-
-
Save yangceng/0c2a76564c1afa4cd3a1e238300b311f to your computer and use it in GitHub Desktop.
var CryptoJS = require('crypto-js') | |
var request = require('request-promise') | |
/* | |
* npm install crypto-js request-promise | |
* node wx_hack.js | |
*/ | |
// export function testEncription(msg, fullKey) { | |
// var fullKey = fullKey.slice(0, 16) | |
// var key = CryptoJS.enc.Utf8.parse(fullKey) | |
// var iv = CryptoJS.enc.Utf8.parse(fullKey) | |
// var passWord = CryptoJS.AES.encrypt(msg, key, { iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.Pkcs7 }) | |
// var base64 = passWord.toString() | |
// console.log('passWord', passWord) | |
// console.log('sessionId', sessionId) | |
// console.log('key', key) | |
// console.log('base64', base64) | |
// var bytes = CryptoJS.AES.decrypt(base64, key, { | |
// iv: iv | |
// }); | |
// console.log('bytes', bytes) | |
// var plaintext = CryptoJS.enc.Utf8.stringify(bytes); | |
// console.log('plaintext', plaintext) | |
// } | |
function encrypt (text, originKey) { | |
var originKey = originKey.slice(0, 16), | |
key = CryptoJS.enc.Utf8.parse(originKey), | |
iv = CryptoJS.enc.Utf8.parse(originKey), | |
msg = JSON.stringify(text) | |
var ciphertext = CryptoJS.AES.encrypt(msg, key, { | |
iv: iv, | |
mode: CryptoJS.mode.CBC, | |
padding: CryptoJS.pad.Pkcs7 | |
}); | |
return ciphertext.toString() | |
} | |
function decrypt (text, originKey) { | |
var originKey = originKey.slice(0, 16), | |
key = CryptoJS.enc.Utf8.parse(originKey), | |
iv = CryptoJS.enc.Utf8.parse(originKey) | |
var bytes = CryptoJS.AES.decrypt(text, key, { | |
iv: iv | |
}) | |
var plaintext = CryptoJS.enc.Utf8.stringify(bytes) | |
return plaintext | |
} | |
function extend (target) { | |
var sources = [].slice.call(arguments, 1) | |
sources.forEach(function (source) { | |
for (var prop in source) { | |
target[prop] = source[prop] | |
} | |
}) | |
return target | |
} | |
var version = 5, | |
// score = Math.round(10000+Math.random()*2000), | |
score = 13142, | |
// replace with your session_id here | |
session_id = 'xxxx' | |
var headers = { | |
'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_1 like Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C153 MicroMessenger/6.6.1 NetType/WIFI Language/zh_CN', | |
'Referer': 'https://servicewechat.com/wx7c8d593b2c3a7703/' + version + '/page-frame.html', | |
'Content-Type': 'application/json', | |
'Accept-Language': 'zh-cn', | |
'Accept': '*/*' | |
} | |
var base_req = { | |
'base_req': { | |
'session_id': session_id, | |
'fast': 1 | |
} | |
} | |
var base_site = 'https://mp.weixin.qq.com/wxagame/' | |
var path = 'wxagame_getuserinfo' | |
request({ | |
method: 'POST', | |
url: base_site + path, | |
headers: headers, | |
json: true, | |
body: base_req | |
}).then(function (response) { | |
// console.log(path, response) | |
}) | |
path = 'wxagame_getfriendsscore' | |
request({ | |
method: 'POST', | |
url: base_site + path, | |
headers: headers, | |
json: true, | |
body: base_req | |
}).then(function (response) { | |
// console.log(response.my_user_info) | |
var times = response.my_user_info.times + 1 | |
path = 'wxagame_init' | |
request({ | |
method: 'POST', | |
url: base_site + path, | |
headers: headers, | |
json: true, | |
body: extend({}, {version: 9}, base_req) | |
}).then(function (response) { | |
// console.log(path, response) | |
var action = [], | |
musicList = [], | |
touchList = [] | |
for (var i = 0; i < score; i++) { | |
action.push([0.752, 1.32, false]) | |
musicList.push(false) | |
touchList.push([Math.round(100+Math.random()*200), Math.round(300+Math.random()*200)]) | |
} | |
var data = { | |
score: score, | |
times: times, | |
game_data: JSON.stringify({ | |
seed: Date.now(), | |
action: action, | |
musicList: musicList, | |
touchList: touchList, | |
version: 1 | |
}) | |
} | |
path = 'wxagame_settlement' | |
request({ | |
method: 'POST', | |
url: base_site + path, | |
headers: headers, | |
json: true, | |
body: extend({}, {action_data: encrypt(data, session_id)}, base_req) | |
}).then(function (response) { | |
// console.log(path, response) | |
console.log('2018! Happy new year! 🎉') | |
}).catch(function (error) { | |
console.log(error) | |
}) | |
}) | |
}).catch(function (error) { | |
console.log('something crash') | |
}) |
没有108阿
score改为其他值,就会失效?
不会,score随意改
刚刚试了一下 score低于1w,就失效了
version 改 9
把 var times = response.my_user_info.times + 1 改成 var times = response.ts + 1
可以执行
2018年1月3日22:55:41
分数大于1W成功 23:27
版本改为9,分数12018。
把 var times = response.my_user_info.times + 1 改成 var times = response.ts + 1
可以执行。
2018-01-04-00.03可行。
2018年01月04日10:47:54 19999分 亲测可用 分数没测1W以内的
改动记录
- version = 9 (66 行)
- score = 100000
- var times = response.my_user_info.times + 1 改成 var times = response.ts + 1
可以执行 :)
2018-01-04 12:29:45
我用楼主的代码只能改成功一次啊,之后再改就不行了,不知道是什么原因?
@EnderZhou
分数不能改小
@JonyFang 是代码中所有的version都要改为9吗
@jujueyouhuo 我没有改小,我最开始改成234。然后想继续往高了改就没反应了。我用session_id在别人的网站上改倒是成功了。
显示2018! Happy new year! ,但是分数没变
不行的啊,108了
截止到目前,没有成功过
@greatemoon 只修改了 Post API 的 version (66 行
显示2018! Happy new year! ,但是分数没变
可以执行,修改分数为 2018
修改时间 2018-01-04 15:37
@wubianxiaoxian 你改成功了?我为啥报错 base_resp: { errcode: 108 }
sec_id不是一直在变吗?(重启微信就变一次)怎么成功的??
下午朋友反馈,我的12018他已经看不见了。只有自己微信上能看见。2018-01-04
格式不对,是base64的格式,类似于
9bRHE9JJxANVvjXUpdv+g0MXUN+kl2QGUujOwxNsY9RVHeFPsnv7DZGgvbS97qd/T+YLPA13uOhUCiR91HXzFtp8/0sCnFwqFeaIt9rjhM27PkzMiJ12Da5i42cH7kxcBbZSG4SocOwD7UbBGdWQgw==