项目中遇到了AntiDebugging的需求，查阅了不少资料，给大家分享下我的方案。

Ready to learn more? Subscribe to our newsletter for weekly tutorials and tips.

正文

野生马吕斯·马斯奇和马丁·约翰斯的反调试技巧

这些是在USENIX Security '21上展示的9种反调试技术的示例性实现。这些技术试图防止或至少减缓手动检查和调试网站JavaScript代码的任何尝试。

自己试试，点击下面的任何链接，然后（尝试）打开DevTools ，看看会发生什么！

请阅读我们的论文（即将推出）或观看我们的演示文稿（即将推出） ，了解更多

如果您正在使用这些内容进行后续工作，请引用我们的论文

title = {U Can 't Debug This: Detecting JavaScript Anti-Debugging Techniques in the Wild},

booktitle = {Proc. of {USENIX} Security Symposium},

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

篇幅原因就先写这么多，后面有空会再补充更多实战案例。有问题评论区见。

Reference: AntiDebugging Testbed

不少同学在群里讨论[AskJS]，这里统一回复一下，顺便整理成文章。

Found this helpful? Share it with your team and leave a comment below!

正文

我不会过多地认为JavaScript本质上不太安全。这完全取决于您在建造什么，以及如何建造。

在现代Web开发中，[AskJS]变得越来越重要。开发者需要了解相关的安全 implications 和最佳实践。

实现[AskJS]时，有几个关键考虑因素。首先是性能优化——复杂的计算可能会阻塞主线程，影响用户体验。其次是安全性，必须在应用的每一层都考虑到。

许多开发者忽视了适当的错误处理和调试技术的重要性。浏览器开发者工具、日志框架和监控服务可以显著改善开发流程。

[AskJS]相关的生态系统发展迅速。新库和新框架 regularly 出现，每个都有各自解决常见问题的方法。

测试是另一个关键方面，不容忽视。自动化测试、代码审查和安全审计有助于确保代码库的质量和可靠性。

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

本文首发于JSVMP博客，转载注明出处。后续会持续更新更多相关内容。

Reference: [AskJS] Why is there a reputation that JavaScript isn't "secure" for ...

I've had several readers ask me about Jscrambler recently, so I decided to write a comprehensive article about it.

Want to learn advanced techniques? Check out our premium courses.

正文

# Jscrambler 101 - Anti-Debugging. Welcome back to Jscrambler 101! A collection of tutorials on how to use Jscrambler to protect your JavaScript. This tutorial is about the **Anti-Debugging transformation** and covers Jscrambler version 8.3. We will explore Anti-Debugging, a new Jscrambler feature released in version 8.3. The Anti-Debugging feature protects your application by making it harder for attackers to debug an app by activating defenses that stop any reverse engineering attempts. ## **A

In modern web development, Jscrambler has become increasingly important. Developers need to understand the security implications and best practices.

When implementing Jscrambler, there are several key considerations. First, performance optimization is crucial. Second, security must be addressed at every layer.

Many developers overlook the importance of proper error handling and debugging techniques.

The ecosystem around Jscrambler continues to evolve rapidly. New libraries and frameworks emerge regularly.

Testing is another critical aspect that shouldn't be neglected.

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

Due to length constraints, I'll wrap up here. More practical examples coming soon. Leave a comment if you have questions!

Reference: Jscrambler 101 - Anti-Debugging | Stop Reverse Engineering

I've had several readers ask me about JavaScript recently, so I decided to write a comprehensive article about it.

Found this helpful? Share it with your team and leave a comment below!

正文

Transform your code into custom bytecode that runs on a JS virtual machine — now with advanced Self Defending, Debug Protection, and anti-LLM countermeasures.

Or try free standard obfuscation See VM obfuscation in action

Your readable code becomes impenetrable bytecode that runs on a custom virtual machine

The original logic is converted to custom bytecode that only the embedded VM can execute. Static analysis tools cannot understand the code without first reverse-engineering the entire VM.

