JS逆向补环境技术详解：携程testab参数逆向分析<\/h1>

一、前言<\/h2>
补环境技术是JS逆向中相对通用且易于实现的方法，相较于直接逆向算法，补环境可以更高效地解决JSVMP等复杂加密问题。本文将以携程testab参数为例，详细讲解补环境的完整流程和技术要点。<\/p>

二、逆向目标分析<\/h2>

1. 目标参数<\/h3>

参数名：testab<\/li>
生成方式：由e函数生成，通过JSVMP代码动态执行<\/li>

接口来源：getHotelScript接口返回的VMP代码<\/li> <\/ul>

2. 定位关键代码<\/h3>

全局搜索"testab"定位到生成函数<\/li>
跟栈发现是VMP代码通过eval执行<\/li>

VMP代码动态变化，需固定调试<\/li> <\/ol>

三、VMP代码调试方法<\/h2>

1. 两种调用方式<\/h3>

\/\/ 方法一：动态eval执行
<\/span><\/span><\/span><\/span>var<\/span> code<\/span> =<\/span> `vmp代码`<\/span>;
<\/span><\/span>function<\/span> decode<\/span>(callback<\/span>) {
<\/span><\/span>  window[callback<\/span>] =<\/span> function<\/span>(e<\/span>) {
<\/span><\/span>    delete<\/span> window[callback<\/span>];
<\/span><\/span>    var<\/span> e<\/span> =<\/span> e<\/span>();
<\/span><\/span>    testab<\/span> =<\/span> e<\/span>;
<\/span><\/span>    return<\/span> e<\/span>;
<\/span><\/span>  }
<\/span><\/span>  window.eval(code<\/span>);
<\/span><\/span>  return<\/span> testab<\/span>
<\/span><\/span>}
<\/span><\/span>decode<\/span>("KLBNxcMKmI"<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 方法二：直接执行
<\/span><\/span><\/span><\/span>function<\/span> decode<\/span>(callback<\/span>) {
<\/span><\/span>  window[callback<\/span>] =<\/span> function<\/span>(e<\/span>) {
<\/span><\/span>    delete<\/span> window[callback<\/span>];
<\/span><\/span>    var<\/span> e<\/span> =<\/span> e<\/span>();
<\/span><\/span>    testab<\/span> =<\/span> e<\/span>;
<\/span><\/span>    return<\/span> e<\/span>;
<\/span><\/span>  }
<\/span><\/span>  \/\/ 直接放入vmp代码
<\/span><\/span><\/span><\/span>  return<\/span> testab<\/span>
<\/span><\/span>}
<\/span><\/span>decode<\/span>("KLBNxcMKmI"<\/span>);
<\/span><\/span><\/code><\/pre>2. JSVMP插桩调试<\/h3>
在VMP指令为函数调用的地方下断点，输出关键日志：<\/p>

navigator自有属性和external的toString()检测<\/li>
document.documentElement的getAttribute检测<\/li>
Object.keys对document原型检测<\/li>
navigator属性描述符检测及UA检测<\/li>
node process检测<\/li>
Window toString()检测<\/li>
document检测<\/li>
createElement检测<\/li>
appendChild及报错检测<\/li>
vm及其他检测<\/li>
<\/ul>
四、补环境实现<\/h2>
1. 基础环境搭建<\/h3>
创建三个文件：<\/p>

