JS Reverse

A JavaScript reverse engineering MCP server that enables AI coding assistants to debug and analyze JavaScript code in web pages. Built on the Patchright anti-detection engine with multi-layered anti-bot bypass capabilities.

Features

• Anti-detection browser: Based on Patchright (Playwright anti-detection fork), 60+ stealth launch arguments, bypasses mainstream anti-bot systems
• Script analysis: List all loaded JS scripts, search code, get/save source code
• Breakpoint debugging: Set/remove breakpoints, conditional breakpoints, precise positioning in minified code
• Execution control: Pause/resume execution, step debugging (over/into/out) with source context
• Runtime inspection: Evaluate expressions at breakpoints, inspect scope variables
• Network analysis: View request initiator call stacks, set XHR breakpoints, WebSocket message analysis

Configuration Options

The server accepts multiple command-line flags:

• --browserUrl, -u: Connect to a running Chrome instance
• --wsEndpoint, -w: WebSocket endpoint connection
• --headless: Run in headless mode (default: false)
• --executablePath, -e: Custom Chrome executable path
• --isolated: Use temporary user data directory (fresh each time, default: false)
• --channel: Chrome channel: stable, canary, beta, dev (default: stable)
• --viewport: Initial viewport size, e.g. 1280x720
• --hideCanvas: Enable Canvas fingerprint noise (default: false)
• --blockWebrtc: Block WebRTC to prevent real IP leaks (default: false)
• --disableWebgl: Disable WebGL to prevent GPU fingerprinting (default: false)
• --noStealth: Disable stealth launch arguments for debugging (default: false)
• --proxyServer: Proxy server configuration
• --logFile: Debug log file path

Usage Examples

Basic JS Reverse Engineering Workflow

1. Open the target page: Open https://example.com and list all loaded JS scripts
2. Find target functions: Search all scripts for code containing "encrypt"
3. Set breakpoints: Set a breakpoint at the entry of the encryption function
4. Trigger and analyze: Trigger an action on the page, then inspect arguments, call stack and scope variables when the breakpoint hits

WebSocket Protocol Analysis

List WebSocket connections, analyze message patterns, view messages of specific types

Anti-Detection Architecture

The server includes multi-layered anti-detection measures:

• Patchright Engine: C++ level anti-detection patches
• 60+ Stealth Args: Removes automation signatures, bypasses headless detection
• Harmful Args Removal: Excludes automation-revealing arguments
• Silent CDP Navigation: Prevents anti-bot scripts from detecting debugging protocol activity
• Google Referer Spoofing: All navigations include referer: https://www.google.com/
• Persistent Login State: Uses persistent user-data-dir by default

Security Notice

This tool exposes browser content to MCP clients, allowing inspection, debugging, and modification of any data in the browser. Do not use it on pages containing sensitive information.