Android enables wechat circle of friends to send local video

1、 Foreword

The previous article has described in detail how to use the xposed framework to write the first wechat plug-in: dice shaking and fist guessing cheater. This article continues to introduce how to use the xposed framework to write the second wechat plug-in, which can publish local small videos to the circle of friends. Before that, we still need to have the old routine and make preparations. Here we still use wechat version 6.3.9 for operation. Preparations:

1. Using apktool tool for decompilation, wechat has no reinforcement protection, so there is no problem in decompilating this version of wechat package.

2. Open the wechat package with the help of the visual decompiler jadx, which is used for almost important subsequent analysis.

2、 Conjecture and hypothesis

After completing the above two steps and based on the previous plug-in, our operation should be very simple. Do you remember the breakthrough of the previous plug-in? Students who have read this article should understand the breakthrough of obtaining the ID value by analyzing the controls of the interface, and then global search. In fact, this article may not need this method, but another method. Let's introduce it in detail below. Before that, let's take a look at the normal way wechat releases small videos to the circle of friends. It will jump to this release page:

Then we're going to start a bold guess:

First, some elements of this page: title, small video, geographic location and other information, which should be carried to the server when publishing is requested. This is a bit similar to the upload function of small files. So how did you get the file of this video. Then the assumption can be made: this page is an activity page, which may jump from other pages, and these element information will be carried over through intent, while the small video is a file, so it should carry the name of the file.

3、 Reverse analysis

With this conjecture, we can start the operation. First, we can get the activity name of the page. This is relatively simple. We can directly use a command: ADB shell dumpsys activity top

See that the name of this page is sightuploadui. After decompiling wechat with jadx, we find this class:

We can directly check whether the oncreate method resolves the intent parameter, or we can search the getintent field globally in this class, or we can quickly get the resolved place:

When you see the first field kdescription, it should be the description information from the name of the field, and it can be confirmed from the settext call in the following code that this is the title information. We continue to find:

Another field ksightdraftentrance is found. This code is a little too much. It is a boolean type, so it doesn't matter first, because even if you try later, you will operate twice, false once and true once. It's okay! However, we can't find other fields here, but this is different from our expectation. How many elements are missing? The most important video file path does not exist, so it should be remembered that an AE class in oncreate method passed in the current activity during initialization, so it may continue parameter analysis internally. We can go in and have a look:

Sure enough, there are three fields to parse inside him: ksightthumbpath, ksightpath and sight_ md5； In terms of field naming, I guess this should be the field related to video information. As long as students with Android development experience can guess here: the ksightpath field is the short video path, and the ksightthumbpath is the default cover image of the short video_ MD5 is the check value of short video. In fact, we feel that we are about to succeed. With these five parameters, we can directly try the operation:

Store a short video and cover image locally, then calculate the MD5 code of the short video, and finally start this page through intent. Regardless of the later upload process, we can test that we can successfully jump to this page to display the local small video function.

Unfortunately, we have a problem here, that is, how to obtain the activity of the startup page? Which activity is used to start him? Some students may do this? Write a small program directly and simply, and then start the page with the activity of the small program. This guess is OK, but I didn't try, because I think wechat has done activity startup security protection, so it's impossible to start any page in wechat in other applications. So I don't have that trouble here. But think of using wechat's own page to start him, so how to get another page of wechat? This is also simple. We can open a chat page and continue to use the ADB shell dumpsys activity top command to view the page:

OK, this is the launcher UI page. How do you get this object under this page? At this time, you need to hook with the help of the xposed framework. The code is as follows:

See, the code is very simple. We use the onresume method of the hook page. Because the page has been initialized at this time, it is a relatively late method in the whole activity life cycle, so we can intercept it. Then use the thisobject attribute of methodhookparam in the interception callback to get the object to which this method belongs, that is, the launcherui type.

Well, now that the wechat startup page is available, it's simple to directly construct the above five parameters to get intent to start directly:

The code is very simple. We directly run the module, restart the device to take effect, and then open the wechat interface to see the effect instantly:

Sure enough, we jump to this page, which means our guess is right. Next, we click send and find that the sending failed:

There may be two reasons:

1. Didn't get the MD5 code of the video file right

2. The video format does not meet the requirements accepted by the server: the length and size of the video

The second reason is that there is an answer on the Internet, that is, the length of the small video released by wechat cannot exceed 15s and the size cannot exceed 1m. So here I made the local video to meet these two standards, and the operation again still has such a failure effect. Then it is possible to guess that there is a problem with the MD5 code verification of the video. It can be seen that the MD5 code I passed in in the code is AAA. I didn't get it for convenience. But it has to be written here. The MD5 code of the file is not explained here, but unfortunately, the MD5 file failed. At this time, I guess he may not be the true MD5 value, but may have added his own algorithm. So here comes another question, how to get this algorithm?

