Skip to content

Instantly share code, notes, and snippets.

Created January 1, 2018 07:49
Show Gist options
  • Save mysteriouss/01d7f18cdef47acc0781e8f484f2d2d0 to your computer and use it in GitHub Desktop.
Save mysteriouss/01d7f18cdef47acc0781e8f484f2d2d0 to your computer and use it in GitHub Desktop.
// ==UserScript==
// @name weixin_tiaotiao
// @namespace
// @version 0.1
// @description try to take over the world!
// @author You
// @match
// @grant GM_xmlhttpRequest
// @require
// @require
// ==/UserScript==
(function() {
'use strict';
// Your code here...
//var CryptoJS = require('crypto-js');
//var request = require('request-promise');
* npm install crypto-js request-promise
* node wx_t1t_hack.js
// export function testEncription(msg, fullKey) {
// var fullKey = fullKey.slice(0, 16)
// var key = CryptoJS.enc.Utf8.parse(fullKey)
// var iv = CryptoJS.enc.Utf8.parse(fullKey)
// var passWord = CryptoJS.AES.encrypt(msg, key, { iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.Pkcs7 })
// var base64 = passWord.toString()
// console.log('passWord', passWord)
// console.log('sessionId', sessionId)
// console.log('key', key)
// console.log('base64', base64)
// var bytes = CryptoJS.AES.decrypt(base64, key, {
// iv: iv
// });
// console.log('bytes', bytes)
// var plaintext = CryptoJS.enc.Utf8.stringify(bytes);
// console.log('plaintext', plaintext)
// }
function encrypt (text, originKey) {
originKey = originKey.slice(0, 16);
key = CryptoJS.enc.Utf8.parse(originKey),
iv = CryptoJS.enc.Utf8.parse(originKey),
msg = JSON.stringify(text);
var ciphertext = CryptoJS.AES.encrypt(msg, key, {
iv: iv,
mode: CryptoJS.mode.CBC,
padding: CryptoJS.pad.Pkcs7
return ciphertext.toString();
function decrypt (text, originKey) {
originKey = originKey.slice(0, 16);
key = CryptoJS.enc.Utf8.parse(originKey),
iv = CryptoJS.enc.Utf8.parse(originKey);
var bytes = CryptoJS.AES.decrypt(text, key, {
iv: iv
var plaintext = CryptoJS.enc.Utf8.stringify(bytes);
return plaintext;
function extend (target) {
var sources = [], 1);
sources.forEach(function (source) {
for (var prop in source) {
target[prop] = source[prop];
return JSON.stringify(target);
var version = 5,
score = 2018,
// replace with your session_id here
session_id = '';
var headers = {
'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_1 like Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C153 MicroMessenger/6.6.1 NetType/WIFI Language/zh_CN',
'Referer': '' + version + '/page-frame.html',
'Content-Type': 'application/json',
'Accept-Language': 'zh-cn',
'Accept': '*/*'
var base_req = {
'base_req': {
'session_id': session_id,
'fast': 1
var base_site = '';
var path = 'wxagame_getuserinfo';
GM_xmlhttpRequest ( {
method: 'POST',
url: base_site + path,
data: JSON.stringify(base_req),
headers: headers,
onload: function (response) {
console.log (response.responseText);
method: 'POST',
url: base_site + path,
headers: headers,
json: true,
body: base_req
}).then(function (response) {
// console.log(path, response);
path = 'wxagame_getfriendsscore';
GM_xmlhttpRequest ( {
method: 'POST',
url: base_site + path,
data: JSON.stringify(base_req),
headers: headers,
onload: function (response) {
console.log (response.responseText);
var times = JSON.parse(response.responseText).my_user_info.times + 1;
path = 'wxagame_init';
GM_xmlhttpRequest ( {
method: 'POST',
url: base_site + path,
data: extend({}, {version: 9}, base_req),
headers: headers,
onload: function (response) {
//console.log (response.responseText);
var action = [],
musicList = [],
touchList = [];
// for (var i = 0; i < score; i++) {
// action.push([0.752, 1.32, false])
// musicList.push(false)
// touchList.push([185, 451])
// }
var data = {
score: score,
times: times,
game_data: JSON.stringify({
action: action,
musicList: musicList,
touchList: touchList,
version: 1
var path = 'wxagame_settlement';
GM_xmlhttpRequest ( {
method: 'POST',
url: base_site + path,
data: extend({}, {action_data: encrypt(data, session_id)}, base_req),
headers: headers,
onload: function (response) {
//console.log (response.responseText);
console.log('2018! Happy new year! 🎉');
method: 'POST',
url: base_site + path,
headers: headers,
json: true,
body: base_req
}).then(function (response) {
// console.log(response.my_user_info)
var times = response.my_user_info.times + 1;
path = 'wxagame_init';
method: 'POST',
url: base_site + path,
headers: headers,
json: true,
body: extend({}, {version: 9}, base_req)
}).then(function (response) {
// console.log(path, response)
var action = [],
musicList = [],
touchList = [];
// for (var i = 0; i < score; i++) {
// action.push([0.752, 1.32, false])
// musicList.push(false)
// touchList.push([185, 451])
// }
var data = {
score: score,
times: times,
game_data: JSON.stringify({
action: action,
musicList: musicList,
touchList: touchList,
version: 1
path = 'wxagame_settlement';
method: 'POST',
url: base_site + path,
headers: headers,
json: true,
body: extend({}, {action_data: encrypt(data, session_id)}, base_req)
}).then(function (response) {
// console.log(path, response)
console.log('2018! Happy new year! 🎉');
}).catch(function (error) {
}).catch(function (error) {
console.log('something crash');
Copy link

touzi commented Jan 1, 2018

我在 Chrome 下创建的, 然后访问 控制台无输出.

Copy link

achengfu commented Jan 2, 2018


Copy link

achengfu commented Jan 2, 2018

成功了 ,老哥,哈哈哈

Copy link

Console : 2018!Happy new year! Haha

Copy link

qmppz commented Jan 2, 2018


Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment