Reverse Engineering a WeChat Mini Program Software
0x01
Because I recently needed to decompile a WeChat mini program, I used a tool that I found to be quite good. However, after a few days, a payment requirement popped up, which seemed fairly simple to verify. I decided to try cracking it.
After running the program, there was a window on the main program. I don't understand reverse engineering very well, but based on my limited knowledge, I thought maybe I could push this window away.
0x02
I saw the pdb and DLL files in the folder and guessed that it was probably written in C#. I looked up the shell.
I threw it into dnSpy to take a look.
This source code and interface are obviously obfuscated. It feels very similar to .NET Reactor's shell. I'll try to unpack it.
Using a commonly available .NET Reactor unpacking solution from the internet, I was able to successfully unpack it and then reload the main program to take a look.
Now the code looks normal.
At first, I couldn't find the updated code in the main program, but later I found it in Common.dll (also obfuscated, so it needs to be unpacked).
I set a breakpoint and ran the code to see where it would break when exiting.
I found that it uploads a lot of data to the server, including BIOS USER network card ID, motherboard number, CPU model, and other information. I guess it's used for confirming the payment status after payment.
If the payment page is opened, the variable becomes true. If it is exited directly, it becomes false. I'll search for this method to see the corresponding code.
The program update is also in this section of code, and the logic is quite simple.
A code flag is used for judging. If the code is -45, it opens the sponsorship window. If it is 0, it proceeds to the next step.
So the cracking approach is quite simple. I just need to nop out all the judgments in this section, and then fill in a 0 at the end to keep the original code intact and pass the verification logic.
Done.