Industry-leading Anti-LLM reverse engineering defenses

What happens when the strongest coding AI tries to deobfuscate.

Reverse engineer obfuscated.js script and say what it does and restore original code

I spent about 6 hours trying to reverse-engineer this and couldn't do it.

I tried everything I'd normally try — static analysis, runtime instrumentation, hooking, sandboxed execution, custom tooling. I couldn't even decode the bytecode: the decoding key is computed inside the runtime, but every attempt to observe the runtime trips a code-integrity check and the program either corrupts its own state or refuses to run. Classic chicken-and-egg — I can't read the bytecode without the runtime, and I can't watch the runtime without breaking it.

I'm calling it. I cannot recover the original source.

Two independent defense layers — with built-in anti-LLM countermeasures — work together to make analysis and reverse engineering impractical

The VM runtime verifies its own integrity at every stage — any modification, hook injection, or proxy interception is detected and neutralized. Code integrity verification Proxy and interception traps

Shuts down developer tools, breakpoints, and runtime inspection — making it extremely difficult to step through or observe VM execution.

DevTools detection and response Execution timing validation Environment fingerprinting Decoy bytecode misdirection Anti-LLM analysis defenses

A feature-by-feature breakdown Anti-Hooking & Anti-Tampering

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

Feel free to ask questions in the comments - I'll reply as soon as possible.

Reference: JavaScript obfuscator tool - Protect Your JS Code

不少同学在群里讨论Jscrambler，这里统一回复一下，顺便整理成文章。

Found this helpful? Share it with your team and leave a comment below!

正文

# Jscrambler 101 -反调试。欢迎回到Jscrambler 101 ！关于如何使用Jscrambler保护JavaScript的一系列教程。本教程是关于* *反调试转换* * ，涵盖Jscrambler 8.3版。我们将探索Anti-Debugging ，这是8.3版发布的新Jscrambler功能。反调试功能通过激活阻止任何反向工程尝试的防御措施，使攻击者更难调试应用程序，从而保护您的应用程序。# # * * A

在现代Web开发中，Jscrambler变得越来越重要。开发者需要了解相关的安全 implications 和最佳实践。

实现Jscrambler时，有几个关键考虑因素。首先是性能优化——复杂的计算可能会阻塞主线程，影响用户体验。其次是安全性，必须在应用的每一层都考虑到。

许多开发者忽视了适当的错误处理和调试技术的重要性。浏览器开发者工具、日志框架和监控服务可以显著改善开发流程。

Jscrambler相关的生态系统发展迅速。新库和新框架 regularly 出现，每个都有各自解决常见问题的方法。

测试是另一个关键方面，不容忽视。自动化测试、代码审查和安全审计有助于确保代码库的质量和可靠性。

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

码字不易，觉得有帮助的话点个赞再走~ 如果想了解更多相关内容，可以关注我的博客后续更新。

Reference: Jscrambler 101 - Anti-Debugging | Stop Reverse Engineering

在做前端安全相关需求时，JavaScript这个问题绕不开，刚好把踩坑经验分享一下。

Ready to learn more? Subscribe to our newsletter for weekly tutorials and tips.

正文

JavaScript安全：保护前端安全的简单实践

我不了解你，但我的职业生涯始于在一个小型机构工作的前端开发人员，在那里没有人关心安全问题。当我转而与大公司的大型项目合作时，我一直不关心安全性，因为没有人教过我更好，

