记一次逆向:云视听极光展示"NBA"模块

都说温饱思淫欲，但春节回家吃饱喝足之后，我是真的手痒想敲代码啊......于是乎就想找点事干干，恰好发现家里新买的小米电视安装"云视听极光"没有NBA模块(之前家里的长虹电视能展示)，查看了下Q&A发现"云视听极光"在某些设备上无法展示"NBA"的模块

image

根据官方的说法可以断定：“NBA”模块的展示肯定是通过获取设备型号，厂商等参数来控制的。在代码逻辑层面应该是获取到这些参数，然后将这些信息放到请求中，然后app根据Response动态地展示“NBA”的tab。

因此，我们有两个思路来尝试展示“NBA”模块

从请求入手,修改参数为已知能展示“NBA”设备
从响应入手,查看是否有一个flag来控制“NBA”的展示

抓包发现http://tv.aiseet.atianqi.com/i-tvbin/user_info/get_apk_functions这个请求很可疑

image

用jadx-gui打开app搜索get_apk_functions

image

继续搜索哪里用到了URL_DEVICE_FUNCTION

image

最后定位到DeviceFunctionRequest类

image

做过安卓开发的小伙伴们,看到这个类结构应该立马就豁然开朗了：为每一个请求创建一个Request类,添加请求信息并且反序列化响应结果。

从DeviceFunctionRequest类中可以很明显的看出，该类会把服务器的响应反序列化成DeviceFunctionItem对象，从DeviceFunctionItem类名上看，它似乎好像可能是控制着“云视听极光”拥有哪些功能，但是仔细查看parse方法却发现，他压根就没有处理响应里的is_support_nba字段.

