WeChat mini program reverse engineering: this open-source mini program reversing tool is really good, tested and working in 2023

Foreword

A senior colleague in the security department has reported yet another high-risk vulnerability in a mini program. He used reverse engineering to crack the encryption and packet capture to modify the request parameters. Another day of headaches...

If you want to become a developer of WeChat mini programs, learning front-end thinking and security awareness is essential, so you need to know how mini programs are decompiled.

Two tools are used here, a decryption tool and a reversing tool (neither is my own work; both come from experts on the Internet).

They are especially suitable for novices, and it's all free! It's all free! It's all free! The first run may be slow. Once you are proficient, you can grab the source code of a mini program in 3 seconds!

Tool preparation

Download address: https://gitee.com/jiangsihan/wechat-applet-reverse-tool

Contains: reversing tool, decryption tool

Reversing tool

Currently using: wxappUnpacker

This tool was developed by an expert and could previously be downloaded from GitHub, but as of today the author has closed the download; the specific reason... you know. However, open source is a trend, just as the world will not stop opening up, so there are still many channels for getting it. You can get it through your own channels, or use the copy I have prepared for you.

Decryption tool

Decrypt first

There are many tutorials on the Internet; they are split into Apple and Android versions and also bring in an emulator. In fact, it does not need to be that troublesome: just use the WeChat PC client directly.

1. Find the file management location

The Applet folder stores the compiled mini program packages; it holds the package files of every mini program that has been opened.

2. Open the mini program

Open a mini program in the PC client and click through as many of its pages as possible, so that the local package is generated automatically in the folder found in the previous step.

However, the file inside, __APP__.wxapkg, is encrypted, so it has to go through the decryption tool prepared earlier.

3. Decryption

Select the encrypted package of the mini program; decryption succeeds in 0.1 seconds.

After decryption, the result is stored in wxpack.

Reversing

Now the [wxappUnpacker] tool developed by the expert comes into play. All of the following operations are performed in a cmd window, and it must be opened in the wxappUnpacker path. The simple way is to type cmd directly into the address bar of the [wxappUnpacker] folder.

1. Preparing to reverse

Open the reversing tool folder and type cmd in the address bar to open a command prompt.

Check that a Node environment is installed!

Install the dependencies, running the commands one by one:

npm install
npm install esprima
npm install css-tree
npm install cssbeautify
npm install vm2
npm install uglify-es
npm install js-beautify

2. The actual reversing

Drag in the package that was just decrypted into wxpack:

bingo.bat <main package path> (the file can be dragged in directly)

The decompiled files are saved under the wxpack folder.

OK, decompilation is complete. Open the result directly with the WeChat developer tools and you can study the front-end design of those who came before you, young man.

3. Possible errors

If this error is reported when running the decompile command:

this package is a subPackage which should be unpacked with -s=<MainDir>.

it means this is a subpackage. When the mini program was opened, two .wxapkg files were generated; just decompile the other file. The commands for decompiling a subpackage and the main package are different:

node ./wuWxapkg.js <subpackage path> -s=<main package path>

4. If the generated files do not include app.json

It means the mini program you are looking at was developed by an expert who has taken anti-decompilation security measures, so the decryption failed, which is also the purpose of my posting this article. However, such experts are still relatively rare.
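A check that helps tell the failure cases above apart, as an added example that is not part of the original post or of wxappUnpacker: it reports whether a .wxapkg buffer is still encrypted, incomplete, or a plain package, and whether its index lists /app-config.json. The header layout, the V1MMWX prefix, and the idea that app.json is rebuilt from /app-config.json are assumptions not stated on the page; inspectWxapkg and buildSample are hypothetical names.

```javascript
// Assumed layout (not from the page), big-endian: 0xBE | u32 unknown | u32 indexLen |
// u32 dataLen | 0xED, then u32 fileCount and per file u32 nameLen | name | u32 offset | u32 size.
// A package that has not been through the decryption step is assumed to start with "V1MMWX".
function inspectWxapkg(buf) {
  const result = (state, files = []) =>
    ({ state, files, hasAppConfig: files.some(f => f.name === '/app-config.json') });
  if (buf.length >= 6 && buf.toString('latin1', 0, 6) === 'V1MMWX') return result('encrypted');
  if (buf.length < 18 || buf[0] !== 0xbe || buf[13] !== 0xed) return result('unrecognized');
  const indexEnd = 14 + buf.readUInt32BE(5);
  if (indexEnd > buf.length) return result('truncated');
  const count = buf.readUInt32BE(14), files = [];
  for (let i = 0, off = 18; i < count; i++) {
    if (off + 4 > indexEnd) return result('truncated', files);
    const nameLen = buf.readUInt32BE(off);
    if (off + 12 + nameLen > indexEnd) return result('truncated', files);
    const name = buf.toString('utf8', off + 4, off + 4 + nameLen);
    const offset = buf.readUInt32BE(off + 4 + nameLen);
    const size = buf.readUInt32BE(off + 8 + nameLen);
    // Offsets are absolute; an entry past end-of-file means an incomplete package.
    if (offset + size > buf.length) return result('truncated', files);
    files.push({ name, offset, size });
    off += 12 + nameLen;
  }
  return result('plain', files);
}
// Constructed sample package, built in memory so the example runs offline.
function buildSample(entries) {
  const names = entries.map(e => Buffer.from(e.name, 'utf8'));
  const bodies = entries.map(e => Buffer.from(e.body, 'utf8'));
  const indexLen = 4 + names.reduce((n, b) => n + 12 + b.length, 0);
  const head = Buffer.alloc(14 + indexLen);
  head[0] = 0xbe; head[13] = 0xed;
  head.writeUInt32BE(indexLen, 5);
  head.writeUInt32BE(bodies.reduce((n, b) => n + b.length, 0), 9);
  let off = head.writeUInt32BE(entries.length, 14), dataOff = head.length;
  names.forEach((name, i) => {
    off = head.writeUInt32BE(name.length, off);
    off += name.copy(head, off);
    off = head.writeUInt32BE(dataOff, off);
    off = head.writeUInt32BE(bodies[i].length, off);
    dataOff += bodies[i].length;
  });
  return Buffer.concat([head, ...bodies]);
}
const sample = buildSample([
  { name: '/app-config.json', body: '{"pages":["pages/index/index"]}' },
  { name: '/app-service.js', body: '/* constructed */' }]);
console.log(inspectWxapkg(sample));
```

To inspect a real file, pass the result of fs.readFileSync(path) to inspectWxapkg.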

As the saying goes: you cannot guard against those who are determined, and you need not guard against those who are not. Nothing is absolute, only relative!

Origin blog.csdn.net/ZiChen_Jiang/article/details/129727111