Frida实现对VX小程序的抓包

作者：l_user 发布时间：4 天前

作为一个刚接触逆向不久的新手，知道frIDA的时候，惊为天人，居然有这么好用的东西~
因为之前用各种抓包软件都没有抓到过小程序的数据包，于是就尝试一下用frida获取vx小程序的包。下面进入正题，感谢这位大佬提供的思路
1. 首先用Jadx打开微信安装包，搜索字符串createRequestTask，这样可以找到两个类，分别用于创建同步任务和异步任务。

C76AD273-6ABF-40df-B0B3-5717C44BF2CE.png (36.25 KB, 下载次数: 3)
下载附件
2024-7-25 23:15 上传

2. this.h.e(lVar, jSONObject, str); 进入这个方法，可以看到 jVar.g(lVar, i, jSONObject, g, aVar2.q, bVar, str, "createRequestTask"); 这个就是发起请求的地方。接下来就是用frida写代码hook了
3. 一开始的时候我陷入了一个误区，因为Jadx反编译出来的包名都不是完整的，比如这样的package kv0;。我一直在研究怎么拿到完整的包名。后面在论坛看到有大佬说了一句，这个是不影响hook的，那实际的拿到发送数据的代码就是这样的：
[JavaScript] 纯文本查看复制代码var JSendClass = Java.use("sz0.j");
if (JSendClass.g) {
   JSendClass.g.overload(
      "com.tencent.mm.plugin.appbrand.jsapi.l",
      "int",
      "org.json.JSONObject",
      "java.util.Map",
      "java.util.ArrayList",
      "sz0.o",
      "java.lang.String",
      "java.lang.String"
   ).implementation = function (lVar, i, jsonObject, map, arrayList, oVar, str, str2) {
      console.log("\n------------------ Sending Data ------------------");
      console.log("lVar:" + lVar.toString());
      console.log("jsonObject: " + jsonObject.toString());
      console.log("map: ");
      var keySet = map.keySet();
      var it = keySet.iterator();
      while (it.hasNext()) {
      var key = it.next();
      var value = map.get(key);
      console.log(key.toString() + " -> " + (value ? value.toString() : "null"));
      }
      console.log("str: " + str);
      console.log("str2: " + str2);
      return this.g(lVar, i, jsonObject, map, arrayList, oVar, str, str2);
   };
} else {
   console.log("Method 'g' not found in the sending class.");
}