 // 下面是部分代码
 public DeviceFunctionItem parse(String str) {
        TVCommonLog.i(TAG, "responseString: " + str);
        DeviceFunctionItem deviceFunctionItem = null;
        if (!TextUtils.isEmpty(str)) {
            JSONObject jSONObject = new JSONObject(str);
            if (jSONObject.getJSONObject(ReportHelper.KEY_RESULT).getInt("ret") != 0) {
                TVCommonLog.e(TAG, "responseString fail: " + str);
            } else {
                deviceFunctionItem = new DeviceFunctionItem();
                jSONObject = jSONObject.getJSONObject("data");
                deviceFunctionItem.mRotateModel = jSONObject.optInt(DeviceFunctionItem.ROTATE_MODEL);
                if (TvBaseHelper.getIntegerForKey(TvBaseHelper.IS_APP_VERSION_VALUE, 0) == 0) {
                    deviceFunctionItem.mSupport4KType = jSONObject.optInt("is_support_4k_corp");
                    deviceFunctionItem.mSdkDevice = jSONObject.optInt("sdk_device_corp");
                    deviceFunctionItem.mSdkHevcLv = jSONObject.optInt("sdk_hevclv_corp");
                } else {
                    deviceFunctionItem.mSupport4KType = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_4K);
                    deviceFunctionItem.mSdkDevice = jSONObject.optInt(DeviceFunctionItem.SDK_DEVICE);
                    deviceFunctionItem.mSdkHevcLv = jSONObject.optInt(DeviceFunctionItem.SDK_HEVCLV);
                }
                deviceFunctionItem.mSupportDolbyType = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_DOLBY);
                deviceFunctionItem.mWebkeyFlag = jSONObject.optInt(DeviceFunctionItem.WEBKEY_FLAG);
                deviceFunctionItem.mSupportCrosswalkType = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_CROSSWALK);
                deviceFunctionItem.mIsPreloadFlag = jSONObject.optInt("is_preload");
                deviceFunctionItem.mPlayMenuFlag = jSONObject.optInt(DeviceFunctionItem.PLAY_MENU_FLAG);
                deviceFunctionItem.mUpDownVolFlag = jSONObject.optInt(DeviceFunctionItem.UP_DOWN_VOL_FLAG);
                deviceFunctionItem.mH5_reload_policy = jSONObject.optInt(DeviceFunctionItem.H5_RELOAD_POLICY);
                deviceFunctionItem.mIsSupportLive = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_LIVE);
                deviceFunctionItem.mFFRKeyReleaseDuration = jSONObject.optInt(DeviceFunctionItem.FFR_KEY_RELEASE_DURATION);
                deviceFunctionItem.mIsH5DialogSupported = jSONObject.optInt(DeviceFunctionItem.SUPPORT_H5_RECOMMEND_PAGE);
                deviceFunctionItem.mH5_Layer_Type = jSONObject.optString("h5_layer_type");
                deviceFunctionItem.mSupportToastPosstting = jSONObject.optInt(DeviceFunctionItem.SUPPORT_TOAST_POSSETTING);
                deviceFunctionItem.mSupportTrailerLoopPlay = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_TRAILER_LOOP_PLAY);
                deviceFunctionItem.mSupportNewsLoopPlay = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_NEWS_LOOP_PLAY);
                deviceFunctionItem.mHook_All_Sopath = jSONObject.optString(DeviceFunctionItem.HOOK_ALL_SOPATH);
                deviceFunctionItem.mIsNeedSystemExit = jSONObject.optInt(DeviceFunctionItem.IS_NEED_SYSTEM_EXIT);
                deviceFunctionItem.mPlayerConfig = jSONObject.optInt(DeviceFunctionItem.PLAYER_CONFIG);
                deviceFunctionItem.mIsNeedDelayOpen = jSONObject.optInt(DeviceFunctionItem.IS_NEED_DELAY_OPENPLAY);
                deviceFunctionItem.mSilentInstallFlag = jSONObject.optInt(DeviceFunctionItem.SILENT_INSTALL_FLAG);
                deviceFunctionItem.mAdbSocketPort = jSONObject.optInt(DeviceFunctionItem.ADB_SOCKET_PORT);
                deviceFunctionItem.mNetDetectOpen = jSONObject.optInt(DeviceFunctionItem.IS_NET_DETECT_OPEN);
                deviceFunctionItem.mIsScreenSaverSupport = jSONObject.optInt(DeviceFunctionItem.IS_SCREEN_SAVER_SUPPORT);
                deviceFunctionItem.mSupportDetailTinyPlay = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_DETAIL_TINYPLAY);
                deviceFunctionItem.mSupportAndroidTV = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_ANDROIDTV);
                deviceFunctionItem.mSupportPreloadCocosview = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_PRELOAD_COCOSVIEW);
                deviceFunctionItem.mDetailQuickplayConfig = jSONObject.optString(DeviceFunctionItem.DETAIL_QUICKPLAY_CONFIG);
                deviceFunctionItem.mSupportChannelBg = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_CHANNEL_BG);
                deviceFunctionItem.mPlayExtendParam = jSONObject.optString(DeviceFunctionItem.PLAY_EXTEND_PARAM);
                deviceFunctionItem.mIsSupportPreView = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_PREVIEW);
                deviceFunctionItem.mIsSupportNativeText = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_NATIVE_TEXT);
                deviceFunctionItem.mIsSupportDanmaku = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_DANMAKU);
                deviceFunctionItem.ktFromApkFunc = this.ktFromApkFunc;
            }
        }
        return deviceFunctionItem;
    }

有没有可能是在调用parse的返回结果中处理呢，继续寻找下哪些地方调用了DeviceFunctionRequest

image

只有一处调用，在DeviceFunctionManager中

    public void getDeviceFunction() {
        BaseRequestHandler deviceFunctionRequest = new DeviceFunctionRequest();
        deviceFunctionRequest.setRequestMode(3);
        GlobalManager.getInstance().getAppEngine().get(deviceFunctionRequest, new a());
    }

其中new a()对象是网络请求的回调，下是回调的部分代码：

    private class a extends AppResponseHandler<DeviceFunctionItem> {
        final /* synthetic */ DeviceFunctionManager a;

        private a(DeviceFunctionManager deviceFunctionManager) {
            this.a = deviceFunctionManager;
        }

        public /* synthetic */ void onSuccess(Object obj, boolean z) {
            a((DeviceFunctionItem) obj, z);
        }

        public void a(DeviceFunctionItem deviceFunctionItem, boolean z) {
            if (deviceFunctionItem == null) {
                TVCommonLog.e(DeviceFunctionManager.TAG, "data == null");
                return;
            }
        
            int value = CapabilityProxy.getValue(QQLiveApplication.getAppContext(), DeviceFunctionItem.IS_SCREEN_SAVER_SUPPORT, 1);
            Map hashMap = new HashMap();
            hashMap.put(DeviceFunctionItem.IS_SUPPORT_4K, Integer.valueOf(deviceFunctionItem.mSupport4KType));
            
