【js逆向专题】13.jsvmp补环境篇一

上一篇直通车：【js逆向专题】12.RPC技术

js逆向专题传送门

说明

本教程仅供学习交流使用，严禁用于商业用途和非法用途，否则由此产生的一切后果均与本人无关，请各学员自觉遵守相关法律法规。

小节目标:

1. 熟悉 jsvmp技术
2. 熟悉 补环境的调试方法
3. 掌握 插桩调试
4. 掌握 基本补环境操作

一.了解jsvmp技术

1. js虚拟机保护方案

参考文章：https://mp.weixin.qq.com/s/YDx5Dr-HDfAm-sAqeWW0qg

• JSVMP 的概念最早应该是由西北大学2015级硕士研究生匡开圆，在其2018年的学位论文中提出的，论文标题为：《基于 WebAssembly 的 JavaScript 代码虚拟化保护方法研究与实现》，同年还申请了国家专利，专利名称：《一种基于前端字节码技术的 JavaScript 虚拟化保护方法》，网上可以直接搜到

• 常见的jsvmp的实现方法，你可以理解为：就是自己写了一段代码解释器，用来解释自己的代码 而这个自己的代码：可以是密文，也可以是所谓的明文

2.jsvmp实现原理

• JSVMP 的核心是在 JavaScript 代码保护过程中引入代码虚拟化思想，实现源代码的虚拟化过程，将目标代码转换成自定义的字节码，这些字节码只有特殊的解释器才能识别，隐藏目标代码的关键逻辑。在匡开圆的论文中，利用 WebAssembly 技术实现了特殊的虚拟解释器，通过编译隐藏解释器的执行逻辑。JSVMP 的保护流程如下图所示：
  

• 大致的架构应该是这样子的：服务器端读取 JavaScript 代码 —> 词法分析 —> 语法分析 —> 生成AST语法树 —> 生成私有指令 —> 生成对应私有解释器，将私有指令加密与私有解释器发送给浏览器，然后一边解释，一边执行。

3. 模拟jsvmp执行过程

• 准备数据

var a = '丽丽'
var b = '菲菲'
var c = '莹莹'
var d = a+b
var e = c + d

• 将数据进行第一次转换

var a ;
a = '丽丽'
var b;
b = '菲菲'
var c;
c = '莹莹'
var d;
a+b;
d = ?;
var e;
c+d;
e = ?;

• 再次转换

// 我们假设赋值指令为 1, 加和指令为 2,声明指令为 3
// 如果按照从上到下的顺序，我们就可以将他们的操作变成指令性的[用|分割左侧和右侧]
// 1 赋值
// 2 加
// 3 声明3 --- var | a
1 --- a |  '丽丽'
3 --- var | b
1 --- b |  '菲菲'
3 --- var | c
1 --- c |  '莹莹'
3 --- var | d
2 --- a | b  -----> ?
1 --- d | ?
3 --- var | e
2 --- d | c   -----> ?
1 --- e | ?(此处的d 与 c的和)

• 在将数据压缩到数组

_stack = [[3, 'var', 'a'],[1, 'a', '丽丽'],[3, 'var', 'b'],[1, 'b', '菲菲'],[3, 'var', 'c'],[1, 'c', '莹莹'],[3, 'var', 'd'],[2, 'a', 'b'],[1, 'd', '?'],[3, 'var', 'e'],[2, 'd', 'c'],[1, 'e', '?'],]

• 通过自己写的自执行函数,对数据进行处理

!function(_stack) {var register;   // 这个就当做是问号的存储位置var variable = {};   // 这个就当做是var变量的存储位置。由于没有其他声明方式的存在，所就不写其他的了for (let i = 0; i < _stack.length; i++) {instruct = _stack[i][0];left = _stack[i][1];right = _stack[i][2];if (instruct === 3) {variable[right] = ''}if (instruct === 1) {if (right === '?') {variable[left] = register} else {variable[left] = right}}if (instruct === 2) {register = variable[left] + variable[right]}};console.log(variable)
} ([[3, 'var', 'a'],[1, 'a', '丽丽'],[3, 'var', 'b'],[1, 'b', '菲菲'],[3, 'var', 'c'],[1, 'c', '莹莹'],[3, 'var', 'd'],[2, 'a', 'b'],[1, 'd', '?'],[3, 'var', 'e'],[2, 'd', 'c'],[1, 'e', '?'],]
)

