background
After the epidemic this year, all children’s vaccines in Yuhang District of Hangzhou need to be booked online. The Yuhang government also provided a small program called “Healthy Yuhang” on wechat and Alipay to make an appointment. However, every time there are more than enough people to go round, and it is even harder to find a few working days after the holidays. Every time I make an appointment for my daughter’s vaccination is a battle!
Fortunately, the online system and offline have not been connected, every time you go to the hospital for vaccination, show the small program booking form on the mobile phone, the security guard will give you a paper registration vaccination number. Heh heh, so there is room for maneuverability — is it possible to get vaccinated as long as the small program on the phone can display the appointment form normally?
plan
- PS A reservation form
This solution is simple, but there are problems, if the security guards let you operate the small program will not explode?
- Reverse wechat mini program, in the corresponding interface will be the previous reservation form to the time you want
This scheme is relatively safe, as long as the online and offline do not get through the basic will not be detected.
WeChat hit a shell
Directly use AloneMonkey’s tool Frida-ios-dump to crack a shell and get wechat’s IPA file after cracking the shell.
New MonkeyApp
We continue to stand on the shoulders of giants, using the great God AloneMonkeyMonkeyDevCreate a new MonkeyApp
View applets layout
We can easily see that this page is implemented by a WKWebView, so do we just need to change the inoculation time to the time we want, such as “2020-12-10 13:40-14:10”, and by the way, we can change the appointment success time and the following password, in order to make the tutorial clear, In this demonstration we only modify the time of inoculation.
Replace the words
Let’s take a look in SafariWKWebViewThe layout of the
We see the value of the body propertyisIt should be the route, we can use this to determine the interface, and modify the corresponding element document, js code as follows
if (document.body.getAttribute('is') = = ='pages/booking/orderDetail/index') {
console.log('replace text');
let eles = document.getElementsByClassName('value _span data-v-c39257b4');
eles[0].innerText = 'Little Fat Yang';
eles[2].innerText = '2020-12-10 13:40-14:10';
}
Copy the codeI tested it under the Safari console and it changed the time.
Integrated into the APP
We’ve done that in the debug environment, but how do we make it persistent? Back to our new MonkeyApp, we just need to insert a JS script to replace the corresponding document when WKWebView is instantiated. OK! Logos Tweak is already integrated with MonkeyApp and we Hook WKWebView directly using Logos syntax
%hook WKWebView
- (id)initWithFrame:(CGRect)frame configuration:(id)configuration {
NSLog(@"This is a WKWebView initWithFrame method ");
WKWebView *wkWebView = %orig();
NSString *js = @"var replace = function () {\n"
" if (document.body.getAttribute('is') === 'pages/booking/orderDetail/index') {\n"
" console.log('replace text'); \n"
" let eles = document.getElementsByClassName('value _span data-v-c39257b4'); \n"
InnerText = 'innerText '; "eles[0]. \n"
" eles[2].innerText = '2020-12-10 13:40-14:10'; \n"
" }else{\n"
" setTimeout(replace, 100); \n"
" }\n"
"}\n"
"replace();";
WKUserScript *userScript = [[WKUserScript alloc] initWithSource:js
injectionTime:WKUserScriptInjectionTimeAtDocumentEnd
forMainFrameOnly:NO];
[wkWebView.configuration.userContentController addUserScript:userScript];
return wkWebView;
}
%end
Copy the codeNote that the timing of JS injection must be selected inWKUserScriptInjectionTimeAtDocumentEndOtherwise, the retrieved element will be null. We re-run wechat and jump to the corresponding mini program interface.
conclusion
This time we learned that the original wechat small program is a common WebView, but also thought there was a mystery. In fact, standing on the shoulders of giants, although we can do simple reverse, but do not know why, novice still need to have a long way to go.