[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-81107":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":15,"stars7d":16,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":18,"compositeScore":19,"rankGlobal":10,"rankLanguage":10,"license":20,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":23,"hasPages":21,"topics":24,"createdAt":10,"pushedAt":10,"updatedAt":45,"readmeContent":46,"aiSummary":47,"trendingCount":15,"starSnapshotCount":15,"syncStatus":48,"lastSyncTime":49,"discoverSource":50},81107,"PerimeterX_RE","warterbili\u002FPerimeterX_RE","warterbili","Complete reverse engineering of PerimeterX (HUMAN Security) anti-bot SDK · pure-algo _px3\u002F_px2 generator (no browser, no Selenium) · iFood + Grubhub + Bundle 10\u002F10 verified · WASM PoW solved · 68 production gotchas · AI Skill included.","",null,"JavaScript",51,8,1,0,9,13,3,48.66,"Other",false,"main",true,[25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44],"ai-agent","anti-bot","anti-scraping","bot-detection","browser-fingerprinting","captcha-bypass","claude-code","grubhub","human-security","ifood","javascript-reverse-engineering","perimeterx","proof-of-work","px2","px3","reverse-engineering","sdk-reverse-engineering","security-research","web-scraping","webassembly","2026-06-12 04:01:32","\u003Cdiv align=\"center\">\n\n```\n██╗ ███████╗██████╗ ██╗ ██╗ █████╗ ████████╗███████╗██████╗ ██████╗ ██╗██╗ ██╗\n██║ ██╔════╝██╔══██╗██║ ██║██╔══██╗╚══██╔══╝██╔════╝██╔══██╗██╔══██╗██║██║ ██║\n██║ ███████╗██║ ██║██║ █╗ ██║███████║ ██║ █████╗ ██████╔╝██████╔╝██║██║ ██║\n██║ ╚════██║██║ ██║██║███╗██║██╔══██║ ██║ ██╔══╝ ██╔══██╗██╔══██╗██║██║ ██║\n███████╗███████║██████╔╝╚███╔███╔╝██║ ██║ ██║ ███████╗██║ ██║██████╔╝██║███████╗██║\n╚══════╝╚══════╝╚═════╝ ╚══╝╚══╝ ╚═╝ ╚═╝ ╚═╝ ╚══════╝╚═╝ ╚═╝╚═════╝ ╚═╝╚══════╝╚═╝\n```\n\n# PerimeterX (HUMAN Security) SDK · Complete Reverse Engineering · **v2.0**\n\n### The Most Complete Public Reverse Engineering Study of PerimeterX\n\n**Byte-exact SDK Internal Logic Dissection · Pure-algorithm Reconstruction of `_px3` \u002F `_px2` · Zero-Browser Dependency · Dual-site 10\u002F10 Production-Grade Verification**\n\n**🇬🇧 English · 🇨🇳 [简体中文](README.zh.md)**\n\n\u003Cbr \u002F>\n\n**Authors**: `warterbili` · **Last Updated**: 2026-05-23 · **Status**: Actively Maintained · **License**: Dual-track (AGPL-3.0 + CC BY-NC-SA 4.0)\n\u003Cbr \u002F>\n**Last Verified Run**: 2026-05-21 (BR-residential proxy, HTTP 200 from production APIs)\n\n\u003Cbr \u002F>\n\n[![Version](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fversion-2.0-blue?style=for-the-badge)](#)\n[![iFood](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FiFood-10%2F10%20✓-success?style=for-the-badge)](stample\u002Fifood\u002F)\n[![Grubhub](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FGrubhub-10%2F10%20✓-success?style=for-the-badge)](stample\u002Fgrub\u002F)\n[![Total Wine](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FTotal%20Wine-10%2F10%20✓%20strict--tier-success?style=for-the-badge)](stample\u002Ftotalwine\u002F)\n[![Bundle](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FiFood%20Bundle-10%2F10%20✓-success?style=for-the-badge)](bundle\u002F)\n\n![Algorithms](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FPure--algo%20Primitives-9%20core-green?style=flat-square&logo=hackthebox)\n![Bundle Primitives](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FBundle--only-5%20primitives-darkgreen?style=flat-square)\n![Docs](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FTechnical%20Docs-20K%2B%20lines-orange?style=flat-square&logo=readthedocs)\n![Methodology](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FMethodology-10%20ch%20%2F%203389%20lines-blue?style=flat-square)\n![Gotchas](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FProduction%20Gotchas-68-red?style=flat-square&logo=bugatti)\n![Fine Gotchas](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FFine--grained-19%20gotchas-red?style=flat-square)\n![Mouse Tracks](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FReal%20Mouse%20Tracks-50-purple?style=flat-square)\n![Samples](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FCapture%20Batches-6%C3%972%20sites-yellow?style=flat-square)\n![Bundle Doc](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FBundle%20Main%20Doc-4996%20lines-magenta?style=flat-square)\n![Userscript](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FUserscript-2131%20lines-lightgrey?style=flat-square)\n![AI Skill](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FAI%20Skill-9%20playbooks%20%2B%2014%20CLI-brightgreen?style=flat-square&logo=anthropic)\n![Last Run](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Flast%20verified%20run-2026--05--21-brightgreen?style=flat-square&logo=githubactions&logoColor=white)\n![Longitudinal](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLongitudinal-3%20years-blueviolet?style=flat-square)\n\n\u003C\u002Fdiv>\n\n\u003Ctable align=\"center\">\n\u003Ctr>\n\u003Ctd align=\"center\" width=\"110\">\u003Ch2>9\u003C\u002Fh2>\u003Csub>\u003Cb>Core Algos\u003C\u002Fb>\u003Cbr\u002F>(shared)\u003C\u002Fsub>\u003C\u002Ftd>\n\u003Ctd align=\"center\" width=\"110\">\u003Ch2>+5\u003C\u002Fh2>\u003Csub>\u003Cb>Bundle-only\u003C\u002Fb>\u003Cbr\u002F>Primitives\u003C\u002Fsub>\u003C\u002Ftd>\n\u003Ctd align=\"center\" width=\"110\">\u003Ch2>10\u002F10\u003C\u002Fh2>\u003Csub>\u003Cb>iFood ✓\u003C\u002Fb>\u003C\u002Fsub>\u003C\u002Ftd>\n\u003Ctd align=\"center\" width=\"110\">\u003Ch2>10\u002F10\u003C\u002Fh2>\u003Csub>\u003Cb>Grubhub ✓\u003C\u002Fb>\u003C\u002Fsub>\u003C\u002Ftd>\n\u003Ctd align=\"center\" width=\"110\">\u003Ch2>10\u002F10\u003C\u002Fh2>\u003Csub>\u003Cb>Total Wine ✓\u003C\u002Fb>\u003Cbr\u002F>(strict-tier)\u003C\u002Fsub>\u003C\u002Ftd>\n\u003Ctd align=\"center\" width=\"110\">\u003Ch2>10\u002F10\u003C\u002Fh2>\u003Csub>\u003Cb>Bundle ✓\u003C\u002Fb>\u003C\u002Fsub>\u003C\u002Ftd>\n\u003Ctd align=\"center\" width=\"110\">\u003Ch2>500ms\u003C\u002Fh2>\u003Csub>\u003Cb>End-to-end\u003C\u002Fb>\u003C\u002Fsub>\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd align=\"center\">\u003Ch2>68\u003C\u002Fh2>\u003Csub>\u003Cb>Production\u003Cbr\u002F>Gotchas\u003C\u002Fb> (≥1h debug each)\u003C\u002Fsub>\u003C\u002Ftd>\n\u003Ctd align=\"center\">\u003Ch2>20K+\u003C\u002Fh2>\u003Csub>\u003Cb>Doc Lines\u003C\u002Fb>\u003C\u002Fsub>\u003C\u002Ftd>\n\u003Ctd align=\"center\">\u003Ch2>14\u003C\u002Fh2>\u003Csub>\u003Cb>CLI Tools\u003C\u002Fb>\u003C\u002Fsub>\u003C\u002Ftd>\n\u003Ctd align=\"center\">\u003Ch2>9\u003C\u002Fh2>\u003Csub>\u003Cb>AI Playbooks\u003C\u002Fb>\u003C\u002Fsub>\u003C\u002Ftd>\n\u003Ctd align=\"center\">\u003Ch2>4\u003C\u002Fh2>\u003Csub>\u003Cb>AI Intent\u003Cbr\u002F>Manifests\u003C\u002Fb>\u003C\u002Fsub>\u003C\u002Ftd>\n\u003Ctd align=\"center\">\u003Ch2>3 yrs\u003C\u002Fh2>\u003Csub>\u003Cb>Longitudinal\u003Cbr\u002F>SDK Drift\u003C\u002Fb>\u003C\u002Fsub>\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftable>\n\n```console\n╭──────────────────────────────────────────────────────────────╮\n│ $ node stample\u002Fifood\u002Fpx_cookie\u002Fifood_px3.js │\n│ │\n│ ✅ _px3=eyJ1IjoiYWJj... ttl=330 │\n│ ✅ uuid: c83577f0-5420-11f1-... │\n│ ✅ ev1=14 fields · ev2=204 fields · smoke_test=21\u002F21 │\n│ ⚡ 500 ms end-to-end │\n│ │\n│ $ node stample\u002Fifood\u002Fpx_cookie\u002Fbusiness_api_demo.js │\n│ │\n│ ✅ HTTP 200 \u002Fv1\u002Fmerchant-info\u002Fgraphql │\n│ { name: \"Sorveteria Coelhinho\", userRating: 5, ... } │\n│ proxy = BR-residential · last run = 2026-05-21 │\n╰──────────────────────────────────────────────────────────────╯\n```\n\n```\n ┌──────────────────────────────────────┐\n │ ⚡ PX Anti-bot Handshake · 500 ms │\n └──────────────────┬───────────────────┘\n │\n ┌────────────────────────┼────────────────────────┐\n ▼ ▼ ▼\n ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐\n │ Layer 1 Pure-algo│ │ Layer 2 Plan B │ │ Layer 3 Bundle │\n │ 99% traffic │ │ Env-patching │ │ 1% risk-trigger │\n │ ~500 ms │ │ ~2-3 s │ │ ~10-15 s │\n └────────┬────────┘ └────────┬────────┘ └────────┬────────┘\n └────────────────────────┼────────────────────────┘\n ▼\n ┌────────────────────┐\n │ _px3 \u002F _px2 │\n │ ⇒ Business API ✓ │\n └────────────────────┘\n```\n\n\u003Cdiv align=\"center\">\n\n### [Quick Start](#9-reproduction--quick-start) · [Live Validation](stample\u002Flive_validation\u002F) · [Plan B](node_bridge\u002F) · [Methodology](main\u002FEN\u002Fmethodology\u002F) · [Gotchas](bug_report\u002F) · [Bundle](bundle\u002F) · [AI Skill](skill\u002FAI_re\u002F) · [Cite](#17-citation)\n\n\u003C\u002Fdiv>\n\n---\n\n## Table of Contents\n\n\u003Ctable>\n\u003Ctr>\n\u003Ctd>\n\n**Part I — Foundations**\n- [Abstract](#abstract)\n- [1. Introduction](#1-introduction)\n- [2. Threat Model](#2-threat-model)\n- [3. PerimeterX SDK Architecture](#3-perimeterx-sdk-architecture)\n- [4. Methodology](#4-methodology)\n\n**Part II — Implementation**\n- [5. Implementation Deep-dive](#5-implementation-deep-dive)\n- [6. Evaluation](#6-evaluation)\n- [7. Empirical Findings](#7-empirical-findings-gotcha-record)\n\n**Part III — Repository**\n- [8. Project Structure](#8-project-structure)\n- [9. Reproduction · Quick Start](#9-reproduction--quick-start)\n- [10. Tooling](#10-tooling)\n\n\u003C\u002Ftd>\n\u003Ctd>\n\n**Part IV — AI & Usage**\n- [11. AI Skill Integration](#11-ai-skill-integration)\n- [12. By Role · Reading Guide](#12-by-role--reading-guide)\n\n**Part V — Discussion**\n- [13. Maintenance Cost & Limitations](#13-maintenance-cost--limitations)\n- [14. Related Work](#14-related-work)\n- [15. Bilingual Status & Roadmap](#15-bilingual-status--roadmap)\n\n**Part VI — Meta**\n- [16. License, Ethics & Responsible Disclosure](#16-license-ethics--responsible-disclosure)\n- [17. Citation](#17-citation)\n- [18. Acknowledgments](#18-acknowledgments)\n\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftable>\n\n| # | Chapter | Summary |\n|---|---|---|\n| [1](#1-introduction) | **Introduction** | Background · Motivation · Three contributions · Repository overview |\n| [2](#2-threat-model) | **Threat Model** | Defender capabilities · Attacker goals · Assumptions & boundaries |\n| [3](#3-perimeterx-sdk-architecture) | **PerimeterX SDK Architecture** | Dual-path overview · Collector vs Bundle · Field taxonomy · 9+5 algorithms |\n| [4](#4-methodology) | **Methodology** | 7-stage reverse workflow · Time budget · Cross-platform porting · SDK upgrade triage |\n| [5](#5-implementation-deep-dive) | **Implementation Deep-dive** | 9 algorithm internals · Dual-site generators · Full Bundle chain · Plan B Bridge |\n| [6](#6-evaluation) | **Evaluation** | Protocol-level 10\u002F10 · End-to-end business API · Cross-vendor comparison |\n| [7](#7-empirical-findings-gotcha-record) | **Empirical Findings** | Top 5 critical pitfalls · 68-entry classification · 19 fine-grained gotchas · Longitudinal drift |\n| [8](#8-project-structure) | **Project Structure** | Complete directory tree (with module purpose \u002F line counts \u002F links) |\n| [9](#9-reproduction--quick-start) | **Reproduction · Quick Start** | 5-min walkthrough · Business API · Bundle userscript |\n| [10](#10-tooling) | **Tooling** | 14-tool CLI reference |\n| [11](#11-ai-skill-integration) | **AI Skill Integration** | ⭐ **CDP + AI_re dual-skill loop · AI end-to-end 0→1 autonomous reversing** |\n| [12](#12-by-role--reading-guide) | **By Role · Reading Guide** | Entry points for 11 reader profiles |\n| [13](#13-maintenance-cost--limitations) | **Maintenance Cost & Limitations** | Upgrade cadence · Limitations · Future work |\n| [14](#14-related-work) | **Related Work** | Public PX research · Cross-vendor |\n| [15](#15-bilingual-status--roadmap) | **Bilingual Status & Roadmap** | Chinese-English coverage matrix |\n| [16](#16-license-ethics--responsible-disclosure) | **License, Ethics & Disclosure** | Research ethics · Responsible disclosure |\n| [17](#17-citation) | **Citation** | BibTeX |\n| [18](#18-acknowledgments) | **Acknowledgments** | Credits · Project evolution |\n\n---\n\n## Abstract\n\nThis project presents a **complete reverse engineering study of the PerimeterX (HUMAN Security) anti-bot SDK**, covering the full stack from protocol-level bytes to internal SDK business logic. We make three primary contributions: (i) **pure-algorithm reconstructions of 9 core cryptographic primitives**, including the multi-step payload encryption chain, HMAC-MD5-derived PC, Unicode Tag Char SID steganography, dynamic Anti-tamper key injection, and others; (ii) **two end-to-end cookie generators** — iFood `_px3` and Grubhub `_px2`, both achieving **10\u002F10 protocol-level AND end-to-end business API verification under production conditions**; (iii) **the first complete open-source solution to the Bundle press-challenge path**, with synchronous WASM proof-of-work, Bézier mouse trajectory synthesis, Myanmar-script DOM steganography, and 4-group error-stack alignment, totaling 2,131 lines of production-grade userscript. Empirical findings include **68 production-verified failure modes**, a longitudinal study covering 3 major SDK iterations across 2024–2026, and a comparative analysis against DataDome, Akamai, and Cloudflare. The project further provides a **three-layer fallback resilience architecture** (pure-algo → Plan B environment patching → Bundle press-challenge) and an **industry-first dual-skill loop enabling AI agents to perform end-to-end 0→1 autonomous reverse engineering of new sites** ([`skill\u002Fcdp\u002F`](skill\u002Fcdp\u002F) auto-drives real Chrome for sample capture, while [`skill\u002FAI_re\u002F`](skill\u002FAI_re\u002F) provides 9 playbooks + 5 references + 14 CLI tools + 4 intent manifests). Together these constitute the most complete public reference implementation of PerimeterX anti-bot research to date.\n\n---\n\n## 1. Introduction\n\n### 1.1 Background — What is PerimeterX\n\n**PerimeterX** (acquired by HUMAN Security in 2022 but still widely deployed under the PerimeterX brand) is a de-facto standard commercial anti-bot \u002F anti-scraping product adopted by major sites including iFood, Grubhub, DoorDash, Zillow, Crunchyroll, and Major League Baseball. It injects an obfuscated JavaScript collector (`main.min.js`) into client pages, gathering 200+ device \u002F behavioral \u002F environment fingerprint dimensions, and issues `_px3` (v3) \u002F `_px2` (v2) signed cookies through two parallel paths:\n\n- **Silent Collector Path** — covers 99% of business traffic, runs as 2 background POST requests with no UI, completes in ~300 ms;\n- **Press-challenge Bundle Path** — triggered when the risk score exceeds threshold, presents visible challenges (press, click, slide) plus browser-side WASM PoW and mouse trajectory collection, takes ~10–15 seconds.\n\nPX's core obfuscation strategy is **byte-level rotation on a weekly-to-monthly cadence**: function names, line numbers, base64 dictionaries, and wire character sets all change — but **the underlying algorithms (HMAC-MD5 \u002F UUID v1 \u002F Anti-tamper \u002F steganography) have not changed in 3 years**. This is precisely the foundation that allows this project to build a sustainable maintenance regime.\n\n### 1.2 Motivation\n\nPublicly available material on PerimeterX has long been **bimodally distributed**:\n\n- **Too shallow**: 99% of blog posts and Stack Overflow answers stop at \"just use puppeteer \u002F undetected-chromedriver \u002F selenium-stealth\" — these approaches collapse against medium-strength PX risk control;\n- **Too fragmented**: the few deep dives only cover **single bug fixes** or **isolated algorithm snippets**, lacking end-to-end reproducible implementations, cross-site comparisons, or systematic failure analysis.\n\nThe community is missing a **complete map** — full-stack coverage from bytes to algorithms to protocols to business APIs, deployable in production, teachable to others, and citable in academic work. This project exists to fill that gap.\n\n### 1.3 Contributions\n\nThe core contributions of this work can be summarized as follows:\n\n1. **Algorithm-level open release** — Pure-algorithm Node.js implementations of 9 PX core cryptographic primitives ([`revers\u002F`](revers\u002F)), each byte-exact-verified across capture batches;\n2. **Site-level production implementations** — End-to-end generators for iFood `_px3` + Grubhub `_px2`, with 10\u002F10 protocol-level pass rates + real HTTP 200 verification against production business APIs (2026-05-21, BR-residential proxy);\n3. **Complete Bundle solution** — First fully open-source solution to the PX press-challenge (Captcha), with synchronous WASM PoW, Bézier mouse trajectories, Plane-14 Tag Char steganography, and Myanmar-script DOM encoding, 2,131 lines of production-grade userscript verified 10\u002F10;\n4. **Systematic failure mode catalog** — 68 production-environment debugging gotchas (each representing ≥1 hour of actual debug time), 19 fine-grained gotcha entries, covering collector \u002F bundle \u002F environment \u002F SDK drift dimensions;\n5. **AI Skill package** — Drop-in PX reverse-engineering skill for Claude Code \u002F Cursor, containing 9 playbooks + 5 references + 14 CLI tools + 4 user-intent manifests, converting this project's methodology into AI-agent-callable capabilities.