记一次逆向:云视听极光展示NBA模块

都说温饱思淫欲，但春节回家吃饱喝足之后，我是真的手痒想敲代码啊......于是乎就想找点事干干，恰好发现家里新买的小米电视安装"云视听极光"没有NBA模块(之前家里的长虹电视能展示)，查看了下Q&A发现"云视听极光"在某些设备上无法展示"NBA"的模块

根据官方的说法可以断定：“NBA”模块的展示肯定是通过获取设备型号，厂商等参数来控制的。在代码逻辑层面应该是获取到这些参数，然后将这些信息放到请求中，然后app根据Response动态地展示“NBA”的tab。

因此，我们有两个思路来尝试展示“NBA”模块

• 从请求入手,修改参数为已知能展示“NBA”设备
• 从响应入手,查看是否有一个flag来控制“NBA”的展示

抓包发现http://tv.aiseet.atianqi.com/i-tvbin/user_info/get_apk_functions这个请求很可疑

用jadx-gui打开app搜索get_apk_functions

继续搜索哪里用到了URL_DEVICE_FUNCTION

最后定位到DeviceFunctionRequest类

做过安卓开发的小伙伴们,看到这个类结构应该立马就豁然开朗了：为每一个请求创建一个Request类,添加请求信息并且反序列化响应结果 。

从DeviceFunctionRequest类中可以很明显的看出，该类会把服务器的响应反序列化成DeviceFunctionItem对象，从DeviceFunctionItem类名上看，它似乎好像可能是控制着“云视听极光”拥有哪些功能，但是仔细查看parse方法却发现，他压根就没有处理响应里的is_support_nba字段.

