微信小程序云函数抓包及Sign算法逆向

请求抓包

日志

04-26 07:49:54.136  7950  8083 D zhighest_hook: MicroMsg.webview.NetSceneJSOperateWxData        <init> hash[166025999] appId [wx9627eb7f4b1c69d5], data [{"api_name":"qbase_commapi","data":{"qbase_api_name":"tcbapi_call_container","qbase_req":"{\"method\":\"POST\",\"headers\":[{\"k\":\"Content-Type\",\"v\":\"application\/json;charset=utf-8\"},{\"k\":\"identity_code\",\"v\":\"oZdQ347xlO7z9kXPAXyVc1adyvZc\"},{\"k\":\"X-WX-REGION\",\"v\":\"ap-shanghai\"},{\"k\":\"X-WX-GATEWAY-ID\",\"v\":\"popvip-go-1gxfngyx17ebed6e\"},{\"k\":\"HOST\",\"v\":\"shops-go.paquapp.com\"},{\"k\":\"X-WX-EXCLUDE-CREDENTIALS\",\"v\":\"unionid, cloudbase-access-token, openid\"},{\"k\":\"User-Agent\",\"v\":\"Mozilla\/5.0 (Linux; Android 10; M2007J3SC Build\/QKQ1.200419.002; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/116.0.0.0 Mobile Safari\/537.36 XWEB\/1160117 MMWEBSDK\/20230504 MMWEBID\/8668 MicroMessenger\/8.0.37.2380(0x28002537) WeChat\/arm64 Weixin NetType\/WIFI Language\/zh_CN ABI\/arm64 MiniProgramEnv\/android\"},{\"k\":\"X-WX-ENV\",\"v\":\"popmart-boxonline-0eqbgme3fa2ffb\"},{\"k\":\"X-WX-CONTAINER-PATH\",\"v\":\"\/miniapp\/v2\/member\/birthday_month\/show\"}],\"data\":\"{\\\"activity_id\\\":4,\\\"openid\\\":\\\"oZdQ347xlO7z9kXPAXyVc1adyvZc\\\",\\\"sign\\\":\\\"226fe693fe52df4cd506f1f4050bd558\\\",\\\"time\\\":\\\"1714088994118\\\",\\\"version\\\":\\\"5.0.26\\\"}\",\"data_type\":0,\"action\":1,\"retryType\":0,\"call_id\":\"1714088994123-0.37782390521256115\"}","qbase_options":{"resourceEnv":"popmart-boxonline-0eqbgme3fa2ffb","config":{"database":{"realtime":{"maxReconnect":5,"reconnectInterval":5000,"totalConnectionTimeout":null}}},"env":"popmart-boxonline-0eqbgme3fa2ffb"},"qbase_meta":{"session_id":"1714088992363","sdk_version":"wx-miniprogram-sdk\/2.33.0 (1710689730000 platform\/android})","filter_user_info":false},"cli_req_id":"1714088994127_0.8756523024230949"},"operate_directly":false}], grantScope [], versionType [0], opt [0], extScene [1008]  sessionId []  
avatarOpt [0]
04-26 07:49:54.137 7950 8083 D zhighest_hook: MicroMsg.NetSceneQueue doSceneImp start: mmcgi type:1133 hash[166025999,0] run:0 wait:0 afterSec:0 canDo:true autoauth:185060742
04-26 07:49:54.138 7950 8083 D zhighest_hook: ThreadPool.Execute <<< com.tencent.mm.plugin.appbrand.ipc.m@72025779 state=COMPLETE cost=1ms/2ms HotPool start@=1714088994135ms delay=0ms run@=1714088994136
04-26 07:49:54.138 7950 8001 D zhighest_hook: MicroMsg.webview.NetSceneJSOperateWxData doScene hash=166025999, funcid=4602
04-26 07:49:54.138 8325 8619 D zhighest_hook: MicroMsg.AppBrandSplashAdLogic[AppBrandSplashAd] checkShowAdTimer timeOut, realTime:3002
04-26 07:49:54.138 7950 8001 D zhighest_hook: MicroMsg.NetSceneBase initilized security limit count to 1
04-26 07:49:54.139 8325 8325 D zhighest_hook: MicroMsg.AppBrandSplashAdLogic[AppBrandSplashAd] hideSplashAdImmediately
04-26 07:49:54.139 7950 8001 D zhighest_hook: MicroMsg.MMReqRespBase summerauths check cgi[4602] accHasReady openSwitch[true]
04-26 07:49:54.139 8325 8619 D zhighest_hook: ThreadPool.Execute <<< AppBrandSplashAdLogic.checkShowAdTimeoutTask#wx9627eb7f4b1c69d5@10#0xd@16539864 state=COMPLETE cost=1ms/1ms ColdPool start@=1714088991137ms delay=2999ms run@=1714088994137
04-26 07:49:54.139 8325 8325 D zhighest_hook: MicroMsg.AppBrandSplashAdLogic[AppBrandSplashAd] destroyServiceAdComponentView
04-26 07:49:54.139 7950 8001 D zhighest_hook: MicroMsg.MMReqRespBase summerauths check cgi list[302,681,138]
04-26 07:49:54.140 8325 8325 D zhighest_hook: MicroMsg.AppBrandSplashAdLogic[AppBrandSplashAd] checkAllFinished, isSplashAdFinished:true, canLoadingSplashFinish:false
04-26 07:49:54.140 8325 8325 D zhighest_hook: MicroMsg.AppBrandSplashAdLogic[AppBrandSplashAd] checkShowAdPrepareProcessReady isResourceReady=true isSplashAdFinished=true
04-26 07:49:54.140 8325 8325 D zhighest_hook: ThreadPool.Execute <<< nj0.r$$e$a@157130350 state=COMPLETE cost=1ms/1ms UIPool start@=1714088994138ms delay=0ms run@=1714088994139
04-26 07:49:54.140 8113 8146 D zhighest_hook: MicroMsg.WakerLock unlock [98771418,245499403] caller:[com.tencent.mm.network.y.v4(Unknown Source:7)] @[com.tencent.mm.network.y.<init>(Unknown Source:50)]
04-26 07:49:54.141 8113 8146 D zhighest_hook: Matrix.battery.AmsInvokeListener on wakelock invoke, method = release, form = com/tencent/mars/comm/WakerLock@245499403, args = null
04-26 07:49:54.143 8113 8146 D zhighest_hook: MicroMsg.WakerLock lock [98771418,245499403] traceMsg:[MMAutoAuth.send] @[com.tencent.mm.network.y.<init>(Unknown Source:50)] limit time:1000
04-26 07:49:54.144 8113 8146 D zhighest_hook: Matrix.battery.AmsInvokeListener on wakelock invoke, method = acquire, form = com/tencent/mars/comm/WakerLock@245499403, args = null
04-26 07:49:54.145 8113 8146 D zhighest_hook: MicroMsg.SDK.SyncTask sync task exec...
04-26 07:49:54.145 8113 8146 D zhighest_hook: MicroMsg.SDK.SyncTask sync task exec at synchronized
04-26 07:49:54.145 8113 8113 D zhighest_hook: MicroMsg.SDK.SyncTask task run manualFinish = false
04-26 07:49:54.146 8113 8113 D zhighest_hook: MicroMsg.MMAutoAuth dkcgi sendImp rr.type:4602 callback:50074699
04-26 07:49:54.148 8113 8113 D zhighest_hook: MicroMsg.MMNativeNetTaskAdapter keep-alive for cgi=/cgi-bin/mmbiz-bin/js-operatewxdata-keepalive
04-26 07:49:54.149 8113 8113 D zhighest_hook: MicroMsg.ExptManager 193262608 get mulit expt result[] key[clicfg_c2c_parallel_upload_unlimit] def[] cost[0] hadReport[false true]
04-26 07:49:54.150 8113 8113 D zhighest_hook: MicroMsg.MMNativeNetTaskAdapter mmcgi startTask inQueue netid:0 hash[85,187078955] net:1 cgi:/cgi-bin/mmbiz-bin/js-operatewxdata-keepalive needAuthed:true
04-26 07:49:54.151 8113 8113 D zhighest_hook: MicroMsg.SDK.SyncTask setResultFinish
04-26 07:49:54.151 8113 8113 D zhighest_hook: MicroMsg.SDK.SyncTask setResultFinish synchronized
04-26 07:49:54.152 8113 8146 D zhighest_hook: MicroMsg.SDK.SyncTask sync task done, return=0, cost=7(wait=7, run=0)
04-26 07:49:54.152 7950 8001 D zhighest_hook: MicroMsg.NetSceneBase dispatcher send, 0
04-26 07:49:54.153 7950 8001 D zhighest_hook: MicroMsg.NetSceneQueue On doscene mmcgi type:1133 hash[166025999,187078955] run:1 wait:0 ret:0 autoauth:185060742
04-26 07:49:54.155 8113 8377 D zhighest_hook: MicroMsg.MMAutoAuth summerdiz makeSureAuth host[szminorshort.weixin.qq.com]
04-26 07:49:54.158 7950 8469 D zhighest_hook: MicroMsg.RemoteReq summerauths dkrsa use session :[B@20ac721 type:4602, flag:7, ecdh:[16] signature[-30649831]
04-26 07:49:54.161 8113 8377 D zhighest_hook: MicroMsg.MMNativeNetTaskAdapter link: 1 req2Buf somr isfg:true cookie: 6f*80~30, type:4602, host:szminorshort.weixin.qq.com, encryptAlgo:0, cgi:/cgi-bin/mmbiz-bin/js-operatewxdata-keepalive
04-26 07:49:54.164 8113 8377 D zhighest_hook: MicroMsg.WakerLock unlock [129480074,88377339] caller:[<native>]

请求

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

image-20240426110852620

{
"method": "POST",
"headers": [
{
"k": "Content-Type",
"v": "application/json;charset=utf-8"
},
{
"k": "identity_code",
"v": "oZdQ347xlO7z9kXPAXyVc1adyvZc"
},
{
"k": "X-WX-REGION",
"v": "ap-shanghai"
},
{
"k": "X-WX-GATEWAY-ID",
"v": "popvip-go-1gxfngyx17ebed6e"
},
{
"k": "HOST",
"v": "shops-go.paquapp.com"
},
{
"k": "X-WX-EXCLUDE-CREDENTIALS",
"v": "unionid, cloudbase-access-token, openid"
},
{
"k": "User-Agent",
"v": "Mozilla/5.0 (Linux; Android 10; M2007J3SC Build/QKQ1.200419.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36 XWEB/1160117 MMWEBSDK/20230504 MMWEBID/8668 MicroMessenger/8.0.37.2380(0x28002537) WeChat/arm64 Weixin NetType/WIFI Language/zh_CN ABI/arm64 MiniProgramEnv/android"
},
{
"k": "X-WX-ENV",
"v": "popmart-boxonline-0eqbgme3fa2ffb"
},
{
"k": "X-WX-CONTAINER-PATH",
"v": "/miniapp/v2/member/birthday_month/show"
}
],
"data": "{"activity_id":4,"openid":"oZdQ347xlO7z9kXPAXyVc1adyvZc","sign":"a481ccb0cb44a5710a83d1da359a356b","time":"1714099514788","version":"5.0.26"}",
"data_type": 0,
"action": 1,
"retryType": 0,
"call_id": "1714099514790-0.5519006000810682"
}

响应

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

image-20240426111309697

{
"baseresponse": {
"errcode": 0
},
"status": 1,
"http_code": 200,
"headers": [
{
"k": "date",
"v": "Fri, 26 Apr 2024 02:45:14 GMT"
},
{
"k": "content-type",
"v": "application/json; charset=utf-8"
},
{
"k": "content-length",
"v": "665"
},
{
"k": "traceparent",
"v": "00-298d36a09619b2b3b96a526b279fe95d-4a6f36edf3085c2a-01"
},
{
"k": "x-kong-upstream-latency",
"v": "22"
},
{
"k": "x-kong-proxy-latency",
"v": "0"
},
{
"k": "via",
"v": "kong/2.5.0"
},
{
"k": "x-envoy-upstream-service-time",
"v": "33"
},
{
"k": "x-cloudbase-upstream-status-code",
"v": "200"
},
{
"k": "x-wx-call-id",
"v": "1714099514256-0.03416856924121281"
},
{
"k": "server",
"v": "securitygw"
},
{
"k": "x-request-id",
"v": "994a875b-e8bd-4b51-8dbc-b0d758f0cf6d"
}
],
"data": "{\"code\":1,\"msg\":\"\",\"data\":{\"gid\":\"40831687\",\"token\":\"eyJhbGciOiJIUzI1NiIsImtpZCI6InBvcHZpcCIsInR5cCI6IkpXVCJ9.eyJnaWQiOiI0MDgzMTY4NyIsIm5pY2tuYW1lIjoi546p5b-D5o6i57Si5a62IiwiYXZhdGFyIjoiaHR0cHM6Ly9yZXMucGFxdWFwcC5jb20vcG9wbWFydHZpcC9kZWZhdWx0LWhlYWQucG5nIiwidmlwTGV2ZWwiOjAsInJvbGUiOiJVc2VyIiwiYXBwSUQiOjEsImFwcENvZGUiOjAsInByb3ZpZGVyVHlwZSI6InBvcG1hcnQiLCJsb2dpbkF0IjoxNzEyODg2ODU5LCJzaG93SUQiOiIzOTg3NjY4NjQwMzc0MzE5NzI0OTI4IiwicHJvamVjdElkIjoicG9wdmlwIiwicHJvdmlkZXJJRCI6Ijg2OTU1ODM3IiwicHJvdmlkZXIiOiIifQ.qw6yRZnDm3D4o4u-buifrDroBi0qV-3vzeJeaVMkNNk\",\"http_cloud_service\":{\"app_code\":\"member_activities\",\"client_key\":\"qz86cl2qp8giimm3m\",\"xproject_id\":\"popvip\"}}}",
"data_type": 0
}

HOOK点

请求

gr0.g

package gr0;


// Decompiled listing (obfuscated names, method bodies partly omitted) of the network scene
// whose log tag is "MicroMsg.webview.NetSceneJSOperateWxData". The page uses it as the
// request-side hook point: the constructor receives the whole request JSON in `data`.
public class g extends y implements n {
// Four-argument callback type; the call site is not part of this listing.
public interface a {
void a(int arg1, int arg2, String arg3, y arg4);
}

// Request/response holder built in the constructor; doScene logs its `d` member as the funcid.
public final c d;
public ad0.n e;
public a f;

// Per the log format string below: v = versionType, v2 = opt, v3 = extScene.
// v1, z and z1 are copied or used but never logged.
public g(String appid, String data, String scope, int v, int v1, int v2, int v3, boolean z, String sessionId, int avatarOpt, boolean z1) {
// Logs appId and the complete `data` string at info level. The logcat capture at the top of
// the page is this line, which is why the headers, openid and sign are readable there.
Log.i("MicroMsg.webview.NetSceneJSOperateWxData", "<init> hash[%d] appId [%s], data [%s], grantScope [%s], versionType [%d], opt [%d], extScene [%d] sessionId [%s] avatarOpt [%d]", new Object[]{((int)this.hashCode()), appid, data, scope, v, v2, v3, sessionId, avatarOpt});
// The boolean/int double cast is a decompiler artifact, left as printed.
c c0 = this.i1(((boolean)(((int)z)))).a();
this.d = c0;
// no20 is the request object; each constructor argument is copied into one of its fields.
no2 no20 = (no2)c0.a.a;
no20.d = appid;
// The request JSON is stored as bytes; an empty array is substituted if getBytes() returned null.
no20.e = new b((data.getBytes() == null ? new byte[0] : data.getBytes()));
no20.f = scope;
no20.h = v;
no20.g = v2;
no20.j = v1;
no20.o = avatarOpt;
no20.n = sessionId;
no20.p = z1;
// The extScene sub-object is attached only for positive values.
if(v3 > 0) {
qc5 qc50 = new qc5();
no20.i = qc50;
qc50.e = v3;
}
}

@Override // ad0.y
public int doScene(com.tencent.mm.network.g g0, ad0.n n0) {
// Logs the object hash and the funcid (4602 in the page's capture).
Log.i("MicroMsg.webview.NetSceneJSOperateWxData", "doScene hash=%d, funcid=%d", new Object[]{((int)this.hashCode()), ((int)this.d.d)});
// … (rest of the body omitted in the original listing)
}


@Override // com.tencent.mm.network.n
public void onGYNetEnd(int v, int v1, int v2, String s, u u0, byte[] arr_b) {
// Logs v1 as errType, v2 as errCode and s as errMsg; v, u0 and arr_b are not logged.
Log.i("MicroMsg.webview.NetSceneJSOperateWxData", "onGYNetEnd, hash[%d] errType = %d, errCode = %d, errMsg = %s", new Object[]{((int)this.hashCode()), v1, v2, s});
// … (rest of the body omitted in the original listing)
}
}

响应

com.tencent.mm.plugin.appbrand.jsapi.auth.JsApiOperateWXData

image-20240427125801744

// gl3.b.h()
/**
 * Returns the leading part of the byte array {@code this.a}, up to but not including the
 * first zero byte (or the whole array when it holds none), decoded as UTF-8.
 * The page lists this method as the response-side hook point.
 *
 * @return the decoded prefix of {@code this.a}
 * @throws RuntimeException if the runtime reports UTF-8 as unsupported
 */
public String h() {
    final byte[] raw = this.a;
    int end = 0;
    // Scan for the terminating NUL, stopping at the array end if there is none.
    while (end < raw.length && raw[end] != 0) {
        end++;
    }
    try {
        return new String(raw, 0, end, "UTF-8");
    } catch (UnsupportedEncodingException unsupported) {
        throw new RuntimeException("UTF-8 not supported?");
    }
}

Sign算法还原

内存中搜索sign密钥

image-20240430163514764

image-20240430221209951

image-20240430224759688


{"each_store_info":[{"settle_goods_list":[{"goods_sku_id":3149,"settle_num":6,"is_gift":false}],"ship_way":3,"store_id":6265,"user_address_id":0,"free_shipping_id":1,"promotion_id":0,"promotion_type":"","ladder_id":0,"shipping_code":"","mail_fee":0}],"openid":"oZdQ347xlO7z9kXPAXyVc1adyvZc","position":1,"share_phone":"18728463722","version":"5.0.27"}PopMartminiApp11171714580123556
3ce55224975fb611d3845020e36f4a72
3ce55224975fb611d3845020e36f4a72PopMartminiApp0314

image-20240502001624156

image-20240502001614181

小程序逆向

_a01d027Z为一个字符串解密函数(除了这个字符串解密函数外,还有其他字符串函数)。

image-20240504163522002

根据代码,可以确定函数的参数的值是一个数字,值大于等于454,小于454+r.length, 由此可以dump出所有字符串明文及index值。

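// Dump the decoded string table as an index -> plaintext map.
// Valid indices run from 454 (inclusive) to 454 + r.length (exclusive), as stated above.
// `r` and `_a01d027Z` come from the mini-program bundle; presumably this is evaluated
// in a console where both are in scope (TODO confirm).
// Declared with const/let so the snippet creates no implicit globals.
const temp = {};
for (let i = 454; i < 454 + r.length; ++i) {
  temp[i] = _a01d027Z(i);
}
JSON.stringify(temp);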
{
"454": "_latest_",
"455": "newGoodsIsSell",
"456": "rawBindings",
"457": "ZgfdgYm[",
"458": "boxserver/v1/cart/count",
"459": "Ld!\"=WUfH\\\\Xm",
"460": "prototype",
"1867": "PopMartminiApp1117",
"1868": "$time",
// ...
"4919": "PopMartminiApp0314",
"4920": "$MPViewScreen",
"4921": "browser",
"4922": "changeUnionid",
"5227": "GaxDR\\",
"5228": "data:image/png;base64,"
}

根据明文字符串的索引定位到创建订单的代码:

image-20240504165815939

/**
 * Obfuscated request helper as shipped in the mini-program bundle. Every string literal is
 * fetched through the decoder alias `i` (also bound to B, D, z, j and x below), e.g. z(1867).
 * In the string table dumped on this page, index 1867 is "PopMartminiApp1117" and index 4919
 * is "PopMartminiApp0314"; the de-obfuscated listing on this page resolves the other indices.
 *
 * @param {string} n request path; selects the base URL and several special cases
 * @param {Object} r request payload; mutated in place (sign, time and version are added)
 * @param {string} u HTTP method; a default string is used when falsy
 * @param {Function} f callback invoked with the response or failure object
 * @param {*} c not referenced in the visible body
 * arguments[5] (optional) is passed to h(n, u, x), whose result becomes the request header.
 * arguments[6] (optional) selects the two-pass form of the sign value.
 */
function postApi(n, r, u, f, c) {
var s, y, z, w, d, B = i, x = 5 < arguments[B(2341)] && void 0 !== arguments[5] ? arguments[5] : {}, L = 6 < arguments[B(2341)] && void 0 !== arguments[6] && arguments[6], C = (M = r,
0 === (p = n)[(j = i)(654)](j(2958)) ? (b = t[j(2245)](j(4120)),
M[j(4127)] = b) : 0 !== p[j(654)](j(1048)) && (b = t[j(2245)](j(4767)),
M[j(3494)] = b),
r), D = i;
// Delete payload fields matching the D(4949)/D(682) test
// ("string" / "trim" in the de-obfuscated listing: empty-after-trim strings).
for (d in C)
D(4949) === _typeof2(C[d]) && "" === C[d][D(682)]() && delete C[d];
// --- sign computation: s = payload, y = method, p = 7th argument, w = copy that gets signed ---
s = r,
y = u,
p = L,
z = i,
w = {},
Object[z(5028)](s)[z(3894)]()[z(2670)]((function (n) {
var t = z;
w[n] = t(4416) === y ? s[n] : s[n][t(4744)]()
}
)),
w[z(2147)] = o[z(2147)],
M = (new Date)[z(1461)]()[z(4744)](),
// z(1867) is the first hard-coded salt from the string table.
j = JSON[z(1446)](w) + z(1867) + M,
j = (0,
e[z(5218)])(j),
// z(4919) is the second hard-coded salt; this branch runs only when p (the 7th argument) is truthy.
s[z(1112)] = p ? (0,
e[z(5218)])(a[z(4968)][z(4420)](j + z(4919))) : j,
s[z(2976)] = M,
s[z(2147)] = o[z(2147)];
var M, b = t[B(2245)](B(4767)), p = (L = t[B(2245)](B(4120)),
t[B(2245)](B(3522))), j = h(n, u, x);
// Nested ternary: send through v({...}), or fall into one of the two 200 ms timers at the
// end, which delete the sign/time fields (the last one also calls g[B(1735)] again).
/\.json$/[B(4684)](n) || 0 === n[B(654)](B(1048)) || b ? /\.json$/[B(4684)](n) || 0 !== n[B(654)](B(2958)) || L ? 0 === n[B(654)](B(2958)) && !1 === p || (o[B(2235)] && setTimeout((function () {
t[B(2264)]()
}
), 6e4),
v({
url: 0 === (M = n)[(x = i)(654)](x(4479)) ? o[x(5188)] + M[x(3349)](7) : 0 === M[x(654)](x(3027)) ? o[x(3139)] + M[x(3349)](4) : 0 === M[x(654)](x(4165)) ? o[x(2901)] + M[x(3349)](6) : 0 === M[x(654)](x(3532)) ? x(1654) + M[x(3349)](5) : 0 === M[x(654)](x(4640)) ? x(1130) + M[x(3349)](10) : /\.json$/[x(4684)](M) ? x(4582) + M : M[x(3131)](x(1294)) ? M : 0 === M[x(654)](x(2374)) || 0 === M[x(654)](x(3503)) || 0 === M[x(654)](x(644)) || 0 === M[x(654)](x(749)) || 0 === M[x(654)](x(3888)) ? o[x(2905)] + M : 0 === M[x(654)](x(1263)) ? o[x(3139)] + M : o[x(5188)] + x(2672) + M,
method: u || B(2783),
header: j,
data: r,
success: function (r) {
var i = B;
o[i(2235)] || 1 === r[i(3070)][i(2510)] || /\.json$/[i(4684)](n) || 0 === n[i(654)](i(4165)) || t[i(1236)]({
title: r[i(3070)] && r[i(3070)].msg || i(4356),
icon: i(4696),
duration: 3e3
}),
[i(1213), i(4384), i(866), i(2277)][i(2670)]((function (t) {
n[i(654)](t)
}
));
var e = [i(2480), i(4769), i(3588), i(1613), i(563), i(1756)];
40000010 === r[i(3070)][i(2510)] || 40000004 === r[i(3070)][i(2510)] ? t[i(4685)]({
url: i(1253)
}) : 1 !== r[i(3070)][i(2510)] && 40000004 !== r[i(3070)][i(2510)] && 40000032 !== r[i(3070)][i(2510)] && 40000030 !== r[i(3070)][i(2510)] && 4000001 !== r[i(3070)][i(2510)] && 40001003 !== r[i(3070)][i(2510)] && 40000018 !== r[i(3070)][i(2510)] && 40000054 !== r[i(3070)][i(2510)] && 10201 !== r[i(3070)][i(2510)] && 430 !== r[i(3070)][i(2510)] ? (!/\.json$/[i(4684)](n) && e[i(654)](n) < 0 && n[i(654)](i(3027)) < 0 && t[i(1236)]({
title: r[i(3070)] && r[i(3070)].msg,
icon: i(4696),
duration: 3e3
}),
16117 == r[i(3070)][i(2510)] && l(r[i(3070)], (function (n) {
t[i(1972)]()
}
))) : 430 == r[i(3070)][i(2510)] && t[i(1236)]({
title: i(2931),
icon: i(4696),
duration: 3e3
}),
f(r)
},
fail: function (n) {
var r = B;
t[r(2264)](),
o[r(2235)] || t[r(1236)]({
title: n[r(3070)] && n[r(3070)].msg || r(3745),
icon: r(4696)
}),
430 != n[r(4170)] ? (401 !== n[r(4170)] && 401 !== n[r(1765)] && n[r(3070)] && 40000032 !== n[r(3070)][r(2510)] && 40000030 !== n[r(3070)][r(2510)] && 40000018 !== n[r(3070)][r(2510)] && 40000054 !== n[r(3070)][r(2510)] && t[r(1236)]({
title: n[r(3070)] && n[r(3070)].msg,
icon: r(4696),
duration: 3e3
}),
103006 === n[r(4170)] && t[r(4213)]({
content: r(1846),
showCancel: !1,
confirmColor: r(1463)
}),
f(n),
-1 != n[r(3711)][r(654)](r(4425)) && t[r(4213)]({
title: "提示",
content: r(2202),
showCancel: !1
})) : t[r(1236)]({
title: r(2931),
icon: r(4696),
duration: 3e3
})
},
complete: function (n) {
var r = B;
n && n[r(3070)] && (40000010 === n[r(3070)][r(2510)] || 40000004 === n[r(3070)][r(2510)]) && t[r(4685)]({
url: r(1253)
})
}
})) : setTimeout((function () {
var n = B;
delete r[n(1112)],
delete r[n(2976)]
}
), 200) : setTimeout((function () {
var t = B;
delete r[t(1112)],
delete r[t(2976)],
g[t(1735)](n, r, u, f)
}
), 200)
}

还原字符串后:

/**
 * De-obfuscated request helper: normalises the payload, attaches sign/time/version to it,
 * then either sends it through `v` or schedules a cleanup or retry.
 *
 * @param {string} n request path; selects the base URL and several special cases
 * @param {Object} r request payload; mutated in place (user_id/openid, sign, time, version)
 * @param {string} u HTTP method; "GET" is used when falsy
 * @param {Function} f callback invoked with the response (success) or failure object (fail)
 * @param {*} c not referenced in the visible body
 * arguments[5] (optional, default {}) is passed to h(n, u, x), whose result becomes the header.
 * arguments[6] (optional, default false) selects the two-pass form of the sign value.
 */
function postApi(n, r, u, f, c) {
var s, y, z, w, d, B = i, x = 5 < arguments["length"] && void 0 !== arguments[5] ? arguments[5] : {}, L = 6 < arguments["length"] && void 0 !== arguments[6] && arguments[6], C = (M = r,
// `(j = i)(654)` was left unresolved by the string substitution; index 654 is rendered as
// "indexOf" at the other call sites in this listing.
// Paths starting with "getUserInfo" get user_id from storage; any path that does not start
// with the login path gets openid from the stored providerId.
0 === (p = n)[(j = i)(654)]("getUserInfo") ? (b = t["getStorageSync"]("userId"),
M["user_id"] = b) : 0 !== p["indexOf"]("new/user/login/wechat_mini") && (b = t["getStorageSync"]("providerId"),
M["openid"] = b),
r), D = i;
// Remove string fields that are empty after trim(), so they are neither signed nor sent.
for (d in C)
"string" === _typeof2(C[d]) && "" === C[d]["trim"]() && delete C[d];
// --- sign computation: s = payload, y = method, p = 7th argument, w = copy that gets signed ---
s = r,
y = u,
p = L,
z = i,
w = {},
// Copy the fields in sorted key order; for anything but POST the toString() form is signed.
Object["keys"](s)["sort"]()["forEach"]((function (n) {
var t = z;
w[n] = "POST" === y ? s[n] : s[n]["toString"]()
}
)),
// version comes from the config object `o` and is part of the signed string.
w["version"] = o["version"],
// Client clock in milliseconds since the epoch, as a decimal string.
M = (new Date)["getTime"]()["toString"](),
// First pass: e.default(JSON + fixed salt + timestamp). The page identifies e.default as MD5,
// which matches the 32-hex-digit sample values it shows.
j = JSON["stringify"](w) + "PopMartminiApp1117" + M,
j = (0,
e["default"])(j),
// Second pass, only when the 7th argument is truthy: e.default(Base64(first pass + second salt)).
// Otherwise the first-pass value is used as the sign directly.
// NOTE(review): both salts are constants shipped inside the client bundle, so this value
// cannot serve as server-side authentication or integrity protection for the request.
s["sign"] = p ? (0,
e["default"])(a["Base64"]["encode"](j + "PopMartminiApp0314")) : j,
s["time"] = M,
s["version"] = o["version"];
// Session state read from storage: b = providerId, L = userId, p = loginStatus.
var M, b = t["getStorageSync"]("providerId"), p = (L = t["getStorageSync"]("userId"),
t["getStorageSync"]("loginStatus")), j = h(n, u, x);
// Dispatch decision (nested ternary):
//  - no stored providerId, path is neither *.json nor the login path: after 200 ms strip
//    sign/time and call g.postApi(n, r, u, f) again (without arguments 5 and 6);
//  - path starts with "getUserInfo" (not *.json) and no stored userId: after 200 ms strip
//    sign/time, nothing is sent;
//  - path starts with "getUserInfo" and loginStatus === false: nothing is sent;
//  - otherwise: send through v({...}); when o.isProd is set, a 60 s timer hides the loading UI.
/\.json$/["test"](n) || 0 === n["indexOf"]("new/user/login/wechat_mini") || b ? /\.json$/["test"](n) || 0 !== n["indexOf"]("getUserInfo") || L ? 0 === n["indexOf"]("getUserInfo") && !1 === p || (o["isProd"] && setTimeout((function () {
t["hideLoading"]()
}
), 6e4),
v({
// The path prefix chooses the base URL; a path containing "https://" is used unchanged.
url: 0 === (M = n)[(x = i)(654)]("common/") ? o["serverUrl"] + M["slice"](7) : 0 === M["indexOf"]("new/") ? o["newServerUrl"] + M["slice"](4) : 0 === M["indexOf"]("graph/") ? o["graphServerUrl"] + M["slice"](6) : 0 === M["indexOf"]("mock/") ? "http://yapi.paquapp.com/mock/" + M["slice"](5) : 0 === M["indexOf"]("boxonline/") ? "https://res.paquapp.com/boxonline/" + M["slice"](10) : /\.json$/["test"](M) ? "https://res.paquapp.com/popmartvip/" + M : M["includes"]("https://") ? M : 0 === M["indexOf"]("boxserver/") || 0 === M["indexOf"]("rightsserver/") || 0 === M["indexOf"]("playerserver/") || 0 === M["indexOf"]("orderserver/") || 0 === M["indexOf"]("v2/service/boxonline_speed_version/") ? o["boxliteUrl"] + M : 0 === M["indexOf"]("box_speed/") ? o["newServerUrl"] + M : o["serverUrl"] + "wechat/" + M,
method: u || "GET",
header: j,
data: r,
success: function (r) {
var i = B;
// Outside production, show a toast for any response whose code is not 1
// (static *.json and "graph/" paths excepted).
o["isProd"] || 1 === r["data"]["code"] || /\.json$/["test"](n) || 0 === n["indexOf"]("graph/") || t["showToast"]({
title: r["data"] && r["data"].msg || "出现报错,请查找原因~",
icon: "none",
duration: 3e3
}),
// NOTE(review): this forEach discards the indexOf result, so it has no effect as written.
["graph/notice/v1/notice/notices/users/has-subscribe", "playerserver/v1/user/get_user_expand_info", "orderserver/v1/order/placeOrder", "orderserver/v1/order/checkOrder"]["forEach"]((function (t) {
n["indexOf"](t)
}
));
// Paths for which the generic error toast further down is suppressed.
var e = ["common/member/wechat_card_sync", "common/member/wechat_card_alter", "common/member/wechat_card_all_sync", "new/sg/store/sellout_recommend_store", "common/index/get_box_user", "new/store_tickoff/tickoff"];
// Codes 40000010 and 40000004 relaunch to the index page; the other listed codes skip the toast.
40000010 === r["data"]["code"] || 40000004 === r["data"]["code"] ? t["reLaunch"]({
url: "/pages/index"
}) : 1 !== r["data"]["code"] && 40000004 !== r["data"]["code"] && 40000032 !== r["data"]["code"] && 40000030 !== r["data"]["code"] && 4000001 !== r["data"]["code"] && 40001003 !== r["data"]["code"] && 40000018 !== r["data"]["code"] && 40000054 !== r["data"]["code"] && 10201 !== r["data"]["code"] && 430 !== r["data"]["code"] ? (!/\.json$/["test"](n) && e["indexOf"](n) < 0 && n["indexOf"]("new/") < 0 && t["showToast"]({
title: r["data"] && r["data"].msg,
icon: "none",
duration: 3e3
}),
16117 == r["data"]["code"] && l(r["data"], (function (n) {
t["exitMiniProgram"]()
}
))) : 430 == r["data"]["code"] && t["showToast"]({
title: "访问异常,请稍后重试~",
icon: "none",
duration: 3e3
}),
f(r)
},
fail: function (n) {
var r = B;
t["hideLoading"](),
o["isProd"] || t["showToast"]({
title: n["data"] && n["data"].msg || "当前网络状态不佳~",
icon: "none"
}),
// Status 430 only shows the generic "访问异常" toast; f(n) is not called on that branch.
430 != n["statusCode"] ? (401 !== n["statusCode"] && 401 !== n["status"] && n["data"] && 40000032 !== n["data"]["code"] && 40000030 !== n["data"]["code"] && 40000018 !== n["data"]["code"] && 40000054 !== n["data"]["code"] && t["showToast"]({
title: n["data"] && n["data"].msg,
icon: "none",
duration: 3e3
}),
// Status 103006 shows a modal asking the user to set the phone clock to Beijing time.
103006 === n["statusCode"] && t["showModal"]({
content: "请先将手机时间调整为北京时间 用于展示订单",
showCancel: !1,
confirmColor: "#222222"
}),
f(n),
-1 != n["errMsg"]["indexOf"]("timeout") && t["showModal"]({
title: "提示",
content: "请求超时,请检查网络情况!",
showCancel: !1
})) : t["showToast"]({
title: "访问异常,请稍后重试~",
icon: "none",
duration: 3e3
})
},
complete: function (n) {
var r = B;
n && n["data"] && (40000010 === n["data"]["code"] || 40000004 === n["data"]["code"]) && t["reLaunch"]({
url: "/pages/index"
})
}
})) : setTimeout((function () {
var n = B;
delete r["sign"],
delete r["time"]
}
), 200) : setTimeout((function () {
var t = B;
delete r["sign"],
delete r["time"],
g["postApi"](n, r, u, f)
}
), 200)
}

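从代码中即可获得签名算法:内层为 md5(按键名排序后的JSON字符串 + 'PopMartminiApp1117' + 毫秒时间戳);仅当 postApi 的第7个参数为真时,才会再套一层 md5(base64(内层结果 + 'PopMartminiApp0314')),否则 sign 直接取内层的 md5 值。两个盐值都硬编码在小程序包内,因此该签名只能增加分析成本,不能作为服务端鉴权或防篡改的依据。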

md5(base64(md5(sorted_json_str+'PopMartminiApp1117'+timestamp)+'PopMartminiApp0314'))

参考资料

https://github.com/tea0o/miniprogram_cloudfunctions_tool

https://github.com/cnmsec/MpaasPentestTool

https://github.com/aj3423/protod