Hooking WeChat Mini Program Search on Android

Category: Android
Tags: Reverse engineering - Java; Development - Hook/Patch - Java
Priority: High
Status: Monitoring
Start date: Dec 8, 2023
Last updated: Dec 9, 2023
Public

Key logic

  • Searching for any of these keywords leads to the target logic:
    • Constructors:
    • /mmwebsearch
 

Business logic

  • WeChat's mini-program search used to be a plain HTTP interface; it was later moved inside the CGI protocol, so it can no longer be called directly.
 

Approach

  • Mini-program search has several entry points: the UI entry (the search button on mobile) and the in-app web page entry (desktop).
  • The UI entry goes through the standard CGI, while the web page entry is wrapped in an extra H5ExtTransfer layer.
  • We should hook directly where the CGI request is issued, read the request logic, and build the CGI packet by hand to send it; this is the simplest way to implement search.

Reverse engineering

Tracing the code execution flow

Start from the request class: hook its constructor and the request method doScene.
notion image
notion image
Cross-references show where this class is called; because there is a Runnable layer in between, the class's constructor has to be hooked before the call chain can be traced further up.
```javascript
Java.performNow(function () {
    var threadef = Java.use('java.lang.Thread')
    var threadinstance = threadef.$new()

    // Render a Java stack trace as one string, one frame per line
    function Where(stack) {
        var at = ""
        for (var i = 0; i < stack.length; ++i) {
            at += stack[i].toString() + "\n"
        }
        return at
    }

    // Obfuscated name of the search request class in this WeChat build
    var NetSceneWebSearch = Java.use("ys3.x0");
    NetSceneWebSearch.$init.implementation = function (arg1) {
        // Log who constructed the request and with which parameters
        var stack = threadinstance.currentThread().getStackTrace()
        var full_call_stack = Where(stack)
        send("NetSceneWebSearch() called, Full call stack:" + full_call_stack)
        send("Bundle " + arg1)
        return this.$init(arg1);
    };
})
```
notion image
 
In FTSWebSearchLogic, k1.d() is called to obtain the global NetSceneQueue singleton service, and the NetScene object is then submitted to NetSceneQueue.
notion image
Because SearchQueue enqueues every request and then dispatches the results back through a complex dispatch flow, it is hard for us to call it effectively, so we go straight to the place where the call is actually executed.
notion image
As can be seen, once we hold q0 we can call doScene; q0 is the d field of NetSceneQueue.
 

Obtaining the NetSceneWebSearch parameters

The parameters are supplied through ys3.s0 and consist of a large number of fields, which cannot be inspected usefully in Frida. In Xposed, converting the object to JSON with a JSON library such as Jackson makes it readable; comparing the output shows which parameters need to be filled in.
Cross-references also show that NetSceneWebSearch is referenced from the Lite JSAPI, which contains logic that converts JSON into search parameters; that logic can be used to recover the name of each field.
notion image
 
Finally, the raw Xposed log:
```
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: SearchLogicExecutor Stack trace:
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: java.lang.Throwable
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: at moe.misty.wechat_android_app_search.WechatSearchHook$3.beforeHookedMethod(WechatSearchHook.java:186)
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: at T.o.QxrjJLwkHJg.UNg.jk.XposedBridge$LegacyApiSupport.handleBefore(Unknown Source:24)
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: at J.callback(Unknown Source:179)
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: at LSPHooker_.constructor(Unknown Source:14)
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: at com.tencent.mm.plugin.websearch.w.a(Unknown Source:10)
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: at com.tencent.mm.plugin.websearch.q.run(Unknown Source:10)
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: at com.tencent.mm.plugin.websearch.t0.run(Unknown Source:78)
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: at ci4.o.dispatchMessage(Unknown Source:10)
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: at com.tencent.mm.sdk.platformtools.j3.dispatchMessage(Unknown Source:9)
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: at ci4.e.dispatchMessage(Unknown Source:2)
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: at ci4.n.run(Unknown Source:89)
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:463)
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: at java.util.concurrent.FutureTask.run(FutureTask.java:264)
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: at bi4.k.run(Unknown Source:264)
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: at ci4.v.run(Unknown Source:8)
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: at vh4.c.run(Unknown Source:2)
12-09 04:23:46.778 27625 27653 I moe.misty.wechat_android_app_search.WechatSearchHook: at java.lang.Thread.run(Thread.java:1012)
12-09 04:23:46.787 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: NetSceneWebSearch default: {"A":0,"B":"","C":"","D":false,"E":"","F":null,"G":0,"a":0,"b":null,"c":0,"d":0,"e":[],"f":0,"g":null,"h":0,"i":null,"j":null,"k":0,"l":[],"m":0,"n":null,"o":[],"p":[],"q":0,"r":null,"s":0,"t":null,"u":null,"v":null,"w":null,"x":null,"y":null,"z":null}
12-09 04:23:46.790 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: NetSceneWebSearch init: {"A":0,"B":"","C":"","D":false,"E":"","F":null,"G":0,"a":0,"b":"lala","c":0,"d":262208,"e":[],"f":14,"g":"","h":1,"i":"","j":"","k":0,"l":[],"m":0,"n":{"includeUnKnownField":false,"d":0,"e":"","f":"","data":null},"o":[{"includeUnKnownField":false,"d":"netType","e":0,"f":"wifi","data":null},{"includeUnKnownField":false,"d":"subType","e":0,"f":"","data":null},{"includeUnKnownField":false,"d":"AdPassThroughInfo","e":0,"f":"Mozilla/5.0 (Linux; Android 13; Pixel 5 Build/TQ3A.230705.001.B4; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/119.0.6045.193 Mobile Safari/537.36 MMWEBID/597 MicroMessenger/8.0.44.2502(0x28002C36) WeChat/arm64 Weixin Android Tablet NetType/WIFI Language/zh_CN ABI/arm64","data":null},{"includeUnKnownField":false,"d":"AdCommonDeviceId","e":0,"f":"{\"uaBuildInfo\":{\"build_version_release\":\"13\",\"build_model\":\"Pixel 5\",\"build_version_codename\":\"REL\",\"build_id\":\"TQ3A.230705.001.B4\",\"sw_size\":1,\"build_manufacturer\":\"Google\",\"build_release_or_codename\":\"13\",\"chrome_version\":\"119.0.6045.193\"},\"sysUa\":\"Dalvik/2.1.0 (Linux; U; Android 13; Pixel 5 Build/TQ3A.230705.001.B4)\",\"idfa\":\"\",\"oaid\":\"\",\"imei\":\"\"}","data":null},{"includeUnKnownField":false,"d":"TemplateNightModeType","e":0,"f":"","data":null},{"includeUnKnownField":false,"d":"currentPage","e":1,"f":"","data":null},{"includeUnKnownField":false,"d":"requestId","e":0,"f":"1702067015178","data":null},{"includeUnKnownField":false,"d":"cookies","e":0,"f":"","data":null},{"includeUnKnownField":false,"d":"widgetVersion","e":1023022,"f":"","data":null},{"includeUnKnownField":false,"d":"windowWidth","e":575,"f":"","data":null},{"includeUnKnownField":false,"d":"showNewLifeSwitch","e":0,"f":"0","data":null},{"includeUnKnownField":false,"d":"parentSearchID","e":0,"f":"62:1973466217159214816:lala:170206701551380647:%7B%22clickId%22%3A%221973466217159214816-1702067026750-1666177925%22%7D","data":null}],"p":[],"q":27821547,"r":"zh_CN","s":0,"t":null,"u":null,"v":"-7262430398236275261","w":"14_4129213794_1702067015178","x":"","y":"1702067015178","z":null}
12-09 04:23:46.790 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: NetSceneWebSearch Stack trace:
12-09 04:23:46.790 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: java.lang.Throwable
12-09 04:23:46.790 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: at moe.misty.wechat_android_app_search.WechatSearchHook$1.beforeHookedMethod(WechatSearchHook.java:145)
12-09 04:23:46.790 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: at T.o.QxrjJLwkHJg.UNg.jk.XposedBridge$LegacyApiSupport.handleBefore(Unknown Source:24)
12-09 04:23:46.790 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: at J.callback(Unknown Source:179)
12-09 04:23:46.790 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: at LSPHooker_.constructor(Unknown Source:11)
12-09 04:23:46.790 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: at com.tencent.mm.plugin.websearch.v.run(Unknown Source:637)
12-09 04:23:46.790 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
12-09 04:23:46.790 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
12-09 04:23:46.790 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: at java.lang.Thread.run(Thread.java:1012)
12-09 04:23:46.798 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: NetSceneWebSearch doScene Stack trace:
12-09 04:23:46.798 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: java.lang.Throwable
12-09 04:23:46.798 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at moe.misty.wechat_android_app_search.WechatSearchHook$2.beforeHookedMethod(WechatSearchHook.java:171)
12-09 04:23:46.798 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at T.o.QxrjJLwkHJg.UNg.jk.XposedBridge$LegacyApiSupport.handleBefore(Unknown Source:24)
12-09 04:23:46.798 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at J.callback(Unknown Source:179)
12-09 04:23:46.798 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at LSPHooker_.doScene(Unknown Source:14)
12-09 04:23:46.798 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at com.tencent.mm.modelbase.y1.run(Unknown Source:28)
12-09 04:23:46.798 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at android.os.Handler.handleCallback(Handler.java:942)
12-09 04:23:46.798 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at android.os.Handler.dispatchMessage(Handler.java:99)
12-09 04:23:46.798 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at com.tencent.mm.sdk.platformtools.i3.dispatchMessage(Unknown Source:33)
12-09 04:23:46.798 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at android.os.Looper.loopOnce(Looper.java:201)
12-09 04:23:46.798 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at android.os.Looper.loop(Looper.java:288)
12-09 04:23:46.798 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at android.os.HandlerThread.run(HandlerThread.java:67)
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: SearchLogicExecutor Stack trace:
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: java.lang.Throwable
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: at moe.misty.wechat_android_app_search.WechatSearchHook$3.beforeHookedMethod(WechatSearchHook.java:186)
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: at T.o.QxrjJLwkHJg.UNg.jk.XposedBridge$LegacyApiSupport.handleBefore(Unknown Source:24)
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: at J.callback(Unknown Source:179)
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: at LSPHooker_.constructor(Unknown Source:14)
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: at com.tencent.mm.plugin.websearch.w.a(Unknown Source:10)
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: at com.tencent.mm.plugin.websearch.q.run(Unknown Source:10)
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: at com.tencent.mm.plugin.websearch.t0.run(Unknown Source:78)
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: at ci4.o.dispatchMessage(Unknown Source:10)
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: at com.tencent.mm.sdk.platformtools.j3.dispatchMessage(Unknown Source:9)
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: at ci4.e.dispatchMessage(Unknown Source:2)
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: at ci4.n.run(Unknown Source:89)
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:463)
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: at java.util.concurrent.FutureTask.run(FutureTask.java:264)
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: at bi4.k.run(Unknown Source:264)
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: at ci4.v.run(Unknown Source:8)
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: at vh4.c.run(Unknown Source:2)
12-09 04:23:52.580 27625 27664 I moe.misty.wechat_android_app_search.WechatSearchHook: at java.lang.Thread.run(Thread.java:1012)
12-09 04:23:52.586 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: NetSceneWebSearch default: {"A":0,"B":"","C":"","D":false,"E":"","F":null,"G":0,"a":0,"b":null,"c":0,"d":0,"e":[],"f":0,"g":null,"h":0,"i":null,"j":null,"k":0,"l":[],"m":0,"n":null,"o":[],"p":[],"q":0,"r":null,"s":0,"t":null,"u":null,"v":null,"w":null,"x":null,"y":null,"z":null}
12-09 04:23:52.589 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: NetSceneWebSearch init: {"A":0,"B":"","C":"","D":false,"E":"","F":null,"G":0,"a":0,"b":"lala","c":20,"d":262208,"e":[],"f":14,"g":"15843516513229630641","h":1,"i":"","j":"","k":0,"l":[],"m":0,"n":{"includeUnKnownField":false,"d":0,"e":"","f":"","data":null},"o":[{"includeUnKnownField":false,"d":"netType","e":0,"f":"wifi","data":null},{"includeUnKnownField":false,"d":"subType","e":0,"f":"","data":null},{"includeUnKnownField":false,"d":"AdPassThroughInfo","e":0,"f":"Mozilla/5.0 (Linux; Android 13; Pixel 5 Build/TQ3A.230705.001.B4; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/119.0.6045.193 Mobile Safari/537.36 MMWEBID/597 MicroMessenger/8.0.44.2502(0x28002C36) WeChat/arm64 Weixin Android Tablet NetType/WIFI Language/zh_CN ABI/arm64","data":null},{"includeUnKnownField":false,"d":"AdCommonDeviceId","e":0,"f":"{\"uaBuildInfo\":{\"build_version_release\":\"13\",\"build_model\":\"Pixel 5\",\"build_version_codename\":\"REL\",\"build_id\":\"TQ3A.230705.001.B4\",\"sw_size\":1,\"build_manufacturer\":\"Google\",\"build_release_or_codename\":\"13\",\"chrome_version\":\"119.0.6045.193\"},\"sysUa\":\"Dalvik/2.1.0 (Linux; U; Android 13; Pixel 5 Build/TQ3A.230705.001.B4)\",\"idfa\":\"\",\"oaid\":\"\",\"imei\":\"\"}","data":null},{"includeUnKnownField":false,"d":"TemplateNightModeType","e":0,"f":"","data":null},{"includeUnKnownField":false,"d":"currentPage","e":2,"f":"","data":null},{"includeUnKnownField":false,"d":"requestId","e":0,"f":"b7c7bd6e-5135-4691-9907-dd0c41d8ef09","data":null},{"includeUnKnownField":false,"d":"cookies","e":0,"f":"{\"box_offset\":0,\"businessType\":64,\"cookies_buffer\":\"UhgIDhABGMCAECIEbGFsYVABggEFEACiAQA=\",\"doc_offset\":0,\"dup_bf\":\"\",\"isHomepage\":0,\"page_cnt\":1,\"query\":\"lala\",\"scene\":14}\n","data":null},{"includeUnKnownField":false,"d":"widgetVersion","e":1023022,"f":"","data":null},{"includeUnKnownField":false,"d":"windowWidth","e":575,"f":"","data":null},{"includeUnKnownField":false,"d":"showNewLifeSwitch","e":0,"f":"0","data":null},{"includeUnKnownField":false,"d":"parentSearchID","e":0,"f":"62:1973466217159214816:lala:170206701551380647:%7B%22clickId%22%3A%221973466217159214816-1702067026750-1666177925%22%7D","data":null}],"p":[],"q":27821547,"r":"zh_CN","s":0,"t":null,"u":null,"v":"-7262430398236275261","w":"14_4129213794_1702067015178","x":"","y":"b7c7bd6e-5135-4691-9907-dd0c41d8ef09","z":null}
12-09 04:23:52.590 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: NetSceneWebSearch Stack trace:
12-09 04:23:52.590 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: java.lang.Throwable
12-09 04:23:52.590 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: at moe.misty.wechat_android_app_search.WechatSearchHook$1.beforeHookedMethod(WechatSearchHook.java:145)
12-09 04:23:52.590 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: at T.o.QxrjJLwkHJg.UNg.jk.XposedBridge$LegacyApiSupport.handleBefore(Unknown Source:24)
12-09 04:23:52.590 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: at J.callback(Unknown Source:179)
12-09 04:23:52.590 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: at LSPHooker_.constructor(Unknown Source:11)
12-09 04:23:52.590 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: at com.tencent.mm.plugin.websearch.v.run(Unknown Source:637)
12-09 04:23:52.590 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
12-09 04:23:52.590 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
12-09 04:23:52.590 27625 30089 I moe.misty.wechat_android_app_search.WechatSearchHook: at java.lang.Thread.run(Thread.java:1012)
12-09 04:23:52.629 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: NetSceneWebSearch doScene Stack trace:
12-09 04:23:52.629 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: java.lang.Throwable
12-09 04:23:52.629 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at moe.misty.wechat_android_app_search.WechatSearchHook$2.beforeHookedMethod(WechatSearchHook.java:171)
12-09 04:23:52.629 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at T.o.QxrjJLwkHJg.UNg.jk.XposedBridge$LegacyApiSupport.handleBefore(Unknown Source:24)
12-09 04:23:52.629 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at J.callback(Unknown Source:179)
12-09 04:23:52.629 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at LSPHooker_.doScene(Unknown Source:14)
12-09 04:23:52.629 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at com.tencent.mm.modelbase.y1.run(Unknown Source:28)
12-09 04:23:52.629 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at android.os.Handler.handleCallback(Handler.java:942)
12-09 04:23:52.629 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at android.os.Handler.dispatchMessage(Handler.java:99)
12-09 04:23:52.629 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at com.tencent.mm.sdk.platformtools.i3.dispatchMessage(Unknown Source:33)
12-09 04:23:52.629 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at android.os.Looper.loopOnce(Looper.java:201)
12-09 04:23:52.629 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at android.os.Looper.loop(Looper.java:288)
12-09 04:23:52.629 27625 27676 I moe.misty.wechat_android_app_search.WechatSearchHook: at android.os.HandlerThread.run(HandlerThread.java:67)
```
 

Handling pagination

Based on the Xposed output above, comparing the two requests shows that the differences are cookies, searchID, pageNum and offset; all four can be found in the response JSON, and filling them in gives correct pagination.
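As an added example (not part of the original notes), the comparison described above can be automated with a small structural diff in plain JavaScript. The two inputs are trimmed copies of the two "NetSceneWebSearch init" objects from the Xposed log above; the obfuscated single-letter keys are kept as logged. Reading c as offset and g as searchID is my interpretation of the log, not something the notes state explicitly.

```javascript
// Added example: find the fields that change between page 1 and page 2 of
// the same query by diffing two logged NetSceneWebSearch request objects.

// Entries of the "o" list look like {d: name, e: int, f: string}; keying
// them by "d" lets the two requests be compared entry by entry instead of
// positionally, so a reordered list does not produce spurious differences.
function keyNamedEntries(list) {
  const out = {};
  for (const entry of list) out[entry.d] = { e: entry.e, f: entry.f };
  return out;
}

// Recursive structural diff over plain objects. Leaves (including arrays)
// are compared by their JSON form. Returns a list of {path, before, after}.
function diffObjects(a, b, path = "", out = []) {
  const keys = new Set([...Object.keys(a || {}), ...Object.keys(b || {})]);
  for (const k of keys) {
    const p = path ? `${path}.${k}` : k;
    const va = a ? a[k] : undefined;
    const vb = b ? b[k] : undefined;
    const bothObjects = va !== null && vb !== null &&
      typeof va === "object" && typeof vb === "object" &&
      !Array.isArray(va) && !Array.isArray(vb);
    if (bothObjects) {
      diffObjects(va, vb, p, out);
    } else if (JSON.stringify(va) !== JSON.stringify(vb)) {
      out.push({ path: p, before: va, after: vb });
    }
  }
  return out;
}

// Normalise a logged request so its "o" list is keyed by entry name.
function normalizeRequest(req) {
  return { ...req, o: keyNamedEntries(req.o) };
}

// Page 1 request: trimmed copy of the first "init" object in the log above.
const page1 = {
  b: "lala", c: 0, d: 262208, f: 14, g: "", h: 1,
  o: [
    { d: "netType", e: 0, f: "wifi" },
    { d: "currentPage", e: 1, f: "" },
    { d: "requestId", e: 0, f: "1702067015178" },
    { d: "cookies", e: 0, f: "" },
    { d: "widgetVersion", e: 1023022, f: "" },
  ],
  r: "zh_CN", w: "14_4129213794_1702067015178", y: "1702067015178",
};

// Page 2 request: trimmed copy of the second "init" object in the log above.
const page2 = {
  b: "lala", c: 20, d: 262208, f: 14, g: "15843516513229630641", h: 1,
  o: [
    { d: "netType", e: 0, f: "wifi" },
    { d: "currentPage", e: 2, f: "" },
    { d: "requestId", e: 0, f: "b7c7bd6e-5135-4691-9907-dd0c41d8ef09" },
    { d: "cookies", e: 0, f: '{"box_offset":0,"businessType":64,"cookies_buffer":"UhgIDhABGMCAECIEbGFsYVABggEFEACiAQA=","doc_offset":0,"dup_bf":"","isHomepage":0,"page_cnt":1,"query":"lala","scene":14}\n' },
    { d: "widgetVersion", e: 1023022, f: "" },
  ],
  r: "zh_CN", w: "14_4129213794_1702067015178", y: "b7c7bd6e-5135-4691-9907-dd0c41d8ef09",
};

// Paths of all fields that differ between two logged requests.
function changedPaths(reqA, reqB) {
  return diffObjects(normalizeRequest(reqA), normalizeRequest(reqB)).map(d => d.path);
}

// Interpretation (mine, not from the notes): c looks like the offset (0 -> 20),
// g like the searchID, o.currentPage.e is pageNum, o.cookies.f is cookies;
// o.requestId.f and y are per-request ids that change on every call.
console.log(changedPaths(page1, page2));
```

Running the block prints the changed paths; everything outside that list (query, scene, device info, parentSearchID) can be copied unchanged from the first request when building the next page.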
 

Exporting for use

Simply write an HTTP server that accepts calls.
 

Wrong path: starting from the PC client

The PC client's overall logic, and even its function names, match the Android client, but the PC-side data structures are opaque and extremely hard to recover.
This is the Frida test script.
```javascript
var wechatwin = Module.getBaseAddress("WeChatWin.dll")

// Hook cgi number
// Interceptor.attach(wechatwin.add(0x1148610), {
//     onEnter(args) {
//         var mm = new ModuleMap()
//         var backtraces = Thread.backtrace(this.context).map((addr) => {
//             const mod = mm.find(addr)
//             return `${mod.name}!func_${addr.sub(mod.base)}`
//         }).join('\n')
//         // send(backtraces)
//     },
//     onLeave(retval) {
//         send(retval)
//     }
// })
// Interceptor.attach()

// Read a wide-string object laid out as {buffer pointer @0, length @8, capacity @12}.
// The original returned `buf.readUtf16String(), len, size`, which in JS evaluates
// to only `size`; return all three fields instead.
function readWString(s) {
    var buf = s.readPointer()
    var len = s.add(8).readU32()
    var size = s.add(12).readU32()
    return { text: buf.readUtf16String(len), len: len, size: size }
}

Interceptor.attach(wechatwin.add(0x1A5B4F0), {
    onEnter(args) {
        send(readWString(args[1]))
        send(readWString(args[2]))
        send(args[3])
        send(args[4])
    },
    onLeave(retval) {
        send(retval)
    }
})

// Interceptor.attach(wechatwin.add(0x1A5B8C0), {
//     onEnter(args) {
//         // var mm = new ModuleMap()
//         // var backtraces = Thread.backtrace(this.context).map((addr) => {
//         //     const mod = mm.find(addr)
//         //     return `${mod.name}!func_${addr.sub(mod.base)}`
//         // }).join('\n')
//         // send(backtraces)
//     },
//     onLeave(retval) {
//         send(retval)
//     }
// })

Interceptor.attach(wechatwin.add(0x1A5C641), {
    onEnter(args) {
        // send(hexdump(args[1], {
        //     ansi: true,
        //     length: args[2].toInt32(),
        // }))
    },
    // onLeave(retval) {
    //     send(retval)
    // }
})

var Search2Mgr_getInstance = new NativeFunction(wechatwin.add(0x9A70D0), 'pointer', [])
send(Search2Mgr_getInstance())

var Search2Mgr__SendSerachLocalpage = new NativeFunction(wechatwin.add(0x1A521B0), 'pointer', ['pointer', 'pointer', 'pointer', 'pointer', 'pointer'])
// Each argument is a pointer to a pointer to a NUL-terminated UTF-16 string
var p1 = Memory.alloc(Process.pointerSize)
p1.writePointer(Memory.allocUtf16String("a11221\u0000"))
var p2 = Memory.alloc(Process.pointerSize)
p2.writePointer(Memory.allocUtf16String("\u0000"))
// Search2Mgr__SendSerachLocalpage(Search2Mgr_getInstance(), p1, p2, new NativePointer(0), new NativePointer(0))
```