• 实际jsvmp会更加的复杂,这个是基本的逻辑,就行自己写一个解释器来解释自己的代码

关于jsvmp的解法一般有3种，补环境，和插桩扣逻辑，jsrpc，当然还有自动化等方式可自行研究试试

二.环境检测

1. 什么是环境检测

• 由于浏览器和node的差别,会导致浏览器的js代码在node没有办法执行,js代码会根据浏览器的这些属性来判断你是不是在真正的浏览器执行的代码,要不是正确的浏览器环境则不会返回正确的数据信息.
• 拿到代码在node里面执行、经常看到这一类型的错误，提示xxx未定义，其实这一块就是浏览器对象的一些特征

 if (navigator['userAgent']){^ReferenceError: navigator is not defined

2.案例讲解

• 检测执行代码是否存在navigator, 可以通过补空的方式

navigator = {}
navigator.userAgent = '11111'function ps(){if (navigator['userAgent']){return 'hello world'} else {return  '失败'}
}console.log(ps());

• 检测属性长度,会根据长度来判断你的数据是否正确,是不是一个空数据

location = {}
location.href = '123123'
function ps(){if (location['href'].length > 3){return 'hello world'} else {return  '失败'}
}console.log(ps());

• js异常代码捕获,很多情况下可能js代码会把异常给捕获掉导致我们结果不对
• 可以输出异常捕获的内容, 或者可以直接把异常捕获的代码直接删除,把错误暴露出来

location = {}
location.host = '12334'
navigator = {}
navigator.userAgent = '1231234'
function pn() {// try {verify_local()if (navigator['userAgent']) {return 'hello world'}// } catch (e) {//     console.log(e)//     return '错误的数据'// }
}function verify_local() {if (location.host.length > 2) {return 'xxx'}
}console.log(pn());

• 浏览器和node环境差异
• 在 Node.js 中，exports 是一个用于导出模块中的函数、对象、变量等的对象。
• 浏览器是undefined
• 可以删除, 或者可以修改的判断成功

// 浏览器和 node差异
sss = "undefined" != typeof exports ? exports : void 0
console.log(typeof sss);

• global检测

glb= "undefined" == typeof window ? global:window

三. 项目实战

1. 案例1

1.逆向目标

• 目标：https://www.toutiao.com/
• 参数：_signature: _02B4Z6wo00901-PSSggAAIDC

2. 项目分析

• 定位到加密位置,数据信息就是由window.byted_acrawler.sign来进行加密的
  

• 进到函数内部看他做的事情

• 他这个就是很明显的jsvmp的结构,上面的方法是他用来翻译代码的解释器,调用的时候就把,对应的参数传递,他会进行解析,后面还有一些环境判断
  

1.补第一个referrer

• 我们可以直接把代码扣到我们的js文件当中

• 执行之后我们可以看到当前的代码会报错
  

• 这个是因为我们在node上执行代码会没有浏览器的环境,我们需要再这里进行补环境

• 在pycharm会不好调试代码,需要再浏览器对当前数据进行调试

• 在浏览器找到正确的数据,把需要的内容进行补齐
  

2. 调试技巧1

• 我们这样去定位数据会非常麻烦,一个个看,有没有实用的方法能让我们更快的定位需要补参数的位置

• 日志断点又称插桩可以在console界面输出A变量值以及S[R][A]值；此处可以补很多东西，但是我们先看报错再后面挑着补

• 使用浏览器打开日志断点,输入A, '-->', S[R] , '-->' , S[R][A]

3. 调试技巧2

• 条件断点当A变量等于referrer时会自动debugger住
  
  

4. 补充sign

TypeError: Cannot read properties of undefined (reading 'sign')

• 第二次运行报错原因分析，js文件检测了是否是node环境，如exports只在node环境下存在，但是浏览器是undefined，所以我们直接把"undefined" != typeof exports ? exports : void 0 替换成浏览器输出的结果undefined

5. 补 length

S[R] = S[R][A]^
TypeError: Cannot read properties of undefined (reading 'length')

注：这里可以下断点查看、到了哪个位置给程序报的错、可以发现在执行完protocol就开始报错，所以可以判断没有protocol、在控制台执行打出即可,要通过调试的方式定位到length前面所调用的一个属性

6. 参数长短补充

• 我们可以看到参数在当前生成的时候是比较短的
• 我们可以通过日志的方式输出他的数据信息,可以对比我们的参数,看看有没有参数是必须要使用的,会看到最后他还用了cookie来生成
• 需要把cookie也补上
  

