1、申 请 I D:五个木
2、个人邮箱:245868553@qq.com
3、原创技术文章:https://bbs.ichunqiu.com/thread-21829-1-1.html
证明是自己的原创文章
文章没有达到精华技术的水准,但我非常想加入论坛与大家学习和交流,在这分享下我自己Android逆向钉钉打卡的笔记
实现以下功能:
1.钉钉自定义位置打开(非第三方虚拟定位方法)
2.钉钉自定义WIFI BSSID
3.钉钉自定义拍照图片
逆向的钉钉apk版本:com.alibaba.android.rimet_4.6.3_497.apk
逆向工具:apktool_2.3.4.jar
用到的命令:1.反编译:java -jar apktool_2.3.4.jar d xxx.apk2.编译:java -jar apktool_2.3.4.jar b 文件夹 3.编译成功后在dist文件中生成编译后的apk4.签名:jarsigner -digestalg SHA1 -sigalg SHA1withRSA -verbose -keystore 密钥.key -signedjar app-release.encrypted.apk com.alibaba.android.rimet_4.6.3_497.apk 签名别名
再逆向的过程中,需要不断的调试,以下是为了日志输出调试的smali代码输出string类型日志#test Logconst-string v1, "0.0"const-string v2, "钉钉:getEntry_111111"invoke-static {v1, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I输出boolean类型日志#test Log 钉钉日志const-string v1, "0.0"invoke-static {p1}, Ljava/lang/String;->valueOf(Z)Ljava/lang/String;move-result-object v2invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
#test booleaninvoke-static {v12}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;move-result-object v5invoke-static {v5}, Lcom/langzu/baozha/ddutil/DDUtil;->testLog(Ljava/lang/Boolean;)V
输出int类型日志#test int 旋转方向degreeinvoke-static {v10}, Lcom/langzu/baozha/ddutil/DDUtil;->testLog(I)V
输出字符串拼接整型日志#test Logconst-string v1, "0.0"const-string v2, "钉钉:定位经纬度————31 31 31 getErrorCode:"new-instance v3, Ljava/lang/StringBuilder;invoke-direct {v3}, Ljava/lang/StringBuilder;-><init>()Vinvoke-virtual {v3, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;invoke-virtual {v3, v0}, Ljava/lang/StringBuilder;->append(I)Ljava/lang/StringBuilder;invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;move-result-object v3invoke-static {v1, v3}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
toast输出#test toastconst/4 v2, 0x1const-string/jumbo v3, "欢迎使用爆炸版钉钉~~"invoke-static {p0, v3, v2}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;move-result-object v2invoke-virtual {v2}, Landroid/widget/Toast;->show()V
钉钉模块注册 hdl.smali.class public final Lhdl;日志报文解析 service为hdl.smali中的模块名,action为模块中的方法名,例子:service=internal.request, action=lwp
钉钉数据请求日志输入修改涉及文件:.class public Lcom/alibaba/lightapp/runtime/monitor/RuntimeTrace;修改trace方法打印日志#test Log 钉钉日志invoke-static {v1}, Lcom/langzu/baozha/ddutil/DDUtil;->testLog(Ljava/lang/String;)V
开始向我们的目标前进:一. 植入工具类 DDUtil.smali 这个是比较重要的一个类,自己写的原生项目,反编译后获取到的工具类。实现的功能是:将自定义的定位数据,自定义的WIFI BSSID数据,自定义的拍照图片数据 传递给钉钉。
这里就先不贴代码了,后面申请会员通过后再贴出来吧二. 自定义wifi bssid修改修改涉及文件:
.class public Lcom/alibaba/lightapp/runtime/plugin/device/Base; .class Lcom/alibaba/lightapp/runtime/plugin/device/Base$1;
1.Landroid/net/wifi/WifiInfo;->getBSSID#修改wifiinvoke-static {}, Lcom/langzu/baozha/ddutil/DDUtil;->getMybssid()Ljava/lang/String;move-result-object v0
2.Landroid/net/wifi/WifiInfo;->getSSIDLcom/langzu/baozha/ddutil/DDUtil;->getMyssid
例子:#修改wifiinvoke-static {}, Lcom/langzu/baozha/ddutil/DDUtil;->getMyssid()Ljava/lang/String;move-result-object v5
