Principle analysis of an Android WeChat dice-shaking and fist-guessing cheat

1、 Foreword

In a previous article, Principle Analysis and Use Cases of the Xposed Framework, we introduced in detail an Android hooking tool, Xposed: how to install the framework and how to write a first module that uses the Xposed library to modify system methods. That article also made a very important point: the hardest part of the hook process is finding the hook point, which many students find very difficult. Modifying system methods is easy, because you can simply read the corresponding Android source code; but if you want to write a plug-in for a third-party app or game, the first step is to crack (reverse) that app and locate the hook point, and that step is hard. The only way to get better at it is to reverse more targets and slowly accumulate experience.

2、 Hypothesis

With the help of the Xposed framework from the previous article, this article shows how to write a WeChat plug-in: a cheat for WeChat's dice and rock-paper-scissors emoticons. Everyone knows this WeChat feature is commonly used: group chats get boring, so people play this quick game and the loser sends a red envelope. The feature must involve randomness, and that random method must live somewhere in WeChat's code. If we find it, we can hook it, intercept the call, and return the maximum value, that is, the value we want.

3、 Preparatory work

The above roughly covers the principle and use of this feature; we won't say more about it and will get straight to work. This article uses an old WeChat version for testing: wechat 6.3.9.apk. The first step is to reverse WeChat, for which we need to do two things:

First, decompile the APK with apktool. Needless to say, WeChat does not harden (pack) the application, so the decompilation goes through normally.

Second, open the WeChat APK in the visual decompiler jadx. The WeChat app is very large, so you have to wait a while before it opens.

4、 Reverse analysis

Now let's calmly analyse where to start. After the decompilation above succeeds, we still need an entry point. That is simple: the random function we want produces the visible effect of a dice roll, so we open a WeChat chat dialog and tap the dice emoticon:

Tapping the dice must call the random function to obtain the random value, so that tap is our entry point, and the first step is to find its click event. To find the click event we first need the definition of the control. So how can we quickly find the control's definition? I introduced this technique in my earlier article on WeChat's automatic red-envelope grabbing, where we used the same method to locate the red-envelope control. The method relies on a tool shipped with the Android SDK: uiautomatorviewer.bat, located in the tools directory of the SDK. Run it and you see this interface:

Leave the device on the chat dialog, then click the button in the upper-left corner of the tool to dump the layout of the current screen. The result shows that the dice is a custom control, com.tencent.mm.ui.MMImageView, with ID ae7. This value is critical; it is what we will use for step-by-step tracking later. Let's also look at the detailed layout of the emoticon area:

I guess there is a ViewPager around the emoticon area for swiping between pages, and each page uses a GridView for the grid of cards. That tells us the click event is either attached to the view with setOnClickListener in the getView method of the GridView's adapter class, or added as an onItemClick event on the GridView itself.

OK, let's keep tracking. Since we have the ID of the dice control, we can search for this value globally. There is a catch: WeChat obfuscates its resources, which both improves security and reduces package size. Unzip the APK and look at its res directory and you will find it full of single-letter folders; and from the ID name above, no WeChat engineer would seriously name an ID ae7. This brings up another point from my earlier article on the attack-and-defence battle of Android applications: after apktool decompiles an APK, every resource ID value is saved in a public.xml file in the values directory, which records the mapping between each resource's ID value, name and type. Decompiled code generally does not access controls as R.id.xxx but through the resolved ID value, in decimal. So we take the ID name ae7 and look up its hexadecimal value in public.xml:

Note:

Searching for ae7 turns up multiple matches, which must be distinguished by the type field. The type field takes many values, such as layout, drawable, string, attr, id, and so on. Since what we have here is a control definition, we want type = id.

After finding this entry, convert the hexadecimal ID value to decimal: 0x7f07060e = 2131166734

With this value in hand it's easy: search for it globally in the WeChat APK opened in jadx:

Unfortunately, it isn't found, and this is where the pain starts; it is also the biggest obstacle in the reversal. After thinking for a long time, I suddenly remembered that when I reversed WeChat's local address-book data earlier, I found WeChat uses a multi-dex (subpackaging) technique: the package is too large, and because Android limits the number of methods per DEX, the APK has to be split. For details see my article on application splitting (multidex) in Android. After decompilation we don't see multiple DEX files, so we guess the secondary DEX must sit in a local directory and be loaded by the main DEX when the app starts. Browsing the decompiled directory, we find it in the assets directory:

This is the secondary DEX file. Here it has been converted into a jar file, so we first unzip the jar to get the corresponding DEX file, then open a second jadx window on the secondary DEX and search for the value above globally:

Yes, the definition of this control is finally found. Click the first result to check it:

Looking at this class, we find a getView method:

From this we can judge that the class is a BaseAdapter, but there is no click event for the control in getView, so we guess it is an onItemClick event added externally on the GridView. Select the class name and right-click to find where the class is used; this jadx function is very practical:

Click find, and there are many call sites:

From the parameter of the first item, we can guess it is the GridView type, and here we seem to see the dawn of victory:

Then view the definition of the smileyGrid variable:

It is of type SmileyGrid. Search for this class globally to see its definition:

Sure enough, it is a GridView, and it has the onItemClick method we were hoping for. Let's analyse the logic of this onItemClick method:

I didn't find a clever way here and didn't want to dig deep into tracking; since there are not many branches, I tried each method in turn and found it to be the last method, a. Click into it to check the logic:

We need to think a little here. Tapping the dice produces no dialog and no toast, so only two branches are likely to execute. Trying them in turn shows it is the first branch, that is, the method h.a.amz.B() is executed. Look at the class's import to get its fully qualified path:

This class is not in this DEX, so I guess it is in the main DEX. Sure enough, the class definition is found there. Enter the class to look at it in detail:

Continue to the definition of the B method:

Damn, the B method here returns null. If null were returned, the click event above would do nothing, which doesn't match what actually happens, so we guess the field IOP is assigned somewhere else. Let's look at the definition of IOP:

The definition shows that it may be assigned elsewhere, so we search for the variable name IOP globally:

The only search result is still the code that returns null, so we continue searching in the other DEX:

Here an assignment is found. Click to view it right away:

Then view the definition of the PD method:

Continue to the definition of this G class:

In its B method there is a call to bb.pu. This method is suspicious because the final return values all depend on it, and it is not in this DEX, so look at its import to find the fully qualified path, then check the definition in the other DEX:

Here you will be excited, because victory is in sight: the obvious random method has finally been found. From the random formula you can see that this method returns a random value between 0 and i: for the dice it should be a value between 0 and 6, and for fist-guessing a value between 0 and 3. So this method is 100% the random function.

5、 Reverse-engineering skills to master

We have now found the place we want to hook. The reversing above shows that the WeChat project is huge and reversing it is hard for us; fortunately, we have some powerful tools to locate things quickly. Here is a summary of what this article's reversing taught us:

First, to find the click-event entry of a control in the app you are reversing, follow these steps:

1. Use the UI analysis tool (uiautomatorviewer) to get the ID name of the target control

2. Look up that ID name in values/public.xml of the decompiled output and convert the value to decimal

3. Use jadx's global search to find this decimal value

These steps apply to the click-event entry of a control in any application; the technique is very effective and general.

Second, since the WeChat project is huge, it is necessarily split into more than one DEX file. When we write further WeChat plug-ins later, we must keep this in mind during analysis.

Third, two powerful jadx features play a very important role in this article: finding a method's call sites and global search.
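The public.xml lookup described earlier and steps 1 to 3 above (plus the multi-DEX point) can be scripted. The following is an added example, not code from the article or from WeChat: it parses a constructed public.xml fragment, selects the entry by name and type, converts the hex ID to decimal, and then scans the decompiled sources of several DEX outputs in one pass for any spelling of that literal, so the main and secondary DEX outputs need not be merged first. The sample public.xml entries, the source paths and the class names are invented; only the name ae7 and the value 0x7f07060e = 2131166734 come from the article.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed sample of an apktool-generated res/values/public.xml. The real
# file is far longer; these entries are invented to reproduce the situation
# in the article: the obfuscated name "ae7" is reused by several resource
# types and only the type="id" entry carries the 0x7f07060e value.
SAMPLE_PUBLIC_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <public type="attr" name="ae7" id="0x7f010123" />
    <public type="drawable" name="ae7" id="0x7f020456" />
    <public type="layout" name="ae7" id="0x7f030789" />
    <public type="id" name="ae7" id="0x7f07060e" />
    <public type="string" name="ae7" id="0x7f0a0abc" />
</resources>
"""

# Constructed stand-ins for jadx output of two DEX files (main and secondary).
# Paths, class names and code are invented; only 2131166734 is from the article.
SAMPLE_SOURCES: List[Tuple[str, str]] = [
    ("main_dex/com/example/ui/ChatFooter.java",
     "public class ChatFooter {\n"
     "    static final int SOME_OTHER_VIEW = 2131166733;\n"
     "}\n"),
    ("secondary_dex/com/example/ui/SmileyAdapter.java",
     "public class SmileyAdapter extends BaseAdapter {\n"
     "    public View getView(int i, View v, ViewGroup g) {\n"
     "        ImageView iv = (ImageView) v.findViewById(2131166734);\n"
     "        return v;\n"
     "    }\n"
     "}\n"),
]


def resolve_resource_id(public_xml: str, name: str, rtype: str = "id") -> int:
    """Return the integer resource ID for (rtype, name) from public.xml text.

    Several resource types can share one obfuscated name, so the type is
    required to select the right <public> entry; the hex id attribute is
    converted to the decimal form that decompiled code uses.
    """
    root = ET.fromstring(public_xml)
    matches = [el for el in root.iter("public")
               if el.get("name") == name and el.get("type") == rtype]
    if not matches:
        raise KeyError(f"no <public type={rtype!r} name={name!r}> entry")
    if len(matches) > 1:
        raise ValueError(f"ambiguous entry for type={rtype!r} name={name!r}")
    return int(matches[0].get("id"), 16)


def literal_forms(value: int) -> List[str]:
    """Spellings a decompiler may emit for one resource ID."""
    return [str(value), f"0x{value:08x}", f"0x{value:08X}"]


def scan_sources(sources: Iterable[Tuple[str, str]], value: int) -> Dict[str, List[str]]:
    """Return {path: ["lineno: line", ...]} for every line that uses `value`.

    Token boundaries are enforced so 2131166734 does not match 21311667345.
    """
    alternatives = "|".join(re.escape(f) for f in literal_forms(value))
    pattern = re.compile(r"(?<![0-9A-Za-z_])(?:" + alternatives + r")(?![0-9A-Za-z_])")
    hits: Dict[str, List[str]] = {}
    for path, text in sources:
        for lineno, line in enumerate(text.splitlines(), start=1):
            if pattern.search(line):
                hits.setdefault(path, []).append(f"{lineno}: {line.strip()}")
    return hits


def walk_java_sources(roots: Iterable[Path]) -> Iterator[Tuple[str, str]]:
    """Yield (path, text) for each .java/.smali file under every decompiled
    root, so the main and secondary DEX outputs are searched in one pass
    instead of being merged first."""
    for root in roots:
        for p in sorted(Path(root).rglob("*")):
            if p.is_file() and p.suffix in {".java", ".smali"}:
                yield str(p), p.read_text(encoding="utf-8", errors="replace")


def find_control_usage(public_xml: str, sources: Iterable[Tuple[str, str]],
                       name: str, rtype: str = "id") -> Tuple[int, Dict[str, List[str]]]:
    """Steps 2 and 3 of the article's procedure in one call."""
    value = resolve_resource_id(public_xml, name, rtype)
    return value, scan_sources(sources, value)


if __name__ == "__main__":
    value, hits = find_control_usage(SAMPLE_PUBLIC_XML, SAMPLE_SOURCES, "ae7")
    print(f"ae7 (type=id) -> {value} ({value:#x})")
    for path, lines in hits.items():
        for entry in lines:
            print(f"  {path}:{entry}")
```

On a real decompilation, replace SAMPLE_SOURCES with walk_java_sources([Path("main_dex_out"), Path("secondary_dex_out")]) pointing at the jadx output directories of each DEX; the hit in the secondary-DEX file is exactly the case in the article where the first jadx search came up empty.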

Additional notes:

In this article we saw that finding the corresponding methods across multiple DEX files is awkward. A workaround: with all of the app's DEX files in hand, first convert each into its Java classes, then merge them. Here Beyond Compare can merge several different folders together:

After merging, use the tools to convert the result back into a DEX file, which completes the merging of multiple DEX files. In this project we can also make clever use of another powerful jadx feature: saving the decompiled content locally:

One advantage is that the DEX in the APK is saved as Java files, all resources are decoded and the specified XML files are saved, and the final result is a Gradle project that can be imported directly into a development tool, which is very convenient. This is especially useful for resource files: earlier we found that apktool did not decompile the XML files, but here they are.

6、 Start the hook operation

Now let's do the hook. The name of the random function was obtained above:

com.tencent.mm.sdk.platformtools.bb.pu(int i)

The hook is simple: after intercepting this method, we decide from the argument whether the call is a dice roll or a fist guess:

First we do a filtering step so that we only hook the WeChat application; then, in the interception, we decide from the argument whether it is dice-shaking or fist-guessing. For dice we return one pip, and for fist-guessing we return scissors.

After writing it, compile it into a module and restart the device for it to take effect. Open a WeChat chat and start shaking the dice:

The printed values show that our conjecture was correct. Let's look at the actual effect:

Hahaha, everything is under control. We have successfully written a WeChat plug-in function. Some students may feel this plug-in isn't very useful; the mainstream plug-ins today can prevent message recall and share videos to Moments, but those features will be explained slowly, don't worry. For this and the subsequent plug-in articles, what I want to convey is that the result is not important; what matters is the whole reversing process, what we learn after each reversal and whether we gain reversing experience.

Supplementary notes:

First point: some students will notice that the method we found appears to be obfuscated, so if WeChat changes its obfuscation one day, the hook will fail. This article uses WeChat version 6.3.9; for other versions I expect the class name of this method to change, meaning that each time WeChat releases a version we have to reverse it again to get the method name. But that is not hard: this article has explained the whole reversing process, so following these steps it will take only minutes to find the method!

Second point: the purpose of this article is to share reversing skills, so please understand that the result is not important; what matters is the whole reversing process, that is, how to find hook points.

Serious statement: the knowledge introduced in this article is shared purely from a technical perspective and is not to be used for any commercial activity or purpose. If any legal issues are involved, the operator is responsible for them; the author of this article bears no legal liability! Please keep to the technical perspective and do not use this commercially!

7、 Summary

This article introduced a simple WeChat plug-in function: a cheat for the dice and fist-guessing emoticons. Throughout the process we saw that finding the hook point is the most critical and the most difficult part, and for WeChat it requires reverse analysis. Along the way we learned some new application-reversing skills and knowledge points. In the future I will continue to share other plug-in features with you; please look forward to it. Meanwhile, please support by spreading and sharing, and give it a like. Writing this article was not easy; my head is about to explode!

The content of this article was collected from the internet by netizens and is provided as a learning reference. The copyright belongs to the original author.