\n\n### 1.4 What's in this Repository\n\n| Dimension | Number |\n|---|---|\n| **Total files** | ~380 |\n| **Total documentation lines** | 20,000+ (primarily Chinese, partial English bilingual) |\n| **Core algorithm implementations** | 9 Node.js modules (`revers\u002F`) |\n| **Generators** | iFood + Grubhub, both 10\u002F10 |\n| **Bundle main document** | 4,996 lines |\n| **Bundle production userscript** | 2,131 lines (10\u002F10 verified) |\n| **New methodology** | 10 chapters \u002F 3,389 lines (incl. 14 tools \u002F algorithm pseudocode \u002F 10 pitfalls) |\n| **Real capture batches** | iFood 6 batches + Grubhub 6 batches + Bundle 4 POSTs |\n| **Real mouse tracks** | 50 (Bundle-specific) |\n| **Total gotchas** | 68 (4 main files) + 19 fine-grained |\n| **Research dossiers** | 6 English `research\u002F` (threat model \u002F longitudinal \u002F cross-vendor \u002F failure modes \u002F field entropy \u002F isolation) |\n| **AI Skill assets** | 9 playbooks + 5 references + 14 CLI + 4 manifests |\n| **Longitudinal coverage** | 3 years (2024–2026), spanning 3 major SDK iterations |\n\n---\n\n## 2. Threat Model\n\nThe full formal threat model is documented in [`research\u002F03_threat_model\u002F`](research\u002F03_threat_model\u002F). This section provides a self-contained summary.\n\n### 2.1 Defender Capabilities\n\nPerimeterX defenses can be decomposed into four layers:\n\n| Layer | Capability | Project Coverage |\n|---|---|---|\n| **Network \u002F Edge** | TLS fingerprint (JA3\u002FJA4) · HTTP\u002F2 frame sequence · IP blocklists · ASN tiering (residential vs datacenter) | [`bug_report\u002F3_environment.md`](bug_report\u002F3_environment_EN.md) |\n| **Browser Fingerprint** | UA + Sec-CH-UA · Canvas \u002F WebGL \u002F AudioContext · Font list · Timezone consistency | [`main\u002FEN\u002FEV1_EV2_UNIFIED_REFERENCE.md`](main\u002FEN\u002FEV1_EV2_UNIFIED_REFERENCE.md) |\n| **Behavioral** | Mouse trajectories · Keystroke timing · Scroll cadence · Touch pressure · Focus transition sequences | [`bundle\u002Fstample\u002Fmouse_tracks\u002F`](bundle\u002Fstample\u002F) — 50 real samples |\n| **Cryptographic** | Dynamic Anti-tamper keys · Timestamp nonces · HMAC-MD5 signatures · Unicode steganography · WASM PoW | [`revers\u002F`](revers\u002F) — 9 algorithms |\n\n### 2.2 Attacker Goals & Assumptions\n\nThe attacker (i.e., the reverser) modeled in this project:\n\n- **Goal**: Stably obtain legitimate `_px3` \u002F `_px2` cookies for automated access to business APIs (academic research, price monitoring, compliance automation, security auditing);\n- **Capability**: Access to capture tools (Charles \u002F Fiddler \u002F CDP), residential proxy, test accounts at the target site, Node.js runtime;\n- **Not assumed**: No internal PX source code access, no ability to breach PX's backend, no TLS bypass capability.\n\n### 2.3 Out-of-scope\n\nThe following are **explicitly out of scope**: distributed crawler scheduling, proxy pool management, CAPTCHA OCR \u002F third-party solving, UA pool spoofing, denial-of-service attacks against PX's backend. These belong to operational engineering domains orthogonal to protocol-level and algorithm-level reverse engineering research.\n\n---\n\n## 3. PerimeterX SDK Architecture\n\n### 3.1 Dual-path Defense Overview\n\n```\n ┌──────────────────┐\n │ main.min.js │\n │ (PX Collector) │\n └─────────┬────────┘\n │\n ┌──────────┴──────────┐\n ▼ ▼\n ┌──────────────────────┐ ┌──────────────────────┐\n │ Silent Collector │ │ Press-challenge │\n │ Path │ │ Bundle Path │\n │ ───────────────── │ │ ────────────────── │\n │ · 99% of traffic │ │ · 1% risk-triggered │\n │ · 2 POST │ │ · 4 POST │\n │ · ~300 ms │ │ · WASM + PoW + press│\n │ · No UI │ │ · 10-15 seconds │\n │ · 9 shared algos │ │ · 9 shared + 5 own │\n └──────────┬───────────┘ └──────────┬───────────┘\n │ │\n └─────────────┬───────────┘\n ▼\n ┌──────────────────┐\n │ _px3 \u002F _px2 │\n │ Signed cookie │\n │ ⇒ Business API │\n └──────────────────┘\n```\n\n### 3.2 Collector Path (Silent)\n\nThe Collector path is PX's default silent path, covering 99% of business traffic:\n\n1. **Page load** → `main.min.js` injection, initializes `_px3.appId \u002F state \u002F pxsid \u002F pxhd`;\n2. **Collects 200+ fields** → device fingerprint, browser environment, behavioral cadence, forming EV1 (base) \u002F EV2 (extended);\n3. **First POST `\u002Fapi\u002Fv2\u002Fcollector`** → carries `payload=\u003Cencrypted EV>` + `pc=\u003CHMAC-MD5 signature>` + `sid=\u003Csteganography>`;\n4. **Server responds with OB** → contains `state.no\u002Fqa\u002Fvid\u002Fpxsid\u002Fcts\u002FappId\u002Fjf\u002F...` encrypted fields;\n5. **Second POST `\u002Fapi\u002Fv2\u002Fcollector`** → carries EV2 with server-issued state injected;\n6. **Server issues `_px3` cookie** → TTL typically 330 s (iFood) \u002F 500 s (Grubhub).\n\nFull details in [`main\u002FEN\u002FPX_SDK_Reverse_Engineering.md`](main\u002FEN\u002FPX_SDK_Reverse_Engineering.md) §2-3 (and its EN twin).\n\n### 3.3 Bundle Path (Press-challenge)\n\nThe Bundle path triggers when the risk score exceeds threshold:\n\n1. **Trigger condition** → server returns `px-captcha` HTML or collector refuses to issue `_px3`;\n2. **Loads `captcha.js`** → Bundle-specific SDK with different AppID (iFood = `PXd6f03jmq8h6c7382req0`), includes WASM module;\n3. **6 events** → init \u002F mouse_move \u002F touch \u002F pow_start \u002F pow_done \u002F press_complete;\n4. **Synchronous WASM PoW** → SHA-256 brute-force, CPU work ~5-10 s (**must be synchronous SHA-256; async `crypto.subtle` times out at 600s+**, see gotcha #5);\n5. **Bézier mouse trajectory** → synthesized from 50 real samples → POST to `\u002Fapi\u002Fv1\u002Fcollector`;\n6. **Myanmar-script DOM steganography** → Plane-14 Tag Char + Myanmar characters injected into DOM, defeating Copy-as-cURL replay;\n7. **Issues `_px3`** → with Bundle pass marker.\n\nFull details in [`main\u002FEN\u002FPX_Bundle_Reverse_Methodology.md`](main\u002FEN\u002FPX_Bundle_Reverse_Methodology.md) + [`bundle\u002Fdoc\u002FBundle_Complete_Technical_Doc.md`](bundle\u002Fdoc\u002FBundle_Complete_Technical_Doc.md) (4,996 lines).\n\n### 3.4 Field Taxonomy (EV1 \u002F EV2 \u002F State Three-class Classification)\n\nPX has 200+ total fields. This project introduces a **three-class taxonomy** for the first time:\n\n| Class | Proportion | Characteristics | Handling Strategy |\n|---|---|---|---|\n| **STATIC** | ~40% | Invariant across batches (e.g., `appId \u002F TAG \u002F FT \u002F OS \u002F screen resolution`) | Hard-coded template |\n| **DYNAMIC** | ~50% | Recomputed every run (`uuid \u002F timestamps \u002F mouse_no \u002F focus_no`) | Algorithmic generation |\n| **CONDITIONAL** | ~10% | Depends on server-issued state (`state.no \u002F qa \u002F vid \u002F pxsid`) | Filled in after OB decode |\n\nComplete field table: [`main\u002FEN\u002FEV1_EV2_UNIFIED_REFERENCE.md`](main\u002FEN\u002FEV1_EV2_UNIFIED_REFERENCE.md) (204+ fields with three-class classification + cross-platform mapping).\n\n### 3.5 9 Core Algorithms (Shared Between Both Paths)\n\n| # | Algorithm | Input → Output | Implementation | Doc Section |\n|---|---|---|---|---|\n| 1 | **payload encryption chain** | EV JSON → `PX serialize` → `XOR(50)` → `Base64(UTF-8)` → `20-char interleave` → POST `payload=` | [`revers\u002Fpayload.js`](revers\u002F) | Tech doc §3.1 |\n| 2 | **PC signature** | `HMAC-MD5(serialize(events), uuid:TAG:FT)` → 32 hex → digit retention + letter ASCII%10 → stride pick → 16 chars | [`revers\u002Fpc.js`](revers\u002F) | Tech doc §3.2 |\n| 3 | **OB decode** | Server response string → 27-handler dispatch → `state.*` fields | [`revers\u002Fob.js`](revers\u002F) | Tech doc §3.3 |\n| 4 | **SID Unicode steganography** | `state.pxsid + hh(state.no)` → `hh()` encodes as `U+E0100+` Plane-14 invisible Tag Char | [`revers\u002Fsid.js`](revers\u002F) | Tech doc §3.4 |\n| 5 | **UUID v1** | PX-compatible clockseq (non-standard RFC 4122 behavior) | [`revers\u002Fuuid.js`](revers\u002F) | Tech doc §3.5 |\n| 6 | **Anti-tamper** | `key = te(state.to, parseInt(state.no)%10 + 2)` — **key name is dynamic** | [`revers\u002Fantitamper.js`](revers\u002F) | Tech doc §3.6 |\n| 7 | **Hash (djb2 variant)** | String → 32-bit hash → field fill | [`revers\u002Fhash.js`](revers\u002F) | Tech doc §3.7 |\n| 8 | **Memory** | `performance.memory` synthesis (heap triplet) | [`revers\u002Fmemory.js`](revers\u002F) | Tech doc §3.8 |\n| 9 | **\u002Fns probe** | `\u002Fns` endpoint sync (DNS-like health check) | [`revers\u002Fns.js`](revers\u002F) | Tech doc §3.9 |\n\n### 3.6 Bundle-only +5 Primitives\n\n| # | Primitive | Purpose |\n|---|---|---|\n| B1 | **WASM PoW** | SHA-256 brute-force challenge, must be synchronous |\n| B2 | **Bézier mouse trajectory** | Synthesized from 50 real samples, with catmull-rom interpolation |\n| B3 | **Myanmar-script DOM encoding** | Myanmar characters + Unicode tag injected into DOM, defeats Copy-as-cURL |\n| B4 | **4-group error-stack alignment** | Deliberately triggers 4 JS exception types; stack trace is a fingerprint |\n| B5 | **Press duration \u002F pressure curve** | Synthesis of touch event `force \u002F radiusX \u002F radiusY` |\n\nFull details in [`bundle\u002Fdoc\u002FBundle_Complete_Technical_Doc.md`](bundle\u002Fdoc\u002FBundle_Complete_Technical_Doc.md) §6-12.