Entering the path

Packet capture analysis

Tools

Packet capture tool – Charles

www.charlesproxy.com/

Prerequisite: The Charles certificate is installed on the mobile phone and computer

Interface debugging analysis – Postman

Mini program package export tool – RootExplorer file browser for Android

(Requires root permission)

Runtime environment

Huawei P9 Android 6.0

(On Android 7.0 and later, packet capture tools cannot capture HTTPS requests by default. Solution: promote the Charles certificate to a system certificate by installing it in the system certificate directory.)

Interface analysis

Commodity category access interface

cURL

curl -H 'Host: as-vip.missfresh.cn' -H 'platform: weixin_app' -H 'charset: utf-8' -H 'request-id: 0649cacd90ffb932864517168199fa5a' -H 'content-type: application/json' -H 'mfsig: mfswaD2ZNKZTnrhVmrlTn43Ol3vT4uV46Q7hmuVf4iV72u4554JRnQzkmQ3V3J+PnGJU44Rk34QUiKC6Qry3niy2iRaWnrdPmiJ2mhzfROhQlFRSQiy3mhzQSJqrk3RWSryTl439m3vTRHFuQum4QvKihGyOk3RPSizhQQr2PvG6' -H 'User-Agent: Mozilla/5.0 (Linux; Android 7.0; EVA-AL10 Build/HUAWEIEVA-AL10; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.62 XWEB/2852 MMWEBSDK/20210501 Mobile Safari/537.36 MMWEBID/1318 MicroMessenger/8.0.6.1900(0x2800063A) Process/appbrand2 WeChat/arm32 Weixin NetType/WIFI Language/zh_CN ABI/arm64 MiniProgramEnv/android' -H 'x-region: {"address_code":330110,"station_code":"MRYX|mryx_celshd","delivery_type":1,"bigWarehouse":"MRYXSHD","type":0}' -H 'Referer: https://servicewechat.com/wxebf773691904eee9/821/page-frame.html' --data-binary '{"param":{"firstCategoryCode":"","secondCategoryCode":"","categoryIndex":0,"onlyClassify":1,"bizFingerprintType":3},"common":{"accessToken":"","retailType":"","fromSource":"","sourceDeviceId":"0649cacd-90ff-b932-8645-17168199fa5a","deviceId":"0649cacd-90ff-b932-8645-17168199fa5a","deviceCenterId":"8590201085835345922","env":"weixin_app","platform":"weixin_app","model":"EVA-AL10","screenHeight":611,"screenWidth":360,"version":"9.9.36.3","addressCode":330110,"stationCode":"MRYX|mryx_celshd","bigWarehouse":"MRYXSHD","deliveryType":1,"chromeType":0,"currentLng":120.024811,"currentLat":30.28203,"sellerId":13646,"mfplatform":"weixin_app","mfenv":"wxapp","sellerInfoList":[{"sellerId":13646,"sellerType":1},{"sellerId":678894,"sellerType":2},{"sellerId":2386422,"sellerType":6}]}}' --compressed 'https://as-vip.missfresh.cn/as/home/classify'

Request body

{
	"param": {
		"firstCategoryCode": "", "secondCategoryCode": "", "categoryIndex": 0, "onlyClassify": 1, "bizFingerprintType": 3
	},
	"common": {
		"accessToken": "", "retailType": "", "fromSource": "",
		"sourceDeviceId": "0649cacd-90ff-b932-8645-17168199fa5a", "deviceId": "0649cacd-90ff-b932-8645-17168199fa5a", "deviceCenterId": "8590201085835345922",
		"env": "weixin_app", "platform": "weixin_app", "model": "EVA-AL10", "screenHeight": 611, "screenWidth": 360, "version": "9.9.36.3",
		"addressCode": 330110, "stationCode": "MRYX|mryx_celshd", "bigWarehouse": "MRYXSHD", "deliveryType": 1, "chromeType": 0,
		"currentLng": 120.024811, "currentLat": 30.28203,
		"sellerId": 13646, "mfplatform": "weixin_app", "mfenv": "wxapp",
		"sellerInfoList": [{
			"sellerId": 13646, "sellerType": 1
		}, {
			"sellerId": 678894, "sellerType": 2
		}, {
			"sellerId": 2386422, "sellerType": 6
		}]
	}
}

Response

{
    "data": {
        "bizFingerprintType": 3, "tabInfo": [], "classifyStyle": 1,
        "categories": [{
            "internalId": "3127",
            "secondList": [{
                    "internalId": "3513", "categoryImage": "https://image.missfresh.cn/567284b5c37f4c5a815ffe36fda1b445.png", "icon": "Hot", "name": "Recommended", "parentId": "3127"
                },
                {
                    "internalId": "3514", "categoryImage": "https://image.missfresh.cn/32ed06cc30394b0895e771bb3a79e59e.png", "icon": "Hui", "name": "Member Privileges", "parentId": "3127"
                },
                {
                    "internalId": "3129", "categoryImage": "https://image.missfresh.cn/1971c2db09384038864fddc8b2497141.png", "icon": "New", "name": "New in season.", "parentId": "3127"
                },
                ...

Identifying the encryption parameter

Debugging in Postman shows that the interface does not return data correctly when mfsig is omitted or sent with a wrong value, which confirms mfsig as the core encryption signature.

In the early brought wonderful way

Decompiling the mini program package

Tool

wxUnpacker

Github: github.com/qwerty47212…

Prerequisite: the Node environment must be installed.

The tool needs a number of Node dependency libraries to run. Installation instructions are in the README.md on GitHub.

Pulling the mini program package

Use the RE file manager app to browse directly to the WeChat mini program package path:

/data/data/com.tencent.mm/MicroMsg/${user MD5}/appbrand/pkg/_*_xxx.wxapkg

Use the RE file manager to compress the packages into a ZIP archive, tap the button in the upper right corner, choose Send, and transfer the archive to your computer via QQ, DingTalk, Bluetooth or a similar channel.

Identifying the main package and subpackages

Currently a single WeChat mini program package cannot exceed 4M (the mini program base dependency package excepted). If the project is too large, the developer uses subpackage mode.

Taking this e-commerce mini program as an example: after opening it and using it for a while, four packages appear in the file directory.

Among them:

_2124598774_821.wxapkg 3.3M main package

_-588782754_76.wxapkg 1.5M subpackage

_152740959_13.wxapkg 89K subpackage

_1123949441_552.wxapkg 14M base dependency package
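Size is only a hint for telling the main package from a subpackage; the file index inside each package is more reliable. The following is an added example, not code from the original post or from wxUnpacker. The .wxapkg layout and the app-config.json heuristic are assumptions based on how public unpackers read unencrypted packages, and the function names and sample data are hypothetical.

```javascript
// Added example. Assumed layout of an unencrypted .wxapkg (big-endian):
// 0xBE, u32 unknown, u32 indexLength, u32 dataLength, 0xED, u32 fileCount,
// then per file: u32 nameLen, name, u32 offset, u32 size.
function parseWxapkgIndex(buf) {
  if (buf.length < 18) throw new Error('too short for a wxapkg header');
  const magicOk = buf.readUInt8(0) === 0xbe && buf.readUInt8(13) === 0xed;
  if (!magicOk) throw new Error('bad magic bytes');
  const indexLength = buf.readUInt32BE(5);
  const dataLength = buf.readUInt32BE(9);
  const indexEnd = 14 + indexLength;
  if (indexEnd > buf.length) throw new Error('index runs past end of file');
  const fileCount = buf.readUInt32BE(14);
  const files = [];
  let off = 18;
  for (let i = 0; i < fileCount; i++) {
    if (off + 4 > indexEnd) throw new Error('truncated index entry');
    const nameLen = buf.readUInt32BE(off);
    if (off + 4 + nameLen + 8 > indexEnd) throw new Error('truncated index entry');
    const name = buf.toString('utf8', off + 4, off + 4 + nameLen);
    const offset = buf.readUInt32BE(off + 4 + nameLen);
    const size = buf.readUInt32BE(off + 8 + nameLen);
    off += 12 + nameLen;
    // Reject entries pointing outside the file instead of slicing blindly.
    if (offset + size > buf.length) throw new Error(`entry ${name} out of bounds`);
    files.push({ name, offset, size });
  }
  return { indexLength, dataLength, files };
}

// Heuristic (assumption): only the main package carries app-config.json.
function classifyPackage(parsed) {
  const isMain = parsed.files.some(f => f.name.replace(/^\//, '') === 'app-config.json');
  return isMain ? 'main' : 'subpackage';
}

// Constructed sample package, built in memory so the example runs offline.
function buildSample(entries) {
  const u32 = n => { const b = Buffer.alloc(4); b.writeUInt32BE(n); return b; };
  const indexLength = entries.reduce((s, e) => s + 12 + Buffer.byteLength(e.name), 4);
  const bodies = entries.map(e => Buffer.from(e.body));
  const index = [u32(entries.length)];
  let dataOff = 14 + indexLength;
  entries.forEach((e, i) => {
    index.push(u32(Buffer.byteLength(e.name)), Buffer.from(e.name), u32(dataOff), u32(bodies[i].length));
    dataOff += bodies[i].length;
  });
  const dataLength = dataOff - 14 - indexLength;
  const header = [Buffer.from([0xbe]), u32(0), u32(indexLength), u32(dataLength), Buffer.from([0xed])];
  return Buffer.concat([...header, ...index, ...bodies]);
}
```

On a real file, read it with fs.readFileSync and pass the buffer to parseWxapkgIndex; a package that fails the magic check is not in this plain layout.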

Running the decompiler

Decompile the main package first

# Decompile the main package
node wxWxapkg.js /Users/toretto/crack/wxapkg/missfresh_v3/_2124598774_821.wxapkg

Then decompile the subpackages, specifying the path of the main package with -s=, so that the decompiled contents of each subpackage are copied into the main package

# Decompile the subpackages
node wxWxapkg.js -s=/Users/toretto/crack/wxapkg/missfresh_v3/_2124598774_821 ../../wxapkg/missfresh_v3/_152740959_13.wxapkg
node wxWxapkg.js -s=/Users/toretto/crack/wxapkg/missfresh_v3/_2124598774_821 ../../wxapkg/missfresh_v3/_-588782754_76.wxapkg

If File done is displayed, decompilation is successful

Open with the mini program development tool

Click Local Settings in the upper right corner and select the option not to verify legitimate domain names, WebView, TLS and HTTPS certificates

With that done, a simple code analysis environment is set up

get

Static analysis

Packet capture analysis showed that the encryption parameter is mfsig. A global search for mfsig in the development tool found no matching result.

The values of mfsig all start with mfsw, so we searched for that globally as well. There were no matching results for mfsw either, which leads to the conclusion:

The mini program's encryption-related functions have been specially obfuscated, so the plaintext strings cannot be located by static analysis. It is a case with good security.

Mini program code is often obfuscated when it is released. In general, static analysis of the encryption logic in such code is very time-consuming and laborious, but with the help of a debugger the code logic is easy to understand.

Since static analysis is fruitless, dynamic debugging analysis becomes important.

Dynamic analysis

Compiling the mini program

Open the emulator and click the compile button. Watch for error messages in the emulator window and the debugger's Console window.

Several small errors will come up along the way. After resolving them one by one, the main interface displays successfully and debugging can begin.

Dynamic analysis process

Find the code for the corresponding interface, set a breakpoint, and step through it.

Once the core code is located, note that decompiled code is poorly formatted, with many statements on the same line, which makes tracing difficult. Click the {} button in the lower left corner to format it.

Trace execution with the debug function buttons on the right of the debugger.

The encryption functions are obfuscated, so it takes some patience to step through them; record the encryption process on paper as you go.

Basically it's an encoding game: string to array, array to string, and then characters are encoded by index to generate the final mfsig.

Yuan god with certain

Translating the encryption

After the dynamic analysis above, organize the encryption process recorded on paper and reimplement it in Java or Python.

Test it with the request body parameters of a real captured request to verify that the encryption function is correct.

The resulting mfsig is exactly the same as the one in the captured request, and you're done.

Wonderful brought the cat

Conclusion

  1. Reverse engineering requires patience, along with bold guesses and assumptions that are tried out again and again. The author spent several days going back and forth debugging the obfuscated code, which is a rather clumsy approach;
  2. Reverse engineering work relies on many good tools. Make a habit of collecting good tools and good blogs, and you will get twice the result with half the effort;
  3. The purpose of this article is to share some reverse engineering techniques and ideas. Readers are not allowed to use the contents of this article for illegal commercial gain. If they do, the legal responsibility is borne by the readers themselves.