// 下面是部分代码public DeviceFunctionItem parse(String str) {TVCommonLog.i(TAG, "responseString: " + str);DeviceFunctionItem deviceFunctiOnItem= null;if (!TextUtils.isEmpty(str)) {JSONObject jSOnObject= new JSONObject(str);if (jSONObject.getJSONObject(ReportHelper.KEY_RESULT).getInt("ret") != 0) {TVCommonLog.e(TAG, "responseString fail: " + str);} else {deviceFunctiOnItem= new DeviceFunctionItem();jSOnObject= jSONObject.getJSONObject("data");deviceFunctionItem.mRotateModel = jSONObject.optInt(DeviceFunctionItem.ROTATE_MODEL);if (TvBaseHelper.getIntegerForKey(TvBaseHelper.IS_APP_VERSION_VALUE, 0) == 0) {deviceFunctionItem.mSupport4KType = jSONObject.optInt("is_support_4k_corp");deviceFunctionItem.mSdkDevice = jSONObject.optInt("sdk_device_corp");deviceFunctionItem.mSdkHevcLv = jSONObject.optInt("sdk_hevclv_corp");} else {deviceFunctionItem.mSupport4KType = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_4K);deviceFunctionItem.mSdkDevice = jSONObject.optInt(DeviceFunctionItem.SDK_DEVICE);deviceFunctionItem.mSdkHevcLv = jSONObject.optInt(DeviceFunctionItem.SDK_HEVCLV);}deviceFunctionItem.mSupportDolbyType = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_DOLBY);deviceFunctionItem.mWebkeyFlag = jSONObject.optInt(DeviceFunctionItem.WEBKEY_FLAG);deviceFunctionItem.mSupportCrosswalkType = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_CROSSWALK);deviceFunctionItem.mIsPreloadFlag = jSONObject.optInt("is_preload");deviceFunctionItem.mPlayMenuFlag = jSONObject.optInt(DeviceFunctionItem.PLAY_MENU_FLAG);deviceFunctionItem.mUpDownVolFlag = jSONObject.optInt(DeviceFunctionItem.UP_DOWN_VOL_FLAG);deviceFunctionItem.mH5_reload_policy = jSONObject.optInt(DeviceFunctionItem.H5_RELOAD_POLICY);deviceFunctionItem.mIsSupportLive = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_LIVE);deviceFunctionItem.mFFRKeyReleaseDuration = jSONObject.optInt(DeviceFunctionItem.FFR_KEY_RELEASE_DURATION);deviceFunctionItem.mIsH5DialogSupported = jSONObject.optInt(DeviceFunctionItem.SUPPORT_H5_RECOMMEND_PAGE);deviceFunctionItem.mH5_Layer_Type = jSONObject.optString("h5_layer_type");deviceFunctionItem.mSupportToastPosstting = jSONObject.optInt(DeviceFunctionItem.SUPPORT_TOAST_POSSETTING);deviceFunctionItem.mSupportTrailerLoopPlay = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_TRAILER_LOOP_PLAY);deviceFunctionItem.mSupportNewsLoopPlay = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_NEWS_LOOP_PLAY);deviceFunctionItem.mHook_All_Sopath = jSONObject.optString(DeviceFunctionItem.HOOK_ALL_SOPATH);deviceFunctionItem.mIsNeedSystemExit = jSONObject.optInt(DeviceFunctionItem.IS_NEED_SYSTEM_EXIT);deviceFunctionItem.mPlayerCOnfig= jSONObject.optInt(DeviceFunctionItem.PLAYER_CONFIG);deviceFunctionItem.mIsNeedDelayOpen = jSONObject.optInt(DeviceFunctionItem.IS_NEED_DELAY_OPENPLAY);deviceFunctionItem.mSilentInstallFlag = jSONObject.optInt(DeviceFunctionItem.SILENT_INSTALL_FLAG);deviceFunctionItem.mAdbSocketPort = jSONObject.optInt(DeviceFunctionItem.ADB_SOCKET_PORT);deviceFunctionItem.mNetDetectOpen = jSONObject.optInt(DeviceFunctionItem.IS_NET_DETECT_OPEN);deviceFunctionItem.mIsScreenSaverSupport = jSONObject.optInt(DeviceFunctionItem.IS_SCREEN_SAVER_SUPPORT);deviceFunctionItem.mSupportDetailTinyPlay = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_DETAIL_TINYPLAY);deviceFunctionItem.mSupportAndroidTV = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_ANDROIDTV);deviceFunctionItem.mSupportPreloadCocosview = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_PRELOAD_COCOSVIEW);deviceFunctionItem.mDetailQuickplayCOnfig= jSONObject.optString(DeviceFunctionItem.DETAIL_QUICKPLAY_CONFIG);deviceFunctionItem.mSupportChannelBg = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_CHANNEL_BG);deviceFunctionItem.mPlayExtendParam = jSONObject.optString(DeviceFunctionItem.PLAY_EXTEND_PARAM);deviceFunctionItem.mIsSupportPreView = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_PREVIEW);deviceFunctionItem.mIsSupportNativeText = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_NATIVE_TEXT);deviceFunctionItem.mIsSupportDanmaku = jSONObject.optInt(DeviceFunctionItem.IS_SUPPORT_DANMAKU);deviceFunctionItem.ktFromApkFunc = this.ktFromApkFunc;}}return deviceFunctionItem;}


有没有可能是在调用parse的返回结果中处理呢，继续寻找下哪些地方调用了DeviceFunctionRequest

public void getDeviceFunction() {BaseRequestHandler deviceFunctiOnRequest= new DeviceFunctionRequest();deviceFunctionRequest.setRequestMode(3);GlobalManager.getInstance().getAppEngine().get(deviceFunctionRequest, new a());}


其中new a()对象是网络请求的回调，下是回调的部分代码：

private class a extends AppResponseHandler<DeviceFunctionItem> {final /* synthetic */ DeviceFunctionManager a;private a(DeviceFunctionManager deviceFunctionManager) {this.a = deviceFunctionManager;}public /* synthetic */ void onSuccess(Object obj, boolean z) {a((DeviceFunctionItem) obj, z);}public void a(DeviceFunctionItem deviceFunctionItem, boolean z) {if (deviceFunctiOnItem== null) {TVCommonLog.e(DeviceFunctionManager.TAG, "data == null");return;}int value = CapabilityProxy.getValue(QQLiveApplication.getAppContext(), DeviceFunctionItem.IS_SCREEN_SAVER_SUPPORT, 1);Map hashMap = new HashMap();hashMap.put(DeviceFunctionItem.IS_SUPPORT_4K, Integer.valueOf(deviceFunctionItem.mSupport4KType));CapabilityProxy.setMapAsync(QQLiveApplication.getAppContext(), hashMap);if (value == 1 && deviceFunctionItem.mIsScreenSaverSupport == 0) {ScreenSaverProxy.getInstance(QQLiveApplication.getAppContext()).stopService();} else if (value == 0 && deviceFunctionItem.mIsScreenSaverSupport == 1) {ScreenSaverProxy.getInstance(QQLiveApplication.getAppContext()).startService(true);}if (deviceFunctionItem.mIsSupportNativeText == 1) {AndroidNDKSyncHelper.setNativeTextEnabled(true);}}public void onFailure(RespErrorData respErrorData) {//省略}}


