├── .gitignore
├── LICENSE
├── README.md
├── _types.py
├── js
└── native.js
├── main.py
└── requirements.txt
/.gitignore:
--------------------------------------------------------------------------------
1 | # Byte-compiled / optimized / DLL files
2 | __pycache__/
3 | *.py[cod]
4 | *$py.class
5 |
6 | # C extensions
7 | *.so
8 |
9 | # Distribution / packaging
10 | .Python
11 | build/
12 | develop-eggs/
13 | dist/
14 | downloads/
15 | eggs/
16 | .eggs/
17 | lib/
18 | lib64/
19 | parts/
20 | sdist/
21 | var/
22 | wheels/
23 | share/python-wheels/
24 | *.egg-info/
25 | .installed.cfg
26 | *.egg
27 | MANIFEST
28 |
29 | # PyInstaller
30 | # Usually these files are written by a python script from a template
31 | # before PyInstaller builds the exe, so as to inject date/other infos into it.
32 | *.manifest
33 | *.spec
34 |
35 | # Installer logs
36 | pip-log.txt
37 | pip-delete-this-directory.txt
38 |
39 | # Unit test / coverage reports
40 | htmlcov/
41 | .tox/
42 | .nox/
43 | .coverage
44 | .coverage.*
45 | .cache
46 | nosetests.xml
47 | coverage.xml
48 | *.cover
49 | *.py,cover
50 | .hypothesis/
51 | .pytest_cache/
52 | cover/
53 |
54 | # Translations
55 | *.mo
56 | *.pot
57 |
58 | # Django stuff:
59 | *.log
60 | local_settings.py
61 | db.sqlite3
62 | db.sqlite3-journal
63 |
64 | # Flask stuff:
65 | instance/
66 | .webassets-cache
67 |
68 | # Scrapy stuff:
69 | .scrapy
70 |
71 | # Sphinx documentation
72 | docs/_build/
73 |
74 | # PyBuilder
75 | .pybuilder/
76 | target/
77 |
78 | # Jupyter Notebook
79 | .ipynb_checkpoints
80 |
81 | # IPython
82 | profile_default/
83 | ipython_config.py
84 |
85 | # pyenv
86 | # For a library or package, you might want to ignore these files since the code is
87 | # intended to run in multiple environments; otherwise, check them in:
88 | # .python-version
89 |
90 | # pipenv
91 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
92 | # However, in case of collaboration, if having platform-specific dependencies or dependencies
93 | # having no cross-platform support, pipenv may install dependencies that don't work, or not
94 | # install all needed dependencies.
95 | #Pipfile.lock
96 |
97 | # poetry
98 | # Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
99 | # This is especially recommended for binary packages to ensure reproducibility, and is more
100 | # commonly ignored for libraries.
101 | # https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
102 | #poetry.lock
103 |
104 | # pdm
105 | # Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
106 | #pdm.lock
107 | # pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
108 | # in version control.
109 | # https://pdm.fming.dev/latest/usage/project/#working-with-version-control
110 | .pdm.toml
111 | .pdm-python
112 | .pdm-build/
113 |
114 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
115 | __pypackages__/
116 |
117 | # Celery stuff
118 | celerybeat-schedule
119 | celerybeat.pid
120 |
121 | # SageMath parsed files
122 | *.sage.py
123 |
124 | # Environments
125 | .env
126 | .venv
127 | env/
128 | venv/
129 | ENV/
130 | env.bak/
131 | venv.bak/
132 |
133 | # Spyder project settings
134 | .spyderproject
135 | .spyproject
136 |
137 | # Rope project settings
138 | .ropeproject
139 |
140 | # mkdocs documentation
141 | /site
142 |
143 | # mypy
144 | .mypy_cache/
145 | .dmypy.json
146 | dmypy.json
147 |
148 | # Pyre type checker
149 | .pyre/
150 |
151 | # pytype static type analyzer
152 | .pytype/
153 |
154 | # Cython debug symbols
155 | cython_debug/
156 |
157 | # PyCharm
158 | # JetBrains specific template is maintained in a separate JetBrains.gitignore that can
159 | # be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
160 | # and can be added to the global gitignore or merged into this file. For a more nuclear
161 | # option (not recommended) you can uncomment the following to ignore the entire idea folder.
162 | #.idea/
163 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2024 Qian ruanke
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # AndroidWXCloudFuncHook
2 |
3 | ## 1. 微信云函数的介绍及目前的研究到的点
4 |
5 | 其实微信云函数不是单独的云函数,它包含:云网关、云托管、云函数,在此统称为云函数。
6 |
7 | 现在很多小程序的请求,不再是普通的HTTP请求,而是基于微信云网关/云函数/云托管进行请求,此类请求直接通过抓包软件,无法抓到,因为其实现原理主要是通过微信的Mmtls进行请求发包(当然这只是一种方式),根据研究,目前发现微信云请求有以下几种:
8 |
9 | 1. 基于微信Mmtls协议,调用微信的 ***OperateWxData*** 接口(可以在PC小程序逆向中看到该函数)是通过小程序进程和微信进程通讯,通过微信的mmtls协议进行实际的发包,走的相当于微信私有链路的请求。
10 | 2. 基于HTTP2.0,此类又分为两种,一种是鉴权模式,即微信小程序中部分使用的模式,该模式的主要流程是以下几点:
11 | 1. 通过调用OperateWxData接口(此接口为Mmtls)的qbase_commit中的 ***tcbapi_get_service_info*** 接口,获取到请求的加密参数以及鉴权的Token。
12 | 2. 通过拿到的key和token把请求体进行加密并压缩(目前来看压缩使用的算法是snappy),数据的格式一般采用ProtoBuf或者JSON两种类型进行处理。
13 | 3. 拿到请求后,通过key进行解密,解密算法目前使用的是AES-CBC算法。
14 | 3. 不鉴权的HTTP2.0,此类与上述类似,一般用于使用了微信云托管/云网关但不在小程序,而是自己单独网站的情况下使用,key和token通过微信链路获取,后续请求和2中类似进行加解密。
15 | 4. 基于HTTP明文的请求,此类主要是微信云网关,一般用于其他App,此类请求,通过带Socks的抓包软件可以抓到(不带Socks的抓不到),此类请求是通过微信云网关的算法(so层),在请求的请求头中附带了x-wx-auth-code以及x-wx-call-id请求头,这两个参数通过URL以及Body计算出来,来进行数据合法性验证。
16 |
17 | ## 2. 这个项目用于干啥?
18 |
19 | **AndroidWXCloudFuncHook** 主要是针对于上面介绍的第二种情况,第二种情况通过 *get_service_info* 接口拿到Key进行加解密,会导致抓包很麻烦(除非直接抓JS层),同时要集成抓包+frida逆向到key进行同步作用,较为麻烦,所以在近期的研究中,发现当 *get_service_info* 接口触发某个异常的时候,会自动降级为第一种的Mmtls接口,如果降级成Mmtls那就可以很便捷的通过Frida找到对应的Hook点进行抓包。
20 |
21 | 目前抓包适配了安卓微信***848/849/850***,降级云函数只适配了***848/849***
22 |
23 | ```javascript
24 | Java.use('com.tencent.mm.plugin.appbrand.jsapi.i0').o.overload('java.lang.String', 'java.util.Map').implementation = function (x, y) { // 取自代码片段,frida脚本部分
25 | let res =this.o(x, y)
26 | sendResponseToPython(res)
27 | if(res.includes('{"data":"{\\"data\\":\\"{\\\\\\"token\\\\\\":\\\\\\"')){
28 | res = '{"data":"{\\"baseresponse\\":{\\"errcode\\":103006,\\"errmsg\\":\\"system error.\\"}}","err_no":0}'
29 | console.log("降级云函数")
30 | }
31 | return res
32 | }
33 | ```
34 |
35 | 在这里我们可以看到,当遇到获取Token和Key的时候,就抛出**103006异常**(目前来看就是非法请求),此时云函数会自动降级为OperateWxData,就可以很方便的进行抓包,当然你也可以先抓到这个key进行解密,这里不做讨论。
36 | 当然你也可以通过此脚本自行实现RPC或者重写请求/响应
37 | ## 3. 如何运行?
38 |
39 | 1. python > 3.8
40 | 2. pip install -r requirements.txt
41 | 3. Git下载Frida-server(具体教程可以自行搜索) [Releases · frida/frida](https://github.com/frida/frida/releases)
42 | 4. 下载adb并添加到环境变量
43 | 5. 运行脚本即可
44 |
45 | #### 另外,对于3/4类的请求,都能通过逆向JS或者So层拿到实际的加密参数,根据目前的算法,4类算法,基本就是一个很简单的HASH算法进行了验签,在So层通过IDA即可拿到。
46 |
47 | By WeChat: ***RSCompanyCEO***
48 |
49 | Telegram: ***ryf5584***
50 |
--------------------------------------------------------------------------------
/_types.py:
--------------------------------------------------------------------------------
1 | # coding: utf-8
2 | # @Author: Ruan
3 | # coding:utf-8
4 | from pydantic import BaseModel, model_validator
5 | from typing import *
6 | from enum import Enum
7 |
8 |
class JsSendType(Enum):
    """Kind of message sent by js/native.js; values mirror its ``SendType`` table."""
    Request = 1   # data is {api_name, data} (sendRequestToPython)
    Response = 2  # data is the hooked return value, sent bare (sendResponseToPython)
    Other = 3     # data is free-form status text (sendOtherToPython)
13 |
14 |
class Request(BaseModel):
    """One JSAPI invocation captured by the nativeInvokeHandler hook: API name plus its raw argument."""
    api_name: str
    data: Any
18 |
19 |
class Response(BaseModel):
    """A hooked return value forwarded by the script.

    NOTE(review): js/native.js sends the value bare (``{"type": 2, "data": <value>}``),
    not as ``{"data": ...}``, so parsing a raw Response payload with this model
    needs the value wrapped first.
    """
    data: Any
22 |
23 |
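def _coerce_send_type(raw):
    """Map a raw ``type`` value (a ``JsSendType`` member or its integer value) to the enum.

    Returns ``None`` for anything that does not name a member so the caller can
    leave the payload untouched and let pydantic report the validation error.
    """
    try:
        return JsSendType(raw)
    except (ValueError, TypeError):
        return None


class JsSendRequest(BaseModel):
    """Envelope for every message sent by js/native.js: ``{"type": <JsSendType>, "data": ...}``.

    Before field validation, ``data`` is narrowed to ``Request`` or ``Response``
    according to ``type``; ``Other`` payloads are passed through as-is.
    """
    type: JsSendType
    data: Union[Request, Response, Any]

    @model_validator(mode='before')
    @classmethod
    def validate_and_serialize_data(cls, values):
        """Coerce ``data`` into the model matching ``type``.

        The JS side sends ``type`` as a plain integer, which never compared equal
        to a ``JsSendType`` member in the original code, so the branches below
        were unreachable for real messages; ``_coerce_send_type`` fixes that.
        Non-dict input is returned unchanged for pydantic to reject itself.
        """
        if not isinstance(values, dict):
            return values
        type_ = _coerce_send_type(values.get('type'))
        data = values.get('data')
        if type_ == JsSendType.Request:
            if not isinstance(data, Request):
                values['data'] = Request.model_validate(data)
        elif type_ == JsSendType.Response:
            if isinstance(data, dict):
                values['data'] = Response.model_validate(data)
            elif not isinstance(data, Response):
                # js/native.js sends the hooked return value bare rather than
                # as {"data": ...}; wrap it so the Response model still applies.
                values['data'] = Response(data=data)
        elif type_ == JsSendType.Other:
            values['data'] = data
        return values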
39 |
--------------------------------------------------------------------------------
/js/native.js:
--------------------------------------------------------------------------------
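Java.perform(function () {
    // Message kinds understood by the host; must stay in sync with _types.JsSendType.
    const SendType = {
        Request: 1,
        Response: 2,
        Other: 3
    }

    // Every message to the host is a {type, data} envelope passed to Frida's send().
    function sendToPython(type, data) {
        send({
            type, data
        })
    }

    function sendRequestToPython(api_name, data) {
        sendToPython(
            SendType.Request, {api_name, data}
        )
    }

    function sendOtherToPython(text) {
        sendToPython(
            SendType.Other, text
        )
    }

    // The hooked return value is sent bare (not wrapped as {data: ...}); the host
    // side has to account for that when it parses Response messages.
    function sendResponseToPython(data) {
        sendToPython(
            SendType.Response,
            data
        )
    }

    // Substring that identifies the get_service_info reply carrying the token, and
    // the error body substituted for it. Both are compared/returned verbatim, so
    // the escaping must be kept exactly as is.
    const TOKEN_REPLY_MARKER = '{"data":"{\\"data\\":\\"{\\\\\\"token\\\\\\":\\\\\\"'
    const DOWNGRADE_REPLY = '{"data":"{\\"baseresponse\\":{\\"errcode\\":103006,\\"errmsg\\":\\"system error.\\"}}","err_no":0}'

    // Hook body shared by 8.0.48 and 8.0.49 (the two installers were identical
    // copies). Forwards every reply to the host and swaps the token reply for
    // the error body, which is what makes the client fall back to the mmtls path.
    function hookTokenReply(methodName) {
        const jsapi = Java.use('com.tencent.mm.plugin.appbrand.jsapi.i0')
        jsapi[methodName].overload('java.lang.String', 'java.util.Map').implementation = function (x, y) {
            let res = this[methodName](x, y)
            sendResponseToPython(res)
            if (res.includes(TOKEN_REPLY_MARKER)) {
                res = DOWNGRADE_REPLY
                console.log("降级云函数")
            }
            return res
        }
    }

    // Per-version hook installers, keyed by the exact versionName of the target.
    const ReqCaptue = {
        "8.0.48"() {
            hookTokenReply('o')
        },
        "8.0.49"() {
            hookTokenReply('o')
        },
        "8.0.50"() {
            // 8.0.50: only the argument map is mirrored to the host; the return
            // value is passed through unchanged (no downgrade on this version).
            Java.use('com.tencent.mm.plugin.appbrand.jsapi.i0').k.overload('java.lang.String', 'java.util.Map').implementation = function (x, y) {
                let JSONObject = Java.use('org.json.JSONObject');
                let jsonObject = JSONObject.$new(y);
                let jsonString = jsonObject.toString();
                sendResponseToPython(jsonString)
                return this.k(x, y)
            }
        },
    }

    // Select the installer from the running app's versionName.
    let activityThread = Java.use("android.app.ActivityThread");
    let context = activityThread.currentApplication().getApplicationContext();
    let packageManager = context.getPackageManager();
    let packageName = context.getPackageName();
    let packageInfo = packageManager.getPackageInfo(packageName, 0);
    let WX_VERSION = packageInfo.versionName.value.toString().trim()
    sendOtherToPython('当前应用程序版本:' + WX_VERSION)
    if (Object.prototype.hasOwnProperty.call(ReqCaptue, WX_VERSION)) {
        sendOtherToPython(`查找到 -${WX_VERSION}- 对应接口...`)
        ReqCaptue[WX_VERSION]()
    } else {
        sendOtherToPython("版本不支持,仅可抓全局Jni接口,只能看到请求体")
    }

    // Version-independent tap: every JSAPI invocation (name + raw argument
    // string) is forwarded to the host before the original handler runs. The
    // forwarded data may include credentials, so treat the host log as sensitive.
    let AppBrandCommonBindingJni = Java.use("com.tencent.mm.appbrand.commonjni.AppBrandCommonBindingJni");
    AppBrandCommonBindingJni["nativeInvokeHandler"].implementation = function (jsapi_name, data, str3, asyncRequestCounter, z15) {
        sendRequestToPython(jsapi_name, data)
        return this["nativeInvokeHandler"](jsapi_name, data, str3, asyncRequestCounter, z15);
    };

})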
91 |
--------------------------------------------------------------------------------
/main.py:
--------------------------------------------------------------------------------
1 | # @Author: Ruan
2 | import json
3 | import frida
4 | import sys
5 | import os
6 | from loguru import logger
7 | import _types
8 | import subprocess
9 |
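# Expose the frida-server ports over USB. Both commands assume `adb` is on PATH
# (see README); their output is discarded, so a missing adb only surfaces later
# when frida.get_usb_device() fails.
subprocess.getoutput("adb forward tcp:27042 tcp:27042")
subprocess.getoutput("adb forward tcp:27043 tcp:27043")
# loguru's bind() returns a logger that shares the global core, so remove() here
# also strips the default handler from `logger`; the single stdout sink added
# below then serves both names (logger_red is not a separate colour/sink).
logger_red = logger.bind()
logger_red.remove()  # drop the default log sink
logger.add(
    sys.stdout,
    format="{time:YYYY-MM-DD HH:mm:ss} | {level: <8} | - {message}",
    level="DEBUG"
)
device = frida.get_usb_device()
front_app = device.get_frontmost_application()
# get_frontmost_application() may return None when nothing is in the foreground;
# the original dereferenced .pid unconditionally and crashed at import time.
# `app_name` actually holds the pid (kept under its original name for compatibility).
app_name = front_app.pid if front_app is not None else None
logger.info(f'当前前台应用:{front_app}')
BASE_DIR = os.path.dirname(__file__)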
24 |
25 |
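# Handles for every attached process. The original kept only the latest script
# in the single global `script`, so each further attach dropped the previous
# Session/Script references; presumably a collected Session is detached by
# frida — TODO confirm — so they are retained here for the life of the host.
_attachments: list = []


def attach_start(pid: int):
    """Attach to ``pid`` and load js/native.js into it.

    Messages emitted by the script are routed to ``on_message``. The most recent
    script is still published as the module-level ``script`` for compatibility.
    Raises whatever ``device.attach``/``create_script``/``load`` raise; the
    caller's loop logs and continues.
    """
    global script
    session = device.attach(pid)
    js_path = os.path.join(BASE_DIR, 'js', 'native.js')
    with open(js_path, encoding='utf-8') as file:
        source = file.read()
    script = session.create_script(source)
    script.on('message', on_message)
    script.load()
    _attachments.append((session, script))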
33 |
34 |
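def handle_response(response: _types.Response):
    """Decode the JSON text carried in ``response.data``.

    Returns the parsed object, or ``None`` when ``data`` is not a JSON string.
    The original swallowed every exception with a bare ``except`` and discarded
    the result; this keeps the best-effort contract but narrows the catch and
    hands the value back. Not called anywhere in this file.
    """
    try:
        return json.loads(response.data)
    except (TypeError, ValueError):
        # TypeError: data is not str/bytes; ValueError covers json.JSONDecodeError.
        return None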
40 |
41 |
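def on_message(message: dict, *args, **kwargs):
    """
    HOOK结果回调函数,需要自定义解析,请修改该函数
    (Frida message callback; customise the parsing here.)

    Frida delivers ``{"type": "send", "payload": ...}`` for script ``send()``
    calls and ``{"type": "error", ...}`` for script exceptions; anything that is
    not a non-empty send payload is logged as an error and dropped. Payloads can
    carry tokens/keys from the hooked calls and are written to stdout as-is.
    """
    if message.get("type") != "send" or not message.get("payload"):
        logger.error(message)
        return
    payload_raw = message.get("payload")
    try:
        payload = _types.JsSendRequest.model_validate(payload_raw)
    except Exception as exc:
        # Narrowed from a bare except so Ctrl-C still stops the host script.
        logger.error(f"{payload_raw!r}: {exc}")
        return
    # The original compared the enum against the model classes
    # (`payload.type == _types.Request`), which is never true, so request
    # traffic never reached logger_red; compare with the enum members instead.
    if payload.type == _types.JsSendType.Request:
        logger_red.info(payload)
    elif payload.type == _types.JsSendType.Response:
        logger.info(payload)
    else:
        logger.info(payload)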
59 |
60 |
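# Hook every process whose name contains one of the WeChat markers.
processes = device.enumerate_processes()
target_processes = [
    process for process in processes if
    any(keyword in process.name for keyword in ['微信', 'tencent.mm'])
]
if not target_processes:
    # Say so instead of silently blocking on stdin below with nothing hooked.
    logger.warning('No process matching 微信 / tencent.mm found; is WeChat running?')
for process in target_processes:
    try:
        logger.info(f"Attaching to PID: {process.pid}, Name: {process.name}")
        attach_start(process.pid)
    except Exception as e:
        logger.error(f"Error attaching to PID {process.pid}: {e}")

logger.info('py-Hook Start...')
# Block until stdin is closed so the loaded scripts stay alive; Ctrl-C exits cleanly.
try:
    sys.stdin.read()
except KeyboardInterrupt:
    logger.info('py-Hook stopped.')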
75 |
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | loguru
2 | frida
3 | pydantic
--------------------------------------------------------------------------------