            CapabilityProxy.setMapAsync(QQLiveApplication.getAppContext(), hashMap);
            if (value == 1 && deviceFunctionItem.mIsScreenSaverSupport == 0) {
                ScreenSaverProxy.getInstance(QQLiveApplication.getAppContext()).stopService();
            } else if (value == 0 && deviceFunctionItem.mIsScreenSaverSupport == 1) {
                ScreenSaverProxy.getInstance(QQLiveApplication.getAppContext()).startService(true);
            }
            if (deviceFunctionItem.mIsSupportNativeText == 1) {
                AndroidNDKSyncHelper.setNativeTextEnabled(true);
            }
        }

        public void onFailure(RespErrorData respErrorData) {
           //省略
        }
    }

将请求的结果放入HashMap中,然后调用CapabilityProxy.setMapAsync(QQLiveApplication.getAppContext(), hashMap);

public static void setMapAsync(Context context, Map<String, Object> map) {
        CapabilityPreference.getInstance(context).setMapAsync(map);
    }

从类名上看好像将信息写入到SharePreference中，进入文件夹管理器，查看shared_prefs文件夹，确实有一个capability_info.xml。这个文件类也确实没有存放nba相关的flag，哇~~好像我们找错请求了

继续查看抓包信息还有一个可疑的请求
http://tv.aiseet.atianqi.com/i-tvbin/qtv_video/home_page/hp_waterfall 继续跟了一下发现解析相关的操作是放在native层处理的，能力有限没法跟下去（感觉就是这个请求控制这个nba模块的显示，屌大的同学可以去分析下，能分享一下过程最好了）

回过头，我们再看看修改请求的思路。

在DeviceFunctionRequest类中可以发现makeRequestUrl方法拼接并生成请求的url,其中TenVideoGlobal.getCommonUrlSuffix()应该是为每一个请求添加公共的参数，

    protected String makeRequestUrl() {
        StringBuilder stringBuilder = new StringBuilder(CGIPrefix.URL_DEVICE_FUNCTION);
        stringBuilder.append(TenVideoGlobal.getCommonUrlSuffix());
        stringBuilder.append("&logintype=1");
        stringBuilder.append("&appid=").append(AppConstants.OPEN_APP_ID);
        stringBuilder.append("&openid=").append(AccountProxy.getOpenID());
        stringBuilder.append("&access_token=").append(AccountProxy.getAccessToken());
        TVCommonLog.i(TAG, "makeRequestUrl: " + stringBuilder);
        return stringBuilder.toString();
    }

一直跟进这个方法的调用链TenVideoGlobal.getCommonUrlSuffix()->TvBaseHelper.getCommonUrlSuffix()->TvBaseHelper.setCommonUrlSuffix()->TvBaseHelper.getTvAppQUA()

粗略的看一下getTvAppQUA方法，它会给请求添加最基本的公共参数，包括版本信息，设备信息。

    public static String getTvAppQUA(String str, String str2, boolean z) {
        Object appVersion = getAppVersion();
        int channelID = getChannelID();
        String str3 = "0";
        String[] split = appVersion.split("\\.");
        if (split.length > 3) {
            str3 = split[3];
            appVersion = split[0] + "." + split[1] + "." + split[2];
        }
        String screenResolution = getScreenResolution();
        if (TextUtils.isEmpty(str) || TextUtils.isEmpty(str2) || TextUtils.isEmpty(appVersion) || channelID <= 0) {
            return "";
        }
        StringBuilder stringBuilder = new StringBuilder();
        stringBuilder.append("QV=1");
        stringBuilder.append("&PR=").append(str);
        stringBuilder.append("&PT=").append(str2);
        stringBuilder.append("&CHID=").append(channelID);
        String stringBuilder2 = stringBuilder.toString();
        try {
            stringBuilder.append("&RL=").append(URLEncoder.encode(screenResolution, "UTF-8"));
            stringBuilder.append("&VN=").append(URLEncoder.encode(appVersion, "UTF-8"));
            stringBuilder.append("&VN_CODE=").append(getAppVersionCode());
            stringBuilder.append("&SV=").append(URLEncoder.encode(VERSION.RELEASE, "UTF-8"));
            stringBuilder.append("&DV=").append(getDevice());
            stringBuilder.append("&VN_BUILD=").append(str3);
            stringBuilder.append("&MD=").append(getModel());
            stringBuilder.append("&BD=").append(getBoard());
            stringBuilder.append("&MF=").append(getManufacturer());
            if ("VIDEO".equals(str)) {
                stringBuilder.append("&TVKPlatform=").append(getMediaPlayerPlatform());
            }
            if (z) {
                encodeQua = URLEncoder.encode(stringBuilder.toString());
                return encodeQua;
            }
            qua = stringBuilder.toString();
            return qua;
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
            TVCommonLog.e(TAG, "exception qua: " + qua + ".");
            return stringBuilder2;
        }
    }

