微信逆向之——静态分析利用微信源码解析field_lvbuff字段(blob类型）

younghare · 发表于 2017-7-25 16:40

本帖最后由 younghare 于 2017-7-25 16:51 编辑

准备：
jadx
目标app：
微信6.3.31 版本

静态分析：

用jadx工具全文搜索field_lvbuff

逐一排除，定位到

这下好了，我们只要把这部分代码copy出来稍做修改即可帮我们解析了。
需要有2个文件实现1：WechatByteBufferUtil.java 和Rcontactlvbuff.java
=========代码分割线==============

package hd.com.xposeddemo.utils;

import java.nio.ByteBuffer;

/**
* @author：牵手生活
* @date：2017/3/26
* @description：
*/
public class WechatByteBufferUtil {
private ByteBuffer mqn;
private boolean mqo;

public final int be(byte[] bArr) {
      boolean z = (bArr == null || bArr.length == 0) ? true : bArr[0] != (byte) 123 ? true : bArr[bArr.length + -1] != (byte) 125 ? true : false;
      if (z) {
         this.mqn = null;
         return -1;
      }
      this.mqn = ByteBuffer.wrap(bArr);
      this.mqn.position(1);
      this.mqo = false;
      return 0;
}

public final int getInt() throws Exception {
      if (!this.mqo) {
         return this.mqn.getInt();
      }
      throw new Exception("Buffer For Build");
}

public final long getLong() throws Exception {
      if (!this.mqo) {
         return this.mqn.getLong();
      }
      throw new Exception("Buffer For Build");
}

public final byte[] getBuffer() throws Exception {
      if (this.mqo) {
         throw new Exception("Buffer For Build");
      }
      short s = this.mqn.getShort();
      if (s > (short) 2048) {
         this.mqn = null;
         throw new Exception("Buffer String Length Error");
      } else if (s == (short) 0) {
         return new byte[0];
      } else {
         byte[] bArr = new byte;
         this.mqn.get(bArr, 0, s);
         return bArr;
      }
}

public final String getString() throws Exception {
      if (this.mqo) {
         throw new Exception("Buffer For Build");
      }
      short s = this.mqn.getShort();
      if (s > (short) 2048) {
         this.mqn = null;
         throw new Exception("Buffer String Length Error");
      } else if (s == (short) 0) {
         return "";
      } else {
         byte[] bArr = new byte;
         this.mqn.get(bArr, 0, s);
         return new String(bArr, "UTF-8");
      }
}

public final void tL(int i) {
      this.mqn.position(this.mqn.position() + i);
}

public final void bmK() throws Exception {
      if (this.mqo) {
         throw new Exception("Buffer For Build");
      }
      short s = this.mqn.getShort();
      if (s > (short) 2048) {
         this.mqn = null;
         throw new Exception("Buffer String Length Error");
      } else if (s != (short) 0) {
         this.mqn.position(s + this.mqn.position());
      }
}

public final boolean bmL() {
      return this.mqn.limit() - this.mqn.position() <= 1;
}

}
==============代码分割线===============
package hd.com.xposeddemo.utils;

import android.database.Cursor;
import android.util.Log;

import org.apache.mina.util.Base64;

import hd.com.xposeddemo.bean.FriendInfo;

/**
* @author：牵手生活
* @date：2017/3/26
* @description：
*/
public class Rcontactlvbuff {

