Android Black Technology Series -- Analysing the principle behind countering auto-grab red envelope plugins

Source: Internet
Author: User
Tags: unique id

I. Preface

Sending red envelopes at Spring Festival was originally a festive way for friends and relatives to interact. But as technology has changed, auto-grab plugins have become more and more common, and now people are less willing to send red envelopes at all: in a group full of lurkers, a red envelope vanishes the instant it is sent, which is really unpleasant. The resulting phenomenon is that since you use a plugin, I use one too, and red envelopes lose all meaning. I still think it is best not to use these so-called red envelope plugins. How much nicer it would be to read a few more books!

II. Analysis of auto-grab red envelope plugins

This article deals with defending against the auto-grab function of red envelope plugins. As we know, there are three ways to grab red envelopes automatically:

The first: use Accessibility services and notification-bar message interception to alert the user the moment a red envelope arrives.

The second: use the Xposed framework to hook the red-envelope grabbing function.

The third: directly modify the code of the app that has the red envelope function, then repackage and install it.

These three approaches actually share one goal: alert the user immediately after a red envelope is received; the core point is the single word "fast". So the starting point for defending against these plugins is the time it takes to grab a red envelope, and using that time to decide whether a person is running a plugin. Anyone who has grabbed red envelopes knows that under normal circumstances grabbing one involves three scenes: receiving the red envelope, manually tapping it, and the opening animation. Assuming an average network speed and a typical human reaction time, grabbing a red envelope takes around 4s-5s. It may of course take longer, but longer times are outside the scope of this discussion, and this figure is our own rough estimate, not very accurate. So our idea now is: after a red envelope is sent, how can we obtain the time each person spent grabbing it?

III. Finding the hook entry point

Let's first look at the details page of a red envelope after it has been grabbed:


From this details page we can see that there is a time field, and the page should be a ListView control, so this is our breakthrough point. As usual, use the following command to view the name of the current page: adb shell dumpsys activity top


Then open the WX application with JADX; here I am still using version 6.3.9:


Why can't we find this class? A previous article already stepped on this pit: the WX application uses dex splitting, so there are several dex files. If you don't know about this, read: How to get the WX app chat records and contacts information. The extra dex files are placed in the assets directory:


So we can directly unzip the jar, get the corresponding dex file, open it with JADX and continue searching for the class:


See, this time we find it; click to enter:


We find the ListView control; to see the specific data we need to find its adapter:


The code here is very simple, a typical adapter. To see the data, go directly to the data list:


We just need to hook this ix method, get its return value, and print all the field values using reflection:


IV. Printing red envelope detail information

Having analysed the data of the red envelope details page, we can now write the Xposed module to hook this method. But there is a pit to note here: by default Xposed loads classes from the main classes.dex. For a class in a secondary dex, loading it the previous way reports that the class cannot be found, so we need an extra step: hook the attach method of the system Application class, get the ClassLoader from the corresponding Context, and use that ClassLoader to load the specified class. If the class is not found we return directly, because there is no way to know which dex the class will be loaded from, and you cannot know which dex file the current hook is in. So you can only try once; once the load succeeds, the subsequent operations begin. The loading code is very simple, as shown here:


After the class com.tencent.mm.plugin.luckymoney.ui.h loads successfully, we hook its ix method:
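The two steps above (obtaining the app's ClassLoader via Application.attach, then hooking ix and dumping its result via reflection) as an added example, not the article's own module code. The package name, the hook-once flag and the assumption that ix takes no arguments and returns the adapter's item list are mine; the class and method names are the ones the article found in WX 6.3.9.

```java
import android.app.Application;
import android.content.Context;
import java.lang.reflect.Field;
import java.util.List;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

public class DetailHook implements IXposedHookLoadPackage {
    private static final String TARGET_PKG = "com.tencent.mm";
    private static final String DETAIL_CLS = "com.tencent.mm.plugin.luckymoney.ui.h";
    private boolean hooked = false; // hook once; attach() can be observed more than once

    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) {
        if (!TARGET_PKG.equals(lpparam.packageName)) return;
        // The target class lives in a secondary dex, so lpparam.classLoader (classes.dex only)
        // cannot resolve it; the Context's ClassLoader has every dex file on its path.
        XposedHelpers.findAndHookMethod(Application.class, "attach", Context.class,
            new XC_MethodHook() {
                @Override protected void afterHookedMethod(MethodHookParam param) {
                    if (hooked) return;
                    ClassLoader cl = ((Context) param.args[0]).getClassLoader();
                    Class<?> cls;
                    try { cls = cl.loadClass(DETAIL_CLS); }
                    catch (ClassNotFoundException e) { return; } // not loadable here: give up, as the article does
                    hooked = true;
                    // Assumption: ix() takes no arguments and returns the adapter's item list.
                    XposedHelpers.findAndHookMethod(cls, "ix", new XC_MethodHook() {
                        @Override protected void afterHookedMethod(MethodHookParam p) {
                            dumpFields(p.getResult());
                        }
                    });
                }
            });
    }

    // Print every declared field of each list item via reflection.
    static void dumpFields(Object result) {
        if (!(result instanceof List)) return;
        for (Object item : (List<?>) result) {
            for (Field f : item.getClass().getDeclaredFields()) {
                f.setAccessible(true);
                try { XposedBridge.log(f.getName() + " = " + f.get(item)); }
                catch (IllegalAccessException ignored) { }
            }
        }
    }
}
```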


After the module is written, install it and restart the device for it to take effect, then open a red envelope details page; the following values are printed:


We see that the value of the enc field here should be a timestamp, which has 10 digits. Note that if you want to compute a time difference, you must handle the 13-digit versus 10-digit timestamp problem. The enc field represents an ID value; for the moment we treat it as the unique ID of the current red envelope.

V. Getting the red envelope ID value and timestamp

Now that we have this information, we also need the timestamp and ID value at which the red envelope was sent, so that we can calculate how long each person took to grab it. This value is also relatively simple to obtain: intercept messages directly, filter for red envelope messages, and parse the XML to get the corresponding values. How to intercept messages was covered in detail in a previous article: How to automatically open public account articles and the links in the article, so I won't repeat it here; straight to the code:


We can see that after a red envelope is sent, the message XML has the following format:


We see that this paymsgid value is very similar to the enc field value above but not identical; it can still be treated as a unique ID value. Here we truncate it, using the last 13 characters of the ID value as the key of the map storage structure. This saves the ID value and timestamp of the current red envelope, and the time difference is then calculated when the red envelope details are viewed.
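The bookkeeping described here and in the timing idea of section II, as an added example rather than the article's code: timestamps are normalised from 10 or 13 digits to milliseconds, the send time is stored under the last 13 characters of the ID, and the elapsed time is compared with a threshold. The 2s threshold is taken from the article's result; the method names and the idea of passing the message's send time as a string are my assumptions.

```java
import java.util.HashMap;
import java.util.Map;

public class GrabTimer {
    // The article measures manual grabs at roughly 4s-5s and treats under 2s as a plugin.
    static final long SUSPICIOUS_MS = 2000;
    private final Map<String, Long> sentAt = new HashMap<>();

    // Both 10-digit (seconds) and 13-digit (milliseconds) timestamps appear; normalise to ms.
    static long toMillis(String ts) {
        ts = ts.trim();
        if (ts.length() == 10) return Long.parseLong(ts) * 1000L;
        if (ts.length() == 13) return Long.parseLong(ts);
        throw new IllegalArgumentException("unexpected timestamp length: " + ts);
    }

    // paymsgid (from the message XML) and enc (from the details page) differ but share
    // their tail, so the last 13 characters are used as the map key.
    static String key(String id) {
        return id.length() <= 13 ? id : id.substring(id.length() - 13);
    }

    // Called from the message interceptor when a red envelope message arrives.
    void onRedPacketMessage(String paymsgid, String sendTime) {
        sentAt.put(key(paymsgid), toMillis(sendTime));
    }

    // Elapsed milliseconds between send and grab, or -1 if the send was never observed.
    long elapsedMillis(String enc, String grabTime) {
        Long sent = sentAt.get(key(enc));
        if (sent == null) return -1;
        return toMillis(grabTime) - sent;
    }

    boolean looksAutomated(String enc, String grabTime) {
        long e = elapsedMillis(enc, grabTime);
        return e >= 0 && e < SUSPICIOUS_MS;
    }
}
```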

To make everyone's grab time visible in the interface, we need to modify the list information, which means hooking the getView method of the list adapter. We know getView is called every time an item is displayed; let's look at the logic of its implementation:


The code here is also very ordinary, nothing difficult. We need to find the TextView that displays the time in the interface and change its content to the grab timing information. The method is relatively simple: convert the ID value to hexadecimal, look up the corresponding ID name in public.xml, and then view the layout file. First we find the item layout file: convert the decimal value above, 21,313,626,020, to hexadecimal and look it up in public.xml:


We locate the layout file, which is v6.xml, and open it:


Here the layout hierarchy is an outer LinearLayout whose second child view is a LinearLayout, which in turn contains several TextViews that display information. Next we find the TextView that displays the time. This is relatively simple, because from the field information printed above we know that enc is the timestamp information; looking at the code, erq displays the timestamp information:


Convert the decimal value 2131167693 to hexadecimal and look it up in public.xml:


Then find the control with ID b45 in the layout file above:


We can see that this is the 4th child TextView in the inner LinearLayout. It is important to note the order and index values of the child controls, because we will use the index value to find the corresponding TextView control. Now let's look at the code implementation directly:


The code implementation is relatively simple and is divided into three steps:

Step one: hook the getView method to get the item's index in the list, and use the ix method from before via reflection to get the data of the corresponding item, including the timestamp and ID value.

Step two: use the red envelope's ID value to look up, in the global map structure, the timestamp at which the red envelope was sent, and calculate the grab time.

Step three: through the View returned by the method, retrieve the TextView that originally displays the time. It is important to note that calling getChildAt must rely on the index value of the child control.
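The three steps above as an added example, not the article's own implementation. It assumes the adapter class has already been obtained from the secondary dex, that the item's fields are named enc and timestamp, that the elapsed-time lookup is supplied by the caller, and that the child-index path to the time TextView is root LinearLayout -> 2nd child -> 4th child, as read from v6.xml; the interface name, TIME_PATH and the display text are mine.

```java
import android.view.View;
import android.view.ViewGroup;
import android.widget.TextView;
import java.lang.reflect.Field;
import java.util.List;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedHelpers;

public class GetViewHook {
    // Supplied by the caller: elapsed ms between send and grab, or -1 if unknown (assumption).
    interface Elapsed { long of(String enc, String grabTime); }
    // Child-index path to the time TextView, assumed from the article's reading of v6.xml:
    // root LinearLayout -> 2nd child (inner LinearLayout) -> 4th child TextView.
    static final int[] TIME_PATH = {1, 3};

    static void hookGetView(Class<?> adapterCls, final Elapsed elapsed) {
        XposedHelpers.findAndHookMethod(adapterCls, "getView",
            int.class, View.class, ViewGroup.class, new XC_MethodHook() {
                @Override protected void afterHookedMethod(MethodHookParam param) {
                    int position = (Integer) param.args[0];
                    // Step 1: the adapter's data list via the ix() method found earlier.
                    List<?> data = (List<?>) XposedHelpers.callMethod(param.thisObject, "ix");
                    if (data == null || position >= data.size()) return;
                    Object item = data.get(position);
                    String enc = field(item, "enc");
                    String grabTime = field(item, "timestamp"); // field name is an assumption
                    if (enc == null || grabTime == null) return;
                    // Step 2: elapsed time from the send/grab bookkeeping.
                    long ms = elapsed.of(enc, grabTime);
                    if (ms < 0) return;
                    // Step 3: walk the returned item view by child index and rewrite the text.
                    View v = (View) param.getResult();
                    for (int idx : TIME_PATH) {
                        if (!(v instanceof ViewGroup) || ((ViewGroup) v).getChildCount() <= idx) return;
                        v = ((ViewGroup) v).getChildAt(idx);
                    }
                    if (v instanceof TextView) {
                        ((TextView) v).setText(String.format("grabbed in %.2f s", ms / 1000.0));
                    }
                }
            });
    }

    // Read a declared field as a string via reflection; null if absent or inaccessible.
    static String field(Object o, String name) {
        try {
            Field f = o.getClass().getDeclaredField(name);
            f.setAccessible(true);
            Object val = f.get(o);
            return val == null ? null : String.valueOf(val);
        } catch (ReflectiveOperationException e) { return null; }
    }
}
```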

After the module is finished, install it and restart the device for it to take effect, then open a red envelope details page and look:


See, this group really has a lot of cheaters: everyone grabbed the red envelope within 2s. If that isn't cheating, what is!

VI. Summary of techniques

That completes the principle of defending against auto-grab red envelope plugins. Let's summarise the knowledge points and skills used:

1. When hooking a multi-dex application, you may get a class-not-found error. Hook the system Application's attach method, get the Context, and use its ClassLoader to load the class.

2. When you want to modify interface data in a hook, the general idea is to find the specified display control, usually by looking up the layout file via the ID value in public.xml. Of course, some layouts may be written in code, which is even easier to find. The specified control can then be located using the layout's hierarchy.

Serious statement: this article has only one purpose, to use a case study to analyse current application reverse-engineering skills. If anyone uses this content for any commercial purpose or illegal profit, all legal liability is borne by that person and has no relationship with the author of this article. So I still sincerely hope everyone reads this article with the aim of technical learning. Thank you very much!

VII. Summary

This article mainly uses the WX application's defence against red envelope plugins as a case study to introduce some problems encountered when using Xposed hooks and their solutions. As for the defence itself, the solution is very simple: judge by the grab time. But this is not one hundred percent accurate, because there are many uncertainties involved, such as network speed, which may affect the measured time at which a red envelope was grabbed. Still, within a certain grab time we can decide whether an auto-grab plugin is being used. To do this more intelligently, it is best to sample the grab information of a number of red envelopes and carry out simple data analysis to determine whether someone really did use an auto-grab plugin.
