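I recently analyzed an internet TV app; the requirement was to find the interface it uses to access its live stream sources. On first opening the APK for a quick look, it had not been packed or hardened; the code had only been obfuscated. Swiping up and down switches channels, so, going by how this would be built in normal Android development, we can search for the swipe and click event handling to see what it actually does.
II. Decompiling and reverse-analyzing the code
Decompile the APK and use static analysis to locate the relevant spot. At this point DefaultStreamUrl has already been obtained, and printing a log here gives the current live source URL directly, so we have a first lead.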
.method private X()V
.locals 4
.prologue
.line 1174
sget-object v0, Lcom/dianshijia/newlive/home/logic/h;->a:Lcom/dianshijia/newlive/epg/model/Channel;
if-eqz v0, :cond_0
.line 1175
iget-object v0, p0, Lcom/dianshijia/newlive/home/logic/h;->h:Lcom/dianshijia/newlive/core/utils/t;
const-string v1, "CHANNEL_HASHCODE"
sget-object v2, Lcom/dianshijia/newlive/home/logic/h;->a:Lcom/dianshijia/newlive/epg/model/Channel;
.line 1176
invoke-virtual {v2}, Lcom/dianshijia/newlive/epg/model/Channel;->hashCode()I
move-result v2
.line 1175
invoke-virtual {v0, v1, v2}, Lcom/dianshijia/newlive/core/utils/t;->a(Ljava/lang/String;I)V
.line 1177
iget-object v0, p0, Lcom/dianshijia/newlive/home/logic/h;->h:Lcom/dianshijia/newlive/core/utils/t;
const-string v1, "CHANNEL_ID"
sget-object v2, Lcom/dianshijia/newlive/home/logic/h;->a:Lcom/dianshijia/newlive/epg/model/Channel;
.line 1178
invoke-virtual {v2}, Lcom/dianshijia/newlive/epg/model/Channel;->getId()Ljava/lang/String;
move-result-object v2
.line 1177
invoke-virtual {v0, v1, v2}, Lcom/dianshijia/newlive/core/utils/t;->a(Ljava/lang/String;Ljava/lang/String;)V
.line 1179
iget-object v0, p0, Lcom/dianshijia/newlive/home/logic/h;->h:Lcom/dianshijia/newlive/core/utils/t;
const-string v1, "CHANNEL_NAME"
sget-object v2, Lcom/dianshijia/newlive/home/logic/h;->a:Lcom/dianshijia/newlive/epg/model/Channel;
iget-object v3, p0, Lcom/dianshijia/newlive/home/logic/h;->e:Landroid/content/Context;
.line 1180
invoke-virtual {v2, v3}, Lcom/dianshijia/newlive/epg/model/Channel;->getName(Landroid/content/Context;)Ljava/lang/String;
move-result-object v2
.line 1179
invoke-virtual {v0, v1, v2}, Lcom/dianshijia/newlive/core/utils/t;->a(Ljava/lang/String;Ljava/lang/String;)V
.line 1181
iget-object v0, p0, Lcom/dianshijia/newlive/home/logic/h;->h:Lcom/dianshijia/newlive/core/utils/t;
const-string v1, "last_channel_url"
sget-object v2, Lcom/dianshijia/newlive/home/logic/h;->a:Lcom/dianshijia/newlive/epg/model/Channel;
.line 1182
invoke-virtual {v2}, Lcom/dianshijia/newlive/epg/model/Channel;->getDefaultStreamUrl()Ljava/lang/String;
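Lcom/dianshijia/newlive/epg/model/Channel; is the entity that wraps the live source information. So when does it get populated? An entity class receives its data either through a constructor or through setters, so we take that as the next point of attack and continue the analysis.
.method public constructor <init>(Landroid/os/Parcel;)V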
.locals 2
.prologue
new-instance v0, Ljava/lang/Exception;
const-string v1, "print trace Channel"
invoke-direct {v0, v1}, Ljava/lang/Exception;-><init>(Ljava/lang/String;)V
invoke-virtual {v0}, Ljava/lang/Exception;->printStackTrace()V
Print a stack trace in the constructor and see what turns up. At the same time, capture the APK's network traffic.
GET /api/v1/channels HTTP/1.1
Cache-control: public, max-age=0
Host: api.idianshijia.com
hwBrand: OPPO
cityCode: 610100
routerSsid: %22vqs.com%22
appVerName: 3.0.8
Connection: close
routerMac: 089b4b972fdc
hwModel: R8207
hwDevice: R1C
deviceType: 0
hwHardware: qcom
appVerCode: 309
hwId: null
generation: com.dianshijia.newlive
deviceId: 5456acf1a8154d70cde2bcbfb941da1f
platform: 1
riskId: null
areaCode: 610000
hwImei: 865685028269134
hwMac: A81B5A222B9B
countryCode: CN
ethMac: null
User-Agent: android/client
systemSdkVersion: 19
Accept-Encoding: gzip,deflate
hwSerial: e32824668a84417ba8782425816c59cf
language: zh_CN
uuid: e6766de8186b70e6129c2e7f28d7f7ed
marketChannelName: tvapk
openId: null
HTTP/1.1 302 Found
Server: nginx
Date: Mon, 25 Dec 2017 03:28:20 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 88
Connection: close
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Origin,Accept,Content-Type,Authorization
Access-Control-Allow-Origin: *
Location: http://cdn.idianshijia.com/api/channel/groupSimplifiedChinese_217
Expires: Mon, 25 Dec 2017 04:28:20 GMT
Cache-Control: max-age=3600
<a href="http://cdn.idianshijia.com/api/channel/groupSimplifiedChinese_217">Found</a>.
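This one looks very suspicious. Extracting its address, http://api.idianshijia.com/api/v1/channels, and visiting it returned no data; accessing it with Fiddler, we got lucky.
III. Analysis from the forward-development angle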
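public void run() {
    HttpURLConnection connection = null;
    BufferedInputStream bis = null;
    RandomAccessFile accessFile = null;
    try {
        // url_str and fileSize are assumed to be fields of the enclosing class (not shown)
        URL url = new URL(url_str);
        // openConnection() is the call to look for when tracing where requests are made
        connection = (HttpURLConnection) url.openConnection();
        connection.setConnectTimeout(10000);
        connection.setReadTimeout(10000);
        fileSize = connection.getContentLength();
        // ... reading the body through bis / accessFile is not shown in the original snippet
    } catch (IOException e) {
        e.printStackTrace();
    } finally {
        if (connection != null) connection.disconnect();
    }
}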
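Network requests only come in a handful of forms, and openConnection is one entry point. Tracing it shows that http://cdn.idianshijia.com/api/channel/groupSimplifiedChinese_217 is exactly what we need, which completes the analysis. (This article is for analysis and study only; do not use it for illegal purposes.)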
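The openConnection tracing step described above can be done mechanically over decompiled smali. The following is an added example, not code from the original post or from the app: it lists every method that calls URL.openConnection() together with the string constants in that method. The smali sample, class names and URL in it are constructed for illustration.

```python
import re

# Constructed smali sample (not from the analyzed APK); names and URL are hypothetical.
SAMPLE_SMALI = r'''
.class public Lcom/example/net/a;
.method public run()V
    const-string v0, "http://example.invalid/api/v1/channels"
    new-instance v1, Ljava/net/URL;
    invoke-direct {v1, v0}, Ljava/net/URL;-><init>(Ljava/lang/String;)V
    invoke-virtual {v1}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    return-void
.end method
.method public b()V
    const-string v0, "CHANNEL_ID"
    return-void
.end method
'''

TARGET = "Ljava/net/URL;->openConnection()Ljava/net/URLConnection;"
CLASS_RE = re.compile(r'^\.class\s+.*?(L[^;\s]+;)\s*$')
METHOD_RE = re.compile(r'^\.method\s+(?:[\w-]+\s+)*(\S+)\s*$')
STRING_RE = re.compile(r'^const-string(?:/jumbo)?\s+\w+,\s+"(.*)"\s*$')
INVOKE_RE = re.compile(r'^invoke-[\w/]+\s+\{[^}]*\},\s+(\S+)\s*$')

def find_call_sites(smali_text, target=TARGET):
    """Return [(class, method, [string constants])] for methods that invoke target."""
    hits, cls, method, strings, calls = [], None, None, [], False
    for raw in smali_text.splitlines():
        line = raw.strip()
        if (m := CLASS_RE.match(line)):
            cls = m.group(1)
        elif (m := METHOD_RE.match(line)):
            method, strings, calls = m.group(1), [], False
        elif line == ".end method":
            if calls:  # report only methods that reached the target call
                hits.append((cls, method, strings))
            method = None
        elif method and (m := STRING_RE.match(line)):
            strings.append(m.group(1))
        elif method and (m := INVOKE_RE.match(line)) and m.group(1) == target:
            calls = True
    return hits

if __name__ == "__main__":
    for cls, method, strings in find_call_sites(SAMPLE_SMALI):
        print(f"{cls}->{method} strings={strings}")
```

In obfuscated code the URL is often built elsewhere and passed in, so an empty string list for a hit means the caller of that method is the next place to look.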