An analysis of auxiliary function scheme
With regard to WX's various functional plug-ins have been very common, and now the plug-in is dependent on the xposed framework, so the personal feel that WX should be in this convenient to deal with the use of xposed framework protection, to prevent the phenomenon of plug-ins flying, This article describes a WX app that receives a message if it is an article link that automatically opens the Browse feature. This function may be some people use is not many, but this article holds the reverse technology learning point or to analyze this technology!
About the article link message automatic point open logic, perhaps some students first idea is: with the auxiliary function to achieve analog click, but there is a problem to be solved, is how to get the message content. First of all, let's look at the types of message messages that are sent in roughly two ways:
One is the pure link style, one is the public number graphic style;
First, for the pure link style of the message, the control is TextView, but did not do the TextView click event Processing, but instead of the link in the TextView HTML formatted jump. So we get to this control with accessibility, we can't get the content and we can't simulate the click, because this control doesn't have a click event.
Second, for the graphic style of the message, you can simulate the click, but the question is how to judge the message is graphic style? We cannot judge by the type of the control, because there are several controls in the message list in the WX app, and not the control type of each message is unique.
Second, xposed plan analysis
So from the above analysis, we know that the use of accessibility should not be able to achieve this function, then only with the help of the xposed framework, the framework can intercept the WX application message content, we need to manually get the content of the message, then content parsing, to get the article link. Then open the hook with his custom webview.
There are many scenarios for how to intercept message content in WX applications, some students may be the first idea is to intercept the WX application message packet, but the WX app's message content is encrypted processing, so it is not called trouble to get up. But we have explained that the WX application message is saved to the local database, do not know the students can read this article: How to get the WX app local message and address book information in Android, in that article can be learned that the WX application is the message is in clear-text storage, So if we can find a way to save the data that can be manipulated, the general data is used to save the Insert method.
third, find Hook point
Here's the reverse analysis, how to get to the place where the database messages are inserted, Reverse operation over WX application students should know the local database name: Enmicromsg.db, this is our entrance, we still use the WX application 6.3.9 version for research, use the JADX tool to open the WX application, and then the global search "enmicromsg.db" String contents:
There are a lot of records here, filtering can be used to locate the database operation of the place, so-called filtering is a place to see, found something wrong immediately stop the next place to view. The so-called wrong that can only rely on reverse experience. There are no tricks here, let's go in and check the message:
Here is a message, that is to get the password of the database, where the database should be opened to operate, continue to look down:
Here began to operate the database, see rawquery Such query statements, we go directly to see:
Here is the Rawquery method that calls the JVM and continues to point in to see:
Enter into this class, here will be found to include the database operation of the encapsulation method, see there is an insertion method, through the parameter information can be found that the last parameter is the contentvalues type, this may be to save the data list information. So here we can guess that the Insert method is where the chat message is saved to the local database, so we hook it up directly:
The hook code is very simple, not much to say, and then after the interception method to print the parameter information, look at the message list structure:
After installation, restart the device to take effect, and then accept a message in the WX app to read the log message:
See, the first parameter of the Insert method above is the table name, the second parameter does not know, but through multiple print logs can see as long as the chat message, is the MsgId value, and then the Contentvalues value printed a bit, We found a list of content messages, which is the chat message, so we need to manipulate this column:
Here is a simple judgment on the content of the message, if found to start with http:// with the WX application WebView open . How to open the following will be described.
See above is the message content is a pure link, but there is a graphic style, message style is what? We still look at the print results:
See here, or the message table, is also the content of this column, but the difference is the contents of the change, the message content is an XML format, the content of this section of the online format:
See the URL tag content in the formatted XML content is the original link information of the article. So for this graphic style, we also need to do XML local parsing, there are many ways to parse XML in Android, here in pull mode:
So we have a plain text link style and graphic style two articles of the original link, and the following is the last question is how to use the WebView to open this link?
Iv. access to WX's page WebView objects
After the above steps are completed, you can get the link to the article, the following also need to use the WebView to open the page, we first to get the WX Application Page class, where you can open a page, and then use the ADB shell dumpsys Activity top command to view:
This class is Webviewui, and then go to the JADX to search this class:
After entering, we can search loadurl the field content directly, because this is the entrance of the loading page:
Found this, you can also see here did the link processing, and then in the search for global variables agy This value how to get:
Because we want to find the place where the value is assigned, the search can be "agy =" so the search results are very fast and a little tricky:
As you can see here, this value is obtained through the key of the Getintent Rawurl. That's good to do here, we can construct a intent, and then get Webviewui this class object, set the original link above to intent:
When we start intent here we need an activity, so we have to hook up the activity information on the homepage:
Home Activity class is Launcherui, and then hook his onresume method, interception can get this method belongs to the class object.
Five, the Operation effect analysis
With these, we can do the operation, compile the module, after the installation restart takes effect, we simulate sending a plain text article link and Text style article link, the effect is as follows:
Here we have completed, WX application interception message Implementation of the article link automatic point-open logic function.
The reverse technique learned in this article:
1, learn to quickly find a breakthrough, such as here to get the message content of the portal is the database name.
2, to dare to guess, for example, the speculation in this article that the message is stored in the database is clear text, and is inserted with INSERT statement.
How does the WX app prevent plug-ins that are now flying? Personally think should do some to prevent xposed interception function, this online actually already someone is discussing this problem, this is also the content that need to explain in the back, how to do application is xposed interception protection function.
For users, personally feel it is best not to try to install these plug-ins, because these plug-ins are non-formal developers get out, there is a great security risk, and the use of these plug-in premise is the device needs root, but a device is rooted, the safety factor directly down to 0, some users for better play , regardless of security risks to install plug-ins, and finally if the loss of some of their own benefits outweigh the cost! Install any application must be installed from the regular channel.
Serious statement: The purpose of this article is only one, through a case to learn the reverse knowledge logic, if someone use this content for any commercial purposes and illegal profit, bring any legal liability will be borne by the operator himself, and the author of this article does not have any relationship, so it is sincerely hope that we hold the purpose of technical learning to read this article Thank you so much!
v. Summary
This article uses the WX application automatic point to open the article message link as the case, has analyzed how quickly locates the breach, finds the hook the place, learns the bold conjecture, with the converse experience, can quickly find the place which we want.
Android Black Technology Series--analytic public article message and link article message Auto-open principle