大多数 app 都设置了不可调试，外加签名验证或安装包完整性验证，hook 掉就完了
再偷懒点破解核心,参考https://it.cha138.com/nginx/show-280257.html
快速定位目标Activity
# Prints the window that currently has focus (package/Activity name) so the target Activity can be identified quickly
adb shell "dumpsys window | grep mCurrentFocus"
对于没加壳的
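if (loadPackageParam.packageName.equals("com.immomo.momo")) {
    Log.e(TAG, "发现目标com.immomo.momo");
    // Resolve the target Activity through the package's own ClassLoader; loadClass throws a
    // ClassNotFoundException if the class is absent, which propagates to the caller.
    Class<?> chatActivity = loadPackageParam.classLoader.loadClass("com.immomo.momo.message.activity.ChatActivity");
    // Hook ChatActivity.d(Boolean): log the argument, then short-circuit the original call.
    XposedHelpers.findAndHookMethod(chatActivity, "d", Boolean.class, new XC_MethodHook() {
        // Runs before the original method. Calling setResult here skips the original and
        // returns the supplied value instead.
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            // args[0] is declared as Boolean.class above, so the original (String) cast threw a
            // ClassCastException; string concatenation calls toString() and works for any type.
            Log.e(TAG, "发现目标传入值" + param.args[0]);
            super.beforeHookedMethod(param);
            // NOTE(review): the return type of d(Boolean) is not visible here; a String result is
            // only valid if the method actually returns String/Object — confirm before relying on it.
            param.setResult("你已被劫持1");
        }

        // Runs after the original method; setResult here changes the return value.
        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            Log.e(TAG, "发现目标返回值" + param.getResult());
        }
        // To replace the method body entirely (original never runs, value returned directly),
        // use an XC_MethodReplacement with replaceHookedMethod instead of this XC_MethodHook.
    });
}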
对于加壳的，先获取壳的 classloader 再 hook
if (loadPackageParam.packageName.equals("com.bfire.da.zdj")) {
Log.e("HOOKTEST","发现目标3");
XposedHelpers.findAndHookMethod("com.stub.StubApp", loadPackageParam.classLoader,
"getAppContext", Context.class, new XC_MethodHook() {
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
    // No-op override: only delegates to the base class before getAppContext runs.
    super.beforeHookedMethod(param);
}
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
Log.e("HOOKTEST","发现目标");
super.afterHookedMethod(param);
//获取到360的Context对象,通过这个对象来获取classloader
Context context = (Context) param.args[0];
//获取360的classloader,之后hook加固后的就使用这个classloader
ClassLoader classLoader =context.getClassLoader();
//下面就是强classloader修改成360的classloader就可以成功的hook了
//shuanq.cn.jni.ShuanQActivity
// Hook ShuanQUtil.responseDataSignatureVerification(String, String, String) through the
// ClassLoader obtained from the packer's Context (the app's own classes are not visible
// through loadPackageParam.classLoader once the app is packed).
XposedHelpers.findAndHookMethod("com.aimakeji.shuanq.library.ShuanQUtil", classLoader, "responseDataSignatureVerification", String.class, String.class, String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        super.beforeHookedMethod(param);
        // setResult before the original runs skips the verification and forces the result.
        // NOTE(review): this assumes the method returns boolean — confirm from the target's signature.
        // Defensive note: any purely client-side verification can be overridden this way, so a
        // client must not be the only place a response's integrity is checked.
        param.setResult(true);
    }
    // Logs the (already forced) result once the call completes.
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        Log.e(TAG, "responseDataSignatureVerification返回值: " + param.getResult());
        //param.setResult(null);
    }
});
获取Context
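try {
    Class<?> contextWrapperClass = XposedHelpers.findClass("android.content.ContextWrapper", loadPackageParam.classLoader);
    // Hook ContextWrapper.getApplicationContext() and keep the first non-null result in the
    // shared one-element holder so later code can use it.
    XposedHelpers.findAndHookMethod(contextWrapperClass, "getApplicationContext", new XC_MethodHook() {
        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            // Already captured: this hook fires on every call, so return early.
            if (applicationContext[0] != null) {
                return;
            }
            Context result = (Context) param.getResult();
            if (result == null) {
                // Nothing usable yet; a later call may return a real Context. Storing null here
                // would have made the Toast below throw.
                return;
            }
            applicationContext[0] = result;
            // NOTE(review): Toast needs a thread with a Looper; getApplicationContext() can be
            // reached from background threads — post to the main thread if this throws.
            Toast.makeText(applicationContext[0], "得到上下文", Toast.LENGTH_SHORT).show();
            XposedBridge.log("得到上下文");
        }
    });
} catch (Throwable t) {
    // Keep the original message but also record the cause instead of swallowing it.
    XposedBridge.log("获取上下文出错");
    XposedBridge.log(t);
}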
主动调用方法
//主动调用函数
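// Actively invoke ShuanQUtil.test() on a fresh instance resolved through the given ClassLoader.
Class<?> methodClass = XposedHelpers.findClass("com.aimakeji.shuanq.library.ShuanQUtil", classLoader);
Method methodBestMatch = XposedHelpers.findMethodBestMatch(methodClass, "test");
// Class.newInstance() is deprecated (it rethrows checked constructor exceptions unwrapped);
// instantiate through the explicit no-arg constructor instead. Both forms require that
// constructor to be accessible from here.
methodBestMatch.invoke(methodClass.getDeclaredConstructor().newInstance());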
//另一种
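// Call the static method ms.bd.o.p1$a.LIZ(url, _map) reflectively and keep its result.
Class<?> clazz = XposedHelpers.findClass("ms.bd.o.p1$a", loadPackageParam.classLoader);
// The original line was a bare cast expression, which is not a valid Java statement; the
// result must be assigned (or otherwise consumed). callStaticMethod returns Object, so the
// map type is asserted from the target method's signature — hence the unchecked cast.
@SuppressWarnings("unchecked")
Map<String, String> result = (Map<String, String>) XposedHelpers.callStaticMethod(clazz, "LIZ", url, _map);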
hook onCreateView实现按钮主动点击
// Hook com.find.diff.a.onCreateView(LayoutInflater, ViewGroup, Bundle) to capture the hooked
// instance and the View it returns, both kept in shared fields for later use.
XposedHelpers.findAndHookMethod("com.find.diff.a", loadPackageParam.classLoader, "onCreateView",
        LayoutInflater.class, ViewGroup.class, Bundle.class, new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(final MethodHookParam param) throws Throwable {
        XposedBridge.log("hook-onCreateView-------------------------------");
        comFindDiffA = param.thisObject;
        // onCreateView's return value is the inflated root View.
        View rootView = (View) param.getResult();
        inflate = rootView;
    }
});
需要运行在UI线程的方法 runOnUiThread
//comFindDiffA为 param.thisObject 可提前全局保存下来
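// comFindDiffA is the param.thisObject captured from the onCreateView hook (redundant Object cast dropped).
Object activityObj = XposedHelpers.callMethod(comFindDiffA, "getActivity");
if (activityObj != null) {
    XposedBridge.log("--------------------------------activityObj有值");
    // View operations must run on the UI thread, so the click is posted via Activity.runOnUiThread.
    XposedHelpers.callMethod(activityObj, "runOnUiThread", new Runnable() {
        @Override
        public void run() {
            // applicationContext is the globally saved Context.
            Resources res = applicationContext.getResources();
            // Resolve R.id.game_over_next at runtime; getIdentifier returns 0 when the name is unknown.
            int idNum = res.getIdentifier("game_over_next", "id",
                    applicationContext.getPackageName());
            if (idNum == 0) {
                XposedBridge.log("--------------------------------game_over_next id not found");
                return;
            }
            // inflate is the root View captured from the onCreateView hook. performClick is
            // defined on View, so the ViewGroup cast was unnecessary and could throw; a missing
            // child view is reported instead of crashing the UI thread with an NPE.
            View target = inflate.findViewById(idNum);
            if (target == null) {
                XposedBridge.log("--------------------------------game_over_next view not found");
                return;
            }
            XposedBridge.log("--------------------------------runOnUiThread click");
            target.performClick();
        }
    });
}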
修改类静态属性
//设置ms.bd.o.p1$a的静态属性name值为张三
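// Set the static field ms.bd.o.p1$a.name to "张三" (raw Class replaced by Class<?>).
Class<?> clazz = XposedHelpers.findClass("ms.bd.o.p1$a", loadPackageParam.classLoader);
// Null receiver because the field is static; findField is relied on to make the Field accessible.
XposedHelpers.findField(clazz, "name").set(null, "张三");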
修改实例对象上属性
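// Overwrite the instance field "name" on the hooked object (param.thisObject).
Class<?> targetClass = param.thisObject.getClass();
// getDeclaredField only searches this exact class: a field declared in a superclass
// throws NoSuchFieldException here.
Field nameField = targetClass.getDeclaredField("name");
nameField.setAccessible(true);
nameField.set(param.thisObject, "张三");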