1. Goals

Boss Li: Fenfei, people are playing with mini programs a lot lately, and JS seems rather fun to play with. Why don't we give it a try?

Fenfei: You are the boss, you have the final say.

This is our first time working on a mini program, so we pick a soft target: the mini program of an App we analyzed before.

  • Decompiling
  • Static analysis
  • Dynamic debugging

2. Steps

Where is spring?

A downloaded App is an APK package, so where does the mini program live?

A mini program is a file with the .wxapkg suffix. On an Android phone it can be found under /data/data/com.tencent.mm/MicroMsg/{user id}/appbrand/pkg/. For example, on my test phone:

/data/data/com.tencent.mm/MicroMsg/9099d679ace11f72569bd530813a28ff/appbrand/pkg 

The files are in this directory. But it holds a pile of files with numeric names; which one is the mini program of the App we are after?

Two solutions:

  • Delete all the mini programs except one, and the remaining file is the one.
  • Delete the mini program of the App in question and reinstall it, then look at the file dates; the newest file is the one.

Decompiling

wxapkg files can't be analyzed directly, but they can be decompiled into JS files.

Github.com/ezshine/wxa…

Download the author's prebuilt wxapkg-convertor executable from Releases.

Drag the wxapkg file into the wxapkg-convertor window to decompile it into JS source code.

Let's try to analyze where this websign comes from.

Start by searching for the websign string:

./3AAE21D3932643BF5CC849D4DA8F8236.js:3: if (!e) return console.error("websign arguments error"), "";
./3AAE21D3932643BF5CC849D4DA8F8236.js:6: return n.length < 20 ? (console.error("websign length error"), "") : "v2-".concat(o("".concat(e).concat(o(n))));
./3AAE21D3932643BF5CC849D4DA8F8236.js:98: url: "".concat(n, "/account/nonce?websign=").concat(i(c)),
./3AAE21D3932643BF5CC849D4DA8F8236.js:124: url: "".concat(n, "/account/auth?websign=").concat(i(u)),
./3AAE21D3932643BF5CC849D4DA8F8236.js:178: var ff = "".concat(n).concat(s).concat(e, "?websign=").concat(i(d));
./3AAE21D3932643BF5CC849D4DA8F8236.js:180: url: "".concat(n).concat(s).concat(e, "?websign=").concat(i(d)),

Luckily, it looks like the value is produced by the i(d) function in this JS file.

Dynamic debugging

Now that we have the decompiled JS source, can we debug it dynamically to make the analysis more convenient?

The answer is yes: download the WeChat Developer Tools and import the decompiled code as a project.

Remember to go to Settings -> Project Settings and check the "Do not verify legitimate domain names…" option.

Now the code looks like it will run, so let's set a breakpoint on the i function and step in.

Look at the

While debugging, we found that it did not generate a websign: t.h_m was empty, so nothing after it was generated. That is not hard to get around: take an h_m value from the packet capture, hard-code it, and the code runs through to a result.

// var e = t.h_m;
var e = 257167182; // t.h_m, hard-coded from the capture

From the JS code, function i ends by calling o(n), and

o = require("E5CA98B6932643BF83ACF0B13A9F8236.js").md5

The name md5 is a dead giveaway, so let's verify it by adding a line of code to the i function:

var t1Use = o("123456");

First, compute the same hash on the Mac:

ffNewMac:Downloads fenfei$ md5 -s 123456
MD5 ("123456") = e10adc3949ba59abbe56e057f20f883e

Then debug the project and look at the value of t1Use.

Confirmed by eye: it's MD5.
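The check above, generalized as an added example (not code from the original post or from the app): a Node.js helper that identifies which standard digest a black-box function such as o implements by comparing it on several probe strings, plus the shape of the expression on lines 3 and 6 of the search output. The names identifyHash and websignV2 are hypothetical, and n is left as a parameter because the page does not show how it is built.

```javascript
// Added example (Node.js). identifyHash and websignV2 are hypothetical names.
const crypto = require("crypto");

// Standard digests to compare a black-box hash function against.
const CANDIDATES = ["md5", "sha1", "sha256"];

// Probe inputs: the page's "123456", plus the empty string and non-ASCII
// text, where hand-rolled implementations most often diverge (UTF-8 handling).
const PROBES = ["123456", "", "websign", "中文 ünïcode"];

const digest = (alg, s) =>
  crypto.createHash(alg).update(s, "utf8").digest("hex");

// Returns the name of the standard algorithm that matches `fn` on every
// probe, or null if none does (custom, salted or truncated algorithm).
function identifyHash(fn) {
  for (const alg of CANDIDATES) {
    if (PROBES.every((p) => String(fn(p)).toLowerCase() === digest(alg, p))) {
      return alg;
    }
  }
  return null;
}

// Shape of the expression on lines 3 and 6 of the decompiled file:
//   if (!e) return "";  n.length < 20 ? "" : "v2-" + o("" + e + o(n))
// Assumption: `e` is the h_m value the post hard-codes; `n` is a parameter.
function websignV2(e, n, o = (s) => digest("md5", s)) {
  if (!e) return "";            // "websign arguments error"
  if (n.length < 20) return ""; // "websign length error"
  return "v2-" + o(String(e) + o(n));
}
```

Passing the decompiled module's md5 export to identifyHash inside the debugger gives the same answer as the manual t1Use comparison, but also covers the empty and non-ASCII inputs.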

3. Summary

When starting on something new, pick a soft target first; don't try to launch a satellite on day one.

If you can decompile it and then debug it dynamically, success is just around the corner.

This sample was a lucky one, since it is just MD5. For a complex JS algorithm, consider running it with PyExecJS, js2py or Node.js.

Every story has an end, only life does.

TIP: The only purpose of this article is to learn more reverse-engineering techniques and ways of thinking. If anyone uses this technique to obtain illegal commercial gain, the legal liability rests with the operator and has nothing to do with this article or its author. The code projects covered in this article are available in my Knowledge Planet group; you are welcome to join and learn and explore together. If you have a question, you can add me on WX: FENfei331 to discuss.

WeChat official account: Fenfei Security, with the latest technical articles pushed in real time.