A, goals,
Boss Li: Fly, light Debug is meaningless, is it possible to run this decompiler out of the small program? Or is there a leak in the decompiled code that doesn’t work?
Fenfei: One city, one policy, specific App specific analysis, specific to this App can still play.
Second, the steps
To run a
Let’s run through the decompiled code from the previous tutorial.
Unfortunately, the screen is blank, and there’s nothing we’re looking for.
Fortunately, there is a warning: # login failed
Search for:
/ Users/fenfei/Downloads/wx / _2089237937_16/3 aae21d3932643bf5cc849d4da8f8236. Js 79 ploidy: title: E.d ata. MSG | | "login failed", / Users/fenfei/Downloads/wx / _2089237937_16 / app - service. Js, 2613152: ShowToast ({title: e.d ata. MSG | | "login failed", icon: "none"}).Copy the codeThere are two parts to this hint. Which one is it?
Let’s change the former to “login failed 1″ and the latter to” login failed 2 “.
Run again, prompting “Login failed 1”.
Well, that’s you.
Analysis of the code
wx.request({ url: "".concat(n, "/s/user/account/openlogin"), method: "POST", dataType: "json", data: (0, t.default)({ openkey: e.code }, u), success: function(e) { // console.log(e); if (e.data.ret > 0) { var n = e.data, r = n.data, s = n.data.member_info, c = getApp(), u = s.isreg ? 2:1; c && (c.globalData = (0, t.default)({}, s, { userstatus: u })), a.h_did = r.did, a.h_m = r.mid, a.mid = r.mid, a.token = r.token, a.userstatus = u, wx.setStorage({ key: "userInfo", data: (0, t.default)({}, r, s, { userstatus: u }) }), o(e.data.data); } else wx.reportAnalytics("login fail request success", JSON.stringify(e)), wx.showToast({ title: E.d ata. MSG | | "login failed 1," icon: "none"}), I (); }, fail: function(t) { wx.reportAnalytics("login fail request fail", JSON.stringify(t)), i(); }});Copy the codeIf e.data.ret is less than or equal to 0, “login failed 1” will be displayed.
Oh, my god. Isn’t that what it is? Let’s grab a package and see what the openLogin request returns on the real machine, and then assign it directly to the variable e.
Let’s add console.log(e); So what is the current value of the e variable?
You can see our output from the debugger ->Console
The return value is -101, which must indicate a login failure.
Change the code
According to the previous analysis, let’s capture the packet and look at the return value of the openLogin request on the real machine. But the weird thing is, there’s no way to catch it.
After the login is successful, it will save a bunch of return values, so we can find the did, mid, token and other values from other request packages, and then directly assign values.
If (e.data.ret < 0) {// if (e.data.ret < 0) {// var n = e.data.r = n.data.member_info, c = getApp(), u = s.isreg? 2:1; var n = e.data, r = n.data, s = "123456", c = getApp(), u = 2; c && (c.globalData = (0, t.default)({}, s, { userstatus: u })), // a.h_did = r.did, a.h_m = r.mid, a.mid = r.mid, a.token = r.token, a.userstatus = u, a.h_did = "eccdb12b68fd755fb52b2763f69aaa00", a.h_m = 257167182, a.mid = 257167182, a.token = "TeKeNJiAKQ3YqxMms7yw2n4gGgkzEWG7SMGoLCSUM6P2hs3N6DyhyGURt-ZA6ZC1j2Uw5w9ur4EXVhLURS7xqnjZd9IbgLPtt5QFJRaMzFVi82yk=", A.usserstatus = u,...... }Copy the codeThen run up
There we go. Here we go.
yet
Before I was happy for a while, something went wrong again, and then I couldn’t run. There was no “login failed” message.
Was App found, cross-province banned, too bad.
Tinkering for a long time, accidentally click on the IDE clear cache
Bright again, must have logged in successfully and saved the information in the cache.
/*
wx.setStorage({
key: "userInfo",
data: (0, t.default)({}, r, s, {
userstatus: u
})
}),
*/
Copy the codeJust comment out the save section, which makes debugging easier.
Recall that the openLogin package could not be caught on the real machine.
But how do you cache real computers? Stir-fry chicken easy, delete this small program, and then install again.
Nice change
Now that we’ve got the package, we can do a nice change, which is the idea we started with, which is to just assign the e variable.
success: function(e) { e= JSON.parse(`{"data": {"ret":1,"errcode":1,"data":{"member_info":123456,"mid":257167182,"register":0,"passwd":"98227e90298d0711","token":"TeKe NJiAKQ3YqxMms7yw2n4gGgkzEWG7SMGoLCSUM6P2hs3N6DyhyGURt-ZA6ZC1j2Uw5w9ur4EXVhLURS7xqnjZd9IbgLPtt5QFJRaMzFVi82yk=","member_i nfo":{"id":257167182,"isreg":1,"ct":1630931968,"rt":1630931968,"pw":"98417e90298d0757","name":"W8a\xbd\xe5\xad\x90J","ge nder":0,"sign":"","avatar":3,"cover":0,"isbind":0,"opentype":4,"zyid":"46120279","vip_info":{"mid":257167182,"rev_bubble _cnt":0},"you_age":3},"did":"eccdb12b68fd755fb52b2763f69aaa00"}} }`) console.log(e); If (e.data.ret > 0) {// Don't forget to change this back to greater than 0}Copy the codeThat’s a little more elegant. We’re done.
Third, summary
Can other small programs also run like this?
Wake up, if the big factory’s little programs were that easy for you to run, their big brother coder would be out of a job. One city, one policy, and then a case-by-case analysis. When we do reverse analysis, we find the possible in the impossible.
Or a little pursuit, as far as possible to ensure the flow of the original program, can be elegant and not rude. Of course you can be rough if you have to.
Wechat developer tools are very useful, debugger ->Sources next breakpoint, smooth smooth.
Reverse engineering is still a bit of a forward development foundation, so that you can recognize the cache problem early.
Don’t deify your opponent. Interprovincial prohibition is magic.
If you don’t know how to organize your life, there will be many people who will arrange it for you and they will need you to do it.
TIP: The purpose of this article is only one is learning more backward techniques and train of thought, if anyone use this technology to get illegal commercial interests the legal liabilities are their operators, and the author and it doesn’t matter, this paper involves the knowledge of code project can go to my friends to fly star come undone, welcome to join star learn together to explore technology knowledge. Have a problem can add me WX: FENfei331 discussion.
Wechat public account: Fenfei safety, the latest technology dry goods real-time push