0x0 How this started
Some time ago I switched from the X20 I won in the 2017 Double Eleven draw to a K40 with 2 million icons (Android 11; the stable phone ROM has Magisk + LSPosed), but several old apps need a specific IMEI or OAID to impersonate the original device and keep working, so here is this post...
0x1 Tools used and what they are for
1. VMOS Pro (Android virtual machine with Xposed and root, similar to an app cloner / multi-open tool)
2. MT / NP Manager (file management)
3. Reflection Master 3.5.3 + Xposed framework (it does not support unpacking on Android 11, which is why I use VMOS Pro; BlackDex from the forum can also be tried for removing the shell)
4. JADX (decompile the APP to view the Java code)
0x2 The APP detects a non-real device after being installed in VMOS
Because I wanted to multi-open the APP, I installed it in VMOS, and it was detected as soon as I opened it.
I remember that VMOS Pro seems to be able to enable sensors for the virtual machine, but after turning that on, rotating the phone had no effect. (I don't know whether that was my mistake or a VMOS problem.)
Having just learned Xposed hooking a few days ago, I decided to go after the check from the code side.
0x3 Inspect the installation package with MT
MT shows that the package is *60 (360) hardened, so you can't look at the smali directly; the shell has to be removed first. Use Reflection Master or something similar for that.
0x4 Installing and using Reflection Master
Install the Xposed framework in VMOS and then install Reflection Master. After activating the module, select the APP to be unpacked in Reflection Master.
Then run the APP, tap "Mangxing - current ACTIVITY", long press "Write DEX" (write all DEX) and tick "repair".
0x5 Decompile and view the code
Locate it with the JADX search
I use JADX and select all dex files so that all the code can be viewed directly (MT / NP Manager also works).
Search for the keyword "please use your mobile phone"; if you find one hit, it must be the check.
Click into it.
Then it's even more certain that this is it:
    MyDialog myDialog7 = this.this$0.this$0.this$0.this$0.vmdialog;
    if (myDialog7 != null) {
        myDialog7.show(); /* shows the detection dialog */
    }
Find the show method
Right-click and choose "jump to declaration" to find the show method; the class is com. . *.activity.ui.MyDialog:
    public void show() {
        getWindow().setGravity(17);
        super.show();
    }
Now that the method has been found: if show() never runs, this pop-up window is never displayed.
0x6 e4a_xposed_hook
Because I have never learned Java, I can only write the module with the e4a interface functions...
    import android.content.Context;
    import de.robv.android.xposed.IXposedHookLoadPackage;
    import de.robv.android.xposed.XC_MethodHook;
    import de.robv.android.xposed.XC_MethodReplacement;
    import de.robv.android.xposed.XposedBridge;
    import de.robv.android.xposed.XposedHelpers;
    import de.robv.android.xposed.callbacks.XC_LoadPackage;

    // Class name is assumed here; the original post only shows the method body.
    public class HookModule implements IXposedHookLoadPackage {
        @Override
        public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
            if (lpparam.processName.equals("com.***.****")) { // ***** check the app's package name
                XposedBridge.log("加载 App:" + lpparam.packageName);
                // Hook the 360 packer's stub entry; the method name may be "a" or another obfuscated name.
                XposedHelpers.findAndHookMethod("com.stub.StubApp", lpparam.classLoader, "a", Context.class, new XC_MethodHook() {
                    // or a
                    @Override
                    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                        super.afterHookedMethod(param);
                        // Get 360's Context object; it is used to obtain the classloader.
                        Context context = (Context) param.args[0];
                        // Get 360's classloader; hooks on the packed code must use this classloader.
                        ClassLoader classLoader = context.getClassLoader();
                        // With the real classloader, hook the actual code behind the packer.
                        XposedHelpers.findAndHookMethod("com.***.***.activity.ui.MyDialog", classLoader, "show", new XC_MethodReplacement() {
                            // class name and method name
                            @Override
                            protected Object replaceHookedMethod(MethodHookParam methodHookParam) throws Throwable {
                                return null; // the original method is no longer called
                            }
                        });
                    }
                });
            }
        }
    }
After installing and enabling the module, restart the VMOS virtual machine and open the APP; the detection window is no longer displayed. (But it seems all the pop-up windows are gone... the replacement function can be studied further next time.)
[PS: Hooking once is fun for a moment; hooking all the time is fun all the time. . ]
[Re-PS: The watermark camera posted earlier can also have its function results customised with a hook, but the forum doesn't allow posting finished products, so everyone has to do it themselves]