Frida实现对VX小程序的抓包

l_user

作为一个刚接触逆向不久的新手，知道frIDA的时候，惊为天人，居然有这么好用的东西~

因为之前用各种抓包软件都没有抓到过小程序的数据包，于是就尝试一下用frida获取vx小程序的包。下面进入正题，感谢这位大佬提供的思路

1. 首先用Jadx打开微信安装包，搜索字符串createRequestTask，这样可以找到两个类，分别用于创建同步任务和异步任务。

2. this.h.e(lVar, jSONObject, str); 进入这个方法，可以看到 jVar.g(lVar, i, jSONObject, g, aVar2.q, bVar, str, "createRequestTask"); 这个就是发起请求的地方。接下来就是用frida写代码hook了
3. 一开始的时候我陷入了一个误区，因为Jadx反编译出来的包名都不是完整的，比如这样的package kv0;。我一直在研究怎么拿到完整的包名。后面在论坛看到有大佬说了一句，这个是不影响hook的，那实际的拿到发送数据的代码就是这样的：

[JavaScript] 纯文本查看 复制代码

var JSendClass = Java.use("sz0.j");
    if (JSendClass.g) {
      JSendClass.g.overload(
        "com.tencent.mm.plugin.appbrand.jsapi.l",
        "int",
        "org.json.JSONObject",
        "java.util.Map",
        "java.util.ArrayList",
        "sz0.o",
        "java.lang.String",
        "java.lang.String"
      ).implementation = function (lVar, i, jsonObject, map, arrayList, oVar, str, str2) {
        console.log("\n------------------ Sending Data ------------------");
        console.log("lVar:" + lVar.toString());
        console.log("jsonObject: " + jsonObject.toString());
        console.log("map: ");
        var keySet = map.keySet();
        var it = keySet.iterator();
        while (it.hasNext()) {
          var key = it.next();
          var value = map.get(key);
          console.log(key.toString() + " -> " + (value ? value.toString() : "null"));
        }
        console.log("str: " + str);
        console.log("str2: " + str2);
        return this.g(lVar, i, jsonObject, map, arrayList, oVar, str, str2);
      };
    } else {
      console.log("Method 'g' not found in the sending class.");
    }

