Web流量解密技术详解：Web&小程序逆向分析指南<\/h1>

1. 无限debugger反调试绕过技术<\/h2>

1.1 基本原理<\/h3>
无限debugger反调试通常通过以下几种方式实现：<\/p>
setInterval循环触发debugger<\/li>
setTimeout延迟触发debugger<\/li>
原型链构造器(Constructor)触发debugger<\/li>
eval函数执行debugger语句<\/li> <\/ul>
1.2 万能绕过脚本<\/h3>
推荐使用hook技术覆盖关键函数：<\/p>
\/\/ 万能debugger绕过脚本
<\/span><\/span><\/span><\/span>Function.prototype<\/span>.constructor_<\/span> =<\/span> Function.prototype<\/span>.constructor<\/span>;
<\/span><\/span>Function.prototype<\/span>.constructor<\/span> =<\/span> function<\/span>() {
<\/span><\/span>    if<\/span>(arguments<\/span>[0<\/span>]===<\/span>"debugger"<\/span>) {
<\/span><\/span>        return<\/span> function<\/span>(){};
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        return<\/span> Function.prototype<\/span>.constructor_<\/span>.apply<\/span>(this<\/span>, arguments<\/span>);
<\/span><\/span>    }
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>setInterval_<\/span> =<\/span> setInterval<\/span>;
<\/span><\/span>setInterval<\/span> =<\/span> function<\/span>(a<\/span>, b<\/span>) {
<\/span><\/span>    if<\/span>(a<\/span>.toString<\/span>().indexOf<\/span>('debugger'<\/span>) !=<\/span> -<\/span>1<\/span>) {
<\/span><\/span>        return<\/span> null<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> setInterval_<\/span>(a<\/span>, b<\/span>);
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>setTimeout_<\/span> =<\/span> setTimeout<\/span>;
<\/span><\/span>setTimeout<\/span> =<\/span> function<\/span>(a<\/span>, b<\/span>) {
<\/span><\/span>    if<\/span>(a<\/span>.toString<\/span>().indexOf<\/span>('debugger'<\/span>) !=<\/span> -<\/span>1<\/span>) {
<\/span><\/span>        return<\/span> null<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> setTimeout_<\/span>(a<\/span>, b<\/span>);
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>eval_<\/span> =<\/span> eval;
<\/span><\/span>eval =<\/span> function<\/span>(a<\/span>) {
<\/span><\/span>    if<\/span>(a<\/span>.toString<\/span>().indexOf<\/span>('debugger'<\/span>) !=<\/span> -<\/span>1<\/span>) {
<\/span><\/span>        return<\/span> function<\/span>(){};
<\/span><\/span>    }
<\/span><\/span>    return<\/span> eval_<\/span>(a<\/span>);
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>1.3 瑞数WAF绕过实战<\/h3>


定位入口文件<\/strong>：<\/p>

查找包含无限debugger逻辑的JS文件<\/li>
通过堆栈调用定位触发位置<\/li>
<\/ul>
<\/li>

操作步骤<\/strong>：<\/p>

在入口文件开头设置断点<\/li>
刷新页面使断点生效<\/li>
在控制台执行绕过脚本<\/li>
放开断点继续执行<\/li>
<\/ul>
<\/li>
<\/ol>
2. 常规JS逆向分析技术<\/h2>
2.1 加密定位方法<\/h3>


参数搜索法<\/strong>：<\/p>

抓包分析请求参数（如cipherH5）<\/li>
全局搜索关键参数名<\/li>
<\/ul>
<\/li>

函数特征搜索<\/strong>：<\/p>

搜索"encrypt"\/"encode"等关键词<\/li>
火狐浏览器可部分反混淆<\/li>
<\/ul>
<\/li>
<\/ol>
2.2 AES加密分析实例<\/h3>


