Capturing VX (WeChat) Mini-Program Traffic with Frida

Views 98 | Replies 10
Author: l_user
As someone who only recently got into reverse engineering, I was blown away when I first heard of Frida. Who knew there was such a handy tool!
None of the packet-capture tools I had tried ever caught a mini-program's packets, so I tried using Frida to grab VX mini-program traffic instead. Now to the point. Thanks to this expert for providing the approach.
1. First open the WeChat APK in Jadx and search for the string createRequestTask. This turns up two classes, used for creating synchronous and asynchronous tasks respectively.


[Attached screenshot: C76AD273-6ABF-40df-B0B3-5717C44BF2CE.png, uploaded 2024-7-25 23:15]

2. Step into this.h.e(lVar, jSONObject, str); and you will see jVar.g(lVar, i, jSONObject, g, aVar2.q, bVar, str, "createRequestTask");. That is where the request is actually issued. Next comes writing the Frida hook.
3. At first I went down a dead end: the package names Jadx decompiles are not complete, for example package kv0;. I spent a long time trying to work out how to get the full package name. Later I saw an expert on the forum say that this does not affect hooking at all, so the code that actually grabs the sent data looks like this:
```javascript
// Hook sz0.j.g (the method reached from createRequestTask) and log the
// arguments of every outgoing mini-program request before passing them on.
Java.perform(function () {
  var JSendClass = Java.use("sz0.j");
  if (JSendClass.g) {
    JSendClass.g.overload(
      "com.tencent.mm.plugin.appbrand.jsapi.l",
      "int",
      "org.json.JSONObject",
      "java.util.Map",
      "java.util.ArrayList",
      "sz0.o",
      "java.lang.String",
      "java.lang.String"
    ).implementation = function (lVar, i, jsonObject, map, arrayList, oVar, str, str2) {
      console.log("\n------------------ Sending Data ------------------");
      console.log("lVar:" + lVar.toString());
      console.log("jsonObject: " + jsonObject.toString());
      console.log("map: ");
      // The Map argument may be null; walking it unguarded would throw
      // inside the hook and abort the request.
      if (map) {
        var it = map.keySet().iterator();
        while (it.hasNext()) {
          var key = it.next();
          var value = map.get(key);
          console.log(key.toString() + " -> " + (value ? value.toString() : "null"));
        }
      }
      console.log("str: " + str);
      console.log("str2: " + str2);
      // Forward to the original implementation so the request still goes out.
      return this.g(lVar, i, jsonObject, map, arrayList, oVar, str, str2);
    };
  } else {
    console.log("Method 'g' not found in the sending class.");
  }
});
```
Run the script and you get the data being sent. Note that the PID Frida needs is the PID of WeChat itself, not the PID of the mini-program process.
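As an added example (not the original poster's script), the same hook point can be restructured so that the record for each captured request is built by plain functions that also run outside Frida, and is handed to the host side with send() as a JSON message instead of console.log output. The class name sz0.j, the method g and the eight-argument overload are taken from the post above; they are obfuscated names valid only for that WeChat build. The record field names, the asString/javaMapToObject/buildRecord/installHook helpers and the null-map handling are this example's own assumptions.

```javascript
// Added example; not the original poster's script. Names sz0.j and g and the
// overload signature come from the post and are build-specific. The helpers
// and the record layout below are this example's own choices.

// Stringify a Java object wrapper (or plain JS value); null stays null.
function asString(v) {
  return v === null || v === undefined ? null : v.toString();
}

// Convert a java.util.Map wrapper (anything exposing keySet().iterator() and
// get()) into a plain object. A null map is a legitimate argument for this
// overload, so it becomes {} instead of throwing inside the hook.
function javaMapToObject(map) {
  var out = {};
  if (map === null || map === undefined) {
    return out;
  }
  var it = map.keySet().iterator();
  while (it.hasNext()) {
    var key = it.next();
    out[asString(key)] = asString(map.get(key));
  }
  return out;
}

// Build one structured record per captured request. The org.json.JSONObject
// argument is kept parsed when its string form is valid JSON, raw otherwise.
function buildRecord(lVar, jsonObject, map, str, str2) {
  var payload = null;
  if (jsonObject !== null && jsonObject !== undefined) {
    var raw = jsonObject.toString();
    try {
      payload = JSON.parse(raw);
    } catch (e) {
      payload = raw;
    }
  }
  return {
    ts: Date.now(),
    lVar: asString(lVar),
    jsonObject: payload,
    map: javaMapToObject(map),
    str: asString(str),
    str2: asString(str2)
  };
}

// Frida-only part, guarded so the file also loads under plain Node.
// Returns true when the hook was installed, false outside Frida.
function installHook() {
  if (typeof Java === "undefined") {
    return false;
  }
  Java.perform(function () {
    var JSendClass = Java.use("sz0.j");
    JSendClass.g.overload(
      "com.tencent.mm.plugin.appbrand.jsapi.l", "int", "org.json.JSONObject",
      "java.util.Map", "java.util.ArrayList", "sz0.o",
      "java.lang.String", "java.lang.String"
    ).implementation = function (lVar, i, jsonObject, map, arrayList, oVar, str, str2) {
      // send() hands the record to the host side: the frida CLI prints it as a
      // message, and a Python host script receives it in its on("message") handler.
      send(buildRecord(lVar, jsonObject, map, str, str2));
      // Always forward to the original so the request still goes out.
      return this.g(lVar, i, jsonObject, map, arrayList, oVar, str, str2);
    };
  });
  return true;
}

installHook();
```

Attach it exactly as the script above (to WeChat's own PID). Because the records are JSON, a host script can write them to a file as they arrive rather than scrolling them past on the console, and the null-map case no longer kills the hook mid-request.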


风生·水起

l_user posted on 2024-7-26 16:58:
Then you can just hook that JS directly with Frida.

Yeah, but I searched for ages and could not find a hook point. Are you interested in looking into it?

```
2024-07-01 15:02:47.441 17180-17841 LSPosed-Bridge          com.tencent.mm                       I  HookBox:MicroMsg.JsValidationInjectorWC batchInjectUsrJsFiles start assemble requests, appId:wxe89fc000f4991d2a, key:game.js, paths.size:1stack:[com.specher.superhookbox.hook.WeChat$5.beforeHookedMethod(WeChat.java:265), de.robv.android.xposed.XposedBridge$LegacyApiSupport.handleBefore(Unknown Source:24), J.callback(Unknown Source:179), LSPHooker_.j(Unknown Source:14), com.tencent.mm.plugin.appbrand.utils.h3.b(Unknown Source:71), com.tencent.luggage.sdk.jsapi.component.service.f.k(Unknown Source:95), us0.s.k(Unknown Source:282), com.tencent.luggage.sdk.jsapi.component.service.f.evaluateScriptFile(Unknown Source:208), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8.callObjectJavaMethod(Unknown Source:42), com.eclipsesource.mmv8.V8._executeScript(Native Method), com.eclipsesource.mmv8.V8.executeScript(SourceFile:6), com.eclipsesource.mmv8.V8.executeScript(SourceFile:5), com.eclipsesource.mmv8.V8ContextWrapper$V8ContextImpl.executeScript(SourceFile:3), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8ContextWrapper.invoke(Unknown Source:22), java.lang.reflect.Proxy.invoke(Proxy.java:1006), $Proxy14.executeScript(Unknown Source), zh.g1.run(Unknown Source:42), zh.u3.s(Unknown Source:8), zh.u3.n(Unknown Source:47), zh.g0.n(Unknown Source:0), zh.u3.f(Unknown Source:109), zh.e.run(Unknown Source:259)]
2024-07-01 15:02:47.441 17180-17841 LSPosed-Bridge          com.tencent.mm                       I  HookBox:MicroMsg.JsValidationInjectorWC batchInjectUsrJsFiles start invoke batchEvaluateJavascript, appId:wxe89fc000f4991d2a, key:game.js, paths.size:1stack:[com.specher.superhookbox.hook.WeChat$5.beforeHookedMethod(WeChat.java:265), de.robv.android.xposed.XposedBridge$LegacyApiSupport.handleBefore(Unknown Source:24), J.callback(Unknown Source:179), LSPHooker_.j(Unknown Source:14), com.tencent.mm.plugin.appbrand.utils.h3.b(Unknown Source:256), com.tencent.luggage.sdk.jsapi.component.service.f.k(Unknown Source:95), us0.s.k(Unknown Source:282), com.tencent.luggage.sdk.jsapi.component.service.f.evaluateScriptFile(Unknown Source:208), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8.callObjectJavaMethod(Unknown Source:42), com.eclipsesource.mmv8.V8._executeScript(Native Method), com.eclipsesource.mmv8.V8.executeScript(SourceFile:6), com.eclipsesource.mmv8.V8.executeScript(SourceFile:5), com.eclipsesource.mmv8.V8ContextWrapper$V8ContextImpl.executeScript(SourceFile:3), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8ContextWrapper.invoke(Unknown Source:22), java.lang.reflect.Proxy.invoke(Proxy.java:1006), $Proxy14.executeScript(Unknown Source), zh.g1.run(Unknown Source:42), zh.u3.s(Unknown Source:8), zh.u3.n(Unknown Source:47), zh.g0.n(Unknown Source:0), zh.u3.f(Unknown Source:109), zh.e.run(Unknown Source:259)]
2024-07-01 15:02:47.527 17180-17841 LSPosed-Bridge          com.tencent.mm                       I  HookBox:MicroMsg.JsValidationInjector hy: file game.js inject success! cost:86stack:[com.specher.superhookbox.hook.WeChat$5.beforeHookedMethod(WeChat.java:265), de.robv.android.xposed.XposedBridge$LegacyApiSupport.handleBefore(Unknown Source:24), J.callback(Unknown Source:179), LSPHooker_.j(Unknown Source:14), com.tencent.mm.plugin.appbrand.utils.c3.a(Unknown Source:35), com.tencent.mm.plugin.appbrand.utils.d3.a(Unknown Source:6), zh.h1.run(Unknown Source:40), zh.u3.s(Unknown Source:8), zh.u3.j(Unknown Source:35), zh.a.h(Unknown Source:5), zh.q0.b(Unknown Source:13), com.tencent.mm.plugin.appbrand.jsruntime.n.J(Unknown Source:4), com.tencent.mm.plugin.appbrand.utils.h3.b(Unknown Source:270), com.tencent.luggage.sdk.jsapi.component.service.f.k(Unknown Source:95), us0.s.k(Unknown Source:282), com.tencent.luggage.sdk.jsapi.component.service.f.evaluateScriptFile(Unknown Source:208), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8.callObjectJavaMethod(Unknown Source:42), com.eclipsesource.mmv8.V8._executeScript(Native Method), com.eclipsesource.mmv8.V8.executeScript(SourceFile:6), com.eclipsesource.mmv8.V8.executeScript(SourceFile:5), com.eclipsesource.mmv8.V8ContextWrapper$V8ContextImpl.executeScript(SourceFile:3), java.lang.reflect.Method.invoke(Native Method), com.eclipsesource.mmv8.V8ContextWrapper.invoke(Unknown Source:22), java.lang.reflect.Proxy.invoke(Proxy.java:1006), $Proxy14.executeScript(Unknown Source), zh.g1.run(Unknown Source:42), zh.u3.s(Unknown Source:8), zh.u3.n(Unknown Source:47), zh.g0.n(Unknown Source:0), zh.u3.f(Unknown Source:109), zh.e.run(Unknown Source:259)]
```
风生·水起

l_user posted on 2024-7-26 17:06:
What game? Send it over so I can take a look. Also, I'm no expert.

I was only giving an example; if an injection point can be found, this is generic. The core code of WeChat mini-games is all in game.js. For instance, this is an earlier hook for doubling the score in Jump Jump (跳一跳), which no longer works:

```java
// handleLoadPackage of top.chaego.wejumpp.main (an IXposedHookLoadPackage module,
// as decompiled). main.kaiguan, main.mag and main.getKey() are members of that
// enclosing class and are not shown in the post.
public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
    if (loadPackageParam.packageName.equals("com.tencent.mm")) {
        // Obfuscated class and method names from an old WeChat build; they no longer match.
        Class cljump = XposedHelpers.findClass("com.tencent.mm.plugin.appbrand.appcache.ai", loadPackageParam.classLoader);
        XposedBridge.hookAllMethods(cljump, "a", new XC_MethodHook() { // from class: top.chaego.wejumpp.main.2
            protected void beforeHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable {}
            protected void afterHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable {
                String retStr;
                main.this.getKey();
                if (param.args.length >= 2) {
                    String arg = (String) param.args[1];
                    // The original compared with arg == "game.js", which tests reference
                    // identity and never matches a string built at runtime.
                    if ("game.js".equals(arg)) {
                        String result = (String) param.getResult();
                        if (main.kaiguan) {
                            retStr = result.replace("this.score+=t", "this.score+=t+=" + main.mag);
                        } else {
                            retStr = result;
                        }
                        param.setResult(retStr);
                    }
                }
            }
        });
    }
}
```
l_user (OP)

Why did the link I inserted disappear? The expert's approach is here: https://www.52pojie.cn/thread-1764292-1-1.html
风生·水起

Is it possible to modify a mini-game's JS data? It used to be possible, but I have studied the new WeChat version for a long time and could not find a way.
l_user (OP)

风生·水起 posted on 2024-7-26 16:34:
Is it possible to modify a mini-game's JS data? It used to be possible, but I have studied the new WeChat version for a long time and could not find a way.

Why can't you find it? Can you capture the data with a packet capture?
风生·水起

l_user posted on 2024-7-26 16:36:
Why can't you find it? Can you capture the data with a packet capture?

That JS data is inside the mini-game's package; it doesn't seem to be fetched through a network request.
l_user (OP)

风生·水起 posted on 2024-7-26 16:38:
That JS data is inside the mini-game's package; it doesn't seem to be fetched through a network request.

Just decompile the mini-program and look. Ordinary packet capture won't catch it; try capturing the cloud functions.
风生·水起

l_user posted on 2024-7-26 16:40:
Just decompile the mini-program and look. Ordinary packet capture won't catch it; try capturing the cloud functions.

Decompiling will definitely show it; what I want is to hook and modify its JS to cheat, like the earlier Xposed module for the Jump Jump guide line.
l_user (OP)

风生·水起 posted on 2024-7-26 16:53:
Decompiling will definitely show it; what I want is to hook and modify its JS to cheat, like the earlier Xposed module for the Jump Jump guide line.

Then you can just hook that JS directly with Frida.