| 记一次逆向:云视听极光展示"NBA"模块 | 您所在的位置:网站首页 › 云视听极光snm是什么软件 › 记一次逆向:云视听极光展示"NBA"模块 |
|
都说温饱思淫欲,但春节回家吃饱喝足之后,我是真的手痒想敲代码啊......于是乎就想找点事干干,恰好发现家里新买的小米电视安装"云视听极光"没有NBA模块(之前家里的长虹电视能展示),查看了下Q&A发现"云视听极光"在某些设备上无法展示"NBA"的模块 根据官方的说法可以断定:“NBA”模块的展示肯定是通过获取设备型号,厂商等参数来控制的。在代码逻辑层面应该是获取到这些参数,然后将这些信息放到请求中,然后app根据Response动态地展示“NBA”的tab。 因此,我们有两个思路来尝试展示“NBA”模块 从请求入手,修改参数为已知能展示“NBA”设备从响应入手,查看是否有一个flag来控制“NBA”的展示抓包发现http://tv.aiseet.atianqi.com/i-tvbin/user_info/get_apk_functions这个请求很可疑 用jadx-gui打开app搜索get_apk_functions 继续搜索哪里用到了URL_DEVICE_FUNCTION 最后定位到DeviceFunctionRequest类 做过安卓开发的小伙伴们,看到这个类结构应该立马就豁然开朗了:为每一个请求创建一个Request类,添加请求信息并且反序列化响应结果 。 从DeviceFunctionRequest类中可以很明显的看出,该类会把服务器的响应反序列化成DeviceFunctionItem对象,从DeviceFunctionItem类名上看,它似乎好像可能是控制着“云视听极光”拥有哪些功能,但是仔细查看parse方法却发现,他压根就没有处理响应里的is_support_nba字段. // 下面是部分代码 public DeviceFunctionItem parse(String str) { TVCommonLog.i(TAG, "responseString: " + str); DeviceFunctionItem deviceFunctionItem = null; if (!TextUtils.isEmpty(str)) { JSONObject jSONObject = new JSONObject(str); if (jSONObject.getJSONObject(ReportHelper.KEY_RESULT).getInt("ret") != 0) { TVCommonLog.e(TAG, "responseString fail: " + str); } else { deviceFunctionItem = new DeviceFunctionItem(); jSONObject = jSONObject.getJSONObject("data"); deviceFunctionItem.mRotateModel = jSONObject.optInt(DeviceFunctionItem.ROTATE_MODEL); if (TvBaseHelper.getIntegerForKey(TvBaseHelper.IS_APP_VERSION_VALUE, 0) == 0) { deviceFunctionItem.mSupport4KType = jSONObject.optInt("is_support_4k_corp"); deviceFunctionItem.mSdkDevice = jSONObject.optInt("sdk_device_corp"); deviceFunctionItem.mSdkHevcLv = jSONObject.optInt("sdk_hevclv_corp"); } else { deviceFunctionItem.mSupport4KType = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_4K); deviceFunctionItem.mSdkDevice = jSONObject.optInt(DeviceFunctionItem.SDK_DEVICE); deviceFunctionItem.mSdkHevcLv = jSONObject.optInt(DeviceFunctionItem.SDK_HEVCLV); } deviceFunctionItem.mSupportDolbyType = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_DOLBY); deviceFunctionItem.mWebkeyFlag = jSONObject.optInt(DeviceFunctionItem.WEBKEY_FLAG); deviceFunctionItem.mSupportCrosswalkType = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_CROSSWALK); deviceFunctionItem.mIsPreloadFlag = jSONObject.optInt("is_preload"); deviceFunctionItem.mPlayMenuFlag = jSONObject.optInt(DeviceFunctionItem.PLAY_MENU_FLAG); deviceFunctionItem.mUpDownVolFlag = jSONObject.optInt(DeviceFunctionItem.UP_DOWN_VOL_FLAG); deviceFunctionItem.mH5_reload_policy = jSONObject.optInt(DeviceFunctionItem.H5_RELOAD_POLICY); deviceFunctionItem.mIsSupportLive = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_LIVE); deviceFunctionItem.mFFRKeyReleaseDuration = jSONObject.optInt(DeviceFunctionItem.FFR_KEY_RELEASE_DURATION); deviceFunctionItem.mIsH5DialogSupported = jSONObject.optInt(DeviceFunctionItem.SUPPORT_H5_RECOMMEND_PAGE); deviceFunctionItem.mH5_Layer_Type = jSONObject.optString("h5_layer_type"); deviceFunctionItem.mSupportToastPosstting = jSONObject.optInt(DeviceFunctionItem.SUPPORT_TOAST_POSSETTING); deviceFunctionItem.mSupportTrailerLoopPlay = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_TRAILER_LOOP_PLAY); deviceFunctionItem.mSupportNewsLoopPlay = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_NEWS_LOOP_PLAY); deviceFunctionItem.mHook_All_Sopath = jSONObject.optString(DeviceFunctionItem.HOOK_ALL_SOPATH); deviceFunctionItem.mIsNeedSystemExit = jSONObject.optInt(DeviceFunctionItem.IS_NEED_SYSTEM_EXIT); deviceFunctionItem.mPlayerConfig = jSONObject.optInt(DeviceFunctionItem.PLAYER_CONFIG); deviceFunctionItem.mIsNeedDelayOpen = jSONObject.optInt(DeviceFunctionItem.IS_NEED_DELAY_OPENPLAY); deviceFunctionItem.mSilentInstallFlag = jSONObject.optInt(DeviceFunctionItem.SILENT_INSTALL_FLAG); deviceFunctionItem.mAdbSocketPort = jSONObject.optInt(DeviceFunctionItem.ADB_SOCKET_PORT); deviceFunctionItem.mNetDetectOpen = jSONObject.optInt(DeviceFunctionItem.IS_NET_DETECT_OPEN); deviceFunctionItem.mIsScreenSaverSupport = jSONObject.optInt(DeviceFunctionItem.IS_SCREEN_SAVER_SUPPORT); deviceFunctionItem.mSupportDetailTinyPlay = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_DETAIL_TINYPLAY); deviceFunctionItem.mSupportAndroidTV = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_ANDROIDTV); deviceFunctionItem.mSupportPreloadCocosview = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_PRELOAD_COCOSVIEW); deviceFunctionItem.mDetailQuickplayConfig = jSONObject.optString(DeviceFunctionItem.DETAIL_QUICKPLAY_CONFIG); deviceFunctionItem.mSupportChannelBg = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_CHANNEL_BG); deviceFunctionItem.mPlayExtendParam = jSONObject.optString(DeviceFunctionItem.PLAY_EXTEND_PARAM); deviceFunctionItem.mIsSupportPreView = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_PREVIEW); deviceFunctionItem.mIsSupportNativeText = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_NATIVE_TEXT); deviceFunctionItem.mIsSupportDanmaku = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_DANMAKU); deviceFunctionItem.ktFromApkFunc = this.ktFromApkFunc; } } return deviceFunctionItem; } 复制代码有没有可能是在调用parse的返回结果中处理呢,继续寻找下哪些地方调用了DeviceFunctionRequest 只有一处调用,在 DeviceFunctionManager中 public void getDeviceFunction() { BaseRequestHandler deviceFunctionRequest = new DeviceFunctionRequest(); deviceFunctionRequest.setRequestMode(3); GlobalManager.getInstance().getAppEngine().get(deviceFunctionRequest, new a()); } 复制代码其中new a()对象是网络请求的回调,下是回调的部分代码: private class a extends AppResponseHandler { final /* synthetic */ DeviceFunctionManager a; private a(DeviceFunctionManager deviceFunctionManager) { this.a = deviceFunctionManager; } public /* synthetic */ void onSuccess(Object obj, boolean z) { a((DeviceFunctionItem) obj, z); } public void a(DeviceFunctionItem deviceFunctionItem, boolean z) { if (deviceFunctionItem == null) { TVCommonLog.e(DeviceFunctionManager.TAG, "data == null"); return; } int value = CapabilityProxy.getValue(QQLiveApplication.getAppContext(), DeviceFunctionItem.IS_SCREEN_SAVER_SUPPORT, 1); Map hashMap = new HashMap(); hashMap.put(DeviceFunctionItem.IS_SUPPORT_4K, Integer.valueOf(deviceFunctionItem.mSupport4KType)); CapabilityProxy.setMapAsync(QQLiveApplication.getAppContext(), hashMap); if (value == 1 && deviceFunctionItem.mIsScreenSaverSupport == 0) { ScreenSaverProxy.getInstance(QQLiveApplication.getAppContext()).stopService(); } else if (value == 0 && deviceFunctionItem.mIsScreenSaverSupport == 1) { ScreenSaverProxy.getInstance(QQLiveApplication.getAppContext()).startService(true); } if (deviceFunctionItem.mIsSupportNativeText == 1) { AndroidNDKSyncHelper.setNativeTextEnabled(true); } } public void onFailure(RespErrorData respErrorData) { //省略 } } 复制代码将请求的结果放入HashMap中,然后调用CapabilityProxy.setMapAsync(QQLiveApplication.getAppContext(), hashMap); public static void setMapAsync(Context context, Map map) { CapabilityPreference.getInstance(context).setMapAsync(map); } 复制代码从类名上看好像将信息写入到SharePreference中,进入文件夹管理器,查看shared_prefs文件夹,确实有一个capability_info.xml。