main.js：主运行文件<\/li>
env.js：环境补全代码<\/li>
code.js：VMP执行代码<\/li>
<\/ul>
基础保护代码<\/h4>
!<\/span>(function<\/span>(){
<\/span><\/span>  "use strict"<\/span>;
<\/span><\/span>  const<\/span> $toString<\/span> =<\/span> Function.toString<\/span>;
<\/span><\/span>  const<\/span> myFunction_toString_symbol<\/span> =<\/span> Symbol<\/span>('('<\/span>.concat<\/span>(Math.random<\/span>()+<\/span>''<\/span>).toString<\/span>(36<\/span>)));
<\/span><\/span>  const<\/span> mytoString<\/span> =<\/span> function<\/span>(){
<\/span><\/span>    return<\/span> typeof<\/span> this<\/span> ==<\/span> 'function'<\/span> &&<\/span> this<\/span>[myFunction_toString_symbol<\/span>] ||<\/span> $toString<\/span>.call<\/span>(this<\/span>);
<\/span><\/span>  };
<\/span><\/span>  
<\/span><\/span>  function<\/span> set_native<\/span>(func<\/span>,key<\/span>,value<\/span>){
<\/span><\/span>    Object.defineProperty<\/span>(func<\/span>,key<\/span>,{
<\/span><\/span>      "enumerable"<\/span>:<\/span> false<\/span>,
<\/span><\/span>      "configurable"<\/span>:<\/span> true<\/span>,
<\/span><\/span>      "writable"<\/span>:<\/span> true<\/span>,
<\/span><\/span>      "value"<\/span>:<\/span> value<\/span>
<\/span><\/span>    })
<\/span><\/span>  };
<\/span><\/span>  
<\/span><\/span>  delete<\/span> Function.prototype<\/span>['toString'<\/span>];
<\/span><\/span>  set_native<\/span>(Function.prototype<\/span>,"toString"<\/span>,mytoString<\/span>);
<\/span><\/span>  set_native<\/span>(Function.prototype<\/span>.toString<\/span>,myFunction_toString_symbol<\/span>,"function toString() { [native code] }"<\/span>);
<\/span><\/span>  
<\/span><\/span>  this<\/span>.func_set_native<\/span> =<\/span> function<\/span>(func<\/span>){
<\/span><\/span>    set_native<\/span>(func<\/span>,myFunction_toString_symbol<\/span>,`function <\/span>${<\/span>myFunction_toString_symbol<\/span>,func<\/span>.name<\/span>}<\/span>(){ [native code] }`<\/span>)
<\/span><\/span>  }
<\/span><\/span>}).call<\/span>(this<\/span>);
<\/span><\/span>
<\/span><\/span>window =<\/span> this<\/span>;
<\/span><\/span>self<\/span> =<\/span> window;
<\/span><\/span>self<\/span>.window =<\/span> window;
<\/span><\/span><\/code><\/pre>2. 关键环境补全<\/h3>
基础对象补全<\/h4>
Window<\/span> =<\/span> function<\/span> Window<\/span>(){};
<\/span><\/span>Location<\/span> =<\/span> function<\/span> Location<\/span>(){};
<\/span><\/span>Navigator<\/span> =<\/span> function<\/span> Navigator<\/span>(){};
<\/span><\/span>Image<\/span> =<\/span> function<\/span> Image<\/span>(){ console<\/span>.log<\/span>("Image"<\/span>, arguments<\/span>) };
<\/span><\/span>document =<\/span> {};
<\/span><\/span>navigator<\/span> =<\/span> {};
<\/span><\/span>location<\/span> =<\/span> {};
<\/span><\/span>external<\/span> =<\/span> {};
<\/span><\/span>
<\/span><\/span>\/\/ 外部对象补全
<\/span><\/span><\/span><\/span>Object.defineProperty<\/span>(external<\/span>, Symbol<\/span>.toStringTag<\/span>, {
<\/span><\/span>  value<\/span>:<\/span> 'External'<\/span>
<\/span><\/span>});
<\/span><\/span>External<\/span> =<\/span> function<\/span> External<\/span>(){ console<\/span>.log<\/span>("External"<\/span>,arguments<\/span>) };
<\/span><\/span>func_set_native<\/span>(External<\/span>);
<\/span><\/span>external<\/span>.__proto__<\/span> =<\/span> External<\/span>.prototype<\/span>;
<\/span><\/span><\/code><\/pre>Navigator补全<\/h4>
Object.setPrototypeOf<\/span>(navigator<\/span>, Navigator<\/span>.prototype<\/span>);
<\/span><\/span>Navigator<\/span>.prototype<\/span>.webdriver<\/span> =<\/span> false<\/span>;
<\/span><\/span>Navigator<\/span>.prototype<\/span>.platform<\/span> =<\/span> 'Win32'<\/span>;
<\/span><\/span>Navigator<\/span>.prototype<\/span>.appCodeName<\/span> =<\/span> 'Mozilla'<\/span>;
<\/span><\/span>Navigator<\/span>.prototype<\/span>.userAgent<\/span> =<\/span> 'Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/127.0.0.0 Safari\/537.36'<\/span>;
<\/span><\/span><\/code><\/pre>Document相关补全<\/h4>
HTMLHtmlElement<\/span> =<\/span> function<\/span> HTMLHtmlElement<\/span>(){
<\/span><\/span>  this<\/span>.getAttribute<\/span> =<\/span> function<\/span>(){
<\/span><\/span>    return<\/span> null<\/span>
<\/span><\/span>  }
<\/span><\/span>};
<\/span><\/span>document.documentElement<\/span> =<\/span> new<\/span> HTMLHtmlElement<\/span>();
<\/span><\/span>
<\/span><\/span>HTMLBodyElement<\/span> =<\/span> function<\/span> HTMLBodyElement<\/span>(){