我们先看看之前的抓包信息到底传递是哪些参数

GET /i-tvbin/user_info/get_apk_functions?Q-UA=QV%3D1%26PR%3DVIDEO%26PT%3DSNMAPP%26CHID%3D15000%26RL%3D1920*1080%26VN%3D3.2.0%26VN_CODE%3D3210%26SV%3D7.1.1%26DV%3DOnePlus3T%26VN_BUILD%3D1057%26MD%3DONEPLUS%2BA3010%26BD%3DQC_Reference_Phone%26MF%3DOnePlus%26TVKPlatform%3D670603&guid=&omg_id=&omg_biz_id=&licence=snm&pkg_tag=0&logintype=1&appid=101161688&openid=&access_token=&timeforhj=1519368054956 HTTP/1.1

URLDecode后

GET /i-tvbin/user_info/get_apk_functions?Q-UA=QV=1&PR=VIDEO&PT=SNMAPP&CHID=15000&RL=1920*1080&VN=3.2.0&VN_CODE=3210&SV=7.1.1&DV=OnePlus3T&VN_BUILD=1057&MD=ONEPLUS+A3010&BD=QC_Reference_Phone&MF=OnePlus&TVKPlatform=670603&guid=&omg_id=&omg_biz_id=&licence=snm&pkg_tag=0&logintype=1&appid=101161688&openid=&access_token=&timeforhj=1519368054956 HTTP/1.1

分析请求发现，比较明显的设备信息字段是DV=OnePlus3T，MD=ONEPLUS+A3010以及MF=OnePlus，获取这些信息的方法分别是TvBaseHelper类中的getDevice，getModel以及getManufacturer

简单点处理，我们把这几个方法的返回结果写死

先反编译apk

$ apktool d ~/Downloads/tv_video_3.2.0.1057_android_15000.apk

修改相应的方法

.method public static getDevice()Ljava/lang/String;
    .locals 2
    .annotation system Ldalvik/annotation/Throws;
        value = {
            Ljava/io/UnsupportedEncodingException;
        }
    .end annotation

    .prologue
    const-string/jumbo v0, "OnePlus"

    const-string/jumbo v1, "UTF-8"

    invoke-static {v0, v1}, Ljava/net/URLEncoder;->encode(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;

    move-result-object v0

    return-object v0
.end method

.method public static getModel()Ljava/lang/String;
    .locals 2
    .annotation system Ldalvik/annotation/Throws;
        value = {
            Ljava/io/UnsupportedEncodingException;
        }
    .end annotation

    .prologue
    const-string/jumbo v0, "ONEPLUS A3010"

    const-string/jumbo v1, "UTF-8"

    invoke-static {v0, v1}, Ljava/net/URLEncoder;->encode(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;

    move-result-object v0

    return-object v0
.end method

.method public static getManufacturer()Ljava/lang/String;
    .locals 2
    .annotation system Ldalvik/annotation/Throws;
        value = {
            Ljava/io/UnsupportedEncodingException;
        }
    .end annotation

    .prologue
    const-string/jumbo v0, "OnePlus"

    const-string/jumbo v1, "UTF-8"

    invoke-static {v0, v1}, Ljava/net/URLEncoder;->encode(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;

    move-result-object v0

    return-object v0
.end method

重新打包

$ apktool b tv_video_3.2.0.1057_android_15000

在dist文件夹内会生成新的apk安装包

重新签名

$ jarsigner -verbose -keystore ~/.android/debug.keystore -signedjar app_signed.apk ~/Desktop/tv_video_3.2.0.1057_android_15000/dist/tv_video_3.2.0.1057_android_15000.apk androiddebugkey