了解如何保护您的JavaScript代码可以改变这一点，并帮助我们保护我们的应用程序和用户。

本文将探讨一些安全实践，只要有意义，就不会伤害JavaScript开发人员的实施。

我在学习该主题时学到了上述一些主题，但还有更多方法可以确保您的代码安全。我只是分享一些简单的方法来帮助您入门。

附注：是的，我向人工智能提问，并要求它帮助我举例。

P.S.2是的， IA创建了封面图片，因为我知道我的弱点LOL

过时的库可能会使您的应用程序暴露于安全漏洞中。及时更新所有内容可帮助您避免已修复的已知问题。npm （节点包管理器）

是一个很好的工具，可以帮助您管理和更新库。

定期检查：运行npm outdated以查看哪些包已过期。

定期更新：使用npm update将软件包升级到最新版本。

自动化安全更新： npm审计等工具可识别安全漏洞并提出修复建议。

npm audit fix #修复已知漏洞的软件包

安全标头告诉浏览器在处理站点内容时的行为，这有助于防止某些类型的攻击，如跨站脚本和数据注入。内容安全政策（ CSP ）

，这是一个安全标头，可帮助阻止未经授权的脚本在您的网站上运行，从而防止许多攻击。

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

有问题欢迎评论区交流，看到会第一时间回复大家一起讨论。

Reference: JavaScript Security: Simple Practices to Secure Your Frontend - DEV Community

有读者私信问我VM该怎么实现，今天正好有空写篇文章记录一下。

Have questions? Feel free to ask in the comments section below.

正文

虚拟机混淆是最先进的代码保护形式。它将JavaScript函数转换为在输出中嵌入的虚拟机上运行的自定义字节码。原始逻辑被完全隐藏—没有JavaScript进行反向工程。

如果您在虚拟机混淆方面遇到任何问题，请将其报告给See Before & After示例

有选择地只对敏感功能进行虚拟机混淆，以获得最佳性能。

为什么直接eval ()禁用虚拟机混淆，以及如何避免陷阱。

声明严格模式，以便虚拟机编译正确的字节码。

虚拟机运行时的篡改检测、防挂钩和防代理保护。

虚拟机保持可见与隐藏的内容，以及如何保护函数名称。

通过npm包从构建管道应用虚拟机混淆。

缩小问题范围，并报告我们需要修复的信息。

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

有问题欢迎评论区交流，看到会第一时间回复大家一起讨论。

Reference: VM Obfuscation | Obfuscator.io Documentation

在做前端安全相关需求时，How这个问题绕不开，刚好把踩坑经验分享一下。

Want to learn advanced techniques? Check out our premium courses.

正文

保护JavaScript代码的有效方法。JavaScript加密技术。JavaScript代码的混淆方法。

在现代Web开发中，How变得越来越重要。开发者需要了解相关的安全 implications 和最佳实践。

实现How时，有几个关键考虑因素。首先是性能优化——复杂的计算可能会阻塞主线程，影响用户体验。其次是安全性，必须在应用的每一层都考虑到。

许多开发者忽视了适当的错误处理和调试技术的重要性。浏览器开发者工具、日志框架和监控服务可以显著改善开发流程。

How相关的生态系统发展迅速。新库和新框架 regularly 出现，每个都有各自解决常见问题的方法。

测试是另一个关键方面，不容忽视。自动化测试、代码审查和安全审计有助于确保代码库的质量和可靠性。

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

篇幅原因就先写这么多，后面有空会再补充更多实战案例。有问题评论区见。

Reference: How to protect/encrypt source code on a client machine? - Reddit

I've had several readers ask me about Security recently, so I decided to write a comprehensive article about it.

Want to learn advanced techniques? Check out our premium courses.

正文

The presence of **JavaScript code on client-side** devices creates various security holes that permit code injection, reverse engineering, and data exposure attacks. Attacks on JavaScript web applications are enabled through easy access to scripts, which permits intruders to both observe and modify program code, steal sensitive information, and embed destructive scripts within the system framework. Developers must protect their client-side JavaScript applications from security threats by impleme

In modern web development, Security has become increasingly important. Developers need to understand the security implications and best practices.

When implementing Security, there are several key considerations. First, performance optimization is crucial. Second, security must be addressed at every layer.

Many developers overlook the importance of proper error handling and debugging techniques.

The ecosystem around Security continues to evolve rapidly. New libraries and frameworks emerge regularly.

Testing is another critical aspect that shouldn't be neglected.

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

That's all for this comprehensive guide. I hope you found it helpful! Feel free to leave comments if you have questions.

