For technical exchange only. Use for any illegal purpose is prohibited!!!
Hook
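For the analysis, see the previous article.
I won't repeat here which places inside the app need to be hooked.
This post mainly covers how to hook the dex that this app injects into the system.
The analysis shows that this dex is located at assets/3DFly.lis.
At runtime it is extracted to /data/fl/libfl.so and then injected into the system.
This means the Android process has to be hooked.
Hooking ClassLoader's loadClass method yields a ClassLoader that can operate on libfl.so.
Because the app may inject more than once, a new thread has to be created each time to set the hooks.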
```java
// Imports used by the snippet below
import java.util.ArrayList;
import java.util.List;

import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;

// Watch every loadClass call so the ClassLoader backed by /data/fl/libfl.so can be captured
XposedHelpers.findAndHookMethod(ClassLoader.class, "loadClass", String.class, new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable {
        if (param.hasThrowable()) {
            return;
        }

        final Class<?> clsloader = (Class<?>) param.getResult();
        // Classes loaded by the bootstrap loader return null from getClassLoader(); skip them
        if (clsloader == null || clsloader.getClassLoader() == null) {
            return;
        }

        if (clsloader.getClassLoader().toString().contains("/data/fl/libfl.so")) {
            XposedBridge.log("FFLBL: Android Init");
            // The app may inject more than once, so the hooks are set from a new thread each time
            new Thread(new Runnable() {
                @Override
                public void run() {
                    try {
                        XposedBridge.log("FFLBL: Android Injected");

                        // Method that returns a package list: swap pkgName for replaceName in the result
                        XposedHelpers.findAndHookMethod("؛.ׯ", clsloader.getClassLoader(), "Ϳ", new XC_MethodHook() {
                            @Override
                            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                                super.afterHookedMethod(param);
                                ArrayList<String> buildin = (ArrayList<String>) param.getResult();
                                if (buildin.contains(PKG.pkgName)) {
                                    buildin.remove(PKG.pkgName);
                                    buildin.add(PKG.replaceName);
                                    XposedBridge.log("FFLBL: Replaced " + PKG.pkgName + " to " + PKG.replaceName);
                                }
                                param.setResult(buildin);
                            }
                        });

                        // Method that takes a package list: swap pkgName for replaceName in the argument
                        XposedHelpers.findAndHookMethod("؛.ލ", clsloader.getClassLoader(), "ؠ", java.util.List.class, new XC_MethodHook() {
                            @Override
                            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                                super.beforeHookedMethod(param);
                                List<String> input = (List<String>) param.args[0];
                                if (input.contains(PKG.pkgName)) {
                                    input.remove(PKG.pkgName);
                                    input.add(PKG.replaceName);
                                    XposedBridge.log("FFLBL: Replaced " + PKG.pkgName + " to " + PKG.replaceName);
                                }
                                param.args[0] = input;
                            }
                        });

                        // setSafeApps: apply the same replacement to its list argument
                        XposedHelpers.findAndHookMethod("com.lerist.inject.utils.Ϳ", clsloader.getClassLoader(), "setSafeApps", java.util.List.class, new XC_MethodHook() {
                            @Override
                            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                                super.beforeHookedMethod(param);
                                List<String> input = (List<String>) param.args[0];
                                if (input.contains(PKG.pkgName)) {
                                    input.remove(PKG.pkgName);
                                    input.add(PKG.replaceName);
                                    XposedBridge.log("FFLBL: Replaced " + PKG.pkgName + " to " + PKG.replaceName);
                                }
                                param.args[0] = input;
                            }
                        });
                    } catch (Exception e) {
                        XposedBridge.log("FFLBL: " + e);
                    }
                }
            }).start();
        }
    }
});
```
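I defined a custom PKG class here.
In it, pkgName is the package name to take off the blacklist, and replaceName is the package name to append to the end of the blacklist (some places check the size of the List, and it cannot be ruled out that the count will be verified in the future).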
Finished build
Bitbucket
I know you're lazy
123云盘, extraction code: ZTPy