var CryptoJS = require('crypto-js') | |
var request = require('request-promise') | |
/*
 * npm install crypto-js request-promise request
 * node wx_t1t_hack.js
 *
 * Note: the `request` and `request-promise` packages are deprecated upstream
 * and no longer maintained.
 */
// export function testEncription(msg, fullKey) { | |
// var fullKey = fullKey.slice(0, 16) | |
// var key = CryptoJS.enc.Utf8.parse(fullKey) | |
// var iv = CryptoJS.enc.Utf8.parse(fullKey) | |
// var passWord = CryptoJS.AES.encrypt(msg, key, { iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.Pkcs7 }) | |
// var base64 = passWord.toString() | |
// console.log('passWord', passWord) | |
// console.log('sessionId', sessionId) | |
// console.log('key', key) | |
// console.log('base64', base64) | |
// var bytes = CryptoJS.AES.decrypt(base64, key, { | |
// iv: iv | |
// }); | |
// console.log('bytes', bytes) | |
// var plaintext = CryptoJS.enc.Utf8.stringify(bytes); | |
// console.log('plaintext', plaintext) | |
// } | |
/**
 * JSON-serialise `text` and AES-encrypt it (CBC mode, PKCS#7 padding).
 *
 * Only the first 16 characters of `originKey` are used. They are parsed as
 * UTF-8 and serve as BOTH the AES key and the CBC IV.
 *
 * Security note: a fixed IV equal to the key makes the output deterministic
 * for a given message and key, and nothing here authenticates the payload
 * (no MAC or signature). At the only call site in this file the key is the
 * session id, which the client already holds, so this layer obscures the
 * request body but cannot prove to a server that the body is genuine.
 *
 * @param {*} text - value passed through JSON.stringify before encryption
 * @param {string} originKey - key material; truncated to 16 characters
 * @returns {string} ciphertext from `toString()` (Base64 with CryptoJS's default formatter)
 */
function encrypt (text, originKey) {
  var truncated = originKey.slice(0, 16)
  var aesKey = CryptoJS.enc.Utf8.parse(truncated)
  var cipherOptions = {
    // Same bytes as the key, parsed separately as in the original.
    iv: CryptoJS.enc.Utf8.parse(truncated),
    mode: CryptoJS.mode.CBC,
    padding: CryptoJS.pad.Pkcs7
  }
  var serialised = JSON.stringify(text)
  return CryptoJS.AES.encrypt(serialised, aesKey, cipherOptions).toString()
}
/**
 * Reverse of `encrypt`: AES-decrypt `text` and decode the result as UTF-8.
 *
 * The first 16 characters of `originKey` are used as both key and IV. Mode
 * and padding are not passed, so CryptoJS's defaults apply (CBC / Pkcs7),
 * which is what `encrypt` sets explicitly.
 *
 * The returned string is the JSON text that `encrypt` produced; it is not
 * parsed here. There is no integrity check on the ciphertext, so callers
 * should treat the output as untrusted input.
 *
 * @param {string} text - ciphertext string as returned by `encrypt`
 * @param {string} originKey - key material; truncated to 16 characters
 * @returns {string} decrypted plaintext decoded as UTF-8
 */
function decrypt (text, originKey) {
  var truncated = originKey.slice(0, 16)
  var aesKey = CryptoJS.enc.Utf8.parse(truncated)
  var cipherOptions = { iv: CryptoJS.enc.Utf8.parse(truncated) }
  var decrypted = CryptoJS.AES.decrypt(text, aesKey, cipherOptions)
  return CryptoJS.enc.Utf8.stringify(decrypted)
}
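/**
 * Shallow-merge the own enumerable properties of every source into `target`.
 *
 * Sources are applied left to right, so a later source overwrites an earlier
 * one on key collisions. `null` / `undefined` sources are skipped (a for-in
 * over them iterates nothing).
 *
 * Two guards over a bare for-in copy:
 *  - inherited enumerable properties are ignored, so anything added to a
 *    prototype does not leak into the merged object;
 *  - an own key named `__proto__` (JSON.parse can create one) is not
 *    assigned, because `target['__proto__'] = value` would replace the
 *    target's prototype instead of creating a data property.
 *
 * @param {Object} target - object that receives the properties (mutated)
 * @param {...Object} sources - objects to copy from
 * @returns {Object} the same `target` reference
 */
function extend (target) {
  var hasOwn = Object.prototype.hasOwnProperty
  var sources = Array.prototype.slice.call(arguments, 1)
  sources.forEach(function (source) {
    for (var prop in source) {
      if (!hasOwn.call(source, prop) || prop === '__proto__') continue
      target[prop] = source[prop]
    }
  })
  return target
}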
// ---------------------------------------------------------------------------
// Script body: four POSTs against the mini-game backend, ending with a
// "settlement" request whose body carries a client-chosen score.
//
// Reading notes for reviewers / defenders:
//  - The score, play count and game_data are all assembled on the client.
//    The only protection on the settlement body is encrypt(), keyed by the
//    session id the client already has, so it gives the server no evidence
//    that the numbers came from real play.
//  - The action / musicList / touchList arrays are sent empty here. The
//    original listing had a commented-out loop that filled them with one
//    constant entry per point.
//  - The discussion under this listing reports the server later rejecting
//    such submissions (extra `steps` / `timestamp` fields in captured
//    traffic, failures above roughly 60 points), i.e. server-side
//    validation of the play data is the effective mitigation.
//  - NOTE(review): the first request and the wxagame_init request have no
//    rejection handler, and the outer catch discards the error object.
// ---------------------------------------------------------------------------

var version = 5
var score = 2018
// replace with your session_id here
// (a session id is a bearer credential: never commit or share a real one)
var session_id = 'xxxxx'

var headers = {
  'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_1 like Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C153 MicroMessenger/6.6.1 NetType/WIFI Language/zh_CN',
  'Referer': 'https://servicewechat.com/wx7c8d593b2c3a7703/' + version + '/page-frame.html',
  'Content-Type': 'application/json',
  'Accept-Language': 'zh-cn',
  'Accept': '*/*'
}

// Envelope attached to every request body.
var base_req = {
  'base_req': {
    'session_id': session_id,
    'fast': 1
  }
}

var base_site = 'https://mp.weixin.qq.com/wxagame/'
var path

// Issue one JSON POST to `endpoint` under base_site and return its promise.
// `path` is updated first, mirroring the original's shared variable.
function post (endpoint, payload) {
  path = endpoint
  return request({
    method: 'POST',
    url: base_site + path,
    headers: headers,
    json: true,
    body: payload
  })
}

// 1) Fetch user info; the response is ignored.
post('wxagame_getuserinfo', base_req).then(function (response) {
  // console.log(path, response)
})

// 4) Final step: log success, or log the error from the settlement request.
function onSettled (response) {
  // console.log(path, response)
  console.log('2018! Happy new year! 🎉')
}

function onSettleError (error) {
  console.log(error)
}

// 2) Read the current play count, 3) call init, then 4) submit the settlement.
post('wxagame_getfriendsscore', base_req).then(function (response) {
  // console.log(response.my_user_info)
  var times = response.my_user_info.times + 1

  // Not returned: a failure of this inner chain does not reach the outer catch.
  post('wxagame_init', extend({}, {version: 9}, base_req)).then(function (response) {
    // console.log(path, response)
    var action = []
    var musicList = []
    var touchList = []

    var gameData = JSON.stringify({
      seed: Date.now(),
      action: action,
      musicList: musicList,
      touchList: touchList,
      version: 1
    })
    var data = {
      score: score,
      times: times,
      game_data: gameData
    }

    var settlementBody = extend({}, {action_data: encrypt(data, session_id)}, base_req)
    post('wxagame_settlement', settlementBody).then(onSettled).catch(onSettleError)
  })
}).catch(function (error) {
  console.log('something crash')
})
真实跳的数据POST过去也不改变分数。。
@dotedu,抱歉D大,我不懂fork是啥意思,我才上github没多久。。。
@dotedu,跑到D大你的CODE页面上fork了,然后这些文件一堆下下来怎么处理,不好意思我是小白=。=
@fan133 需要VS 编译的。
@dotedu,能大致说说怎么操作吗,抱歉,我以后一定好好学编程!
我记得四号的时候两次提交数据的时间太近的话就会返回-1
我觉得服务器应该是验证了数据提交时间的
@dotedu 我找了个小号 分数为0的,试了一次改分 改成100 提交成功。登录微信也看到了成绩。然后重新获取session_id 再次提交成绩200。失败了。
@edison, 请问D大的代码文件下载了怎么执行啊
@edison1105, 请问D大的代码文件下载了怎么执行啊
@dotedu 你好您的这个代码怎么使用啊,我每次都失败了。。
@dotedu 大神 你的代码我用vs2017编译后运行不起来
System.NullReferenceException
HResult=0x80004003
Message=未将对象引用设置到对象的实例。
Source=wx_t1t
StackTrace:
在 wx_t1t.Main.<>c__DisplayClass44_1.<button1_Click>b__10() 在 F:\hack\wx_t1t-master\wx_t1t\Main.cs 中: 第 86 行
在 wx_t1t.Main.<>c__DisplayClass59_0.b__0() 在 F:\hack\wx_t1t-master\wx_t1t\Main.cs 中: 第 706 行
@TTV5 你要把项目文件中VS版本改高 和你安装的版本一致
@hongdalu 你试过现在还能刷分吗 刚才那个问题是session_id填错了导致的。
现在能提示刷分成功,但微信里面却没有变化
@TTV5 分数高了就成功不了 应该还是时间那的问题
也是没变化
目前还没找到服务器的验证规律
也有可能是抓取session_id时候的UserAgent和模拟的不同,服务器也可能会验证这个。
@dotedu 试过改成一致的UserAgent也不行,我就用新号是成功过一次100分,在改成200分的时候就不行了。
@dotedu 改了UserAgent还是一样 还有我觉得应该在while (currentScore<= score);
下面579行附近加一条score = currentScore;
不然提交的分数很可能和生成的数据对不上
@dotedu 游戏的源码有变化吗?
本地程序没有升级,主要应该还是服务器端对提交的数据验证了
@edison1105 我也是之前小号 提交成功一次后 就不能再提交了。。
抓包了下 现在代码是 要steps timestamps了 {"score":144,"times":384,"game_data":"{\"seed\":1515605346816,\"action\":[[0.773,1.26,false],[0.749,1.29,false],[0.668,1.43,false],[0.923,0.92,false],[0.802,1.16,false],[0.471,1.84,false],[0.973,0.82,false],[0.466,1.84,false],[0.732,1.29,false],[0.477,1.8,false],[0.731,1.29,false],[0.464,1.84,false],[0.425,1.9,false],[0.649,1.46,false],[0.723,1.33,false],[0.563,1.63,false],[0.717,1.33,false],[0.599,1.56,false],[0.85,1.06,false],[0.852,1.06,false],[0.377,2,false],[0.781,1.19,false],[0.853,1.09,false],[0.598,1.56,false],[0.539,1.7,false],[0.75,1.26,false],[0.568,1.63,false],[0.549,1.67,false],[0.478,1.8,false],[0.357,2.04,false],[0.53,1.7,false],[0.549,1.67,false],[0.548,1.67,false],[0.834,1.09,false],[0.323,2.11,false],[0.512,1.73,false],[0.323,2.11,false],[0.577,1.6,false],[0.888,0.99,false],[0.75,1.26,false],[0.704,1.36,false],[0.427,1.9,false],[0.487,1.8,false],[0.633,1.5,false],[0.407,1.94,false],[0.669,1.43,false],[0.765,1.23,false],[0.732,1.29,false],[0.717,1.33,false],[0.7,1.36,false],[0.29,2.17,false]],\"musicList\":[false,false,false,false,false,true,false,false,false,false,false,false,false,false,false,false,false,false,false,false,true,false,false,false,false,true,false,false,false,false,false,false,false,false,false,false,false,false,false,false,true,false,false,false,false,false,false,false,false,false,true],\"touchList\":[[209.47272,574.7006],[224.79187,587.6939],[227.45605,588.69336],[233.78352,592.02496],[234.44958,594.0239],[226.79002,587.0276],[227.45605,591.35864],[230.12025,593.69073],[231.45235,593.69073],[229.78723,592.02496],[230.78632,591.35864],[232.78447,593.0245],[233.4505,592.02496],[231.45235,590.026],[233.4505,592.3581],[233.4505,591.69183],[231.78539,589.6929],[236.1147,585.36176],[235.78168,587.6939],[237.11378,586.0281],[234.44958,580.3644],[235.11565,582.6965],[232.45143,577.6991],[231.78539,578.0323],[232.78447,581.0307],[233.78352,581.697],[235.78168,585.36176],[235.78168,585.0286],[234.44958,582.0302]
,[235.44867,583.696],[235.44867,582.6965],[232.78447,579.3649],[233.78352,578.69855],[232.45143,576.03326],[230.78632,574.7006],[230.78632,574.03436],[234.11656,577.0328],[230.12025,576.36646],[230.4533,573.7012],[229.12117,576.03326],[202.47919,565.7054],[212.80296,576.03326],[210.80481,580.3644],[217.46532,587.0276],[218.4644,588.3602],[218.13136,593.0245],[223.45976,595.68976],[226.45699,593.69073],[229.78723,596.356],[227.12303,593.69073],[227.45605,595.68976]],\"steps\":[[209.47272,574.7006],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[]],\"timestamp\":[1515605347766,1515605349291,1515605350724,1515605352130,1515605353762,1515605358014,1515605359254,1515605361264,1515605362602,1515605364090,1515605365333,1515605366816,1515605368085,1515605369300,1515605370773,1515605372472,1515605373867,1515605375932,1515605377474,1515605379289,1515605383917,1515605385353,1515605387203,1515605388970,1515605390356,1515605394089,1515605395777,1515605397239,1515605398672,1515605400104,1515605401398,1515605402969,1515605404491,1515605405968,1515605407754,1515605408897,1515605410373,1515605411605,1515605413194,1515605415233,1515605425124,1515605427205,1515605431086,1515605432672,1515605434383,1515605435904,1515605437635,1515605439409,1515605441066,1515605442716,1515605447426],\"version\":2}"}
增加了steps,不知道代表什么,数组长度并不固定。
求问楼主怎么找到aes算法部分?
分析源代码,发现 t.actionList.push([t.duration, +t.bottle.obj.position.y.toFixed(2), t.quick]) 中的 t.bottle.obj.position.y 来源于以下
this.obj.position.y -= o.BLOCK.reduction / 2 * o.BLOCK.height / 2 + .027
其中 o.BLOCK.reduction 为 0.005,o.BLOCK.height 为 5.5
@dotedu
周一更新排行榜,代码更新之后60分以下随意改都成功,超过60分就改不成功了。
我已经放弃直接提交分数了,全自动跳就是时间久点,但是不会被封号。
还能用吗? 谁有源码哦?
@hongdalu 我手动 跳一次 然后解密后 换个号加密 POST一次看看。