Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
var CryptoJS = require('crypto-js')
var request = require('request-promise')
/*
* npm install crypto-js request-promise request
* node wx_t1t_hack.js
*/
// export function testEncription(msg, fullKey) {
// var fullKey = fullKey.slice(0, 16)
// var key = CryptoJS.enc.Utf8.parse(fullKey)
// var iv = CryptoJS.enc.Utf8.parse(fullKey)
// var passWord = CryptoJS.AES.encrypt(msg, key, { iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.Pkcs7 })
// var base64 = passWord.toString()
// console.log('passWord', passWord)
// console.log('sessionId', sessionId)
// console.log('key', key)
// console.log('base64', base64)
// var bytes = CryptoJS.AES.decrypt(base64, key, {
// iv: iv
// });
// console.log('bytes', bytes)
// var plaintext = CryptoJS.enc.Utf8.stringify(bytes);
// console.log('plaintext', plaintext)
// }
function encrypt (text, originKey) {
var originKey = originKey.slice(0, 16),
key = CryptoJS.enc.Utf8.parse(originKey),
iv = CryptoJS.enc.Utf8.parse(originKey),
msg = JSON.stringify(text)
var ciphertext = CryptoJS.AES.encrypt(msg, key, {
iv: iv,
mode: CryptoJS.mode.CBC,
padding: CryptoJS.pad.Pkcs7
});
return ciphertext.toString()
}
function decrypt (text, originKey) {
var originKey = originKey.slice(0, 16),
key = CryptoJS.enc.Utf8.parse(originKey),
iv = CryptoJS.enc.Utf8.parse(originKey)
var bytes = CryptoJS.AES.decrypt(text, key, {
iv: iv
})
var plaintext = CryptoJS.enc.Utf8.stringify(bytes)
return plaintext
}
function extend (target) {
var sources = [].slice.call(arguments, 1)
sources.forEach(function (source) {
for (var prop in source) {
target[prop] = source[prop]
}
})
return target
}
var version = 5,
score = 2018,
// replace with your session_id here
session_id = 'xxxxx'
var headers = {
'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_1 like Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C153 MicroMessenger/6.6.1 NetType/WIFI Language/zh_CN',
'Referer': 'https://servicewechat.com/wx7c8d593b2c3a7703/' + version + '/page-frame.html',
'Content-Type': 'application/json',
'Accept-Language': 'zh-cn',
'Accept': '*/*'
}
var base_req = {
'base_req': {
'session_id': session_id,
'fast': 1
}
}
var base_site = 'https://mp.weixin.qq.com/wxagame/'
var path = 'wxagame_getuserinfo'
request({
method: 'POST',
url: base_site + path,
headers: headers,
json: true,
body: base_req
}).then(function (response) {
// console.log(path, response)
})
path = 'wxagame_getfriendsscore'
request({
method: 'POST',
url: base_site + path,
headers: headers,
json: true,
body: base_req
}).then(function (response) {
// console.log(response.my_user_info)
var times = response.my_user_info.times + 1
path = 'wxagame_init'
request({
method: 'POST',
url: base_site + path,
headers: headers,
json: true,
body: extend({}, {version: 9}, base_req)
}).then(function (response) {
// console.log(path, response)
var action = [],
musicList = [],
touchList = []
// for (var i = 0; i < score; i++) {
// action.push([0.752, 1.32, false])
// musicList.push(false)
// touchList.push([185, 451])
// }
var data = {
score: score,
times: times,
game_data: JSON.stringify({
seed: Date.now(),
action: action,
musicList: musicList,
touchList: touchList,
version: 1
})
}
path = 'wxagame_settlement'
request({
method: 'POST',
url: base_site + path,
headers: headers,
json: true,
body: extend({}, {action_data: encrypt(data, session_id)}, base_req)
}).then(function (response) {
// console.log(path, response)
console.log('2018! Happy new year! 🎉')
}).catch(function (error) {
console.log(error)
})
})
}).catch(function (error) {
console.log('something crash')
})
@dotedu
Copy link

dotedu commented Jan 8, 2018

@hongdalu 我手动 跳一次 然后解密后 换个号加密 POST一次看看。

@dotedu
Copy link

dotedu commented Jan 8, 2018

真实跳的数据POST过去也不改变分数。。

@fan133
Copy link

fan133 commented Jan 8, 2018

@dotedu,抱歉D大,我不懂fork是啥意思,我才上github没多久。。。

@fan133
Copy link

fan133 commented Jan 8, 2018

@dotedu,跑到D大你的CODE页面上fork了,然后这些文件一堆下下来怎么处理,不好意思我是小白=。=

@dotedu
Copy link

dotedu commented Jan 8, 2018

@fan133 需要VS 编译的。

@fan133
Copy link

fan133 commented Jan 8, 2018

@dotedu,能大致说说怎么操作吗,抱歉,我以后一定好好学编程!

