Xposed Hook Technology for Android reverse analysis

The tools commonly used in Android reverse engineering have a xposed in addition to the Dex2jar,jd-gui, Apktool.

This tool is a service framework that affects the process of running the APK without modifying it. You can write the module according to your own needs and let the module control the operation of the target application.

Because I am also a novice, for xposed usage There are a lot of unfamiliar, so only to its hook technology simple introduction, and let hook technology applied to the future reverse analysis of the project.

As for what is hook, do not understand the first to go to Baidu, here based on the limited experience of rookie, I can only say is a function interception technology ~

First of all, download the xposed framework, I do not provide download here, and then the phone must be root, or not be able to install the xposed framework, after all, hook technology is a system-level process, so you understand ~

This is just a framework, there is no function, in order to achieve personal needs, we also need to write our own module, let this framework to load your module.

To get a chestnut, you need to know one of the parameters in a method in a class in an app package , and then your module will indicate the package, which class, which method, when the target app package is loaded when the system restarts, The xposed framework that loads your module will recognize that, next, if you specify that a method in the application is executed by the system, then xposed will recognize it and then let your module go to the hook (as the name implies, it is the hook, the meaning of the trap, or it can be said to intercept) this method, The interface of the module can be used to expose the parameters and return results of the method.

In this blog, just combined with examples of simple introduction xposed hook, actually xposed function seems to be more than this ~

The framework is ready, then you can write the module according to your needs, but before we do that, we can test it with a simple login system app.

First put a simple code to come out first:

public class Loginactivity extends Activity {private final String account= "Samuel";    Private final String password= "123456";    Private EditText Etaccount, Etpassword;    Private Button Btnlogin;        @Override protected void OnCreate (Bundle savedinstancestate) {super.oncreate (savedinstancestate);        Setcontentview (R.layout.activity_login);        Etaccount= (EditText) Findviewbyid (R.id.et_account);        Etpassword= (EditText) Findviewbyid (R.id.et_password);        Btnlogin= (Button) Findviewbyid (R.id.btn_login);                Btnlogin.setonclicklistener (New View.onclicklistener () {@Override public void OnClick (View v) { if (IsOK (Etaccount.gettext (). ToString (), Etpassword.gettext (). ToString ())) {Toast.maketext                (Loginactivity.this, "Login Successful", Toast.length_short). Show ();                } else {Toast.maketext (loginactivity.this, "Login Failed", Toast.length_short). Show ();    }            }        });Private Boolean IsOK (string account, string password) {return account.equals (account) && Password.equa    LS (PASSWORD); }

Very simple a login page, where the key function isOK (string, string) is used to verify the account password is correct, where I have been killed as an account: Samuel, Password: 123456, that is, I must enter the above two strings to complete the verification.

So, the point is coming, we can use the Xposed module hook to isOK (string, string) This function, and intercept the account and password, even can modify the account and password!!!

So, the demand is clear, then we can write a specific module.

To write the module steps:

1, first build a new Android project, this project does not need the interface, so in the project to create a guide do not need to add mainactivity and Layout_main.xml, a project can be empty;

2, in the Empty Project Java folder to create a new class, the class is a module class, here named "Module", the next step is to configure the Andaroidmanfest.xml and add xposed_init files, such as;

3, Configuration androidmanifest.xml, which meta-data content to copy, anyway, I did not copy the instructions on the demo, the result is wrong, so that three Meta-data is best to write.

<manifest xmlns:android= "http://schemas.android.com/apk/res/android"    package= "Com.samuelzhan.xposehook" >    <application android:allowbackup= "true" android:label= "@string/app_name"        android:icon= "@mipmap/ Ic_launcher "Android:theme=" @style/apptheme ">        <meta-data            android:name=" Xposedmodule "            android: Value= "true"/>        <meta-data            android:name= "xposeddescription" android:value= "            Hook test!" />        <meta-data            android:name= "xposedminversion"            android:value= "si"/>    </ Application></manifest>

4, create a assets folder under the main folder, and create an ordinary file in it, named "Xposed_init", and then open the file, add a string inside, that is, the package name + module class name.

