var CryptoJS = require('crypto-js')
var request = require('request-promise')
/*
* npm install crypto-js request-promise request
* node wx_t1t_hack.js
*/
// export function testEncription(msg, fullKey) {
// var fullKey = fullKey.slice(0, 16)
// var key = CryptoJS.enc.Utf8.parse(fullKey)
// var iv = CryptoJS.enc.Utf8.parse(fullKey)
// var passWord = CryptoJS.AES.encrypt(msg, key, { iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.Pkcs7 })
// var base64 = passWord.toString()
// console.log('passWord', passWord)
// console.log('sessionId', sessionId)
// console.log('key', key)
// console.log('base64', base64)
// var bytes = CryptoJS.AES.decrypt(base64, key, {
// iv: iv
// });
// console.log('bytes', bytes)
// var plaintext = CryptoJS.enc.Utf8.stringify(bytes);
// console.log('plaintext', plaintext)
// }
/**
 * Serialise `text` to JSON and encrypt it with AES in CBC mode with PKCS#7
 * padding, using CryptoJS.
 *
 * Key handling: only the first 16 characters of `originKey` are used, and the
 * same UTF-8 bytes are parsed twice, once as the AES key and once as the CBC
 * IV. A shorter `originKey` is not rejected here.
 *
 * NOTE(review): the script passes session_id as `originKey`, so the key is a
 * value the client already holds and sends in clear in every request body.
 * The IV equals the key and the payload carries no MAC. A receiver therefore
 * cannot treat "decrypts cleanly" as proof that the payload is genuine; it
 * has to validate the decrypted contents itself.
 *
 * @param {*} text - Any JSON-serialisable value.
 * @param {string} originKey - Key material; only the first 16 characters count.
 * @returns {string} The ciphertext as produced by CryptoJS's `toString()`.
 */
function encrypt (text, originKey) {
  var keyMaterial = originKey.slice(0, 16)
  var keyWords = CryptoJS.enc.Utf8.parse(keyMaterial)
  var ivWords = CryptoJS.enc.Utf8.parse(keyMaterial)
  var payload = JSON.stringify(text)
  var cipherOptions = {
    iv: ivWords,
    mode: CryptoJS.mode.CBC,
    padding: CryptoJS.pad.Pkcs7
  }
  return CryptoJS.AES.encrypt(payload, keyWords, cipherOptions).toString()
}
/**
 * Decrypt a ciphertext string produced by `encrypt` and return the plaintext
 * as a UTF-8 string.
 *
 * The key and IV are derived exactly as in `encrypt`: the first 16 characters
 * of `originKey`, parsed as UTF-8, used for both. No mode or padding is passed,
 * so CryptoJS's defaults apply (CBC and PKCS#7, which is what `encrypt` sets
 * explicitly).
 *
 * The result is the JSON text that `encrypt` serialised; it is NOT parsed
 * here. There is no integrity check: a wrong key or tampered input surfaces
 * only as garbage or an empty/invalid UTF-8 result, not as a distinct error.
 *
 * @param {string} text - Ciphertext string as returned by `encrypt`.
 * @param {string} originKey - Key material; only the first 16 characters count.
 * @returns {string} The decrypted plaintext.
 */
function decrypt (text, originKey) {
  var keyMaterial = originKey.slice(0, 16)
  var keyWords = CryptoJS.enc.Utf8.parse(keyMaterial)
  var ivWords = CryptoJS.enc.Utf8.parse(keyMaterial)
  var decrypted = CryptoJS.AES.decrypt(text, keyWords, { iv: ivWords })
  return CryptoJS.enc.Utf8.stringify(decrypted)
}
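/**
 * Shallow-copy the own enumerable properties of each source object onto
 * `target`, left to right (later sources win), and return `target`.
 *
 * Differences from a bare `for...in` copy:
 * - inherited enumerable properties are not copied, so a source with a
 *   modified prototype chain cannot leak extra keys into a request body;
 * - a `__proto__` key (which appears as an own property on objects produced
 *   by JSON.parse) is skipped, because assigning it would replace the
 *   target's prototype instead of creating a data property;
 * - null / undefined sources are ignored.
 *
 * @param {Object} target - Object to receive the properties; mutated in place.
 * @param {...Object} sources - Objects to copy from.
 * @returns {Object} The same `target` reference.
 */
function extend (target) {
  var sources = Array.prototype.slice.call(arguments, 1)
  sources.forEach(function (source) {
    if (source == null) return
    Object.keys(source).forEach(function (prop) {
      // Assigning to '__proto__' would change target's prototype.
      if (prop === '__proto__') return
      target[prop] = source[prop]
    })
  })
  return target
}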
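// ---------------------------------------------------------------------------
// Configuration and request flow.
//
// Review notes:
// - session_id is sent in every request body below and is also the AES key
//   material for action_data. Treat it as a bearer credential: keep a real
//   value out of commits, pastes and screenshots.
// - The settlement payload carries a client-chosen `score`. The only
//   protection visible in this file is encryption under a key the client
//   already holds, so the server has to validate what it decrypts.
// - request-promise attaches the request options (including the body that
//   holds session_id) to its error objects, so failures are logged by message
//   only instead of dumping the whole error object.
// ---------------------------------------------------------------------------

// Used only in the Referer header; the wxagame_init body sends its own
// hard-coded version.
var version = 5
var score = 2018
// replace with your session_id here
var session_id = 'xxxxx'

var headers = {
  'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_1 like Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C153 MicroMessenger/6.6.1 NetType/WIFI Language/zh_CN',
  'Referer': 'https://servicewechat.com/wx7c8d593b2c3a7703/' + version + '/page-frame.html',
  'Content-Type': 'application/json',
  'Accept-Language': 'zh-cn',
  'Accept': '*/*'
}

// Common envelope merged into every request body.
var base_req = {
  'base_req': {
    'session_id': session_id,
    'fast': 1
  }
}

var base_site = 'https://mp.weixin.qq.com/wxagame/'

// Log a failure without echoing the request options carried by the error.
function reportFailure (label, error) {
  console.log(label, error && error.message ? error.message : error)
}

var path = 'wxagame_getuserinfo'
request({
  method: 'POST',
  url: base_site + path,
  headers: headers,
  json: true,
  body: base_req
}).then(function (response) {
  // console.log(path, response)
}).catch(function (error) {
  // Previously unhandled: a failure here surfaced as an unhandled rejection.
  reportFailure('wxagame_getuserinfo failed:', error)
})

path = 'wxagame_getfriendsscore'
request({
  method: 'POST',
  url: base_site + path,
  headers: headers,
  json: true,
  body: base_req
}).then(function (response) {
  // console.log(response.my_user_info)
  // The field can be absent from the response; fail with a clear message
  // rather than a TypeError hidden behind 'something crash'.
  if (!response || !response.my_user_info) {
    throw new Error('wxagame_getfriendsscore response has no my_user_info')
  }
  var times = response.my_user_info.times + 1
  path = 'wxagame_init'
  // Returned so that a failure in the nested requests reaches the outer catch.
  return request({
    method: 'POST',
    url: base_site + path,
    headers: headers,
    json: true,
    body: extend({}, {version: 9}, base_req)
  }).then(function (response) {
    // console.log(path, response)
    var action = [],
      musicList = [],
      touchList = []
    // for (var i = 0; i < score; i++) {
    // action.push([0.752, 1.32, false])
    // musicList.push(false)
    // touchList.push([185, 451])
    // }
    var data = {
      score: score,
      times: times,
      game_data: JSON.stringify({
        seed: Date.now(),
        action: action,
        musicList: musicList,
        touchList: touchList,
        version: 1
      })
    }
    path = 'wxagame_settlement'
    return request({
      method: 'POST',
      url: base_site + path,
      headers: headers,
      json: true,
      body: extend({}, {action_data: encrypt(data, session_id)}, base_req)
    }).then(function (response) {
      // console.log(path, response)
      // An HTTP success is not an application success: the server reports
      // the outcome in base_resp.errcode (0 means accepted).
      var errcode = response && response.base_resp && response.base_resp.errcode
      if (errcode !== 0) {
        console.log('wxagame_settlement rejected, errcode:', errcode)
        return
      }
      console.log('2018! Happy new year! 🎉')
    }).catch(function (error) {
      reportFailure('wxagame_settlement failed:', error)
    })
  })
}).catch(function (error) {
  console.log('something crash')
  reportFailure('cause:', error)
})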
@feix

Owner Author

commented Dec 31, 2017

如何抓包 拿到 session_id

  1. 下载最新 charlesproxy
  2. 启动 charlesproxy
  3. 配置代理: 设置 > 无线局域网 > 配置代理 > 手动 > IP:电脑 ip,端口: 8888
  4. 导入 https 证书: 浏览器访问 http://chls.pro/ssl 下载安装证书
  5. 启动跳一跳小程序
  6. 去 charlesproxy 里查看抓到的请求, https://mp.weixin.qq.com/wxagame/wxagame_init 路径的请求,请求体里就包含 session_id

或者手机下载 surge

session_id 与微信账号相关联,将 session_id 公开或提供给他人都存在账号安全风险

https://www.v2ex.com/t/419056

Just for fun!

@feix

Owner Author

commented Dec 31, 2017

两个有意思的点:

如何下载小程序源代码

wget https://servicewechat.com/weapp/release/{appid}/{version_num}.wxapkg

{appid} 为小程序码, {version_num} 为 版本号,示例:
https://servicewechat.com/weapp/release/${appid}/${version_num}.wxapkg

如何解析 wxapkg 文件:

https://gist.github.com/feix/32ab8f0dfe99aa8efa84f81ed68a0f3e

@hijiangtao


commented Jan 1, 2018

请求体里除了看 session_id 还看看 version 这个也会更改,现在已经到 9 了

@vmvz


commented Jan 1, 2018

@feix 如何获得 appid ? 想下载几个示例看看

@xumeng


commented Jan 1, 2018

现在运行后something crash,上午还可以。是bug修复了吗?

@wenlong-date


commented Jan 1, 2018

  • 16:27分数提交成功
@touzi


commented Jan 1, 2018

用 surge 抓包半天没成功, 现在改用 charlesproxy

@csioeu


commented Jan 1, 2018

17点 分数提交成功

@touzi


commented Jan 1, 2018

18:45 成功, 但我改了 score 的值怎么最后得分还是 2018 ?

@zunpiau


commented Jan 1, 2018

18:46 提交成功,需要修改的 version 仅有 var version = 5 这一行

@EthianWong


commented Jan 1, 2018

2018.1.2 00:50 可修改;另请注意,抓取的session_id前最好先进行如下操作: 退出微信(Kill掉后台) 重新进入微信 再进入跳一跳小程序 这时候界面上应该是有一个按钮叫做开始游戏的 不要点击开始游戏 此时查看反向代理的抓包结果 应该就有 session_id 了。利用这个session_id修改分数后,再点击界面上的排行榜即可验证结果。
PS: 最好不要点击进入游戏后再修改 可能也许大概 最起码对我而言 这样子再修改是会没有效果的

@TanninSi


commented Jan 1, 2018

我的Chrome控制台显示 var CryptoJS = require('crypto-js') not defined 我知道可能是我没有安装这个库。应该怎么操作呢

@echaos


commented Jan 2, 2018

something crash

@echaos


commented Jan 2, 2018

问题是 第一次运行response没有times这个参数 我注释掉times重新运行之后 response里面又出现了times 然后按照源代码运行即可

@CaoYuGang


commented Jan 2, 2018

有没有大师可以分享一下,修改完js文件后如何操作

@er567


commented Jan 2, 2018

怎么操作人家代码里不都写了注释么

@hesj


commented Jan 2, 2018

@EthianWong @zunpiau
https://mp.weixin.qq.com/wxagame/wxagame_init
一直抓不到这个请求,怎么办?
连wxagame 的都没有
只微信请求里面看到session id ,如下图
image

@yuezy


commented Jan 2, 2018

对于楼上抓不到mp详情,是iOS 10以上需要如下操作

  1. 设置 - 通用 - 关于本机 - 证书信任设置 - 打开Charles Proxy CA 开关
  2. 右键 mp.weixin.qq.com 找到 Enable SSL Proxying 点击后 如图所示 :
    _2018-01-02_12-31-56
  • 编辑 wx_t1t_hack.js //大概第65行
    version = 抓包拿到的version
    session_id = 抓包拿到的session_id

  • 打开终端

cd 到  wx_t1t_hack.js 的目录
npm install crypto-js request-promise request
node wx_t1t_hack.js
@ksco


commented Jan 2, 2018

友情提醒:分数最高为 10W 分,大于这个数字就会显示 10W

@mcl20034


commented Jan 2, 2018

修改成功✌️

@Panway


commented Jan 2, 2018

2018.01.02 10:37 亲测还能用

@Panway


commented Jan 2, 2018

抓包失败的可以参考:https://www.jianshu.com/p/6ad09374053b
跟我一样的小白可参考:
cd <此文件的父目录>
npm init (一路回车或者npm init --y)
npm install crypto-js request-promise
修改此文件的score和session_id
node wx_t1t_hack.js

@piao6236703


commented Jan 2, 2018

weget不到wxapkg怎么办,一直404
image

@EthianWong


commented Jan 2, 2018

@hesj @ycjcl868

二位的情况都属于抓包工具未配置好

  1. 在手机端安装完证书后 请进入 设置 - 通用 - 关于本机 - 证书信任设置 当中有 Charles 的证书 请把后面的开关打开
  2. 在电脑端 Charles 中找到 mp.weixin.qq.com 此时前面应该是一个锁头的图案,在这条记录上右键 应该有一个 enable SSL Proxying,左键单击这个选项后 应当变为 disable SSL Proxying

退出电脑端的 Charles 然后重启开启,手机再进入跳一跳界面 此时应该可以看到正常的请求了
PS: 如果还不可以 可以搜索 Charles 相关教程

@ycjcl868


commented Jan 2, 2018

@EthianWong thx!!!

image

@Finb


commented Jan 2, 2018

11:23 something crash 的可以把 105行改成 var times = response.ts + 1 即可

@timelessg


commented Jan 2, 2018

已成功,谢谢老板

@george-luofz


commented Jan 2, 2018

11:17亲测成功,感谢楼主!
装npm install crypto-js request-promise时会出现一堆warning,可忽略

@lniwn


commented Jan 2, 2018

[update] 使用Fiddler抓包 + node.js执行:

  • 手机设置Fiddler代理地址,然后手机浏览器访问代理地址http://xxxx:8888,点击红框部分安装证书
    _20180102114219
  • 启动弹一弹,搜索wxagame_init
    _20180102111538
  • npm 执行报错something crash修改脚本105行为:var times = response.base_resp.ts + 1想当然的把ts理解为时间戳了,刚才又好好看了下数据,ts表示次数,并且返回结果里是有my_user_info.ts项的,如果仍然有人报错,可以尝试换个合理的随机整数,比如58。
    [2018-01-02 14:4:23 再次更新]:报错的童鞋可能是从来没有玩过这个游戏,先用手机打开玩几把,有分数之后,再用脚本,应该就有response.my_user_info字段了。
    image
@hyndaniel


commented Jan 2, 2018

2018年1月2日11:48:06 提交成功

@yefuchao


commented Jan 2, 2018

2018_1_2_11_51 亲测可用

@lniwn


commented Jan 2, 2018

@CaoYuGang npm 执行报错something crash,修改脚本105行为:var times = response.base_resp.ts + 1

@youqingxiaozhua


commented Jan 2, 2018

wxapkg 一直404,版本都尝试遍了...

@CaoYuGang


commented Jan 2, 2018

成功

@y11en


commented Jan 2, 2018

成功2018年1月2日12:13:57,感谢!

@s3xy


commented Jan 2, 2018

可用。嫌电脑抓手机包麻烦的可以直接下个手机抓包app。

@chaoxn


commented Jan 2, 2018

显示成功, 但是微信上还没有变

@chiemy


commented Jan 2, 2018

666

@Lanseria


commented Jan 2, 2018

  • now 亲测可用 10w
@yuezy


commented Jan 2, 2018

@ytxbnahn 再试一下我刚那层楼增加的第二步,刚刚没写上

@fangge


commented Jan 2, 2018

成功,感谢!

@huyuaning


commented Jan 2, 2018

2018年01月02日12:46:53 成功。在自己手机上看积分没变,换一台手机积分是最新的

@sunday9th


commented Jan 2, 2018

2018年01月02日1:36:53 成功

@chenyoufu


commented Jan 2, 2018

尝试了一下,依然有用

@rxctp


commented Jan 2, 2018

6的飞起

@Mrluobo


commented Jan 2, 2018

2018年01月02日13:13:53 成功

@cdut007


commented Jan 2, 2018

"base_resp":{"errcode":-2} 请求成功 服务器返回这个,不行了吧

@cdut007


commented Jan 2, 2018

node wx_t1t_hack.js
my_user_info={"base_resp":{"errcode":0,"ts":"1514872722364"},"user_info":[{"nickname":"子 . 凡","headimg":"http://wx.qlogo.cn/mmhead/PiajxSqBRaEK2Jibe4475hGZK6VpiajvUnNECHesYQ2hyWDm5yHUnjbBw/96","score_info":[],"week_best_score":29,"grade":1,"hongbao_list":[]}]}
wxagame_settlement info:{"base_resp":{"errcode":-2}}
2018! Happy new year!

@Mrluobo


commented Jan 2, 2018

@feix 现在似乎无法下载源码了

@touzi


commented Jan 2, 2018

2018/1/2 14:27
小号又刷了一次, 成功, 看来微信是不打算修复这个 bug 了.

@IORI20091101


commented Jan 2, 2018

2018年1月2日14:20 依然可以成功,感谢

@coolryze


commented Jan 2, 2018

2018年01月02日14:41:01 提交成功,感谢~

@teg1c


commented Jan 2, 2018

2018-1-2 14:42:38 2018! Happy new year!

@Mcdull0921


commented Jan 2, 2018

没有nodejs,没有脚本,用Fiddler抓包加模拟发包成功实现,唯一需要解决的就是aes加密算法,这个任何一门语言都能实现。然后遇到的问题就是一开始采用拦截包加篡改的方式,发现不起作用,参考了这位兄弟@EthianWong的评论,那么可能也许大概应该在进入游戏之前去发包

@Cybs


commented Jan 2, 2018

2018年1月2日14:40 依然可以成功,ios的微信要关掉进程再打开才能看到排行榜更新

@DinoZhang


commented Jan 2, 2018

success

@yuppieLiu


commented Jan 2, 2018

厉害了 老铁

@cdut007


commented Jan 2, 2018

可以成功,先手动玩一局

var times = response.my_user_info.times + 1  //这个不能改

,"my_user_info":{"nickname":"xxx","headimg":"img","score_info":[],"history_best_score":2018,"week_best_score":2018,"grade":8,"times":3,"hongbao_list":[]}}
wxagame_settlement info:{"base_resp":{"errcode":0,"ts":"1514876354888"}}

@lily1115


commented Jan 2, 2018

2018年1月2日15:08 可用

@yuxiaokui


commented Jan 2, 2018

15:30 10万分可用

@josephzjw


commented Jan 2, 2018

成功了,遇到的问题是我还要装一个request的包,然后我发现我要把手机微信关了再运行一次脚本再登录才能看到新的记录。

@stevennzhou


commented Jan 2, 2018

修改成功了,但是排行榜没有任何改变?

@super-ppx


commented Jan 2, 2018

@DEVINNN
完全退出微信再开

@garyGao2014


commented Jan 2, 2018

现在还可用吗 没找到session_id了

@hyndaniel


commented Jan 2, 2018

@0312birdzhang 害人。。本来是2018挺好的数字,结果试了下改大了,没法改回来了

@zhihuitang


commented Jan 2, 2018

牛逼,请问下, 你是怎么知道这个action_data是怎么加密的?

@feix

Owner Author

commented Jan 2, 2018

@0312birdzhang 让别人填 session_id 不合适,session_id 关联微信账号,存在账号安全风险

@zhihuitang


commented Jan 2, 2018

@feix, 请问你是怎么知道这个encrypt算法的, originKey = originKey.slice(0, 16),这都能知道?

@feix

Owner Author

commented Jan 2, 2018

@zhihuitang 如何下载小程序源码 -> 读源码
js 脚本里最开始的一段注释,就是从源码里 copy 出来的

@zhihuitang


commented Jan 2, 2018

@feix, 高!
那么你是怎么获得源码的呢?

@elichn


commented Jan 2, 2018

已成功,感谢老板

@tutuoo


commented Jan 2, 2018

小白求大佬教一下...wx: tutu168350444 TvT!

@dunwen


commented Jan 2, 2018

老哥,奖杯借我摸摸好嘛!

@WenJimmy


commented Jan 2, 2018

成功,感谢老板

@NowhereToRun


commented Jan 2, 2018

66666

@yiailake


commented Jan 2, 2018

亲测可用 perfect!

@Hardway2


commented Jan 2, 2018

success

@sunyongjian


commented Jan 2, 2018

2018年01月02日18:03:39 亲测有效。

扒源码操作 6

@flewsea


commented Jan 2, 2018

似乎已经过滤了,中午改的,现在在朋友那里已经没了

@h080294


commented Jan 2, 2018

@feix 现在没法下载小程序源代码了呢,访问都是404,还有其他办法能得到源码么

@able8


commented Jan 2, 2018

666

@qianlishun


commented Jan 2, 2018

2018年01月02日18:44:17 亲测可用

@jiangshaowei03


commented Jan 2, 2018

运行成功了 !为啥分数没变

@zaing


commented Jan 2, 2018

2018年01月02日19:35 500分 亲测可用

@lee-newly


commented Jan 2, 2018

2018.01.01 19.42成功

@seclog


commented Jan 2, 2018

用别的微信号看,可以看到最新的。

@FinCheng


commented Jan 2, 2018

2018.1.02 20:30 亲测有效

@inetkiller


commented Jan 2, 2018

20:39亲测有效

@chenbin-353549444


commented Jan 2, 2018

有效,666啊

@Lubyam


commented Jan 2, 2018

2018.01.01 20.54成功,t退出重新登录就可以看到成绩

@TonyLuo


commented Jan 2, 2018

如何获得 appid ?

@Sunbelife


commented Jan 2, 2018

好像挂了?

@zhaoawd


commented Jan 2, 2018

@jxst973393 你需要执行最后一行的命令,npm install request --save,然后再执行之前的命令就行了,另外version要改成9

@busyfree


commented Jan 2, 2018

2018-01-02 22:22 修改分数ok

@Kingson


commented Jan 2, 2018

2018.01.02 22:34成功,修改完成后,玩一局失败再查看排行榜,就可以看到分数了

@jxst973393


commented Jan 2, 2018

@zhaoawd 这个我都试过了,还是不行提示Error: Cannot find module 'boom'

@tutuoo


commented Jan 2, 2018

为什么我运行成功了 重新登录还是玩一把 都没有分数出现..

@huanglins


commented Jan 2, 2018

2018.01.02 11:07 成功,打卡!!

@duenyang


commented Jan 2, 2018

2018-01-02 23:19搞定

@simaguo


commented Jan 2, 2018

ok,安装软件花了99.99%的时间

@kaqijiang


commented Jan 2, 2018

2018-01-02 23:29可用

@liangli2718


commented Jan 2, 2018

亲测可用 这一发过后 一切都变得索然无味。。。😂

@TonyLuo


commented Jan 2, 2018

@EthianWong 我的是安卓手机,手机很电脑都已经安装了Charles证书,但还是抓取不了session_id 和appId。难道要单独配置微信信任ssl证书吗
You may need to configure your browser or application to trust the Charles Root Certificate. See SSL Proxying in the Help menu.

image

@foxman209


commented Jan 2, 2018

1.3号有成功的吗,运行成功后,分数没有任何变化

@liangzr


commented Jan 2, 2018

01-03 12:55 AM 返回 errCode 108

@zcdll


commented Jan 2, 2018

@foxman209 我这里页没有变化。。。0点之后

@CHEN-DONG


commented Jan 2, 2018

@liangzr 我也是返回errCode 108

@oloopy


commented Jan 2, 2018

没成功,返回errcode: 108

@ishenyi


commented Jan 2, 2018

post游戏分数,返回:
node wx_t1t_hack.js
wxagame_settlement { base_resp: { errcode: 108 } }
2018! Happy new year!

应该是被官方禁止了吧

@qmppz


commented Jan 2, 2018

只能2018??成功一次后就再也没成功过了,求分享一下你们的操作步骤,

@ishenyi


commented Jan 2, 2018

已无法下载小程序包

wget https://servicewechat.com/weapp/release/32ab8f0dfe99aa8efa84f81ed68a0f3e/4.wxapkg
--2018-01-03 02:11:15-- https://servicewechat.com/weapp/release/32ab8f0dfe99aa8efa84f81ed68a0f3e/4.wxapkg
Resolving servicewechat.com... 180.163.26.36, 180.163.21.166
Connecting to servicewechat.com|180.163.26.36|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2018-01-03 02:11:15 ERROR 404: Not Found.

@sjaeiou


commented Jan 2, 2018

恩应该是不行了 同样errcode: 108

@qinguoliang


commented Jan 2, 2018

2018! Happy new year! 但是分数没变

@WatcherT


commented Jan 2, 2018

脐带更新

@cnBruceHong


commented Jan 2, 2018

action_data算法应该换了。

@WatcherT


commented Jan 2, 2018

action算法还能搞出来吗,源码下不到了?

@lyh2668


commented Jan 3, 2018

action算法加个盐没有源码基本推算不出来了吧

@linweiwei123


commented Jan 3, 2018

谁知道最新代码怎么弄?

@cdut007


commented Jan 3, 2018

用android本地解压小程序 ,算法更新一下就可以了

参考最新跳一跳压缩的js 找到加密 对应更新即可
function encrypt (text, originKey) {

return ciphertext.toString()

}

@cdut007


commented Jan 3, 2018

这个漏洞只要本地下载小程序 js ,提交分数 永远都封不了,即便搞成.so统一加密 客户端也能破解,游戏性质决定了,对战游戏就不会有这个问题。

@jiangshaowei03


commented Jan 3, 2018

还能刷吗 脚本执行成功,分数无变化(微信后台完全退出)

@CHEN-DONG


commented Jan 3, 2018

@cdut007 兄弟现在小程序下载不下来了 怎么拿源码啊?

@yuwenqiang


commented Jan 3, 2018

image
一直108

@kevinTutu


commented Jan 3, 2018

恩应该是不行了 同样errcode: 108

@zhaozhen


commented Jan 3, 2018

20170103 10 17 出现“2018! Happy new year! ” 但是分数并没有提交成功,可能已经被封了。

@wxisme


commented Jan 3, 2018

楼主,请教一下,这个漏洞你是怎么破解的,是分析源码吗?也就是说如果源码不外泄那么也就很难用这种方式破解了?能不能在信息安全的角度解释一下。要做什么才能防止类似的漏洞。

@joker8023


commented Jan 3, 2018

2018-01-03 10:19
2018! Happy new year!分数没有变化,不要再试了

@suyuanhxx


commented Jan 3, 2018

wxagame_settlement 这个接口已经抓不到了

@Kingson


commented Jan 3, 2018

2018.01.03 10:44 提交成功,分数无变化

@PengchengFang


commented Jan 3, 2018

2018.01.03 10:46 提交成功,分数无变化

@LJLSS


commented Jan 3, 2018

2018-01-03 最新小游戏跳一跳里的game.js源码
里面和楼主的encrypt里的算法似乎是一样的

@bestvist


commented Jan 3, 2018

error code :108 微信修复了?

@mattxzhang


commented Jan 3, 2018

已经失效,执行成功,分数没变

@deng-yc


commented Jan 3, 2018

error code :108

@gaoshilei


commented Jan 3, 2018

微信返回这个错wxagame_settlement { base_resp: { errcode: 108 } }

@ratelgogo


commented Jan 3, 2018

接口改成了wxagame_bottlereport

每次wxagame_init获取时间戳,report_list需要添加时间戳,和duration时间,估计后台会比对玩的时间,如果太快就拒绝了。

report_list": [{
		"ts": 1514948681,
		"type": 2,
		"score": 20,
		"best_score": 2018,
		"break_record": 0,
		"duration": 27,
		"times": 148
	}]

得试出时间比对的算法,还是可以hack的。

@pcjser


commented Jan 3, 2018

求一个破解后的游戏源码 开发使用 好人一生平安 邮箱 201688080@qq.com

@AshanJiang


commented Jan 3, 2018

这个现在是失效了,应该是刷分太快给官方BAN了。

@wehooshen


commented Jan 3, 2018

已失效,执行成功,分数没变

@xitangwang


commented Jan 3, 2018

同求一个破解后的游戏源码 开发使用 好人一生平安 邮箱 534346738@qq.com

@Jialufeng


commented Jan 3, 2018

report_list": [{
"ts": 1514948681, //当前时间戳 每次跳一次+几秒
"type": 2, //每次跳的方格类型,1-10左右
"score": // 当前分,
"best_score": 2018, // 最高分
"break_record": 0, // 最低分
"duration": 27, // 停留时间
"times": 148 // 第多少次跳 ps:累加
}]

image

@xiefei


commented Jan 3, 2018

接口改掉了https://mp.weixin.qq.com/wxagame/wxagame_bottlereport, 请求参数也改了
report_list:[{

ts=1514952588
type=0

},
best_score=35
break_record=0
duration=27
score=1
times=24
ts=1514952628
type=2

]

@Seayon


commented Jan 3, 2018

求教楼上两位,请求参数的详细格式,现在这个格式的参数还需要加密吗?session_id 在哪里

@0x1ng


commented Jan 3, 2018

最新十万分可行。

@Kingson


commented Jan 3, 2018

@lovexing 确定?

@hackxx


commented Jan 3, 2018

@lovexing 测试不行啊

@GabrielchenCN


commented Jan 3, 2018

 ts为wxagame_init中的JSON.parse(response.responseText).base_resp.ts;
 ts = new Number(ts);
                   var report_list = [{
                       "ts": Math.floor(ts/ 1000),//当前时间戳 每次跳一次+几秒
                       "type": 2, //每次跳的方格类型,1-10左右
                       "score": 2018,// 当前分,
                       "best_score":  106, // 最高分
                       "break_record": 0, // 最低分
                       "duration": 27, // 停留时间
                       "times": 1// 第多少次跳 ps:累加
                   }];
   data:       extend({}, {action_data: encrypt(report_list, session_id)}, base_req),

请求成功,但是分数没有改变

@ChristopherKai


commented Jan 3, 2018

表示关注

@longchena


commented Jan 3, 2018

提交请求应该还是wxagame_settlement,没有修改成wxagame_bottlereport,理由是:停留在开始页面,未进行游戏也会上报wxagame_bottlereport接口

bottle

是wxagame_settlement接口的加密算法更新了吗?

@zzzzzb


commented Jan 3, 2018

新接口参数请求成功,但分没改变

@hackxx


commented Jan 3, 2018

感觉已经凉凉了 还是用这个吧https://github.com/wangshub/wechat_jump_game

@gechanghang


commented Jan 3, 2018

怎么拿appid?看不到啊

@jiaxuml


commented Jan 3, 2018

wxagame_init { base_resp: { errcode: 0, ts: '1514959169525' }, version: 9 }
wxagame_bottlereport { base_resp: { errcode: 0, ts: '1514959169662' } }
2018! Happy new year!

分数没改变,这是正常的么?

@zhangxinGithub


commented Jan 3, 2018

还有大手子吗 循环一个report_list可以不

@MarkGor


commented Jan 3, 2018

测试过小游戏这边提交的action_data拿来脚本解密,发现解密成功并且数据架构和data的一致。证明验证加密处没有被修改,
请求的地址也是wxagame_settlement
但是一直返回108错误

脚本注释的
for (var i = 0; i < score; i++) {
action.push([0.752, 1.32, true])
musicList.push(true)
touchList.push([185, 451])
}
也取消注释了,发现结果一样是108
但是我用一个正常的数据提交去小号那里刷成功了。

估计是后端验证了game_data的数据

@maxfong


commented Jan 3, 2018

@hackxx


commented Jan 3, 2018

莫名其妙成功 怎么办就是用这个脚本 ps:心得 可能 需要取消注释
for (var i = 0; i < score; i++) {
action.push([0.752, 1.32, false])
musicList.push(false)
touchList.push([185, 451])
}
刚刚好友看到我到10w分 了 我自己本地没看见,莫名其妙的感觉 ,老铁们 不谢

@ZexiFangkong


commented Jan 3, 2018

@gechanghang Charlse抓包。

@ZexiFangkong


commented Jan 3, 2018

接口改了 旧的代码昨天还能改,今天用不了了 。

@lixiaokuan0819


commented Jan 3, 2018

成功了 happy new year了,分数没变= =

@PengchengFang


commented Jan 3, 2018

@hackxx 我也是,把注释去掉就莫名的成功了

image

@qmppz


commented Jan 3, 2018

输出 happy new year,分数没变??

@acer4750


commented Jan 3, 2018

@maxfong 确实可用,不同的思路

@joker-danta


commented Jan 3, 2018

貌似现在不行了,替换掉session_id 之后,请求已经成功,但是没有分数没有更新

@wohub


commented Jan 3, 2018

本帖的代码和 @maxfong 帖子的部分代码结合起来刷分 成功

@xiaruikun


commented Jan 3, 2018

输出happy new year不代表访问成功,把输出前面一行注释放开,errorCode是108就报错了

@EagleChen


commented Jan 3, 2018

地址是wxagame_settlement

game_data 需要补充, 也就是action, musicList, touchList需要随机生成

并且最重要的似乎是 等!
服务器好像会验证时间, 发的请求 1s 跳个 几百步, 服务器就拒绝了 (errcode: 108)

@wohub


commented Jan 3, 2018

需要修改两处:
1、注释的这部分代码使用随机数
for(var i=Math.round(10000+Math.random()*2000);i>0;i--){
action.push([Math.random().toFixed(3),(Math.random()*2).toFixed(2),i/5000==0?true:false]);
musicList.push(false);
touchList.push([(250-Math.random()*10).toFixed(4),(670-Math.random()*20).toFixed(4)]);
}
2、分数也用随机数
score: Math.round(8000+Math.random()*2000)

@joker-danta


commented Jan 3, 2018

@xiaruikun 放开了,输出 108 ,有什么解决办法吗?

@zhon9


commented Jan 3, 2018

15:38 10w成功

@h080294


commented Jan 3, 2018

截止目前为止,仍然可以刷分

@xiaruikun


commented Jan 3, 2018

@joker-danta
for (var i = 0; i < score; i++) {
action.push([0.752, 1.32, false])
musicList.push(false)
touchList.push([185, 451])
},放开这段注释,然后就能成功了

@wohub


commented Jan 3, 2018

分数可以不用随机数 也成功了

@xiaruikun


commented Jan 3, 2018

放开注释能成功推测是服务器端校验了玩游戏过程的数据,将这些数据全部加入到actionData中,发送请求就可以成功了

@ellenSong


commented Jan 3, 2018

随机数还是可以的,成功

@pharrellyhy


commented Jan 3, 2018

@lvxiaodongweb
亲测可用

@joker-danta


commented Jan 3, 2018

修改为随机数,亲测可用 。

@Kingson


commented Jan 3, 2018

放开注释可用

@chucklqsun


commented Jan 3, 2018

下面是按照评论修改过的,替换session id直接可以用(刚刚测试过)。
https://github.com/chucklqsun/WxJumpHelper/blob/master/wx_t1t_hack.js

@WatcherT


commented Jan 3, 2018

有意思,放开注释,分数用随机数可用,回头来研究下

@zheyuangao


commented Jan 3, 2018

可以使用,点击位置需要随机,分数可以自定

@yangceng


commented Jan 3, 2018

厉害

@scriptway


commented Jan 3, 2018

显示成功 可还是没有变

@yangceng


@scriptway


commented Jan 3, 2018

@chucklqsun 可用
wxagame_settlement { base_resp: { errcode: 0, ts: '1514972607421' } }
2018! Happy new year!

@scriptway


commented Jan 3, 2018

刷了11082分 哈哈哈

@vera0707


commented Jan 3, 2018

定义action musicList touchList 三个变量那里 循环改为 :
for(var i=Math.round(10000+Math.random()*2000);i>0;i--){
action.push([Math.random().toFixed(3),(Math.random()*2).toFixed(2),i/5000==0?true:false]);
musicList.push(false);
touchList.push([(250-Math.random()*10).toFixed(4),(670-Math.random()*20).toFixed(4)]);
}
OK了
大神们你们分数为什么也要用随机数啊~

@Skypow2012


commented Jan 3, 2018

可以成功@maxfong ,自己的机器上还没变,过了一段时间其他人的机器上变了,我是保持在即在开始游戏的状态下

@pavilion2t


commented Jan 3, 2018

安卓手机不知道在哪里 设置证书信任 T T
2018-01-03 18 48 04

@lizhengnacl


commented Jan 3, 2018

倒是把Charles熟悉了一下,果然需求是第一生产力。

@leo9960


commented Jan 3, 2018

Android手机推荐用Packet Capture抓包,不用root,安装之后点右上角三个点-Setting-Certificate-Status,安装证书,然后返回主界面点右上角的开始(抓之前最好把能关的应用都关了,清一次后台),打开跳一跳,玩一局,返回Packet Capture停止抓包,点进去找,有微信标志且有SSL标志的包应该就是跳一跳发出来的请求(我这里跳一跳请求的ip是120.204.16.168:443)
其中:
POST /wxagame/wxagame_getfriendsscore是获取排行榜的,body是{"base_req": {"session_id": "你的session id","fast": 1}}
POST /wxagame/wxagame_settlement是上传分数的,body是{"base_req": {"session_id": "你的session id","fast": 1},"action_data": "这局分数之类的数据"}

@weijihong


commented Jan 3, 2018

由于每开始新的游戏session_id会一直变,所以每次执行node hack.js时都要重新获得新的session_id
取消注释莫名其妙可用+1

@vinplezhang


commented Jan 3, 2018

请问 version要改成9吗 取消注释 也一直不行@weijihong

@PengchengFang


commented Jan 3, 2018

请问有人突破10w的限制吗 ?

@vinplezhang


commented Jan 3, 2018

退出微信重新登录 就可以了 蛋疼 不行的 可以试下

@edison1105


commented Jan 3, 2018

定义action musicList touchList 三个变量那里 循环改为 :
for(var i=Math.round(10000+Math.random()*2000);i>0;i--){
action.push([Math.random().toFixed(3),(Math.random()*2).toFixed(2),i/5000==0?true:false]);
musicList.push(false);
touchList.push([(250-Math.random()*10).toFixed(4),(670-Math.random()*20).toFixed(4)]);
}
然后退出微信重新登录就是见证奇迹的时刻
提交时间 2018年01月03日22:39:36

@0xa-saline


commented Jan 3, 2018

用楼上的方法成功了.

2018年 1月 3日 星期三 23时06分28秒 CST

@bjbao912


commented Jan 3, 2018

@chucklqsun 亲测可用

@zhishengpeng


commented Jan 3, 2018

https://gist.github.com/yangceng/0c2a76564c1afa4cd3a1e238300b311f

用这个,版本改为9,分数12018。
把 var times = response.my_user_info.times + 1 改成 var times = response.ts + 1
可以执行。
2018-01-04-00.03可行。

@ishenyi


commented Jan 3, 2018

2018-01-04 00:24:08
测试成功,今天抽空仔细研究了一下,有段for循环数字需要解开。
解开后。score设置666,不行ero=108
score设置100000,直接成功
tiaotiao_hack node wx_t1t_hack.js
wxagame_settlement { base_resp: { errcode: 0, ts: '1514996241276' } }
2018! Happy new year!

image

@qmppz


commented Jan 4, 2018

楼上的还没翻车?

@hackxx


commented Jan 4, 2018

翻车啦

@xuyusong


commented Jan 4, 2018

怎么一直crash

@Alienhh


commented Jan 4, 2018

修改成功

@Alienhh