// private static final int bAh = "alias".hashCode();
// private static final int bAi = "conRemark".hashCode();
// private static final int bAj = "domainList".hashCode();
// private static final int bAk = "pyInitial".hashCode();
// private static final int bAl = "quanPin".hashCode();
// private static final int bAm = "showHead".hashCode();
// private static final int bAn = "weiboFlag".hashCode();
// private static final int bAo = "weiboNickname".hashCode();
// private static final int bAp = "conRemarkPYFull".hashCode();
// private static final int bAq = "conRemarkPYShort".hashCode();
// private static final int bAr = "verifyFlag".hashCode();
// private static final int bAs = "encryptUsername".hashCode();
// private static final int bAt = "chatroomFlag".hashCode();
// private static final int bAu = "deleteFlag".hashCode();
// private static final int bAv = "contactLabelIds".hashCode();
// public static final String[] brH = new String[]{"CREATE INDEX IF NOT EXISTS deleteflag_index ON Contact(deleteFlag)"};
// private static final int brQ = "rowid".hashCode();
// private static final int bvK = "lvbuff".hashCode();
// private static final int byd = "username".hashCode();
// private static final int byy = "nickname".hashCode();
public String bAA;
public int bAB;
public int bAC;
public String bAD;
public String bAE;
public int bAF;
public int bAG;
public String bAH;
private String bAI;  //省份
private String bAJ;  //省市
public String bAK;
public int bAL;
public String bAM;
public String bAN;
public String bAO;
public int bAP;
public int bAQ;
public String bAR;
public String bAS;
public String bAT;
public String bAU;
public String bAV;
public String bAW;
public String bAX;
private boolean bAa = false;
private boolean bAb = false;
private boolean bAc = false;
private boolean bAd = false;
private boolean bAe = false;
private boolean bAf = false;
private boolean bAg = false;
public int bAw;
public int bAx;  //手机号码
public String bAy;
public long bAz;
public int bbt;
public String bhc;
private boolean bsz = false;
private boolean bvo = false;
private boolean bxO = false;
private boolean byu = false;
private boolean bzS = false;
private boolean bzT = false;
private boolean bzU = false;
private boolean bzV = false;
private boolean bzW = false;
private boolean bzX = false;
private boolean bzY = false;
private boolean bzZ = false;
private String field_alias;
public int field_chatroomFlag;
public String field_conRemark;
public String field_conRemarkPYFull;
public String field_conRemarkPYShort;
public String field_contactLabelIds;
public int field_deleteFlag;
public String field_domainList;
public String field_encryptUsername;
public byte[] field_lvbuff;//==========
public String field_nickname;
private String field_pyInitial;
private String field_quanPin;
public int field_showHead;
public int field_type;
public String field_username;
public int field_verifyFlag;
public int field_weiboFlag;
public String field_weiboNickname;
public int uin;

public long muj = -1; //rowid

public void setUsername(String str) {
      this.field_username = str;
      this.bxO = true;
}

public final String getUsername() {
      return this.field_username;
}

public void bO(String str) {
      this.field_alias = str;
      this.bzS = true;
}

public String pF() {
      return this.field_alias;
}

public void bP(String str) {
      this.field_conRemark = str;
      this.bzT = true;
}

public void bQ(String str) {
      this.field_domainList = str;
      this.bzU = true;
}

public void bR(String str) {
      this.field_nickname = str;
      this.byu = true;
}

public void bS(String str) {
      this.field_pyInitial = str;
      this.bzV = true;
}

public String pG() {
      return this.field_pyInitial;
}

public void bT(String str) {
      this.field_quanPin = str;
      this.bzW = true;
}

public String pH() {
      return this.field_quanPin;
}

public void cM(int i) {
      this.field_showHead = i;
      this.bzX = true;
}

public void setType(int i) {
      this.field_type = i;
      this.bsz = true;
}

public void cN(int i) {
      this.field_weiboFlag = i;
      this.bzY = true;
}

public void bU(String str) {
      this.field_weiboNickname = str;
      this.bzZ = true;
}

public void bV(String str) {
      this.field_conRemarkPYFull = str;
      this.bAa = true;
}

public void bW(String str) {
      this.field_conRemarkPYShort = str;
      this.bAb = true;
}

public void u(byte[] bArr) {
      this.field_lvbuff = bArr;
      this.bvo = true;
}

public void cO(int i) {
      this.field_verifyFlag = i;
      this.bAc = true;
}

public void bX(String str) {
      this.field_encryptUsername = str;
      this.bAd = true;
}

public void cP(int i) {
      this.field_chatroomFlag = i;
      this.bAe = true;
}

public void cQ(int i) {
      this.field_deleteFlag = i;
      this.bAf = true;
}

public void bY(String str) {
      this.field_contactLabelIds = str;
      this.bAg = true;
}

public void b_byRcontract(FriendInfo friendInfo) {

      this.field_username = friendInfo.getUsername();
      this.bxO = true;

      this.field_alias =  friendInfo.getAlias();

      this.field_conRemark = friendInfo.getConRemark();

      this.field_domainList = friendInfo.getDomainList();

      this.field_nickname = friendInfo.getNickName();

      this.field_pyInitial = friendInfo.getPyInitial();

      this.field_quanPin = friendInfo.getQuanPin();

      this.field_showHead = friendInfo.getShowHead();

      this.field_type = friendInfo.getType();

      this.field_weiboFlag = friendInfo.getWeiboFlag();

      this.field_weiboNickname = friendInfo.getWeiboNickname();

      this.field_conRemarkPYFull = friendInfo.getConRemarkPYFull();

      this.field_conRemarkPYShort = friendInfo.getConRemarkPYShort();

      this.field_lvbuff = Base64.decodeBase64(friendInfo.getLvbuff().getBytes()); //

      this.field_verifyFlag = friendInfo.getVerifyFlag();

      this.field_encryptUsername = friendInfo.getEncryptUsername();

      this.field_chatroomFlag = friendInfo.getChatroomFlag();

      this.field_deleteFlag = friendInfo.getDeleteFlag();

      this.field_contactLabelIds = friendInfo.getContactLabelIds();
      this.muj = friendInfo.getRowid();

      pI();

