First, the preface
In a previous article, we have introduced an artifact of the Android Hook work xposed tool: xposed Framework principle Analysis and use case study in that article we described how to install the xposed framework, And how to use the Xposed library to write the first module to modify the function of the system methods, but also mentioned a very important point of knowledge is: The hook process is the most important point is how to find the hook point, and for this point many students will feel very difficult, Because of the modification system method is OK, because you can simply go to see the specific Android source code, but if you want to write some applications and games plug-in, then the first step must first to crack the corresponding app to find the designated hook point, this step is very difficult. So you can only try more crack slowly long experience can be.
Second, conjecture hypothesis
This article is based on the previous xposed framework to introduce how to write a micro-letter of a plug-in function, this function is the micro-letter shake dice and scissors stone cloth cheat, we have used micro-letter This function is known, is a more commonly used function, because in a group chat will be very boring to this simple game, who lost a red bar what. So this feature is definitely random, and we should believe that this random method must be somewhere in the micro-code, so if we find this method, we can hook him up and intercept the maximum number, which is the value we want.
Iii. preparatory work
The above analysis of the function of the principle of use, the following we do not say more, direct operation, this article used a micro-letter of the old version of the test: micro-letter 6.3.9.apk; Then the first step we have to reverse micro-letter, need to do two jobs:
First Use Apktools decompile apk, this needless to say, the micro-letter did not strengthen the application, so the reverse compilation process is normal.
The second need to use the visual Reverse compiler tool JADX to open the micro-letter apk, because the micro-letter application is very large, so slowly wait for a while to open.
Four, reverse analysis
Here's a cool analysis of how do we get started? After the compiler succeeded, we had to look for the entrance, which is also very simple, because we want this random function, then in the effect we can see is the dice, we can select a micro-chat dialog box, and then click on a dice function:
See, we'll definitely call this random function to get random values when we click on the dice. So this is our entrance, so the first step is definitely to find this click event, if you want to find the click event, then you have to find the definition of the control, then the question is, if you can quickly find the definition of this control? This technique has been introduced in a previous article in my paper, that is, the automatic red envelope function of micro-letter to find the click of the red packet, so the same way to get the red envelope control definition of the place, This approach is a tool provided by ANDROIDSDK: Uiautomatorviewer.bat This tool is located in the SDK directory Tools directory, we can click to run, and then we can see the interface:
We parked the device in the Chat dialog box, and then use this tool, click on the top left corner of the button, you can do the current desktop interface layout analysis, analysis results we can see, This boson is a custom control: Com.tencent.mm.ui.MMImageView, and then his ID is ae7, and this value is very critical, followed by this value for step-by-step tracking, here we take another look at the expression area of the detailed layout:
Guess also guessed that the expression area outside should be a Viewpager control can be sliding switch, then the control of each page with the GridView for card segmentation, So here's a reminder: The next click event is either added to the view Setonclicklistener in the GetView method of the GridView adapter class, or the Onitemclick event is added to the GridView.
Okay, let's keep tracking. Because of the dice control ID, we can use this ID directly to the global search for this value, but here is a problem is the micro-letter itself to do the confusion of resources, and this confusion is to increase security work, on the one hand, reduce the size of the package function, We can use the decompression tool to simply view the Res directory in his apk file and find all the alphabetic folders. And from the above ID also can be seen, I believe that micro-trust engineers can not be silly to name an ID into Ae7 it? Here we have to use a knowledge point, and this knowledge point in my previous article introduced: Android in the application of attack and defense in this article, we have to decompile apk, In fact apk all of the resource ID values will be saved in a public.xml file, and this file is placed in the values directory, this file is mainly stored in the resource ID value and the corresponding relationship between Name,type, In the code after the decompile will not normally use R.ID.XXX this style to access the control, but with the conversion of the ID value, the value is decimal, so we have to use the above Ae7 ID value to public.xml file to find the corresponding hexadecimal value:
Attention:
Here when looking for ae7, there will be multiple matches, and we need to use additional information to differentiate, that is the Type field, the Type field has many kinds of values, such as Layout,drawable,string,attr,id, We are type=id here because we are defining the controls.
