Hacking Book | Free Online Hacking Learning

 Home

reverse practice: batch verification of the existence of micro signals

Posted by graebner at 2020-03-01
all

*The original author of this article: siotb, this article belongs to the freebuf original award program, reprint is prohibited without permission

I. Preface

Xposed is a powerful hook framework under Android platform. We can use it to develop many powerful plug-ins to help us solve some practical problems more easily. This paper will try to use xposed to solve a practical problem: how to verify the existence of micro signals in batches.

2、 Clear objectives

Now we have a batch of micro signals at hand, and we want to distinguish which of them are effective and which are not. Obviously, it will be a very troublesome thing to search on wechat by hand directly. Next, we will study how to verify these wechat in batches. First, let's look at the search interface:

It can be seen from the figure that in fact, this interface can also search whether a micro signal exists according to QQ number and mobile phone number. Our goal is to call this interface automatically and controllably to help us verify.

3、 Determine ideas

After the goal is clear, we will think that it is very important to get the function call stack of this interface, so that we can hook up and down the key functions, and then insert our own logic code, so as to control this interface at will and achieve our ultimate goal. So we can summarize the following steps: 1. Get the important function call stack in this process. 2. Find the right function from the function call stack, hook. 3. Think about the logic of the whole batch validation, insert our own logic code, and implement the xposed plug-in to control the whole validation process. 4. Use a small batch of samples to verify that our plug-in is valid.

4、 Hands on practice

1.

How to get the function call stack of a procedure? This is a problem we often encounter in the process of reverse. At the beginning, I only used keywords to search when I contacted the reverse direction. Later, I contacted more tools. I found that it was good to use andbug. I could get out all the processes in a click process. I didn't find that there were better tools until I saw tracereader in the snow a few months ago. In fact, there are many good reverse tools. The easy-to-use tools are good tools. I will not elaborate on the specific use of tools here.

I use tracereader. After getting a pile of function call stacks, we need to find the call stacks we need. I think this is the most difficult problem in the whole process. Because the amount of functions we get at this time is often very large, and we don't know the name of the functions we need at all. If we come across the application of wechat, which is confusing and super abnormal, then this step will take us a lot of time. There is no good way to do this. Luck is the key factor, and then we can infer the position of the function we need according to various signs. Eight immortals cross the sea and show their magic power. Let me talk about my practice. Because the function of this interface is to "search whether a certain micro signal exists", I first use the keyword "search" to try my luck. Of course, there are many functions including this keyword. Then I look at each of these functions containing "search" one by one, and I'm lucky to find a function with both "search" and "addfriendui". According to the function name, this function is probably the one we are looking for. As shown in the picture:

Next, verify whether we find it right or not. Use xposed to hook the "Al" function and print out its parameters. There are many uses of xposed on the Internet, which will not be explained any more. The final results are as follows:

I randomly input a string in the search box, and the input parameters of the "Al" function printed out are exactly the strings I input. It seems that the location is good. Then the whole function call stack where this function is located is what we are looking for. After using Jeb to reverse his code, we can carefully look at these functions to help us understand the whole process.

2.

The next step is to find the right hook function. In fact, the hook function needs two functions: one is the hook request, which controls the whole batch verification process; the other is the hook response part, which judges the return result of the current verified micro signal.

For the time being, the requested hook function is the "Al" function found in the front. If there is a problem during the subsequent test, we will consider changing it. There is no definite answer in this step, but we can only verify it through the actual test. So it doesn't matter which function we choose. If it doesn't work, we will go back to the source code and select the test again.

Generally, the answer hook function can be found by looking at the call stack of the previous request function, but it is not absolute. The way to find it is the same as the previous one, and you can test where you suspect. I found this step in the call stack of the request, but I didn't find a suitable location in many places, and then I didn't have the patience to continue to find it, so I used a clever way. The return page where a micro signal does not exist and exists is different, as shown in the figure:

Obviously, we can judge whether the current micro signal exists according to the different returned pages. Next, look at the activity of the two pages, as shown in the figure:

It can be seen that the activities in the two situations are different. When the micro signal exists, the information interface of the micro signal will be returned. The activity in the interface is contactinfoui. Then we can judge whether the activity is created and whether a micro signal exists by hook activity. Next, let's verify our conjecture, hook the constructor of this class:

The effect is as follows:

Indeed, printing "yes" according to our expectation verifies our conjecture.

3.

There is no definite pattern for batch verification logic, which can be customized according to individual needs. It is worth mentioning that the location of hook in the previous step has a lot to do with the logic design of this step. For example, in the previous step, I didn't find a good response hook location, but I just happened to judge it according to the activity. That is to say, I can judge the results only after a microsignal search result page is loaded, which will cause many problems. For example, I have to control the interval between two requests to allow sufficient time for the search results interface to load. For example, when the number of micro signals is large, the continuous page loading will consume a lot of memory, resulting in the program becoming slower and slower, even the machine heating up, and the battery loss. These problems are all problems that must be considered when designing programs. On the contrary, if the previous hook location is more appropriate, then the follow-up will be easier and more convenient. The debt we owe is always to be paid back. Generally speaking, if we are lazy in the front, we will have a lot of troubles in the back. If we work hard in the front, we will be more relaxed in the back. All roads lead to Rome. How to choose in the whole process is best determined according to your actual needs and resources at hand.

Now we just do a simple test and don't need to think about it too much. My idea is to cut off the "Al" function found above, and control the circular call to him by myself. The code is rough, and I will not paste it up, and I will directly see the final result.

4.

The input micro signal is stored in the txt file and placed in the sdcard. The final judgment result is output and saved as a file. The correct micro signal is followed by the "yes" label, as shown in the figure below:

Five, summary

This article is just a small example of xposed application. In this process, we must have found that as long as we use it properly, many interfaces can be used in this way, and also can meet many small needs.

Of course, if you further consider the other party's risk control rules, the automation of the whole process and other factors, this method can also meet some big needs, you can explore by yourself.

*The original author of this article: siotb, this article belongs to the freebuf original award program, reprint is prohibited without permission

© 2023