               
运行脚本，就可以拿到发送的数据。注意frida的需要的PID应该是微信本体的PID，而不是小程序进程的PID。

风生·水起

l_user 发表于 2024-7-26 16:58
那可以直接用frida来hook这个js

是啊 但是我找了半天找不到hook点。大佬有兴趣研究一下吗

[Java] 纯文本查看 复制代码

2024-07-01 15:02:47.441 17180-17841 LSPosed-Bridge          com.tencent.mm                       I  HookBox:MicroMsg.JsValidationInjectorWC batchInjectUsrJsFiles start assemble requests, appId:wxe89fc000f4991d2a, key:game.js, paths.size:1stack:[com.specher.superhookbox.hook.WeChat$5.beforeHookedMethod(WeChat.java:265), de.robv.android.xposed.XposedBridge$LegacyApiSupport.handleBefore(Unknown Source:24), J.callback(Unknown Source:179), LSPHooker_.j(Unknown Source:14), com.tencent.mm.plugin.appbrand.utils.h3.b(Unknown Source:71), com.tencent.luggage.sdk.jsapi.component.service.f.k(Unknown Source:95), us0.s.k(Unknown Source:282), com.tencent.luggage.sdk.jsapi.component.service.f.evaluateScriptFile(Unknown Source:208), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8.callObjectJavaMethod(Unknown Source:42), com.eclipsesource.mmv8.V8._executeScript(Native Method), com.eclipsesource.mmv8.V8.executeScript(SourceFile:6), com.eclipsesource.mmv8.V8.executeScript(SourceFile:5), com.eclipsesource.mmv8.V8ContextWrapper$V8ContextImpl.executeScript(SourceFile:3), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8ContextWrapper.invoke(Unknown Source:22), java.lang.reflect.Proxy.invoke(Proxy.java:1006), $Proxy14.executeScript(Unknown Source), zh.g1.run(Unknown Source:42), zh.u3.s(Unknown Source:8), zh.u3.n(Unknown Source:47), zh.g0.n(Unknown Source:0), zh.u3.f(Unknown Source:109), zh.e.run(Unknown Source:259)]
2024-07-01 15:02:47.441 17180-17841 LSPosed-Bridge          com.tencent.mm                       I  HookBox:MicroMsg.JsValidationInjectorWC batchInjectUsrJsFiles start invoke batchEvaluateJavascript, appId:wxe89fc000f4991d2a, key:game.js, paths.size:1stack:[com.specher.superhookbox.hook.WeChat$5.beforeHookedMethod(WeChat.java:265), de.robv.android.xposed.XposedBridge$LegacyApiSupport.handleBefore(Unknown Source:24), J.callback(Unknown Source:179), LSPHooker_.j(Unknown Source:14), com.tencent.mm.plugin.appbrand.utils.h3.b(Unknown Source:256), com.tencent.luggage.sdk.jsapi.component.service.f.k(Unknown Source:95), us0.s.k(Unknown Source:282), com.tencent.luggage.sdk.jsapi.component.service.f.evaluateScriptFile(Unknown Source:208), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8.callObjectJavaMethod(Unknown Source:42), com.eclipsesource.mmv8.V8._executeScript(Native Method), com.eclipsesource.mmv8.V8.executeScript(SourceFile:6), com.eclipsesource.mmv8.V8.executeScript(SourceFile:5), com.eclipsesource.mmv8.V8ContextWrapper$V8ContextImpl.executeScript(SourceFile:3), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8ContextWrapper.invoke(Unknown Source:22), java.lang.reflect.Proxy.invoke(Proxy.java:1006), $Proxy14.executeScript(Unknown Source), zh.g1.run(Unknown Source:42), zh.u3.s(Unknown Source:8), zh.u3.n(Unknown Source:47), zh.g0.n(Unknown Source:0), zh.u3.f(Unknown Source:109), zh.e.run(Unknown Source:259)]
2024-07-01 15:02:47.527 17180-17841 LSPosed-Bridge          com.tencent.mm                       I  HookBox:MicroMsg.JsValidationInjector hy: file game.js inject success! cost:86stack:[com.specher.superhookbox.hook.WeChat$5.beforeHookedMethod(WeChat.java:265), de.robv.android.xposed.XposedBridge$LegacyApiSupport.handleBefore(Unknown Source:24), J.callback(Unknown Source:179), LSPHooker_.j(Unknown Source:14), com.tencent.mm.plugin.appbrand.utils.c3.a(Unknown Source:35), com.tencent.mm.plugin.appbrand.utils.d3.a(Unknown Source:6), zh.h1.run(Unknown Source:40), zh.u3.s(Unknown Source:8), zh.u3.j(Unknown Source:35), zh.a.h(Unknown Source:5), zh.q0.b(Unknown Source:13), com.tencent.mm.plugin.appbrand.jsruntime.n.J(Unknown Source:4), com.tencent.mm.plugin.appbrand.utils.h3.b(Unknown Source:270), com.tencent.luggage.sdk.jsapi.component.service.f.k(Unknown Source:95), us0.s.k(Unknown Source:282), com.tencent.luggage.sdk.jsapi.component.service.f.evaluateScriptFile(Unknown Source:208), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8.callObjectJavaMethod(Unknown Source:42), com.eclipsesource.mmv8.V8._executeScript(Native Method), com.eclipsesource.mmv8.V8.executeScript(SourceFile:6), com.eclipsesource.mmv8.V8.executeScript(SourceFile:5), com.eclipsesource.mmv8.V8ContextWrapper$V8ContextImpl.executeScript(SourceFile:3), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8ContextWrapper.invoke(Unknown Source:22), java.lang.reflect.Proxy.invoke(Proxy.java:1006), $Proxy14.executeScript(Unknown Source), zh.g1.run(Unknown Source:42), zh.u3.s(Unknown Source:8), zh.u3.n(Unknown Source:47), zh.g0.n(Unknown Source:0), zh.u3.f(Unknown Source:109), zh.e.run(Unknown Source:259)]