运行脚本，就可以拿到发送的数据。注意frida的需要的PID应该是微信本体的PID，而不是小程序进程的PID。

程序, 大佬

相关帖子

风生·水起 4 天前

l_user 发表于 2024-7-26 16:58
那可以直接用frida来hook这个js
是啊但是我找了半天找不到hook点。大佬有兴趣研究一下吗[Java] 纯文本查看复制代码2024-07-01 15:02:47.441 17180-17841 LSPosed-Bridge       com.tencent.mm                      I  HookBox:MicroMsg.JsValidationInjectorWC batchInjectUsrJsFiles start assemble requests, appId:wxe89fc000f4991d2a, key:game.js, paths.size:1stack:[com.specher.superhookbox.hook.WeChat$5.beforeHookedMethod(WeChat.java:265), de.robv.android.xposed.XposedBridge$LegacyApiSupport.handleBefore(Unknown Source:24), J.callback(Unknown Source:179), LSPHooker_.j(Unknown Source:14), com.tencent.mm.plugin.appbrand.utils.h3.b(Unknown Source:71), com.tencent.luggage.sdk.jsapi.component.service.f.k(Unknown Source:95), us0.s.k(Unknown Source:282), com.tencent.luggage.sdk.jsapi.component.service.f.evaluateScriptFile(Unknown Source:208), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8.callObjectJavaMethod(Unknown Source:42), com.eclipsesource.mmv8.V8._executeScript(Native Method), com.eclipsesource.mmv8.V8.executeScript(SourceFile:6), com.eclipsesource.mmv8.V8.executeScript(SourceFile:5), com.eclipsesource.mmv8.V8ContextWrapper$V8ContextImpl.executeScript(SourceFile:3), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8ContextWrapper.invoke(Unknown Source:22), java.lang.reflect.Proxy.invoke(Proxy.java:1006), $Proxy14.executeScript(Unknown Source), zh.g1.run(Unknown Source:42), zh.u3.s(Unknown Source:8), zh.u3.n(Unknown Source:47), zh.g0.n(Unknown Source:0), zh.u3.f(Unknown Source:109), zh.e.run(Unknown Source:259)]
2024-07-01 15:02:47.441 17180-17841 LSPosed-Bridge       com.tencent.mm                      I  HookBox:MicroMsg.JsValidationInjectorWC batchInjectUsrJsFiles start invoke batchEvaluateJavascript, appId:wxe89fc000f4991d2a, key:game.js, paths.size:1stack:[com.specher.superhookbox.hook.WeChat$5.beforeHookedMethod(WeChat.java:265), de.robv.android.xposed.XposedBridge$LegacyApiSupport.handleBefore(Unknown Source:24), J.callback(Unknown Source:179), LSPHooker_.j(Unknown Source:14), com.tencent.mm.plugin.appbrand.utils.h3.b(Unknown Source:256), com.tencent.luggage.sdk.jsapi.component.service.f.k(Unknown Source:95), us0.s.k(Unknown Source:282), com.tencent.luggage.sdk.jsapi.component.service.f.evaluateScriptFile(Unknown Source:208), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8.callObjectJavaMethod(Unknown Source:42), com.eclipsesource.mmv8.V8._executeScript(Native Method), com.eclipsesource.mmv8.V8.executeScript(SourceFile:6), com.eclipsesource.mmv8.V8.executeScript(SourceFile:5), com.eclipsesource.mmv8.V8ContextWrapper$V8ContextImpl.executeScript(SourceFile:3), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8ContextWrapper.invoke(Unknown Source:22), java.lang.reflect.Proxy.invoke(Proxy.java:1006), $Proxy14.executeScript(Unknown Source), zh.g1.run(Unknown Source:42), zh.u3.s(Unknown Source:8), zh.u3.n(Unknown Source:47), zh.g0.n(Unknown Source:0), zh.u3.f(Unknown Source:109), zh.e.run(Unknown Source:259)]
2024-07-01 15:02:47.527 17180-17841 LSPosed-Bridge       com.tencent.mm                      I  HookBox:MicroMsg.JsValidationInjector hy: file game.js inject success! cost:86stack:[com.specher.superhookbox.hook.WeChat$5.beforeHookedMethod(WeChat.java:265), de.robv.android.xposed.XposedBridge$LegacyApiSupport.handleBefore(Unknown Source:24), J.callback(Unknown Source:179), LSPHooker_.j(Unknown Source:14), com.tencent.mm.plugin.appbrand.utils.c3.a(Unknown Source:35), com.tencent.mm.plugin.appbrand.utils.d3.a(Unknown Source:6), zh.h1.run(Unknown Source:40), zh.u3.s(Unknown Source:8), zh.u3.j(Unknown Source:35), zh.a.h(Unknown Source:5), zh.q0.b(Unknown Source:13), com.tencent.mm.plugin.appbrand.jsruntime.n.J(Unknown Source:4), com.tencent.mm.plugin.appbrand.utils.h3.b(Unknown Source:270), com.tencent.luggage.sdk.jsapi.component.service.f.k(Unknown Source:95), us0.s.k(Unknown Source:282), com.tencent.luggage.sdk.jsapi.component.service.f.evaluateScriptFile(Unknown Source:208), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8.callObjectJavaMethod(Unknown Source:42), com.eclipsesource.mmv8.V8._executeScript(Native Method), com.eclipsesource.mmv8.V8.executeScript(SourceFile:6), com.eclipsesource.mmv8.V8.executeScript(SourceFile:5), com.eclipsesource.mmv8.V8ContextWrapper$V8ContextImpl.executeScript(SourceFile:3), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8ContextWrapper.invoke(Unknown Source:22), java.lang.reflect.Proxy.invoke(Proxy.java:1006), $Proxy14.executeScript(Unknown Source), zh.g1.run(Unknown Source:42), zh.u3.s(Unknown Source:8), zh.u3.n(Unknown Source:47), zh.g0.n(Unknown Source:0), zh.u3.f(Unknown Source:109), zh.e.run(Unknown Source:259)]
HookBox:MicroMsg.JsValidationInjector hy: file game.js inject success! cost:86stack:[com.specher.superhookbox.hook.WeChat$5.beforeHookedMethod(WeChat.java:265), de.robv.android.xposed.XposedBridge$LegacyApiSupport.handleBefore(Unknown Source:24), J.callback(Unknown Source:179), LSPHooker_.j(Unknown Source:14), com.tencent.mm.plugin.appbrand.utils.c3.a(Unknown Source:35), com.tencent.mm.plugin.appbrand.utils.d3.a(Unknown Source:6), zh.h1.run(Unknown Source:40), zh.u3.s(Unknown Source:8), zh.u3.j(Unknown Source:35), zh.a.h(Unknown Source:5), zh.q0.b(Unknown Source:13), com.tencent.mm.plugin.appbrand.jsruntime.n.J(Unknown Source:4), com.tencent.mm.plugin.appbrand.utils.h3.b(Unknown Source:270), com.tencent.luggage.sdk.jsapi.component.service.f.k(Unknown Source:95), us0.s.k(Unknown Source:282), com.tencent.luggage.sdk.jsapi.component.service.f.evaluateScriptFile(Unknown Source:208), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8.callObjectJavaMethod(Unknown Source:42), com.eclipsesource.mmv8.V8._executeScript(Native Method), com.eclipsesource.mmv8.V8.executeScript(SourceFile:6), com.eclipsesource.mmv8.V8.executeScript(SourceFile:5), com.eclipsesource.mmv8.V8ContextWrapper$V8ContextImpl.executeScript(SourceFile:3), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8ContextWrapper.invoke(Unknown Source:22), java.lang.reflect.Proxy.invoke(Proxy.java:1006), $Proxy14.executeScript(Unknown Source), zh.g1.run(Unknown Source:42), zh.u3.s(Unknown Source:8), zh.u3.n(Unknown Source:47), zh.g0.n(Unknown Source:0), zh.u3.f(Unknown Source:109), zh.e.run(Unknown Source:259)]
2024-07-01 15:02:47.527 17180-17841 LSPosed-Bridge       com.tencent.mm                      I

