Decompile a WeChat Mini Program .wxapkg file to read and understand its JavaScript, WXML, and WXSS source code.
Scan decompiled Mini Program code for hardcoded credentials or sensitive data using the built-in export feature.
Patch the WeChat desktop client to enable developer tools and an F12 console on Mini Programs for security research.
Repack modified Mini Program source code back into a .wxapkg file for testing or analysis.
| ackites/killwxapkg | guangzhengli/k8s-tutorials | cortexproject/cortex | |
|---|---|---|---|
| Stars | 5,805 | 5,805 | 5,801 |
| Language | Go | Go | Go |
| Setup difficulty | moderate | moderate | hard |
| Complexity | 3/5 | 3/5 | 5/5 |
| Audience | developer | developer | ops devops |
Figures from each repo's GitHub metadata at analysis time.
The Hook feature requires running WeChat desktop and carries a risk of account suspension, the README recommends using a secondary account.
KillWxapkg is a Go command-line tool for decompiling WeChat Mini Programs. WeChat Mini Programs are small applications that run inside the WeChat messaging app on mobile devices. They are distributed as compiled and encrypted package files with the .wxapkg extension. This tool takes those package files and reverses them back into readable source code. The tool handles the full decompilation process in one step: it detects whether a package is encrypted, decrypts it automatically if needed, then unpacks it. After unpacking, it can restore the original project directory structure, separating the code back into its component files: JavaScript, JSON configuration files, WXML (WeChat's HTML-like template language), and WXSS (WeChat's CSS-like style language). A code beautification option reformats the output for easier reading. Beyond decompilation, the tool includes a Hook feature that patches the WeChat desktop client to enable developer tools and an F12 console on Mini Programs that normally do not allow it. This requires running WeChat and is noted to carry a risk of account suspension, so the README recommends using a secondary account. There is also a repack option that takes a modified source directory and packages it back into a .wxapkg file, and a sensitive data export feature that scans decompiled code for hardcoded credentials and similar information. The tool is compiled from Go source code or downloaded as a prebuilt binary. The README is written in Chinese and includes a disclaimer stating the tool is intended for security research and learning only, and that users are responsible for complying with applicable law.
A Go command-line tool that decompiles WeChat Mini Program package files back into readable source code, with extra features for enabling developer tools, scanning for leaked credentials, and repacking modified code.
Mainly Go. The stack also includes Go.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.