in the latest round
• If no new evidence, which layer to switch to next

One-Sentence Version

Evidence Gate -> locate -> recover(if necessary) -> runtime diff -> env-patch -> sign-replay

• Recover in advance if the shell is heavy
• Perform runtime diff first if divergence is obvious
• Use env-patch only to wrap up Node.js migration
• Enter sign-replay only for final delivery