How to use Xposed to hook a packed ("shelled") app

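Some time ago I wrote an Xposed plugin for in-game purchases, but some current games are now packed, and the latest game payment SDKs are encrypted as well, which made things awkward.

So I searched online and found part of the code that "非虫" (Feichong) posted on Kanxue (看雪) showing how to hook an app hardened with 360 Jiagu. The original post seems to have been deleted, so I tracked down part of the code elsewhere.

Link: http://www.jianshu.com/p/0d74461ea199

The general idea: obtain the shell's ClassLoader, use that ClassLoader to get the target Class, and then hook it.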

if (loadPackageParam.packageName.equals("com.package.name")) {
    XposedHelpers.findAndHookMethod("com.qihoo.util.StubAppxxxxxxxx", loadPackageParam.classLoader,
            "getNewAppInstance", Context.class, new XC_MethodHook() {
                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    super.afterHookedMethod(param);
                    Context context = (Context) param.args[0];
                    ClassLoader classLoader =context.getClassLoader();
                    XposedHelpers.findAndHookMethod("com.amap.api.location.AMapLocation", classLoader, "getLongitude", new XC_MethodHook(){
                        @Override
                        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                            super.afterHookedMethod(param);
                            param.setResult(123.123123);
                        }
                    });
                    XposedHelpers.findAndHookMethod("com.amap.api.location.AMapLocation", classLoader, "getLatitude", new XC_MethodHook(){
                        @Override
                        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                            super.afterHookedMethod(param);
                            param.setResult(33.333333);
                        }
                    });
                }
            });
}

  Following this idea, look at the XposedHelpers.findAndHookMethod method in the Xposed source:

    public static Unhook findAndHookMethod(String className, ClassLoader classLoader, String methodName, Object... parameterTypesAndCallback) {
        return findAndHookMethod(findClass(className, classLoader), methodName, parameterTypesAndCallback);
    }

  Then look at the findClass method it calls:

    public static Class<?> findClass(String className, ClassLoader classLoader) {
        if(classLoader == null) {
            classLoader = XposedBridge.BOOTCLASSLOADER;
        }

        try {
            return ClassUtils.getClass(classLoader, className, false);
        } catch (ClassNotFoundException var3) {
            throw new XposedHelpers.ClassNotFoundError(var3);
        }
    }

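  In other words, the Class is loaded through a ClassLoader and then hooked. One approach that follows from this is to hook at the moment the class is loaded.

  For a hardened app, the ClassLoader that Xposed obtains cannot necessarily load the Class.

  According to the Android source, class loading uses two loaders: BootClassLoader (created when the system starts) and PathClassLoader (created when the app starts), so only the PathClassLoader source needs to be examined: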

public class PathClassLoader extends BaseDexClassLoader

  Next, look at BaseDexClassLoader:

public class BaseDexClassLoader extends ClassLoader {
    private final DexPathList pathList;

    /**
     * Constructs an instance.
     *
     * @param dexPath the list of jar/apk files containing classes and
     * resources, delimited by {@code File.pathSeparator}, which
     * defaults to {@code ":"} on Android
     * @param optimizedDirectory directory where optimized dex files
     * should be written; may be {@code null}
     * @param libraryPath the list of directories containing native
     * libraries, delimited by {@code File.pathSeparator}; may be
     * {@code null}
     * @param parent the parent class loader
     */
    public BaseDexClassLoader(String dexPath, File optimizedDirectory,
            String libraryPath, ClassLoader parent) {
        super(parent);
        this.pathList = new DexPathList(this, dexPath, libraryPath, optimizedDirectory);
    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        List<Throwable> suppressedExceptions = new ArrayList<Throwable>();
        Class c = pathList.findClass(name, suppressedExceptions);
        if (c == null) {
            ClassNotFoundException cnfe = new ClassNotFoundException("Didn't find class \"" + name + "\" on path: " + pathList);
            for (Throwable t : suppressedExceptions) {
                cnfe.addSuppressed(t);
            }
            throw cnfe;
        }
        return c;
    }
//......
}
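The visibility problem described above (the loader Xposed hands you may not be able to load a class that the shell's loader defines), reduced to plain JVM class loaders with an overridden findClass. This is an added example, not code from the original post; LoaderVisibilityDemo, GuardedClass and ShellLoader are constructed names, and it assumes Java 9+ on a desktop JVM rather than Android.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

public class LoaderVisibilityDemo {
    /** Constructed stand-in for a class that only the shell's loader can define. */
    public static class GuardedClass { }

    /** Constructed stand-in for the shell's loader: defines a class from bytes it holds. */
    static class ShellLoader extends ClassLoader {
        final List<String> defined = new ArrayList<>();
        private final String name;
        private final byte[] bytes;

        ShellLoader(String name, byte[] bytes) {
            super(null); // parent is the bootstrap loader only
            this.name = name;
            this.bytes = bytes;
        }

        @Override
        protected Class<?> findClass(String n) throws ClassNotFoundException {
            if (!n.equals(name)) throw new ClassNotFoundException(n);
            Class<?> c = defineClass(n, bytes, 0, bytes.length);
            defined.add(n); // the class name is observable at definition time
            return c;
        }
    }

    /** Reads the compiled bytes of a class from the classpath. */
    static byte[] classBytes(Class<?> c) throws IOException {
        String res = "/" + c.getName().replace('.', '/') + ".class";
        try (InputStream in = c.getResourceAsStream(res)) {
            return in.readAllBytes(); // Java 9+
        }
    }

    public static void main(String[] args) throws Exception {
        String name = GuardedClass.class.getName();
        ClassLoader stub = new ClassLoader(null) { }; // has no path to GuardedClass
        ShellLoader shell = new ShellLoader(name, classBytes(GuardedClass.class));
        try {
            Class.forName(name, false, stub);
            System.out.println("stub loader: unexpectedly found " + name);
        } catch (ClassNotFoundException e) {
            System.out.println("stub loader: ClassNotFoundException");
        }
        Class<?> c = Class.forName(name, false, shell);
        System.out.println("shell loader: " + c.getName() + " defined=" + shell.defined
                + " sameAsAppCopy=" + (c == GuardedClass.class));
    }
}
```

The same class name resolves through one loader and not the other, and the copy defined by the isolated loader is a distinct Class object from the one the application loader sees.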

  Tracing the calls all the way down gives:

  BaseDexClassLoader.findClass(String name)

  ----> DexPathList.findClass(String name, List<Throwable> suppressed)

  ----> DexFile.loadClassBinaryName(String name, ClassLoader loader, List<Throwable> suppressed)

  ----> DexFile.defineClass(String name, ClassLoader loader, Object cookie, List<Throwable> suppressed)

  ----> defineClassNative(name, loader, cookie);

  defineClassNative(name, loader, cookie) is a native method, which Xposed cannot hook.

  So, to hook at the point where a class has finished loading, the place to work is DexFile.defineClass(String name, ClassLoader loader, Object cookie, List<Throwable> suppressed):

  Use Xposed to hook the dalvik.system.DexFile.defineClass method, then filter inside the after-hook callback to pick out the Class you want.

    public void hookDefineClass() {
        try {
            /*get DexFile Class*/
            Class clazz = loadPackageParam.classLoader.loadClass("dalvik.system.DexFile");
            Method[] methods = clazz.getDeclaredMethods();
            for (int i = 0; i < methods.length; i++) {
                String name = methods[i].getName();
                if (name.equalsIgnoreCase("defineClass")) {
                    hookhelper.hookMethod(methods[i], new MethodHookCallBack() {
                        @Override
                        public void beforeHookedMethod(HookParam param) throws IOException, ClassNotFoundException {
                        }

                        @Override
                        public void afterHookedMethod(HookParam param) throws IOException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException, JSONException {
                            // Class name
                            String ClassName = (String) param.args[0];
                            if (ClassName.equalsIgnoreCase("xxxx")) {
                                // here do something
                                // get Class
                                Class clazz = (Class) param.getResult();
                                // do something you want, e.g. call the overload
                                // XposedHelpers.findAndHookMethod(Class<?> clazz, String methodName, Object... parameterTypesAndCallback)
                            }

                        }
                    });
                }
            }
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        }
    }

  An example (it uses my own wrappers around the Xposed methods):

  UnicomPay.java (China Unicom payment SDK)

package com.xiaobai.viptools.xposedpay;

import com.xiaobai.viptools.impl.PayOrderHook;
import com.xiaobai.viptools.xposed.HookParam;
import com.xiaobai.viptools.xposed.MethodHookCallBack;

import java.io.IOException;
import java.lang.reflect.Method;

import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

/**
 *
 * Created by xiaobai on 2017/2/3.
 */

public class UnicomPay implements PayOrderHook {
    private XC_LoadPackage.LoadPackageParam lpparam;

    public UnicomPay(XC_LoadPackage.LoadPackageParam loadPackageParam) {
        this.lpparam = loadPackageParam;
    }

    @Override
    public void Hookpay(Class clazz) throws ClassNotFoundException {
        Method[] methods=clazz.getMethods();
        for (int i = 0; i <methods.length; i++) {
            String name=methods[i].getName();
            if (name.equalsIgnoreCase("pay")){
                Method paymethod=methods[i];
                HookPayMethond(paymethod);
            }
        }
    }

    private void HookPayMethond(Method method){
        hookhelper.hookMethod(method, new MethodHookCallBack() {
            @Override
            public void beforeHookedMethod(HookParam param) throws IOException {
                XposedBridge.log("paymethod arg size:"+param.args.length);
                Class clazz= param.args[param.args.length-1].getClass();
                HookPayresult(clazz);
            }

            @Override
            public void afterHookedMethod(HookParam param) throws IOException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException {

            }
        });

    }
    private void  HookPayresult(Class clazz){
        Method[] methods=clazz.getMethods();
        for (int i = 0; i < methods.length; i++) {
            if (methods[i].getName().equalsIgnoreCase("PayResult")){
                hookhelper.hookMethod(methods[i], new MethodHookCallBack() {
                    @Override
                    public void beforeHookedMethod(HookParam param) throws IOException {
                        XposedBridge.log("arg[1]:code "+param.args[1]);
                        param.args[1]=1;
                        XposedBridge.log("payhook success");
                    }
                    @Override
                    public void afterHookedMethod(HookParam param) throws IOException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException {

                    }
                });
            }
        }
    }
}

  HookPayMethod.java

package com.xiaobai.viptools.XposedModule;

import android.content.Context;

import com.xiaobai.viptools.helper.JsonHelper;
import com.xiaobai.viptools.impl.HookHelperInterface;
import com.xiaobai.viptools.util.ContextHolder;
import com.xiaobai.viptools.xposed.HookHelperFacktory;
import com.xiaobai.viptools.xposed.HookParam;
import com.xiaobai.viptools.xposed.MethodHookCallBack;

import de.robv.android.xposed.callbacks.XC_LoadPackage;

/**
 * Created by xiaobai on 2017/2/3.
 */

public class HookPayMethod {
    private XC_LoadPackage.LoadPackageParam loadPackageParam;
    private HookHelperInterface hookhelper = HookHelperFacktory.getHookHelper();

    public HookPayMethod(XC_LoadPackage.LoadPackageParam loadPackageParam) {
        this.loadPackageParam = loadPackageParam;
    }

    /* For packed apps: hook defineClass and filter by app */
    public void hookDefineClass() {
        try {
            /* Get the DexFile Class */
            Class clazz = loadPackageParam.classLoader.loadClass("dalvik.system.DexFile");
            Method[] methods = clazz.getDeclaredMethods();
            for (int i = 0; i < methods.length; i++) {
                String name = methods[i].getName();
                if (name.equalsIgnoreCase("defineClass")) {
                    hookhelper.hookMethod(methods[i], new MethodHookCallBack() {
                        @Override
                        public void beforeHookedMethod(HookParam param) throws IOException, ClassNotFoundException {
                        }

                        @Override
                        public void afterHookedMethod(HookParam param) throws IOException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException, JSONException {
                            selectPayMethod(param);
                        }
                    });
                }
            }
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        }
    }

    private void selectPayMethodDebug(HookParam param) throws ClassNotFoundException {
        String ClassName = (String) param.args[0];
        // System.out.println(ClassName);
        if (unicompay && ClassName.equalsIgnoreCase("com.unicom.dcLoader.Utils")) {
            Class PayClass = (Class) param.getResult();
            UnicomPay unicomPay = new UnicomPay(loadPackageParam);
            unicomPay.Hookpay(PayClass);
        }
    }

}

  That's all. For any questions, contact: [email protected]

  

Time: 2024-10-03 22:32:48
