(4.2.33) Android play Hook (1): Cydia substrate First knowledge

Selected from:

1. Play Hook on Android?
2. Follow the ghost brother learn Android Java Hook (a)

Abstract: The advent of hooks opens the way for developers wishing to change certain behaviors of other programs through a program, and as a hook-based code modification framework, Cydia substrate can modify the code of any master process. In this paper, the author introduces the process of hook in detail by the actual combat of advertisement injection.

Understanding Hooks

Have not touched the hook technology readers will certainly feel a special sense of the word hook, Hook English translation is the meaning of "hook", then when we use this "hook" it?

We know that the system maintains its own set of event distribution mechanisms in the Android operating system. Applications, including application-triggered events and background logic processing, are also executed down-to-back according to the event flow. The "hook" means intercepting and monitoring the transmission of the event before the event is delivered to the end, like a hook-and-eye event. And be able to handle some of their own specific events when the event is ticked. As shown in the following:

The hook's ability to "fit" its code into the process of a hooked program becomes a part of the target process. We also know that in the Android system using the sandbox mechanism, the ordinary user program process space is independent, the program runs between each other undisturbed.

This allows us to hope that the idea of changing certain behaviors of other programs through a program cannot be achieved directly, but the advent of hooks opens the way to solving such problems. Of course, according to the Hook object and hook after the processing of different events, hooks are divided into different types, such as message hooks, API hooks.

Hook frame 1-cydiasubstrate Frame

http://www.cydiasubstrate.com/
http://www.cydiasubstrate.com/id/20cf4700-6379-4a14-9bc2-853fde8cc9d1/

If a user who has used an Apple phone should not be unfamiliar with the cydiasubstrate framework, the CYDIASUBSTRATE framework provides the user with a jailbreak-related service framework for Apple users.

Cydiasubstrate formerly known as MobileSubstrate (the class library is the beginning of MS), the author is the famous Jay Freeman (Saurik).

Of course Cydiasubstrate also launched the Android version. Cydia substrate is a code modification platform. It can modify the code of any master process, whether it is written in Java or C/s (native code).

1.1 Configuration of the Cydiastrate framework

1. Install the Cydiasubstrate Framework's local service app on Android devices substrate.apk
   We can download the website to:
   http://www.cydiasubstrate.com/download/com.saurik.substrate.apk
   Of course, after we install substrate, we need "link substrate files" (connect to the local substrate service file), this step is required root permission, after the connection will need to restart the device to be effective.

2. Configuring the Cydiasubstrate Library in the development environment

   • Cydiasubstrate official recommends adding their plugin addresses in the Android SDK manager for updates to download.
     such as: Add in user-defined URLs
     Http://asdk.cydiasubstrate.com/addon.xml.
     After downloading the cydiasubstrate framework using the ANDROID SDK Manager tool, it is stored under directory ${android_home}\sdk\extras\saurikit\cydia_substrate.

   • However, because the Android SDK manager in the domestic use of a lot of restrictions, the download time is not very stable, so it is recommended that you go directly to the official website to download the development library.
     The official: Http://asdk.cydiasubstrate.com/zips/cydia_substrate-r2.zip.
     After the download is complete, you will get all the files (many jar packages and so libraries) that are copied to the Libs folder under the Android project and can be used directly.
     
     The substrate.h header file and the so file under the Lib folder are provided as a function support library in the development of native hook programs using the NDK.
     Tips:cydiasubstrate Framework for the operation of the inline hook there are still some bugs, the use of the possibility of a crash, some of the use of domestic custom ROM device in use must be present bug

1.2 Cydiasubstrate API Lite

How to use Cydiasubstrate? In fact, Cydiasubstrate provides three static method tool classes, and we just need to learn to use it just fine.

