

Summary of Reverse Engineering Results on "Infinite Treasure" Online School Software


This article is currently an experimental machine translation and may contain errors. If anything is unclear, please refer to the original Chinese version. I am continuously working to improve the translation.

A few days ago, I spent some time—mainly out of curiosity and for learning purposes—reverse-engineering Infinite Treasure… Here’s a summary of the new knowledge and other insights I’ve gained recently (?).

Reverse Engineering the Software Protocol

The focus was mainly on the network protocol. However, if I were to disclose specific details and someone misused them, Infinite Treasure would likely change their system anyway—so it’s not really worth it. Therefore, I’ll keep some of the technical specifics hidden.

First comes an HTTP login: the username and password (salted hash) are sent via HTTP to xx.kehou.com. Then you’re redirected to login.kehou.com, which returns an ini-formatted file containing your basic information and the LoginServer address needed for the next step.

Next, information such as userId, meetingId, name, and role is sent to the LoginServer. After chatting with one of the developers, I found out that the LoginServer actually doesn’t know anything about you—it verifies everything through a hash function (though the latest version as of 2020/04 seems to have switched to a different function, the principle remains similar).

After that, you’re logged into the classroom and can start sending operation-related packets.
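As an added illustration (not the page's code and not the real Infinite Treasure protocol), here is a model of the two-step flow described above: the ini reply is parsed for the LoginServer address, and the LoginServer then verifies the userId/meetingId/name/role tuple statelessly with a keyed hash, so it needs no record of the user. The ini section names, the field layout, HMAC-SHA256 and the shared secret are all assumptions, since the page withholds the real hash function and format.

```python
import configparser
import hashlib
import hmac

# Constructed sample of the ini-formatted reply described in the text
# (section and key names are assumptions, not the real file format).
SAMPLE_INI = """[user]
userId = 10001
name = alice
role = student

[server]
LoginServer = 203.0.113.10:9000
"""

# Secret shared by the HTTP login service and the LoginServer (assumption:
# the page does not disclose the real hash function or its inputs).
SHARED_SECRET = b"demo-secret-do-not-use"


def parse_login_response(text):
    """Pull the fields the next step needs out of the ini-formatted reply."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return {
        "userId": cfg["user"]["userId"],
        "name": cfg["user"]["name"],
        "role": cfg["user"]["role"],
        "LoginServer": cfg["server"]["LoginServer"],
    }


def canonical(fields):
    """Fixed field order so client and server hash identical bytes."""
    return "|".join(str(fields[k]) for k in ("userId", "meetingId", "name", "role")).encode()


def issue_token(fields):
    """Computed by the HTTP login step once the password has been checked."""
    return hmac.new(SHARED_SECRET, canonical(fields), hashlib.sha256).hexdigest()


def login_server_verify(fields, token):
    """Stateless check: the LoginServer stores nothing about the user."""
    return hmac.compare_digest(issue_token(fields), token)


def demo():
    info = parse_login_response(SAMPLE_INI)
    join = {"userId": info["userId"], "meetingId": "5555",
            "name": info["name"], "role": info["role"]}
    token = issue_token(join)
    # A client that rewrites its role but keeps the old token fails the check,
    # which is what binding every field into the hash buys the server.
    altered = dict(join, role="teacher")
    return login_server_verify(join, token), login_server_verify(altered, token)
```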

Xposed Development

The source code wasn’t obfuscated, only packed with a shell, so reverse engineering wasn’t too difficult.

The work afterwards mainly consisted of hooking the relevant components.

On Software Permission Issues

  • Android Camera Permissions

Initially, I noticed the app requests all runtime permissions (like microphone and camera) upon startup, meaning teachers can directly turn on your camera during class. This design effectively defeats the original purpose of Android’s runtime permission model.

At first, I didn’t understand why they’d do this, and it’s easy to see how this could raise concerns about potential misuse of camera data.

Later, after my decompiled code was discovered on GitHub, I managed to get in touch with their developers. Their explanation actually made a lot of sense. (Turns out I just lack development experience…)

Infinite Treasure Dev 2020/3/13 13:22:46
It's more about mindset. Back when we were smaller, issues like the ones people complain about online were mainly meant to reduce problems during actual usage.

lyc8503 2020/3/13 13:23:34
Yeah... (To be honest, I started reverse-engineering because I kept hearing online rumors about privacy issues, so I wanted to check the code myself...)

Infinite Treasure Dev 2020/3/13 13:23:58
It's just a mindset thing. That part wasn't our priority back then.

lyc8503 2020/3/13 13:24:25
Yeah, Android 6 introduced runtime permissions, which do add some complexity...

Infinite Treasure Dev 2020/3/13 13:25:16
Exactly. Imagine a teacher trying to unmute a student, but the student denies the permission after a long wait—frustrating for everyone.

Infinite Treasure Dev 2020/3/13 13:25:46
So we decided to request permissions upfront, prioritizing teacher convenience.

Infinite Treasure Dev 2020/3/13 13:27:29
Take DingTalk for example—its users are students, but the ones paying are education bureaus. Naturally, you have to prioritize the needs of the ones holding the purse strings.

Infinite Treasure Dev 2020/3/13 13:27:56
Trying to please everyone? Sorry, I just can't do it.

  • PC Driver Issues
lyc8503 2020/3/15 21:10:23
But why does your PC version *have* to use a driver for screen capture?

lyc8503 2020/3/15 21:10:44
Drivers have such high privileges—basically on par with SYSTEM—people are bound to raise concerns.

Infinite Treasure Dev 2020/3/15 21:10:59
Because back then, using standard APIs was too slow—we couldn’t achieve smooth screen sharing.

Infinite Treasure Dev 2020/3/15 21:11:15
It’s used for teachers to share their screens.

lyc8503 2020/3/15 21:11:22
Oh, so there *is* a screen sharing feature... Ah, right.

Not a bad haul of insights after all?

This article is licensed under the CC BY-NC-SA 4.0 license.

Author: lyc8503, Article link: https://blog.lyc8503.net/en/post/vizpower-conclusion/
If this article was helpful or interesting to you, consider buying me a coffee ¬_¬
Feel free to comment in English below o/