风生·水起 4 天前

l_user 发表于 2024-7-26 17:06
啥游戏，发我看一下，另外我不是大佬
我只是举个例子，如果能找到注入点这个就是通用的。微信里的小游戏核心代码全部都是game.js里。就像这个是之前跳一跳分数加倍的hook，现在已经没用了：[Java] 纯文本查看复制代码 if (loadPackageParam.packageName.equals("com.tencent.mm")) {
   Class  cljump = XposedHelpers.findClass("com.tencent.mm.plugin.appbrand.appcache.ai", loadPackageParam.classLoader);
   XposedBridge.hookAllMethods(cljump, "a", new XC_MethodHook() { // from class: top.chaego.wejumpp.main.2
         protected void beforeHookedMethod(XC_MethodHook.MethodHookParam param)throws Throwable {}
         protected void afterHookedMethod(XC_MethodHook.MethodHookParam param)throws Throwable {
            String retStr;
            main.this.getKey();
            if (param.args.length >= 2) {
               String arg = (String)param.args[1];
               if (arg == "game.js") {
                     String result = (String)param.getResult();
                     if (main.kaiguan) {
                        retStr = result.replace("this.score+=t", "this.score+=t+=" + main.mag);
                     } else {
                        retStr = result;
                     }
                     param.setResult(retStr);
               }
            }
         }
   });
}
}

l_user

OP

4 天前

为啥我插入的链接没了，大佬的思路在这里 https://www.52pojie.cn/thread-1764292-1-1.html

风生·水起 4 天前

能不能实现修改小游戏的js数据？之前可以，新版的微信我研究了很久没有找到。

l_user

OP

4 天前

风生·水起发表于 2024-7-26 16:34
能不能实现修改小游戏的js数据？之前可以，新版的微信我研究了很久没有找到。
为啥会找不到，抓包抓的到数据么

风生·水起 4 天前

l_user 发表于 2024-7-26 16:36
为啥会找不到，抓包抓的到数据么
那个js数据是小游戏的包里面的好像没有通过网络请求来获取这个js

l_user

OP

4 天前

风生·水起发表于 2024-7-26 16:38
那个js数据是小游戏的包里面的好像没有通过网络请求来获取这个js
直接把小程序反编译了看看，普通抓包抓不到的，试一下抓云函数

风生·水起 4 天前

l_user 发表于 2024-7-26 16:40
直接把小程序反编译了看看，普通抓包抓不到的，试一下抓云函数
反编译肯定能看到，我是想hook修改他的js实现作弊。就像之前跳一跳辅助线的Xposed模块

l_user

OP

4 天前

风生·水起发表于 2024-7-26 16:53
反编译肯定能看到，我是想hook修改他的js实现作弊。就像之前跳一跳辅助线的Xposed模块
那可以直接用frida来hook这个js

Frida实现对VX小程序的抓包

相关帖子

热门主题

iPhone 实时活动、灵动岛、Apple Watch 显

两个ks-le-b被取消

川普正式拿下摇摆州北卡、俄亥俄

我擦，怎么全在说什么大选

为什么你们这么关心USA大选？

树莓派 4B 能获取到公网 ipv6 外网，但同局

无论结果如何 ~ 感谢哈哈姐带给大家de欢乐

论坛已开启tls指纹验证,求大佬分享签到脚本

各位mjj，比特币突破新高了

出ie区OVH KS-LE-E

热门板块

公告

网站帮助 - Yoo趣儿

我们的愿景

在 Yoo趣儿投放广告

Yoo趣儿网站用户应遵守规则

Frida实现对VX小程序的抓包

相关帖子

热门主题

iPhone 实时活动、灵动岛、Apple Watch 显

两个ks-le-b被取消

川普正式拿下摇摆州北卡、俄亥俄

我擦，怎么全在说什么大选

为什么你们这么关心USA大选？

树莓派 4B 能获取到公网 ipv6 外网，但同局

无论结果如何 ~ 感谢哈哈姐带给大家de欢乐

论坛已开启tls指纹验证,求大佬分享签到脚本

各位mjj， 比特币突破新高了

出ie区OVH KS-LE-E

热门板块

公告

网站帮助 - Yoo趣儿

我们的愿景

在 Yoo趣儿 投放广告

Yoo趣儿网站用户应遵守规则

各位mjj，比特币突破新高了

在 Yoo趣儿投放广告