这个文件类也确实没有存放nba相关的flag,哇~~好像我们找错请求了 继续查看抓包信息还有一个可疑的请求 http://tv.aiseet.atianqi.com/i-tvbin/qtv_video/home_page/hp_waterfall 继续跟了一下发现解析相关的操作是放在native层处理的,能力有限没法跟下去(感觉就是这个请求控制这个nba模块的显示,屌大的同学可以去分析下,能分享一下过程最好了) 回过头,我们再看看修改请求的思路。 在DeviceFunctionRequest类中可以发现makeRequestUrl方法拼接并生成请求的url,其中TenVideoGlobal.getCommonUrlSuffix()应该是为每一个请求添加公共的参数, protected String makeRequestUrl() { StringBuilder stringBuilder = new StringBuilder(CGIPrefix.URL_DEVICE_FUNCTION); stringBuilder.append(TenVideoGlobal.getCommonUrlSuffix()); stringBuilder.append("&logintype=1"); stringBuilder.append("&appid=").append(AppConstants.OPEN_APP_ID); stringBuilder.append("&openid=").append(AccountProxy.getOpenID()); stringBuilder.append("&access_token=").append(AccountProxy.getAccessToken()); TVCommonLog.i(TAG, "makeRequestUrl: " + stringBuilder); return stringBuilder.toString(); } 复制代码一直跟进这个方法的调用链TenVideoGlobal.getCommonUrlSuffix()->TvBaseHelper.getCommonUrlSuffix()->TvBaseHelper.setCommonUrlSuffix()->TvBaseHelper.getTvAppQUA() 粗略的看一下getTvAppQUA方法,它会给请求添加最基本的公共参数,包括版本信息,设备信息。 public static String getTvAppQUA(String str, String str2, boolean z) { Object appVersion = getAppVersion(); int channelID = getChannelID(); String str3 = "0"; String[] split = appVersion.split("\\."); if (split.length > 3) { str3 = split[3]; appVersion = split[0] + "." + split[1] + "." + split[2]; } String screenResolution = getScreenResolution(); if (TextUtils.isEmpty(str) || TextUtils.isEmpty(str2) || TextUtils.isEmpty(appVersion) || channelID encode(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String; move-result-object v0 return-object v0 .end method .method public static getModel()Ljava/lang/String; .locals 2 .annotation system Ldalvik/annotation/Throws; value = { Ljava/io/UnsupportedEncodingException; } .end annotation .prologue const-string/jumbo v0, "ONEPLUS A3010" const-string/jumbo v1, "UTF-8" invoke-static {v0, v1}, Ljava/net/URLEncoder;->encode(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String; move-result-object v0 return-object v0 .end method .method public static getManufacturer()Ljava/lang/String; .locals 2 .annotation system Ldalvik/annotation/Throws; value = { Ljava/io/UnsupportedEncodingException; } .end annotation .prologue const-string/jumbo v0, "OnePlus" const-string/jumbo v1, "UTF-8" invoke-static {v0, v1}, Ljava/net/URLEncoder;->encode(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String; move-result-object v0 return-object v0 .end method 复制代码 重新打包 $ apktool b tv_video_3.2.0.1057_android_15000 复制代码在dist文件夹内会生成新的apk安装包 重新签名 $ jarsigner -verbose -keystore ~/.android/debug.keystore -signedjar app_signed.apk ~/Desktop/tv_video_3.2.0.1057_android_15000/dist/tv_video_3.2.0.1057_android_15000.apk androiddebugkey 复制代码 安装到小米设备上看看是不是大功告成哎,一不小心又写了篇水文章。虽然处理很简单,但内心还是非常激动的,毕竟让家里的父老乡亲认识到读书还是有用的。哈哈~ |
| CopyRight 2018-2019 实验室设备网 版权所有 |