
Bypassing Charles proxy detection with Xposed and capturing traffic

Author: 朝朝朝朝朝落 | Published 2022-01-11 10:04

Target app:

[screenshot]

With the proxy enabled in Charles and the proxy set on the phone, opening the app shows the prompt below and the app cannot reach the network:

[screenshot]

The prompt makes it clear that the app performs proxy detection.

Unpacking

Opening the app in jadx shows that it is packed, so unpack it first; see https://www.jianshu.com/p/aef7cdca8263

After unpacking, open the result and search for isWifiProxy:

[screenshots]

Writing the Xposed hook code

1. Create a new Xposed project:

[screenshot]

2. Preparation:
Paste the following into AndroidManifest.xml:

[screenshot]

        <!-- goes inside the <application> element -->
        <meta-data
            android:name="xposedmodule"
            android:value="true" />            <!-- marks this as an Xposed module -->
        <meta-data
            android:name="xposeddescription"
            android:value="这是一个Xposed例程" />  <!-- module description -->
        <meta-data
            android:name="xposedminversion"
            android:value="53" />              <!-- lowest Xposed version the module supports, e.g. 53 -->

Create an assets folder at the location shown below and add a new text file in it:

[screenshot]

Paste the following into the dependencies block of build.gradle so that Android Studio pulls in XposedBridgeApi.jar for us automatically:

[screenshot]
    compileOnly 'de.robv.android.xposed:api:82'
    compileOnly 'de.robv.android.xposed:api:82:sources'

3. Write the hook code
Create a Module class with the code below (for hooking packed apps see https://www.jianshu.com/p/ee8ff2f80d08):

[screenshot]
package com.example.demo;

import android.app.Application;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;


// 创保网 -- packed app
public class Module implements IXposedHookLoadPackage {
    private static final String TAG = "gantb"; // arbitrary, no need to change
    public static XC_LoadPackage.LoadPackageParam lpparam = null;
    public static ClassLoader classLoader1 = null;

    @Override
    public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
        // change the target app's package name on this line
        if (lpparam.packageName.equals("com.pingan.genbao")) {
            XposedBridge.log(" has Hooked!");
            XposedBridge.log("inner  => " + lpparam.processName);
            // The packer loads the real app classes through its own ClassLoader, so wait for
            // ActivityThread.performLaunchActivity and take the loader from the Application object.
            Class ActivityThread = XposedHelpers.findClass("android.app.ActivityThread", lpparam.classLoader);
            XposedBridge.hookAllMethods(ActivityThread, "performLaunchActivity", new XC_MethodHook() {
                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    super.afterHookedMethod(param);
                    Application mInitialApplication = (Application) XposedHelpers.getObjectField(param.thisObject, "mInitialApplication");
                    ClassLoader finalCL = (ClassLoader) XposedHelpers.callMethod(mInitialApplication, "getClassLoader");
                    XposedBridge.log("found classload is => " + finalCL.toString());
                    // change the class name here
                    Class BabyMain = (Class) XposedHelpers.callMethod(finalCL, "findClass", "com.sdog.SysUtils");
                    XposedBridge.log("found final class is => " + BabyMain.getName());
                    fart(finalCL);
                }
            });
        }
    }

    private void fart(ClassLoader classLoader) {
        // change the class name, method name and result here
        XposedHelpers.findAndHookMethod("com.sdog.SysUtils", classLoader, "isWifiProxy", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                super.afterHookedMethod(param);
                // override the return value with false, i.e. "no proxy detected"
                param.setResult(false);
            }
        });
    }
}

4. Install it on the phone: click install, wait a moment until it reports success, and the phone opens the module automatically. Since we wrote nothing else, it only shows 'Hello World':

[screenshots]

Enable the module in Xposed, then do a soft reboot.

[screenshot]

Back in Android Studio, the demo.apk log looks normal:

[screenshot]

Open the app and capture the traffic:

[screenshot]
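The hook works because the app's whole decision rests on a single boolean returned by isWifiProxy. As an added example that is not from the original post or the target app, here is what an app-side check written with that in mind looks like in Java: it keeps the http.proxyHost/http.proxyPort system-property signal (assumed here to be what isWifiProxy reads, since the page does not show its body) and separately records whether the Xposed bridge is on the call stack, so a log reader can tell a hooked result from a genuine one. The ProxyCheck class and its package name are hypothetical.

```java
package com.example.check; // hypothetical package, not part of the original module or app

import android.util.Log;

/** Added example: a proxy check that reports two signals instead of one trustable boolean. */
public final class ProxyCheck {
    private static final String TAG = "ProxyCheck";

    /** Both signals are returned so the caller can log and react, not just branch on one flag. */
    public static final class Result {
        public final boolean proxyConfigured;
        public final boolean hookFrameworkOnStack;
        Result(boolean proxyConfigured, boolean hookFrameworkOnStack) {
            this.proxyConfigured = proxyConfigured;
            this.hookFrameworkOnStack = hookFrameworkOnStack;
        }
    }

    /** Android sets these JVM properties in the app process when a system proxy (e.g. Charles) is active. */
    static boolean readProxyProperties() {
        String host = System.getProperty("http.proxyHost");
        String port = System.getProperty("http.proxyPort");
        return host != null && !host.isEmpty() && port != null && !port.isEmpty();
    }

    /** A method hooked by Xposed runs underneath de.robv.android.xposed.* frames; look for them. */
    static boolean xposedOnStack() {
        for (StackTraceElement frame : new Throwable().getStackTrace()) {
            if (frame.getClassName().startsWith("de.robv.android.xposed.")) {
                return true;
            }
        }
        return false;
    }

    /** Evaluate both signals; a hooked run is logged so the flipped result is not silently trusted. */
    public static Result evaluate() {
        boolean proxy = readProxyProperties();
        boolean hooked = xposedOnStack();
        if (hooked) {
            Log.w(TAG, "proxy check executed under a hook framework; result is untrusted");
        }
        return new Result(proxy, hooked);
    }
}
```

The stack scan only sees a hook placed on this method or on one of its callers, so treat it as a logging signal rather than a guarantee.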


Article link: https://www.haomeiwen.com/subject/frgmcrtx.html