Examples:
https://blog.csdn.net/zhangyongfeiyong/article/details/52979774
https://www.cnblogs.com/luoyesiqiu/p/9524651.html
52pojie (吾爱破解) beginner's thread
https://www.52pojie.cn/thread-873013-1-1.html?tdsourcetag=s_pctim_aiomsg
How JNI works
https://www.cnblogs.com/java-jiawa/p/9420243.html
Further reading
initForZygote
Where is the Xposed framework zip downloaded from?
http://dl-xda.xposed.info/framework/
How should the SetEntryPointFromJni method be understood?
Reference: https://blog.csdn.net/a314131070/article/details/81092526
In short, a method hooked this way is definitely not a native method to begin with; the hook replaces its JNI entry point and also modifies its access flags accordingly.
Into which categories are ART methods divided?
invoke-virtual, invoke-direct, invoke-super
References:
https://www.cnblogs.com/larrylawrence/p/3985464.html
https://www.cnblogs.com/linwx/p/7966181.html
When is handleLoadPackage called?
The stack trace below answers this: it runs at application startup. It is clearly the result of hooking the handleBindApplication method.
05-19 01:48:49.118 3235 3235 E HotXposed: handleLoadPackage = com.tencent.androidqqmail
05-19 01:48:49.118 3235 3235 E HotXposed: java.lang.Throwable
05-19 01:48:49.118 3235 3235 E HotXposed: at bin.xposed.Unblock163MusicClient.Main.handleLoadPackage(Main.java:17)
05-19 01:48:49.118 3235 3235 E HotXposed: at de.robv.android.xposed.IXposedHookLoadPackage$Wrapper.handleLoadPackage(IXposedHookLoadPackage.java:34)
05-19 01:48:49.118 3235 3235 E HotXposed: at de.robv.android.xposed.callbacks.XC_LoadPackage.call(XC_LoadPackage.java:61)
05-19 01:48:49.118 3235 3235 E HotXposed: at de.robv.android.xposed.callbacks.XCallback.callAll(XCallback.java:106)
05-19 01:48:49.118 3235 3235 E HotXposed: at de.robv.android.xposed.XposedInit$2.beforeHookedMethod(XposedInit.java:134)
05-19 01:48:49.118 3235 3235 E HotXposed: at de.robv.android.xposed.XposedBridge.handleHookedMethod(XposedBridge.java:340)
05-19 01:48:49.118 3235 3235 E HotXposed: at android.app.ActivityThread.handleBindApplication(<Xposed>)
05-19 01:48:49.118 3235 3235 E HotXposed: at android.app.ActivityThread.-wrap2(ActivityThread.java)
05-19 01:48:49.118 3235 3235 E HotXposed: at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1546)
05-19 01:48:49.118 3235 3235 E HotXposed: at android.os.Handler.dispatchMessage(Handler.java:102)
05-19 01:48:49.118 3235 3235 E HotXposed: at android.os.Looper.loop(Looper.java:154)
05-19 01:48:49.118 3235 3235 E HotXposed: at android.app.ActivityThread.main(ActivityThread.java:6121)
05-19 01:48:49.118 3235 3235 E HotXposed: at java.lang.reflect.Method.invoke(Native Method)
05-19 01:48:49.118 3235 3235 E HotXposed: at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:889)
05-19 01:48:49.118 3235 3235 E HotXposed: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:779)
05-19 01:48:49.118 3235 3235 E HotXposed: at de.robv.android.xposed.XposedBridge.main(XposedBridge.java:107)
Where is handleBindApplication hooked?
In the XposedInit.java class,
which in turn calls
XC_LoadPackage.callAll(lpparam);
The callAll method of XCallback is as follows.
/** @hide */
public static void callAll(Param param) {
    if (param.callbacks == null)
        throw new IllegalStateException("This object was not created for use with callAll");
    for (int i = 0; i < param.callbacks.length; i++) {
        try {
            ((XCallback) param.callbacks[i]).call(param);
        } catch (Throwable t) { XposedBridge.log(t); }
    }
}
This in turn calls the call method in XC_LoadPackage.java:
protected void call(Param param) throws Throwable {
    if (param instanceof LoadPackageParam)
        handleLoadPackage((LoadPackageParam) param);
}
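To make the chain above concrete, here is an added, self-contained desktop Java simulation of the XCallback.callAll to XC_LoadPackage.call to handleLoadPackage dispatch (it is not Xposed's own code; the Param, LoadPackageParam and module classes are simplified stand-ins constructed for the demo). It shows the two properties of the loop: the instanceof check routes only LoadPackageParam to handleLoadPackage, and the per-callback try/catch means one failing module is logged without stopping the others.

```java
import java.util.ArrayList;
import java.util.List;

public class CallbackDispatchDemo {
    // Simplified stand-in for XCallback.Param (constructed for this demo).
    static class Param {
        Object[] callbacks;
        Param(Object[] callbacks) { this.callbacks = callbacks; }
    }

    // Stand-in for XC_LoadPackage.LoadPackageParam: only the package name is kept.
    static class LoadPackageParam extends Param {
        final String packageName;
        LoadPackageParam(Object[] cbs, String pkg) { super(cbs); packageName = pkg; }
    }

    // Dispatch loop mirroring XCallback.callAll: every callback is isolated by its own try/catch.
    static abstract class XCallback {
        static void callAll(Param param) {
            if (param.callbacks == null)
                throw new IllegalStateException("This object was not created for use with callAll");
            for (Object cb : param.callbacks) {
                try { ((XCallback) cb).call(param); }
                catch (Throwable t) { System.out.println("[log] " + t); } // stands in for XposedBridge.log(t)
            }
        }
        abstract void call(Param param) throws Throwable;
    }

    // Mirrors XC_LoadPackage.call: only a LoadPackageParam reaches handleLoadPackage.
    static abstract class XC_LoadPackage extends XCallback {
        @Override void call(Param p) throws Throwable {
            if (p instanceof LoadPackageParam) handleLoadPackage((LoadPackageParam) p);
        }
        abstract void handleLoadPackage(LoadPackageParam lpparam) throws Throwable;
    }

    public static void main(String[] args) {
        List<XCallback> modules = new ArrayList<>();   // three hypothetical modules, constructed here
        modules.add(new XC_LoadPackage() { void handleLoadPackage(LoadPackageParam lp) {
            System.out.println("module A sees " + lp.packageName); } });
        modules.add(new XC_LoadPackage() { void handleLoadPackage(LoadPackageParam lp) {
            throw new RuntimeException("module B failed"); } });
        modules.add(new XC_LoadPackage() { void handleLoadPackage(LoadPackageParam lp) {
            System.out.println("module C sees " + lp.packageName); } });
        Object[] cbs = modules.toArray();
        XCallback.callAll(new LoadPackageParam(cbs, "com.example.app"));
        // A runs, B's exception is logged, C still runs: one broken module does not block the rest.
    }
}
```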
So when is initForZygote called?
From the main method of XposedBridge.
And where is that main method called?
In app_main.cpp:
if (zygote) {
    runtime.start(isXposedLoaded ? XPOSED_CLASS_DOTS_ZYGOTE : "com.android.internal.os.ZygoteInit",
                  startSystemServer ? "start-system-server" : "");
}
Where do the hiddenapistubs come from?
The question reduces to how hidden APIs are accessed.
As the screenshot showed, everything inside android.jar is an empty stub implementation.
Inspect any APK and you will find that the android.jar classes are not compiled into the APK at all.
References:
https://blog.yuuta.moe/2017/09/12/new-way-access-hidden-api/index.html
https://blog.csdn.net/hudan2714/article/details/7853908
What does compile fileTree mean?
Where are downloaded third-party jar packages stored?
Under config//gradle/caches
How is XposedBridge compiled?
Import it into Android Studio, then change the configuration to a debuggable build; the main step is removing the setting shown in the screenshot.
Then build the APK in the output directory, rename it to XposedBridge.jar, and push it to system/framework. A successful result looked like the screenshot.
How can the Xposed framework be flashed without installing a third-party recovery on the phone?
Unzip the Xposed framework package, push it to the phone, then run the install script.
What is the difference between compile and api?
No difference.
What is the difference between implementation and compile?
A package referenced with the api or compile keyword is visible to other modules, whereas a package referenced with the implementation keyword is not visible to other modules.
Reference: https://www.jianshu.com/p/c1e9f30c88a0