A while ago I picked up a Nexus 6, one of Google's own devices, rooted it and flashed Xposed just for fun. The result: one of the apps greeted me with this when it opened.
Analysis of the APK
The most basic analysis can be done in Android Studio: copy the installation package into an open Android Studio project and take a quick look. The package name is com.huimai365, and the APK is packed (it has a protective shell).
After a lot of Googling I finally found dumpDex, a foolproof unpacking tool that works just fine. It writes the dumped dex files to
/data/data/com.huimai365/dump
Copy them to the host and convert each one with dex2jar (xxx is the placeholder for the directory holding the dumped files):
dir=../xxx
for file in "$dir"/*; do
    ./d2j-dex2jar.sh "$file"
done
Then open the jars in JD-GUI and look for the package we need, com.huimai365. Luckily I found it; unfortunately the damn code is obfuscated. Not bad, young man!
Analysis of the code
Let's start with an educated guess: an Xposed check like this is usually done in the Application's onCreate method, followed by the pop-up. So let's look for the app's own Application subclass. Its onCreate calls
ar.a();
and the ar class (decompiled, with obfuscated names) looks like this:
import android.content.Context;
import android.content.pm.ApplicationInfo;
import java.lang.reflect.Field;
import java.util.List;

// Decompiled with JD-GUI and tidied up; method names are obfuscated.
// b(), c(Context) and a(Object, String) are called below but are not part of the dump shown here;
// ac.d(...) is the app's obfuscated log helper.
public class ar
{
    // Tries to switch Xposed off from inside the app: sets the static field
    // XposedBridge.disableHooks to true via reflection. Fails silently when Xposed is absent.
    public static void a()
    {
        try
        {
            Field localField = ClassLoader.getSystemClassLoader()
                    .loadClass("de.robv.android.xposed.XposedBridge")
                    .getDeclaredField("disableHooks");
            localField.setAccessible(true);
            localField.set(null, Boolean.valueOf(true));
        }
        catch (Throwable localThrowable) {}
    }

    // Single entry point of the check: true as soon as any of the four probes fires.
    public static boolean a(Context paramContext)
    {
        return b(paramContext) || c(paramContext) || b() || c();
    }

    // Probe: look for the Xposed installer or Cydia Substrate among the installed packages.
    private static boolean b(Context paramContext)
    {
        List<ApplicationInfo> apps = paramContext.getPackageManager()
                .getInstalledApplications(128); // 128 == PackageManager.GET_META_DATA
        if (apps == null) {
            return false;
        }
        boolean bool = false;
        for (ApplicationInfo localApplicationInfo : apps)
        {
            if (localApplicationInfo.packageName.equals("de.robv.android.xposed.installer"))
            {
                ac.d("HookDetection", "Xposed found on the system.");
                bool = true;
            }
            if (localApplicationInfo.packageName.equals("com.saurik.substrate"))
            {
                ac.d("HookDetection", "Substrate found on the system.");
                bool = true;
            }
        }
        return bool;
    }

    // Probe: instantiate XposedHelpers and look for its hook caches
    // (fieldCache / methodCache / constructorCache); any of them present means Xposed is loaded.
    private static boolean c()
    {
        try
        {
            Object localObject = ClassLoader.getSystemClassLoader()
                    .loadClass("de.robv.android.xposed.XposedHelpers")
                    .newInstance();
            if (localObject != null)
            {
                if (a(localObject, "fieldCache")
                        || a(localObject, "methodCache")
                        || a(localObject, "constructorCache"))
                {
                    return true;
                }
            }
        }
        catch (Throwable localThrowable) {}
        return false;
    }
}
Hook method
Both a() and a(Context paramContext) live in ar, so we hook both. Let's do it!
import android.content.Context;
import android.util.Log;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodReplacement;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

public class XposedHookInit implements IXposedHookLoadPackage {
    private static final String TAG = "XposedHookInit";

    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
        if ("com.huimai365".equals(lpparam.packageName)) {
            Log.e(TAG, "Find excellent products" + lpparam.packageName);
            hookCheckoutXposed(lpparam.classLoader);
        }
    }