HookBox:MicroMsg.JsValidationInjector hy: file game.js inject success! cost:86stack:[com.specher.superhookbox.hook.WeChat$5.beforeHookedMethod(WeChat.java:265), de.robv.android.xposed.XposedBridge$LegacyApiSupport.handleBefore(Unknown Source:24), J.callback(Unknown Source:179), LSPHooker_.j(Unknown Source:14), com.tencent.mm.plugin.appbrand.utils.c3.a(Unknown Source:35), com.tencent.mm.plugin.appbrand.utils.d3.a(Unknown Source:6), zh.h1.run(Unknown Source:40), zh.u3.s(Unknown Source:8), zh.u3.j(Unknown Source:35), zh.a.h(Unknown Source:5), zh.q0.b(Unknown Source:13), com.tencent.mm.plugin.appbrand.jsruntime.n.J(Unknown Source:4), com.tencent.mm.plugin.appbrand.utils.h3.b(Unknown Source:270), com.tencent.luggage.sdk.jsapi.component.service.f.k(Unknown Source:95), us0.s.k(Unknown Source:282), com.tencent.luggage.sdk.jsapi.component.service.f.evaluateScriptFile(Unknown Source:208), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8.callObjectJavaMethod(Unknown Source:42), com.eclipsesource.mmv8.V8._executeScript(Native Method), com.eclipsesource.mmv8.V8.executeScript(SourceFile:6), com.eclipsesource.mmv8.V8.executeScript(SourceFile:5), com.eclipsesource.mmv8.V8ContextWrapper$V8ContextImpl.executeScript(SourceFile:3), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8ContextWrapper.invoke(Unknown Source:22), java.lang.reflect.Proxy.invoke(Proxy.java:1006), $Proxy14.executeScript(Unknown Source), zh.g1.run(Unknown Source:42), zh.u3.s(Unknown Source:8), zh.u3.n(Unknown Source:47), zh.g0.n(Unknown Source:0), zh.u3.f(Unknown Source:109), zh.e.run(Unknown Source:259)]
2024-07-01 15:02:47.527 17180-17841 LSPosed-Bridge          com.tencent.mm                       I  

风生·水起

l_user 发表于 2024-7-26 17:06
啥游戏，发我看一下，另外我不是大佬

我只是举个例子，如果能找到注入点这个就是通用的。微信里的小游戏核心代码全部都是game.js里。就像这个是之前跳一跳分数加倍的hook，现在已经没用了：

[Java] 纯文本查看 复制代码

   if (loadPackageParam.packageName.equals("com.tencent.mm")) {

       Class <  ?  > cljump = XposedHelpers.findClass("com.tencent.mm.plugin.appbrand.appcache.ai", loadPackageParam.classLoader);

       XposedBridge.hookAllMethods(cljump, "a", new XC_MethodHook() { // from class: top.chaego.wejumpp.main.2

           protected void beforeHookedMethod(XC_MethodHook.MethodHookParam param)throws Throwable {}

           protected void afterHookedMethod(XC_MethodHook.MethodHookParam param)throws Throwable {

               String retStr;

               main.this.getKey();

               if (param.args.length >= 2) {

                   String arg = (String)param.args[1];

                   if (arg == "game.js") {

                       String result = (String)param.getResult();

                       if (main.kaiguan) {

                           retStr = result.replace("this.score+=t", "this.score+=t+=" + main.mag);

                       } else {

                           retStr = result;

                       }

                       param.setResult(retStr);

                   }

               }

           }

       });

   }

   }

l_user

为啥我插入的链接没了，大佬的思路在这里 https://www.52pojie.cn/thread-1764292-1-1.html

风生·水起

能不能实现修改小游戏的js数据？之前可以，新版的微信我研究了很久没有找到。

l_user

风生·水起 发表于 2024-7-26 16:34
能不能实现修改小游戏的js数据？之前可以，新版的微信我研究了很久没有找到。

为啥会找不到，抓包抓的到数据么

风生·水起

l_user 发表于 2024-7-26 16:36
为啥会找不到，抓包抓的到数据么

那个js数据是小游戏的包里面的 好像没有通过网络请求来获取这个js

l_user

风生·水起 发表于 2024-7-26 16:38
那个js数据是小游戏的包里面的 好像没有通过网络请求来获取这个js

直接把小程序反编译了看看，普通抓包抓不到的，试一下抓云函数

风生·水起

l_user 发表于 2024-7-26 16:40
直接把小程序反编译了看看，普通抓包抓不到的，试一下抓云函数

反编译肯定能看到，我是想hook修改他的js实现作弊。就像之前跳一跳辅助线的Xposed模块

l_user

风生·水起 发表于 2024-7-26 16:53
反编译肯定能看到，我是想hook修改他的js实现作弊。就像之前跳一跳辅助线的Xposed模块

那可以直接用frida来hook这个js

风生·水起

l_user 发表于 2024-7-26 16:58
那可以直接用frida来hook这个js

很多小游戏改一行代码就能作弊，比如说开间小店
修改game.js里的this._HasBuyMonthCard = true
这样就能实现本地月卡用很多VIP功能。
在电脑上可以开devtools来改，手机上hook修改js文件要找到他加载js的地方，我找了很久没找到注入点。