3. 逆向结果

• JavaScript代码

window = global;
document = {};
document.referrer = ''
location = {href: 'https://www.toutiao.com/',protocol: 'https'
}
navigator = {userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36'
}
document.cookie = 'ttcid=0e14d7148cdb49eab083c6c3e91e0af423; _tea_utm_cache_24={%22utm_source%22:%22weixin%22%2C%22utm_medium%22:%22toutiao_android%22%2C%22utm_campaign%22:%22client_share%22}; csrftoken=05669b8011ce491783b441081b064f6c; _ga=GA1.1.910991427.1693382146; passport_csrf_token=8a241fbb55ef2ab48abea14e30e67548; msToken=ZaSXhv44LuLP_DysBFPc49cfEmjMU1g6itlrAe2-gOY-6UJB1F8--N1duZbISNJMDuzHq2V-NnKDi3Jzwuy2ZSGMDB8xWvoGmBmTHf1W; s_v_web_id=verify_logwp5j9_GkE6IbXA_dJ7X_4l0P_Aj5Z_E2uOXbMZWsjV; local_city_cache=%E5%8C%97%E4%BA%AC; _ga_QEHZPBE5HH=GS1.1.1699249959.12.1.1699253197.0.0.0; tt_scid=GwoclW9d6psZ8F6uftTebUsS3uhfts-4OrP7Z7ytUKWnOJljpkVP7WXsZwcPKTxY275a'var glb;
(glb = "undefined" == typeof window ? global : window)._$jsvmprt = function (b, e, f) {function a() {if ("undefined" == typeof Reflect || !Reflect.construct)return !1;if (Reflect.construct.sham)return !1;if ("function" == typeof Proxy)return !0;try {return Date.prototype.toString.call(Reflect.construct(Date, [], (function () {}))),!0} catch (b) {return !1}},(glb = "undefined" == typeof window ? global : window)._$jsvmprt("7", [, , "undefined" == typeof exports ? exports : void 0, "undefined" != typeof module ? module : void 0, "undefined" != typeof define ? define : void 0, "undefined" != typeof Object ? Object : void 0, void 0, "undefined" != typeof TypeError ? TypeError : void 0, "undefined" != typeof document ? document : void 0, "undefined" != typeof InstallTrigger ? InstallTrigger : void 0, "undefined" != typeof safari ? safari : void 0, "undefined" != typeof Date ? Date : void 0, "undefined" != typeof Math ? Math : void 0, "undefined" != typeof navigator ? navigator : void 0, "undefined" != typeof location ? location : void 0, "undefined" != typeof history ? history : void 0, "undefined" != typeof Image ? Image : void 0, "undefined" != typeof console ? console : void 0, "undefined" != typeof PluginArray ? PluginArray : void 0, "undefined" != typeof indexedDB ? indexedDB : void 0, "undefined" != typeof DOMException ? DOMException : void 0, "undefined" != typeof parseInt ? parseInt : void 0, "undefined" != typeof String ? String : void 0, "undefined" != typeof Array ? Array : void 0, "undefined" != typeof Error ? Error : void 0, "undefined" != typeof JSON ? JSON : void 0, "undefined" != typeof Promise ? Promise : void 0, "undefined" != typeof WebSocket ? WebSocket : void 0, "undefined" != typeof eval ? eval : void 0, "undefined" != typeof setTimeout ? setTimeout : void 0, "undefined" != typeof encodeURIComponent ? encodeURIComponent : void 0, "undefined" != typeof encodeURI ? encodeURI : void 0, "undefined" != typeof Request ? Request : void 0, "undefined" != typeof Headers ? Headers : void 0, "undefined" != typeof decodeURIComponent ? decodeURIComponent : void 0, "undefined" != typeof RegExp ? RegExp : void 0]);function aa(o) {return window.byted_acrawler.sign(o)
}
o = {"url": "https://www.toutiao.com/toutiao/api/pc/info"
}
console.log(aa(o));

• python代码

# encoding: utf-8
"""
@file: 头条测试.py
"""
import requests
import execjsdef get_sig(url):js = execjs.compile(open('头条.js', encoding='utf-8').read())signature = js.call('aa', {'url': url})if "?" in url:url += "&_signature={}".format(signature)else:url += "?_signature={}".format(signature)return urlurl = get_sig("https://www.toutiao.com/api/pc/list/feed?channel_id=0&max_behot_time=1698925370&offset=0&category=pc_profile_recommend&aid=24&app_name=toutiao_web")
print(url)
headers = {"authority": "www.toutiao.com","accept": "application/json, text/plain, */*","accept-language": "zh-CN,zh;q=0.9","cache-control": "no-cache","pragma": "no-cache","referer": "https://www.toutiao.com/","sec-ch-ua": "^\\^Google","sec-ch-ua-mobile": "?0","sec-ch-ua-platform": "^\\^Windows^^","sec-fetch-dest": "empty","sec-fetch-mode": "cors","sec-fetch-site": "same-origin","user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
}
res = requests.get(url, headers=headers)
print(res.text)
# https://www.toutiao.com/api/pc/list/feed?channel_id=0&min_behot_time=1636703275&refresh_count=2&category=pc_profile_recommend&_signature=_02B4Z6wo00d01KWcaZwAAIDAJZ6T3JmB4wiluG0AAEwpfdsN1DmbuNsUZxKy6hQ9zmq5aoV6APEJmbKSJmmYKcV7Mr4VnVYu3tJ11y1TYvRcyhTGsiq5RdbNdsSdf1msDFZUvL.AAJ-zz4GM34