<\/span><\/span>  this<\/span>.appendChild<\/span> =<\/span> function<\/span>(child<\/span>){
<\/span><\/span>    if<\/span>(child<\/span>.tagName<\/span> ==<\/span> "DIV"<\/span>){
<\/span><\/span>      child<\/span>.offsetHeight<\/span> =<\/span> 20<\/span>
<\/span><\/span>    }
<\/span><\/span>  }
<\/span><\/span>};
<\/span><\/span>document.body<\/span> =<\/span> new<\/span> HTMLBodyElement<\/span>();
<\/span><\/span>
<\/span><\/span>HTMLDivElement<\/span> =<\/span> function<\/span> HTMLDivElement<\/span>(){
<\/span><\/span>  this<\/span>.tagName<\/span> =<\/span> "DIV"<\/span>;
<\/span><\/span>  this<\/span>.style<\/span> =<\/span> { height<\/span>:<\/span> ""<\/span> };
<\/span><\/span>  this<\/span>.offsetHeight<\/span> =<\/span> 0<\/span>;
<\/span><\/span>  this<\/span>.remove<\/span> =<\/span> function<\/span>(){
<\/span><\/span>    this<\/span>.offsetHeight<\/span> =<\/span> 0<\/span>
<\/span><\/span>  }
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>document.createElement<\/span> =<\/span> function<\/span> createElement<\/span>(){
<\/span><\/span>  console<\/span>.log<\/span>("createElement创建了"<\/span>, arguments<\/span>);
<\/span><\/span>  let<\/span> tagName<\/span> =<\/span> arguments<\/span>[0<\/span>];
<\/span><\/span>  if<\/span>(tagName<\/span> ==<\/span> "div"<\/span>){
<\/span><\/span>    var<\/span> div<\/span> =<\/span> new<\/span> HTMLDivElement<\/span>();
<\/span><\/span>    return<\/span> div<\/span>;
<\/span><\/span>  }
<\/span><\/span>  \/\/ 其他标签处理...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>3. 对象冻结<\/h3>
Object.freeze<\/span>(document);
<\/span><\/span>Object.freeze<\/span>(navigator<\/span>);
<\/span><\/span><\/code><\/pre>4. 关键检测绕过<\/h3>
Object属性检测<\/h4>
\/\/ getOwnPropertyDescriptor检测
<\/span><\/span><\/span><\/span>_getOwnPropertyDescriptor<\/span> =<\/span> Object.getOwnPropertyDescriptor<\/span>;
<\/span><\/span>Object.getOwnPropertyDescriptor<\/span> =<\/span> function<\/span>(obj<\/span>, p<\/span>){
<\/span><\/span>  \/\/ 自定义处理逻辑
<\/span><\/span><\/span><\/span>  return<\/span> _getOwnPropertyDescriptor<\/span>.apply<\/span>(this<\/span>, arguments<\/span>);
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>\/\/ keys检测
<\/span><\/span><\/span><\/span>_keys<\/span> =<\/span> Object.keys<\/span>;
<\/span><\/span>Object.keys<\/span> =<\/span> function<\/span>(obj<\/span>){
<\/span><\/span>  \/\/ 自定义处理逻辑
<\/span><\/span><\/span><\/span>  return<\/span> _keys<\/span>.apply<\/span>(this<\/span>, arguments<\/span>);
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>\/\/ getOwnPropertyNames检测
<\/span><\/span><\/span><\/span>_getOwnPropertyNames<\/span> =<\/span> Object.getOwnPropertyNames<\/span>;
<\/span><\/span>Object.getOwnPropertyNames<\/span> =<\/span> function<\/span>(obj<\/span>){
<\/span><\/span>  \/\/ 自定义处理逻辑
<\/span><\/span><\/span><\/span>  return<\/span> _getOwnPropertyNames<\/span>.apply<\/span>(this<\/span>, arguments<\/span>);
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>正则检测绕过<\/h4>
RegExp =<\/span> new<\/span> Proxy(RegExp, {
<\/span><\/span>  construct<\/span>(target<\/span>, argArray<\/span>) {
<\/span><\/span>    if<\/span>(argArray<\/span>[0<\/span>] &&<\/span> argArray<\/span>[0<\/span>].indexOf<\/span>('vm'<\/span>) !==<\/span> -<\/span>1<\/span>){
<\/span><\/span>      return<\/span> new<\/span> target<\/span>(...['bootstrapNodeJSCoretryModuleLoadevalmachinerunInContext'<\/span>,'g'<\/span>])
<\/span><\/span>    }
<\/span><\/span>    return<\/span> new<\/span> target<\/span>(...argArray<\/span>)
<\/span><\/span>  }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>5. 代理检测处理<\/h3>
使用高级代理方案避免被检测：<\/p>
dtavm<\/span> =<\/span> {};
<\/span><\/span>dtavm<\/span>.log<\/span> =<\/span> console<\/span>.log<\/span>;
<\/span><\/span>
<\/span><\/span>function<\/span> proxy<\/span>(obj<\/span>, objname<\/span>, type<\/span>) {
<\/span><\/span>  \/\/ 完整代理实现...
<\/span><\/span><\/span><\/span>  \/\/ 包含get\/set\/has\/deleteProperty等处理
<\/span><\/span><\/span><\/span>  \/\/ 详细代码见原文
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 使用方式
<\/span><\/span><\/span><\/span>window =<\/span> proxy<\/span>(window, "window"<\/span>);
<\/span><\/span>document =<\/span> proxy<\/span>(document, "document"<\/span>);
<\/span><\/span>\/\/ 其他对象代理...
<\/span><\/span><\/span><\/code><\/pre>五、完整流程总结<\/h2>