识别加密类型<\/strong>：<\/p>

通过CryptoJS库特征识别<\/li>
常见模式：AES-CBC-PKCS7<\/li>
<\/ul>
<\/li>

提取关键参数<\/strong>：<\/p>

获取WordArray格式的key和iv<\/li>
还原为可用的密钥和初始向量<\/li>
<\/ul>
<\/li>
<\/ol>
\/\/ WordArray转Hex示例
<\/span><\/span><\/span><\/span>function<\/span> wordArrayToHex<\/span>(wordArray<\/span>) {
<\/span><\/span>    let<\/span> hex<\/span> =<\/span> ''<\/span>;
<\/span><\/span>    for<\/span> (let<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> wordArray<\/span>.sigBytes<\/span>; i<\/span>++<\/span>) {
<\/span><\/span>        const<\/span> byte<\/span> =<\/span> (wordArray<\/span>.words<\/span>[Math.floor<\/span>(i<\/span> \/<\/span> 4<\/span>)] >>><\/span> (24<\/span> -<\/span> (i<\/span> %<\/span> 4<\/span>) *<\/span> 8<\/span>)) &<\/span> 0xff<\/span>;
<\/span><\/span>        hex<\/span> +=<\/span> byte<\/span>.toString<\/span>(16<\/span>).padStart<\/span>(2<\/span>, '0'<\/span>);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> hex<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 全混淆JS逆向高阶技术<\/h2>
3.1 JSON Hook技术<\/h3>
生命周期分析<\/strong>：<\/p>
明文数据 -> JSON.stringify -> 加密函数 -> 网络传输
接收数据 -> 解密函数 -> JSON.parse -> 明文数据
<\/code><\/pre>
Hook实现方法<\/strong>：<\/p>
\/\/ Hook JSON.stringify
<\/span><\/span><\/span><\/span>const<\/span> stringify_<\/span> =<\/span> JSON<\/span>.stringify<\/span>;
<\/span><\/span>JSON<\/span>.stringify<\/span> =<\/span> function<\/span>(params<\/span>) {
<\/span><\/span>    console<\/span>.log<\/span>("stringify called"<\/span>, params<\/span>);
<\/span><\/span>    debugger<\/span>;
<\/span><\/span>    return<\/span> stringify_<\/span>(params<\/span>);
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>\/\/ Hook JSON.parse
<\/span><\/span><\/span><\/span>const<\/span> parse_<\/span> =<\/span> JSON<\/span>.parse<\/span>;
<\/span><\/span>JSON<\/span>.parse<\/span> =<\/span> function<\/span>(params<\/span>) {
<\/span><\/span>    console<\/span>.log<\/span>("parse called"<\/span>, params<\/span>);
<\/span><\/span>    debugger<\/span>;
<\/span><\/span>    return<\/span> parse_<\/span>(params<\/span>);
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>3.2 操作步骤<\/h3>