}
public void b(Cursor cursor) {

      this.field_username = cursor.getString(cursor.getColumnIndex("username"));
      this.bxO = true;

      this.field_alias =  cursor.getString(cursor.getColumnIndex("alias"));

      this.field_conRemark = cursor.getString(cursor.getColumnIndex("conRemark"));

      this.field_domainList = cursor.getString(cursor.getColumnIndex("domainList"));

      this.field_nickname = cursor.getString(cursor.getColumnIndex("nickname"));

      this.field_pyInitial = cursor.getString(cursor.getColumnIndex("pyInitial"));

      this.field_quanPin = cursor.getString(cursor.getColumnIndex("quanPin"));

      this.field_showHead = cursor.getInt(cursor.getColumnIndex("showHead"));

      this.field_type = cursor.getInt(cursor.getColumnIndex("type"));

      this.field_weiboFlag = cursor.getInt(cursor.getColumnIndex("weiboFlag"));

      this.field_weiboNickname = cursor.getString(cursor.getColumnIndex("weiboNickname"));

      this.field_conRemarkPYFull = cursor.getString(cursor.getColumnIndex("conRemarkPYFull"));

      this.field_conRemarkPYShort = cursor.getString(cursor.getColumnIndex("conRemarkPYShort"));

      this.field_lvbuff = cursor.getBlob(cursor.getColumnIndex("lvbuff"));
      String s =new String(Base64.encodeBase64(field_lvbuff));
      Log.i("TAG",s);
//new String(Base64.encodeBase64(blob_lvbuff))
      this.field_verifyFlag = cursor.getInt(cursor.getColumnIndex("verifyFlag"));

      this.field_encryptUsername = cursor.getString(cursor.getColumnIndex("encryptUsername"));

      this.field_chatroomFlag = cursor.getInt(cursor.getColumnIndex("chatroomFlag"));

      this.field_deleteFlag = cursor.getInt(cursor.getColumnIndex("deleteFlag"));

      this.field_contactLabelIds = cursor.getString(cursor.getColumnIndex("contactLabelIds"));
      this.muj = cursor.getLong(cursor.getColumnIndex("rowid"));

      pI();

