Accelerate JS Reverse Engineering with Sekiro RPC: A Step‑by‑Step Guide

This tutorial demonstrates how to bypass complex, layered encryption on a target website by using Sekiro RPC to invoke browser methods directly, covering analysis of the encrypted sign parameter, setting conditional breakpoints, overriding JavaScript files, defining a Sekiro client, and retrieving the signature via Python.

Sohu Tech Products

Some web applications encrypt request parameters in multiple layers, making traditional JavaScript reverse‑engineering time‑consuming. Sekiro RPC provides a way to call browser functions directly over a persistent WebSocket connection, simplifying the extraction of encrypted parameters.

1. Identify the encrypted request

The target site makes a request to /h/api/gateway/handler_get with a sign query parameter that is generated by JavaScript. In Chrome DevTools → Sources → Page, search for the keyword sign. The generation logic resides in vendor-a1b40867.js (path similar to */obj/goofy/star/idou_fe/assets/vendor-a1b40867.js).

2. Capture the generation algorithm

Set a conditional breakpoint inside the generatePayload function, e.g. c.service_name==='author.AdStarAuthorService'. When the breakpoint hits, record the values of c and l. Repeating the debugging session reveals the fixed parts and the algorithm used to produce the encrypted sign.

3. Override the JavaScript file

Create a local folder and enable Sources → Overrides in Chrome DevTools.

Right‑click vendor-a1b40867.js in the Sources panel and choose Save for overrides to copy the file into the overrides directory.

4. Define a Sekiro client in the overridden file

Modify the saved vendor-a1b40867.js to add a SekiroClient implementation and register a custom action that invokes generatePayload. A minimal client example (truncated) is shown below:

function SekiroClient(wsURL) {
  // Store the server URL and fail fast when it is missing.
  this.wsURL = wsURL;
  this.handlers = {};
  this.socket = {};
  if (!wsURL) throw new Error("wsURL can not be empty!!");
  this.webSocketFactory = this.resolveWebSocketFactory();
  this.connect();
}
// ... resolveWebSocketFactory, connect, handleSekiroRequest, sendSuccess, sendFailed, registerAction ...

// Register this page with the Sekiro server under group "test_web" and a random clientId.
var client = new SekiroClient("wss://sekiro.iinti.cn:5612/business/register?group=test_web&clientId=" + Math.random());
// The "xingtu" action calls generatePayload with the c and l values recorded in step 2.
client.registerAction("xingtu", function (request, resolve, reject) {
  let c = {"hot_list_id":"0","tag":"61e541324fe6649d1b8a2ee3","service_name":"author.AdStarAuthorService","service_method":"GetHotListData"};
  let l = {"strict":true,"serializing":true,"rule":{"include":["hot_list_id","tag","download","image_download","province","city","rlid"]}};
  resolve(generatePayload(c, l));
});

The full client source is available at:

https://raw.githubusercontent.com/yint-tech/sekiro-samples/main/demo-web/sekiroWeb.js

5. Invoke the client from Python

Use the Sekiro HTTP invoke endpoint to trigger the registered action and obtain the encrypted sign value:

import requests

def get_signature():
    # Ask the Sekiro server to run the "xingtu" action registered in the browser.
    # The call is plain HTTP and carries only the group and action names.
    data = {"group": "test_web", "action": "xingtu"}
    resp = requests.get("http://sekiro.iinti.cn:5612/business/invoke", params=data, timeout=10)
    resp.raise_for_status()
    return resp.json()['sign']

def get_data(sign):
    # *host, *tag and the Cookie value are placeholders to fill in.
    url = f"https://*host/h/api/gateway/handler_get/?hot_list_id=0&tag=*tag&service_name=author.AdStarAuthorService&service_method=GetHotListData&sign_strict=1&sign={sign}"
    headers = {
        'authority': '*host',
        'agw-js-conv': 'str',
        'pragma': 'no-cache',
        'x-login-source': '1',
        'x-star-service-method': 'GetHotListData',
        'x-star-service-name': 'author.AdStarAuthorService',
        'Cookie': 'cookie',
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36'
    }
    response = requests.get(url, headers=headers, timeout=10)
    print(response.text)

if __name__ == '__main__':
    sign = get_signature()
    print("sign:", sign)
    get_data(sign)

6. Alternative injection methods

Instead of using Overrides, the same initialization and action registration can be performed with a userscript (e.g., Tampermonkey) or a custom browser extension that injects the Sekiro client into the page.

7. Remarks

Calling the encrypted‑parameter generator via Sekiro is faster and more reliable than extracting and reproducing the JavaScript logic manually.

The approach requires the target page to be loaded in a browser because the WebSocket connection and the JavaScript environment are provided by the browser.

Official Sekiro documentation: https://sekiro.iinti.cn/sekiro-doc/
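
Because the injected client needs a live page and an outbound WebSocket from it, a site operator can watch for that connection. The following is an added example, not code from the original article or from Sekiro: it wraps the page's WebSocket constructor and reports connections to hosts outside an allowlist. The names installWebSocketMonitor and demo, the host app.example.test and the report shape are assumptions.

```javascript
// Added example: report WebSocket connections to hosts that are not on the
// site's allowlist. `scope` is the global object (window in a browser).
function installWebSocketMonitor(scope, allowedHosts, report) {
  const NativeWebSocket = scope.WebSocket;
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));

  function MonitoredWebSocket(url, protocols) {
    let host = "(unparsable)";
    let path = "";
    try {
      const base = scope.location ? scope.location.href : undefined;
      const parsed = new URL(String(url), base);
      host = parsed.host.toLowerCase(); // includes a non-default port
      path = parsed.pathname;           // query string is left out of the report
    } catch (err) {
      // Keep the placeholder host; a real WebSocket constructor rejects the URL below.
    }
    if (!allowed.has(host)) {
      report({ type: "unexpected-websocket", host, path, at: Date.now() });
    }
    // Detection only: the connection is still opened by the native constructor.
    return protocols === undefined
      ? new NativeWebSocket(url)
      : new NativeWebSocket(url, protocols);
  }
  // Share the prototype and constants so instanceof and readyState checks still work.
  MonitoredWebSocket.prototype = NativeWebSocket.prototype;
  for (const k of ["CONNECTING", "OPEN", "CLOSING", "CLOSED"]) {
    MonitoredWebSocket[k] = NativeWebSocket[k];
  }
  scope.WebSocket = MonitoredWebSocket;
  return function restore() { scope.WebSocket = NativeWebSocket; };
}

// Constructed demo: a stub stands in for the browser's WebSocket so this runs offline.
function demo() {
  function StubWebSocket(url) { this.url = url; }
  const scope = { WebSocket: StubWebSocket };
  const reports = [];
  installWebSocketMonitor(scope, ["app.example.test"], (r) => reports.push(r));
  new scope.WebSocket("wss://app.example.test/live");
  // URL shape taken from the client registration in step 4; clientId is constructed.
  new scope.WebSocket("wss://sekiro.iinti.cn:5612/business/register?group=test_web&clientId=0.42");
  return reports;
}
```

In a browser it would be installed before any other script, with window as the scope and the site's own reporting function as the callback. The reports are a signal for server-side review rather than a control, since the script runs in an environment the user controls.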