\n\n---\n\n## 4. Methodology\n\nFull methodology documentation: [`main\u002FEN\u002Fmethodology\u002F`](main\u002FEN\u002Fmethodology\u002F) (10 chapters \u002F 3,389 lines, including 14 tools \u002F algorithm pseudocode \u002F 10 pitfall appendices).\n\n### 4.1 7-Stage Reverse Workflow\n\n| Stage | Goal | Time Budget | Doc |\n|---|---|---|---|\n| **Stage 1 · Capture** | Capture N batches (≥6), varying across accounts \u002F time \u002F IP | 30 min | [01_stage1_capture.md](main\u002FEN\u002Fmethodology\u002F01_stage1_capture.md) |\n| **Stage 2 · Decode** | Decode payload XOR\u002Fb64\u002Finterleave + decode OB response | 1 h | [02_stage2_decode.md](main\u002FEN\u002Fmethodology\u002F02_stage2_decode.md) |\n| **Stage 3 · Classify** | Field three-class classification (STATIC\u002FDYNAMIC\u002FCONDITIONAL) | 1 h | [03_stage3_classify.md](main\u002FEN\u002Fmethodology\u002F03_stage3_classify.md) |\n| **Stage 4 · Locate** | grep for algorithm locations in main.min.js (grep handbook) | 2 h | [04_stage4_locate.md](main\u002FEN\u002Fmethodology\u002F04_stage4_locate.md) |\n| **Stage 5 · Value Match** | `state.* → EV2 b64 key` cross-batch value matching | 1-2 h | [05_stage5_value_match.md](main\u002FEN\u002Fmethodology\u002F05_stage5_value_match.md) |\n| **Stage 6 · Implement** | Write generator + byte-exact diff | 4-8 h | [06_stage6_implement.md](main\u002FEN\u002Fmethodology\u002F06_stage6_implement.md) |\n| **Stage 7 · Validate** | Protocol-level 10\u002F10 + end-to-end business API | 2 h | [07_stage7_validate.md](main\u002FEN\u002Fmethodology\u002F07_stage7_validate.md) |\n\n### 4.2 Cross-platform Porting\n\nBudget for new-site integration: 8–12 h total, with **90% algorithm reuse**; only 5 site-specific constants need replacement (AppID \u002F TAG \u002F FT \u002F endpoint \u002F state→EV2 key mapping). Details in [08_cross_platform.md](main\u002FEN\u002Fmethodology\u002F08_cross_platform.md) + [`main\u002FEN\u002FPX_Complete_SDK_Comparative_Methodology.md`](main\u002FEN\u002FPX_Complete_SDK_Comparative_Methodology.md) (1,441-line iFood-vs-Grubhub comparison).\n\n### 4.3 SDK Upgrade Emergency Playbook\n\nPX collector upgrades every 1-2 months; bundle every 2-3 weeks. This project provides a ~2-hour recovery playbook: [09_sdk_upgrade.md](main\u002FEN\u002Fmethodology\u002F09_sdk_upgrade.md). A real upgrade-diff case study: [`bug_report\u002Fsdk_drift_cases\u002F2026-05-19_ifood\u002F`](bug_report\u002Fsdk_drift_cases\u002F) (iFood mid-version 202→225 b64 dictionary + TAG\u002FFT swap).\n\n---\n\n## 5. Implementation Deep-dive\n\n### 5.1 Algorithm Layer — [`revers\u002F`](revers\u002F)\n\nPure-algorithm Node.js implementations of 9 core algorithms, with zero browser dependency. Each algorithm is byte-exact-verified across all capture batches (6 iFood + 6 Grubhub), with ~100% unit test coverage.\n\n**Core algorithm samples (4 most pitfall-prone)**:\n\n```js\n\u002F\u002F 1. payload encryption chain (revers\u002Fpayload.js)\nevents → PX_serialize(events) \u002F\u002F ⚠️ ≠ JSON.stringify\n → XOR(_, 50) \u002F\u002F single-byte XOR\n → Base64(_, 'utf8') \u002F\u002F ⚠️ must be UTF-8, never Latin-1\n → interleave(_, key_pos) \u002F\u002F 20-char interleave\n \u002F\u002F key_pos = f(uuid, state.no)\n\n\u002F\u002F 2. PC HMAC-MD5 (revers\u002Fpc.js)\nconst md5_hex = hmacMD5(\n PX_serialize(events),\n `${uuid}:${TAG}:${FT}` \u002F\u002F note colon separators\n); \u002F\u002F → 32 hex chars\nconst digits = md5_hex.replace(\u002F[a-f]\u002Fg, c => c.charCodeAt(0) % 10);\nconst pc16 = digits.split('').filter((_, i) => i % 2).join(''); \u002F\u002F 16 chars\n\n\u002F\u002F 3. Anti-tamper dynamic key injection (revers\u002Fantitamper.js)\nconst idx = parseInt(state.no) % 10; \u002F\u002F ⚠️ must parseInt (gotcha #1)\nconst key = te(state.to, idx + 2); \u002F\u002F ⚠️ key NAME is dynamic\nconst val = te(state.to, idx + 1);\nevents.d[key] = val; \u002F\u002F ⚠️ preserve original position (gotcha #17)\n\n\u002F\u002F 4. SID Unicode Tag Char steganography (revers\u002Fsid.js)\nconst sid = state.pxsid + hh(state.no); \u002F\u002F hh() encodes each digit as\n \u002F\u002F U+E0100+ Plane-14 invisible Tag Char\n \u002F\u002F defeats \"Copy as cURL\" replay\n```\n\nComplete algorithm analysis: [`main\u002FEN\u002FPX_SDK_Reverse_Engineering.md`](main\u002FEN\u002FPX_SDK_Reverse_Engineering.md) §3 (2,597 lines of full PX technical reference, EN twin available).\n\n### 5.2 Site Generators — [`stample\u002F`](stample\u002F)\n\nTriple-site mirrored structure (added totalwine 2026-05-25); each site directory contains `px_cookie\u002F` (generator) + `source\u002F` (SDK lock) + `sample\u002F` (6 capture batches) + `script\u002F` (8+ site-specific tools).\n\n| Site | AppID | TAG | FT | Cookie | TTL | Tier | SDK Hash |\n|---|---|---|---|---|---|---|---|\n| **iFood** | `PXO1GDTa7Q` | `U0MmDhUmOnhXSw==` | `401` | `_px3` | 330 s | lenient | `b47a639c…` |\n| **Grubhub** | `PXO97ybH4J` | `FmYgK1gdJEAP` | `359` | `_px2` | 500 s | lenient | `5e81bffc…` |\n| **Total Wine** ⭐ | `PXFF0j69T5` | `CFQ7WU4xIS8MXA==` | `401` | `_px2` | 330 s | **strict** | `9335db02…` |\n\nAll constants are **extracted directly from real POST body captures** ([`stample\u002F{ifood,grub,totalwine}\u002Fsample\u002F`](stample\u002F) — 6 auditable batches per site), not from documentation memory. Smoke tests pass at 21\u002F21 (iFood) \u002F 17\u002F17 (Grubhub) \u002F 22\u002F22 (Total Wine — includes 6 strict-tier-only checks).\n\n**Strict-tier vs lenient-tier** (new 2026-05-25): Total Wine demonstrates that the same PX SDK has different server-side enforcement at different customers. Strict tier adds: 3-POST chain (seq=2 cookie-confirmation beacon), server-side HMAC verification, counter sub-field synchronization, and `state.hid` extraction. See [`skill\u002FAI_re\u002Freferences\u002Fdeployment-tiers.md`](skill\u002FAI_re\u002Freferences\u002Fdeployment-tiers.md) for the full comparison and [`skill\u002FAI_re\u002Freferences\u002Fgotchas.md`](skill\u002FAI_re\u002Freferences\u002Fgotchas.md) Bug #15-#18 for the 4 strict-tier traps.\n\n### 5.3 Bundle Path — [`bundle\u002F`](bundle\u002F)\n\nIndustry-first complete open-source solution to the PX press-challenge:\n\n```\nbundle\u002F\n├── README.md 4-level depth learning path\n├── doc\u002FBundle_完整技术文档.md ⭐ 4,996 lines — Bundle full deconstruction\n├── source\u002F captcha.js + WASM + SDK_INFO\n│ ├── WASM_ANALYSIS.md WASM module reverse analysis\n│ └── SDK_INFO.md Bundle SDK metadata\n├── stample\u002F 4 raw POSTs + 50 mouse tracks + EV templates\n│ └── mouse_tracks\u002F 50 real human mouse tracks (highest collection cost)\n└── script\u002Fuserscripts\u002F\n └── px_bundle3_auto.user.js ⭐ 2,131-line userscript (10\u002F10 production-verified)\n```\n\n**Bundle exclusive technical highlights**:\n\n- **Synchronous WASM PoW** — SHA-256 brute-force, CPU work 5–10 s (must be synchronous; async takes 600s+ and TIMEOUTs)\n- **Bézier trajectory synthesis** — catmull-rom interpolation with statistical sampling from 50 real samples\n- **Myanmar + Plane-14 Tag Char DOM steganography** — defeats Copy-as-cURL replay\n- **4-group error-stack alignment** — deliberately triggers JS exceptions; stack traces are fingerprints\n\nDetails in [`main\u002FEN\u002FPX_Bundle_Reverse_Methodology.md`](main\u002FEN\u002FPX_Bundle_Reverse_Methodology.md) (973-line, 8-stage methodology).\n\n### 5.4 Plan B — [`node_bridge\u002F`](node_bridge\u002F)\n\n**The secondary path for pure-algo failure scenarios** — when PX deploys a new encryption layer (rare but has happened) that temporarily disables the pure-algo approach, the \"environment patching + jsdom\" approach activates:\n\n```\nnode_bridge\u002F\n├── README.md ~400-line introduction + design philosophy\n├── ifood\u002F iFood Bridge implementation\n├── grub\u002F Grubhub Bridge implementation\n└── skill\u002F\n ├── SKILL.md AI Skill entry point (115 lines)\n ├── methodology.md Bridge methodology (520 lines)\n └── new_site_guide.md New site onboarding guide (411 lines)\n```\n\n| Dimension | Layer 1 (Pure-algo) | Layer 2 (Plan B) |\n|---|---|---|\n| Browser dependency | 0 | 0 (jsdom only) |\n| Startup overhead | ~50 ms | ~1-2 s (jsdom init) |\n| Per-call speed | ~500 ms | ~2-3 s |\n| New encryption layer response | Algorithm-side rewrite required | jsdom auto-evaluates, **no rewrite needed** |\n| Maintenance cost | 1-2 small upgrades per month | Nearly zero (PX algorithm changes have no impact) |\n| Use case | 99% default production | Emergency \u002F long-tail sites \u002F fast new-site onboarding |\n\nPlan B is the project's **disaster-recovery insurance**, ensuring business continuity during major PX refactors.