env-patch

Implement environment patching solution for $ARGUMENTS.

Prerequisites: The encryption entry (module ID, function name, the script it locates in) is known. If not located, use

/find-crypto-entry

first.

Core Concepts

env_core.js
is the engine: Provides utility functions (
```
setFuncNative
```
/
```
setObjNative
```
/
```
getNativeProto
```
/
```
wrapFunc
```
/
```
monitor
```
/
```
createProxy
```
) and diagnostic reports. The engine does not contain any environment stubs, and will not be modified after copying.
run.js
is the strategy: All environment stubs, patches, loading logic are written in run.js. Only run.js is modified after each round of diagnosis.
browser-stubs.md
is the reference directory: Get stub code on demand according to the UNDEFINED/ERRORS appearing in the diagnostic report.

Iron Rules

Modification of original JS is prohibited — Files under
```
source/
```
are read-only. JS copies under
```
env/
```
(main.js / sdk.js / bytecode.js) are final once generated and will not be modified. All patches are written in run.js / sign.js.
Must require env_core.js — It is forbidden to rewrite utility functions such as setFuncNative / setObjNative / createProxy in run.js. All utilities are imported via
```
const env = require('./env_core')
```
, then call
```
env.setFuncNative()
```
/
```
env.createProxy()
```
etc. env_core.js will not be modified after copying. If you need additional helpers, write them at the top of run.js, but do not reimplement functions already available in env_core.
Analyze VMP entry parameters first — The dependency array of the VMP entry determines the boundary of environment patching.
```
typeof chrome !== "undefined" ? chrome : undefined
```
checks
```
globalThis
```
, not
```
window
```
. Must use
```
Object.defineProperty(global, name, ...)
```
for synchronization.
Loading order is critical — VMP initializes and reads the environment at the moment of
```
require()
```
, which cannot be changed afterwards. Code in run.js must strictly follow the order below:
1. ```
const env = require('./env_core')
```
  — Get utilities (first line)
2. Build stub objects (document / navigator / location etc.)
3. ```
env.init({ window, document, navigator, location })
```
  — Block Node leaks + mount global variables
4. Additional environment completion — Synchronize global variables such as performance, chrome etc.
5. ```
require('./main.js')
```
  — Load target JS
6. Test signature
Format validation takes precedence over request validation — Inconsistent signature length/prefix with browser = downgrade, even if HTTP 200 is returned it is a false positive.

Template

File	Purpose
`${CLAUDE_SKILL_DIR}/scripts/env_core.js`	Utility set + Proxy engine + Diagnostic report
`${CLAUDE_SKILL_DIR}/scripts/webpack_runtime.js`	Minimal webpack runtime

After copying to the project

env/

directory, env_core.js shall not be modified.

Execution Process

Step 1: Build project structure

<project>/
├── source/     # Original JS (downloaded, not modified)
├── env/        # Runtime environment
│   ├── env_core.js      # Copied from template, do not modify
│   ├── main.js          # Target JS copy (or sdk.js + bytecode.js)
│   ├── run.js           # Loader + environment stubs + test
│   └── sign.js          # Signature interface (encapsulated at last)
├── python/     # Verification scripts
└── docs/progress.md

Scenario judgment (read reference on demand):

Scenario	JS File	Reference Document
Single file SDK	Copy to `env/main.js`	—
SDK + bytecode separated	`env/sdk.js` + `env/bytecode.js`	`references/multi-file.md`
webpack bundle	Extract modules to `env/main.js`	`references/webpack.md`
Runtime dynamic loading	Download via curl to `source/` , copy to `env/`	`references/dynamic-loading.md`

Step 2: First run

Write minimal run.js, only include necessary stubs:

javascript

const env = require('./env_core');
const _process = process; // init() will hide process, reserve reference in advance

// ① Build minimal stubs (get document/navigator/location from browser-stubs.md)
const fakeDocument = { /* ... */ };
