diff --git a/img/39.png b/img/39.png new file mode 100644 index 0000000..fa67893 Binary files /dev/null and b/img/39.png differ diff --git a/img/40.png b/img/40.png new file mode 100644 index 0000000..294deb5 Binary files /dev/null and b/img/40.png differ diff --git a/img/41.png b/img/41.png new file mode 100644 index 0000000..fd2f934 Binary files /dev/null and b/img/41.png differ diff --git a/img/42.png b/img/42.png new file mode 100644 index 0000000..e193298 Binary files /dev/null and b/img/42.png differ diff --git a/img/43.png b/img/43.png new file mode 100644 index 0000000..7d35fc4 Binary files /dev/null and b/img/43.png differ diff --git a/zy-websocket/案例站.md b/zy-websocket/案例站.md new file mode 100644 index 0000000..dc34834 --- /dev/null +++ b/zy-websocket/案例站.md @@ -0,0 +1,44 @@ +## 调试虎牙 + +发现找到 pending 正在连接中 WebSocket + +并发送一条测试信息 + +![debugger](../img/39.png) + +进入js代码,发现new WebSocket + +![debugger](../img/40.png) + +这里就要注意,无论js代码怎么混淆 new WebSocket 肯定会出现 + + s && !o.online && e.useHttps && (h += ":4434"); + var p = new WebSocket((e.useHttps ? "wss://" : "ws://") + h + _); + p.ip = h, + p.onopen = c, + p.onclose = d, + p.onerror = d + +通过搜索发现很多 onmessage 和 send 方法 + +一个个打断点非常麻烦,直接hook + + p.send_ = p.send; + p.send = function(t){ + debugger; + return p.send_(t); + } + +![debugger](../img/41.png) + +hook + +![debugger](../img/42.png) + +发送弹暮测试,定位到加密函数 + +![debugger](../img/43.png) + +r中间存在我发送的代码内容,打上断点 + + d.writeStruct("tReq", r) \ No newline at end of file diff --git a/zy-websocket/调试websocket.md b/zy-websocket/调试websocket.md index 9ca1e92..e210a15 100644 --- a/zy-websocket/调试websocket.md +++ b/zy-websocket/调试websocket.md @@ -26,7 +26,7 @@ websocket html5 不是v8引擎自带的,本身就是关键词 心跳包:客户端每隔30秒(不固定)发送给服务端信号,服务端就回认为客户端还是在线 -## 调试 message +## 调试 onmessage ![debugger](../img/34.png)
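Review bot: In zy-websocket/案例站.md the hook snippet (`p.send_ = p.send; p.send = function(t){ debugger; return p.send_(t); }`) does not say where it has to be run. `p` is the local variable created by `var p = new WebSocket(...)`, so the snippet only works from the console while execution is paused in that scope, after the constructor line has run. Add a sentence stating this, and give the bare "hook" line before img/42.png a caption that says what the screenshot shows. Smaller points in the same file: "弹暮" should be "弹幕"; the sentence saying `new WebSocket` will always appear however the JS is obfuscated is worded as an absolute and would read better as "usually"; all five images share the alt text "debugger"; and the file ends without a trailing newline.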
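Review bot: In zy-websocket/调试websocket.md, renaming the heading from "调试 message" to "调试 onmessage" changes the anchor generated for that section, so any link that points at the old heading (for example from the new 案例站.md or a table of contents) should be checked and updated in this change. While the file is being touched, the context line just above the heading has a typo: "服务端就回认为" should be "服务端就会认为".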