MS.hookClassLoad    拿到指定Class载入时的通知MS.hookMethod   使用一个Java方法去替换另一个Java方法MS.moveUnderClassLoader 使用不同的ClassLoder重载对象

/** * Hook a specified class * * @param name class's package name + class name, such as Android.content.res.Resources * @param Hook successful hoo K A class-after callback * /voidHookclassload (String name, MS. Classloadhook hook);/** * Hook a specified method and replace the code in the method * * @param _class Hook's CALSS * @param The method parameters of the member Hook class * @par the callback after the AM hook successful hook method * @param old hook method, similar to the method pointer in C */voidHookmethod (Class _class, Member Member, MS. Methodhook Hook, MS. Methodpointer old);/** * Hook a specified method and replace the code in the method * * @param _class Hook's CALSS * @param The method parameters of the member Hook class * @par Am alteration * /voidHookmethod (Class _class, Member Member, MS. Methodalteration alteration);/** * Use a ClassLoader to reload an object * * @param loader used by ClassLoader * @param object with overloaded objects * @return 
       the Overloaded object * /<T> T Moveunderclassloader (ClassLoader loader, t object);

1.3 Practical Walkthrough A: color Change of text-system API modification

The goal of this project is to hook up the text color on the phone, i.e. text messages, contacts, etc.

• Androidmanifest.xml configuration and permissions associated with Cydiasubstrate

<manifest  xmlns:android  = "Http://schemas.android.com/apk/res /android ";  <application ;  <meta-data  android:name  = "Com.saurik.substrate.main"  android:value< /span>=/>  </application ;  Span class= "Hljs-tag" ><uses-permission  android: Name  = "Cydia.permission.SUBSTRATE" />  manifest ; 

1. We use the Application object, the program is the first to start the
2. Set the main class here, different from normal Android project, this is equivalent to developing a plugin
3. This permission, which represents the Cydia can identify him as his own plugin, can start it

• Get the class name of the third-party package that you want to tick

Android.content.res.Resources System Package Name

• Main class operations

Here Initialize () is the initialization of related things, this equivalent to the main function entrance

Package Com.example.cydiaexample;import Java.lang.reflect.field;import Java.lang.reflect.method;import Java.lang.reflect.type;import Android.util.log;import Android.widget.toast;import Com.saurik.substrate.MS;import Com.saurik.substrate.MS.ClassLoadHook;//hook Method Public classMain { Public Static void Initialize() {//Set the class to be hookMs.hookclassload ("Android.content.res.Resources",NewMs. Classloadhook () { Public voidClassloaded (Class<?> Resources) {//... code to modify the class when loaded              //Definition methodMethod GetColor;Try{the method of//hook is to get the color methodGetColor = Resources.getmethod ("GetColor", Integer.type); }Catch(Nosuchmethodexception e) {GetColor =NULL; }if(GetColor! =NULL) {//Create a new Methodpointer object that you want to use in the Hookmethod methodFinal MS. Methodpointer old =NewMs. Methodpointer ();//Start hook method, write the data you want to changeMs.hookmethod (Resources, GetColor,NewMs. Methodhook () { PublicObjectinvoked(Object resources, Object ... args) throws Throwable {intcolor = (Integer) old.invoke (resources, args);//Return color                            returnColor & ~0x0000ff00|0x00ff0000;                }}, old);   }          }      }); }}

• Test

Here we do not have the main and launch entrance, so this program is no icon to display to the phone desktop, because we have specified that he is a Cydia plug-in, so this time, we restart the phone to launch this plugin

1.3 Practical Walkthrough B: ad Floating Layer--hook others application

Hearing this topic, I think a lot of packing the party also can't wait, a little too impatient. Rely on advertising is not earn money, the author is also a packaging party. Programmers still grow and develop, a quick money belt will let you in the programming road farther and further.

Back to the point, using the cydiasubstrate framework we can arbitrarily hook the Java API in the system, of course, it also uses a lot of reflection mechanism, so in addition to the system to provide developers with the API, we can also hook some methods in the application? The answer is yes. Let's look at a practical example of how to hook an application.

Below we apply for the Android operating system browser, hook its homepage activity OnCreate method (other methods do not necessarily exist, but the OnCreate method will certainly have), and inject our ads. Based on the introduction of Cydiasubstrate, we have a simple idea.

