In one sentence
Analysis of the location of the investigation under the kitchen APP to detect whether the phone is installed Xposed framework method, and then step by step Hook off the corresponding code, in order to remove the disgusting repeat pop-up warning dialog box.
The introduction
Because I have the habit of bringing food, I would think of the dishes to be cooked in the week one day before going to work every week, and then GO home to buy a wave of food ingredients on JD.com. Yesterday afternoon when I opened the kitchen as is my custom, and then:
Every time open a new page to play a dialog box, wow, is really annoying! I TM
You said I Hook the kitchen, so the whole I have no words, but I just install Xposed just Hook the wechat, this is very annoying, line line, that I can only Hook the kitchen, Hook off your test whether installed Xposed method line! Hence this article
Random analysis
For the new version of AS, the portal appears to be hidden. You need to go to the SDK tools directory to find it. For Windows, it is monitor.bat
First get a wave under the kitchen package name: com.xiachufang
Then find the corresponding process:
The first one is needless to say, and then track a wave of method calls, point into the next page pop-up Xposed prompt dialog box, click ok after:
Then search: Xposed one by one excluded, it is not difficult to locate (package name) :
This XposedDetectionUtil class is to determine whether to install the Xposed tool class, and then use Jadx decompilate tool, decompilate a wave of APK, and then use AS open decompilate after the project! (PS: may be used to harden or what means, not all the code can be decompiled correctly!!)
The decompiled project structure is as follows:
Uh… “, a bit too straight, the class name is not confused… Open the XposedDetectionUtil class with the following code:
SXposedInstalled and isXposedInstalled() method, preliminary guess the former is a mark, the default true, on behalf of the mobile phone installed xposed, should be in the process of some logical judgment to modify the flag variable, Then the Activity base class to get this variable before entering, and then decide whether to pop up the Xposed warning dialog box.
The easiest way to hook is to change the value of this variable to true. Try writing code
Hook flag bit static variable
The code is very simple, modify permissions, and then set the next flag bit to true
The module is installed, restarted, and then opened the kitchen, but the program unexpectedly flickered, look at the Log:
Check error exception? I guess I changed a local register variable in the wrong place, so I’m going to have to do something else. I’m going to give up on the changers and start from another point of view.
Continue the random analysis
Let’s look at the following code:
Note here that both static blocks and static variables are initialized when the class is loaded, at the same level, and are initialized in code order.
This code is to test whether the phone installed xposed one of the routines, the logic is:
When the XposedDetectionUtil class is called, load it, then explicitly throw an exception, then catch the exception, retrieve the stack information for the exception call through the EQUetStackTrace, and then traverse the stack. If there is a class name or method containing XposedBridge, the user’s phone installed Xposed.
Here is actually a small question, why there is no code in if, because the decompilation did not get the complete code, or it is ok to do so, there are know the reader can inform below!!
Hook getStackTrace() to getStackTrace();
After reading it, it’s easy to Get a few points:
- 1. The full class name of Hook is java.lang.Throwable
- 2.Hook method: getStackTrace, which returns a StackTraceElement[]
- 3. Simply filter the return value, remove the class name or method containing XposedBridge and reset it.
There you go. Write a wave of code
Hook getStackTrace method
As Array
< Array
< Array< Array
So, you need to borrow another mutable container for that, So you create a mutable list, mutableListOf
(), and then you walk through that array, and you put all the classes and methods that don’t contain XposedBridge in there. After the traversal is complete, you need to turn the mutable set one more time: toArray
() and reset the returned result.
So you have a string of code like this:
Restart the phone, open the kitchen, and check the effect:
At the same time, check the log information printed by Logcat:
Here the Hook is finished, sorry, Xposed really can do anything.
summary
Because under the kitchen has been playing the Xposed warning, so there is this article. Check whether the installation of Xposed can be more than this routine, more can be read: Android Java layer anti-hook skills. Md, do not have expectations, is still with the fate of the update, thank you ~
Attached: Hook part of the code (all available at: github.com/coder-pig/C… Find) :
object XiaChuFangHook{ fun hook(lpparam: XC_LoadPackage.LoadPackageParam) { findAndHookMethod("java.lang.Throwable", lpparam.classLoader, "getStackTrace", object : XC_MethodHook() { override fun afterHookedMethod(param: MethodHookParam) { val result = mutableListOf<StackTraceElement>() for (stackTraceElement in (param.result as Array<StackTraceElement>)) { val className = stackTraceElement.className val methodName = stackTraceElement.methodName if(className ! = null && methodName ! = null) { if(! className.contains("XposedBridge") && ! methodName.contains("XposedBridge")) { result.add(stackTraceElement) } } } param.result = toArray<StackTraceElement>(result) super.afterHookedMethod(param) } }) } }Copy the code