At this time, you need to track the code to see what MD5 code is when other pages jump to this page? We can do this by globally searching any of the five fields. Here, we can globally search in jadx: sight_ md5

We click to enter the view method:

Continue to find out where this method was called:

We continue to click to view:

Here we see that the penultimate parameter is the MD5 code value. Let's search globally where this variable is used:

See the assignment here, click to enter the view:

Then look at the kbvar variable. In the above code:

Here we can take a look at the definition of this KB class:

The AFL here is the MD5 code value. We continue with the a method above to see where it is called, but the search is ineffective. Because this method may be abstract, we have to find the place where it is abstractly defined. Above is an abstract class C:

Then enter class C to view the abstract method a:

Then find the place where the a method is called:

Continue to see where this method is called:

At this time, let's take a look. The class of this method is a singleton:

Then, you can continue to check where this g method is called, or search the use of JJA variable globally:

Returning to the mainsightcontainerview class just now, you can see the assignment place, and the assignment is for the AFL field. This is the field value in the KB class seen above. Here, a method is still called to calculate the MD5 code value, and the passed in parameter is the video path:

Here, first judge whether the current video file exists, and then operate the file:

The real encryption algorithm is in method A. It can also be seen here that since calculating the MD5 code of the file is time-consuming, an optimization is made here. Only the first 100kb data of the file will be calculated:

Hey, the truth is finally revealed here. I see that he did use the MD5 algorithm, but he improved a simple algorithm later. Therefore, for simplicity, we can directly copy these three methods into our xposed module code:

Then put the sight in the previous intent_ Replace the MD5 field value:

At this time, we call it again in the onresume method of the previous interception, then restart the device to take effect, and click send:

Ha ha, you can see here that it is so exciting to send a successful Lala. Finally realized this function. You can pretend to be forced in the future.

Note: in the above, we can locate where a method is called. Sometimes we can't find it, but it doesn't mean that the method is not called, but because the method is abstract and direct tracking may have no effect. At this time, we need to go to the definition place of the abstract method and search globally.

4、 Add publish event

However, whether we have finished this operation here is actually not, because some students will find in the above practice that sometimes wechat cannot be opened and will flash back as soon as it is opened. In fact, this reason is that although we have intercepted the onresume method of the launcherui page, the unique feature of this page is that it is also the home page in wechat, So it is possible that you just want to open the wechat page and some initialization operations are not completed. At this time, you will immediately jump to the sightuploadui page to publish the video, which will cause problems. Therefore, there is a trigger time to release video. In order to better experience the effect, we decided to be more humanized, that is, add a menu to trigger the video release logic when it can be clicked. So another question is how to add a menu we want in wechat? I think this is simpler than the above one. We are going to add a submenu to the pop-up menu after selecting a message in the chat interface:

Here we add one item. Some students think it may be troublesome. In fact, it is very simple. We just need to find the place where the menu is defined. Take a look at the steps directly: it's easy to get the definition of this menu. First, find the definition of this string in the decompiled values / strings.xml file:

Get his ID value as ne, and then search globally in jadx: r.string.ne

Note: some students here may be curious. In the previous article, didn't you have to find the ID integer value corresponding to NE in public.xml and then search globally? This may be related to the resource confusion work done by wechat. At first, it was not found through integer value, and finally it was found inadvertently in this way. Therefore, in the future, we can use the standard scheme to find the integer value corresponding to the ID in public.xml. If it is not found, we can use this method to find it.

Find the definition of this string above and click to enter it directly:

You can see that the ContextMenu class provided by the system is used for menu definition. You need to understand this class here. You must use the add method to add the menu later, but this method is still relatively simple. The parameters are easy to understand, mainly the ID value of the menu group, the ID value of the menu itself, the menu name, and then set the click event. Let's continue to see where this method is called:

However, this method tracking has no result. I guess it may be an abstract method, so I go to the place defined by it to check the Y class:

Sure enough, it is an abstract method, which can be tracked here:

Click search results:

Continue to look at the method and class definitions before this Code:

Here is a variable FHR, that is, the callback interface created by the menu. View it above:

From here, we can see that there is an internal static class A in chattingui. Start to create a menu in this class, then define an FHR variable to represent the callback interface type of menu creation, and then add a submenu in the oncreatecontextmenu callback method.

Well, we have analyzed the menu creation code above. Now we will start practicing. We still have to intercept it with the help of xposed. Which one will be intercepted this time? We can intercept the static internal class a of chatingui, and then define a menu creation interface to replace the value of FHR variable. Finally, we just need to operate in our callback interface:

The interception code here is also relatively simple. It is mainly to define our own callback interface, and then replace the FHR value. Let's take a look at the interface definition:

Here is the key code. Create a menu in the oncreatecontextmenu callback method, but there is a problem here: how to get the ID value of the menu group. We have to go back to the beginning and add the menu code:

As you can see, he first gets the DD object through the tag of the view, and then calls the position attribute. Then our operation is simple. We can get this value by continuing to use the reflection mechanism. Code above.

