Xposed Hook使用

Xposed Hook 体会

空闲的时候折腾修改悦动步数,用上了 Xposed Hook 第三方应用的方法,记录一下。

Xposed太强大了,可以Hook别人的方法:在对方调用方法前能改掉参数,在调用完成后能获取并修改方法的返回值,而且能拿到当前对象,通过反射做更多的事情。

修改调用参数
比如说这个

com.yuedong.common.utils.OpenSign

类,有个

makeSig(String str,String key,HashMap<String,String>map)

方法,我来修改掉它的参数并且拿到它的加密Key:

// Installs a before-call hook on every method named "makeSig" of
// com.yuedong.common.utils.OpenSign, resolved through the hooked app's class loader.
// The hook logs the call arguments and, for one request path only, rewrites entries
// of the parameter map in place before the original method body runs.
//
// Defensive reading: every argument of an in-process method, including any key
// material the app passes in, is readable and mutable by instrumentation running
// inside that process. If makeSig computes a request signature (inferred from its
// name; its body is not shown on this page), the signature is produced over the
// already-modified map, so the server cannot rely on it to detect altered values
// and has to check the plausibility of the reported data itself.
Class<?> openSignEL = XposedHelpers.findClass(
        "com.yuedong.common.utils.OpenSign",
        loadPackageParam.classLoader);
XposedBridge.hookAllMethods(openSignEL, "makeSig",
        new XC_MethodHook() {
            // Runs before each hooked makeSig call; param.args holds the live argument
            // array, so in-place changes to a mutable argument are seen by the callee.
            protected void beforeHookedMethod(XC_MethodHook.MethodHookParam param)
                    throws Throwable {

                // Dumps the raw arguments to logcat under tag "xyl".
                // NOTE(review): as printed this statement is not valid Java (there is no
                // operator between the first literal and param.args[0]), and it reads
                // args[3] although the signature quoted on the page has three parameters.
                // hookAllMethods covers every overload, so other overloads may exist;
                // that cannot be confirmed from this page.
                Log.d("xyl", "makeSig str=="param.args[0].toString()"+++++str2="+param.args[1].toString() + "++++str3=" + param.args[3].toString());
                // Third argument is treated as the request parameter map (unchecked cast).
                HashMap<String, String> hashMap = (HashMap<String, String>) param.args[2];
                if (hashMap != null) {
                    Log.d("xyl", "makeSig hashMap=="
                            + hashMap.toString());
                }
                // Only calls whose second argument equals this path are modified;
                // every other call passes through untouched.
                if (!TextUtils.equals(
                        "/sport/report_runner_info_step_batch",
                        param.args[1].toString())) {
                    return;
                }
                if (hashMap != null
                        && hashMap.containsKey("steps_array_json")) {
                    // Parse the reported batch. A `new` expression never yields null, so
                    // only the length test below is effective: batches that do not hold
                    // exactly one element are left unmodified.
                    JSONArray jsonArray = new JSONArray(hashMap
                            .get("steps_array_json"));
                    if (jsonArray == null
                            || jsonArray.length() != 1) {
                        return;
                    }
                    // MainHook.userId is defined outside this snippet; when it is
                    // non-empty, both user-id entries of the map are overwritten with it.
                    if (!TextUtils.isEmpty(MainHook.userId)) {
                        hashMap.put("user_id", MainHook.userId);
                        hashMap.put("client_user_id", MainHook.userId);
                    }
                    // Replace "step" and "cost_time" of the single element with
                    // MainHook.addValue and twice that value (addValue is defined elsewhere).
                    JSONObject jsonObject = jsonArray
                            .getJSONObject(0);
                    jsonObject.remove("step");
                    jsonObject.remove("cost_time");
                    jsonObject.put("step", MainHook.addValue);
                    jsonObject.put("cost_time",MainHook.addValue*2 );
                    // Write the element back as a one-element JSON array string.
                    hashMap.put("steps_array_json", "["
                            + jsonObject.toString() + "]");
                    // Record the rewritten map in the Xposed log.
                    XposedBridge.log("newhashMap=="
                            + hashMap.toString());
                }
            }

