Practical Guide to Extracting and Decompiling WeChat Mini Program .wxapkg Files

This practical tutorial explains how to "decompile" WeChat Mini Programs by obtaining their .wxapkg packages, unpacking them, and preparing the source code for further analysis, referencing posts and tools from forums such as XueSnow, V2EX and GitHub.

When a Mini Program is uploaded via the WeChat Developer Tools, the tool compiles JavaScript, wxml , wxss and other resources into a single .wxapkg file that is sent to the WeChat server. To reverse‑engineer a Mini Program, the first step is to locate this .wxapkg file on the device.

Obtaining the .wxapkg File

Tools required: a jail‑broken iPhone (or a rooted Android phone). The example uses an iPhone 4S with iOS 8.4.1 and WeChat v6.6.6.

On the iPhone, install a file‑browser app such as Cydia → iFile or Filza , then navigate to /var/mobile/Containers/Data/Application/ . Inside you will find the WeChat sandbox directory (e.g., 297286CE-9055-400A-99FA-D2D7C0735DCF ).

Search this sandbox for the keyword wxapkg . The resulting files are named numerically (e.g., 2.wxapkg , 25.wxapkg ) and are stored under a path similar to:

/path/to/WeiChat SandBox/Library/WechatPrivate/{UserId}/WeApp/LocalCache/release/

Here {UserId} is the MD5 hash of the logged‑in WeChat account. Each Mini Program has a folder named wx… (the 18‑character AppId) that contains its numbered .wxapkg file.

On Android, the packages reside at /data/data/com.tencent.mm/MicroMsg/{UserId}/appbrand/pkg/ and require root access.

Copying .wxapkg to a Computer

Install OpenSSH via Cydia, note the iPhone’s Wi‑Fi IP (e.g., 192.168.1.17 ), then use SSH from a Mac terminal:

ssh [email protected]

Transfer the package with scp without logging in first, for example:

scp [email protected]:/var/mobile/Containers/Data/Application/297286CE-9055-400A-99FA-D2D7C0735DCF/Library/WechatPrivate/c15d9cced65acecd30d2d6522df2f973/WeApp/LocalCache/release/wx48...85db/2.wxapkg /Users/YourName/Desktop/WeApp/

Alternatively, tools like iTool or PP Assistant can access the sandbox directly on a jail‑broken device.

Unpacking .wxapkg

The .wxapkg file is a binary container, not a simple ZIP. The author of wechat-app-unpack provides unpack scripts in several languages. Using the Python 2 script:

python unwxapkg.py 2.wxapkg

After unpacking, the directory structure resembles the original Mini Program project and includes files such as:

app-service.js : aggregated and obfuscated JavaScript.

app-config.json (derived from app.json ) and page‑specific JSON files.

page-frame.html : combined .wxml and app.wxss files (needs further de‑obfuscation).

*.html : pages with embedded .wxss information.

Resource files (images, audio, etc.).

Conclusion

The article demonstrates how to locate, copy, and unpack a Mini Program’s .wxapkg package, revealing the compiled and obfuscated code and assets. The next tutorial will cover restoring the source to its pre‑compiled state.