附反编译后所hook的部分
前辈们好:现在做到如下,没有思路了,烦请指点一二
现有想法:hook 到拦截器的请求和响应,创建服务,伪造请求,然后就不会了。在用 Xposed hook 某 app 时,hook 的是 okhttp3 的拦截器(因为此处能返回我们需要的各类参数)。
1、已经找到关键函数,也hook到了,能返回所需要的数据。
2、代码部分:因为初次尝试,打印有点多。贴一下完整代码:
package com.example.app001.hooksig;
import android.app.Application;
import android.content.Context;
import com.yanzhenjie.andserver.AndServer;
import com.yanzhenjie.andserver.Server;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
public class MyHook implements IXposedHookLoadPackage {
public Server myserver;
/**
 * Xposed entry point, called once for every package that gets loaded.
 *
 * <p>Packages other than the single one named below are ignored. For the matching package a
 * hook is placed on {@code Application.attach(Context)}; after that method returns, the
 * class loader of the attached {@link Context} is used to look up the signing class, and a
 * second hook is placed on its {@code sign(String, String, Long)} method.
 *
 * <p>The second hook only observes: it writes the three arguments and the returned
 * {@code String[]} to the Xposed log in clear text and does not alter them.
 *
 * @param lpparam description of the package being loaded; only {@code packageName} is read
 * @throws Throwable declared by the Xposed callback interface
 */
@Override
public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
    XposedBridge.log("-------------进入handleLoadPackage-----------");

    // Guard clause: nothing is hooked unless the package name matches exactly.
    if (!lpparam.packageName.equals("com.xxxx-homelink-xxxx.android")) {
        return;
    }
    XposedBridge.log("---------------包名验证正确,start hook-----------");

    // The original author's comment describes this outer hook as a multi-dex workaround:
    // the class lookup is deferred until Application.attach has handed over a Context.
    XposedHelpers.findAndHookMethod(Application.class, "attach", Context.class, new XC_MethodHook() {
        @Override
        protected void afterHookedMethod(MethodHookParam attachCall) throws Throwable {
            XposedBridge.log("-------------进入hook多个dex方法-----------");
            final ClassLoader appLoader = ((Context) attachCall.args[0]).getClassLoader();

            Class<?> signerClass;
            try {
                signerClass = appLoader.loadClass("com.ke.infrastructure.app.signature.algorithm.V1SignAlgorithm");
                XposedBridge.log("-------------进去try了,查找到类名-----------");
            } catch (Exception lookupFailure) {
                // Class not reachable through this loader: log the reason and install nothing.
                XposedBridge.log("-----------查找不到报错了-----------" + lookupFailure.getMessage());
                return;
            }
            XposedBridge.log("Debug, 查询成功 " + signerClass);

            // Observer for sign(): logs inputs before the call and the result after it.
            final XC_MethodHook signObserver = new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam call) throws Throwable {
                    super.beforeHookedMethod(call);
                    XposedBridge.log("进入hook操作函数-----------");
                    // The three arguments are logged as-is, in declaration order.
                    XposedBridge.log("beforeHookedMethod a:" + call.args[0]);
                    XposedBridge.log("beforeHookedMethod b:" + call.args[1]);
                    XposedBridge.log("beforeHookedMethod c:" + call.args[2]);
                }

                @Override
                protected void afterHookedMethod(MethodHookParam call) throws Throwable {
                    XposedBridge.log("Hook函数之后代码区---------------");
                    // The result is cast to String[] without a type check.
                    final String[] signed = (String[]) call.getResult();
                    XposedBridge.log("afterHookedMethod 返回值:" + Arrays.toString(signed));
                }
            };
            XposedHelpers.findAndHookMethod(
                    signerClass, "sign", String.class, String.class, Long.class, signObserver);
        }
    });
}
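/**
 * Builds (once) and starts an AndServer HTTP server whose {@code /wua_and_sign} route is
 * served by a {@link beike_wua} handler bound to the hooked object.
 *
 * <p>The server instance is cached in {@code myserver}; later calls reuse it and only start
 * it again when it is not running.
 *
 * <p>NOTE(review): no bind address and no authentication are configured here, so which
 * interfaces the port is reachable on depends on AndServer's default; confirm before
 * running this on a shared network, since any client that can reach the port can drive
 * the handler.
 *
 * @param cls   class on which the {@code sign(String, String, Long)} method is looked up
 * @param param hook parameter whose {@code thisObject} is handed to the request handler
 * @throws NoSuchMethodException if {@code cls} declares no matching {@code sign} method
 */
private void get_wua(final Class<?> cls, XC_MethodHook.MethodHookParam param) throws NoSuchMethodException {
    // Resolved on every call, as before, so a missing method is reported even when the
    // server already exists.
    Method m = cls.getDeclaredMethod("sign", String.class, String.class, Long.class);

    if (myserver == null) {
        // The message now names the port that is actually bound; it previously said 10086.
        XposedBridge.log("创建监听10010端口");
        myserver = AndServer.serverBuilder()
                .port(10010)
                .timeout(60, TimeUnit.SECONDS)
                .registerHandler("/wua_and_sign", new beike_wua(m, param.thisObject, cls))
                .listener(new Server.ServerListener() {
                    @Override
                    public void onStarted() {
                    }

                    @Override
                    public void onStopped() {
                    }

                    @Override
                    public void onError(Exception e) {
                        // Previously swallowed: a failed startup left no trace in the log.
                        XposedBridge.log(e);
                    }
                })
                .build();
        XposedBridge.log("--- Base 10010 Build Success ---");
    }

    if (!myserver.isRunning()) {
        XposedBridge.log("监听10010端口开始");
        myserver.startup();
    }
}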
}
package com.example.app001.hooksig;
import com.yanzhenjie.andserver.RequestHandler;
import com.yanzhenjie.andserver.util.HttpRequestParser;
import org.apache.httpcore.HttpException;
import org.apache.httpcore.HttpRequest;
import org.apache.httpcore.HttpResponse;
import org.apache.httpcore.protocol.HttpContext;
import java.io.IOException;
import java.lang.reflect.Method;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import de.robv.android.xposed.XposedBridge;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
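/**
 * AndServer request handler used by the hook module's embedded HTTP server.
 *
 * <p>For each request it reads the parameters {@code str1}, {@code str2} and {@code long3},
 * sends one fixed GET request through an OkHttp client that has {@code instance} installed
 * as an interceptor, and writes the status code, the response body and the parsed
 * parameters to the Xposed log. No entity is written to the HTTP response.
 */
public class beike_wua implements RequestHandler {
    // Stored by the constructor; handle() as written does not read cla or m.
    private final Class<?> cla;
    private final Method m;
    // Object supplied by the caller; handle() casts it to okhttp3.Interceptor.
    private final Object instance;

    /**
     * @param m        reflective handle kept for later use
     * @param instance object that handle() installs as an OkHttp interceptor
     * @param cla      class kept for later use
     */
    public beike_wua(Method m, Object instance, Class<?> cla) {
        this.m = m;
        this.instance = instance;
        this.cla = cla;
    }

    /**
     * Handles one HTTP request as described on the class.
     *
     * <p>A request whose {@code long3} parameter is missing or not a decimal number is
     * answered with status 400 and nothing else is done; previously the resulting
     * {@link NumberFormatException} escaped from the handler.
     *
     * @param request  incoming request; only its parameters are read
     * @param response outgoing response; only its status code is ever set, on bad input
     * @param context  unused
     * @throws HttpException declared by the handler interface
     * @throws IOException   declared by the handler interface
     */
    @Override
    public void handle(HttpRequest request, HttpResponse response, HttpContext context) throws HttpException, IOException {
        Map<String, String> map = HttpRequestParser.parseParams(request);
        // The full parameter map of every caller ends up in the log.
        XposedBridge.log("---------进入handle------" + map);

        // String.valueOf turns a missing parameter into the literal text "null".
        String data_1 = String.valueOf(map.get("str1"));
        String data_2 = String.valueOf(map.get("str2"));

        // long3 comes straight from the HTTP request, so it is validated before use.
        Long data_3;
        try {
            data_3 = Long.valueOf(map.get("long3"));
        } catch (NumberFormatException badNumber) {
            XposedBridge.log("handle: missing or non-numeric long3 parameter");
            XposedBridge.log(badNumber);
            response.setStatusCode(400);
            return;
        }
        XposedBridge.log("---------进入handle---00000000000--");

        // Fixed target URL; nothing from the incoming request is placed into it.
        String url = "https://apps.api.ke.com/house/chengjiao/searchV2?condition=&limit_offset=60&containerType=1&limit_count=20&city_id=110000";

        // NOTE(review): instance is declared as Object and nothing in this class checks its
        // type, so this cast throws ClassCastException at request time if it is not an
        // okhttp3.Interceptor. The cast sits outside the try block below.
        OkHttpClient client = new OkHttpClient()
                .newBuilder()
                .connectTimeout(10, TimeUnit.SECONDS)
                .readTimeout(10, TimeUnit.SECONDS)
                .writeTimeout(10, TimeUnit.SECONDS)
                .addInterceptor((Interceptor) instance)
                .build();
        XposedBridge.log("---------进入handle---11111111111--");

        // No method is set on the builder, so OkHttp's default (GET) applies.
        Request req = new Request.Builder()
                .url(url)
                .header("User-Agent", "Beike2.95.0;Xiaomi MI+8; Android 11")
                .addHeader("Referer", "https://bj.ke.com/ershoufang/")
                .build();
        XposedBridge.log("---------进入handle---11111111111--");

        // try-with-resources closes the response (and its body) on every path.
        try (Response resp = client.newCall(req).execute()) {
            XposedBridge.log(resp.code() + "");
            if (!resp.isSuccessful()) {
                throw new IOException("Unexpected code " + resp);
            }
            final String string = resp.body().string();
            // The whole response body is written to stdout and to the Xposed log.
            System.out.println("处理响应数据---------" + string);
            XposedBridge.log("处理响应数据---------" + string);
        } catch (IOException e) {
            // Network failures and non-2xx answers are logged, not propagated.
            XposedBridge.log("---------进入handle---eeeeeeeeee--");
            XposedBridge.log(e);
        }

        XposedBridge.log("data_1 --- " + data_1);
        XposedBridge.log("data_2 --- " + data_2);
        XposedBridge.log("data_3 --- " + data_3);

        // A disabled block that used to follow here is omitted; as posted, the handler
        // never writes an entity to the response.
        XposedBridge.log("---------进入handle---99999999999999--");
    }
}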
// private HashMap<String,String> parse(String data){
// HashMap jobj = JSONObject.parseObject(data, HashMap.class);
// return null;
// }