After the code is written and run again, restart the device to take effect, open a chat room, and then select a message:

Haha, you can see this menu option. After you click it, you can jump to the release page:

5、 Summary of knowledge and skills

Well, here we have completed the function of how to publish local small videos to the circle of friends mentioned in this article. Here are the implementation steps and reverse skills we can learn:

1. First, I guess several important element information in the page where wechat releases video: title, video information, geographical location, etc. then these information may be transmitted through intent on other pages, so it should not be possible to transmit the whole video data, but the video path.

2. Practice with conjecture. Use the command to find the activity name of the page publishing the video, and then find this class in jadx. Analyze the fields in intent. Sure enough, you can get five important parameter information: kdescription, ksightdraftentry, ksightthumbpath, ksightpath, and sight_ md5。

3. Then, with these five fields, guess the meaning of each field again, and then directly do a simple experiment, store the video and cover map locally, and then construct an intent in the code to start.

4. However, when starting the page, we found that wechat should check the security of page startup. Some pages can only be started on other pages in the application, so we still need to get a page in wechat. Here we use the chat interface. We still use the ADB command to obtain the class name of the chat page, and then use xposed to intercept the onresume method of this page, and then start publishing the video page after interception.

5. After the experiment, we found that since it can be called directly, it means that the first step above is right, and we also guessed the fields correctly, but at this time, we found that the click to send failed. Then, it is analyzed that there are two reasons for the failure: one is that the wechat server limits the time and size of the published video, and the other is that the MD5 code of the video is calculated incorrectly. After modifying the size and duration of the local video, we found that the experiment still failed, so we can guess that the MD5 code of the video was calculated incorrectly. Wechat has its own algorithm, so we have to find the logic of the algorithm.

6. The following is the general route, which is tracked with the help of jadx's find method call function. A skill learned in this process is that if a method is found not to be called, it may be because the method is abstract. Specifically, you have to go to the place defined in the abstract class to continue tracking.

7. Finally, we tracked the MD5 code algorithm. For simplicity, we directly copied those methods, changed them and used them directly to calculate the MD5 code of the video. After another experiment, we found that the transmission was successful.

8. Finally, I found a problem that many wechat pages are called launcherui. Therefore, if the onresume method of this method is intercepted and then the video is sent, there will be a problem, resulting in wechat startup failure. So here we want to get an event to control the sending operation.

9. After selecting a message on the chat page, you can pop up a menu option and decide to add an item here to trigger the sending operation. The method of finding the resource ID mentioned in the previous article is used in the process of creating the menu. However, it should be noted that wechat may have made a resource confusion strategy, resulting in the failure of this method to find the ID value, Finally, it is found directly by using r.string.xxx.

Skills learned:

1. For a new reverse breakthrough, quickly locate the page and use the ADB shell dumpsys activity top command.

2. If no results are found during method tracking using jadx, the method may be abstract. You need to find the original definition of the abstract method and continue tracking.

3. When wechat may cause resource confusion (or encounter APK with resource confusion in the future), if you find that you can't find the result through the ID value in public.xml, you can directly use r.xxx.xxx to find the ID value.

6、 Explain

1. In fact, this article can also do an effect, that is, when we see the chat interface and select a message, a menu defined by ourselves pops up, which can obtain the type of the message (video, text, picture, expression, etc.) and specific information, and send it directly for sharing. This requires parsing the selected message content. Of course, this has been done in the project code of this article. I won't do analysis here.

2. Because wechat version 6.3.9 is used in this article, the interception methods here are:

Onresume method of com.tencent.mm.ui.launcherui.

Com. Tencent. Mm. UI. Chatting. Chattingui. A to replace the FHR variable value.

For each version, the class name will change after confusion, so don't blindly use the code mentioned in this article to practice. First understand all the reverse processes, and the specific analysis of the specific version is the king.

Serious statement

The purpose of this paper is only one, sharing more reverse knowledge and reverse skills, without any business purpose operation. If someone uses this knowledge to achieve any business purpose, all legal liabilities will be borne by the operator himself. It has nothing to do with this article and the author. I sincerely hope that every reader can read with the attitude of technical learning.

7、 Summary

This paper introduces in detail the function of sending local small videos by wechat using xposed framework. I think this function is still useful, but it may not be so useful for some people, because few people publish videos in the circle of friends now, because even if it is published, it will not have any effect due to traffic restrictions. Then, in fact, wechat still has many restrictions on small videos, and these restrictions are carried out on the server, such as video verification, duration, size, etc. This also shattered Xiao Bian's dream of releasing a few gigabytes of film to his circle of friends. Finally, of course, I still hope that every reader can learn more reverse skills from this article. If Xiaobian doesn't write such a reverse article, he will be very tired and feel like he has been hollowed out, so we must remember to praise more after reading it. If there is a reward, it will be better!