2. 案例2

1. 逆向目标

• 目标网址:https://www.douyin.com/
• 解析参数:X-Bogus

2.逆向分析

• 通过xhr定位加密位置

• xhr定位数据在xhr之前,我们需要跟栈找数据位置

• 定位的位置在上一个栈
  

• 他的数据都是在这里复制给了_0xcc6308所有数据之会重这里出

• 进函数之后代码是jsvmp的格式

• 我们可以直接拿下来代码进行补环境
  

3.逆向结果

• JavaScript代码

window = global;
Request = function () {
}
Headers = function () {
}
document = {}
document.addEventListener = function () {
}
navigator = {}
setTimeout = function () {
}
navigator.userAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36'var w0_0x3771f2 = 'undefined' == typeof window ? global : window;
w0_0x3771f2['_$webrt_1668687510'] = function (_0x13afdb, _0x113c4d, _0x106f2d) {function _0x2f9ebc() {if ('undefined' == typeof Reflect || !Reflect['construct'])return !(-0x1bdf + 0x894 + 0x41 * 0x4c);if (Reflect['construct']['sham'])return !(-0x3c5 + -0x4 * 0x81f + 0x2442);if ('function' == typeof Proxy)return !(-0xea5 + 0x1d5 * -0x13 + -0xc5d * -0x4);try {return Date['prototype']['toString']['call'](Reflect['construct'](Date, [], function () {})),!(-0x44f * 0x1 + -0x2 * -0x12cb + -0x4c1 * 0x7);} catch (_0x1a9721) {return !(0x9d9 * 0x3 + 0x23a + -0x1fc4);}},
window['byted_acrawler'] || function (_0x2fdb61, _0x2c042f) {'object' == typeof exports && 'undefined' != typeof module ? _0x2c042f(exports) : 'function' == typeof define && define['amd'] ? define(['exports'], _0x2c042f) : _0x2c042f((_0x2fdb61 = 'undefined' != typeof globalThis ? globalThis : _0x2fdb61 || self)['byted_acrawler'] = {});
}(this, function (_0x3059dd) {'use strict';
。。。。。。省略var _0x3dbe20 = !(-0x595 + -0x1233 + 0x17c9);function _0x5a8f25(_0x48914f, _0xa771aa) {return ('undefined' == typeof window ? global : window)['_$webrt_1668687510']('484e4f4a403f52430017211b45bdadd5a9f8450800000000000007fa1b0002012f1d00921b000b191b000b02402217000a1c1b000b1926402217000c1c1b000b190200004017002646000306000e271f001b000200021d00920500121b001b000b031b000b19041d0092071b000b0401220117000b1c1b000b051e01301700131b00201d00741b000b06260a0000101c1b000b07260a0000101c1b001b000b081e01311d00931b001b000b091e00091d00941b0048021d00951b001b000b1d1d009d1b0048401d009e1b001b000b031b000b18041d00d51b001b000b0a221e0132241b000b031b000b0a221e0132241b000b200a000110040a0001101d00d71b001b000b0a221e0132241b000b031b000b0a221e0132241b000b1a0a000110040a0001101d00d91b000b0b1e00161e01330117002d1b000b0b1e001602000025001d11221e006e24131e00530201340200701a020200000a000210001d01331b001b000b0c1e00101d00da1b000b232217000e1c211b000b23430201353e1700151b001b000b23221e0133240a0000101d00da1b001b000b0d261b000b1c1b000b1b0a0002101d00db1b001b000b0e261b000b241b000b230a0002101d00dd1b001b000b0f261b000b250200200a0002101d00e11b001b000b0a221e0132241b000b031b000b26040a0001101d00e21b001b000b101a00221e00dc240a0000104903e82b1d00e31b001b000b11260a0000101d00e41b001b000b1f1d00e71b001b000b1c4901002b1d00e81b001b000b1c4901002c1d00ea1b001b000b1b1d00ee1b001b000b21480e191d00f31b001b000b21480f191d00f91b001b000b22480e191d00fa1b001b000b22480f191d00fc1b001b000b27480e191d00ff1b001b000b27480f191d01011b001b000b284818344900ff2f1d01021b001b000b284810344900ff2f1d01041b001b000b284808344900ff2f1d01361b001b000b284800344900ff2f1d01371b001b000b294818344900ff2f1d01381b001b000b294810344900ff2f1d01391b001b000b294808344900ff2f1d013a1b001b