破解某交(y)友(p)app的VIP&&半自动im设备人-天涯论坛

qzmjef 发表于 2024-8-22 15:38:24

破解某交(y)友(p)app的VIP&&半自动im设备人

<h2 style="color: black; text-align: left; margin-bottom: 10px;">案例</h2>
就不放了，某交(y)友(p)app
<h2 style="color: black; text-align: left; margin-bottom: 10px;">致谢</h2>
Youpk环信IM文档hanbing&&r0ysue
<h2 style="color: black; text-align: left; margin-bottom: 10px;">加固简单分析</h2>
拿到app就先拿到jadx中分析，发掘这是360加壳。<img src="https://mmbiz.qpic.cn/mmbiz_png/RQicOzqf0IHYzaUUuLgqPcP9NnSWjJZ9D8w24I9QOuER0yicM6WqTURRKypoTWHgsYHSHQbU6Sd6zIN1SzII0JBw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">这是时候咱们就要祭出脱壳神奇Youpk
 Youpk的操作文档详细能够看Youpk的github，再次感谢Youpk。咱们在吧修复好的dex放在jadx中分析。修复的很给力，亦能够看出源代码基本无混淆，这就更利于咱们的分析了。<img src="https://mmbiz.qpic.cn/mmbiz_png/RQicOzqf0IHYzaUUuLgqPcP9NnSWjJZ9DFIfkS6uIzdOqMdKKulNPmJt2MYXoyp5OfUxQba1fExJEKsDo8vannQ/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
<h2 style="color: black; text-align: left; margin-bottom: 10px;">破解VIP</h2>利用Xposed/Frida破解
咱们首要打开这个app，在主页点到一个人->进去，点击私信，发掘要开通会员才能够呢。<img src="https://mmbiz.qpic.cn/mmbiz_png/RQicOzqf0IHYzaUUuLgqPcP9NnSWjJZ9DrdrkzfMpFHsiaBG16Fsp0ucLNrlB4CV1kX2stJwV5tmr4WAeIaPc9Vg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">此时候就能够 祭出搜索大法。打开jadx-全局搜索这个关键词“作为会员”。<img src="https://mmbiz.qpic.cn/mmbiz_png/RQicOzqf0IHYzaUUuLgqPcP9NnSWjJZ9DaC8zxJnEbxwrom8w3rqLRhNfWEkhUvopJriaP2DbkEeEdib7N2ibiasVPw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">这儿能够看到有两个相同的。进入瞧瞧看。<img src="https://mmbiz.qpic.cn/mmbiz_png/RQicOzqf0IHYzaUUuLgqPcP9NnSWjJZ9DyhcXyybN5agPNxVLEq2IfN8VibbQW9ibMZFJEsxKhOGudzJrcEPe8Msg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">这两处都是，咱们分析一下这两处。第1处 else if (this.isVip <= 1) {new CommomDialog(this, R.style.dialog, true, "作为会员才可私聊哦！", new CommomDialog.OnCloseListener() { /* class com.**.**.main.user.UserInfoActivity.AnonymousClass6 *//* JADX WARN: Type inference failed for: r0v0, types: */ @Override // com.**.**.widget.dialog.CommomDialog.OnCloseListenerpublic void onClick(Dialog dialog, boolean z) { if (z) { UserInfoActivity.this.startActivity(new Intent((Context) UserInfoActivity.this, MembersActivity.class)); dialog.dismiss(); } }}).setTitle("温馨提示").setPositiveButton("开通会员").show(); return;
else if 里面的this.isVip仅有少于1才会进入，亦便是提示让你开通会员。第二处 if (this.isVip > 1) {Intent intent = new Intent((Context) this, (Class<?>) ChatActivity.class); intent.putExtra(UserCacheInfo.COLUMNNAME_USERIDIMID, this.user_id);intent.putExtra("userId", this.user_imid); startActivity(intent); return; } new CommomDialog(this, R.style.dialog, true, "作为会员才可私聊哦！", new CommomDialog.OnCloseListener() {/* class com.**.**.main.user.UserInfoActivity.AnonymousClass8 *//* JADX WARN: Type inference failed for: r0v0, types: */ @Override // com.u**.**.widget.dialog.CommomDialog.OnCloseListener public void onClick(Dialog dialog, boolean z) { if (z) {UserInfoActivity.this.startActivity(new Intent((Context) UserInfoActivity.this, MembersActivity.class)); dialog.dismiss(); } }}).setTitle("温馨提示").setPositiveButton("开通会员").show(); return; } return;
这儿能够看到this.isVip 大于1的话就会提示“开通会员了呢”最后