将请求的结果放入HashMap中,然后调用CapabilityProxy.setMapAsync(QQLiveApplication.getAppContext(), hashMap);

public static void setMapAsync(Context context, Map map) {CapabilityPreference.getInstance(context).setMapAsync(map);}


从类名上看好像将信息写入到SharePreference中，进入文件夹管理器，查看shared_prefs文件夹，确实有一个capability_info.xml。这个文件类也确实没有存放nba相关的flag，哇~~好像我们找错请求了

继续查看抓包信息还有一个可疑的请求 http://tv.aiseet.atianqi.com/i-tvbin/qtv_video/home_page/hp_waterfall 继续跟了一下发现解析相关的操作是放在native层处理的，能力有限没法跟下去（感觉就是这个请求控制这个nba模块的显示，屌大的同学可以去分析下，能分享一下过程最好了）

回过头，我们再看看修改请求的思路。

在DeviceFunctionRequest类中可以发现makeRequestUrl方法拼接并生成请求的url,其中TenVideoGlobal.getCommonUrlSuffix()应该是为每一个请求添加公共的参数，

protected String makeRequestUrl() {StringBuilder stringBuilder = new StringBuilder(CGIPrefix.URL_DEVICE_FUNCTION);stringBuilder.append(TenVideoGlobal.getCommonUrlSuffix());stringBuilder.append("&logintype=1");stringBuilder.append("&appid=").append(AppConstants.OPEN_APP_ID);stringBuilder.append("&openid=").append(AccountProxy.getOpenID());stringBuilder.append("&access_token=").append(AccountProxy.getAccessToken());TVCommonLog.i(TAG, "makeRequestUrl: " + stringBuilder);return stringBuilder.toString();}


一直跟进这个方法的调用链TenVideoGlobal.getCommonUrlSuffix()->TvBaseHelper.getCommonUrlSuffix()->TvBaseHelper.setCommonUrlSuffix()->TvBaseHelper.getTvAppQUA()

粗略的看一下getTvAppQUA方法，它会给请求添加最基本的公共参数，包括版本信息，设备信息。

public static String getTvAppQUA(String str, String str2, boolean z) {Object appVersion = getAppVersion();int channelID = getChannelID();String str3 = "0";String[] split = appVersion.split("\\.");if (split.length > 3) {str3 = split[3];appVersion = split[0] + "." + split[1] + "." + split[2];}String screenResolution = getScreenResolution();if (TextUtils.isEmpty(str) || TextUtils.isEmpty(str2) || TextUtils.isEmpty(appVersion) || channelID <= 0) {return "";}StringBuilder stringBuilder = new StringBuilder();stringBuilder.append("QV=1");stringBuilder.append("&PR=").append(str);stringBuilder.append("&PT=").append(str2);stringBuilder.append("&CHID=").append(channelID);String stringBuilder2 = stringBuilder.toString();try {stringBuilder.append("&RL=").append(URLEncoder.encode(screenResolution, "UTF-8"));stringBuilder.append("&VN=").append(URLEncoder.encode(appVersion, "UTF-8"));stringBuilder.append("&VN_CODE=").append(getAppVersionCode());stringBuilder.append("&SV=").append(URLEncoder.encode(VERSION.RELEASE, "UTF-8"));stringBuilder.append("&DV=").append(getDevice());stringBuilder.append("&VN_BUILD=").append(str3);stringBuilder.append("&MD=").append(getModel());stringBuilder.append("&BD=").append(getBoard());stringBuilder.append("&MF=").append(getManufacturer());if ("VIDEO".equals(str)) {stringBuilder.append("&TVKPlatform=").append(getMediaPlayerPlatform());}if (z) {encodeQua = URLEncoder.encode(stringBuilder.toString());return encodeQua;}qua = stringBuilder.toString();return qua;} catch (UnsupportedEncodingException e) {e.printStackTrace();TVCommonLog.e(TAG, "exception qua: " + qua + ".");return stringBuilder2;}}


