巧用Chrome CDP远程调用Debug突破JS逆向 - 教学文档<\/h1>

1. CDP (Chrome DevTools Protocol) 基础<\/h2>

1.1 什么是CDP<\/h3>

Chrome DevTools Protocol (CDP) 是Chrome浏览器提供的远程调试协议<\/li>
允许开发者通过HTTP\/WebSocket接口与浏览器实例交互<\/li>

提供对DOM、网络、性能、JavaScript调试等功能的控制<\/li> <\/ul>

1.2 CDP核心功能<\/h3>

DOM操作<\/strong>：获取、修改页面DOM结构<\/li>
网络监控<\/strong>：拦截、修改网络请求<\/li>
JavaScript调试<\/strong>：断点设置、变量查看、调用栈追踪<\/li>

执行环境控制<\/strong>：注入JS代码、修改执行上下文<\/li> <\/ul>
2. 远程调试配置<\/h2>
2.1 启动Chrome调试模式<\/h3>
chrome.exe --remote-debugging-port=<\/span>9222<\/span> --user-data-dir=<\/span>remote-profile <\/span><\/span><\/code><\/pre> --remote-debugging-port<\/code>：指定调试端口<\/li> --user-data-dir<\/code>：指定用户数据目录（避免影响主配置）<\/li> <\/ul> 2.2 获取调试目标<\/h3> 访问 http:\/\/localhost:9222\/json<\/code> 获取可调试页面列表<\/p> { <\/span><\/span> "description"<\/span>: ""<\/span>, <\/span><\/span> "devtoolsFrontendUrl"<\/span>: "\/devtools\/inspector.html?ws=localhost:9222\/devtools\/page\/FA7FAB6A4B789E8B3A4C5D6E7F8A9B0"<\/span>, <\/span><\/span> "id"<\/span>: "FA7FAB6A4B789E8B3A4C5D6E7F8A9B0"<\/span>, <\/span><\/span> "title"<\/span>: "Example Page"<\/span>, <\/span><\/span> "type"<\/span>: "page"<\/span>, <\/span><\/span> "url"<\/span>: "https:\/\/example.com"<\/span>, <\/span><\/span> "webSocketDebuggerUrl"<\/span>: "ws:\/\/localhost:9222\/devtools\/page\/FA7FAB6A4B789E8B3A4C5D6E7F8A9B0"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>3. CDP在JS逆向中的应用<\/h2> 3.1 绕过反调试<\/h3> 方法1<\/strong>：通过CDP覆盖调试检测函数<\/li> <\/ul> Page<\/span>.addScriptToEvaluateOnNewDocument<\/span>({ <\/span><\/span> source<\/span>:<\/span> ` <\/span><\/span><\/span> window.console.debug = () => {}; <\/span><\/span><\/span> Object.defineProperty(window, 'debugger', {get: () => {}}); <\/span><\/span><\/span> `<\/span> <\/span><\/span>}); <\/span><\/span><\/code><\/pre> 方法2<\/strong>：禁用断点触发<\/li> <\/ul> Debugger<\/span>.setSkipAllPauses<\/span>({ skip<\/span>:<\/span> true<\/span> }); <\/span><\/span><\/code><\/pre>3.2 动态Hook函数<\/h3> Debugger<\/span>.setBreakpointByUrl<\/span>({ <\/span><\/span> lineNumber<\/span>:<\/span> 123<\/span>, <\/span><\/span> url<\/span>:<\/span> "https:\/\/example.com\/script.js"<\/span> <\/span><\/span>}); <\/span><\/span> <\/span><\/span>Debugger<\/span>.pauseOnAsyncCall<\/span>({ <\/span><\/span> parentStackTraceId<\/span>:<\/span> "..."<\/span> <\/span><\/span>}); <\/span><\/span><\/code><\/pre>3.3 内存数据提取<\/h3> Runtime<\/span>.evaluate<\/span>({ <\/span><\/span> expression<\/span>:<\/span> "window.sensitiveData"<\/span>, <\/span><\/span> returnByValue<\/span>:<\/span> true<\/span> <\/span><\/span>}); <\/span><\/span><\/code><\/pre>4. 实战案例：突破加密参数<\/h2> 4.1 定位加密函数<\/h3> Debugger<\/span>.searchInContent<\/span>({ <\/span><\/span> scriptId<\/span>:<\/span> "..."<\/span>, <\/span><\/span> query<\/span>:<\/span> "encrypt"<\/span> <\/span><\/span>}); <\/span><\/span><\/code><\/pre>4.2 设置断点并提取参数<\/h3> Debugger<\/span>.setBreakpoint<\/span>({ <\/span><\/span> location<\/span>:<\/span> { <\/span><\/span> scriptId<\/span>:<\/span> "..."