其实只要进入到this.isVip大于1那不就，，，，嘿嘿嘿
继续分析一下这个isVip是在哪里赋值呢。查询用例。。。。。<img src="https://mmbiz.qpic.cn/mmbiz_png/RQicOzqf0IHYzaUUuLgqPcP9NnSWjJZ9DwrqFazcSKKUElx8AibfrphOSt4BlxJgiamTH6rIyLSnevzdeAnF0cVYw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">找到啦。。咱们改下返回值<img src="https://mmbiz.qpic.cn/mmbiz_png/RQicOzqf0IHYzaUUuLgqPcP9NnSWjJZ9DL3Bod818icYshGUu52ZWvGQPyuYgj9dK6GO7Ox9vnSBDibEB6eAxnnrw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">咱们这儿frida改一下。献上代码
这儿还会有个小问题，便是这块类没在内存加载的时候会报错，此时候点下某人的主页就好了。Java.perform(function () {var pre = Java.use("com.***.***.utils.UncleSharedPreferences"); pre.getInt.overload(android.content.Context, java.lang.String).implementation = function (a1, a2) { return 2; }})
瞧瞧效果。。。<img src="https://mmbiz.qpic.cn/mmbiz_png/RQicOzqf0IHYzaUUuLgqPcP9NnSWjJZ9DSmwTLsk6m3hJUpQRK4b6F0ObKOnPrRqPNzRXPBfBiaZRcuAFUk9TvpQ/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">发过去了。。。然则咱们需要始终用的话就要一个xposed的插件。这儿app采用的360加固，那咱们就不可用常规的classloader进行hook，直接用360壳的classloader进行hook。XposedHelpers.findAndHookMethod("com.stub.StubApp", loadPackageParam.classLoader, "attachBaseContext", Context.class, new XC_MethodHook() { @Override protected void afterHookedMethod(MethodHookParam param) throws Throwable {super.afterHookedMethod(param); Context context = (Context) param.args; ClassLoader classLoader = context.getClassLoader(); classLoaders = classLoader;XposedHelpers.findAndHookMethod("com.***.***.utils.UncleSharedPreferences", classLoader, "getInt", Context.class, String.class, new XC_MethodHook() {@Override protected void afterHookedMethod(MethodHookParam param) throws Throwable { //设置返回值为2 param.setResult(2); } });XposedHelpers.findAndHookMethod("com.***.***.utils.DateUtil", classLoader, "getDayDiff", Date.class, Date.class, new XC_MethodHook() { @Overrideprotected void afterHookedMethod(MethodHookParam param) throws Throwable { param.setResult(0L); } }); } });
好了完美。。。私聊小姐姐（****）们暗坑
最后发掘她们有个体验会员，到期便是放弃（退出）<img src="https://mmbiz.qpic.cn/mmbiz_png/RQicOzqf0IHYzaUUuLgqPcP9NnSWjJZ9D4YSTbPibDlfURfekHZs3T5TibzPBRib2ZYwVbctAXKZyRG4heacfajFgg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">那还能咋办，继续分析
搜索大法<img src="https://mmbiz.qpic.cn/mmbiz_png/RQicOzqf0IHYzaUUuLgqPcP9NnSWjJZ9DSXgEMwibfkywP6YkIVBiaUWMKibWmKxpFn1r3n4jOXFTK616jEvQXy7LQ/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">这儿的if都是&&，一真则真，一假则假。前边几个看着欠好搞，就dayDiff入手，改他返回值，少于3就行了。<img src="https://mmbiz.qpic.cn/mmbiz_png/RQicOzqf0IHYzaUUuLgqPcP9NnSWjJZ9Dw2MBpcgoEFnRsyaILoUaGppHH6qvj0T0Iicng4YgA9dDv3iaLTuPetbw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">代码就不放了。小结
这个vip的破解还是很简单的那种。。。这块其实能够经过拦截请求的方式更改数据包，将vip字段设置一下，没详细分析。<h2 style="color: black; text-align: left; margin-bottom: 10px;">聊天IM&&半自动im设备人</h2>
按照com.hyphenate.chat.EMMessage能够得到这是环信的im聊天，那就很简单了。两种方式实现发信息：1.运用环信sdk，逆向该app的inti环境的有些配置信息，完成发信息。2运用app本身的信息发送办法，用frida或xposed主动调用。这儿因为无pythonSdk，因此采用第二种。<h3 style="color: black; text-align: left; margin-bottom: 10px;">分析信息发送</h3>
