[原创]某聊天app自动回复
2021-3-18 22:39 7985

[原创]某聊天app自动回复

2021-3-18 22:39
7985

上样本:
链接:https://pan.baidu.com/s/1u9pmyYpL2v9bneghSC9lJA
提取码:z3w7

 

1,问题提出
发现有个聊天的app, 想看下能不能做到智能回复。
2,解决方案
2.1
Fart 砸壳,脚本批量导出java文件,安装模拟器准备运行,一顿操作猛如虎,结果弹出提示:不能在模拟器中运行。刚开始以为是native层的检测,又有360加固,是不是需要修复,想得很麻烦,后来直接打印出堆栈,就看到了检测代码。

// Frida hook on the app's emulator check, ToolUtils.isEmulator(Context).
// The replacement ignores its argument and always reports "not an emulator",
// so the original detection logic never runs.
// Reviewer note: this shows that a client-side boolean check can be swapped out
// wholesale by an instrumentation hook, so on its own it is not a security
// boundary; environment signals need to be corroborated off-device.
var bcls = Java.use("com.xm.bottle.utils.ToolUtils");
var isEmulatorWithContext = bcls.isEmulator.overload("android.content.Context");
isEmulatorWithContext.implementation = function (context) {
    return false;
};

2.2 刷新对话列表,找到有未读消息,然后自动回复

// Conversation-list hook: when a row with unread messages is laid out, open it.
// Target signature (from the decompiled class):
//   public abstract void layoutViews(ConversationInfo conversationInfo, int i);
var hdcls = Java.use('com.tencent.qcloud.tim.uikit.modules.conversation.holder.ConversationCommonHolder');

hdcls.layoutViews.overload('com.tencent.qcloud.tim.uikit.modules.conversation.base.ConversationInfo', 'int').implementation = function (conversationInfo, position) {
    // Let the original layout run first; the hook only adds behaviour afterwards.
    this.layoutViews(conversationInfo, position);

    // Only rows with unread messages are of interest.
    // (Decompiled reference: the holder itself tests conversationInfo.getUnRead() > 0
    // and reads conversationInfo.getLastMessage().)
    if (!(conversationInfo.getUnRead() > 0)) {
        return;
    }

    const lastMessage = conversationInfo.getLastMessage();
    if (lastMessage.isSelf()) {
        // The last message was sent by this account, nothing to answer.
        return;
    }

    // NOTE(review): assumes the last message's element is a TIMTextElem; a
    // non-text element presumably makes the cast or getText() fail - confirm.
    const TIMTextElem = Java.use("com.tencent.imsdk.TIMTextElem");
    const textElem = Java.cast(lastMessage.getElement(), TIMTextElem);
    const incomingText = textElem.getText();

    if (incomingText.length > 0) {
        console.log('rect2' + incomingText);
        // Click the row's view to open the chat; the reply itself is not sent
        // from here (a direct getreps2(...) call is left disabled in the original).
        this.itemView.value.performClick();
    }
};

找到 holder(ConversationCommonHolder),判断未读数 > 0,然后点击该条目的 view(itemView),自动打开聊天窗口。

// Chat-window hook: when a chat layout receives its data provider, look at the
// newest message and, if it came from the other side, request a reply for it.
var lcls = Java.use("com.tencent.qcloud.tim.uikit.modules.chat.base.AbsChatLayout");

lcls.setDataProvider.overload("com.tencent.qcloud.tim.uikit.modules.chat.interfaces.IChatProvider").implementation = function (provider) {
    console.log("set data prd me" + provider);

    const chatLayout = this;
    console.log("layout" + chatLayout);
    // AbsChatLayout exposes: public InputLayout getInputLayout()
    console.log('input alyout' + this.getInputLayout());

    // Call through to the original implementation before inspecting the data.
    this.setDataProvider(provider);

    const messages = provider.getDataSource();
    const count = messages.size();
    console.log('length:' + count);
    if (!(count > 0)) {
        // Empty conversation: nothing to do.
        return;
    }

    const newest = messages.get(count - 1);
    const MessageInfo = Java.use('com.tencent.qcloud.tim.uikit.modules.message.MessageInfo');
    const lastMessage = Java.cast(newest, MessageInfo);

    if (lastMessage.isSelf()) {
        // Newest message is our own; back2() is defined elsewhere in the script
        // (presumably it leaves the chat window - confirm).
        back2();
        return;
    }

    console.log("last msg:" + lastMessage);

    // NOTE(review): assumes the element is a TIMTextElem; a non-text element
    // presumably makes the cast or getText() fail - confirm.
    const TIMTextElem = Java.use("com.tencent.imsdk.TIMTextElem");
    const textElem = Java.cast(lastMessage.getElement(), TIMTextElem);
    const incomingText = textElem.getText();

    // Kept from the original: a fallback text that is assigned but never read.
    let fallbackReply = "";
    if (incomingText.length > 0) {
        console.log('rect33' + incomingText);
        // Fetch a reply and hand it to this window's input layout.
        getreps(incomingText, '', lastMessage, this.getInputLayout());
    } else {
        fallbackReply = "恩恩";
    }
};
 
}

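/**
 * Ask the remote reply service for an answer to an incoming chat message and
 * pass that answer on to the chat input on the main thread.
 *
 * The OkHttp call is blocking (execute()), so it runs inside a Runnable on a
 * new java.lang.Thread. The result is then posted to a Handler bound to the
 * main Looper, where sendhello2(input, reply) and backup() are called; both are
 * defined elsewhere in the script.
 *
 * @param {string} rectxt  Text of the incoming message; sent as "query_text".
 * @param {*} mainact      Not used in this function (the visible caller passes '').
 * @param {*} msg          Not used in this function.
 * @param {*} input        Passed through unchanged to sendhello2.
 */
function getreps(rectxt, mainact, msg, input) {
    // NOTE(review): both helper classes are registered under fixed names on
    // every call - confirm repeated registration is accepted by the Frida
    // version in use.
    const runncls = Java.registerClass({
        name: 'com.tencent.imsdk.tmprunn',
        implements: [Java.use('java.lang.Runnable')],
        methods: {
            run() {
                const jsonType = Java.use('okhttp3.MediaType').parse("application/json;charset=UTF-8");
                const client = Java.use('okhttp3.OkHttpClient').$new();

                // rectxt is text written by the remote chat peer. Serialise it
                // instead of concatenating it into the body, so quotes or
                // backslashes in a message cannot break the JSON or add fields
                // to the request.
                const payload = JSON.stringify({ query_text: String(rectxt) });
                const requestBody = Java.use('okhttp3.RequestBody').create(jsonType, payload);

                // The host is redacted ('xxx') in the post. The scheme is plain
                // http, so every incoming message text leaves the device
                // unencrypted.
                const request = Java.use('okhttp3.Request$Builder').$new()
                    .url('http://xxx/api/v1/search')
                    .addHeader('Accept-Encoding', 'gzip, deflate')
                    .addHeader('Accept', 'application/json, text/plain, */*')
                    .addHeader('User-Agent', 'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36')
                    .addHeader('Accept-Language', 'zh-CN,zh;q=0.9')
                    .post(requestBody)
                    .build();
                console.log('begin req' + request);

                const res = client.newCall(request).execute().body().string();
                console.log("ai resp:" + res);
                console.log(res.indexOf('400'));

                // Default reply, used when the service answer looks like an error.
                // NOTE(review): the '400' test is a substring match on the body,
                // so any answer containing "400" is also discarded - confirm
                // this is intended.
                let ret = "恩恩";
                const looksLikeError =
                    res.indexOf('400') !== -1 ||
                    res === 'Error with must be str, not IndexError';
                if (!looksLikeError) {
                    // The service answer is forwarded verbatim, without filtering.
                    ret = res;
                }

                const lopcls = Java.use('android.os.Looper');

                // Second Runnable: performs the UI-side work on the main thread.
                const mhandcls = Java.registerClass({
                    name: 'com.tencent.imsdk.tmprunn44hndd',
                    implements: [Java.use('java.lang.Runnable')],
                    methods: {
                        run() {
                            sendhello2(input, ret);
                            backup();
                        }
                    }
                });

                const uiTask = mhandcls.$new();
                const mainHandler = Java.use('android.os.Handler').$new(lopcls.getMainLooper());
                mainHandler.post(uiTask);
            }
        }
    });

    Java.use('java.lang.Thread').$new(runncls.$new()).start();
}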

 

大致意思是:hook 聊天窗口,找到最后一条不是自己发送的消息,然后调用智能接口获取回复,再发送出去。
这里有人要问了:为什么不直接 hook 发送消息的接口来回复,而是要打开界面、填入内容、再点击发送按钮?因为 app 对这个接口做了风控。
3,遗留问题
自动找人聊天,还有其他成品,或者合作,可以加我星球。

 

另外,出友盟的协议。

 


最新回复 (2)
mb_yvvzfcdo 2021-4-1 15:14
2
0
感谢大牛
wx_Y_751 2021-6-1 23:22
3
0
有什么牛逼的加密软件?楼主