000b294800344900ff2f1d013b1b001b000b2a1b000b2b311b000b2c311b000b2d311b000b2e311b000b2f311b000b30311b000b31311b000b32311b000b33311b000b34311b000b35311b000b36311b000b37311b000b38311b000b39311b000b3a311b000b3b311d013c1b004900ff1d013d1b001b000b12261b000b2a1b000b2c1b000b2e1b000b301b000b321b000b341b000b361b000b381b000b3a1b000b3c1b000b2b1b000b2d1b000b2f1b000b311b000b331b000b351b000b371b000b391b000b3b0a0013101d013e1b001b000b0e261b000b131b000b3d041b000b3e0a0002101d013f1b001b000b14261b000b1e1b000b3d1b000b3f0a0003101d01401b001b000b15261b000b400200240a0002101d01411b000b4100000142000160203333333333333333333333333333333333333333333333333333333333333333016d0e3130333c3b3005273a253027212c023c31061a373f3036210332302108313037203232302707303b23363a313007363a3b263a393007333c27303720320a3a20213027023c31213d0a3c3b3b3027023c31213d0b3a202130271d303c323d210b3c3b3b30271d303c323d2109202630271432303b210b213a193a223027163426300163073c3b31302d1a33083039303621273a3b09203b3130333c3b30310925273a213a212c253008213a0621273c3b3204363439390725273a36302626100e3a373f3036217525273a3630262608063a373f30362105213c213930043b3a31300168016202266541141716111013121d1c1f1e19181b1a05040706010003020d0c0f343736313033323d3c3f3e39383b3a25242726212023222d2c2f65646766616063626d6c7e7a6802266441113e3125323d610f1e2604176d657a1833232266630d1c640767607e02001439103c621b19373a240c011a05202f38133f1f3b272c2d6c1d03123634062116306802266741113e3125323d610f1e2604176d657a1833232266630d1c640767607802001439103c621b19373a240c011a05202f38133f1f3b272c2d6c1d031236340621163068016c0264640639303b32213d0a363d3427163a3130142102646506363d342714210f0e3a373f30362175023c3b313a220808113a362038303b21120e3a373f303621751b34233c3234213a2708053f26313a38100e3a373f303621751d3c26213a272c0807253920323c3b26080a253d343b213a380b36343939053d343b213a380b0a0a3b3c323d2138342730051420313c3a1816343b23342607303b3130273c3b32163a3b21302d2167110922303731273c233027133230211a223b05273a253027212c1b343830260939343b32203432302606363d273a38300727203b213c383007363a3b3b303621140a0a22303731273c2330270a3023343920342130130a0a263039303b3c20380a30233439203421301b0a0a22303731273c2330270a2636273c25210a33203b36213c3a3b170a0a22303731273c2330270a2636273c25210a33203b36150a0a22303731273c2330270a2636273c25210a333b130a0a332d31273c2330270a3023343920342130120a0a31273c2330270a203b22273425253031150a0a22303731273c2330270a203b22273425253031110a0a31273c2330270a3023343920342130140a0a263039303b3c20380a203b22273425253031140a0a332d31273c2330270a203b22273425253031090a263039303b3c20380c36343939063039303b3c2038160a063039303b3c20380a1c11100a0730363a2731302702646708313a362038303b21043e302c2602646602646102646002646305383421363d06073032102d250a09710e34782f0831360a063634363d300a04263a383008363033063d34272508163033063d34272505303a34253c16303a02303717273a22263027113c26253421363d30270f373c3b311a373f30362114262c3b360e3c26101a02303717273a222630270166043a25303b0421302621093c3b363a323b3c213a073a3b3027273a2704363a31301204001a01140a100d1610101110110a1007070e263026263c3a3b06213a27343230072630211c21303810263a38301e302c1d302730172c2130310a2730383a23301c213038093c3b31302d303111170c053a3c3b2130271023303b210e1806053a3c3b2130271023303b210d36273034213010393038303b210636343b23342609213a1134213400071907