这儿咱们上ddms和环信的文档，分析它的调用状况。文档如下发送文本信息//创建一条文本信息，content为信息文字内容，toChatUsername为对方用户或群聊的id，后文皆是如此EMMessage message = EMMessage.createTxtSendMessage(content, toChatUsername);//倘若是群聊，设置chattype，默认是单聊if (chatType == CHATTYPE_GROUP) message.setChatType(ChatType.GroupChat);//发送信息EMClient.getInstance().chatManager().sendMessage(message);
ddms如下<img src="https://mmbiz.qpic.cn/mmbiz_png/RQicOzqf0IHYzaUUuLgqPcP9NnSWjJZ9DcTkicfnTgFic53MVrQfJMrFnso3awIoUwYj7EZWpg5sMAY5d7lGyxQcg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">打开jadx分析这个类代码，能够看到如下<img src="https://mmbiz.qpic.cn/mmbiz_png/RQicOzqf0IHYzaUUuLgqPcP9NnSWjJZ9DWqZ2Lb5jypEwh5MIjCqpZm8N1ZwrR1XwRdvGIyDvTjVLQj31Z4cjrQ/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">发送信息时候，创建了EMMessage.createTxtSendMessage，需要发送文本和对方的id。下面的代码是发送文本信息的 if (this.chatFragmentHelper != null) {this.chatFragmentHelper.onSetMessageAttributes(eMMessage); } if (this.chatType == 2) { eMMessage.setChatType(EMMessage.ChatType.GroupChat); } else if (this.chatType == 3) {eMMessage.setChatType(EMMessage.ChatType.ChatRoom); }EaseUser userInfo = EaseUserUtils.getUserInfo(eMMessage.getFrom(), UncleSharedPreferences.getString(SZApplication.getContext(), UncleSharedPreferences.SP_UID)); eMMessage.setAttribute("avatar", userInfo.getAvatar());eMMessage.setAttribute("gender", UncleSharedPreferences.getString(SZApplication.getContext(), UncleSharedPreferences.SP_USER_SEX));eMMessage.setAttribute("name", userInfo.getNickname()); eMMessage.setAttribute("token", UncleSharedPreferences.getString(SZApplication.getContext(), UncleSharedPreferences.SP_UID));if (UserCacheManager.getImidFromCache(this.toChatUsername) != null) { eMMessage.setAttribute("tokenTo", UserCacheManager.getImidFromCache(this.toChatUsername).getUserId());} else { eMMessage.setAttribute("tokenTo", ""); } eMMessage.setAttribute("nameTo", eMMessage.getTo());eMMessage.setAttribute("avatarTo", UncleSharedPreferences.getString(SZApplication.getContext(), UncleSharedPreferences.SP_TO_USER_AVATAR)); EMClient.getInstance().chatManager().saveMessage(eMMessage);
晓得上边的咱们就能够用frida玩玩。 var to_user_id = 1000477560; var content = 我是一个设备人你信吗; var uid = 1000511189; var EMMessage = Java.use("com.hyphenate.chat.EMMessage");var eMMessage = EMMessage.createTxtSendMessage(content, to_user_id); eMMessage.setAttribute("avatar", "http://***/android/pic/1591284964")//头像eMMessage.setAttribute("gender", "1") eMMessage.setAttribute("name", "看123了看刻录机") eMMessage.setAttribute("token", uid)//自己uideMMessage.setAttribute("nameTo", to_user_id)//对方imid eMMessage.setAttribute("avatarTo", "") eMMessage.setAttribute("tokenTo", to_user_id)var EMClient = Java.use("com.hyphenate.chat.EMClient"); EMClient.getInstance().chatManager().saveMessage(eMMessage)
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">发送之后，需要点进去聊天界面，才会发送过去，并且倘若这个app无缓存这个用户信息，就会闪退。
<h3 style="color: black; text-align: left; margin-bottom: 10px;">处理闪退</h3>