• Androidmanifest.xml Configuration
  
  • First, we fill in some ad-related IDs in our Androidmanifest.xml file according to the requirements of an advertising platform.
  • and fill in the Androidmanifest.xml file with some configuration and permissions that are related to cydiasubstrate.
  • Of course, we will also declare an activity for an ad and set the activity as a transparent background activity, why set up activity with a transparent background, such as:
    

<!--ad-related permissions--<uses-permission android:name="Android.permission.INTERNET" /><uses-permission android:name="Android.permission.ACCESS_NETWORK_STATE" /> <uses-permission android:name="Android.permission.ACCESS_WIFI_STATE" /> <uses-permission android:name="Android.permission.READ_PHONE_STATE" / ><uses-permission android:name="Android.permission.WRITE_EXTERNAL_STORAGE" / ><uses-permission android:name="Android.permission.GET_TASKS" /><!--join substrate permissions --<uses-permission android:name="Cydia.permission.SUBSTRATE" /><applicationandroid:allowbackup="true"android:icon="@drawable/ Ic_launcher "android:label=" @string/app_name "android:theme=" @style/apptheme " >                    <!--ADS-related parameters --    <meta-dataandroid:name= "app_id"android:value=" C62bd976138fa4f2ec853bb408bb38af " />                    <meta-dataandroid:name="App_pid"android:value="DEFAULT" / >                    <!--statement substrate injection Flavor main class--    <meta-dataandroid:name="Com.saurik.substrate.main"android:value ="Com.example.hookad.Main" />                    <!--Transparent, non-animated ads activity--    <activityandroid:name="com.example.hookad.MainActivity"android:theme ="@android: Style/theme.translucent.notitlebar" >                        <intent-filter>            <action android:name="Android.intent.action.VIEW" />            <category android:name="Android.intent.category.DEFAULT" />            <!--ad action--            <action android:name="Com.example.hook.AD" />        </intent-filter>    </activity></Application>

• Get the class name of the third-party package that you want to tick

We want to use the Ms.hookclassload method to find the activity name of the browser homepage.
Here we use the Dumpsys Activity command under the ADB shell to find the activity name of the browser home page called Com.android.browser.BrowserActivity.

• Main class operations

The main entrance of the Cydiasubstrate class, follow the previous steps to create a new main class containing the Initialize method

 Public classMain {/** * Substrate the Portal after initialization * *    Static voidInitialize () {//hook Browser's main activity,browseractivityMs.hookclassload ("Com.android.browser.BrowserActivity",NewMs. Classloadhook () { Public voidClassloaded (Class<?> resources) {LOG.E ("Test","Com.android.browser.BrowserActivity");//Get the OnCreate method of BrowseractivityMethod onCreate;Try{onCreate = Resources.getmethod ("OnCreate", Bundle.class); }Catch(Nosuchmethodexception e) {onCreate =NULL; }if(OnCreate! =NULL) {final MS. Methodpointer old =NewMs. Methodpointer ();//Hook OnCreate methodMs.hookmethod (Resources, OnCreate,NewMs. Methodhook () { PublicObjectinvoked(ObjectObject, Object...args) throws Throwable {LOG.E ("Test","Show ad");//Implement hook OnCreate method to ensure the browser starts normallyObject result = Old.invoke (Object, args);//No context                            //execute a Shell to launch our ad activityCmd.run ("AM start-a Com.example.hook.AD");returnResult                }}, old);    }            }        }); }}

• Test
  For the launch of the ad mainactivity, in which is a pop-up interstitial ad. Of course, but also other forms of advertising or floating layer, the content is relatively simple here does not do a demonstration. Compile and run the entire project. This time when we restarted Android's own browser, we found that the browser will pop up an ad box.
  
  From the above picture we can see that, before we set interstitial ads mainactivity for untitled Transparent (Theme.Translucent.NoTitleBar) is to make the pop out of the ads and browser integration, so that users feel that the browser pop-up ads. is also a malicious advertising program in order to prevent itself from being uninstalled some of the common hidden means.
  The injected ad shown here is a OnCreate method in the activity specified by the hook to initiate an ad activity. Of course, the activity we're demonstrating here is just a simple bounce out of an ad. If the activity initiated is malicious, such as fishing activity that does the same activity as the original activity, then it is very deceptive for mobile device users.

2-xposed Frame

(4.2.33) Android play Hook (1): Cydia substrate First knowledge