273025393436300309267f01320a3b34213c2330363a3130140e3a373f30362175053920323c3b142727342c084a0b3d212125266a6f097a097a7d0e65786c082e647966287d097b0e65786c082e647966287c2e6628290e34783365786c082e647961287d6f0e34783365786c082e647961287c2e62287c016108393a3634213c3a3b043d27303304333c3930103d2121256f7a7a393a3634393d3a26210825393421333a273807223c3b313a222603223c3b07343b31273a3c3105393c3b202d026462063c253d3a3b3002646d043c25343102646c043c253a3102676503383436026764093834363c3b213a263d0c3834360a253a22302725367c0436273a26032d64640536273c3a2605332d3c3a2604253c3e3002676702676602676102676002676302676202676d02676c08333c2730333a2d7a063a253027347a05753a25277a05753a25217a07363d273a38307a0821273c31303b217a0438263c300266650266640623303b313a2706123a3a3239300e0a253427343806223c21363d1a3b0a313c27303621063c323b0a363a3b263c2621303b210626223c21363d03313a3807253d343b213a38043d3a3a3e40141716111013121d1c1f1e19181b1a05040706010003020d0c0f343736313033323d3c3f3e39383b3a25242726212023222d2c2f65646766616063626d6c787b03343c31013b01330127092621342721013c383001210934373c393c213c30260a213c3830262134382564133d34273122342730163a3b36202727303b362c0c3130233c36301830383a272c0839343b32203432300a2730263a3920213c3a3b0f3423343c390730263a3920213c3a3b0926362730303b013a250a26362730303b19303321103130233c3630053c2d30390734213c3a0a25273a31203621062037073734212130272c012509213a20363d1c3b333a08213c38302f3a3b300a213c3830262134382567073225201c3b333a0b3f26133a3b2126193c26210b253920323c3b26193c26210a213c38302621343825660a30233027163a3a3e3c300721210a26363c3101380b262c3b21342d1027273a270c3b34213c233019303b32213d052721361c05093325033027263c3a3b0b0a0a233027263c3a3b0a0a0836393c303b211c310a213c38302621343825610b302d21303b31133c303931042520263d0334393904213d303b093734263063610a363d0c33273a38163d3427163a3130063763610a6665083734263063610a65026667083734263063610a64026666083734263063610a6702666102666002666307323021013c38300266620b313a381b3a210334393c31092620372621273c3b320825273a213a363a3902666d02666c02616502616401650e646565656565656564646565656502616702616607333a272730343902616104373a312c092621273c3b323c332c022e280261600b373a312c033439672621270a373a312c0a3d34263d6801730320273902616305242030272c0a34263a39310a263c323b092534213d3b343830680921210a2230373c3168067320203c316802616202616d0e0a372c2130310a2630360a313c3102616c0a61676c616c6362676c63093330033027263c3a3b0260650e0a656717610f63223a65656565640260640260670526393c3630026066070610161c1b131a033b3a2209213c383026213438250533393a3a270627343b313a380f3230210101023037163a3a3e3c3026052121223c310821210a2230373c310721210230371c310b21210a2230373c310a23670921210230373c3103670727203b3b3c3b3205333920263d08383a2330193c2621062625393c3630063730183a23300936393c363e193c262107373016393c363e0c3e302c373a342731193c26210a37301e302c373a3427310b3436213c233006213421300b223c3b313a2206213421300326013805212734363e08203b3c21013c3830033436360a203b3c2114383a203b210837303d34233c3a2707382632012c253003221c1107343c31193c26210b25273c2334362c183a313006362026213a38063426263c323b0f0210170a1110031c16100a1c1b131a043f263a3b0a2730323c3a3b163a3b33092730253a272100273904302d3c21090d78180678060100170c0d7818067805140c191a141120656565656565656565656565656565656565656565656565656565656565656520316164316d36316c6d33656537676561306c6d65656c6c6d3036336d616762300123062037363a3130063130363a31300421273c38210b0e0926092013101313092d1465087e290e0926092013101313092d1465087e71062621273c3b3202606102606002606302606202606d02606c026365026364026367026366026361026360', [, , void (-0x1afd + 0x22 * 0x25 + 0x1613), void (-0x1 * 0x71e + 0x726 + -0x2 * 0x4) !