#修改wifiinvoke-static {}, Lcom/langzu/baozha/ddutil/DDUtil;->getMybssid()Ljava/lang/String;move-result-object v5
三. 自定义定位修改修改AndroidManifest.xml高德定位com.amap.api.v2.apikey修改涉及文件:.class public Lcom/alibaba/lightapp/runtime/plugin/device/Geolocation;修改dispatchContinualLocationResult2H5方法修改入参 p1为true p2为自定义定位信息#test method 设置定位参数invoke-static {}, Lcom/langzu/baozha/ddutil/DDUtil;->getAmapLocation()Lcom/amap/api/location/AMapLocation;move-result-object p2#test 修改为trueconst/4 p1, 0x1
签到 地点微调 设置修改涉及文件 .class public Lcom/alibaba/lightapp/runtime/plugin/biz/Map;修改方法.method private navigatorToLocationForCustom#test 修改 地点微调 经纬度invoke-static {}, Lcom/langzu/baozha/ddutil/DDUtil;->getLongitude()Dmove-result-wide p2invoke-static {}, Lcom/langzu/baozha/ddutil/DDUtil;->getLatitude()Dmove-result-wide p4
四.启动设置Activity1.修改AndroidManifest.xmlcom.alibaba.android.rimet.biz.SplashActivity
<!-- 通过浏览器Url启动app --><intent-filter><action android:name="android.intent.action.VIEW" /><category android:name="android.intent.category.DEFAULT" /><category android:name="android.intent.category.BROWSABLE" /><data android:host="baozha" android:scheme="dingtalk" /></intent-filter>
2.修改文件.class public Lcom/alibaba/android/rimet/biz/SplashActivity;
onCreate方法中
#test toastconst/4 v2, 0x1const-string/jumbo v3, "欢迎使用爆炸版钉钉~~"invoke-static {p0, v3, v2}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;move-result-object v2invoke-virtual {v2}, Landroid/widget/Toast;->show()V
#test method 初始化invoke-virtual {p0}, Lcom/alibaba/android/dingtalkbase/DingtalkBaseActivity;->getIntent()Landroid/content/Intent;move-result-object v4
#test method 初始化invoke-static {p0}, Lcom/langzu/baozha/ddutil/DDUtil;->initBaozha(Landroid/content/Context;)V#test method wifi赋值invoke-static {v4}, Lcom/langzu/baozha/ddutil/DDUtil;->setConfigInfo(Landroid/content/Intent;)V
五.自定义签到拍照图片配置1.修改.class public Lcom/alibaba/laiwang/photokit/picker/edit/activity/picedit_activity;修改onCreate方法
#修改拍照图片(v13 # "imagePath")invoke-static {v13}, Lcom/langzu/baozha/ddutil/DDUtil;->getConfigImgUrl(Ljava/lang/String;)Ljava/lang/String;move-result-object v13
#test 修改图片方向为0 不做旋转 注意修改地方const/4 v10, 0x0
#test 修改surfaceview_resize为false 注意修改地方const/4 v12, 0x0
六.考勤打卡拍照图片配置
1.修改AndroidManifest.xml文件中的Activity的配置com.alibaba.dingtalk.facebox.camera.activity.CameraActivity2 和 com.alibaba.dingtalk.facebox.camera.activity.PiceditActivity2删除不同进程的配置android:process=":tools"
2.修改.class public Lcom/alibaba/dingtalk/facebox/camera/activity/CameraActivity2;修改的方法.method static synthetic a(Lcom/alibaba/dingtalk/facebox/camera/activity/CameraActivity2;Landroid/net/Uri;)V
#test 修改考勤打卡图片uriinvoke-static {p1}, Lcom/langzu/baozha/ddutil/DDUtil;->getCinfImgUri(Landroid/net/Uri;)Landroid/net/Uri;move-result-object p1
看下app的钉钉配置页面:
钉钉配置页面
|
吾爱游客
发表于 2020-8-3 14:25
发表于 2020-8-3 18:25
感谢通过,我编辑器里看的排版好好的,我重新排下版~~