@dotedu
Copy link

dotedu commented Jan 8, 2018

我记得四号的时候两次提交数据的时间太近的话就会返回-1
我觉得服务器应该是验证了数据提交时间的

@edison1105
Copy link

@dotedu 我找了个小号 分数为0的,试了一次改分 改成100 提交成功。登录微信也看到了成绩。然后重新获取session_id 再次提交成绩200。失败了。

@fan133
Copy link

fan133 commented Jan 9, 2018

@edison, 请问D大的代码文件下载了怎么执行啊

@fan133
Copy link

fan133 commented Jan 9, 2018

@edison1105, 请问D大的代码文件下载了怎么执行啊

@jxst973393
Copy link

@dotedu 你好您的这个代码怎么使用啊,我每次都失败了。。

@TTV5
Copy link

TTV5 commented Jan 9, 2018

@dotedu 大神 你的代码我用vs2017编译后运行不起来
System.NullReferenceException
HResult=0x80004003
Message=未将对象引用设置到对象的实例。
Source=wx_t1t
StackTrace:
在 wx_t1t.Main.<>c__DisplayClass44_1.<button1_Click>b__10() 在 F:\hack\wx_t1t-master\wx_t1t\Main.cs 中: 第 86 行
在 wx_t1t.Main.<>c__DisplayClass59_0.b__0() 在 F:\hack\wx_t1t-master\wx_t1t\Main.cs 中: 第 706 行

@hongdalu
Copy link

hongdalu commented Jan 9, 2018

@TTV5 你要把项目文件中VS版本改高 和你安装的版本一致

@TTV5
Copy link

TTV5 commented Jan 9, 2018

@hongdalu 你试过现在还能刷分吗 刚才那个问题是session_id填错了导致的。
现在能提示刷分成功,微信里面没有却没有变化

@hongdalu
Copy link

hongdalu commented Jan 9, 2018

@TTV5 分数高了就成功不了 应该还是时间那的问题

@dotedu
Copy link

dotedu commented Jan 9, 2018

也是没变化
目前还没找到服务器的验证规律

@dotedu
Copy link

dotedu commented Jan 9, 2018

也有可能是抓取session_id时候的UserAgent和模拟的不同,服务器也可能会验证这个。

@edison1105
Copy link

@dotedu 试过改成一致的UserAgent也不行,我就用新号是成功过一次100分,在改成200分的时候就不行了。

@hongdalu
Copy link

hongdalu commented Jan 9, 2018

@dotedu 改了UserAgent还是一样 还有我觉得应该在while (currentScore<= score);下面579行附近加一条score = currentScore;不然提交的分数很可能和生成的数据对不上

@hongdalu
Copy link

hongdalu commented Jan 9, 2018

@dotedu 游戏的源码有变化吗?

