If we use frida -U com.tencent.mm -l xxx or objection -g com.tencent.mm explore to hook directly, we can’t see the function call, because the process you hook is not the process of WeChat applet but the process of WeChat itself.

So we have to specify the pid to hook, we can use

dumpsys activity top | grep ACTIVITY

to get it; we can also use frida -UF -l xxx to hook the current top-level Activity.

In order to reach the hook Wechat API, we need to locate the concrete JAVA class. Since we don’t know that yet, we can just make up a random class. And we will see the error.

After that, we just need to look for it in the apk.

1 hook Miniapp API

Step 1 : Just hook the api when it is called

Java.perform(function () {
   console.log("Entering.........");
​
   // Hook wx.getLocation()
   var getLocationClass = Java.use('xxx');
   getLocationClass.x.overload('xxx', 'org.json.JSONObject', 'int').implementation = function (context, jsonObject, i15) {
       console.log('getLocation called with data: ' + jsonObject.toString());
       var result = this.x(context, jsonObject, i15);
       return result;
  };
});
​

This is a easy python script that we can use with all the proposed examples in this tutorial:

import frida, sys
​
with open(sys.argv[1], 'r') as f:
   jscode = f.read()
​
pid = 16171
process = frida.get_usb_device().attach(pid)
​
script = process.create_script(jscode)
​
print('[ * ] Running Frida')
script.load()
​
sys.stdin.read()
​

And we can see the prompt.

2 MiniApp API -> Android API

…continue