        });

这样就能在原方法执行前拿到参数,并在修改参数后让原方法继续执行。也就是说,参数是在 makeSig 运行之前被改掉的;如果 makeSig 如其名是在计算请求签名,那么服务端单凭签名无法区分数据是否被改过,数据的合理性必须由服务端自行校验。

再来Hook别人方法的返回值,并且拿到当前对象去反射调用它的内部方法
比如说这个类

com.yuedong.sport.controller.account.Account

有方法

public String xyy();
public int uid();

继续使用Xposed的hookAllMethods

// Installs an after-call hook on every method named "xyy" of
// com.yuedong.sport.controller.account.Account. Once the original method has
// returned, the hook reads its result, reflectively calls uid() on the same
// instance, and publishes both values in a broadcast.
//
// Defensive reading: a value returned by an in-process method can be read by
// instrumentation in that process and carried out of it. What xyy() returns is
// not shown on this page, so its sensitivity cannot be judged from here.
//
// NOTE(review): the class is stored in the local `Account`, but hookAllMethods is
// given `ydAccount`, which is not declared in this snippet. Presumably the two are
// meant to be the same variable; confirm against the full source.
Class<?> Account = XposedHelpers.findClass(
        "com.yuedong.sport.controller.account.Account",
        loadPackageParam.classLoader);
XposedBridge.hookAllMethods(ydAccount, "xyy",
        new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                super.afterHookedMethod(param);
                // Reflectively invoke the no-argument uid() method on the hooked instance.
                // getDeclaredMethod only finds methods declared on the instance's runtime class.
                Integer uid = (Integer) param.thisObject.getClass().getDeclaredMethod("uid", new Class[]{}).invoke(param.thisObject);
                // Read the value the hooked method returned.
                String xyy = param.getResult().toString();
                // Send both values out through a broadcast. The Intent carries only an
                // action string (no target package or receiver permission is set in this
                // snippet), so any app registered for that action can receive the extras.
                Intent intent = new Intent("com.anjoyo.xyl.run.yd_info");
                intent.putExtra("action", 1);
                intent.putExtra("uid", uid);
                intent.putExtra("xyy", xyy);
                // MainHook.context is assigned outside this snippet; skip sending if it is unset.
                if (MainHook.context != null) {
                    MainHook.context.sendBroadcast(intent);
                }
            }
        }
);

这样就给别人应用挂上钩子了,在别人执行这个方法的时候,你能拿到当前对象,可以做很多很多了。(我也是刚开始玩)

再看一个别人使用的方法,在钩子里开了线程循环调用

// Runs only when the module is loaded into the YUEDONG or CODOON package (both
// constants, the isYuedong / isCodoon flags, `count` and `sObject` are declared
// outside this snippet). Starts a background thread that repeatedly calls
// dispatchSensorEvent on `sObject` with a synthetic value.
//
// Defensive reading: the synthetic events arrive at a fixed ~100 ms cadence with a
// first component that grows by exactly one per event. That kind of regularity is
// what server-side plausibility checks on reported activity can look for.
if (loadPackageParam.packageName.equals(YUEDONG) || loadPackageParam.packageName.equals(CODOON)) {
    Thread autoThread = new Thread() {
        @Override
        public void run() {
            // Loop until the thread's interrupt flag is observed. When neither flag
            // below is set, an iteration does nothing and does not sleep.
            while (!isInterrupted()) {
                if (isYuedong) {
                    try {
                        Thread.sleep(100);
                        // sObject is assigned from param.thisObject in the dispatchSensorEvent
                        // hook shown further down the page; until that hook has fired it is
                        // presumably null and nothing is sent.
                        if (sObject != null) {
                            count++;
                            // Calls the queue's own dispatchSensorEvent by name. The argument
                            // positions match what the hook reads: args[0] is the sensor
                            // handle and args[1] the float[] of values. The meaning of the
                            // literals 5 and 3 is not established by this page.
                            XposedHelpers.callMethod(sObject, "dispatchSensorEvent", 5, new float[]{count, 0, 0}, 3, System.currentTimeMillis());
                        }
                        // Wrap the counter instead of letting it overflow.
                        if (count == Integer.MAX_VALUE) {
                            count = 0;
                        }
                    } catch (InterruptedException e) {
                        // Only the stack trace is printed; the interrupt flag is not
                        // restored, so an interrupt that lands during sleep does not
                        // end the loop.
                        e.printStackTrace();
                    }
                }
                // Same body as the isYuedong branch; if both flags are set, both run
                // in the same iteration.
                if (isCodoon) {
                    try {
                        Thread.sleep(100);
                        if (sObject != null) {
                            count++;
                            XposedHelpers.callMethod(sObject, "dispatchSensorEvent", 5, new float[]{count, 0, 0}, 3, System.currentTimeMillis());
                        }
                        if (count == Integer.MAX_VALUE) {
                            count = 0;
                        }
                    } catch (InterruptedException e) {
                        e.printStackTrace();
                    }
                }
            }
        }
    };
    autoThread.start();
}

