luotron/wxinvokehelper

WxInvokeHelper is an Xposed module for the Android version of WeChat. The README is in Chinese and frames the tool as a debug helper for authorized testing. It is meant to be installed into a rooted phone running LSPosed or EdXposed, hooked into the running WeChat process, and used by developers who are wiring up their own back end to WeChat's mini program login or OAuth login. The module exposes internal login functions of an already logged in WeChat account so the developer can grab a login code and exchange it server side, without touching the official scan flow by hand. Once injected, the module starts a local HTTP server on port 18080 and also listens for Android broadcasts. The HTTP endpoints are getMiniCode, which returns a one shot mini program login code given an appId, getOauthCode, which walks through an OAuth authorize URL and returns the redirect URL with code and state, and autoOAuth, which simulates a QR code scan and confirm for the connect.qrconnect login used by third party websites. There is also a ping endpoint that just confirms the module is loaded. The README is clear that no tokens are cracked and no business signing is bypassed, the user's own server still has to exchange the code for a real token through the normal API. The broadcast interface mirrors the HTTP one and is meant for situations where HTTP is not reachable, for example an adb shell on a tethered device. Each action has its own intent name, OAuth URLs are passed in as base64 to dodge escaping issues, and results come back on the ACTION_RESULT broadcast. Quick start is four steps: install the module APK, enable it in LSPosed against the WeChat package, force stop and reopen WeChat, then call ping with curl to confirm injection. The README says the module was tested against WeChat 8.0.71 and warns that obfuscated class names change between versions, so each upgrade needs the hook to be re mapped. Class names are kept in one central file to make this easier. The author lists intended uses as mini program login debugging, integrating a self built app with WeChat login, Android reverse engineering practice, migrating Frida scripts to Xposed, and internal enterprise test automation. The README then bans a list of uses outright: capturing third party account state without permission, mass token collection, evading platform risk control, and scams, scalping, or credential stuffing. Users are asked not to paste real appId, code, token, or cookie values into the issue tracker. A disclaimer at the end states the project is for security research, reverse learning, own business debugging, and authorized testing only, and that the user takes on any legal risk from improper use.