xposed绕过root/模拟器检测(无壳和有壳2种)
2021-06-24 本文已影响0人
朝朝朝朝朝落
App : dayima
如果手机root或用虚拟机, 会提示如图, 无法继续, jadx打开apk, 搜索'运行...',
大姨妈.png
大姨妈2.png
大姨妈4.png
编写xposed
(入门: https://www.cnblogs.com/albertzhangyu/p/12656588.html)
这里只贴出关键类代码
package com.example.dym;
import android.content.Context;
import android.util.Log;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
public class dym implements IXposedHookLoadPackage {
@Override
public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
if (loadPackageParam.packageName.equals("com.yoloho.dayima")) {
XposedHelpers.findAndHookMethod("com.yoloho.libcore.util.f",//类名
loadPackageParam.classLoader,//不变
"f",//方法名
Context.class,//参数类型.class, 有几个写几个
new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
XposedBridge.log("-----------方法f--返回false------------");
param.setResult(false);
}
});
XposedHelpers.findAndHookMethod("com.yoloho.libcore.util.f",//类名
loadPackageParam.classLoader,//不变
"t",//方法名
new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
XposedBridge.log("-----------方法t--返回false------------");
param.setResult(false);
}
});
}
}
}
运行, OK, 抓包, OK
大姨妈5.png
================2021-12-13===分割线===========
当遇到加壳的App, 如: hunliji(无法截图)
WX20211213-154600@2x.png
WX20211213-155957@2x.png
jadx打开App, 找到检测root的位置:
WX20211213-154827.png
WX20211213-154940.png
要修改hook代码:
//hunliji--加壳
public class Module implements IXposedHookLoadPackage {
private static final String TAG = "gantb";//无所谓, 不用改
public static XC_LoadPackage.LoadPackageParam lpparam = null;
public static ClassLoader classLoader1 = null;
@Override
public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
// 这一行修改App包名
if (lpparam.packageName.equals("me.suncloud.marrymemo")) {
XposedBridge.log(" has Hooked!");
XposedBridge.log("inner => " + lpparam.processName);
Class ActivityThread = XposedHelpers.findClass("android.app.ActivityThread", lpparam.classLoader);
XposedBridge.hookAllMethods(ActivityThread, "performLaunchActivity", new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
Object mInitialApplication = (Application) XposedHelpers.getObjectField(param.thisObject, "mInitialApplication");
ClassLoader finalCL = (ClassLoader) XposedHelpers.callMethod(mInitialApplication, "getClassLoader");
XposedBridge.log("found classload is => " + finalCL.toString());
//这里修改方法名
Class BabyMain = (Class) XposedHelpers.callMethod(finalCL, "findClass", "me.suncloud.marrymemo.fragment.login.zg.ZGRootChecker");
XposedBridge.log("found final class is => " + BabyMain.getName().toString());
fart(finalCL);
}
});
}
}
private void fart(ClassLoader classLoader) {
//这里修改方法名, 变量
XposedHelpers.findAndHookMethod("me.suncloud.marrymemo.fragment.login.zg.ZGRootChecker", classLoader, "isDeviceRooted", new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
//这里修改返回值false, 未root
param.setResult(false);
}
});
}
}
可以正常使用了:
WX20211213-155545@2x.png