== _0x38ba41 ? _0x38ba41 : void (0x1 * 0x247f + -0x584 * -0x1 + -0x2a03), void (0x216d + -0x1 * -0x5ba + -0x303 * 0xd) !== _0x3dbe20 ? _0x3dbe20 : void (-0x325 * -0x2 + 0xb1b + -0x49 * 0x3d), void (-0x27 * 0xe9 + -0x19e2 + 0x3d61) !== _0xeb6638 ? _0xeb6638 : void (-0x211a + -0x3d * -0x88 + 0xb2 * 0x1), void (-0x1 * 0x61f + -0x65 * 0x1f + 0x125a) !== _0x2bd2cf ? _0x2bd2cf : void (-0x71e * -0x5 + 0x42b + 0x1 * -0x27c1), void (-0x7 * -0x481 + 0xc49 + -0x2bd0) !== _0x45636f ? _0x45636f : void (-0x1 * 0x1072 + -0x9e4 + 0x1a56 * 0x1), void (0x569 + 0x20ae + 0x571 * -0x7) !== _0x2cee6c ? _0x2cee6c : void (0x6 * 0x10f + -0xac * -0x3a + -0x2d52 * 0x1), void (0x58 * 0x26 + -0x17f6 * 0x1 + -0xa * -0x117) !== _0x402a35 ? _0x402a35 : void (-0x13d4 + 0x1dbd + 0x9e9 * -0x1), void (0x10fb + 0x2332 + -0x342d) !== _0x5cf87b ? _0x5cf87b : void (-0xa * 0x1ed + 0x1713 + 0x3d1 * -0x1), 'undefined' != typeof String ? String : void (-0x1131 + -0x24e8 + 0x1 * 0x3619), 'undefined' != typeof navigator ? navigator : void (0x1 * 0xbdf + -0x173e + 0xb5f), void (-0x3 * 0x166 + -0x584 + 0x9b6) !== _0x5caed2 ? _0x5caed2 : void (-0x10e * -0xf + 0x12b6 + -0x2288), void (0x272 * -0x6 + -0xcf * -0x2f + -0x21 * 0xb5) !== _0x25788b ? _0x25788b : void (-0x9 * -0x37b + -0x1 * 0x143b + -0xb18), void (0x1a77 + -0x53 * -0x16 + -0x2199) !== _0x2642b3 ? _0x2642b3 : void (0x264d + -0x11 * 0x1a + 0x2493 * -0x1), 'undefined' != typeof Date ? Date : void (0x14f * 0x3 + -0x2ff * 0xd + -0x1183 * -0x2), void (-0x1 * 0xb81 + 0x1c8c + -0x110b) !== _0x17dd8c ? _0x17dd8c : void (-0x1 * 0xf01 + -0x466 * -0x5 + 0x6fd * -0x1), void (-0x1 * -0x141b + -0x1 * -0x15ee + -0x2a09) !== _0x398111 ? _0x398111 : void (-0x16bd + 0x1690 + 0x2d), void (0x706 * 0x1 + -0x116 * 0x13 + 0x86 * 0x1a) !== _0x86cb82 ? _0x86cb82 : void (-0x121 + 0x22 * -0xa3 + 0x1 * 0x16c7), void (-0x1 * 0x599 + -0x98a + 0xf23) !== _0x94582 ? _0x94582 : void (-0xa0d + -0x1253 + 0x1c60), void (-0x348 + 0x959 * -0x2 + -0x1d * -0xc2) !== _0x38c772 ? _0x38c772 : void (0x8 * -0x4a2 + -0x6 * 0x340 + -0x10 * -0x389), , _0x5a8f25, _0x48914f, _0xa771aa]);}window.aaa = _0x5a8f25;});da = "device_platform=webapp&aid=6383&channel=channel_pc_web&aweme_id=7268312625753181477&cursor=80&count=20&item_type=0&insert_ids=&whale_cut_token=&cut_version=1&rcFT=&pc_client_type=1&version_code=170400&version_name=17.4.0&cookie_enabled=true&screen_width=1920&screen_height=1080&browser_language=zh-CN&browser_platform=Win32&browser_name=Chrome&browser_version=119.0.0.0&browser_online=true&engine_name=Blink&engine_version=119.0.0.0&os_name=Windows&os_version=10&cpu_core_num=8&device_memory=8&platform=PC&downlink=10&effective_type=4g&round_trip_time=50&webid=7298277328847783450&msToken=g_T1iuv8RavLI-i35OHGTLutn3FdRsQ2f9CpxK2BLPCpZ3YDNn9jxQEgiz31WXHEO8-B6KOKwZ0u1te1JlrfPTBD0SSOchCe8c--MPypU2Jti8HCAQk="
console.log(window.aaa(da, null));