// For the listed packages, installs a before-call hook on every dispatchSensorEvent
// method of android.hardware.SystemSensorManager$SensorEventQueue and rewrites the
// float[] of sensor values (args[1]) in place before the framework method runs.
// The package constants, the is* flags, the per-app counters, `m`, `max`, `isAuto`,
// `sObject` and getKey() are all defined outside this snippet.
//
// Defensive reading: the values are altered inside the app's own process before the
// original dispatch method runs, so a SensorEvent inspected in app code carries no
// indication of whether it came from hardware. Trust in reported activity therefore
// has to come from server-side plausibility checks and device/app integrity
// signals, not from the sensor API alone.
if (loadPackageParam.packageName.equals(WEIBO) || loadPackageParam.packageName.equals(PINGAN) || loadPackageParam.packageName.equals(WEXIN) || loadPackageParam.packageName.equals(QQ) || loadPackageParam.packageName.equals(LEDONG) || loadPackageParam.packageName.equals(YUEDONG) || loadPackageParam.packageName.equals(CODOON)) {
    // Defined elsewhere; what it loads is not visible on this page.
    getKey();
    final Class<?> sensorEL = XposedHelpers.findClass("android.hardware.SystemSensorManager$SensorEventQueue", loadPackageParam.classLoader);
    XposedBridge.hookAllMethods(sensorEL, "dispatchSensorEvent", new XC_MethodHook() {
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            // args[0] is read as the sensor handle, args[1] (below) as the value array.
            int handle = (Integer) param.args[0];
            // Remember the queue instance so that code outside this hook can call it.
            sObject = param.thisObject;
            // Reach into the queue's non-public "mSensorsEvents" field to map the handle
            // to its Sensor. The field name is a framework internal, so this presumably
            // depends on the Android version; confirm against the target platform.
            Field field = param.thisObject.getClass().getDeclaredField("mSensorsEvents");
            field.setAccessible(true);
            // .get(handle) is dereferenced before the null check below, so a handle with
            // no entry throws here rather than reaching the `ss == null` branch.
            Sensor ss = ((SparseArray<SensorEvent>) field.get(param.thisObject)).get(handle).sensor;
            if (ss == null) {
                XposedBridge.log("传感器为NULL");
                return;
            }
            // Accelerometer events: scale values[0] and shift values[1] / values[2],
            // alternating the pattern with a per-app event counter.
            if (ss.getType() == Sensor.TYPE_ACCELEROMETER) {
                if (isLedong && loadPackageParam.packageName.equals(LEDONG)) {
                    ledongCount += 1;
                    // Author's remark: "perfect".
                    // Three-way pattern keyed on the counter: x100 / x1000 / x10.
                    if (ledongCount % 3 == 0) {
                        ((float[]) param.args[1])[0] = ((float[]) param.args[1])[0] * 100;
                        ((float[]) param.args[1])[1] += (float) -10;
                    } else if (ledongCount % 2 == 0) {
                        ((float[]) param.args[1])[0] = ((float[]) param.args[1])[0] * 1000;
                        ((float[]) param.args[1])[2] += (float) -20;
                        ((float[]) param.args[1])[1] += (float) -5;
                    } else {
                        ((float[]) param.args[1])[0] = ((float[]) param.args[1])[0] * 10;
                        ((float[]) param.args[1])[2] += (float) 20;
                        ((float[]) param.args[1])[1] += (float) -15;
                    }
                }
                // The next three branches share one pattern: values[0] x1000, then
                // alternate the values[1] / values[2] offsets on even and odd counts.
                if (isYuedong && loadPackageParam.packageName.equals(YUEDONG)) {