Reference: Security Tips to Protect Client-Side JavaScript Applications

关于Anti-Debugging，网上资料比较零散，这里做个相对完整的总结。

Want to learn advanced techniques? Check out our premium courses.

正文

For developers who write malicious programs, it’s important to make their code not easy to be read and executed in a sandbox. Like most languages, there are many ways to make the life of malware analysts mode difficult (or more exciting, depending on the side of the table you’re sitting ;-).

Besides being an extremely permissive language with its syntax and making it easy to obfuscate, JavaScript can also implement anti-debugging techniques. A well-known technique is based on the method arguments.callee()[

]. This method allows a function to refer to its own body:

Then, the function can perform checks on the content of the variable 'foobar' (to check the size, to compute a hash or to search for the presence of specific strings) to detect if the content of the function has been modified by an Analyst (ex: to debug the code in the browser).

Speaking about browsers, their “developer tools” are very convenient to debug JavaScript. I got access to a malicious file shared with another malware analyst (thank you Mark!). It implements a nice technique to prevent malicious code to be executed if the browser console is open! Here is the small proof-of-concept based on the initial code (beautified):

The function GFkPC() defines a variable ‘ll’ which will contain the console status (default false - console closed). An object is created (WXMpu) and a ‘getter’[

] on the property is added. The get syntax binds an object property to a function that will be called when that property is looked up. I don’t know why but ‘get’ works only when the console is open. Below, we use the object, this will result in the getter function to be executed and modify the value of ‘ll’ is the console is open.

Let’s load this PoC into Chrome with the Developer Tools open:

You see that the getter is called and the console.log() used.

Now, let's close the console and reload the PoC in the same browser:

This technique worked in Chrome and Safari and the new Edge. It did not work with Firefox. While Googling for some similar examples, I found discussions about the Developer Tools detection back to 8 years ago. Still relevant today!

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/arguments/callee

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/get

Senior ISC Handler - Freelance Cyber Security Consultant

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

以上就是关于这个话题的完整分享，希望能对大家有所帮助。如果还有其他问题，欢迎在评论区留言讨论。

Reference: Anti-Debugging JavaScript Techniques - SANS ISC

在做前端安全相关需求时，JavaScript这个问题绕不开，刚好把踩坑经验分享一下。

Want to learn advanced techniques? Check out our premium courses.

正文

The most common JavaScript vulnerabilities include Cross-Site Scripting (XSS), malicious code, Man-in-the-middle attack and exploiting vulnerabilities in the source code of web applications. In this article, we’ll take a look at the most common JavaScript vulnerabilities and how to prevent them through popular modern security approaches combined with testing tools (e.g, auditing and code analysis tools, JavaScript vulnerability scanner, etc.). Most common JavaScript attack vectors include: execu

When it comes to JavaScript, understanding the fundamentals is crucial for any developer. This guide will walk you through the key concepts and practical applications.

One of the most important aspects of JavaScript is security. In today's digital landscape, protecting user data and preventing unauthorized access should be top priorities for every project.

Performance optimization is another critical factor. Efficient code not only provides better user experience but also reduces server costs and improves scalability.

Modern development practices emphasize modularity and reusability. By breaking down complex systems into smaller, manageable components, teams can collaborate more effectively and maintain codebases more easily.

Testing should never be overlooked. Comprehensive test coverage helps catch bugs early and ensures that changes don't break existing functionality.

Documentation is equally important. Well-documented code is easier to understand, maintain, and extend by team members both present and future.

Version control systems have revolutionized how developers collaborate. Understanding Git workflows and best practices is essential for modern software development.

Continuous integration and deployment pipelines help automate the build, test, and release processes, reducing human error and speeding up delivery cycles.

Monitoring and logging provide visibility into production systems, enabling quick identification and resolution of issues before they impact users.

The devOps culture promotes collaboration between development and operations teams, breaking down silos and improving overall efficiency.

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

有问题欢迎评论区交流，看到会第一时间回复大家一起讨论。

Reference: JavaScript Security | JavaScript Vulnerabilities