【xposed】学习XXX一键

前言

最近突然想看看平行绳大佬《XXX一键(LSP模块)》是怎么个工作的,也学习一下这种一键的操作。

只实现获取Cookie,对于弹出对话框和鉴权之类的不在本文范围内。

免责声明

本文仅做学习交流使用,请勿用于违法,请在学习后24小时内清除相关内容。任何人在参考本文后产生的任何性质的直接、间接的损失,均由使用者承担,本文作者不承担任何责任。

分析

经分析,弹出的对话框是通过 hook me.ele.account.ui.info.SettingMoreActivity2 的 onCreate 方法,在其中创建对话框来展示内容的。

获取Cookie的部分主要包括【umt、utdid、deviceId】、其它普通Cookie、autoLoginToken(续期的token)。

umt、utdid、deviceId 是通过 hook mtopsdk.security.InnerSignImpl 的 getUnifiedSign 方法获取的:utdid 和 deviceId 取自该方法第一个参数(HashMap)中对应的键,umt 取自返回值中 x-umt 的值。

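    /**
     * Installs before/after callbacks on {@code mtopsdk.security.InnerSignImpl#getUnifiedSign}
     * and copies three values into fields of the enclosing {@code eleHook} instance.
     *
     * <p>{@code utdid} and {@code deviceId} are read from the first argument (a map) before the
     * call; {@code umt} is read from the {@code x-umt} entry of the returned map. Each field is
     * stored as a {@code name=value;} fragment and is only overwritten when a value is present,
     * so a missing entry no longer produces a literal {@code name=null;} fragment.
     *
     * <p>NOTE(review): these values end up in the cookie string assembled elsewhere on this
     * page, so treat them as sensitive and keep them out of logs.
     *
     * @param classloader class loader of the hooked application, used to resolve the target class
     */
    private void HookX(ClassLoader classloader) {
        Class<?> signClass = XposedHelpers.findClass("mtopsdk.security.InnerSignImpl", classloader);
        XposedHelpers.findAndHookMethod(signClass, "getUnifiedSign",
                HashMap.class, HashMap.class, String.class, String.class, Boolean.TYPE, String.class,
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                        // args[0] is the first HashMap parameter; instanceof also rejects a null argument.
                        if (param.args[0] instanceof HashMap) {
                            HashMap<?, ?> request = (HashMap<?, ?>) param.args[0];
                            Object utdidValue = request.get("utdid");
                            if (utdidValue != null) {
                                eleHook.this.utdid = "utdid=" + utdidValue + ";";
                                // deviceId is only looked at when utdid is present, as before,
                                // but a missing deviceId is skipped instead of stored as "null".
                                Object deviceIdValue = request.get("deviceId");
                                if (deviceIdValue != null) {
                                    eleHook.this.deviceId = "deviceId=" + deviceIdValue + ";";
                                }
                            }
                        }
                        super.beforeHookedMethod(param);
                    }

                    @Override
                    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                        // The result is null when the hooked method returned null or threw;
                        // the unguarded cast-and-dereference would raise inside the callback.
                        if (param.getResult() instanceof HashMap) {
                            HashMap<?, ?> signed = (HashMap<?, ?>) param.getResult();
                            Object umtValue = signed.get("x-umt");
                            if (umtValue != null) {
                                eleHook.this.umt = "umt=" + umtValue + ";";
                            }
                        }
                        super.afterHookedMethod(param);
                    }
                });
    }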

其它普通Cookie是通过主动调用anetwork.channel.cookie.CookieManager 的getCookie 方法获取的。

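    /**
     * Asks the app's own {@code anetwork.channel.cookie.CookieManager} for the cookie string of
     * one fixed URL and stores it, terminated by {@code ;}, in {@code allck}.
     *
     * <p>The returned string contains session cookies, so it is never written to the Xposed log;
     * only its length is logged. A {@code null} result is stored as an empty string rather than
     * the literal text {@code "null;"}.
     *
     * @param classLoader class loader of the hooked application
     * @throws IllegalAccessException if the reflective call or instantiation is not permitted
     * @throws InstantiationException if {@code CookieManager} cannot be instantiated
     * @throws InvocationTargetException if {@code getCookie} itself throws
     */
    private void getAllCookie(ClassLoader classLoader) throws IllegalAccessException, InstantiationException, InvocationTargetException {
        Class<?> cookieManagerClass = XposedHelpers.findClass("anetwork.channel.cookie.CookieManager", classLoader);
        Method getCookie = XposedHelpers.findMethodBestMatch(cookieManagerClass, "getCookie", String.class);
        // Invoked on a fresh instance, as the original code does.
        String cookies = (String) getCookie.invoke(cookieManagerClass.newInstance(), "https://app-monitor.ele.me/log");
        this.allck = (cookies == null) ? "" : cookies + ";";
        // Session cookies are credentials: the log is readable outside this module, so record
        // only whether something came back, never the value.
        XposedBridge.log("getAllCookie: " + (cookies == null ? "no cookie returned" : cookies.length() + " chars"));
    }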

autoLoginToken 是通过主动调用 com.taobao.login4android.session.SessionManager 的 getLoginToken 方法获取的。

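    /**
     * Reads the login token from the app's
     * {@code com.taobao.login4android.session.SessionManager} singleton and stores it as a
     * {@code token=value;} fragment in {@code token}.
     *
     * <p>The article describes this value as the renewal (auto-login) token, so it is never
     * written to the Xposed log; only its presence is logged. A {@code null} token is stored as
     * an empty string instead of the literal fragment {@code token=null;}.
     *
     * @param classLoader class loader of the hooked application
     * @param activity activity whose application context is passed to {@code getInstance}
     * @throws ClassNotFoundException if {@code SessionManager} cannot be loaded
     */
    private void getLoginInfo(ClassLoader classLoader, Activity activity) throws ClassNotFoundException {
        Class<?> sessionManagerClass = classLoader.loadClass("com.taobao.login4android.session.SessionManager");
        Object sessionManager = XposedHelpers.callStaticMethod(sessionManagerClass, "getInstance", activity.getApplicationContext());
        String loginToken = (String) XposedHelpers.callMethod(sessionManager, "getLoginToken");
        this.token = (loginToken == null) ? "" : "token=" + loginToken + ";";
        // Long-lived token: log presence only, never the value.
        XposedBridge.log("autologin token " + (loginToken == null ? "absent" : "present"));
    }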

 

实现

首先用Android Studio创建一个项目并将xposedApi作为开发依赖。

修改清单文件描述xposed模块信息等。

创建类进行Hook操作。

创建xposed_init指定入口类。

编写代码实现Hook。

package com.yan.eldemo;

import android.app.Activity;
import android.content.ClipData;
import android.content.ClipboardManager;
import android.content.Context;
import android.os.Bundle;
import android.widget.Toast;

import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashMap;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

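/**
 * Xposed entry point that, inside the {@code me.ele} process, collects the session values the
 * app already holds and copies a filtered cookie string to the clipboard when
 * {@code SettingMoreActivity2} is created.
 *
 * <p>Everything collected here (login token, session cookies, device identifiers) is
 * credential material. This version keeps it out of the Xposed log; the clipboard and the
 * toast still expose it, see the notes in {@link #handleLoadPackage}.
 */
public class eleHook implements IXposedHookLoadPackage {
    // Fragments of the form "name=value;". They start empty so that a value that was never
    // captured does not get concatenated as the literal text "null".
    private String token = "";
    private String allck = "";
    private String umt = "";
    private String utdid = "";
    private String deviceId = "";
    // Names of the cookie entries that survive processCookie(); everything else is dropped.
    private final String[] needCookie = {"cookie2", "unb", "USERID", "SID", "token", "utdid", "deviceId", "umt"};

    /**
     * Installs the hooks when the loaded package is {@code me.ele}; does nothing otherwise.
     *
     * @param loadPackageParam description of the package being loaded
     * @throws Throwable propagated from the Xposed helper calls
     */
    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
        if (!"me.ele".equals(loadPackageParam.packageName)) {
            return;
        }
        ClassLoader classLoader = loadPackageParam.classLoader;

        // Hook getUnifiedSign as soon as the target app loads so that utdid, deviceId and umt
        // have been captured by the time the settings activity is opened.
        HookX(classLoader);

        Class<?> targetActivityClass = XposedHelpers.findClass("me.ele.account.ui.info.SettingMoreActivity2", classLoader);
        XposedHelpers.findAndHookMethod(targetActivityClass, "onCreate", Bundle.class, new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable {
                XposedBridge.log("创建前");
                super.beforeHookedMethod(param);
            }

            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                super.afterHookedMethod(param);
                // Runs after the original onCreate has finished.
                Activity targetActivity = (Activity) param.thisObject;
                getLoginInfo(classLoader, targetActivity);
                getAllCookie(classLoader);
                XposedBridge.log("创建后");
                // The assembled string is deliberately not logged: it is a complete set of
                // session credentials and the Xposed log is readable outside this module.
                String collected = eleHook.this.token + eleHook.this.allck + eleHook.this.umt
                        + eleHook.this.utdid + eleHook.this.deviceId;
                // Keep only the entries listed in needCookie.
                String finalCk = processCookie(collected);
                // NOTE(review): the clipboard is shared with other apps (for example the active
                // keyboard), so the credentials leave this process here; clear it after use.
                ClipboardManager manager = (ClipboardManager) targetActivity.getSystemService(Context.CLIPBOARD_SERVICE);
                manager.setPrimaryClip(ClipData.newPlainText("cookie", finalCk));
                // NOTE(review): the toast renders the full value on screen, where screenshots
                // and screen recordings can capture it.
                Toast.makeText(targetActivity, "ck已复制到剪切板【"+finalCk+"】", Toast.LENGTH_SHORT).show();
            }
        });
    }

    /**
     * Installs before/after callbacks on {@code mtopsdk.security.InnerSignImpl#getUnifiedSign}.
     *
     * <p>{@code utdid} and {@code deviceId} are read from the first argument (a map) before the
     * call; {@code umt} is read from the {@code x-umt} entry of the returned map. A field is only
     * overwritten when a value is present.
     *
     * @param classloader class loader of the hooked application
     */
    private void HookX(ClassLoader classloader) {
        Class<?> signClass = XposedHelpers.findClass("mtopsdk.security.InnerSignImpl", classloader);
        XposedHelpers.findAndHookMethod(signClass, "getUnifiedSign",
                HashMap.class, HashMap.class, String.class, String.class, Boolean.TYPE, String.class,
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                        // instanceof also rejects a null first argument.
                        if (param.args[0] instanceof HashMap) {
                            HashMap<?, ?> request = (HashMap<?, ?>) param.args[0];
                            Object utdidValue = request.get("utdid");
                            if (utdidValue != null) {
                                eleHook.this.utdid = "utdid=" + utdidValue + ";";
                                // deviceId is only looked at when utdid is present, as before,
                                // but a missing deviceId is skipped instead of stored as "null".
                                Object deviceIdValue = request.get("deviceId");
                                if (deviceIdValue != null) {
                                    eleHook.this.deviceId = "deviceId=" + deviceIdValue + ";";
                                }
                            }
                        }
                        super.beforeHookedMethod(param);
                    }

                    @Override
                    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                        // The result is null when the hooked method returned null or threw.
                        if (param.getResult() instanceof HashMap) {
                            HashMap<?, ?> signed = (HashMap<?, ?>) param.getResult();
                            Object umtValue = signed.get("x-umt");
                            if (umtValue != null) {
                                eleHook.this.umt = "umt=" + umtValue + ";";
                            }
                        }
                        super.afterHookedMethod(param);
                    }
                });
    }

    /**
     * Asks the app's own {@code anetwork.channel.cookie.CookieManager} for the cookie string of
     * one fixed URL and stores it, terminated by {@code ;}, in {@code allck}.
     *
     * @param classLoader class loader of the hooked application
     * @throws IllegalAccessException if the reflective call or instantiation is not permitted
     * @throws InstantiationException if {@code CookieManager} cannot be instantiated
     * @throws InvocationTargetException if {@code getCookie} itself throws
     */
    private void getAllCookie(ClassLoader classLoader) throws IllegalAccessException, InstantiationException, InvocationTargetException {
        Class<?> cookieManagerClass = XposedHelpers.findClass("anetwork.channel.cookie.CookieManager", classLoader);
        Method getCookie = XposedHelpers.findMethodBestMatch(cookieManagerClass, "getCookie", String.class);
        String cookies = (String) getCookie.invoke(cookieManagerClass.newInstance(), "https://app-monitor.ele.me/log");
        // A null result would otherwise be stored as the literal text "null;".
        this.allck = (cookies == null) ? "" : cookies + ";";
        // Log the size only; the value itself is a set of session cookies.
        XposedBridge.log("getAllCookie: " + (cookies == null ? "no cookie returned" : cookies.length() + " chars"));
    }

    /**
     * Reads the login token from the app's {@code SessionManager} singleton and stores it as a
     * {@code token=value;} fragment in {@code token}.
     *
     * @param classLoader class loader of the hooked application
     * @param activity activity whose application context is passed to {@code getInstance}
     * @throws ClassNotFoundException if {@code SessionManager} cannot be loaded
     */
    private void getLoginInfo(ClassLoader classLoader, Activity activity) throws ClassNotFoundException {
        Class<?> sessionManagerClass = classLoader.loadClass("com.taobao.login4android.session.SessionManager");
        Object sessionManager = XposedHelpers.callStaticMethod(sessionManagerClass, "getInstance", activity.getApplicationContext());
        String loginToken = (String) XposedHelpers.callMethod(sessionManager, "getLoginToken");
        // A null token would otherwise pass the filter as the fragment "token=null;".
        this.token = (loginToken == null) ? "" : "token=" + loginToken + ";";
        // Long-lived token: log presence only, never the value.
        XposedBridge.log("autologin token " + (loginToken == null ? "absent" : "present"));
    }

    /**
     * Filters a {@code ;}-separated cookie string down to the entries named in
     * {@code needCookie}.
     *
     * <p>The name of an entry is the text before its first {@code =}, trimmed. Kept entries are
     * appended unchanged, each followed by {@code ;}. An entry such as {@code "="}, for which
     * {@code split("=")} yields an empty array, is skipped instead of raising
     * {@link ArrayIndexOutOfBoundsException}.
     *
     * @param s cookie string to filter; must not be {@code null}
     * @return the filtered cookie string, or {@code s} itself when it is empty
     */
    private String processCookie(String s) {
        if (s.isEmpty()) {
            return s;
        }

        StringBuilder kept = new StringBuilder();
        for (String entry : s.split(";")) {
            int eq = entry.indexOf('=');
            String name = (eq < 0 ? entry : entry.substring(0, eq)).trim();
            if (Arrays.asList(this.needCookie).contains(name)) {
                kept.append(entry).append(";");
            }
        }
        return kept.toString();
    }
}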

最终效果如图

版权声明:
作者:魂焱
链接:https://www.hunyan6.cn/860/
来源:魂焱小站
文章版权归作者所有,未经允许请勿转载。