我们先看看之前的抓包信息到底传递是哪些参数

GET /i-tvbin/user_info/get_apk_functions?Q-UA=QV%3D1%26PR%3DVIDEO%26PT%3DSNMAPP%26CHID%3D15000%26RL%3D1920*1080%26VN%3D3.2.0%26VN_CODE%3D3210%26SV%3D7.1.1%26DV%3DOnePlus3T%26VN_BUILD%3D1057%26MD%3DONEPLUS%2BA3010%26BD%3DQC_Reference_Phone%26MF%3DOnePlus%26TVKPlatform%3D670603&guid=&omg_id=&omg_biz_id=&licence=snm&pkg_tag=0&logintype=1&appid=101161688&openid=&access_token=&timeforhj=1519368054956 HTTP/1.1

URLDecode后

GET /i-tvbin/user_info/get_apk_functions?Q-UA=QV=1&PR=VIDEO&PT=SNMAPP&CHID=15000&RL=1920*1080&VN=3.2.0&VN_CODE=3210&SV=7.1.1&DV=OnePlus3T&VN_BUILD=1057&MD=ONEPLUS+A3010&BD=QC_Reference_Phone&MF=OnePlus&TVKPlatform=670603&guid=&omg_id=&omg_biz_id=&licence=snm&pkg_tag=0&logintype=1&appid=101161688&openid=&access_token=&timeforhj=1519368054956 HTTP/1.1

分析请求发现，比较明显的设备信息字段是DV=OnePlus3T，MD=ONEPLUS+A3010以及MF=OnePlus，获取这些信息的方法分别是TvBaseHelper类中的getDevice，getModel以及getManufacturer

简单点处理，我们把这几个方法的返回结果写死

1. 先反编译apk

$ apktool d ~/Downloads/tv_video_3.2.0.1057_android_15000.apk


修改相应的方法

.method public static getDevice()Ljava/lang/String;
.locals 2
.annotation system Ldalvik/annotation/Throws;value = {Ljava/io/UnsupportedEncodingException;}.end annotation .prologue const-string/jumbo v0, "OnePlus" const-string/jumbo v1, "UTF-8" invoke-static {v0, v1}, Ljava/net/URLEncoder;->encode(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String; move-result-object v0 return-object v0
.end method.method public static getModel()Ljava/lang/String;
.locals 2
.annotation system Ldalvik/annotation/Throws;value = {Ljava/io/UnsupportedEncodingException;}.end annotation .prologue const-string/jumbo v0, "ONEPLUS A3010" const-string/jumbo v1, "UTF-8" invoke-static {v0, v1}, Ljava/net/URLEncoder;->encode(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String; move-result-object v0 return-object v0
.end method.method public static getManufacturer()Ljava/lang/String;
.locals 2
.annotation system Ldalvik/annotation/Throws;value = {Ljava/io/UnsupportedEncodingException;}.end annotation .prologue const-string/jumbo v0, "OnePlus" const-string/jumbo v1, "UTF-8" invoke-static {v0, v1}, Ljava/net/URLEncoder;->encode(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String; move-result-object v0 return-object v0
.end method


2. 重新打包

$ apktool b tv_video_3.2.0.1057_android_15000


在dist文件夹内会生成新的apk安装包

3. 重新签名

$ jarsigner -verbose -keystore ~/.android/debug.keystore -signedjar app_signed.apk ~/Desktop/tv_video_3.2.0.1057_android_15000/dist/tv_video_3.2.0.1057_android_15000.apk androiddebugkey


4. 安装到小米设备上看看是不是大功告成

哎，一不小心又写了篇水文章。虽然处理很简单，但内心还是非常激动的，毕竟让家里的父老乡亲认识到读书还是有用的。哈哈~