const fakeNavigator = { /* ... */ };
const fakeLocation = { /* ... */ };

// ② Assemble window
const fakeWindow = {
    document: fakeDocument,
    navigator: fakeNavigator,
    location: fakeLocation,
    // ... supplement on demand
};
fakeWindow.window = fakeWindow;
fakeWindow.self = fakeWindow;
fakeWindow.top = fakeWindow;
fakeWindow.parent = fakeWindow;
fakeWindow.globalThis = fakeWindow;

// ③ Initialize (Node leak blocking + global mounting)
env.init({
    window: env.createProxy(fakeWindow, 'window', 0),
    document: env.createProxy(fakeDocument, 'document', 0),
    navigator: env.createProxy(fakeNavigator, 'navigator', 0),
    location: env.createProxy(fakeLocation, 'location', 0),
});

// ④ Additional global synchronization
// global.chrome = window.chrome;  // If needed

// ⑤ Load target JS
require('./main.js');

// ⑥ Test
console.log('Signature function:', typeof window.签名函数名);

Run

node env/run.js

and read the diagnostic report.

Step 3: Diagnosis loop (core)

Read the diagnostic report after each run, process according to the following decision tree:

Diagnostic report
├── [HANG] Process stuck/no output → Refer to references/anti-debug.md
│   ├── setInterval debugger infinite loop → hook setInterval to filter
│   ├── eval/Function dynamically generated debugger → hook eval + Function to strip
│   └── Synchronous while(true) → Locate source code, patch global in run.js
│
├── [ERRORS] → Must be fixed immediately
│   ├── TypeError: xxx is not a function → Supplement corresponding method
│   ├── xxx is not defined → Supplement global variable/constructor
│   └── Cannot read property of undefined → Supplement intermediate object
│
├── [UNDEFINED] → Process item by item
│   ├── First use evaluate_script to get real value from browser
│   ├── Also undefined in browser → Skip (marked as confirmed)
│   └── Has value in browser → Supplement to run.js (get standard writing from browser-stubs.md)
│
└── ERRORS = 0 && All UNDEFINED confirmed → Enter signature format verification
    ├── Signature length/prefix consistent with browser → Step 4
    └── Inconsistent signature → In-depth investigation
        ├── monitor() wraps key objects to track property access
        ├── Global error interception: process.on('uncaughtException')
        ├── Check item by item against references/node-detection.md
        └── No abnormalities in all external hooks → references/limitations.md

Operations per round:

Read diagnostic report
Get corresponding stub code from
```
browser-stubs.md
```
, write with utilities from
```
env_core.js
```
Only modify run.js
Rerun, go back to step 1

Step 4: Encapsulation and verification

sign.js:

javascript

const env = require('./env_core');
// ... Environment construction (same as run.js) ...
require('./main.js');

module.exports = function sign(url, data) {
    // Call signature function, return result
    return window.签名函数名(url, data);
};

Verification order:

Format verification — Signature length, prefix are consistent with those from browser
Request verification — HTTP 200 + business data returned

References

Read on demand when encountering specific scenarios:

File	When to read
`references/anti-debug.md`	Process is stuck/extremely slow, or target is known to have debugger anti-debugging
`references/browser-stubs.md`	Need to supplement stubs, look up standard writing
`references/node-detection.md`	Signature downgrade (length/prefix inconsistent with browser)
`references/multi-file.md`	SDK + bytecode separation, multi-interpreter scenarios
`references/dynamic-loading.md`	Encryption code is dynamically loaded from API
`references/webpack.md`	webpack bundle module extraction
`references/storage-tracing.md`	Suspect localStorage has control flow switch
`references/limitations.md`	When all external hooks are invalid, understand the ceiling of the solution

env-patch

NPX Install

Tags

SKILL.md Content (Chinese)

env-patch

Core Concepts

Iron Rules

Template

Execution Process

Step 1: Build project structure

Step 2: First run

Step 3: Diagnosis loop (core)

Step 4: Encapsulation and verification

References