逆向某微信小程序参数签名算法

获取微信小程序压缩包

某小程序请求中有sign参数，包含在url或header中.....

打开微信小程序时，微信会把小程序压缩包（后缀名.wxapkg）下载到本地；

从目录

/data/data/com.tencent.mm/MicroMsg/{数字串}/appbrand/pkg/

找到目标小程序包（打开一下小程序，然后按时间排列方便查找）

反编译

反编译工具

切换到工具解压目录-->反编译命令：node wuWxapkg.js 小程序包

node .\wuWxapkg.js 小程序包.wxapkg

执行完毕后同目录解压缩文件（小程序主包）：

分析签名算法

直接在ide打开此目录，全局搜索关键字：

从上下文中找到相关逻辑（可以看出来是vue的工程，格式化后再看）

把相关签名逻辑放到一个文件中，并把抓包参数填入，调试一下：

<!DOCTYPE html><html><head><meta charset="utf-8"><title></title></head><body></body><script>var A = 8;start();function start() {var m = {cid: 2,from: "58_ershoufang",app: "a-wb",platform: "windows",b: "microsoft",s: "win10",t: 1590570613, //a.default.time(),cv: "5.0",wcv: "5.0",wv: "7.0.9",sv: "2.10.4",batteryLevel: 0,muid: "ff4bb653e802a502f49f1487b6d091f9",weapp_version: "1.0.0",user_id: "",oid: "oIArb4keuVN06vcQTVuN4fjNdwhs",udid: "oIArb4keuVN06vcQTVuN4fjNdwhs",page: 2,page_size: 25};for (var g in m) isEmpty(m[g]) || (m[g] = ("" + m[g]).replace(/(\s|\n|\r|\t)+/g, ""));var o = {isPost: !1,city_id: 2};var c = {};var n = o.isPost ? "POST" : "GET";delete o.isPost, "GET" == n ? m = Object.assign(m, o) : c = Object.assign(c, o);Object.keys(m).forEach(function(e) {var t = m[e];isEmpty(t) || (m[e] = decodeURI(t)), c.hasOwnProperty(e) && !isEmpty(c[e]) && (m[e] = c[e])});var sig = sign(m, c);console.log("签名：：" + sig);}function isEmpty(e) {return "" == e || null == e || void 0 === e || 0 == e || 0 == e || "{}" == JSON.stringify(e) || "[]" == JSON.stringify(e);}function sign(e, n) {var r = [];r.push("ak=" + "931d0f0a7f7bc73c7cee04b87a1f3cb83d175517"), r.push("wk=" + "3B7C4B291A9F171B1C3AC5");var o = /(\s|\n|\r|\t|\+)+/g;for (var i in e) n[i] && !isEmpty(n[i]) || r.push(i + "=" + decodeURI(e[i] + "").replace(o, ""));for (var u in n) r.push(u + "=" + decodeURI(n[u] + "").replace(o, ""));r.sort();var a, s = r.join("&");return s = s.replace(o, ""), a = decodeURIComponent(s), s = encodeURIComponent(a).replace(/[!'()*]/g, function(e) {return "%" + e.charCodeAt(0).toString(16).toUpperCase();}), hex_sha1(s);}function r(r, n) {r[n >> 5] |= 128 << n % 32, r[14 + (n + 64 >>> 9 << 4)] = n;for (var o = 1732584193, a = -271733879, i = -1732584194, h = 271733878, A = 0; A < r.length; A += 16) {var v = o,d = a,l = i,b = h;o = c(o = e(o = e(o = e(o = e(o = u(o = u(o = u(o = u(o = t(o = t(o = t(o = t(o, a, i, h, r[A + 0], 7, -680876936),a = t(a, i = t(i, h = t(h, o, a, i, r[A + 1], 12, -389564586), o, a, r[A + 2], 17, 606105819), h, o, r[A + 3], 22, -1044525330), i, h, r[A + 4], 7, -176418897), a = t(a, i = t(i, h = t(h, o, a, i, r[A + 5],12, 1200080426), o, a, r[A + 6], 17, -1473231341), h, o, r[A + 7], 22, -45705983), i, h, r[A + 8], 7,1770035416), a = t(a, i = t(i, h = t(h, o, a, i, r[A + 9], 12, -1958414417), o, a, r[A + 10], 17, -42063), h, o, r[A + 11], 22, -1990404162), i, h, r[A + 12], 7, 1804603682), a = t(a, i = t(i, h = t(h, o,a, i, r[A + 13], 12, -40341101), o, a, r[A + 14], 17, -1502002290), h, o, r[A + 15], 22, 1236535329), i,h, r[A + 1], 5, -165796510), a = u(a, i = u(i, h = u(h, o, a, i, r[A + 6], 9, -1069501632), o, a, r[A +11], 14, 643717713), h, o, r[A + 0], 20, -373897302), i, h, r[A + 5], 5, -701558691), a = u(a, i = u(i, h =u(h, o, a, i, r[A + 10], 9, 38016083), o, a, r[A + 15], 14, -660478335), h, o, r[A + 4], 20, -405537848),i, h, r[A + 9], 5, 568446438), a = u(a, i = u(i, h = u(h, o, a, i, r[A + 14], 9, -1019803690), o, a, r[A +3], 14, -187363961), h, o, r[A + 8], 20, 1163531501), i, h, r[A + 13], 5, -1444681467), a = u(a, i = u(i, h =u(h, o, a, i, r[A + 2], 9, -51403784), o, a, r[A + 7], 14, 1735328473), h, o, r[A + 12], 20, -1926607734), i,h, r[A + 5], 4, -378558), a = e(a, i = e(i, h = e(h, o, a, i, r[A + 8], 11, -574463), o, a, r[A + 11], 16,1839030562), h, o, r[A + 14], 23, -35309556), i, h, r[A + 1], 4, -1530992060), a = e(a, i = e(i, h = e(h, o, a,i, r[A + 4], 11, 1272893353), o, a, r[A + 7], 16, -155497632), h, o, r[A + 10], 23, -1094730640), i, h, r[A +13], 4, 681279174), a = e(a, i = e(i, h = e(h, o, a, i, r[A + 0], 11, -358537222), o, a, r[A + 3], 16, -722521979), h, o, r[A + 6], 23, 76029189), i, h, r[A + 9], 4, -640364487), a = e(a, i = e(i, h = e(h, o, a, i, r[A + 12], 11, -421815835), o, a, r[A + 15], 16, 530742520), h, o, r[A + 2], 23, -995338651), i, h, r[A + 0], 6, -198630844),a = c(a = c(a = c(a = c(a, i = c(i, h = c(h, o, a, i, r[A + 7], 10, 1126891415), o, a, r[A + 14], 15, -1416354905),h, o, r[A + 5], 21, -57434055), i = c(i, h = c(h, o = c(o, a, i, h, r[A + 12], 6, 1700485571), a, i, r[A + 3],10, -1894986606), o, a, r[A + 10], 15, -1051523), h, o, r[A + 1], 21, -2054922799), i = c(i, h = c(h, o = c(o,a, i, h, r[A + 8], 6, 1873313359), a, i, r[A + 15], 10, -30611744), o, a, r[A + 6], 15, -1560198380), h, o, r[A +13], 21, 1309151649), i = c(i, h = c(h, o = c(o, a, i, h, r[A + 4], 6, -145523070), a, i, r[A + 11], 10, -110379), o, a, r[A + 2], 15, 718787259), h, o, r[A + 9], 21, -343485551),o = f(o, v), a = f(a, d), i = f(i, l), h = f(h, b);}return Array(o, a, i, h);}function n(r, n, t, u, e, c) {return f(o(f(f(n, r), f(u, c)), e), t);}function t(r, t, u, e, c, f, o) {return n(t & u | ~t & e, r, t, c, f, o);}function u(r, t, u, e, c, f, o) {return n(t & e | u & ~e, r, t, c, f, o);}function e(r, t, u, e, c, f, o) {return n(t ^ u ^ e, r, t, c, f, o);}function c(r, t, u, e, c, f, o) {return n(u ^ (t | ~e), r, t, c, f, o);}function f(r, n) {var t = (65535 & r) + (65535 & n);return (r >> 16) + (n >> 16) + (t >> 16) << 16 | 65535 & t;}function o(r, n) {return r << n | r >>> 32 - n;}function a(r) {for (var n = Array(), t = 0; t < r.length * A; t += A) n[t >> 5] |= (255 & r.charCodeAt(t / A)) << t % 32;return n;}function i(r) {for (var n = "0123456789abcdef", t = "", u = 0; u < 4 * r.length; u++) t += n.charAt(r[u >> 2] >> u % 4 * 8 + 4 & 15) +n.charAt(r[u >> 2] >> u % 4 * 8 & 15);return t;}var h = {ak: "931d0f0a7f7bc73c7cee04b87a1f3cb83d175517",wk: "3B7C4B291A9F171B1C3AC5"}function hex_sha1(n) {return i(r(a(n), n.length * A));}</script></html>

浏览器看一下：

和抓包结果一致