After you find this item, convert the hexadecimal value of the following ID to the corresponding decimal value: 0x7f07060e=2131166734
With this value, it is good to do, we are directly in the JADX opened in the micro-letter APK Global Search This value:
Alas, it was not found, so here it began to hurt the egg, but also the biggest obstacle to the reverse, think for a long time, and finally suddenly think of the reverse micro-letter in the local address book information when found that micro-letter using the subcontract technology, that is, micro-envelope too large, Because of the number of methods in the Android system, you need to split the APK, you can view this article: Android application of the unpacking technology details then we will find that the decompile did not see more than one Dex file, so this time to guess that he should have a local directory, When the application starts, the main DEX function loads the second Dex file, and by looking at the precompiled directory, it finds him in the assets directory:
And this is the two from the Dex file, where he did the Dex file into the jar file operation, so we first use the decompression tool to extract the jar file, the corresponding Dex file can be. And then we open up a JADX window that opens this from the Dex file and then on the global search for that value:
See, finally found the definition of this control place, click the first to go in to see:
As we look down at the information on this class, we find that there is a GetView method:
See this can be judged, this class is actually a baseadapter type, and in the GetView did not see the control of the click event, so guess should be external to the GridView added Onitemclick event, we continue to select this class name, Then right-click to track where the class is invoked, and this function is really practical:
After clicking the lookup, there are many places to call:
Here we can guess the GridView type from the parameter command of the first item, and here we seem to see the dawn of Victory:
Then look at the definition of this Smileygrid variable:
Here is a smileygrid type, and we can search this class globally to see his definition:
As expected, here is a GridView type, and then we see the Onitemclick method we are looking forward to, and then we begin to analyze the logic of this Onitemclick method:
Here I did not find a good way, and do not want to go deep tracking, because here is not a lot of judgment, so in order to try each method, the result found the last a method, and then click to view the logic:
We need to think about it a little bit more, after we click on the effect of the dice, there is no dialog box and toast hint, then there are only two branches are most likely to execute, after the sequential attempt, discovery is the first branch of the logic, that is, h.a.amz.b () This method of execution, By importing the imported classes, you get the path definition for this class:
But this class was not found in Dex, so it was supposed to be in main Dex, and it was found in the class definition, and then went into the class for detailed viewing:
Go ahead and look at the definition of the B method:
Rub, here's the B method is returned is NULL, then here is to think, if returned null, the previous click event is definitely invalid, and this is not in line with the actual situation, so guess where there is another place for this IOP assignment operation. Let's take a look at this IOP definition:
As you can see from the definition, it's possible to perform assignment operations elsewhere, so we're looking at this variable value IOP globally:
Find the search results or the return NULL code we just saw, so we have to go on another Dex search:
Here we found an assignment operation, and immediately clicked into the view:
Then look at the definition of the PD method:
Continue to see this class G definition:
See his B method, here's a bb.pu this method is suspicious, because the final return value is related to him, and this method is not found in this Dex, so we look at his import to find a global definition path, and then go to another dex to view the definition:
When you get here, you're going to be very excited. Because we have seen victory, this very obvious random method has finally been found, and through this random formula we can see that the function of this method is to return a random value between the 0-i, and for the boson should be the value between 0-6, scissors is the value between 0-3. So this method hundred percent is used for the random function.
V. Mastery of Reverse skills
And here we are, and we've found the place we want to hook. The reverse process from above will find that the micro-letter project is very large, and for us to reverse the work is very difficult, but fortunately we have some powerful tools to quickly locate the problem, the following is to summarize the knowledge of the reverse harvest:
First, for the reverse to want the control click event Portal, you can use the following steps to
1, using the interface analysis tool to get the ID name of the specified control
2, through the ID name to the values/public.xml after the compiler to find the specified value, converted to decimal
3, through the JADX of the global all features, find this decimal value can be
This step will be useful for getting a click event logic entry for a control in an application, and is also a common method.