继续ddms，点击私信。<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">搜索startAc，能够看到在UserInfoActivity下<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">分析到如下代码，能够很清楚到看到，这儿吧用户信息存起来了。而后起步聊天的tActivity。 UserCacheManager.save(this.user_id, this.user_imid, this.nickname, this.avatar);EaseUser easeUser = new EaseUser(this.user_imid); easeUser.setAvatar(this.avatar); easeUser.setNickname(this.nickname); if (this.isVip > 1) {Intent intent = new Intent((Context) this, (Class<?>) ChatActivity.class); intent.putExtra(UserCacheInfo.COLUMNNAME_USERIDIMID, this.user_id);intent.putExtra("userId", this.user_imid); startActivity(intent); return; }
这次用xposed实现发送信息和起步ui。 Class EMMessage = XposedHelpers.findClass("com.hyphenate.chat.EMMessage", classLoaders);Object eMMessage = XposedHelpers.callStaticMethod(EMMessage, "createTxtSendMessage", content, to_user_id);XposedHelpers.callMethod(eMMessage, "setAttribute", "avatar", avatar); XposedHelpers.callMethod(eMMessage, "setAttribute", "gender", gender);XposedHelpers.callMethod(eMMessage, "setAttribute", "name", name); XposedHelpers.callMethod(eMMessage, "setAttribute", "token", token); XposedHelpers.callMethod(eMMessage, "setAttribute", "nameTo", nameTo);XposedHelpers.callMethod(eMMessage, "setAttribute", "avatarTo", avatarTo); XposedHelpers.callMethod(eMMessage, "setAttribute", "tokenTo", tokenTo);Class EMClient = XposedHelpers.findClass("com.hyphenate.chat.EMClient", classLoaders); Object getInstance = XposedHelpers.callStaticMethod(EMClient, "getInstance");Object chatManager = XposedHelpers.callMethod(getInstance, "chatManager"); XposedHelpers.callMethod(chatManager, "saveMessage", eMMessage);Class ChatActivity = XposedHelpers.findClass("com.***.***.main.im.ChatActivity", classLoaders);Class UserCacheManager = XposedHelpers.findClass("com.***.***.main.im.cache.UserCacheManager", classLoaders); XposedHelpers.callStaticMethod(UserCacheManager, "save", to_user_id, to_user_id, to_user_id, avatar);Class EaseUser = XposedHelpers.findClass("com.hyphenate.easeui.domain.EaseUser", classLoaders);Object easeUsernewInstance = XposedHelpers.newInstance(EaseUser, to_user_id); XposedHelpers.callMethod(easeUsernewInstance, "setNickname", to_user_id);XposedHelpers.callMethod(easeUsernewInstance, "setAvatar", avatar); Intent intentChat = new Intent(contexts, ChatActivity); intentChat.putExtra("userImId", to_user_id); intentChat.putExtra("userId", to_user_id);contexts.startActivity(intentChat);
这就基本完成为了。
<h2 style="color: black; text-align: left; margin-bottom: 10px;">效果展示</h2>
最后借助NanoHTTPD做了web接口。看下效果
gif传不上来，戳原文看效果吧。
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
<h2 style="color: black; text-align: left; margin-bottom: 10px;">‍‍总结</h2>
这个app比较简单，虽然360加壳，然则经过youpk脱壳之后，发掘基本没混淆。文中是借助ddms分析调用状况。这个能够继续扩展到，hook接收信息，收到信息之后，自动回复信息。接口在com...SZHelper$9.onMessageReceived上，以后有时间再分析写出来。
<h3 style="color: black; text-align: left; margin-bottom: 10px;">参考资料</h3>
 Youpk: https://github.com/Youlor/Youpk

 环信IM文档: http://docs-im.easemob.com/im/android/basics/message

nykek5i 发表于 2024-10-3 23:21:24

你的话语如春风拂面，温暖了我的心房，真的很感谢。

4lqedz 发表于 2024-10-20 08:30:16

你的见解独到，让我受益匪浅，非常感谢。

qzmjef 发表于 2024-10-31 01:24:58

seo常来的论坛，希望我的网站快点收录。

4lqedz 发表于 2024-11-7 22:36:27

seo常来的论坛，希望我的网站快点收录。

页: [1]

天涯论坛's Archiver

破解某交(y)友(p)app的VIP&&半自动im设备人