Processing ideas for decrypting WeChat applet packages on PC in node.js

It was originally posted on Nuggets, so I moved it here.

WeChat mini programs are stored in encrypted form on the PC. If you open them directly, you will not see any useful information. They need to be decrypted before you can see the specific contents of the package. This article uses nodejs to implement the decryption algorithm, which mainly involves the use of three packages: crypto, commander, and chalk.

Where is the source code of the applet?

Mini-programs opened on the PC will be cached to the default save location of local WeChat files. You can view them through WeChat PC => More => Settings:

Enter the /WeChat Files/WeChat Files/Applet folder in the default save location, and you can see a series of files with the prefix wx (the file name is actually the appid of the mini-program). These are the mini-programs we have opened:

Entering the folder of one of the mini-programs, we can see a folder named with a string of numbers. Click into this folder, and you will see a __APP__.wxapkg file, which is the code corresponding to the applet:

However, when we opened the file, we found this:

WTF can be seen from this 🔨. Obviously, this file is encrypted and needs to be decrypted to see what we want to see.

How are PC mini programs encrypted?

Here is a reference to the PC-side wxapkg decryption code written in Go language by a big guy. To put it in order, the encryption process is as follows:

First, the plaintext code is split into two at the 1024th byte. The first half is encrypted using AES in CBC mode, and the second half is directly XORed. Finally, concatenate the two encrypted sections and write a fixed string at the front: "V1MMWX".

Therefore, when we open the __APP__.wxapkg file, what we see is the encrypted code. If we want to restore it, we need to push it back step by step from the back to the front.

Decryption ideas

Preprocessing

We use node.js to write a decoding program. According to the encryption process above, we first read the encrypted file and remove the fixed string of the first 6 bytes. Since the number of bits before and after AES encryption and XOR is the same, we can get the encrypted 1024-byte header and the encrypted tail:

const fs = require('fs').promises;
...
 
const buf = await fs.readFile(pkgsrc); // Read the original Buffer
const bufHead = buf.slice(6, 1024 + 6);
const bufTail = buf.slice(1024 + 6);

Encrypted header

In order to get this 1024 bytes of plaintext, we need to know the initial vector iv of AES encryption and a 32-bit key. Knowing that the 16-byte initial vector iv is the string: "the iv: 16 bytes", we next need to calculate the 32-bit key derived by the pbkdf2 algorithm.

pbkdf2 (Password-Based Key Derivation Function) is a function used to generate a key. It uses a pseudo-random function, takes the original password and salt as input, and obtains the key through continuous iteration. In the crypto library, the pbkdf2 function looks like this:

const crypto = require('crypto');
...
 
crypto.pbkdf2(password, salt, iterations, keylen, digest, callback)

The parameters are: original password, salt value, number of iterations, key length, hash algorithm, and callback function. It is known that the salt is "saltiest", the original password is the id of the WeChat applet (that is, the folder name starting with wx), the number of iterations is 1000, and the hash algorithm is sha1. Therefore, we can write the code to calculate the key:

crypto.pbkdf2(wxid, salt, 1000, 32, 'sha1', (err, dk) => {
    if (err) {
        // mistake}
    // dk is the calculated key})

After we have the key and the initial vector iv, we can start decrypting the ciphertext. The AES encryption algorithm is an asymmetric encryption algorithm. Its key is divided into a public key and a private key known only to the user. Anyone can use the public key to encrypt, but only the person holding the private key can decrypt the plaintext.

The encryption algorithm used by the applet is AES in CBC (Cipher Block Chaining) mode. That is, when encrypting, it first divides the plaintext into blocks, then XORs each block with the encrypted ciphertext of the previous block, and then uses the public key to encrypt it to obtain the ciphertext of each block. For the first block of plaintext, since it does not exist in the previous block of plaintext, it will be XORed with the initial vector iv and then encrypted with the public key. When implementing, we only need to call the decryption function provided by crypto.

We know that AES algorithms include AES128, AES192 and AES256 according to different key lengths. Looking back, our key is 32 bytes, or 256 bits, so obviously we should use AES256. In summary, we can write the decryption code:

const decipher = crypto.createDecipheriv('aes-256-cbc', dk, iv);
const originalHead = Buffer.alloc(1024, decipher.update(bufHead));

Among them, originalHead is the first 1024 bytes of plaintext we want. We can print it out and see:

Hmm... that's a bit interesting.

Encrypted tail part

This part is easy. Since the XOR operation is reflexive, we only need to simply determine the number of digits in the applet id to obtain the XOR xorKey, and then XOR it with the ciphertext to get the original text:

const xorKey = wxid.length < 2 ? 0x66 : wxid.charCodeAt(wxid.length - 2);
const tail = [];
for(let i = 0; i < bufTail.length; ++i){
    tail.push(xorKey ^ bufTail[i]);
}
const originalTail = Buffer.from(tail);

Concatenate the plaintext in the header part with the plaintext in the tail part, and then write them into the file in binary form to get the final plaintext.

Be more beautiful

Based on the above description, we can encapsulate our entire decryption process into a black box:

commander

We can use the commander library to allow the program to read the applet's id and ciphertext package directly from the command line. Commander is a nodejs command line interface solution that allows you to easily define your own cli commands. For example, for the following code:

const program = require('commander');
...
program
    .command('decry <wxid> <src> [dst]')
    .description('Decoding PC WeChat applet package')
    .action((wxid, src, dst) => {
        wxmd(wxid, src, dst);
    })
 
program.version('1.0.0')
    .usage("decry <wxid> <src> [dst]")
    .parse(process.argv);

I defined a command "decry <wxid> <src> [dst]", where angle brackets represent required parameters and square brackets represent optional parameters. Description contains the description text about this command, and action is to execute this command. After using node to execute the code in the console, you can see the following interface:

Then we can enter the parameters for decryption according to the prompts. The Chinese documentation of commander.js is here.

chalk

To add a touch of color to our console, we can use chalk.js to beautify the output. The basic usage of chalk is also relatively simple:

const chalk = require('chalk');
...
 
console.log(chalk.green('green'))

In this way, we can add a touch of green to the black and white console and realize the panda's dream:

In addition, we can also use es6 string tag templates to use chalk more conveniently. Please refer to the chalk official documentation for details.

source code

The code has been published to github and gitee, you can refer to it~

Click here for github and here for gitee

This is the end of this article about the decryption of the WeChat applet package on the PC in node.js. For more relevant nodejs WeChat applet decryption content, please search for previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope everyone will support 123WORDPRESS.COM in the future!