安装到小米设备上看看是不是大功告成

image

哎，一不小心又写了篇水文章。虽然处理很简单，但内心还是非常激动的，毕竟让家里的父老乡亲认识到读书还是有用的。哈哈~

最后编辑于：2018.02.23 20:02:01

人面猴
序言：七十年代末，一起剥皮案震惊了整个滨河市，随后出现的几起案子，更是在滨河造成了极大的恐慌，老刑警刘岩，带你破解...
沈念sama阅读 204,293评论 6赞 478
死咒
序言：滨河连续发生了三起死亡事件，死亡现场离奇诡异，居然都是意外死亡，警方通过查阅死者的电脑和手机，发现死者居然都...
沈念sama阅读 85,604评论 2赞 381
救了他两次的神仙让他今天三更去死
文/潘晓璐我一进店门，熙熙楼的掌柜王于贵愁眉苦脸地迎上来，“玉大人，你说我怎么就摊上这事。” “怎么了？”我有些...
开封第一讲书人阅读 150,958评论 0赞 337
道士缉凶录：失踪的卖姜人
文/不坏的土叔我叫张陵，是天一观的道长。经常有香客问我，道长，这世上最难降的妖魔是什么？我笑而不...
开封第一讲书人阅读 54,729评论 1赞 277
港岛之恋（遗憾婚礼）
正文为了忘掉前任，我火速办了婚礼，结果婚礼上，老公的妹妹穿的比我还像新娘。我一直安慰自己，他们只是感情好，可当我...
茶点故事阅读 63,719评论 5赞 366
恶毒庶女顶嫁案：这布局不是一般人想出来的
文/花漫我一把揭开白布。她就那样静静地躺着，像睡着了一般。火红的嫁衣衬着肌肤如雪。梳的纹丝不乱的头发上，一...
开封第一讲书人阅读 48,630评论 1赞 281
城市分裂传说
那天，我揣着相机与录音，去河边找鬼。笑死，一个胖子当着我的面吹牛，可吹牛的内容都是我干的。我是一名探鬼主播，决...
沈念sama阅读 38,000评论 3赞 397
双鸳鸯连环套：你想象不到人心有多黑
文/苍兰香墨我猛地睁开眼，长吁一口气：“原来是场噩梦啊……” “哼！你这毒妇竟也来了？” 一声冷哼从身侧响起，我...
开封第一讲书人阅读 36,665评论 0赞 258
万荣杀人案实录
序言：老挝万荣一对情侣失踪，失踪者是张志新（化名）和其女友刘颖，没想到半个月后，有当地人在树林里发现了一具尸体，经...
沈念sama阅读 40,909评论 1赞 299
护林员之死
正文独居荒郊野岭守林人离奇死亡，尸身上长有42处带血的脓包…… 初始之章·张勋以下内容为张勋视角年9月15日...
茶点故事阅读 35,646评论 2赞 321
白月光启示录
正文我和宋清朗相恋三年，在试婚纱的时候发现自己被绿了。大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
茶点故事阅读 37,726评论 1赞 330
活死人
序言：一个原本活蹦乱跳的男人离奇死亡，死状恐怖，灵堂内的尸体忽然破棺而出，到底是诈尸还是另有隐情，我是刑警宁泽，带...
沈念sama阅读 33,400评论 4赞 321
日本核电站爆炸内幕
正文年R本政府宣布，位于F岛的核电站，受9级特大地震影响，放射性物质发生泄漏。R本人自食恶果不足惜，却给世界环境...
茶点故事阅读 38,986评论 3赞 307
男人毒药：我在死后第九天来索命
文/蒙蒙一、第九天我趴在偏房一处隐蔽的房顶上张望。院中可真热闹，春花似锦、人声如沸。这庄子的主人今日做“春日...
开封第一讲书人阅读 29,959评论 0赞 19
一桩弑父案，背后竟有这般阴谋
文/苍兰香墨我抬头看了看天上的太阳。三九已至，却和暖如春，着一层夹袄步出监牢的瞬间，已是汗流浃背。一阵脚步声响...
开封第一讲书人阅读 31,197评论 1赞 260
情欲美人皮
我被黑心中介骗来泰国打工，没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留，地道东北人。一个月前我还...
沈念sama阅读 44,996评论 2赞 349
代替公主和亲
正文我出身青楼，却偏偏与公主长得像，于是被迫代替她去往敌国和亲。传闻我的和亲对象是个残疾皇子，可洞房花烛夜当晚...
茶点故事阅读 42,481评论 2赞 342

记一次逆向:云视听极光展示"NBA"模块

推荐阅读更多精彩内容