\n\n---\n\n## 6. Evaluation\n\n### 6.1 Protocol-level Validation (2026-05-20)\n\n| Site | Verification | Result |\n|---|---|---|\n| **ifood.com.br** | AppID `PXO1GDTa7Q` · TAG `U0MmDhUmOnhXSw==` · FT `401` · cookie `_px3` (ttl 330) · 2-POST chain · lenient tier | **10\u002F10 pass** |\n| **grubhub.com** | AppID `PXO97ybH4J` · TAG `FmYgK1gdJEAP` · FT `359` · cookie `_px2` (ttl 500) · 2-POST chain · lenient tier | **10\u002F10 pass** |\n| **totalwine.com** ⭐ | AppID `PXFF0j69T5` · TAG `CFQ7WU4xIS8MXA==` · FT `401` · cookie `_px2` (ttl 330) · **3-POST chain** · **strict tier** | **10\u002F10 pass** (2026-05-25) |\n| **iFood Bundle press** | Bundle AppID `PXd6f03jmq8h6c7382req0` · FT `388` · 6 events + WASM + PoW | **10\u002F10 pass** |\n\nAll constants are **extracted directly from real POST body captures** ([`stample\u002F{ifood,grub,totalwine}\u002Fsample\u002F`](stample\u002F) — 6 auditable batches per site), not relying on documentation memory.\n\n### 6.2 End-to-end Business API (2026-05-21 \u002F 2026-05-25 for totalwine)\n\nBeyond byte correctness, this means **real proxy + real business API calls + real HTTP 200 responses**. Full journal: [`stample\u002Flive_validation\u002Fjournal\u002F2026-05-21.md`](stample\u002Flive_validation\u002Fjournal\u002F2026-05-21_EN.md)\n\n| Site | Proxy | Business API | Real Response |\n|---|---|---|---|\n| **iFood** | BR residential (Bright Data) | `POST cw-marketplace.ifood.com.br\u002Fv1\u002Fmerchant-info\u002Fgraphql?lat&lng&channel=IFOOD` | ✅ HTTP 200 → `{ name: \"Sorveteria Coelhinho - Shopping Vitória\", userRating: 5, available: false }` |\n| **Grubhub** | Local direct (US proxy optional) | `POST \u002Fauth (anonymous) + \u002Fauth\u002Flogin (Bearer + real account)` | ✅ HTTP 200 anon_token + HTTP 463 verify_methods (business-layer OTP; desktop 5\u002F5 same verdict) |\n| **Total Wine** ⭐ | US residential (Bright Data) | `GET totalwine.com\u002Fsearch\u002Fall?text=wine` (PX-gated SRP HTML) | ✅ HTTP 200 → 1.3 MB real SRP HTML × 10\u002F10 independent sessions on different exit IPs (strict-tier Layer 3.5 validation) |\n\n**Additional finding**: iFood's server stack also runs **Akamai Bot Manager** (response `set-cookie: ak_bmsc=...`); legitimate PX cookie + BR IP simultaneously passes both Akamai and PX layers.\n\n### 6.3 Cross-vendor Comparison\n\nFull horizontal comparison: [`research\u002F04_cross_vendor_comparison\u002F`](research\u002F04_cross_vendor_comparison\u002F). Summary matrix:\n\n| Dimension | PerimeterX | DataDome | Akamai BMP | Cloudflare |\n|---|---|---|---|---|\n| Client-side obfuscation strength | ★★★★☆ | ★★★★★ | ★★★☆☆ | ★★★☆☆ |\n| WASM PoW | ✅ Bundle | ✅ | ❌ | ⚠️ optional |\n| Behavioral analysis | ★★★★☆ | ★★★☆☆ | ★★★★☆ | ★★☆☆☆ |\n| Public reverse material | **This project = most complete** | medium | low | high |\n\n---\n\n## 7. Empirical Findings (Gotcha Record)\n\n**The project's most unique asset**. 68 production-environment-verified failure modes + 19 fine-grained gotcha entries, each representing actual debug time (at least 1 hour).\n\n### 7.1 Top 5 Critical Pitfalls (Read Before You Code)\n\n1. ⭐⭐⭐ **`state.no` must be `parseInt`** — string causes PC to pass but `_px3` not issued; ~90% of newcomers hit this ([gotcha #01](bug_report\u002Fgotchas\u002F01_state_no_parseint.md))\n2. ⭐⭐⭐ **Anti-tamper field position destruction** — `delete + add` moves the key to the end, changing iteration order → signature mismatch ([gotcha #06](bug_report\u002Fgotchas\u002F06_ob_handler_by_name.md))\n3. ⭐⭐⭐ **`state.* → EV2 b64 key` is completely different per site** — iFood vs Grubhub use different injection keys ([gotcha #11](bug_report\u002Fgotchas\u002F11_state_to_ev2_key.md))\n4. ⭐⭐⭐ **base64's `+` must NOT be replaced with space** — Python `urllib.parse.unquote_plus` will eat the `+` ([gotcha #02](bug_report\u002Fgotchas\u002F02_utf8_latin1_xor.md))\n5. ⭐⭐⭐ **WASM PoW must use synchronous SHA-256** — `crypto.subtle` async approach times out at 600s+ ([gotcha #16](bug_report\u002Fgotchas\u002F16_pxuuid_wasm_init.md))\n\n### 7.2 68 Documented Failure Modes (4 Major Categories)\n\n| File | Path | Count | Representative Pitfalls |\n|---|---|---|---|\n| [`1_collector_path.md`](bug_report\u002F1_collector_path_EN.md) | Silent Collector path | **33** | parseInt \u002F anti-tamper \u002F b64 \u002F state mapping |\n| [`2_bundle_path.md`](bug_report\u002F2_bundle_path_EN.md) | Press-challenge Bundle path | **20** | WASM PoW \u002F Myanmar script \u002F error stack \u002F mouse trajectory |\n| [`3_environment.md`](bug_report\u002F3_environment_EN.md) | Environment \u002F infrastructure | **8** | IP \u002F TLS \u002F UA \u002F Python sid encoding |\n| [`4_sdk_drift.md`](bug_report\u002F4_sdk_drift_EN.md) | SDK version drift | **7** | b64 dictionary \u002F TAG\u002FFT swap \u002F function name change |\n\n### 7.3 19 Fine-grained Gotchas — [`bug_report\u002Fgotchas\u002F`](bug_report\u002Fgotchas\u002F)\n\nEach in its own file with complete fix code + unit tests:\nstate_no_parseint · utf8_latin1_xor · antitamper_position · pc_md5_slice · sid_stego_even_tag · ob_handler_by_name · uuid_v1_clock · hq_index_off_by_one · wire_chars_confusion · interleave_odd_length · state_to_ev2_key · cross_event_key_reuse · ip_rate_limit · cookie_ttl · jf_offset_minus_one · pxuuid_wasm_init · pointer_float_coords · press_duration_mismatch · myanmar_template_drift\n\n### 7.4 SDK Drift Longitudinal Study — [`research\u002F02_sdk_drift_longitudinal\u002F`](research\u002F02_sdk_drift_longitudinal\u002F)\n\n3-year longitudinal tracking across 2024–2026, plus a real iFood mid-version upgrade diff case study ([`sdk_drift_cases\u002F2026-05-19_ifood\u002F`](bug_report\u002Fsdk_drift_cases\u002F)). Key findings:\n\n- **Algorithm layer unchanged for 3 years** — standard MD5 \u002F HMAC \u002F UUID \u002F SHA-256 etc.\n- **Surface layer rotates every upgrade** — function names, line numbers, b64 key dictionary, wire character set\n- **Average upgrade recovery time** — 1–3 hours (following the [09_sdk_upgrade.md](main\u002FEN\u002Fmethodology\u002F09_sdk_upgrade.md) playbook)\n\n### 7.5 Field Entropy Analysis — [`research\u002F01_field_entropy\u002F`](research\u002F01_field_entropy\u002F)\n\nEntropy analysis of dynamism for 204+ EV1\u002FEV2 fields, quantifying per-field stability across batches, providing data-driven support for the three-class field taxonomy.\n\n---\n\n## 8. Project Structure\n\n```\nperimeter\u002F v2.0 · 2026-05-23\n│\n├── README.md \u002F README.zh.md ← This file (bilingual · paper-level overview; EN = root README, ZH companion in README.zh.md)\n├── LICENSE ⭐ Dual-track License (AGPL-3.0 code + CC BY-NC-SA 4.0 docs)\n│\n├── main\u002F ⭐ Core technical docs (bilingual track)\n│ ├── ZH\u002F Chinese (10,800+ lines)\n│ │ ├── methodology\u002F ⭐ 10-chapter methodology (3,389 lines)\n│ │ │ ├── README.md Entry + learning paths (130 lines)\n│ │ │ ├── 00_overview.md 7-stage map + time budget (210 lines)\n│ │ │ ├── 01..09_stage*.md 9 detailed chapters\n│ │ │ └── appendix\u002F 14 tools \u002F algorithm pseudocode \u002F 10 pitfalls\n│ │ ├── EV1_EV2_UNIFIED_REFERENCE ⭐ 204+ fields + cross-platform mapping (227 lines)\n│ │ ├── PX_SDK_逆向技术文档.md 2,597 lines — full PX technical reference\n│ │ ├── PX_逆向方法论_通用版.md 1,233 lines — legacy single-file methodology\n│ │ ├── PX_完整SDK对照逆向方法论 1,441 lines — iFood vs Grubhub comparison\n│ │ └── PX_Bundle_逆向方法论.md 973 lines — Bundle 8-stage methodology\n│ └── EN\u002F English mirror — 4 core docs + full 10-chapter methodology + appendix\n│\n├── research\u002F ⭐ 6 English research dossiers (academic skeleton)\n│ ├── 01_field_entropy\u002F Field dynamism entropy analysis\n│ ├── 02_sdk_drift_longitudinal\u002F 3-year SDK upgrade timeline\n│ ├── 03_threat_model\u002F ⭐ Formal threat model\n│ ├── 04_cross_vendor_comparison\u002F PX vs DataDome vs Akamai vs Cloudflare\n│ ├── 05_field_isolation_experiments\u002F Field isolation experiments\n│ └── 06_failure_modes\u002F Failure mode taxonomy\n│\n├── revers\u002F ⭐ 9 pure-algorithm Node.js implementations\n│ ├── payload.js EV → POST `payload=` (XOR+b64+interleave)\n│ ├── pc.js HMAC-MD5 + digit extraction → 16-char PC\n│ ├── ob.js OB decode + handler dispatch (27 handlers)\n│ ├── sid.js SID + Unicode Tag Char steganography\n│ ├── uuid.js UUID v1 (PX-compatible clockseq)\n│ ├── hash.js