<\/span>, <\/span><\/span> lineNumber<\/span>:<\/span> 456<\/span> <\/span><\/span> } <\/span><\/span>}); <\/span><\/span> <\/span><\/span>Debugger<\/span>.on<\/span>("paused"<\/span>, (event<\/span>) => { <\/span><\/span> const<\/span> callFrames<\/span> =<\/span> event<\/span>.callFrames<\/span>; <\/span><\/span> const<\/span> localScope<\/span> =<\/span> callFrames<\/span>[0<\/span>].scopeChain<\/span>[0<\/span>]; <\/span><\/span> <\/span><\/span> Runtime<\/span>.getProperties<\/span>({ <\/span><\/span> objectId<\/span>:<\/span> localScope<\/span>.object<\/span>.objectId<\/span> <\/span><\/span> }).then<\/span>((result<\/span>) => { <\/span><\/span> console<\/span>.log<\/span>("Local variables:"<\/span>, result<\/span>); <\/span><\/span> }); <\/span><\/span>}); <\/span><\/span><\/code><\/pre>4.3 修改函数行为<\/h3> Runtime<\/span>.evaluate<\/span>({ <\/span><\/span> expression<\/span>:<\/span> ` <\/span><\/span><\/span> window.originalEncrypt = window.targetFunction; <\/span><\/span><\/span> window.targetFunction = function(params) { <\/span><\/span><\/span> console.log("Intercepted params:", params); <\/span><\/span><\/span> return window.originalEncrypt(params); <\/span><\/span><\/span> } <\/span><\/span><\/span> `<\/span> <\/span><\/span>}); <\/span><\/span><\/code><\/pre>5. 高级技巧<\/h2> 5.1 网络请求拦截<\/h3> Network<\/span>.setRequestInterception<\/span>({ <\/span><\/span> patterns<\/span>:<\/span> [{ <\/span><\/span> urlPattern<\/span>:<\/span> "*"<\/span>, <\/span><\/span> resourceType<\/span>:<\/span> "XHR"<\/span>, <\/span><\/span> interceptionStage<\/span>:<\/span> "HeadersReceived"<\/span> <\/span><\/span> }] <\/span><\/span>}); <\/span><\/span> <\/span><\/span>Network<\/span>.on<\/span>("requestIntercepted"<\/span>, (event<\/span>) => { <\/span><\/span> Network<\/span>.getResponseBodyForInterception<\/span>({ <\/span><\/span> interceptionId<\/span>:<\/span> event<\/span>.interceptionId<\/span> <\/span><\/span> }).then<\/span>((response<\/span>) => { <\/span><\/span> console<\/span>.log<\/span>("Intercepted response:"<\/span>, response<\/span>); <\/span><\/span> }); <\/span><\/span>}); <\/span><\/span><\/code><\/pre>5.2 DOM事件监听<\/h3> DOMDebugger<\/span>.setInstrumentationBreakpoint<\/span>({ <\/span><\/span> eventName<\/span>:<\/span> "click"<\/span> <\/span><\/span>}); <\/span><\/span> <\/span><\/span>DOMDebugger<\/span>.on<\/span>("instrumentationBreakpoint"<\/span>, (event<\/span>) => { <\/span><\/span> console<\/span>.log<\/span>("DOM event intercepted:"<\/span>, event<\/span>); <\/span><\/span>}); <\/span><\/span><\/code><\/pre>5.3 性能分析<\/h3> Profiler<\/span>.start<\/span>(); <\/span><\/span>\/\/ 执行操作... <\/span><\/span><\/span><\/span>Profiler<\/span>.stop<\/span>().then<\/span>((profile<\/span>) => { <\/span><\/span> console<\/span>.log<\/span>("CPU profile:"<\/span>, profile<\/span>); <\/span><\/span>}); <\/span><\/span><\/code><\/pre>6. 安全注意事项<\/h2> 仅用于授权测试<\/strong>：确保有合法权限<\/li> 避免生产环境使用<\/strong>：调试模式会降低安全性<\/li> 清理痕迹<\/strong>：测试完成后关闭调试会话<\/li> 遵守法律法规<\/strong>：仅用于合法逆向工程目的<\/li> <\/ol> 7. 工具推荐<\/h2> chrome-remote-interface<\/strong>：Node.js CDP客户端库<\/li> Puppeteer<\/strong>：高级CDP封装<\/li> Playwright<\/strong>：多浏览器自动化工具<\/li> Selenium with CDP<\/strong>：结合Selenium使用CDP功能<\/li> <\/ol> 8. 常见问题解决<\/h2> 8.1 连接被拒绝<\/h3> 检查Chrome是否以调试模式启动<\/li> 验证端口是否正确<\/li> 确保没有防火墙阻止连接<\/li> <\/ul> 8.2 断点不生效<\/h3> 确认脚本已加载<\/li> 检查行号是否正确<\/li> 尝试使用Debugger.setBreakpointByUrl<\/code><\/li> <\/ul> 8.3 数据获取失败<\/h3> 确保在正确上下文中执行<\/li> 检查跨域限制<\/li> 尝试使用Runtime.evaluate<\/code>的contextId<\/code>参数<\/li> <\/ul> 这份文档涵盖了CDP在JS逆向中的核心应用，从基础配置到高级技巧，重点突出了实际逆向工程中的关键技术和解决方案。如需更详细案例，可参考原文档提供的PDF版本。<\/p>