• python

import requests
import execjsheaders = {"authority": "www.douyin.com","accept": "application/json, text/plain, */*","accept-language": "zh-CN,zh;q=0.9","cache-control": "no-cache","pragma": "no-cache","referer": "https://www.douyin.com/","sec-ch-ua": "^\\^Google","sec-ch-ua-mobile": "?0","sec-ch-ua-platform": "^\\^Windows^^","sec-fetch-dest": "empty","sec-fetch-mode": "cors","sec-fetch-site": "same-origin",'cookie': 'ttwid=1%7C-IHMBn_Fn3RNAaNUTcIKMkXlhIrrLJpu-uq216ZIgas%7C1699262620%7C0b53171a92f5e03385cb1b75b0cf5a5010656cbdb55220c107e2290d12218ec9; stream_recommend_feed_params=%22%7B%5C%22cookie_enabled%5C%22%3Atrue%2C%5C%22screen_width%5C%22%3A1920%2C%5C%22screen_height%5C%22%3A1080%2C%5C%22browser_online%5C%22%3Atrue%2C%5C%22cpu_core_num%5C%22%3A8%2C%5C%22device_memory%5C%22%3A8%2C%5C%22downlink%5C%22%3A10%2C%5C%22effective_type%5C%22%3A%5C%224g%5C%22%2C%5C%22round_trip_time%5C%22%3A50%7D%22; passport_csrf_token=0457d51b7499e8e79afbcd401a1e5866; passport_csrf_token_default=0457d51b7499e8e79afbcd401a1e5866; FORCE_LOGIN=%7B%22videoConsumedRemainSeconds%22%3A180%7D; s_v_web_id=verify_lomp3cgv_ATSasb54_pbWV_49FX_86Sp_MJSdjAkOSgfG; douyin.com; device_web_cpu_core=8; device_web_memory_size=8; architecture=amd64; webcast_local_quality=null; strategyABtestKey=%221699508560.355%22; volume_info=%7B%22isUserMute%22%3Afalse%2C%22isMute%22%3Atrue%2C%22volume%22%3A0.5%7D; csrf_session_id=1c5ed902a0360b04fffcde342fa6af90; download_guide=%223%2F20231109%2F0%22; __ac_nonce=0654c805900ac512729c5; __ac_signature=_02B4Z6wo00f01PoEe-AAAIDAegaBoigS5ZT6JH9AAFvTjlJJ1cLsrJ1oc1sm7kPYcRVxZ3TuVSZ7Lwwdpo6OuNWyFI5MAQoAcdHSv7Ij8LVaSbGw.wqVWA2PEIkzuv2cotyKfva5LGHYIwTs4a; SEARCH_RESULT_LIST_TYPE=%22single%22; pwa2=%220%7C0%7C3%7C0%22; bd_ticket_guard_client_data=eyJiZC10aWNrZXQtZ3VhcmQtdmVyc2lvbiI6MiwiYmQtdGlja2V0LWd1YXJkLWl0ZXJhdGlvbi12ZXJzaW9uIjoxLCJiZC10aWNrZXQtZ3VhcmQtcmVlLXB1YmxpYy1rZXkiOiJCSXF0ZlB3YU5nVWljL0FoemVYUytvZm84TVlTaHg1b0dlSTd3YWRsaWFGMDFvcmdUOWpobjFmREJmeHo4Vlk3MG1LMS9CdW16b3BwbXFVWkdubjJKbHM9IiwiYmQtdGlja2V0LWd1YXJkLXdlYi12ZXJzaW9uIjoxfQ%3D%3D; IsDouyinActive=true; VIDEO_FILTER_MEMO_SELECT=%7B%22expireTime%22%3A1700117514037%2C%22type%22%3A1%7D; home_can_add_dy_2_desktop=%221%22; tt_scid=Pi3ro7Q19MWgWG2vEBAVAgyBUGq-cXCGula.I1FYHlNqq4Z9WxGyo6k6nH1NZr4q62b7; msToken=g_T1iuv8RavLI-i35OHGTLutn3FdRsQ2f9CpxK2BLPCpZ3YDNn9jxQEgiz31WXHEO8-B6KOKwZ0u1te1JlrfPTBD0SSOchCe8c--MPypU2Jti8HCAQk=',"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
}url = "https://www.douyin.com/aweme/v1/web/comment/list/?"
enc = 'device_platform=webapp&aid=6383&channel=channel_pc_web&aweme_id=7268312625753181477&cursor={}&count=20&item_type=0&insert_ids=&whale_cut_token=&cut_version=1&rcFT=&pc_client_type=1&version_code=170400&version_name=17.4.0&cookie_enabled=true&screen_width=1920&screen_height=1080&browser_language=zh-CN&browser_platform=Win32&browser_name=Chrome&browser_version=119.0.0.0&browser_online=true&engine_name=Blink&engine_version=119.0.0.0&os_name=Windows&os_version=10&cpu_core_num=8&device_memory=8&platform=PC&downlink=10&effective_type=4g&round_trip_time=50&webid=7298277328847783450&msToken=g_T1iuv8RavLI-i35OHGTLutn3FdRsQ2f9CpxK2BLPCpZ3YDNn9jxQEgiz31WXHEO8-B6KOKwZ0u1te1JlrfPTBD0SSOchCe8c--MPypU2Jti8HCAQk='
js = execjs.compile(open('抖音.js', encoding='utf-8').read())
Bogus = js.call('window.aaa', enc.format(60), None)
url = url + enc.format(60) + '&X-Bogus=' + Bogus
print(url)
response = requests.get(url, headers=headers)print(response.text)
print(response)

结语

以上就是关于js逆向技术中的JSVMP补环境的部分内容，欢迎同学们在评论区讨论交流，有任何js逆向、数据采集相关需求也可以V后台regentwan与我联系哟~

上一篇直通车：【js逆向专题】12.RPC技术

js逆向专题传送门