Android: publishing a local short video to WeChat Moments

I. Preface

The previous article explained in detail how to write a first WeChat plug-in with the Xposed framework: a dice and rock-paper-scissors cheat. This article continues by showing how to use Xposed to write a second WeChat plug-in, one that can publish a local short video to Moments. As before, we start with the usual preparation. We again work with WeChat version 6.3.9. Preparation:

1. Decompile the APK with apktool. WeChat is not hardened (packed), so decompiling this version of the package is no problem.

2. Open the WeChat package in the visual decompiler JADX. Almost all of the important analysis that follows is done with this tool.

II. Conjecture and hypothesis

With those two steps done, and building on the previous plug-in, the work here should be fairly simple. Remember what the entry point was for the previous plug-in? Readers of that article will know: we analyzed the UI to get a control's ID value and then searched for it globally. This article may not need that approach; it uses another one, described in detail below. Before that, let's look at how WeChat publishes a short video to Moments and jumps to the publishing page:

Now we start with a bold conjecture:

First, this page has several elements: a title, the short video, the geographic location and other information, all of which should be sent to the server with the request. This is somewhat similar to a small-file upload. So how does the page get the video file? The hypothesis is: this page is an Activity that is reached from another page, the information is carried over in the Intent, and since the short video is a file, the Intent should carry its file name.

III. Reverse analysis

With this conjecture we can get started. First get the Activity name of this page, which is simple with a single command: adb shell dumpsys activity top

The page is called SightUploadUI. After decompiling WeChat with JADX, find this class:

We check the onCreate method directly for any Intent parameter parsing, or search the class for getIntent, which also quickly shows where the parsing happens:

The first field is Kdescription. Judging by its name it should be descriptive text, and the setText call in the code that follows confirms that it is the title. We keep looking:

We also find a field KSightDraftEntrance. There is a bit more code around it. It is a boolean, so we put it aside for now, because we can simply try twice, once with false and once with true. Not an obstacle! But no other fields turn up here, which does not match our expectations: where are the remaining elements? The most important one, the video file path, is missing. Recall that onCreate initializes an AE class and passes the current Activity into it, so perhaps the remaining parameters are parsed inside it. Let's go in and look:

Sure enough, three more fields are parsed inside it: KSightThumbPath, KSightPath and sight_md5. Judging by the names, these should be the video-related fields. Anyone with Android development experience can guess that KSightPath is the short video's path, KSightThumbPath is the short video's default cover image, and sight_md5 is the short video's checksum. It already feels like success: we have all five parameters, so we can try it out directly:

Store a short video and a cover image locally, compute the short video's MD5, and finally start this page through an Intent. Leaving the upload process aside for now, we first test whether we can jump to this page and have it display the local short video.

Unfortunately there is a problem: which Activity do we use to start this page? Some readers might write a small app of their own and start the page from that app's Activity. That idea is fine, but I did not try it, because I think WeChat must protect the launching of its Activities, so that other applications cannot start arbitrary WeChat pages. So I did not spend effort on it. We start it from a WeChat page instead. How do we get hold of a WeChat page? That is also simple. Open a chat page and again use the adb shell dumpsys activity top command to view the page:

This is the LauncherUI page. How do we get this page's object? For that we hook with the Xposed framework. The code is as follows:

The code is simple: we hook the page's onResume method. It is a relatively late method in the Activity life cycle, by which point the page has finished initializing, so intercepting it works. In the hook callback, the thisObject field of MethodHookParam gives the object the method belongs to, which is the LauncherUI instance.

Now that we have a WeChat page to launch from, the rest is simple: build an Intent with the five parameters above and start the page directly:

The code is simple. Run the module, reboot the device for it to take effect, then open WeChat and the effect is immediate:

Sure enough it jumps to this page, which means our guess was right. Now tap Send, and sending fails:

There are two possible reasons:

1. The MD5 of the video file was not obtained

2. The video format does not meet the server's requirements: video length and video size

For the second reason there is an answer online: a short video published this way in WeChat can be no longer than 15s and no larger than 1M. So I made the local video meet both limits, tried again, and it still failed. That leaves the video MD5 check. In the code above the MD5 I passed was AAA, because for convenience I had not computed it. So it has to be computed here. Computing a file's MD5 needs no explanation, but unfortunately, passing the file's MD5 still fails. So the assumption is that the value is not the plain MD5 and that WeChat adds its own algorithm. Which raises another question: how do we get this algorithm?

For this we follow the code to see what MD5 value other pages pass when they jump to this page. Do a global search for any one of the five fields. Here, in JADX, global search: sight_md5

We click into the method:

Continue to find out where this method is invoked:

We click in again:

Here the second-to-last argument is the MD5 value. We then look globally for where this variable is used:

Find the place where the value is assigned and click in:

Then look at the kbVar variable in the code above:

Here is the definition of the KB class:

AFL here is the MD5 value. We go on to look for where it is called, but the lookup turns up nothing, probably because the method is abstract, so we have to find where the abstract method is defined, which is an abstract class C:

Then go to class C to view the abstract method A:

And then find where the A method is called:

Continue to see where this method is called:

This time, note that the class this method belongs to is a singleton:

Then keep looking for where this G method is invoked, or do a global search for uses of the Jja variable:

We are back in the MainSightContainerView class, where we see the assignment. The value is assigned to the AFL field, the field of the KB class, and it comes from a method call that computes the MD5 value, with the video path as the argument:

It first checks whether the video file exists and then does the file operation:

The real algorithm is in the A method. We can also see that, because computing a file's MD5 is time-consuming, there is an optimization here: only the first 100KB of the file is hashed:

At last, the truth: it does use the MD5 algorithm, but applies a simple algorithm of its own afterwards. So we can simply copy these three methods straight into our Xposed module code:

Then replace the sight_md5 value in the earlier Intent:

We call this again from the onResume hook, then reboot the device and tap Send:

Sending succeeds, which is exciting. The feature finally works, and we can show off with it later.

Note: when locating where a method is invoked, the search sometimes finds nothing. That does not mean the method is never called; the method may be abstract, in which case tracing it directly does not work, and you have to go to where the abstract method is defined and search globally from there.
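
The first-100KB optimization described above means the digest says nothing about the bytes after the prefix. The following Python sketch is an added example, not code from WeChat or from the original article: it uses plain MD5 over the prefix, does not reproduce the extra step the article says is applied afterwards, and its function names and sample byte strings are constructed for illustration.

```python
import hashlib
import io

PREFIX_LEN = 100 * 1024  # the article says only the first 100KB is hashed


def prefix_md5(stream, limit=PREFIX_LEN):
    """MD5 over at most `limit` leading bytes of a binary stream."""
    digest = hashlib.md5()
    remaining = limit
    while remaining > 0:
        chunk = stream.read(min(8192, remaining))
        if not chunk:  # stream is shorter than the limit
            break
        digest.update(chunk)
        remaining -= len(chunk)
    return digest.hexdigest()


def full_sha256(stream):
    """SHA-256 over the whole stream (the full-file check this example compares against)."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(8192), b""):
        digest.update(chunk)
    return digest.hexdigest()


def compare(original, candidate):
    """Report which of the two checks considers the byte strings identical."""
    return {
        "prefix_md5_match": prefix_md5(io.BytesIO(original))
        == prefix_md5(io.BytesIO(candidate)),
        "full_sha256_match": full_sha256(io.BytesIO(original))
        == full_sha256(io.BytesIO(candidate)),
    }


# Constructed sample data: a 200KB "file", one copy changed only after the
# 100KB prefix, one copy changed in its first byte.
ORIGINAL = bytes(range(256)) * 800
TAIL_CHANGED = ORIGINAL[:PREFIX_LEN] + bytes(len(ORIGINAL) - PREFIX_LEN)
HEAD_CHANGED = b"\xff" + ORIGINAL[1:]

if __name__ == "__main__":
    print("tail changed:", compare(ORIGINAL, TAIL_CHANGED))
    print("head changed:", compare(ORIGINAL, HEAD_CHANGED))
```

The copy changed only after the prefix passes the prefix check and fails the full-file check, so a receiver that needs integrity over the whole upload has to hash all of it on its own side.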

IV. Adding a publishing event

But we are not done. Some readers who try the above will find that WeChat sometimes fails to open and exits as soon as it starts. The reason is that we hooked the onResume method of LauncherUI, and this page is special in that WeChat's home page is also LauncherUI. So when you just want to open WeChat, some initialization may not have finished, and jumping straight to SightUploadUI to publish a video at that moment causes problems. So publishing needs a trigger. For a better experience we make it more user-friendly: add a menu item that triggers the publishing logic when tapped. That raises another question: how do we add our own menu item to WeChat? I think it is a little simpler than the above. We add a submenu item to the menu that pops up after selecting a message in the chat interface:

This is where we add one. Some readers may think this is a lot of trouble, but it is simple: we just need to find where this menu is defined. The steps: first go to the decompiled values/strings.xml file and find the definition of this string:

Its ID is ne. Then global search in JADX: R.string.ne

Note: some readers may wonder why we do not, as in the previous article, look up the integer ID for ne in public.xml and then search for that. WeChat may have applied resource obfuscation: at first the integer value could not be found, and this approach was stumbled upon in the end. So in future, first use the standard approach of looking up the integer value in public.xml, and if that finds nothing, search this way.

Having found the string above, click in:

As you can see, the menu is defined with the ContextMenu class provided by the system. What you need to know about this class: menu items must be added with the add method, which is simple, and its parameters are easy to understand: mainly the menu group ID, the menu ID and the menu name; then set the click event. We continue to look at where this method is invoked:

But tracing this method gives no results, so it is probably an abstract method. Go to where it is defined. View y:

It really is an abstract method. Trace from here:

Click through to the results:

Continue to look at the method and class definitions before this code:

Here is a variable FHR, the callback interface for menu creation, seen above:

It is clear from here that ChattingUI has a static inner class A in which the menu is created. The class defines an FHR variable of the menu-creation callback interface type, and the submenu items are added in the onCreateContextMenu callback method.

That completes the analysis of the menu-creation code. Now for the practice, again with Xposed. What do we hook this time? We hook the static inner class A of ChattingUI, define our own menu-creation interface to replace the FHR variable, and do our work in our callback interface:

The hook code is again simple: define our own callback interface and replace the FHR value. Now look at the interface definition:

This is the key code: the menu item is created in the onCreateContextMenu callback method. The question is how to get the ID of the menu group, for which we go back to the original add-menu code:

It first gets the DD object from the view's tag and then reads its Position property. So our side is simple: we get this value through reflection. The code is as above.

After writing the code, run it again, reboot the device for it to take effect, open a chat and select a message:

The menu option appears, and tapping it jumps to the publishing page:

V. Summary of knowledge and skills

That completes the feature of publishing a local short video to Moments. Below is a summary of the steps in this article and the reverse-engineering techniques to take away:

1. First guess the important elements of WeChat's video publishing page: title, video information, geographic location, and so on. This information is probably passed from another page through an Intent, and what is passed cannot be the whole video data, only the video path.

2. Put the conjecture into practice: use the command to find the Activity name of the video publishing page, then find the class in JADX and analyze the fields it reads from the Intent. Sure enough there are five important parameters: Kdescription, KSightDraftEntrance, KSightThumbPath, KSightPath, sight_md5.

3. Guess the meaning of each of the five fields and run a simple experiment: store a video and a cover image locally, construct an Intent in code, and start the page.

4. Starting the page raises a problem: WeChat should have launch protection on its pages, so that some pages can only be started from other pages of the application, which means we need a WeChat page. Here it is the chat interface: use the adb command again to get the chat page's class name, hook the page's onResume method with Xposed, and launch the video publishing page from the hook.

5. The experiment shows the page can be launched directly, so the conjecture in step 1 was right and the fields were guessed correctly, but tapping Send fails. Analysis gives two possible reasons: one is that the WeChat server limits the duration and size of published videos, the other is that the video's MD5 is wrong. After adjusting the local video's size and duration the experiment still fails, so the video's MD5 must be computed incorrectly; WeChat has its own algorithm, and we have to find its logic.

6. Next is the regular route of tracing method calls with JADX's usage search. The technique learned along the way: if a method appears never to be called, it may be abstract, and tracing only gives results once you continue from the place where the abstract class defines it.

7. The trace finally reaches the MD5 algorithm. To keep things simple we copy the few methods over directly and use them to compute the video's MD5; after that the experiment shows sending succeeds.

8. Finally there is one more problem: many of WeChat's pages are LauncherUI, so hooking its onResume method and sending the video from there causes problems and makes WeChat fail to start. So an event is needed to control the send operation.

9. Selecting a message in the chat page pops up a menu, and we decide to add an item there to trigger the send operation. To locate where the menu is created we use the resource-ID search from the previous article, but note that WeChat may apply resource obfuscation, which makes searching by the ID value fail, so in the end we search for R.string.xxx instead.

Techniques learned:

1. A new entry point for reversing: locate the page quickly with the adb shell dumpsys activity top command.

2. When tracing in JADX finds no results, the method may be abstract; find the original definition of the abstract method and continue tracing from there.

3. WeChat may apply resource obfuscation (as may other APKs you meet later). If looking up the ID value through public.xml gives no result, search directly for R.xxx.xxx.

VI. Notes

1. This article could go one step further: with our own menu item popping up when a message is selected in the chat interface, we can get the message's type (video, text, picture, emoticon, etc.) and its content, and share it directly. That requires parsing the content of the selected message. This is already done in this article's project code, so I will not analyze it here.

2. This article uses WeChat 6.3.9, so the methods hooked here are:

The onResume method of com.tencent.mm.ui.LauncherUI.

com.tencent.mm.ui.chatting.ChattingUI.A, to replace the value of the FHR variable.

Class names change with each version's obfuscation, so do not blindly reuse the code mentioned in this article. Understand the whole reverse-engineering flow first; analyzing each version on its own terms is the right way.

Solemn statement

This article has only one purpose: to share more reverse-engineering knowledge and techniques, with no commercial purpose. If anyone uses this knowledge for commercial purposes, all legal liability rests with that person and has nothing to do with this article or its author. I also sincerely hope that every reader reads it in the spirit of learning the technology.

VII. Summary

This article introduced using the Xposed framework to make WeChat send a local short video. Personally I find the feature useful, though it may not be for some people, because very few people publish videos to Moments, and even if the traffic restrictions were lifted it would not have much effect. WeChat does in fact place many restrictions on short videos, and they are enforced on the server side: video verification, length, size and so on. This also shattered the author's dream of publishing movies of several GB to Moments. Finally, I hope every reader can learn more reverse-engineering techniques from this article. Writing a reverse-engineering article like this is exhausting every time and leaves the author feeling drained, so please remember to like it after reading, and a tip would be even better!