在控制台输入Hook代码<\/li>
触发业务功能点<\/li>
通过调用堆栈定位加密函数<\/li>
将加密函数提升为全局函数<\/li>
<\/ol>
\/\/ 函数提升为全局示例
<\/span><\/span><\/span><\/span>window.encryptFunc<\/span> =<\/span> function<\/span>(data<\/span>) {
<\/span><\/span>    \/\/ 原加密函数逻辑
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>4. 非常规加密逆向技术<\/h2>
4.1 国密SM4\/自定义算法处理<\/h3>
工具准备<\/strong>：<\/p>
# 安装Sekiro Docker工具<\/span>
<\/span><\/span>docker pull registry.cn-beijing.aliyuncs.com\/iinti\/common:sekiro-all-in-one-latest
<\/span><\/span>docker run -d -p 5612:5612 -v ~\/sekiro-mysql-data:\/var\/lib\/mysql --name sekiro-all-in-one registry.cn-beijing.aliyuncs.com\/iinti\/common:sekiro-all-in-one-latest
<\/span><\/span><\/code><\/pre>4.2 Sekiro客户端配置<\/h3>
function<\/span> SekiroClient<\/span>(wsURL<\/span>) {
<\/span><\/span>    \/\/ ... 省略构造函数实现 ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>var<\/span> client<\/span> =<\/span> new<\/span> SekiroClient<\/span>("wss:\/\/127.0.0.1:5612\/business\/register?group=test_web&clientId="<\/span> +<\/span> Math.random<\/span>());
<\/span><\/span>
<\/span><\/span>client<\/span>.registerAction<\/span>("River6Enc"<\/span>, function<\/span>(request<\/span>, resolve<\/span>, reject<\/span>) {
<\/span><\/span>    var<\/span> data1<\/span> =<\/span> request<\/span>['data1'<\/span>];
<\/span><\/span>    var<\/span> data2<\/span> =<\/span> request<\/span>['data2'<\/span>];
<\/span><\/span>    var<\/span> res<\/span> =<\/span> window.River6Enc<\/span>(data1<\/span>, data2<\/span>);
<\/span><\/span>    resolve<\/span>(res<\/span>);
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>4.3 Python调用示例<\/h3>
import<\/span> websockets
<\/span><\/span>import<\/span> asyncio
<\/span><\/span>import<\/span> json
<\/span><\/span>
<\/span><\/span>async<\/span> def<\/span> call_encrypt<\/span>(data1, data2):
<\/span><\/span>    async<\/span> with<\/span> websockets.<\/span>connect('ws:\/\/127.0.0.1:5612\/business\/invoke'<\/span>) as<\/span> websocket:
<\/span><\/span>        request =<\/span> {
<\/span><\/span>            "group"<\/span>: "test_web"<\/span>,
<\/span><\/span>            "action"<\/span>: "River6Enc"<\/span>,
<\/span><\/span>            "data1"<\/span>: data1,
<\/span><\/span>            "data2"<\/span>: data2
<\/span><\/span>        }
<\/span><\/span>        await<\/span> websocket.<\/span>send(json.<\/span>dumps(request))
<\/span><\/span>        response =<\/span> await<\/span> websocket.<\/span>recv()
<\/span><\/span>        return<\/span> json.<\/span>loads(response)['data'<\/span>]
<\/span><\/span><\/code><\/pre>4.4 Yakit热加载实现<\/h3>

编写加密函数调用逻辑<\/li>
配置自动化参数处理<\/li>
实现请求\/响应自动加解密<\/li>
<\/ol>
5. 小程序逆向补充技术<\/h2>
5.1 通用逆向流程<\/h3>

获取小程序包（.wxapkg）<\/li>
使用反编译工具（如wxappUnpacker）<\/li>
分析核心业务逻辑<\/li>
定位加密\/签名函数<\/li>
<\/ol>
5.2 常见保护方式<\/h3>

代码混淆（变量名混淆、控制流平坦化）<\/li>
逻辑分块加载<\/li>
核心算法wasm化<\/li>
签名校验机制<\/li>
<\/ul>
5.3 应对策略<\/h3>


动态调试<\/strong>：<\/p>

使用模拟器+Charles抓包<\/li>
配合Chrome DevTools调试<\/li>
<\/ul>
<\/li>

静态分析<\/strong>：<\/p>

反编译后代码还原<\/li>
关键函数定位与重构<\/li>
<\/ul>
<\/li>

Hook技术<\/strong>：<\/p>

Frida\/Xposed框架注入<\/li>
关键API拦截与修改<\/li>
<\/ul>
<\/li>
<\/ol>
6. 实战注意事项<\/h2>


法律合规<\/strong>：<\/p>

仅用于授权测试<\/li>
遵守相关法律法规<\/li>
<\/ul>
<\/li>

技术要点<\/strong>：<\/p>

多维度验证加密逻辑<\/li>
注意时间戳\/随机数等动态参数<\/li>
处理Cookie\/Session等状态保持<\/li>
<\/ul>
<\/li>

调试技巧<\/strong>：<\/p>

使用条件断点提高效率<\/li>
记录完整调用堆栈<\/li>
对比多组数据寻找规律<\/li>
<\/ul>
<\/li>

反反调试<\/strong>：<\/p>

检测DevTools打开状态<\/li>
检测执行时间差异<\/li>
检测代码完整性校验<\/li>
<\/ul>
<\/li>
<\/ol>
本技术文档仅用于安全研究学习，请勿用于非法用途。<\/p>