定位testab生成位置，提取VMP代码<\/li>
搭建基础环境框架(main.js, env.js, code.js)<\/li>
实现基础保护代码(Function.toString等)<\/li>
补全关键环境对象(window, document, navigator等)<\/li>
处理DOM相关操作(createElement, appendChild等)<\/li>
绕过关键检测(Object方法、正则检测等)<\/li>
使用高级代理避免被检测<\/li>
冻结关键对象防止修改<\/li>
调试验证结果一致性<\/li>
<\/ol>
六、注意事项<\/h2>

补环境需要耐心，逐步验证每个补丁的效果<\/li>
优先处理影响主流程的环境检测<\/li>
注意浏览器异常断点的使用<\/li>
代理实现要足够完善以避免被检测<\/li>
关键对象如document、navigator需要冻结<\/li>
所有函数都需要toString保护<\/li>
<\/ol>
通过以上步骤，可以成功补全环境并正确生成testab参数。这种方法具有通用性，可以应用于其他类似的JSVMP逆向场景。<\/p>

JS逆向补环境技术详解：携程testab参数逆向分析<\/h1>

一、前言<\/h2> 补环境技术是JS逆向中相对通用且易于实现的方法，相较于直接逆向算法，补环境可以更高效地解决JSVMP等复杂加密问题。本文将以携程testab参数为例，详细讲解补环境的完整流程和技术要点。<\/p>

二、逆向目标分析<\/h2>

三、VMP代码调试方法<\/h2>

四、补环境实现<\/h2>

2. 关键环境补全<\/h3>

4. 关键检测绕过<\/h3>

一、前言<\/h2>
补环境技术是JS逆向中相对通用且易于实现的方法，相较于直接逆向算法，补环境可以更高效地解决JSVMP等复杂加密问题。本文将以携程testab参数为例，详细讲解补环境的完整流程和技术要点。<\/p>