djb2 variant\n│ ├── memory.js performance.memory synthesis\n│ ├── antitamper.js Dynamic XOR key\u002Fvalue injection\n│ └── ns.js \u002Fns endpoint sync\n│\n├── node_bridge\u002F ⭐ Plan B — fallback for pure-algo failure (jsdom env)\n│ ├── README.md ~400 lines intro + design philosophy\n│ ├── ifood\u002F grub\u002F Dual-site bridge implementations\n│ └── skill\u002F AI Skill package\n│ ├── SKILL.md 115 lines — AI entry\n│ ├── methodology.md 520 lines — Bridge methodology\n│ └── new_site_guide.md 411 lines — new-site onboarding guide\n│\n├── skill\u002F ⭐ AI agent skill packages (let AI reverse for you)\n│ ├── AI_re\u002F PX reverse-engineering skill\n│ │ ├── README.md Entry\n│ │ ├── SKILL.md ⭐ AI invocation entry (feed Claude \u002F Cursor this)\n│ │ ├── skills\u002F ⭐ 4 user-intent manifests\n│ │ │ ├── px_capture\u002F Capture N new sample batches\n│ │ │ ├── px_decode\u002F Decode a batch\n│ │ │ ├── px_port_to_new_platform\u002F Cross-site generator porting\n│ │ │ └── px_sdk_drift_audit\u002F SDK upgrade response\n│ │ ├── playbooks\u002F ⭐ 9 operation playbooks (\"how to do\")\n│ │ ├── references\u002F ⭐ 5 knowledge layer references (\"what is\")\n│ │ └── scripts\u002F ⭐ 14 CLI tools\n│ └── cdp\u002F Real Chrome CDP capture skill (no webdriver signatures)\n│\n├── stample\u002F ⭐ Site implementation layer (triple-site mirror)\n│ ├── ifood\u002F\n│ │ ├── px_cookie\u002F ifood_px3.js + templates + smoke_test 21\u002F21 ✓\n│ │ ├── source\u002F main.min.js (locked at SHA b47a639c…)\n│ │ ├── sample\u002F 6 real capture batches × 11 files\n│ │ ├── px_cookie\u002Fbusiness_api_demo.js End-to-end business API demo\n│ │ ├── script\u002F 8 iFood-specific scripts\n│ │ └── RESEARCH_PURPOSE.md Research purpose statement\n│ ├── grub\u002F (Same structure as iFood)\n│ ├── totalwine\u002F ⭐ NEW 2026-05-25 (strict-tier deployment)\n│ │ ├── px_cookie\u002F totalwine_px2.js + EV1\u002FEV2\u002FEV3 templates + smoke 22\u002F22 ✓\n│ │ ├── source\u002F main.min.js (locked at SHA 9335db02…)\n│ │ ├── sample\u002F 6 real capture batches × 13 files (含 EV3 解码)\n│ │ ├── script\u002F 8 scripts (3 are strict-tier-only: diff_ev2, find_hmac, smoke_10x_e2e)\n│ │ └── RESEARCH_PURPOSE.md Strict vs lenient tier — 5 root causes documented\n│ └── live_validation\u002F ⭐ End-to-end business API validation journal\n│ └── journal\u002F2026-05-21.md BR residential proxy + dual-site HTTP 200\n│\n├── bundle\u002F ⭐ Complete Bundle press-challenge solution\n│ ├── README.md 4-level depth learning path\n│ ├── doc\u002FBundle_完整技术文档.md ⭐ 4,996 lines — Bundle full deconstruction\n│ ├── source\u002F captcha.js + WASM + SDK_INFO\n│ ├── stample\u002F Samples (4 raw POSTs + 50 mouse tracks)\n│ │ ├── mouse_tracks\u002F ⭐ 50 real human mouse tracks (highest collection cost)\n│ │ └── README.md\n│ └── script\u002Fuserscripts\u002F\n│ └── px_bundle3_auto.user.js ⭐ 2,131-line userscript (10\u002F10)\n│\n└── bug_report\u002F ⭐ 68 production gotchas (most unique asset)\n ├── README.md 4-file classification entry\n ├── 1_collector_path.md Collector path 33 entries\n ├── 2_bundle_path.md Bundle path 20 entries\n ├── 3_environment.md Environment \u002F infrastructure 8 entries\n ├── 4_sdk_drift.md SDK version drift 7 entries\n ├── gotchas\u002F ⭐ 19 fine-grained entries (each: file + fix + test)\n └── sdk_drift_cases\u002F ⭐ Real upgrade-diff case studies\n └── 2026-05-19_ifood\u002F iFood mid-version (202→225 b64 dict + TAG\u002FFT swap)\n```\n\n---\n\n## 9. Reproduction · Quick Start\n\n### 9.1 5-minute Quick Start\n\n```bash\n# 1. clone + install\ngit clone \u003Crepo-url> perimeter\ncd perimeter && npm install\n\n# 2. iFood — generate _px3\ncd stample\u002Fifood\u002Fpx_cookie\nnode smoke_test.js # self-test 21\u002F21 ✓\nnode ifood_px3.js # real _px3\n# Expected output:\n# ✅ _px3=eyJ1IjoiYWJj... ttl=330\n# uuid: c83577f0-5420-11f1-...\n# ev1_fields: 14, ev2_fields: 204\n\n# 3. Grubhub — generate _px2\ncd ..\u002F..\u002F..\u002Fstample\u002Fgrub\u002Fpx_cookie\nnode smoke_test.js # self-test 17\u002F17 ✓\nnode grubhub_px2.js\n\n# 4. Total Wine — generate _px2 (strict-tier, 3-POST chain)\ncd ..\u002F..\u002F..\u002Fstample\u002Ftotalwine\u002Fpx_cookie\nnode smoke_test.js # self-test 22\u002F22 ✓ (includes 6 strict-tier-only checks)\n# Generator requires US residential proxy:\n$env:HTTPS_PROXY = 'http:\u002F\u002F\u003Cuser>-session-\u003Cid>:\u003Cpwd>@\u003Chost>:\u003Cport>'\nnode totalwine_px2.js\n# Expected: _px2=… ttl=330, ev1=13, ev2=199, ev3=11, seq2_status=200\n\n# 5. Bundle path (press-challenge) — install userscript\n# Install Tampermonkey in browser → load bundle\u002Fscript\u002Fuserscripts\u002Fpx_bundle3_auto.user.js\n# Visit https:\u002F\u002Fwww.ifood.com.br\u002F → trigger challenge → automatic _px3\n```\n\n500 ms to complete the full PX handshake (lenient-tier, 2 POSTs); ~6 s for strict-tier 3-POST chain. 10 cryptographic algorithms shared across all 3 sites — only protocol assembly differs.\n\n### 9.2 End-to-end Business API (Proxy Required)\n\n```bash\n# iFood (requires BR residential proxy)\nexport HTTPS_PROXY='http:\u002F\u002F\u003Cuser>:\u003Cpwd>@\u003Chost>:\u003Cport>'\nnode stample\u002Fifood\u002Fpx_cookie\u002Fbusiness_api_demo.js\n# → HTTP 200 { name: \"Sorveteria Coelhinho\", userRating: 5, ... }\n\n# Grubhub (proxy optional; for full chain add credentials via env vars)\nexport GRUBHUB_EMAIL='your@email.com'\nexport GRUBHUB_PASSWORD='yourpassword'\nnode stample\u002Fgrub\u002Fpx_cookie\u002Fbusiness_api_demo.js\n# → HTTP 200 anon_token + HTTP 463 verify_methods\n\n# Total Wine ⭐ (strict-tier — REQUIRES US residential proxy)\nexport HTTPS_PROXY='http:\u002F\u002F\u003Cuser>-session-\u003Cid>:\u003Cpwd>@\u003Chost>:\u003Cport>'\nnode stample\u002Ftotalwine\u002Fpx_cookie\u002Fbusiness_api_demo.js\n# → HTTP 200 + ~1.3 MB real SRP HTML\n# For 10\u002F10 stability test (different exit IP each iteration):\npython stample\u002Ftotalwine\u002Fscript\u002Fsmoke_10x_e2e.py\n```\n\n### 9.3 Bundle Userscript (Press-challenge Automation)\n\n```\n1. Install Tampermonkey extension\n2. Load bundle\u002Fscript\u002Fuserscripts\u002Fpx_bundle3_auto.user.js (2,131 lines)\n3. Visit https:\u002F\u002Fwww.ifood.com.br\u002F or https:\u002F\u002Fwww.grubhub.com\u002F\n4. Trigger risk challenge → script auto-solves WASM PoW + synthesizes Bézier trajectory + submits press\n5. Server issues _px3 → business API accessible\n```\n\n---\n\n## 10. Tooling\n\n14 CLI tools ([`skill\u002FAI_re\u002Fscripts\u002F`](skill\u002FAI_re\u002Fscripts\u002F)) + site-specific scripts:\n\n```bash\n# 1. Decode a single capture payload\nnode skill\u002FAI_re\u002Fscripts\u002Fdecode_payload.js stample\u002Fifood\u002Fsample\u002F1\u002Frequest_1.txt\n# → EV1\u002FEV2 JSON output\n\n# 2. Decode OB response (27-handler dispatch)\nnode skill\u002FAI_re\u002Fscripts\u002Fdecode_response.js \\\n stample\u002Fifood\u002Fsample\u002F1\u002Fresponse_1.json \\\n U0MmDhUmOnhXSw==\n# → state.no\u002Fqa\u002Fvid\u002Fpxsid\u002Fcts\u002FappId\u002Fjf\u002F...\n\n# 3. Cross-batch field three-class classification (STATIC\u002FDYNAMIC\u002FCONDITIONAL)\nnode skill\u002FAI_re\u002Fscripts\u002Fdiff_samples.js \\\n stample\u002Fifood\u002Fsample\u002F{1..6}\u002Fdecoded_payload_2.json\n# → field stability matrix\n\n# 4. state.* → EV2 b64 key cross-batch value matching (⭐ key script)\npython skill\u002FAI_re\u002Fscripts\u002Ffind_state_keys_in_ev2.py\n# → cross-platform mapping table\n\n# 5. My generated vs real captured — field-level diff\npython stample\u002Fifood\u002Fscript\u002Fcompare_my_ev2.py \u002Ftmp\u002Fmy_ev2.json\n\n# 6. HTTP request byte-level diff\npython stample\u002Fifood\u002Fscript\u002Fdiff_http.py \u002Ftmp\u002Fmy_post.txt\n\n# 7. Verify decode-loop closure across all batches\n.\u002Fstample\u002Fifood\u002Fscript\u002Fverify_all.sh\n# → Expected: 6\u002F6 pass — decoder works against current SDK\n```\n\nFull 14-tool listing: [`skill\u002FAI_re\u002Fscripts\u002FREADME.md`](skill\u002FAI_re\u002Fscripts\u002F) and [`main\u002FEN\u002Fmethodology\u002Fappendix\u002FA_tools.md`](main\u002FEN\u002Fmethodology\u002Fappendix\u002FA_tools.md).\n\n---\n\n## 11. AI Skill Integration\n\n> **⭐ Industry-first dual-skill loop enabling AI agents to perform end-to-end 0→1 autonomous reverse engineering of PerimeterX sites.**\n\nThis project encapsulates the complete methodology into **two complementary AI Skills**. Used together, they enable Claude Code \u002F Cursor to **independently complete all 8 stages of new-site onboarding** — no manual capture, no manual decoding, no manual generator writing required.