    private void hookCheckoutXposed(ClassLoader classLoader) {
        // ar.a(): stop it from flipping XposedBridge.disableHooks
        XposedHelpers.findAndHookMethod("com.huimai365.util.ar", classLoader, "a", new XC_MethodReplacement() {
            @Override
            protected Object replaceHookedMethod(MethodHookParam param) throws Throwable {
                Log.e(TAG, "Replace close xposed");
                return null;
            }
        });
        // ar.a(Context): always answer "no hook framework found"
        XposedHelpers.findAndHookMethod("com.huimai365.util.ar", classLoader, "a", Context.class, new XC_MethodReplacement() {
            @Override
            protected Object replaceHookedMethod(MethodHookParam param) throws Throwable {
                Log.e(TAG, "Replace find xposed");
                return false;
            }
        });
    }
}
But things are not as simple as they seem; it threw an error:
2019-01-17 12:46:17.038 5888-5888/? E/Xposed: de.robv.android.xposed.XposedHelpers$ClassNotFoundError: java.lang.ClassNotFoundException: com.huimai365.util.ar
at de.robv.android.xposed.XposedHelpers.findClass(XposedHelpers.java:71)
at de.robv.android.xposed.XposedHelpers.findAndHookMethod(XposedHelpers.java:260)
at com.example.xposeddemo.XposedHookInit.hookCheckoutXposed(XposedHookInit.java:35)
at com.example.xposeddemo.XposedHookInit.handleLoadPackage(XposedHookInit.java:20)
at de.robv.android.xposed.IXposedHookLoadPackage$Wrapper.handleLoadPackage(IXposedHookLoadPackage.java:34)
at de.robv.android.xposed.callbacks.XC_LoadPackage.call(XC_LoadPackage.java:61)
at de.robv.android.xposed.callbacks.XCallback.callAll(XCallback.java:106)
at de.robv.android.xposed.XposedInit$2.beforeHookedMethod(XposedInit.java:134)
at de.robv.android.xposed.XposedBridge.handleHookedMethod(XposedBridge.java:340)
at android.app.ActivityThread.handleBindApplication(<Xposed>)
at android.app.ActivityThread.-wrap2(ActivityThread.java)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1546)
at android.os.Handler.dispatchMessage(Handler.java:102)
at android.os.Looper.loop(Looper.java:154)
at android.app.ActivityThread.main(ActivityThread.java:6121)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:889)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:779)
at de.robv.android.xposed.XposedBridge.main(XposedBridge.java:107)
Caused by: java.lang.ClassNotFoundException: com.huimai365.util.ar
at java.lang.Class.classForName(Native Method)
at java.lang.Class.forName(Class.java:400)
at external.org.apache.commons.lang3.ClassUtils.getClass(ClassUtils.java:823)
Analyzing the problem
Why a ClassNotFoundError when the class clearly exists? After reading up on how app packers work, I learned that once the original app has been loaded, the class loader is swapped out, so looking the class up through the original class loader throws a class-not-found exception. The app uses Tencent's packer: in AndroidManifest.xml the application class has been replaced by com.tencent.StubShell.TxAppEntry. TxAppEntry lives in classes.dex, and its attachBaseContext looks like this:
// Decompiled TxAppEntry.attachBaseContext (Tencent StubShell). The helpers it calls
// belong to the packer and are not shown here.
protected void attachBaseContext(Context paramContext)
{
    super.attachBaseContext(paramContext);
    SystemClassLoaderInjector.fixAndroid(paramContext, this);
    if (!b(this)) {
        return;
    }
    d(paramContext);
    a(this);
}
The class loader is replaced here, so we need to get hold of the replaced class loader and hook through that one instead. OK, let's do it again, this time hooking from a different spot:
import android.content.Context;
import android.util.Log;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XC_MethodReplacement;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

public class XposedHookInit implements IXposedHookLoadPackage {
    private static final String TAG = "XposedHookInit";

    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
        if ("com.huimai365".equals(lpparam.packageName)) {
            Log.e(TAG, "Find excellent products" + lpparam.packageName);
            // The packer swaps the class loader inside TxAppEntry.attachBaseContext, so wait
            // until that has run and hook through the loader the Context reports afterwards.
            XposedHelpers.findAndHookMethod("com.tencent.StubShell.TxAppEntry", lpparam.classLoader,
                    "attachBaseContext", Context.class, new XC_MethodHook() {
                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    super.afterHookedMethod(param);
                    Context context = (Context) param.args[0];
                    ClassLoader realClassLoader = context.getClassLoader();
                    hookCheckoutXposed(realClassLoader);
                }
            });
        }
    }

    private void hookCheckoutXposed(ClassLoader classLoader) {
        XposedHelpers.findAndHookMethod("com.huimai365.util.ar", classLoader, "a", new XC_MethodReplacement() {
            @Override
            protected Object replaceHookedMethod(MethodHookParam param) throws Throwable {
                Log.e(TAG, "Replace close xposed");
                return null;
            }
        });
        XposedHelpers.findAndHookMethod("com.huimai365.util.ar", classLoader, "a", Context.class, new XC_MethodReplacement() {
            @Override
            protected Object replaceHookedMethod(MethodHookParam param) throws Throwable {
                Log.e(TAG, "Replace find xposed");
                return false;
            }
        });
    }
}
Conclusion
In fact, all I did here was pull together a variety of tools; most of the knowledge comes from the Internet. I hope this modest piece draws out better work from others, and that every reader takes away a little something. I also sincerely admire the people who build these tools; it seems I still have a long way to go!
This is actually my first time writing a technical article. I put it on Juejin (the Nuggets) specifically because it is my favorite domestic platform (bar none). I hope Juejin keeps getting better and better and never forgets its original intention!
References
Sorry, Xposed really can do whatever it wants – 5. I flashed Xposed, what right do you have to lock me out?
DumpDex – Android unpacking
The road of Android reversing – unpacking the 360 packer