4, import a Xposedbridgeapi.jar package, such as, and add as Library. notice here, need in Build.gradle dependencies will compile change to provided, otherwise will error . Heard that the system already has the contents of the jar package, again packed into the conflict, so instead of provided, do not control the red wavy line, no hindrance ~

5, write module modules:

public class Module implements Ixposedhookloadpackage {    @Override public    void Handleloadpackage (xc_ Loadpackage.loadpackageparam Loadpackageparam) throws Throwable {        if (loadPackageParam.packageName.equals (" Com.samuelzhan.logintest ")) {            Xposedhelpers.findandhookmethod (" Com.samuelzhan.logintest.LoginActivity ",                    Loadpackageparam.classloader,                    "IsOK",                    String.class,                    string.class,                    new Xc_methodhook () {                        @Override                        protected void Beforehookedmethod (Methodhookparam param) throws Throwable {                        }                        @ Override                        protected void Afterhookedmethod (Methodhookparam param) throws Throwable {                        }                    });        }    }

Description

Module inherits the Ixposedhookloadpackage interface, callback handleloadpackage when the system loads the application package;

Xposedhelpers static method Findandhookmethod is the method of the hook function, its parameters correspond to the class name +loadpackageparam.classloader (write) + method name + The parameter type (depending on the type of parameter of the hook method, that is, how many writes, Plus. Class) +xc_methodhook callback interface;

Here the first parameter class name must have the package name prefix, namely "Packagename+classname", and a little, if the code is confused, even if you know the code to hook the class name and method name, but not necessarily can be used, must be in the name of Smali, such as: IsOk () After confusion in the Smali function named A, then the hook must write a, instead of isOK, the first parameter class name similarly!

The parameter has a listener class Xc_methodhook, which callbacks before and after the hook, and the Methodhookparam of the callback method can intercept the function parameters.

Xposed In addition to the hook target application of the function, but also hook some classes of the construction method, the corresponding method is xposedhelpers.findandhookconstructor ().

At this point, a module has been basically completed, and then packaged Build->generate signed APK ... Build an apk and install it on your phone. Because there is no mainactivity, so the installation will not pop up any interface, but if the phone has installed xposed, then xposed will be in the message bar to pop a message to inform you "module updated", you can choose the xposed menu "frame", "soft restart", Restart the phone (soft restart will not power off, the equivalent of a computer restart, faster than hard restart).

Here, the hook function is already available.

Now, try to intercept the account password in the isOK (string, String) function, first add the journal print code to the callback function to expose its account password parameters, and display the return result as well:

                    New Xc_methodhook () {                        @Override                        protected void Beforehookedmethod (Methodhookparam param) throws Throwable {                            XposedBridge.log ("Account:" + (String) param.args[0]+ "   Password:" + (String) param.args[1]);                            LOG.D ("zz", "Account:" + (String) param.args[0]+ "   Password:" + (String) param.args[1]);                        }                        @Override                        protected void Afterhookedmethod (Methodhookparam param) throws Throwable {                            log.d ("ZZ", Param.getresult (). toString ());                        }                    );

I wrote two methods in the Beforehookedmethod log, the first is the static log Xposedbridge, this log will be displayed in the xposed log option, the individual does not like this method, because each time you run the program you want to hook, Also must switch page to xposed view log, too troublesome, but it has an advantage, compared to Android in the LOG.D (),It can show the thrown exception, while Android log is not available. The second Android log is needless to say, I use both of them here.

After writing, we repack the module and install it on the phone, then let the phone soft restart, each update installation module must be restarted to take effect.

OK, after reboot, let's run the target application, enter the account password ~

Then look at the log options in Logcat and Xposed in Android Studio:

As you can see, both can see the blocked password account. Because the correct account password is Samuel 123456, here is just the random input zzz aaa, so the result is false, of course, also in the callback function Afterhookedmethod can be captured, this shows false, indicating that the login verification failed.

In addition to the ability to read parameters, Hook technology can also modify function parameters.

For example, next I modify the module, let it no matter what input, I realize landing, then I first in the hook to change the account password to Samuel 123456, that is, through the hook technology, how I input can be successfully landed.

                    New Xc_methodhook () {                        @Override                        protected void Beforehookedmethod (Methodhookparam param) throws Throwable {                            //Modify parameter                            param.args[0]= "Samuel";                            Param.args[1]= "123456";                        }                        @Override                        protected void Afterhookedmethod (Methodhookparam param) throws Throwable {                            log.d ("ZZ", Param.getresult (). toString ());                        }                    );

Then repack, install, restart your phone, run the login page again, and enter zzz AAA again to see:

Good, display successful login, indicating the success of modifying parameters.

In fact, Xposed seems to have other more powerful functions, here only with the tip of the iceberg for reverse analysis ~

Hook technology for xposed of Android reverse analysis