\n\n### 11.1 Dual-Skill Cooperative Architecture\n\n```\n┌────────────────────────────────────────────────────────────────────┐\n│ AI End-to-end 0→1 Loop │\n└────────────────────────────────────────────────────────────────────┘\n\n Stage 0-3 [10 min] Stage 4-8 [4-8 hours]\n ┌──────────────────┐ ┌──────────────────────┐\n │ skill\u002Fcdp\u002F │ ───────→ │ skill\u002FAI_re\u002F │\n │ ────────────── │ │ ────────────────── │\n │ Launch Chrome │ │ Decode payload + OB │\n │ Capture 6+ batch│ │ Field 3-class │\n │ Download SDK │ │ state.* value match │\n │ Pin SDK version │ │ Write generator │\n │ No webdriver │ │ 10\u002F10 validation │\n │ No bot trigger │ │ E2E business API │\n └──────────────────┘ └──────────────────────┘\n ↑ ↓\n └───────── shared stample\u002F\u003Csite>\u002F ───┘\n```\n\n**The cooperative relationship is explicitly documented in [`skill\u002FAI_re\u002FSKILL.md`](skill\u002FAI_re\u002FSKILL.md) lines 77-85**:\n\n```\nskill\u002Fcdp\u002F ← Stage 0-3: Launch Chrome + capture + download SDK + pin version + 6 batches\nskill\u002FAI_re\u002F ← Stage 4-8: Locate constants\u002Ffunctions + decode + field analysis + generator + 10\u002F10\n```\n\nComplete 8-stage end-to-end workflow: [`skill\u002FAI_re\u002Fplaybooks\u002Fmaster-workflow.md`](skill\u002FAI_re\u002Fplaybooks\u002Fmaster-workflow.md).\n\n### 11.2 [`skill\u002Fcdp\u002F`](skill\u002Fcdp\u002F) — Real Chrome CDP Capture Skill\n\nControls real Chrome via Chrome DevTools Protocol; **no webdriver signatures, does not trigger anti-bot**. The AI uses this to autonomously:\n\n- **Capture 6+ batches of PX collector POST samples** (Stage 0-3 fully automated)\n- **Download and pin SDK version** (automatic sha256 verification ensures all 6 batches share the same SDK)\n- Analyze XHR \u002F Fetch \u002F WebSocket traffic, inject JS, screenshot, manipulate DOM\n- Alternative native mode (`agent-browser --native`, pure-Rust, faster startup)\n\n**Key scripts**: [`skill\u002Fcdp\u002Fscripts\u002Fcapture_via_cdp_ifood.py`](skill\u002Fcdp\u002Fscripts\u002F) + `capture_via_cdp_grubhub.py` — dual-site dedicated capturers, already wired into the `skill\u002FAI_re\u002Fskills\u002Fpx_capture\u002F` entry.\n\n### 11.3 [`skill\u002FAI_re\u002F`](skill\u002FAI_re\u002F) — PX Reverse Core Skill\n\nEnd-to-end skill that completely reconstructs the PX SDK collector POST chain (silent mode) using pure algorithms. Asset inventory:\n\n| Category | Count | Contents |\n|---|---|---|\n| **User intent manifests** ([`skills\u002F`](skill\u002FAI_re\u002Fskills\u002F)) | **4** | `px_capture` (invokes cdp) · `px_decode` · `px_port_to_new_platform` · `px_sdk_drift_audit` |\n| **Playbook operation manuals** ([`playbooks\u002F`](skill\u002FAI_re\u002Fplaybooks\u002F)) | **9** | master-workflow ⭐⭐⭐ \u002F identify-sdk-version \u002F extract-constants \u002F locate-all-constants \u002F locate-functions \u002F locate-field-sources \u002F reverse-algorithms \u002F build-generator \u002F validate-generator |\n| **Reference knowledge layer** ([`references\u002F`](skill\u002FAI_re\u002Freferences\u002F)) | **5** | algorithm-chain (5 major algorithm formulas) \u002F locate-by-pattern ⭐ (cross-version grep handbook) \u002F handler-table (27 OB handlers) \u002F field-categories (STATIC\u002FDYNAMIC\u002FCONDITIONAL) \u002F gotchas ⭐ (19 entries) |\n| **Algorithm modules** (`reverse\u002F`) | **9** | payload \u002F pc \u002F ob \u002F sid \u002F uuid \u002F hash \u002F memory \u002F antitamper \u002F ns — directly `require()`-able |\n| **CLI tools** (`scripts\u002F`) | **14** | Decode (3) · Cross-batch analysis (4) · state value match (1) · Field location (2) · Byte-level diff (2) · Version migration (1) · End-to-end validation (1) |\n\n### 11.4 AI End-to-end 0→1 Full Workflow\n\nA single command invokes the AI to autonomously run all 8 stages:\n\n```\n@skill\u002FAI_re\u002FSKILL.md\nPlease port doordash.com — mirror the grubhub\u002F structure\n```\n\nThe AI will then automatically execute:\n\n| Stage | AI Action | Invokes |\n|---|---|---|\n| **Stage 0** | Identify SDK URL + AppID | `skill\u002Fcdp\u002F` network sniffing |\n| **Stage 1** | Launch real Chrome + capture 6+ batches | `cdp\u002Fscripts\u002Fcapture_via_cdp_*.py` |\n| **Stage 2** | Decode 6 batches of payload + OB | `decode_payload.js` + `decode_response.js` |\n| **Stage 3** | Field three-class classification | `diff_samples.js` |\n| **Stage 4** | state.* → EV2 b64 key value matching | `find_state_keys_in_ev2.py` ⭐⭐⭐ |\n| **Stage 5** | Locate 5 site constants from SDK source | `playbooks\u002Flocate-all-constants.md` |\n| **Stage 6** | Build STATIC templates + write generator | `build_templates.js` + `playbooks\u002Fbuild-generator.md` |\n| **Stage 7** | Byte-level diff validation | `diff_http_request.py` + `compare_ev2_field_by_field.py` |\n| **Stage 8** | 10\u002F10 stability test + end-to-end business API | `verify_batch.js` |\n\n**Estimated total time**: 8–12 hours fully autonomous for a new site (including 10 min capture + AI inference + diff iteration). **90% algorithm reuse from existing sites; 5 site-specific constants auto-located in SDK by AI**.\n\n### 11.5 Four Pre-built AI Intent Entries\n\nEach intent entry is an independent SKILL manifest, with complete procedure + quality gates + output spec:\n\n```bash\n# Capture 6+ new batches (with SDK hash consistency check)\n@skill\u002FAI_re\u002Fskills\u002Fpx_capture\nPlease capture 6 batches of ifood.com.br, save to stample\u002Fifood\u002Fsample\u002F\n\n# Decode a batch (decode payload + OB, output decoded_*.json)\n@skill\u002FAI_re\u002Fskills\u002Fpx_decode\nPlease decode stample\u002Fgrub\u002Fsample\u002F3\u002F\n\n# Cross-site generator port (90% algorithm reuse, 5 constants auto-located)\n@skill\u002FAI_re\u002Fskills\u002Fpx_port_to_new_platform\nPlease port doordash.com, mirror grubhub\u002F structure\n\n# SDK upgrade response (auto-diff old SDK + propose migration path)\n@skill\u002FAI_re\u002Fskills\u002Fpx_sdk_drift_audit\niFood upgraded again, please run sdk_drift_audit\n```\n\n### 11.6 Limitations (Fair Disclosure)\n\nWhile the AI can autonomously run the Collector path 0→1, the **Bundle path** still requires two pre-stocked assets:\n\n| Item | Limitation | Pre-stocked Material |\n|---|---|---|\n| WASM module static analysis | Binary disassembly remains manual | [`bundle\u002Fsource\u002FWASM_ANALYSIS.md`](bundle\u002Fsource\u002FWASM_ANALYSIS_EN.md) already dissected |\n| Mouse trajectory generation | Requires sampling from real samples | [`bundle\u002Fstample\u002Fmouse_tracks\u002F`](bundle\u002Fstample\u002F) — 50 real human tracks |\n\nThat is, **the AI does not need to do these from scratch** — it can directly reuse project assets to complete the Bundle path.\n\n---\n\n## 12. By Role · Reading Guide\n\n| If you are… | Recommended entry |\n|---|---|\n| **First-time visitor** | This README + [`main\u002FEN\u002FPX_SDK_Reverse_Engineering.md`](main\u002FEN\u002FPX_SDK_Reverse_Engineering.md) §1-2 (60-second architecture overview) |\n| **Engineer** (need `_px3`) | Just run [`stample\u002Fifood\u002Fpx_cookie\u002Fifood_px3.js`](stample\u002Fifood\u002Fpx_cookie\u002F) → 5 minutes |\n| **Learner** (teach me anti-bot reverse) | ⭐ [`main\u002FEN\u002Fmethodology\u002F`](main\u002FEN\u002Fmethodology\u002F) 10-chapter (14 tools + algorithm pseudocode + 10 pitfalls) |\n| **Reverse engineer** (new site) | ⭐ [`methodology\u002F04_stage4_locate.md`](main\u002FEN\u002Fmethodology\u002F04_stage4_locate.md) (grep handbook) + [`05_stage5_value_match.md`](main\u002FEN\u002Fmethodology\u002F05_stage5_value_match.md) + [`skill\u002FAI_re\u002Fplaybooks\u002Fmaster-workflow.md`](skill\u002FAI_re\u002Fplaybooks\u002Fmaster-workflow.md) |\n| **Want to do Bundle** (press-challenge) | [`bundle\u002FREADME.md`](bundle\u002FREADME_EN.md) → [`main\u002FEN\u002FPX_Bundle_Reverse_Methodology.md`](main\u002FEN\u002FPX_Bundle_Reverse_Methodology.md) |\n| **Can't get _px3, debugging** | [`bug_report\u002FREADME.md`](bug_report\u002FREADME_EN.md) → match against 4 categories → [`gotchas\u002F`](bug_report\u002Fgotchas\u002F) 19 entries |\n| **SDK upgraded, emergency** | ⭐ [`methodology\u002F09_sdk_upgrade.md`](main\u002FEN\u002Fmethodology\u002F09_sdk_upgrade.md) (~2h recovery playbook) |\n| **Cross-platform porting** | [`main\u002FEN\u002FPX_Complete_SDK_Comparative_Methodology.md`](main\u002FEN\u002FPX_Complete_SDK_Comparative_Methodology.md) + [`methodology\u002F08_cross_platform.md`](main\u002FEN\u002Fmethodology\u002F08_cross_platform.md) |\n| **Pure-algo failed, need fallback** | ⭐ [`node_bridge\u002FREADME.md`](node_bridge\u002FREADME_EN.md) → env patching + jsdom secondary path |\n| **AI-driven reversing** | [`skill\u002FAI_re\u002FSKILL.md`](skill\u002FAI_re\u002FSKILL.md) (feed to Claude Code \u002F Cursor) |\n| **Academic research \u002F teaching** | [`main\u002FEN\u002F`](main\u002FEN\u002F) 