* The author of this article is a network security expert. This article is part of the FreeBuf original award plan and may not be reproduced without permission.

Every time the dorm orders takeout, deciding who goes downstairs to fetch it is a big problem. My room usually settles it by rolling the WeChat dice emoji, but my luck is bad and I kept losing, so I started wondering whether the dice could be made to show 6 every time. Heaven rewards the diligent: I found a way.

Preparation

You need a rooted phone with the Xposed hook framework installed. The most important, and hardest, part of hooking is finding the hook point; once it is found, writing the Xposed module is relatively simple.

The WeChat version used in this experiment is 6513.

A first guess

Let's first guess how the WeChat dice is implemented. Anyone with even a little programming experience will guess a random function, and that is what I thought too.

Reverse analysis

Decompiling the APK

Simple preparation: unpack the APK with apktool, then open the WeChat APK in Jadx. WeChat is large, so it takes a while to open.

Find the id of the dice control

This can be done with uiautomatorviewer.bat, a tool shipped with the Android SDK. The interface is shown below.

The id of the dice control is CPH. Looking it up in public.xml shows that CPH corresponds to the value 0x7F100d28.

Finally, use this value to find the real name in the R class: BFQ.

Find the Hook point

The hardest part is finding the hook point. Search globally for BQF in Jadx. The findViewById() call is obviously what we are looking for, so double-click it to view the code. If there is more than one match, check them one by one.

Looking up and down through this class shows that it is a BaseAdapter, but its getView method does not set a click listener.

Search globally to find where this function is called.

Double-click through to the code and you reach the SmileyGrid control. Look at the definition of SmileyGrid.

After analyzing the methods in onItemClick one by one, the method in the red box turns out to be the one we are looking for.

Looking at the code of function A, the bottom two branches are just toasts, which are obviously not what we want. So we need to look at the remaining branches.

After checking, we know it is the first one, that is: c = c(((com.tencent.mm.plugin.emoji.Biggest) h.j(com.tencent.mm.plugin.emoji.b.c.class)).getEmojiMgr().c(cVar));

From the imported package information we can tell that h is com.tencent.mm.kernel.h and that the other type is com.tencent.mm.plugin.emoji.Biggest. Continue by analyzing each of these places in the code.

Here is the code for h.j; it returns j.

Below is the code for emoji.b.c, which we can see is an interface.

At this point I was stuck for a long time with no ideas, so I wrote a simple Xposed module that hooks the j function of com.tencent.mm.kernel.h to see what type it returns.

After installing the module and rebooting, open WeChat, clear logcat, and click the dice. The output below shows that the input parameter type is com.tencent.mm.plugin.emoji.Biggest and the return type is com.tencent.mm.plugin.emoji.PluginEmoji. Next, look at the PluginEmoji code.

Notice that PluginEmoji contains the getEmojiMgr method.

With that in mind, the earlier module was extended to hook this method as well and see exactly what it returns. Click the dice again and another line appears in the log shown above: the return value is the concrete class com.tencent.mm.plugin.emoji.Um participant. Look at the code of emoji.Um participant.

The focus is of course on analyzing the emoji manager; here is its code. From yH.movToPosition(dM) we know that dM is the key, so continue tracing the code of bf.dM. From the import we know it comes from com.tencent.mm.sdk.platformtools.bf.

Seeing the Random call is a little exciting; I think this is the right place. Hook it as well to see what its input and return parameters are.

The input parameters are 5 and 0, and the output corresponds exactly to the dice value: 3 corresponds to 4 points, 1 corresponds to 2 points, 1 corresponds to 0 points.

Writing the module

Once the place where the random number is returned has been found, writing the hook module is simple. One more thing to note: rock-paper-scissors uses the same random function, so be careful when writing the hook.
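The tracing hooks described above (logging what h.j returns, and what bf.dM receives and returns, plus which caller invoked it so dice rolls can be separated from rock-paper-scissors), as an added example that is not the author's module. Class and method names are those the article names; the module package, the class name DiceTraceModule, and the (int, int) signature of bf.dM are assumptions.

```java
package com.example.dicetrace; // assumed module package name

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

// Read-only tracing module: logs argument and return types of the two methods
// the article walks through, without changing any behaviour.
public class DiceTraceModule implements IXposedHookLoadPackage {
    private static final String WECHAT_PKG = "com.tencent.mm";
    private static final String KERNEL_H = "com.tencent.mm.kernel.h";
    // (int,int) signature of bf.dM is assumed from "the input parameters are 5 and 0"
    private static final String BF = "com.tencent.mm.sdk.platformtools.bf";
    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        if (!WECHAT_PKG.equals(lpparam.packageName)) return;
        // Step 1 of the article: what does h.j(Class) hand back?
        XposedHelpers.findAndHookMethod(KERNEL_H, lpparam.classLoader, "j", Class.class,
                new XC_MethodHook() {
                    @Override
                    protected void afterHookedMethod(MethodHookParam param) {
                        Object ret = param.getResult();
                        XposedBridge.log("h.j(" + param.args[0] + ") -> "
                                + (ret == null ? "null" : ret.getClass().getName()));
                    }
                });
        // Step 2: trace the random helper and record who called it, so dice rolls
        // can be told apart from rock-paper-scissors, which shares this function.
        XposedHelpers.findAndHookMethod(BF, lpparam.classLoader, "dM", int.class, int.class,
                new XC_MethodHook() {
                    @Override
                    protected void afterHookedMethod(MethodHookParam param) {
                        XposedBridge.log("bf.dM(" + param.args[0] + ", " + param.args[1]
                                + ") = " + param.getResult() + " from " + callerOf(BF));
                    }
                });
    }
    // First stack frame inside WeChat that is not the hooked class itself.
    static String callerOf(String hookedClass) {
        for (StackTraceElement f : Thread.currentThread().getStackTrace()) {
            String c = f.getClassName();
            if (c.startsWith(WECHAT_PKG) && !c.equals(hookedClass))
                return c + "." + f.getMethodName();
        }
        return "unknown";
    }
}
```

The module is activated by listing the fully qualified class name in assets/xposed_init and adding the usual xposedmodule meta-data to the manifest; the log lines appear in logcat under the Xposed tag.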

Finally, let's see how it works.

At last, I no longer have to fetch the takeout.

Conclusion

1. Find the id: use uiautomatorviewer to locate the id of the control that receives the click event, then use public.xml and the R class to find the real class name and hexadecimal id.

2. Locate the key code: the hardest part is locating the key code, and it usually takes a lot of time.

3. Write the Xposed module: once the key function is found, writing the module is relatively simple. Note that some apps split their code into multiple packages, which needs attention when hooking.
