A while ago I got hold of a Google Nexus 6, rooted it and flashed Xposed, just for fun. Then one of the apps, when opened, greeted me with this.

Analysis of the APK

The most basic analysis can be done with Android Studio. Copy the installation package into the project directory that Android Studio has open and take a cursory look.

The package name is com.huimai365, and the APK is packed ("shelled").

After a lot of searching, I finally found dumpDex, a fool-proof unpacking tool that works just fine.

The dumped dex files end up in /data/data/com.huimai365/dump. Convert all of them to jars with dex2jar:

dir=../xxx/
for file in "$dir"/*; do
    ./d2j-dex2jar.sh "$file"
done

Then open the jars in JD-GUI and look for the package we need, com.huimai365. Luckily I finally found it; unfortunately the damn code is obfuscated. Good one, young man!

Analysis of the code

Let's reason about it first: this kind of Xposed detection is usually performed in the Application's onCreate method, followed by the pop-up dialog. So let's look for the app's own Application subclass.

Its onCreate calls ar.a(). The decompiled class ar looks like this:

import android.content.Context;
import android.content.pm.ApplicationInfo;

import java.lang.reflect.Field;
import java.util.List;

public class ar
{
  // Tries to switch Xposed off by setting XposedBridge.disableHooks = true via reflection.
  public static void a()
  {
    try
    {
      Field localField = ClassLoader.getSystemClassLoader()
          .loadClass("de.robv.android.xposed.XposedBridge")
          .getDeclaredField("disableHooks");
      localField.setAccessible(true);
      localField.set(null, Boolean.valueOf(true));
    }
    catch (Throwable localThrowable) {}
  }

  // Detection entry point: true if any of the hook-framework checks fires.
  // b(), c(Context) and a(Object, String) are not part of the decompiled excerpt.
  public static boolean a(Context paramContext)
  {
    return (b(paramContext)) || (c(paramContext)) || (b()) || (c());
  }

  // Scans the installed packages for the Xposed installer and Cydia Substrate.
  private static boolean b(Context paramContext)
  {
    List<ApplicationInfo> apps = paramContext.getPackageManager().getInstalledApplications(128);
    if (apps == null) {
      return false;
    }
    boolean bool = false;
    for (ApplicationInfo localApplicationInfo : apps)
    {
      if (localApplicationInfo.packageName.equals("de.robv.android.xposed.installer"))
      {
        ac.d("HookDetection", "Xposed found on the system.");
        bool = true;
      }
      if (localApplicationInfo.packageName.equals("com.saurik.substrate"))
      {
        ac.d("HookDetection", "Substrate found on the system.");
        bool = true;
      }
    }
    return bool;
  }

  // Instantiates XposedHelpers and checks whether any of its hook caches are populated.
  private static boolean c()
  {
    try
    {
      Object localObject = ClassLoader.getSystemClassLoader()
          .loadClass("de.robv.android.xposed.XposedHelpers").newInstance();
      if (localObject != null)
      {
        if (a(localObject, "fieldCache")
            || a(localObject, "methodCache")
            || a(localObject, "constructorCache")) {
          return true;
        }
      }
    }
    catch (Throwable localThrowable) {}
    return false;
  }
}

Hook method

Both ar.a() and ar.a(Context paramContext) have to be hooked. Let's do it!

import android.content.Context;
import android.util.Log;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodReplacement;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

public class XposedHookInit implements IXposedHookLoadPackage {
    private static final String TAG = "XposedHookInit";

    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
        if ("com.huimai365".equals(lpparam.packageName)) {
            Log.e(TAG, "Find excellent products" + lpparam.packageName);
            hookCheckoutXposed(lpparam.classLoader);
        }
    }

    private void hookCheckoutXposed(ClassLoader classLoader) {
        // ar.a(): the method that sets XposedBridge.disableHooks; replace it with a no-op.
        XposedHelpers.findAndHookMethod("com.huimai365.util.ar", classLoader, "a",
                new XC_MethodReplacement() {
            @Override
            protected Object replaceHookedMethod(MethodHookParam param) throws Throwable {
                Log.e(TAG, "Replace close xposed");
                return null;
            }
        });
        // ar.a(Context): the detection entry point; always report "nothing found".
        XposedHelpers.findAndHookMethod("com.huimai365.util.ar", classLoader, "a", Context.class,
                new XC_MethodReplacement() {
            @Override
            protected Object replaceHookedMethod(MethodHookParam param) throws Throwable {
                Log.e(TAG, "Replace find xposed");
                return false;
            }
        });
    }
}

But things were not as simple as expected; it threw an error:

