tinyniko / mac_wxapkg_decrypt
Decrypting wxapkg files on the macOS WeChat client (decryption only, not unpacking)
macOS 13.3.1 (Intel), SIP disabled
frida 15.2.2
WeChat 3.7.0
Look up the PID:
~/Downloads/mac_wxapkg_decrypt-main » ps -ef | grep Mini 130 ↵
501 2598 1 0 3:03PM ?? 0:04.59 /Applications/WeChat.app/Contents/MacOS/Mini Program.app/Contents/MacOS/Mini Program
501 3474 1 0 3:32PM ?? 0:01.11 /Applications/WeChat.app/Contents/MacOS/Mini Program.app/Contents/MacOS/Mini Program
501 3589 979 0 3:39下午 ttys002 0:00.00 grep --color=auto --exclude-dir=.bzr --exclude-dir=CVS --exclude-dir=.git --exclude-dir=.hg --exclude-dir=.svn --exclude-dir=.idea --exclude-dir=.tox Mini
Start frida:
~/Downloads/mac_wxapkg_decrypt-main » sudo frida 3474 -l _agent.js
Password:
____
/ _ | Frida 15.2.2 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Local System (id=local)
[Local::PID::3474 ]->
[Local::PID::3474 ]-> exit
Thank you for using Frida!
No "Attaching" message appeared, and no error either.
Failed to attach: unable to bind, “fstat$INODE64” not found in “/usr/lib/libSystem.B.dylib”
In way 2, `var filedata = decryptdata.bytes().readByteArray(decryptdata.length())` throws:
TypeError: cannot read property 'bytes' of null
 at (src/mac_wx/main.ts:22)
 at call (native)
 at o (node_modules/browser-pack/_prelude.js:1)
 at r (node_modules/browser-pack/_prelude.js:1)
 at (/Users/xxx/tools/xiaochegnxu/mac_wxapkg_decrypt/_agent.js:27)
 at evaluate (native)
 at (/frida/repl-2.js:1)
Hello, could you share a contact so I can ask about how to use the tool? I could not find a WeChat contact in the blog's contact details.
The AES key obtained by the hook comes from the SetCliDbencryptKey placed inside -[AuthSectResp init]; extract the chat-record databases msg_*.db from the corresponding directory and this key opens them, yielding the chat history.
Any chance you could look into version 3.8?
SIP disabled
Python 3
Node v18.x
Frida 16.0.11
I used the second way:
// way 1: hook -[AccountService GetEncryptKey] and dump the NSData it returns;
// the first 16 bytes of that buffer are the AES key
// var account = ObjC.classes.AccountService['- GetEncryptKey'];
// Interceptor.attach(account.implementation, {
//     onLeave: function onLeave(ret) {
//         var keyobj = new ObjC.Object(ret);
//         var key = keyobj.bytes().readByteArray(keyobj.length());
//         console.log(hexdump(key)); // the first 16 bytes is aes key
//     }
// });
// way 2: call +[WAPkgEncryptUtil pkgDecrypt:] directly on an encrypted package
var wadecrypt = ObjC.classes.WAPkgEncryptUtil['+ pkgDecrypt:'];
// TODO fix path
var path = "/Users/bluemiaomiao/Library/Group Containers/5A4RE8SF68.com.tencent.xinWeChat/Library/Caches/xinWeChat/a0e1cb1856364ecce1b4f5a49bdf55e8/WeApp/LocalCache/release/wx16b266d88f279965/15.wxapkg";
var wxpath = ObjC.classes.NSString.stringWithUTF8String_(Memory.allocUtf8String(path));
var decryptdata = ObjC.classes.WAPkgEncryptUtil.pkgDecrypt_(wxpath);
if (decryptdata === null) {
    // pkgDecrypt: returns nil when the path is wrong or the file cannot be decrypted;
    // calling .bytes() on nil is the "cannot read property 'bytes' of null" TypeError
    throw new Error("pkgDecrypt: returned nil for " + path);
}
var filedata = decryptdata.bytes().readByteArray(decryptdata.length());
// TODO fix path
var file = new File("/Users/bluemiaomiao/Developer/15c.wxapkg", "wb");
file.write(filedata);
file.close();
console.log("write file done");
It errored:
➜ mac_wxapkg_decrypt git:(main) ✗ sudo frida 1093 -l _agent.js
Password:
____
/ _ | Frida 16.0.11 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Local System (id=local)
Error: Operation not permitted
at <anonymous> (/Users/bluemiaomiao/Developer/mac_wxapkg_decrypt/_agent.js:22)
at call (native)
at o (node_modules/browser-pack/_prelude.js:1)
at r (node_modules/browser-pack/_prelude.js:1)
at <eval> (/Users/bluemiaomiao/Developer/mac_wxapkg_decrypt/_agent.js:27)
at evaluate (native)
at <anonymous> (/frida/repl-2.js:1)
[Local::PID::1093 ]-> quit
Thank you for using Frida!
❯ sudo frida 84348 -l agent.js
Password:
____
/ _ | Frida 16.0.8 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Local System (id=local)
Failed to attach: unable to access process with pid 84348 from the current user account
node /Users/mac/Documents/github/WxAppUnpacker1/wuWxapkg.js temp/h.wxapkg
Unpack file temp/h.wxapkg...
Error: Magic number is not correct!
 at header (/Users/mac/Documents/github/WxAppUnpacker1/wuWxapkg.js:21:54)
 at /Users/mac/Documents/github/WxAppUnpacker1/wuWxapkg.js:186:44
 at /Users/mac/Documents/github/WxAppUnpacker1/wuLib.js:95:14
 at agent (/Users/mac/Documents/github/WxAppUnpacker1/wuLib.js:64:23)
 at FSReqCallback.readFileAfterClose [as oncomplete] (node:internal/fs/read_file_context:68:3)
Node.js v20.3.1
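The "Magic number is not correct!" failure above is what WxAppUnpacker raises when the two marker bytes of a wxapkg header are absent, which is exactly what a package copied out of LocalCache without going through pkgDecrypt: looks like. The Node.js script below is an added example, not code from mac_wxapkg_decrypt or WxAppUnpacker: it performs the same check on the plaintext layout the unpacker reads (0xBE at offset 0, three big-endian uint32 fields, 0xED at offset 13, then a uint32 file count and one {name length, name, offset, size} record per file), parses the index with bounds checks, and builds a constructed sample package so it runs offline. The function names, the sample file contents and the XOR used to simulate an undecrypted file are my own; the XOR is not WeChat's cipher.

```javascript
// Added example (not part of mac_wxapkg_decrypt or WxAppUnpacker).
// Decrypted wxapkg header, as the unpacker reads it:
//   [0]      0xBE        first mark
//   [1..4]   uint32 BE   reserved / unknown
//   [5..8]   uint32 BE   index length (counts the file-count field)
//   [9..12]  uint32 BE   body length
//   [13]     0xED        last mark
//   [14..17] uint32 BE   file count, then one record per file
const FIRST_MARK = 0xbe;
const LAST_MARK = 0xed;

// Quick check to run on the Frida script's output before unpacking:
// an undecrypted package fails it, a decrypted one passes.
function looksDecrypted(buf) {
  return buf.length >= 18 && buf[0] === FIRST_MARK && buf[13] === LAST_MARK;
}

// Parses header and file index; throws with a reason instead of the bare
// "Magic number is not correct!".
function parseWxapkg(buf) {
  if (buf.length < 18) {
    throw new Error("too short for a wxapkg header: " + buf.length + " bytes");
  }
  if (buf[0] !== FIRST_MARK || buf[13] !== LAST_MARK) {
    throw new Error("magic mismatch: byte[0]=0x" + buf[0].toString(16) +
      " byte[13]=0x" + buf[13].toString(16) +
      " (expected 0xbe/0xed); the package is probably still encrypted");
  }
  const indexLength = buf.readUInt32BE(5);
  const bodyLength = buf.readUInt32BE(9);
  const fileCount = buf.readUInt32BE(14);
  const files = [];
  let off = 18;
  for (let i = 0; i < fileCount; i++) {
    if (off + 4 > buf.length) throw new Error("index truncated at record " + i);
    const nameLen = buf.readUInt32BE(off);
    off += 4;
    if (off + nameLen + 8 > buf.length) throw new Error("index truncated at record " + i);
    const name = buf.toString("utf8", off, off + nameLen);
    off += nameLen;
    const offset = buf.readUInt32BE(off);
    off += 4;
    const size = buf.readUInt32BE(off);
    off += 4;
    // A record pointing past the end of the file means the index is garbage,
    // the usual symptom of a body that was only partly decrypted.
    if (offset + size > buf.length) {
      throw new Error(name + ": offset " + offset + " + size " + size +
        " exceeds file length " + buf.length);
    }
    files.push({ name, offset, size });
  }
  return { indexLength, bodyLength, files };
}

function extractFile(buf, entry) {
  return buf.subarray(entry.offset, entry.offset + entry.size);
}

// Builds a small valid package from {name: content} so the functions above can
// be exercised offline. Constructed sample data, not a real mini-program package.
function buildWxapkg(entries) {
  const names = Object.keys(entries);
  const bodies = names.map((n) => Buffer.from(entries[n], "utf8"));
  let indexLength = 4; // file-count field
  for (const n of names) indexLength += 4 + Buffer.byteLength(n, "utf8") + 8;
  const bodyLength = bodies.reduce((sum, b) => sum + b.length, 0);

  const header = Buffer.alloc(14);
  header[0] = FIRST_MARK;
  header.writeUInt32BE(0, 1);
  header.writeUInt32BE(indexLength, 5);
  header.writeUInt32BE(bodyLength, 9);
  header[13] = LAST_MARK;

  const index = Buffer.alloc(indexLength);
  let p = index.writeUInt32BE(names.length, 0);
  let dataOffset = 14 + indexLength; // bodies follow the index back to back
  names.forEach((n, i) => {
    const nb = Buffer.from(n, "utf8");
    p = index.writeUInt32BE(nb.length, p);
    p += nb.copy(index, p);
    p = index.writeUInt32BE(dataOffset, p);
    p = index.writeUInt32BE(bodies[i].length, p);
    dataOffset += bodies[i].length;
  });
  return Buffer.concat([header, index, ...bodies]);
}

// Demo on constructed input: a valid package, and the same bytes with every
// byte XORed (simulating "not yet decrypted"; this is not WeChat's cipher).
const samplePkg = buildWxapkg({
  "app-config.json": '{"pages":["pages/index/index"]}',
  "pages/index/index.js": "Page({})",
});
const stillEncrypted = Buffer.from(samplePkg.map((b) => b ^ 0x5a));
console.log("decrypted?", looksDecrypted(samplePkg), looksDecrypted(stillEncrypted));
for (const f of parseWxapkg(samplePkg).files) {
  console.log(f.name, f.offset, f.size, extractFile(samplePkg, f).toString("utf8"));
}
try {
  parseWxapkg(stillEncrypted);
} catch (e) {
  console.log("unpacker would refuse this file:", e.message);
}
```

Run looksDecrypted over the file the Frida script wrote before handing it to wuWxapkg.js: if the marks are missing, the file is still ciphertext and no unpacker option will recover it, so the decryption step (the right PID, the right LocalCache path, a non-nil return from pkgDecrypt:) is what needs fixing.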