Function Hook Learning Based on Xposed framework

Function Hook Learning Based on Xposed framework

 

Xposed is an open-source Hook framework in the Java layer of Android, similar to the cydiasubstrate framework. It is said that the cydiasubstrate framework can Hook functions at the Java and Native layers of Android. It has been a while to learn the reverse direction of Android. Record the process of learning the Xposed framework.

Xposed framework learning site: http://repo.xposed.info/

 

I. Introduction to the Hook implementation principle of the Xposed framework

Zygote is the core of Android. Every time an app is run, Zygote will fork a virtual machine instance to run the app. The Xposed Framework goes deep into the Android core mechanism, we have transformed Zygote to implement some awesome functions. The STARTUP configuration of Zygote is in/init. in the rc Script, when the system starts the process, the corresponding execution file is/system/bin/app_process, which completes the Class Library Loading and some function calls.

After the Xposed Framework is installed in the system, the app_process is extended. That is to say, the Xposed Framework overwrites the app_process file provided by Android native with its own app_process. When the system starts, the process file replaced by Xposed Framework is loaded, and XposedFramework defines a jar package. When the system starts, the package is also loaded:

/Data/de. robv. android. xposed. installer/bin/XposedBridge. jar

 

Ii. Operating conditions of the Xposed framework

1. RootedDevice/Emulator (root mobile phone or simulator)

2. XposedInstaller (Xposed installer download)

3. HookingAndroid App (target App to be hooked)

 

XposedFramework is an apk package, that is, the Xposed installer downloaded above. After downloading it, run the following command to install it on your mobile phone or simulator:

Adb install de.robv.android.xposed.installer_v32_de4f0d.apk

 

After installation, open Xposed. The following is:

After Xposed is installed:

 

Iii. Implementation of the Hook Module

 

1. Add the meta-data element.

An Xposed module is an Android app that does not need to implement the Activity. In this example, the Hook module is called com. xposeddemo. below is the AndroidManifest of this instance. xml file. Note that three meta-data elements are defined:

1 ).Xposedmodule
2 ).XposeddescriptionInformation displayed after loading the Hook Module
3 ).XposedminversionEnter the version number of the imported jar package

 

2. Add XposedBridgeApi-54.jar package

Xposedminversion indicates the version number of the XposedBridge library. Copy the XposedBridge library to the lib directory (note that the lib directory is not the libs directory). IfNo lib directory, Create a new lib folder under the project directory, put the downloaded XposedBridgeApi-54.jar package into it, and then in the projectRight-click Build Path-Add to Build Path.

 

XposedBridgeApi-54.jar package:

Http://dl-1.va.us.xda-developers.com/2/7/4/8/8/7/8/XposedBridgeApi-54.jar? Key = lqjljy-2L4Sk3lItcQkWoQ & ts = 1434529310

 

3. Add the xposed_init File

Create an xposed_init file in the assets Directory.

Content:Package name + class nameFor example, com. xposeddemo. Module

 

4. Search for Hook key points in the Hooking Android App

The Android app to be hooked uses the crackme02.apk application in chapter 4 of the Book of non-insects.

The program running interface is as follows:

Decompile the apk:

Verification function of the registration code:

 

Through the decompilation of crackme02.apk, we found that as long as the checkSN value of the registration code verification function is true, it indicates that the registration code verification is successful. Our Hook point is the checkSN function.

 

5. Implement the Hook module for the Hook key points of the Hooking Android App

1) Implement the IXposedHookLoadPackage Interface

2) determine the package name of the Android App to Hook

3) determine the package name to Hook

4). Determine the AndroidApp method to Hook

5 ). the Android App function Hook is implemented and XposedHelpers is called. findAndHookMethod ("package name + class name", lpparam. classLoader, "Name of the function to be hooked", first parameter type, second parameter type ....., New XC_MethodHook (){

ProtectedvoidbeforeHookedMethod (MethodHookParam param ){

// The operation to be performed before the function is executed

}

ProtectedvoidafterHookedMethod (MethodHookParam param ){

// The operation to be performed after the function is executed

}

});

 

After importing the modules required by XposedHook into the project, a prompt will be displayed when writing the Code:

 

Implementation of XposedHook sample code:

 

Determine the Hook point of crackme02.apk. We can determine that the package of the function to be hooked is com. droider. crackme0201. The class where the Hook function is located is com. droider. crackme0201.MainActivity. The function to be hooked isPrivate BooleanCheckSN (StringuserName, String sn ).

See the XposedHook sample code:

Package com. xposeddemo; import de. robv. android. xposed. IXposedHookLoadPackage; import de. robv. android. xposed. XC_MethodHook; import de. robv. android. xposed. XC_MethodHook.MethodHookParam; import de. robv. android. xposed. xposedBridge; import de. robv. android. xposed. xposedHelpers; import de. robv. android. xposed. callbacks. optional; public class Module implements IXposedHookLoadPackage {@ Overridepublic void handleLoadPackage (LoadPackageParam lpparam) throws Throwable {// determine whether the package name is to be hooked (the package where the Hook function is located is. droider. crackme0201) if (lpparam. packageName. equals ("com. droider. crackme0201 ") {XposedBridge. log ("Loaded App:" + lpparam. packageName); // find the function XposedHelpers to Hook. findAndHookMethod ("com. droider. crackme0201.MainActivity ", // The class com. droider. crackme0201.MainActivitylpparam. classLoader, "checkSN", // name of the Hook function checkSNString. class, // StringString, the first parameter of the Hook function. class, // The second Stringnew XC_MethodHook () {@ Overrideprotected void beforeHookedMethod (MethodHookParam param) of the Hook function) throws Throwable {// code executed before the Hook function // input the 1XposedBridge parameter. log ("beforeHookedMethod userName:" + param. args [0]); // input parameter 2 XposedBridge. log ("beforeHookedMethod sn:" + param. args [1]); // function return value XposedBridge. log ("beforeHookedMethod result:" + param. getResult () ;}@ Overrideprotected void afterHookedMethod (MethodHookParam param) throws Throwable {// code executed after the Hook function // It is found by analyzing the checkSN function, you only need to modify the return value of the function to implement the registered cracking param. setResult (true); // input the 1XposedBridge parameter. log ("afterHookedMethod userName:" + param. args [0]); // input parameter 2 XposedBridge. log ("afterHookedMethod sn:" + param. args [1]); // function return value XposedBridge. log ("afterHookedMethod result:" + param. getResult ());}});}}}

 

 

The above line of code specifies that only when com. droider. crackme0201 triggers a series of hook behaviors only when the package is loaded. When this behavior is triggered, de. robv. android. xposed. the findAndHookMethod method of the XposedHelpers class is called, and beforeHookedMethod and afterHookedMethod are executed as appropriate ), in this example, you only need to modify the return value of the checkSN function to bypass registration verification.

 

According to the input requirements, enter a random user name and registration code. This process will pass (for example) verification ).

Due to the poor layout of the blog, the notes have been compiled into documents. You can use the XposedHook sample code after you modify it. Document and sample code: http://download.csdn.net/detail/qq1084283172/8873927