@dotedu
Copy link

dotedu commented Jan 9, 2018

本地程序没有升级,主要应该还是服务器端对提交的数据验证了

@dotedu
Copy link

dotedu commented Jan 9, 2018

@edison1105 我也是之前小号 提交成功一次后 就不能再提交了。。

@joyfun
Copy link

joyfun commented Jan 10, 2018

抓包了下 现在代码是 要steps timestamps了 {"score":144,"times":384,"game_data":"{\"seed\":1515605346816,\"action\":[[0.773,1.26,false],[0.749,1.29,false],[0.668,1.43,false],[0.923,0.92,false],[0.802,1.16,false],[0.471,1.84,false],[0.973,0.82,false],[0.466,1.84,false],[0.732,1.29,false],[0.477,1.8,false],[0.731,1.29,false],[0.464,1.84,false],[0.425,1.9,false],[0.649,1.46,false],[0.723,1.33,false],[0.563,1.63,false],[0.717,1.33,false],[0.599,1.56,false],[0.85,1.06,false],[0.852,1.06,false],[0.377,2,false],[0.781,1.19,false],[0.853,1.09,false],[0.598,1.56,false],[0.539,1.7,false],[0.75,1.26,false],[0.568,1.63,false],[0.549,1.67,false],[0.478,1.8,false],[0.357,2.04,false],[0.53,1.7,false],[0.549,1.67,false],[0.548,1.67,false],[0.834,1.09,false],[0.323,2.11,false],[0.512,1.73,false],[0.323,2.11,false],[0.577,1.6,false],[0.888,0.99,false],[0.75,1.26,false],[0.704,1.36,false],[0.427,1.9,false],[0.487,1.8,false],[0.633,1.5,false],[0.407,1.94,false],[0.669,1.43,false],[0.765,1.23,false],[0.732,1.29,false],[0.717,1.33,false],[0.7,1.36,false],[0.29,2.17,false]],\"musicList\":[false,false,false,false,false,true,false,false,false,false,false,false,false,false,false,false,false,false,false,false,true,false,false,false,false,true,false,false,false,false,false,false,false,false,false,false,false,false,false,false,true,false,false,false,false,false,false,false,false,false,true],\"touchList\":[[209.47272,574.7006],[224.79187,587.6939],[227.45605,588.69336],[233.78352,592.02496],[234.44958,594.0239],[226.79002,587.0276],[227.45605,591.35864],[230.12025,593.69073],[231.45235,593.69073],[229.78723,592.02496],[230.78632,591.35864],[232.78447,593.0245],[233.4505,592.02496],[231.45235,590.026],[233.4505,592.3581],[233.4505,591.69183],[231.78539,589.6929],[236.1147,585.36176],[235.78168,587.6939],[237.11378,586.0281],[234.44958,580.3644],[235.11565,582.6965],[232.45143,577.6991],[231.78539,578.0323],[232.78447,581.0307],[233.78352,581.697],[235.78168,585.36176],[235.78168,585.0286],[234.44958,582.0302],[235.44867,583.696],[235.44867,582.6965],[232.78447,579.3649],[233.78352,578.69855],[232.45143,576.03326],[230.78632,574.7006],[230.78632,574.03436],[234.11656,577.0328],[230.12025,576.36646],[230.4533,573.7012],[229.12117,576.03326],[202.47919,565.7054],[212.80296,576.03326],[210.80481,580.3644],[217.46532,587.0276],[218.4644,588.3602],[218.13136,593.0245],[223.45976,595.68976],[226.45699,593.69073],[229.78723,596.356],[227.12303,593.69073],[227.45605,595.68976]],\"steps\":[[209.47272,574.7006],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[]],\"timestamp\":[1515605347766,1515605349291,1515605350724,1515605352130,1515605353762,1515605358014,1515605359254,1515605361264,1515605362602,1515605364090,1515605365333,1515605366816,1515605368085,1515605369300,1515605370773,1515605372472,1515605373867,1515605375932,1515605377474,1515605379289,1515605383917,1515605385353,1515605387203,1515605388970,1515605390356,1515605394089,1515605395777,1515605397239,1515605398672,1515605400104,1515605401398,1515605402969,1515605404491,1515605405968,1515605407754,1515605408897,1515605410373,1515605411605,1515605413194,1515605415233,1515605425124,1515605427205,1515605431086,1515605432672,1515605434383,1515605435904,1515605437635,1515605439409,1515605441066,1515605442716,1515605447426],\"version\":2}"}

@lycwu
Copy link

lycwu commented Jan 13, 2018

增加了steps,不知道代表什么,数组长度并不固定。

@cuiyongjian
Copy link

求问楼主怎么找到aes算法部分?

@ComSept
Copy link

ComSept commented Jan 14, 2018

分析源代码,发现 t.actionList.push([t.duration, +t.bottle.obj.position.y.toFixed(2), t.quick] 中的 t.bottle.obj.position.y 来源于以下
this.obj.position.y -= o.BLOCK.reduction / 2 * o.BLOCK.height / 2 + .027
其中 o.BLOCK.reduction 为 0.005,o.BLOCK.height 为 5.5
@dotedu

@lycwu
Copy link

lycwu commented Jan 15, 2018

周一更新排行榜,代码更新之后60分以下随意改都成功,超过60分就改不成功了。

@zhengqqrt
Copy link

大神能不能解答一下这个原因呀
2018-01-15 12 37 07

@chucklqsun
Copy link

我已经放弃直接提交分数了,全自动跳就是时间久点,但是不会被封号。

@zhu106878723
Copy link

还能用吗? 谁有源码哦?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment