This article is currently an experimental machine translation and may contain errors. If anything is unclear, please refer to the original Chinese version. I am continuously working to improve the translation.
Here’s the GitHub link first: https://github.com/lyc8503/VizpowerHook.
As everyone knows, due to a certain bat, summer vacation is gone, and winter break keeps getting longer and longer like a snowball—though online classes continue as usual.
My school uses an online learning app called Winupon. Its main function is live-streaming courses, along with some extra features—like roll call check-ins, automatic screen locking, and “attention tracking” (which directly captures your screen). After using it for a few days, I wanted to add some automation: auto-enter class, auto-check-in, and automatic recording of lectures.
At first, I planned to reverse-engineer its communication protocol. But it uses a custom TCP-based protocol built on Java NIO, which turned out to be quite complex. Rewriting the entire protocol stack seemed too time-consuming and costly, so I changed my approach: instead, I decided to reverse and modify the client directly.
Since I’ve always worked with Java and have some Android development experience, I thought reverse-engineering the client wouldn’t be too hard… (flag firmly planted, obviously x)
Well, I hit a snag right away when decompiling the client: What the heck—this app is packed!
Turns out it’s protected by Qihoo 360’s packer. But no worries—there are tools online that can unpack it. Alternatively, using Java reflection or hooking the system’s Dex loading code can easily achieve unpacking. It’s a bit tedious, but doable—so I won’t go into details here.
Soon enough, I got the real Dex file. Threw it straight into Jadx for decompilation—and to my surprise, the code wasn’t obfuscated at all. (??)
Decompiled source code
Take login protocol reverse engineering as an example:
First, capture the relevant network traffic. After analyzing packets via Fiddler, I replicated the request using Python’s requests library:
r = requests.get("http://" + prefix + ".kehou.com/courseList.action", params={
Here, salt is the current Unix timestamp, and pwd / pwd2 are MD5-hashed passwords:
String pwd = MD5.stringMD5(UserName + strPassword + strSalt + "WINUPON").toLowerCase();
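As an added example (not code from the post or from Winupon), here is that derivation in Python next to a hypothetical server-side verifier, which makes two caveats visible: the server must hold a password-equivalent to recompute the proof, and only a freshness check on the timestamp salt stops a captured (salt, pwd) pair from being accepted again. Names such as server_verify, stored_passwords and max_skew are my own assumptions.

```python
import hashlib
import hmac
import time

SUFFIX = "WINUPON"  # fixed suffix seen in the decompiled client


def md5_hex(s: str) -> str:
    """Hex MD5 of a UTF-8 string, lowercase like the Java .toLowerCase() result."""
    return hashlib.md5(s.encode("utf-8")).hexdigest().lower()


def client_login_proof(username: str, password: str, salt: str) -> str:
    """Mirror of the decompiled line:
    MD5.stringMD5(UserName + strPassword + strSalt + "WINUPON").toLowerCase()
    where salt is the client's current Unix timestamp as a decimal string."""
    return md5_hex(username + password + salt + SUFFIX)


def current_salt() -> str:
    """The salt the client would send right now."""
    return str(int(time.time()))


def server_verify(stored_passwords: dict, username: str, salt: str,
                  proof: str, now: int, max_skew: int = 300) -> bool:
    """Hypothetical verifier (assumption, not Winupon's real server logic).

    The client hashes the raw password under a salt it chose itself, so the
    server can only recompute the proof if it keeps the raw password (or an
    equivalent): whatever it stores is itself password-equivalent. The
    freshness window is the only thing that keeps a captured pair from
    being accepted again later."""
    password = stored_passwords.get(username)
    if password is None:
        return False
    try:
        ts = int(salt)
    except ValueError:
        return False
    if abs(now - ts) > max_skew:
        return False  # stale salt: outside the accepted window
    expected = client_login_proof(username, password, salt)
    return hmac.compare_digest(expected, proof)
```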
With the login protocol figured out, simulating client login becomes straightforward. The response is an .ini-style file, for example:
[mt1]
From this response, we can extract the server IP and port for the next connection step. But from here on, communication uses TCP—making protocol analysis significantly more complicated. So I changed my strategy: use the Xposed framework to directly hook into the app and retrieve or modify data.
For example, to force-enable public chat: I searched for the term “private chat” and found this code:
public final void clickSwitchChatTo() {
Clearly, ChatMgr.getInstance().canSendChatPub() determines whether public chat is allowed.
So I used Xposed to hook this method and simply return true.
The hook code is as follows (I won’t include the lengthy unpacking part for bypassing 360’s protection x):
public class PubChatHook extends XC_MethodHook {
After logging back in, I could now send public messages even when the teacher hadn’t enabled public chat.
Result screenshot
Following this pattern, many more features can be implemented. See the full project on GitHub: https://github.com/lyc8503/VizpowerHook.
As for automatic lecture recording—well, I got lazy and didn’t implement it yet (instead, I started writing cheats, lol). Anyway, just running the app in a VM with OBS is enough to record the session.
Summary: Learned a lot through this project—definitely had my share of pitfalls (maybe I’ll write another post about those later). Got more familiar with Android development (finally not just copying sample code anymore x), and picked up Xposed API along the way. This was a relatively simple project to practice on. Now I’m wondering—can I hook QQ and WeChat next? (Though maybe it’s smarter to use existing QQ/WeChat frameworks instead of reinventing the wheel?)
(Fun fact: I originally learned Xposed just to build a QQ bot—never expected this Winupon hack to be the side project that actually came together.)
Mar 12, 2020 Update: Later, the official team noticed the decompiled code was public, so I removed the actual Winupon app code from GitHub. They probably patched the vulnerabilities too. But they didn’t ask me to take down the whole project, so I’m leaving it here as a keepsake. Coincidentally, my school stopped using Winupon in mid-March due to poor large-class performance, so this feels like a pretty satisfying ending. That’s it for now~
Aug 13, 2020 Update: After writing a Winupon homework crawler, I found they now use AES encryption for login parameters. The reverse engineering approach is similar—so I won’t write another post about it.
This article is licensed under the CC BY-NC-SA 4.0 license.
Author: lyc8503, Article link: https://blog.lyc8503.net/en/post/vizpower-hook/