package com.xxxxx.mm.sdk.platformtools;
public class ad
/**
 * Logging back-end contract nested in {@code ad} (referenced as {@code ad.a}).
 *
 * Declares one method per log level plus appender lifecycle calls. In this listing
 * {@code Xlog} implements it and forwards logV/logD/logI/logW/logE/logF to its native
 * writer with level codes 0 through 5 respectively.
 *
 * All six log methods share one argument shape. Going by the Xlog implementation shown
 * here, the first String is the tag (it is passed through decryptTag) and the last
 * String appears to be the message (it is passed through LogLogic.appendMemLog on four
 * of the six levels).
 * NOTE(review): the middle arguments look like file name, function name, line, pid,
 * thread id and main-thread id, as in the open-source Mars xlog API. The decompiler
 * dropped the names, so confirm before relying on this.
 */
public interface a {
// Appender lifecycle. Implementations are not shown on this page.
void appenderClose();
// NOTE(review): the boolean presumably selects a synchronous flush; confirm.
void appenderFlush(boolean z);
// Returns the current level as an int.
// NOTE(review): presumably the same 0-5 codes that Xlog passes to its native writer; confirm.
int getLogLevel();
// Per-level entry points; Xlog maps D=1, E=4, F=5, I=2, V=0, W=3.
void logD(String str, String str2, String str3, int i, int i2, long j, long j2, String str4);
void logE(String str, String str2, String str3, int i, int i2, long j, long j2, String str4);
void logF(String str, String str2, String str3, int i, int i2, long j, long j2, String str4);
void logI(String str, String str2, String str3, int i, int i2, long j, long j2, String str4);
void logV(String str, String str2, String str3, int i, int i2, long j, long j2, String str4);
void logW(String str, String str2, String str3, int i, int i2, long j, long j2, String str4);
// The name indicates logs are staged in a cache directory and later moved to the log
// directory; the implementation is not part of this listing.
void moveLogsFromCacheDirToLogDir();
}
package com.xxxxx.mars.xlog;
public class Xlog implements ad.a
/**
 * JNI writer that takes a packed {@code XLoggerInfo} plus a String.
 *
 * Not called from any code visible in this listing; {@code XLoggerInfo} is declared
 * elsewhere. The native implementation is not shown here.
 */
public static native void logWrite(XLoggerInfo xLoggerInfo, String str);
/**
 * Opens the log appender, loading the native logging library first when requested.
 *
 * @param z when true, {@code System.loadLibrary("xxxxxxlog")} runs before the appender
 *          is opened; when false the library is expected to be loaded already
 *
 * The remaining six arguments are handed to {@code AppenderOpen} unchanged and in order.
 * NOTE(review): in the open-source Mars xlog API the corresponding arguments are level,
 * mode, cache dir, log dir and name prefix. The names were lost in decompilation, so
 * confirm against the native side.
 */
public static void open(boolean z, int i, int i2, String str, String str2, String str3, int i3) {
    final boolean loadNativeLibrary = z;
    if (loadNativeLibrary) {
        // Must happen before any native method of this class is invoked.
        System.loadLibrary("xxxxxxlog");
    }
    AppenderOpen(i, i2, str, str2, str3, i3);
}
/**
 * JNI writer that every logV/logD/logI/logW/logE/logF method in this class forwards to.
 *
 * The first int is the level code (0 through 5 in the callers shown). The first String
 * receives the tag after it has been passed through decryptTag, and the last String
 * receives the message. The arguments in between are forwarded by the callers untouched.
 */
public static native void logWrite2(int i, String str, String str2, String str3, int i2, int i3, long j, long j2, String str4);
/**
 * Emits a record with level code 0 through the native writer.
 *
 * The tag is passed through decryptTag first. Unlike logD/logI/logW/logE, the message
 * is forwarded as-is and does not go through LogLogic.appendMemLog.
 */
public void logV(String str, String str2, String str3, int i, int i2, long j, long j2, String str4) {
    final String tag = decryptTag(str);
    logWrite2(0, tag, str2, str3, i, i2, j, j2, str4);
}
/**
 * Emits a record with level code 1 through the native writer.
 *
 * The tag is passed through decryptTag and the message through LogLogic.appendMemLog
 * before the native call; neither helper is shown in this listing.
 */
public void logD(String str, String str2, String str3, int i, int i2, long j, long j2, String str4) {
    final String tag = decryptTag(str);
    final String message = LogLogic.appendMemLog(str4);
    logWrite2(1, tag, str2, str3, i, i2, j, j2, message);
}
/**
 * Emits a record with level code 2 through the native writer.
 *
 * The tag is passed through decryptTag and the message through LogLogic.appendMemLog
 * before the native call; neither helper is shown in this listing.
 *
 * NOTE(review): the I-level transcript lines on this page include a recipient
 * identifier ("toUser:..."), so records on this path can carry user identifiers once
 * console output is enabled. Redacting such fields before the native write would keep
 * them out of logcat.
 */
public void logI(String str, String str2, String str3, int i, int i2, long j, long j2, String str4) {
    final String tag = decryptTag(str);
    final String message = LogLogic.appendMemLog(str4);
    logWrite2(2, tag, str2, str3, i, i2, j, j2, message);
}
/**
 * Emits a record with level code 3 through the native writer.
 *
 * The tag is passed through decryptTag and the message through LogLogic.appendMemLog
 * before the native call; neither helper is shown in this listing.
 */
public void logW(String str, String str2, String str3, int i, int i2, long j, long j2, String str4) {
    final String tag = decryptTag(str);
    final String message = LogLogic.appendMemLog(str4);
    logWrite2(3, tag, str2, str3, i, i2, j, j2, message);
}
/**
 * Emits a record with level code 4 through the native writer.
 *
 * The tag is passed through decryptTag and the message through LogLogic.appendMemLog
 * before the native call; neither helper is shown in this listing.
 */
public void logE(String str, String str2, String str3, int i, int i2, long j, long j2, String str4) {
    final String tag = decryptTag(str);
    final String message = LogLogic.appendMemLog(str4);
    logWrite2(4, tag, str2, str3, i, i2, j, j2, message);
}
/**
 * Emits a record with level code 5 through the native writer.
 *
 * The tag is passed through decryptTag first. Like logV, and unlike the four levels in
 * between, the message is forwarded as-is without LogLogic.appendMemLog.
 */
public void logF(String str, String str2, String str3, int i, int i2, long j, long j2, String str4) {
    final String tag = decryptTag(str);
    logWrite2(5, tag, str2, str3, i, i2, j, j2, str4);
}
查找 Xlog 的引用,找到 isLogcatOpen,总之先把这个变量置为 true 试试(注意:下面的脚本实际调用的是 Xlog.setConsoleLogOpen(true),并没有直接给 isLogcatOpen 赋值)
package com.xxxxx.mm.xlog.app;
// Excerpt of the logging bootstrap class; the page elides the rest of the body ("...").
public class XLogSetup {
// Boxed Boolean with no initializer in this excerpt, so it is null unless the elided
// part assigns it.
// NOTE(review): public, static and non-final, so any code running in the process can
// change it. If this flag gates console logging in release builds, a compile-time
// constant would be harder to flip at runtime; confirm how it is read.
public static Boolean isLogcatOpen;
...
}
frida代码:
// Frida script: switch on the app's console log output from inside the running process
// so that the Xlog records show up in logcat during analysis.
function hook_java() {
    Java.perform(function enableConsoleLog() {
        // Resolved but not used below: the script never touches XLogSetup.isLogcatOpen.
        var setupClass = Java.use("com.xxxxx.mm.xlog.app.XLogSetup");
        var xlogClass = Java.use("com.xxxxx.mars.xlog.Xlog");

        // setConsoleLogOpen is not part of the decompiled excerpt shown on this page;
        // it is called here as a static method of Xlog.
        xlogClass.setConsoleLogOpen(true);
    });
}
通话过程分析
尝试发起通话请求,此时可以看到一些日志:
keyword: MicroMsg.Voip
2020-06-26 10:57:24.948 15584-15584/? I/MicroMsg.Voip.VoipService: [, , 15584]:startVoiceCall, toUser:wxid_XXXXXXXXXXXX
2020-06-26 10:57:24.949 15584-15584/? I/MicroMsg.Voip.VoipService: [, , 15584]:start VideoActivity in foreground,true
2020-06-26 10:57:34.141 15584-15648/? I/MicroMsg.Voip.AudioPlayer: [, , 15648]:m_iLefSamples value is 640 and iPos value is 3840
2020-06-26 10:57:34.149 15584-15647/? I/MicroMsg.Voip.VoipDeviceHandler: [, , 15647]:[629]amyfwang,first record
2020-06-26 10:57:34.164 15584-15648/? I/MicroMsg.Voip.AudioPlayer: [, , 15648]:m_iLefSamples value is 640 and iPos value is 4160
2020-06-26 10:57:34.187 15584-15648/? I/MicroMsg.Voip.AudioPlayer: [, , 15648]:m_iLefSamples value is 640 and iPos value is 4480
由于通话请求并没有走http,所以尝试hook了一下send
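// Frida script: trace every libc send() call made by the instrumented process.
// For each call it prints the raw arguments, a hex dump of the buffer and a backtrace.
// The output covers everything that goes through send(), not only VoIP traffic: the
// transcript on this page also contains the netlink requests issued by getifaddrs.
function hook_native() {
    var send_ptr = Module.findExportByName("libc.so", "send");
    if (send_ptr === null) {
        // findExportByName returns null when the symbol is missing; Interceptor.attach
        // would throw on a null target, so stop here with a readable message instead.
        console.log("send: export not found in libc.so");
        return;
    }
    // The original printed the bare label; include the resolved address it was meant to show.
    console.log("send: ", send_ptr);
    Interceptor.attach(send_ptr, {
        onEnter: function (args) {
            // send(int sockfd, const void *buf, size_t len, int flags)
            var length = args[2].toInt32();
            console.log("calling send: ", send_ptr, args[0], args[1], args[2], args[3]);
            // args[1] is already a NativePointer, so no ptr() wrapper is needed.
            console.log("send_hex:", hexdump(args[1], {length: length}));
            // The "open" label is a leftover from another hook. It is kept unchanged so
            // the output still matches the transcript shown on this page.
            console.log("open" + ' called from:\n' +
                Thread.backtrace(this.context, Backtracer.ACCURATE)
                    .map(DebugSymbol.fromAddress).join('\n') + '\n');
        }
    });
}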
发起通话请求后,可以看到如下日志(从调用栈看,这个 0x18 字节的 send 来自 libvoipComm.so 里的 getifaddrs,应当是在枚举本机网卡地址,而不是通话信令本身)
[Pixel::com.xxxxx.mm]-> calling send: 0xe6d327e3 0x124 0xfffa8ad0 0x18 0x0
send_hex: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
fffa8ad0 18 00 00 00 16 00 01 01 00 00 00 00 00 00 00 00 ................
fffa8ae0 00 00 00 00 00 00 00 00 ........
open called from:
0xbf0e0f71 libvoipComm.so!_Z10getifaddrsPP7ifaddrs+0x54
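通话请求接通后,刷出如下日志(其中明文的 HTTP GET 发往局域网地址 192.168.188.1:5431,调用栈经过 CNatPunchUpnp,属于 UPnP 端口映射相关的请求;sendto 发出的 UDP 数据则不是可读明文,对应的 sendto hook 代码文中没有贴出)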
calling send: 0xe6d327e3 0x121 0xfffa92d0 0x18 0x0
send_hex: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
fffa92d0 18 00 00 00 16 00 01 01 00 00 00 00 00 00 00 00 ................
fffa92e0 00 00 00 00 00 00 00 00 ........
open called from:
0xbf0e0f71 libvoipComm.so!_Z10getifaddrsPP7ifaddrs+0x54
calling send: 0xe6d327e3 0x148 0xbd90afe0 0x9d 0x0
send_hex: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
bd90afe0 47 45 54 20 2f 64 79 6e 64 65 76 2f 75 75 69 64 GET /dyndev/uuid
bd90aff0 3a 30 34 34 30 61 39 63 65 2d 65 61 36 36 2d 30 :0440a9ce-ea66-0
bd90b000 34 34 30 2d 61 39 63 65 2d 65 61 36 36 30 30 30 440-a9ce-ea66000
bd90b010 30 31 63 35 38 20 48 54 54 50 2f 31 2e 31 0d 0a 01c58 HTTP/1.1..
bd90b020 48 6f 73 74 3a 20 31 39 32 2e 31 36 38 2e 31 38 Host: 192.168.18
bd90b030 38 2e 31 3a 35 34 33 31 0d 0a 43 6f 6e 6e 65 63 8.1:5431..Connec
bd90b040 74 69 6f 6e 3a 20 43 6c 6f 73 65 0d 0a 55 73 65 tion: Close..Use
bd90b050 72 2d 41 67 65 6e 74 3a 20 4f 53 2f 31 2e 30 2c r-Agent: OS/1.0,
bd90b060 20 55 50 6e 50 2f 31 2e 31 2c 20 57 65 63 68 61 UPnP/1.1, Wecha
bd90b070 74 55 50 6e 50 2f 31 2e 30 0d 0a 0d 0a tUPnP/1.0....
calling send: 0xe6d327e3 0x14a 0xfffa9380 0x18 0x0
send_hex: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
fffa9380 18 00 00 00 16 00 01 01 00 00 00 00 00 00 00 00 ................
fffa9390 00 00 00 00 00 00 00 00 ........
open called from:
0xbf0e0f71 libvoipComm.so!_Z10getifaddrsPP7ifaddrs+0x54
open called from:
0xbf0db47b libvoipComm.so!_ZN9MMTinyLib11MMTSockSendEiPKvPlj+0xe
0xbf0dcf27 libvoipComm.so!_ZN9MMTinyLib10MMTIoqueue24DispatchTcpWritableEventEPNS_14AsyncTCPSocketEb+0xda
0xbf0dd601 libvoipComm.so!_ZN9MMTinyLib10MMTIoqueue4PollENS_10MMTTimeValE+0x298
0xbbaaf8f7 libvoipChannel.so!_ZN19MultiMediaComponent10CoreThread4PollEv+0xe
0xbbac6753 libvoipChannel.so!_ZN19MultiMediaComponent8CHttpMgr11HttpOpenSynERKNS_12CHttpRequestERiPi+0x8a
0xbbab5777 libvoipChannel.so!_ZN19MultiMediaComponent13CNatPunchUpnp12HttpOpenSyncERKNSt6__ndk112basic_stringIcNS1_11char_traitsIcEENS1_9allocatorIcEEEES9_S9_RS7_+0xce
0xbbab5387 libvoipChannel.so!_ZN19MultiMediaComponent13CNatPunchUpnp16CheckValidDeviceERNS_8CUPNPDevE+0x3e
0xbbab5227 libvoipChannel.so!_ZN19MultiMediaComponent13CNatPunchUpnp13OnFoundDeviceERKNSt6__ndk112basic_stringIcNS1_11char_traitsIcEENS1_9allocatorIcEEEES9_S9_+0x4a6
0xbbab4d29 libvoipChannel.so!_ZN19MultiMediaComponent13CNatPunchUpnp10OnRecvFromEiPKhlPN9MMTinyLib20mmt_sockaddr_storageE+0x164
0xbbab4bbd libvoipChannel.so!_ZN19MultiMediaComponent13CNatPunchUpnp10OnRecvfromEiPKhlPN9MMTinyLib20mmt_sockaddr_storageEPv+0xc
0xbbaaf5df libvoipChannel.so!_ZThn4_N19MultiMediaComponent10CoreThread10onRecvfromEPN9MMTinyLib14AsyncUDPSocketEPNS1_20mmt_sockaddr_storageEPKvl+0x30
0xbf0dd533 libvoipComm.so!_ZN9MMTinyLib10MMTIoqueue4PollENS_10MMTTimeValE+0x1ca
0xbbaaf8f7 libvoipChannel.so!_ZN19MultiMediaComponent10CoreThread4PollEv+0xe
0xbbab43c1 libvoipChannel.so!_ZN19MultiMediaComponent13CNatPunchUpnp4InitEjb+0x8c
0xbbab77e7 libvoipChannel.so!_ZN19MultiMediaComponent13CNatPunchUpnp20_StartAddPortMappingEjtPFvijtPvEbS1_+0x66
0xbbab7771 libvoipChannel.so!_ZN19MultiMediaComponent13CNatPunchUpnp20StartAddPortMapTimerERN9MMTinyLib10MMTTimeValERiPv+0x24
calling sendto: 0xe6d327e3 0x23 0xbdaf5600 0x51 0x0
sendto_hex: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
bdaf5600 75 2c 22 00 00 00 00 06 a0 fc 94 01 76 2a da 70 u,".........v*.p
bdaf5610 32 7e 52 aa 71 d9 55 32 da 6a 0b b3 92 2f 53 b7 2~R.q.U2.j.../S.
bdaf5620 8f 0c 3a 0a 25 2a f4 78 ea 26 b2 ac 36 d7 3b 55 ..:.%*.x.&..6.;U
bdaf5630 b4 6c 4e af 9f 54 56 20 57 d3 79 73 c3 b5 61 62 .lN..TV W.ys..ab
bdaf5640 74 62 dd 34 90 f8 a5 08 bd 8b fe 7c 2f b3 1e 65 tb.4.......|/..e
bdaf5650 98 .
sendto open called from:
0xb9e24577 libvoipComm.so!_ZN9MMTinyLib13MMTSockSendtoEiPKvljPKNS_20mmt_sockaddr_storageEPNSt6__ndk13mapIS2_S2_NS5_4lessIS2_EENS5_9allocatorINS5_4pairIS3_S2_EEEEEEi+0xe2
0xb9e24573 libvoipComm.so!_ZN9MMTinyLib13MMTSockSendtoEiPKvljPKNS_20mmt_sockaddr_storageEPNSt6__ndk13mapIS2_S2_NS5_4lessIS2_EENS5_9allocatorINS5_4pairIS3_S2_EEEEEEi+0xde
0xb9e26a03 libvoipComm.so!_ZN9MMTinyLib10MMTIoqueue21DispatchWritableEventEPNS_14AsyncUDPSocketE+0xf2
0xb9e2664d libvoipComm.so!_ZN9MMTinyLib10MMTIoqueue4PollENS_10MMTTimeValE+0x2e4
0xb70a8689 libvoipChannel.so!_ZN19MultiMediaComponent10CoreThread17WorkingThreadFuncEv+0x40
0xb70a993f libvoipChannel.so!_ZNSt6__ndk114__thread_proxyINS_5tupleIJNS_10unique_ptrINS_15__thread_structENS_14default_deleteIS3_EEEEMN19MultiMediaComponent10CoreThreadEFvvEPS8_EEEEEPvSD_+0x28
0xe6d59ee7 libc.so!0x47ee7
0xe6d2d1d9 libc.so!0x1b1d9
首先根据通话接通后就一直刷出的日志“I/MicroMsg.Voip.AudioPlayer: [, , 15648]:m_iLefSamples value is 640 and iPos value is 4800”搜索,可找到如下函数。其功能是创建一个线程,在循环中不断读取播放位置并打印这条日志,直到通话结束才会退出循环
public final int dRU() {
...
this.xdx = new b() {
public final String getKey() {
return "AudioPlayer_play";
}
public final void run() {
int i;
int Q;
AppMethodBeat.i(114813);
Process.setThreadPriority(-19);
ad.d("MicroMsg.Voip.AudioPlayer", "AudioPlayer enter to start....");
int i2 = 0;
while (c.this.zfx && c.this.aUg != null && c.this.aUg.getPlayState() != 1 && !c.this.zfI.get()) {
try {
i = c.this.aUg.getPlaybackHeadPosition();
} catch (Exception e2) {
ad.w("MicroMsg.Voip.AudioPlayer", "getPlaybackHeadPosition: ", e2);
int unused = c.this.zgf = 7;
i = 0;
}
long currentTimeMillis = System.currentTimeMillis();
int unused2 = c.this.zfR = c.this.zfO - i;
ad.i("MicroMsg.Voip.AudioPlayer", "m_iLefSamples value is %s and iPos value is %s", Integer.valueOf(c.this.zfR), Integer.valueOf(i));
...
}