Hook_WeChat_FaaS.js
// Script-wide mutable state shared between the RPC entry point and the hooks.

// Mini-program AppId shown as a prefix on every log line. Nothing in this file
// assigns it, so it prints as `null` unless a hook that sets it is added.
let AppId = null;

// AppId handed to the most recent CallWX() invocation.
let Call_AppId = null;

// Most recent asyncRequestCounter seen on nativeInvokeHandler; CallWX() bumps
// it so an injected request gets an id the app has not used yet.
let CallWX_asyncRequestCounter = 0;
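/**
 * Sends one JSAPI request through the mini-program's JS bridge, the same path
 * the mini-program's own JavaScript uses.
 *
 * Exposed over Frida RPC as `call`. The binding instance is chosen by looking
 * for the one whose `mAppBrandDelegate.g` object carries a field `C` that
 * renders as `{__APP__=true}`; every other instance is skipped.
 *
 * @param {string} appid - Mini-program AppId. It is stored in `Call_AppId` and
 *   echoed in the return value only; instance selection does NOT consult it.
 * @param {string} jsapi_name - Name of the JSAPI to invoke.
 * @param {string} data - JSON-encoded argument object for the JSAPI.
 * @returns {string} `appid` concatenated with the request counter used for
 *   this call, so the caller can match the `[response]` log line.
 */
function CallWX(appid, jsapi_name, data) {
  Call_AppId = appid;
  Java.perform(function () {
    // Reads a declared (possibly private) field directly off `obj`'s own class.
    function getFieldValue(obj, fieldName) {
      const field = obj.getClass().getDeclaredField(fieldName);
      field.setAccessible(true);
      return field.get(obj);
    }

    // Walks the class hierarchy of `obj` (stopping before java.lang.Object) and
    // returns the value of the first declared field named `fieldName`, or
    // `undefined` when no class in the chain declares it. Generalises the
    // previous hard-coded lookup of field "C".
    function findInheritedFieldValue(obj, fieldName) {
      if (obj === null) {
        return undefined;
      }
      // Resolved once instead of on every loop iteration.
      const objectClass = Java.use("java.lang.Object").class;
      for (let cls = obj.getClass(); cls !== null && !cls.equals(objectClass); cls = cls.getSuperclass()) {
        const fields = cls.getDeclaredFields();
        if (fields === null) {
          continue;
        }
        for (let i = 0; i < fields.length; i++) {
          const field = fields[i];
          if (field.getName() === fieldName) {
            field.setAccessible(true);
            return field.get(obj);
          }
        }
      }
      return undefined;
    }

    // The nativeInvokeHandler hook keeps this variable equal to the app's last
    // counter value; +1 gives an id the app has not used, so the matching
    // invokeCallbackHandler response can be correlated in the log.
    CallWX_asyncRequestCounter++;

    Java.choose('com.tencent.mm.appbrand.commonjni.AppBrandCommonBindingJni', {
      onMatch: function (instance) {
        let marker;
        try {
          const delegate = getFieldValue(instance, 'mAppBrandDelegate');
          marker = findInheritedFieldValue(getFieldValue(delegate, 'g'), 'C');
        } catch {
          // Field layout differs between WeChat builds; an instance that does
          // not expose the expected chain is simply not the one we want.
          return;
        }
        // `marker` is presumably a Java Map — its toString() is what is compared.
        if (marker === undefined || marker === null || marker.toString() !== '{__APP__=true}') {
          return;
        }
        instance.nativeInvokeHandler(jsapi_name, data, '{}', CallWX_asyncRequestCounter, true);
      },
      onComplete: function () {},
    });
  });
  return `${Call_AppId}${CallWX_asyncRequestCounter}`;
}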
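// Installs the observation hooks as soon as the script is loaded.
//
// AppBrandCommonBindingJni.nativeInvokeHandler (outgoing JSAPI requests) and
// AppBrandJsBridgeBinding.invokeCallbackHandler (their results) are wrapped so
// a request and its callback can be correlated by asyncRequestCounter in the
// console output.
//
// NOTE: `data` and `res` are logged verbatim. Depending on the JSAPI (see the
// getuserinfo example at the bottom of this file, which requests credentials)
// they can carry session tokens and user profile data, so treat the console
// output as sensitive and do not retain it unredacted.
Java.perform(function () {
  // `AppId` is only ever printed here; nothing in this file assigns it, so the
  // prefix reads `[null]` until a hook that sets it is added.
  const AppBrandCommonBindingJni = Java.use("com.tencent.mm.appbrand.commonjni.AppBrandCommonBindingJni");
  AppBrandCommonBindingJni["nativeInvokeHandler"].implementation = function (jsapi_name, data, str3, asyncRequestCounter, z15) {
    // Mirror the app's own counter so CallWX() can allocate an unused id.
    CallWX_asyncRequestCounter = asyncRequestCounter;
    console.log(`[${AppId}] [${asyncRequestCounter}] == \x1b[36m[requests]\x1b[0m: jsapi_name=${jsapi_name}, data=${data}, str3=${str3}, z15=${z15}`);
    return this["nativeInvokeHandler"](jsapi_name, data, str3, asyncRequestCounter, z15);
  };

  const AppBrandJsBridgeBinding = Java.use('com.tencent.mm.appbrand.commonjni.AppBrandJsBridgeBinding');
  AppBrandJsBridgeBinding['invokeCallbackHandler'].implementation = function (asyncRequestCounter, res) {
    console.log(`[${AppId}] [${asyncRequestCounter}] == \x1b[32m[response]\x1b[0m: ${res}`);
    // Propagate the original's result so the hook stays transparent to the app
    // even if this method is not void in the hooked build.
    return this['invokeCallbackHandler'](asyncRequestCounter, res);
  };
});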
// Frida RPC surface: the host side reaches CallWX as `script.exports.call(...)`.
rpc.exports = { call: CallWX };
// frida -U -l Hook_WeChat_FaaS.js com.tencent.mm --no-pause
// CallWX('wx3c12cdd0ae8b1a7b', 'operateWXData', '{"data":{"api_name":"webapi_getuserinfo","data":{"lang":"en","version":"3.4.3"},"operate_directly":false,"with_credentials":true,"tid":1716198903418},"requestInQueue":true,"isImportant":true}')
// CallWX('wx3c12cdd0ae8b1a7b', 'setStorageSync', '{"key":"sensors_mp_prepare_data","data":"[]","dataType":"Array","storageId":0}')