}

public void cR(int i) {
      this.bAw = i;
      this.bvo = true;
}

public void cS(int i) {
      this.bAx = i;
      this.bvo = true;
}

public void bZ(String str) {
      this.bAy = str;
      this.bvo = true;
}

public void t(long j) {
      this.bAz = j;
      this.bvo = true;
}

public void cT(int i) {
      this.uin = i;
      this.bvo = true;
}

public void ca(String str) {
      this.bAA = str;
      this.bvo = true;
}

public void cb(String str) {
      this.bhc = str;
      this.bvo = true;
}

public void cU(int i) {
      this.bAB = i;
      this.bvo = true;
}

public void cV(int i) {
      this.bAC = i;
      this.bvo = true;
}

public void cc(String str) {
      this.bAD = str;
      this.bvo = true;
}

public void cd(String str) {
      this.bAE = str;
      this.bvo = true;
}

public void cW(int i) {
      this.bAF = i;
      this.bvo = true;
}

public void cX(int i) {
      this.bAG = i;
      this.bvo = true;
}

public void ce(String str) {
      this.bAH = str;
      this.bvo = true;
}

public String getProvince() {
      return this.bAI;
}

public void cf(String str) {
      this.bAI = str;
      this.bvo = true;
}

public String getCity() {
      return this.bAJ;
}

public void cg(String str) {
      this.bAJ = str;
      this.bvo = true;
}

public void ch(String str) {
      this.bAK = str;
      this.bvo = true;
}

public void cY(int i) {
      this.bAL = i;
      this.bvo = true;
}

public void setSource(int i) {
      this.bbt = i;
      this.bvo = true;
}

public void ci(String str) {
      this.bAM = str;
      this.bvo = true;
}

public void cj(String str) {
      this.bAN = str;
      this.bvo = true;
}

public void ck(String str) {
      this.bAO = str;
      this.bvo = true;
}

public void cZ(int i) {
      this.bAP = i;
      this.bvo = true;
}

public void da(int i) {
      this.bAQ = i;
      this.bvo = true;
}

public void cl(String str) {
      this.bAR = str;
      this.bvo = true;
}

public void cm(String str) {
      this.bAS = str;
      this.bvo = true;
}

public void cn(String str) {
      this.bAT = str;
      this.bvo = true;
}

public void co(String str) {
      this.bAU = str;
      this.bvo = true;
}

public void cp(String str) {
      this.bAV = str;
      this.bvo = true;
}

public void cq(String str) {
      this.bAW = str;
      this.bvo = true;
}

public void cr(String str) {
      this.bAX = str;
      this.bvo = true;
}

public final void pI() {
      try {
         if (this.field_lvbuff != null && this.field_lvbuff.length != 0) {
            WechatByteBufferUtil wechatByteBufferUtilVar = new WechatByteBufferUtil();
            int be = wechatByteBufferUtilVar.be(this.field_lvbuff);
            if (be != 0) {
//                   v.e("MicroMsg.SDK.BaseContact", "parse LVBuffer error:" + be);
                  Log.e("BaseContact","parse LVBuffer error:" + be);
                  return;
            }
            this.bAw = wechatByteBufferUtilVar.getInt();
            this.bAx = wechatByteBufferUtilVar.getInt();
            this.bAy = wechatByteBufferUtilVar.getString();
            this.bAz = wechatByteBufferUtilVar.getLong();
            this.uin = wechatByteBufferUtilVar.getInt();
            this.bAA = wechatByteBufferUtilVar.getString();
            this.bhc = wechatByteBufferUtilVar.getString();
            this.bAB = wechatByteBufferUtilVar.getInt();
            this.bAC = wechatByteBufferUtilVar.getInt();
            this.bAD = wechatByteBufferUtilVar.getString();
            this.bAE = wechatByteBufferUtilVar.getString();
            this.bAF = wechatByteBufferUtilVar.getInt();
            this.bAG = wechatByteBufferUtilVar.getInt();
            this.bAH = wechatByteBufferUtilVar.getString();
            this.bAI = wechatByteBufferUtilVar.getString();
            this.bAJ = wechatByteBufferUtilVar.getString();
            this.bAK = wechatByteBufferUtilVar.getString();
            this.bAL = wechatByteBufferUtilVar.getInt();
            this.bbt = wechatByteBufferUtilVar.getInt();
            this.bAM = wechatByteBufferUtilVar.getString();
            this.field_verifyFlag = wechatByteBufferUtilVar.getInt();
            this.bAN = wechatByteBufferUtilVar.getString();
            if (!wechatByteBufferUtilVar.bmL()) {
                  this.bAO = wechatByteBufferUtilVar.getString();
            }
            if (!wechatByteBufferUtilVar.bmL()) {
                  this.bAP = wechatByteBufferUtilVar.getInt();
            }
            if (!wechatByteBufferUtilVar.bmL()) {
                  this.bAQ = wechatByteBufferUtilVar.getInt();
            }
            if (!wechatByteBufferUtilVar.bmL()) {
                  this.bAR = wechatByteBufferUtilVar.getString();
            }
            if (!wechatByteBufferUtilVar.bmL()) {
                  this.bAS = wechatByteBufferUtilVar.getString();
            }
            if (!wechatByteBufferUtilVar.bmL()) {
                  this.bAT = wechatByteBufferUtilVar.getString();
            }
            if (!wechatByteBufferUtilVar.bmL()) {
                  this.bAU = wechatByteBufferUtilVar.getString();
            }
            if (!wechatByteBufferUtilVar.bmL()) {
                  this.bAV = wechatByteBufferUtilVar.getString();
            }
            if (!wechatByteBufferUtilVar.bmL()) {
                  this.bAW = wechatByteBufferUtilVar.getString();
            }
            if (!wechatByteBufferUtilVar.bmL()) {
                  this.bAX = wechatByteBufferUtilVar.getString();
            }
         }
      } catch (Exception e) {
//          v.e("MicroMsg.SDK.BaseContact", "get value failed");
         //Log.e("BaseContact","get value failed" );
         System.out.println("get value failed");

      }
}

}

younghare · 发表于 2017-7-25 16:42

这篇我也有发布在
http://www.toutiao.com/i6446610233325257230/

l13t · 发表于 2017-7-25 18:23

mark~~~~

守望者warden · 发表于 2017-7-25 16:46

你这个颜色看得我有点累 0.0

liu5585 · 发表于 2017-7-25 16:52

bytebuffer是数据缓存不

尕可 · 发表于 2017-7-25 17:06

火钳刘明

幸运物牛 · 发表于 2017-7-25 17:09

膜拜大牛

冰露㊣神 · 发表于 2017-7-25 17:10

请问如何防封

lm8 · 发表于 2017-7-25 17:18

感谢分享，学习了

23king · 发表于 2017-7-25 17:27

666,楼主顺便讲解下如何防止被封呢?

x6666u · 发表于 2017-7-25 17:28

学习了谢谢大神

帐号		自动登录	找回密码
密码			注册[Register]

[Android 原创] 微信逆向之——静态分析利用微信源码解析field_lvbuff字段(blob类型）

免费评分

免费评分