4 core docs + [`research\u002F`](research\u002F) 6 English research dossiers |\n| **Contributor** (add new site) | Mirror the [`stample\u002Fgrub\u002F`](stample\u002Fgrub\u002F) structure, walk through 7-stage methodology |\n\n---\n\n## 13. Maintenance Cost & Limitations\n\n### 13.1 Maintenance Cost\n\n| Item | Cadence | Effort |\n|---|---|---|\n| Collector minor upgrade (function name \u002F line number swap) | 1-2× \u002F month | 30 min (following [09_sdk_upgrade.md](main\u002FEN\u002Fmethodology\u002F09_sdk_upgrade.md) playbook) |\n| Collector medium upgrade (b64 dict + TAG\u002FFT swap) | Every 2-3 months | 1-2 h (see [2026-05-19 case](bug_report\u002Fsdk_drift_cases\u002F2026-05-19_ifood\u002F)) |\n| Collector major upgrade (new encryption layer) | Rare, every 6-12 months | Plan B can mitigate immediately; pure-algo side requires 4-8 h rewrite |\n| Bundle upgrade (WASM \u002F challenge type change) | Every 2-3 weeks | 1-3 h |\n| New site onboarding | — | 8-12 h (90% algorithm reuse) |\n\n### 13.2 Limitations\n\n- **This project covers only iFood + Grubhub**. Other PX sites (DoorDash \u002F Zillow \u002F Crunchyroll etc.) require onboarding via the methodology;\n- **Bundle userscript depends on Tampermonkey + real browser** — non-pure-algo; the Bundle path cannot be fully headless (WASM modules require full V8 + DOM);\n- **PX SDK major refactors are rare but happen**: Plan B node_bridge is the disaster-recovery insurance, but **each refactor still requires 4-8 h of pure-algo-side rewrite** to return to pure-algo performance tier.\n\n### 13.3 Future Work\n\n- Onboard more PX sites (DoorDash \u002F Zillow in plan)\n- Automate WebAssembly static analysis (currently manual)\n- ML model for mouse trajectory synthesis (currently statistical sampling from 50 real samples)\n- Complete Chinese → English bilingualization (top-level README + 4 gotcha files + Bundle + node_bridge + 10-chapter methodology + EV1\u002FEV2 reference + full stample mirror landed; remaining long-form docs ongoing)\n\n---\n\n## 14. Related Work\n\n### 14.1 Public PerimeterX Research\n\nPublic-domain in-depth analyses of PX are extremely scarce. This project's positioning:\n\n| Source | Coverage | Limitations |\n|---|---|---|\n| Scattered blog posts (GitHub gists \u002F Zhihu \u002F Medium) | Single algorithm or single bug | Lacks end-to-end, methodology, longitudinal tracking |\n| Akamai \u002F DataDome \u002F Cloudflare public research | Horizontal comparison | Doesn't dive into PX internals |\n| **This project** | **9 algorithms + dual-site + Bundle + 68 gotchas + 3-year longitudinal + AI Skill + Plan B** | — |\n\n### 14.2 Cross-vendor Comparison\n\nDetails in [`research\u002F04_cross_vendor_comparison\u002F`](research\u002F04_cross_vendor_comparison\u002F).\n\n### 14.3 Adjacent Projects\n\n- **undetected-chromedriver \u002F playwright-stealth** — Browser-side anti-detection; orthogonal to this project's pure-algo reversing\n- **curl_cffi \u002F hrequests** — TLS fingerprint simulation; complementary to this project's protocol-layer work\n\n---\n\n## 15. Bilingual Status & Roadmap\n\n| Resource | Chinese | English |\n|---|---|---|\n| Top-level README | ✅ ([README.zh.md](README.zh.md)) | ✅ (this file — repo root) |\n| Core technical docs (4) | ✅ | ✅ [`main\u002FEN\u002F`](main\u002FEN\u002F) all 4 complete |\n| ⭐ Methodology 10 chapters | ✅ 3,389 lines | ✅ [`main\u002FEN\u002Fmethodology\u002F`](main\u002FEN\u002Fmethodology\u002F) |\n| ⭐ EV1_EV2_UNIFIED_REFERENCE | ✅ 227 lines | ✅ [`main\u002FEN\u002FEV1_EV2_UNIFIED_REFERENCE.md`](main\u002FEN\u002FEV1_EV2_UNIFIED_REFERENCE.md) |\n| ⭐ research\u002F (6 dossiers) | — | ✅ English original |\n| ⭐ AI Skill manifests (4) | — | ✅ English original |\n| ⭐ Fine-grained gotchas (19) | — | ✅ English original |\n| Plan B node_bridge\u002F | ✅ | ✅ [`node_bridge\u002FREADME_EN.md`](node_bridge\u002FREADME_EN.md) + skill |\n| Bundle methodology | ✅ 973 lines | ✅ [`main\u002FEN\u002FPX_Bundle_Reverse_Methodology.md`](main\u002FEN\u002FPX_Bundle_Reverse_Methodology.md) |\n| Bundle main doc | ✅ 4,996 lines | ✅ [`bundle\u002Fdoc\u002FBundle_Complete_Technical_Doc.md`](bundle\u002Fdoc\u002FBundle_Complete_Technical_Doc.md) |\n| 4 main gotcha files | ✅ | ✅ [`bug_report\u002F*_EN.md`](bug_report\u002F) |\n| stample\u002F dual-site mirror (README \u002F SDK_INFO \u002F px_cookie \u002F script) | ✅ | ✅ Full EN mirror landed |\n\n**Bilingual progress**: top-level README + core technical docs + 10-chapter methodology + Bundle + Plan B + gotchas + stample mirror are all in English; a few remaining long-form docs continue.\n\n---\n\n## 16. License, Ethics & Responsible Disclosure\n\n### 16.1 License — Dual-track (Anti-abuse Hardened)\n\nFull License text is in [`LICENSE`](LICENSE) at the repository root. This project uses a **dual-track License**, applying separate anti-abuse constraints to code and documentation:\n\n| Asset Type | Scope | License | Key Constraint |\n|---|---|---|---|\n| **Code** | [`revers\u002F`](revers\u002F) · [`stample\u002F*\u002Fpx_cookie\u002F`](stample\u002F) · [`bundle\u002Fscript\u002F`](bundle\u002Fscript\u002F) · [`node_bridge\u002F`](node_bridge\u002F) · [`skill\u002F*\u002Fscripts\u002F`](skill\u002F) | **AGPL-3.0** | Any commercial service \u002F SaaS use must **fully open-source contribute back** |\n| **Documentation** | [`main\u002F`](main\u002F) · [`bug_report\u002F`](bug_report\u002F) · [`research\u002F`](research\u002F) · all `README.md` \u002F `SKILL.md` | **CC BY-NC-SA 4.0** | **NonCommercial** + Attribution + ShareAlike (derivatives equally open) |\n\n**Why dual-track**: CC officially recommends against using CC for code; AGPL doesn't excel at protecting documentation. Combining them creates a two-layer anti-abuse shield — commercial companies can neither commercially use the docs nor closed-source-leverage the code. This is the standard practice in academic + security research circles (e.g., Trail of Bits \u002F NCC Group \u002F Project Zero companion projects).\n\n### 16.2 Research Ethics\n\nThis project **strictly adheres to the following principles**:\n\n- **Research \u002F Education \u002F Personal Security Audit purposes only** — algorithm analysis, protocol dissection, cross-platform comparison, teaching\n- **Does not provide large-scale scraping operational tooling** — no proxy pools, schedulers, IP rotation, UA pools, CAPTCHA OCR, third-party solving integration\n- **Does not target individual user privacy data** — all capture samples were legitimately collected through the researcher's own accounts\n- **Compliance with target site ToS** — Each site's terms of service are judged and borne by the user, independent of the project author\n\n### 16.3 ⚠️ Disclaimer (Important)\n\n> Using this project signifies that you **fully understand and agree** to the following:\n\n1. **User assumes all responsibility** — The project author (`warterbili`) releases this work strictly as academic research and educational content, and **assumes no responsibility for any direct or indirect damage** arising from use of this project, including but not limited to: account bans, IP blocklisting, legal litigation, compliance review, platform complaints, business loss, privacy incidents.\n2. **Prohibited uses** — This project **must not** be used for:\n - Unauthorized data scraping \u002F content harvesting\n - Credit card \u002F coupon \u002F gift card abuse (carding, coupon fraud)\n - Automated ordering \u002F inventory hoarding \u002F scalping\n - User credential theft \u002F credential stuffing\n - Denial-of-service attacks (DoS \u002F DDoS)\n - Malicious interference with target sites\n - Any conduct violating target site ToS or local law\n3. **Legal compliance is the user's responsibility** — Different jurisdictions have different laws regarding reverse engineering, automated access, and data collection (e.g., US CFAA \u002F EU GDPR \u002F China's Cybersecurity Law \u002F Data Security Law \u002F Personal Information Protection Law). Users are **obligated to research and comply** with the laws of their jurisdiction.\n4. **Author has no obligation to provide support** — This project is released free of charge as a research artifact; the author has **no obligation** to provide technical support, bug fixes, SDK upgrade responses, or legal counsel.\n5. **Redistribution restrictions** — Redistributions must preserve this entire disclaimer text; modification or deletion is not ","该项目是对PerimeterX(HUMAN Security)反机器人SDK的完整逆向工程,实现了纯算法生成_px3\u002F_px2的功能,无需浏览器或Selenium支持。项目核心功能包括WASM PoW求解、iFood和Grubhub等网站的10\u002F10验证通过率,并解决了68个生产环境中的问题。此外,还集成了AI技能以增强其应用场景下的表现。适合于需要绕过特定网站反爬虫机制的数据抓取任务以及安全研究领域使用。",2,"2026-06-11 04:03:33","CREATED_QUERY"]