2019-03-18 21:54 第18行代码插入错误,咨询了@Hmily后得知是Discuz的问题所导致,现已修复。
之前在福利经验区发了帮人修改的帖子,后来因为发错版块被版主删除了,现在公开一下具体算法及代码。
通过反编译小程序源码找到了关键加密算法,想修改相关数值就和吃饭一样容易了。
关于反编译小程序不多说了,到github上找到大神提供的程序wxappUnpacker。其他用到的工具有Fiddler、记事本、postman和浏览器。
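小程序有两处关键加密,一处是获取用户信息的sign,一处是修改用户信息的sign。严格来说这两处sign并不是加密,而是把请求参数按键名排序拼接后做MD5得到的签名;从下面的代码看,参与计算的wx_secret就在客户端脚本里,所以这个签名证明不了请求没有被改动,服务端不能仅凭它信任客户端提交的数值。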
我们想修改账号内的信息必须要先获取到信息内容。
第一步,获取用户信息的sign。以【ID:123】为例
// Demo: recompute the "sign" value sent with the user-info query request.
// The digest input is every field below, ordered by key name and joined as
// key=value pairs with "&"; the MD5 of that string is written to the page.
// NOTE(review): wx_secret is one of the hashed fields and appears here in
// client-side script, so this sign cannot prove a request is untampered;
// the server has to validate the submitted values itself.
var signFields = {
  plat: 'wx',
  time: '1552654618286',
  openid: '123',
  wx_appid: 'wxa2c324b63b2a9e5e',
  wx_secret: '8fbd540d0b23197df1d5095f0d6ee46d'
};

// Collect the field names and order them ascending.
var fieldNames = Object.keys(signFields);
fieldNames.sort(function (left, right) {
  if (left > right) return 1;
  if (left < right) return -1;
  return 0;
});

// Build "k1=v1&k2=v2&..." with no trailing separator.
var canonical = fieldNames
  .map(function (name) {
    return name + "=" + signFields[name];
  })
  .join("&");

// $.md5 is expected to come from a jQuery MD5 plugin loaded by the host page.
document.write("1.Get UserInfo Hash<br><br>");
document.write($.md5(canonical));
获取到查询用户信息的sign后把它代入到Request里就可以查询到当前用户的详细信息了
POST /api/archive/get HTTP/1.1
charset:utf-8
Accept-Encoding:gzip
referer:https://servicewechat.com/wxa2c324b63b2a9e5e/43/page-frame.html
content-type:application/x-www-form-urlencoded
User-Agent:Mozilla/5.0 (Linux; Android 9; LYA-AL00 Build/HUAWEILYA-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.110 Mobile Safari/537.36 MicroMessenger/7.0.3.1400(0x27000334) Process/appbrand2 NetType/WIFI Language/zh_CN
Content-Length: 116
Host:wxwyjh.chiji-h5.com
Connection:Keep-Alive
{"plat":"wx","time":1552654618286,"openid":"oc6rl5UBEiRdOTw55r48EBEAoZPQ","sign":"f85180650fefff89967c880cbac02caa"}
post之后得到以下数据
{
"data": {
"record": "{\"uid\":\"123\",\"isSoundOff\":false,\"isShackOff\":false,\"GMTimeG\":-1,\"GMTimeP\":-1,\"level\":8,\"lDamage\":20,\"lCount\":7,\"lJiaZhi\":7,\"lRiChang\":11,\"curFu\":0,\"levelFuCount\":[2,1,1,1,1,1,1,1,1,1],\"levelFuDamage\":[12,1,1,1,1,1,1,1,1,1],\"getTime2\":1551071798042,\"bgIndex\":6,\"money\":8888,\"tipFU\":false,\"isGuide\":false,\"tiLi\":80,\"tiLiBackTime\":1551079073073,\"today\":4,\"playCount\":0,\"shareCount\":0,\"videoCount\":0,\"isGuanZhu\":0,\"isShouCang\":0,\"tryFuCount\":0,\"pos\":\"u5317u4eac,u5317u4eac\",\"posUpdate\":21,\"zuanShi\":8888,\"getTime\":\"0\",\"sign\":\"e63a0b8b7c02a18737667060d5d1ce3c\"}",
"gm_record": "",
"gm_rewards": ""
},
"code": 0
}
record里面便是我们要修改的地方,比如说money和zuanShi这两项
{"uid":"123","isSoundOff":false,"isShackOff":false,"GMTimeG":-1,"GMTimeP":-1,"level":8,"lDamage":20,"lCount":7,"lJiaZhi":7,"lRiChang":11,"curFu":0,"levelFuCount":[2,1,1,1,1,1,1,1,1,1],"levelFuDamage":[12,1,1,1,1,1,1,1,1,1],"getTime2":1551071798042,"bgIndex":6,"money":"99999999999999","tipFU":false,"isGuide":false,"tiLi":80,"tiLiBackTime":1551079073073,"today":4,"playCount":0,"shareCount":0,"videoCount":0,"isGuanZhu":0,"isShouCang":0,"tryFuCount":0,"pos":"北京,北京","posUpdate":21,"zuanShi":999999999,"getTime":"0","sign":"e63a0b8b7c02a18737667060d5d1ce3c"}
修改好后要算出修改用户信息的sign
// Demo: recompute the "sign" value sent with the user-info upload request.
// Every field below, including the serialized record, is ordered by key name,
// joined as key=value pairs with "&", and the MD5 of that string is written
// to the page.
// NOTE(review): wx_secret is hashed together with a record the client itself
// supplies, and it appears here in client-side script. A matching sign
// therefore says nothing about whether the record values are legitimate;
// the server must check or recompute them.
var payload = {
  plat: 'wx',
  record: '{"uid":"123","isSoundOff":false,"isShackOff":false,"GMTimeG":-1,"GMTimeP":-1,"level":8,"lDamage":20,"lCount":7,"lJiaZhi":7,"lRiChang":11,"curFu":0,"levelFuCount":[2,1,1,1,1,1,1,1,1,1],"levelFuDamage":[12,1,1,1,1,1,1,1,1,1],"getTime2":1551071798042,"bgIndex":6,"money":"99999999999999","tipFU":false,"isGuide":false,"tiLi":80,"tiLiBackTime":1551079073073,"today":4,"playCount":0,"shareCount":0,"videoCount":0,"isGuanZhu":0,"isShouCang":0,"tryFuCount":0,"pos":"北京,北京","posUpdate":21,"zuanShi":999999999,"getTime":"0","sign":"e63a0b8b7c02a18737667060d5d1ce3c"}',
  time: '1552654613547',
  openid: '123',
  wx_appid: 'wxa2c324b63b2a9e5e',
  wx_secret: '8fbd540d0b23197df1d5095f0d6ee46d'
};

// Gather the key names, then sort them ascending.
var orderedKeys = [];
for (var key in payload) {
  orderedKeys.push(key);
}
orderedKeys.sort(function (a, b) {
  return a < b ? -1 : (a > b ? 1 : 0);
});

// One "key=value" entry per field; join() leaves no trailing "&".
var pairs = [];
for (var idx = 0; idx < orderedKeys.length; idx++) {
  pairs.push(orderedKeys[idx] + "=" + payload[orderedKeys[idx]]);
}

// $.md5 is expected to come from a jQuery MD5 plugin loaded by the host page.
document.write("2.Post UserInfo Hash<br><br>");
document.write($.md5(pairs.join("&")));
获取到更新用户信息的sign后把它代入到Request里便可完成修改。从结果看,服务端只校验了sign,并没有校验money、zuanShi这类数值本身是否合理,这才是问题的根源:存档数值应当由服务端计算或核对,而不是直接接受客户端上传的结果。
POST /api/archive/upload HTTP/1.1
charset:utf-8
Accept-Encoding:gzip
referer:https://servicewechat.com/wxa2c324b63b2a9e5e/43/page-frame.html
content-type:application/x-www-form-urlencoded
User-Agent:Mozilla/5.0 (Linux; Android 9; LYA-AL00 Build/HUAWEILYA-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.110 Mobile Safari/537.36 MicroMessenger/7.0.3.1400(0x27000334) Process/appbrand2 NetType/WIFI Language/zh_CN
Content-Length: 810
Host:wxwyjh.chiji-h5.com
Connection:Keep-Alive
{"plat":"wx","record":"{\"uid\":\"123\",\"isSoundOff\":false,\"isShackOff\":false,\"GMTimeG\":-1,\"GMTimeP\":-1,\"level\":8,\"lDamage\":20,\"lCount\":7,\"lJiaZhi\":7,\"lRiChang\":11,\"curFu\":0,\"levelFuCount\":[2,1,1,1,1,1,1,1,1,1],\"levelFuDamage\":[12,1,1,1,1,1,1,1,1,1],\"getTime2\":1551071798042,\"bgIndex\":6,\"money\":\"99999999999999\",\"tipFU\":false,\"isGuide\":false,\"tiLi\":80,\"tiLiBackTime\":1551079073073,\"today\":4,\"playCount\":0,\"shareCount\":0,\"videoCount\":0,\"isGuanZhu\":0,\"isShouCang\":0,\"tryFuCount\":0,\"pos\":\"北京,北京\",\"posUpdate\":21,\"zuanShi\":999999999,\"getTime\":\"0\",\"sign\":\"e63a0b8b7c02a18737667060d5d1ce3c\"}","time":1552654613547,"openid":"123","sign":"c37ddaffc1a4cdeb0d231dc3c3a5d8df"} |