2019-01-17 12:46:17.038 5888-5888/? E/Xposed: de.robv.android.xposed.XposedHelpers$ClassNotFoundError: java.lang.ClassNotFoundException: com.huimai365.util.ar
        at de.robv.android.xposed.XposedHelpers.findClass(XposedHelpers.java:71)
        at de.robv.android.xposed.XposedHelpers.findAndHookMethod(XposedHelpers.java:260)
        at com.example.xposeddemo.XposedHookInit.hookCheckoutXposed(XposedHookInit.java:35)
        at com.example.xposeddemo.XposedHookInit.handleLoadPackage(XposedHookInit.java:20)
        at de.robv.android.xposed.IXposedHookLoadPackage$Wrapper.handleLoadPackage(IXposedHookLoadPackage.java:34)
        at de.robv.android.xposed.callbacks.XC_LoadPackage.call(XC_LoadPackage.java:61)
        at de.robv.android.xposed.callbacks.XCallback.callAll(XCallback.java:106)
        at de.robv.android.xposed.XposedInit$2.beforeHookedMethod(XposedInit.java:134)
        at de.robv.android.xposed.XposedBridge.handleHookedMethod(XposedBridge.java:340)
        at android.app.ActivityThread.handleBindApplication(<Xposed>)
        at android.app.ActivityThread.-wrap2(ActivityThread.java)
        at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1546)
        at android.os.Handler.dispatchMessage(Handler.java:102)
        at android.os.Looper.loop(Looper.java:154)
        at android.app.ActivityThread.main(ActivityThread.java:6121)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:889)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:779)
        at de.robv.android.xposed.XposedBridge.main(XposedBridge.java:107)
     Caused by: java.lang.ClassNotFoundException: com.huimai365.util.ar
        at java.lang.Class.classForName(Native Method)
        at java.lang.Class.forName(Class.java:400)
        at external.org.apache.commons.lang3.ClassUtils.getClass(ClassUtils.java:823)

Analyzing the problem

Why a ClassNotFoundError when the class clearly exists? After reading up on how packers ("reinforcement") work, I learned that once the original app has been loaded, the class loader is swapped out. If we use the original class loader, we therefore get an exception saying the class cannot be found. The app uses Tencent's packer: in AndroidManifest.xml the application class has been replaced by com.tencent.StubShell.TxAppEntry.

Decompiling TxAppEntry from classes.dex, its attachBaseContext looks like this:

  protected void attachBaseContext(Context paramContext)
  {
    super.attachBaseContext(paramContext);
    // The packer installs its own class loader here; the real app classes live behind it.
    SystemClassLoaderInjector.fixAndroid(paramContext, this);
    if (!b(this)) {
      return;
    }
    d(paramContext);
    a(this);
  }

This is where the class loader gets replaced, so we need to grab the replaced class loader and hook with it instead. OK, let's do it again from a different position:

import android.content.Context;
import android.util.Log;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XC_MethodReplacement;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

public class XposedHookInit implements IXposedHookLoadPackage {
    private static final String TAG = "XposedHookInit";

    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
        if ("com.huimai365".equals(lpparam.packageName)) {
            Log.e(TAG, "Find excellent products" + lpparam.packageName);
            // Hook the packer stub's attachBaseContext; once it has run, the context
            // carries the real class loader that can see com.huimai365.util.ar.
            XposedHelpers.findAndHookMethod("com.tencent.StubShell.TxAppEntry", lpparam.classLoader,
                    "attachBaseContext", Context.class, new XC_MethodHook() {
                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    super.afterHookedMethod(param);
                    Context context = (Context) param.args[0];
                    ClassLoader realClassLoader = context.getClassLoader();
                    hookCheckoutXposed(realClassLoader);
                }
            });
        }
    }

    private void hookCheckoutXposed(ClassLoader classLoader) {
        // ar.a(): the method that sets XposedBridge.disableHooks; replace it with a no-op.
        XposedHelpers.findAndHookMethod("com.huimai365.util.ar", classLoader, "a",
                new XC_MethodReplacement() {
            @Override
            protected Object replaceHookedMethod(MethodHookParam param) throws Throwable {
                Log.e(TAG, "Replace close xposed");
                return null;
            }
        });
        // ar.a(Context): the detection entry point; always report "nothing found".
        XposedHelpers.findAndHookMethod("com.huimai365.util.ar", classLoader, "a", Context.class,
                new XC_MethodReplacement() {
            @Override
            protected Object replaceHookedMethod(MethodHookParam param) throws Throwable {
                Log.e(TAG, "Replace find xposed");
                return false;
            }
        });
    }
}

Conclusion

In fact, all I did here was piece together a number of tools; most of the knowledge came from the Internet. I hope this can serve as a starting point for discussion and that every reader takes a little something away from it. I also sincerely admire the authors of these tools; it seems I still have a long way to go!

This is actually my first technical article. I posted it specifically on Juejin ("Nuggets") because it is my favorite domestic platform (bar none). I hope Juejin keeps getting better and never forgets its original intent!

Resources

Sorry, Xposed really can do whatever it wants – 5. I flashed Xposed, so why won't you let me use it

DumpDex – Android unpacking

The road of Android reversing – Unpacking the 360 packer