                    yuedongCount += 1;
                    ((float[]) param.args[1])[0] = ((float[]) param.args[1])[0] * 1000;
                    if (yuedongCount % 2 == 0) {
                        ((float[]) param.args[1])[2] += (float) -20;
                        ((float[]) param.args[1])[1] += (float) -5;
                    } else {
                        ((float[]) param.args[1])[2] += (float) 20;
                        ((float[]) param.args[1])[1] += (float) -15;
                    }
                }
                if (isPingan && loadPackageParam.packageName.equals(PINGAN)) {
                    pinganCount += 1;
                    ((float[]) param.args[1])[0] = ((float[]) param.args[1])[0] * 1000;
                    if (pinganCount % 2 == 0) {
                        ((float[]) param.args[1])[2] += (float) -20;
                        ((float[]) param.args[1])[1] += (float) -5;
                    } else {
                        ((float[]) param.args[1])[2] += (float) 20;
                        ((float[]) param.args[1])[1] += (float) -15;
                    }
                }
                if (isCodoon && loadPackageParam.packageName.equals(CODOON)) {
                    codoonCount += 1;
                    ((float[]) param.args[1])[0] = ((float[]) param.args[1])[0] * 1000;
                    if (codoonCount % 2 == 0) {
                        ((float[]) param.args[1])[2] += (float) -20;
                        ((float[]) param.args[1])[1] += (float) -5;
                    } else {
                        ((float[]) param.args[1])[2] += (float) 20;
                        ((float[]) param.args[1])[1] += (float) -15;
                    }
                }
            }
            // Step counter / step detector events: only values[0] is changed.
            if (ss.getType() == Sensor.TYPE_STEP_COUNTER || ss.getType() == Sensor.TYPE_STEP_DETECTOR) {
                if ((isWeixin && loadPackageParam.packageName.equals(WEXIN))) {
                    if (isAuto) {
                        // Add a growing offset (m * counter) while it stays below max;
                        // once it reaches max the counter resets and this event is
                        // left unmodified.
                        if (m * weixinCount < max) {
                            ((float[]) param.args[1])[0] = ((float[]) param.args[1])[0] + m * weixinCount;
                            weixinCount += 1;
                        } else {
                            weixinCount = 0;
                        }
                    } else {
                        // Non-auto mode: multiply the reported value by m.
                        ((float[]) param.args[1])[0] = ((float[]) param.args[1])[0] * m;
                    }
                }
                // Same auto / multiply logic as above, with its own counter.
                if ((isQQ && loadPackageParam.packageName.equals(QQ))) {
                    if (isAuto) {
                        if (m * qqCount < max) {
                            ((float[]) param.args[1])[0] = ((float[]) param.args[1])[0] + m * qqCount;
                            qqCount += 1;
                        } else {
                            qqCount = 0;
                        }
                    } else {
                        ((float[]) param.args[1])[0] = ((float[]) param.args[1])[0] * m;
                    }
                }
                // This branch always multiplies; isAuto is not consulted.
                if ((isWeibo && loadPackageParam.packageName.equals(WEIBO))) {
                    ((float[]) param.args[1])[0] = ((float[]) param.args[1])[0] * m;
                }
                // Log package name, sensor type and the resulting values[0] to the Xposed log.
                XposedBridge.log(loadPackageParam.packageName + "传感器类型:" + ss.getType() + ",修改后:" + ((float[]) param.args[1])[0]);
            }
        }
    });
}

使用Xposed模块,记录一下~~