Second, for the micro-letter, because the project is huge, so there will certainly be a unpacking phenomenon, so he has more than one Dex file. Must be a number of Dex files, so you need to continue to write a micro-letter plug-in, then analysis is to pay attention to this point.
Third, the powerful tool for JADX in this article has played a very important function: Tracking method calls, the global lookup function.
Additional notes:
In this article we will find that there is a painful place where multiple Dex files find the appropriate method, so in fact we can do this, if we get the application of all the Dex files, you can convert first to the corresponding Java class, and then merge the class, where we can use beyond The Compare comparison tool merges several different folders together:
After the merger, we are using tools to convert it into a Dex file, also completed a number of Dex file merging work. In this project, we can be very clever with the JADX of another powerful function, that is, can save the post-compiled content to Local:
He had the advantage of saving Dex in APK as a Java file, a resource decoding and saving the specified XML file, and the final save style was a Gradle project, and it was very convenient for the project to be imported directly into a development tool. In particular, resource files, we will find that the Apktools tool did not decompile the XML file. And here we are.
Vi. Start intercept operation
Here we have the hook operation, which has been given the name of the random function:
COM.TENCENT.MM.SDK.PLATFORMTOOLS.BB.PU (int i)
Hook work is very simple, we intercept this method, based on the value of the passed to make a decision to roll the dice or scissors operation:
First of all, we have to do a filtration operation, is only hook micro-letter applications, and then to intercept the operation, through the passing of the parameters to make a judgment is the boson or scissors, if it is a shake boson return a little, scissors will return the scissors.
After writing successfully, compile into a module, and then restart the device to take effect, click on the micro-letter open a chat box, start shaking dice:
By printing the value you can see that our conjecture is correct and look at the actual effect:
hahaha, all the operations are under control, here we also successfully wrote a micro-letter plug-in function, and this plug-in may have some students feel the use is not so big, and now the mainstream plug-in can prevent the revocation of the function, sharing video to friends Circle, but these features will be explained slowly, do not worry, And for this article and subsequent plug-in content articles, I would like to express is that the results are not important, the important thing is the entire reverse process, each time after the reverse of what we learned, whether or not to raise the reverse experience, this is what we need to get.
Supplementary Note:
1th: Some students will find that the way they get the method seems to be confused after, also said that if the day the micro-letter changed the confusion mechanism, then this hook is ineffective, This article uses the micro-letter 6.3.9 version, for other versions I think the method class name should be changed, also said that if the micro-letter every time out of a version of how we have to go to the reverse one time to get the method name, but this is not difficult, thought this article has the entire reverse process explained, so as long as follow this step, the search method is also minutes!
2nd: The purpose of this article is to share the reverse skills of knowledge, so also please students can know the results are not important, it is important that the whole process of reverse, that is how to find the hook point
Serious statement: The knowledge points introduced in this article are entirely from a technical sharing point of view, and are not used for any commercial activities and purposes, if any legal issues involved will be the operator's own responsibility. The author of this article will not be responsible for any legal liability! Students are also invited to adhere to the principle of technical point of view, do not use in business!
Vii. Summary
This article mainly introduces a micro-letter simple plug-in function, is the boson and scissors cheat function, and throughout the process, we can see that the hook point is the most critical, and the hardest is to find this point. It is generally necessary to do a reverse analysis of the micro-letter application to find this point. In this process we have learned some new reverse application skills knowledge, follow-up will continue to bring us to share other functions of the plug-in knowledge points, please look forward to, but also to support the proliferation of sharing, but also to a lot of praise? Writing this article is not easy, because the reverse of my head is blown!