Demystifying the "culprit" behind WeChat auto-grab red packet plugins

You have probably noticed that the red packets in group chats always get grabbed by the same people. It is not that they are faster; they have tools.

Today we will demystify a mysterious Android framework: Xposed.

Using Xposed to grab red packets is outdated by now. WeChat cracks down hard on it, so be careful not to get your account banned: WeChat checks whether Xposed is installed on the phone to detect automated behaviour, and bans accordingly. Xposed can also be used to modify location (for example the location in WeChat Moments or for DingTalk clock-ins), UI colours, input capture and so on. It is very powerful, somewhat like hooks in Windows.

Today we will go through the underlying principle so everyone can learn from it.

The basic principle of WeChat red packet grabbing: based on the Xposed framework, hook the app's code, continuously monitor the message-receiving function, and when a red packet message arrives, directly call the code that grabs it.

The Xposed framework works by modifying system files, which carries some risk, such as bricking the device or boot loops. Use it with care! Specifically, Xposed replaces a file in the Android system's /System/bin directory, thereby taking over certain system functions and granting apps built on Xposed more privileges; Android tinkerers then extend the system by installing such Xposed-based apps (Xposed modules).

Because the system is modified by installing Xposed-based apps, the risk is lower than editing system files directly. Still, a careless mistake can break the system.

First, download the Xposed installation file

Xposed download


After installation we see

Next, let's use this framework to write a small example: how to modify an app's location information, which is very useful.

First, include the Xposed jar; click to download the jar.

package wiki.bfw.xposedhook;

import java.lang.reflect.Method;
import java.lang.reflect.Modifier;

import android.location.Location;
import android.location.LocationListener;
import android.location.LocationManager;
import android.util.Log;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class Main implements IXposedHookLoadPackage {
	
	// Hook a single, fully specified method overload via XposedHelpers; failures are logged, not thrown.
	private void hook_method(String className, ClassLoader classLoader, String methodName,
			Object... parameterTypesAndCallback){
		try {
			XposedHelpers.findAndHookMethod(className, classLoader, methodName, parameterTypesAndCallback);
		} catch (Exception e) {
			XposedBridge.log(e);
		}
	}
	
	// Hook every public, non-abstract overload of methodName on a class reachable via Class.forName.
	private void hook_methods(String className, String methodName, XC_MethodHook xmh){
		try {
			Class<?> clazz = Class.forName(className);
			for (Method method : clazz.getDeclaredMethods())
				if (method.getName().equals(methodName)
						&& !Modifier.isAbstract(method.getModifiers())
						&& Modifier.isPublic(method.getModifiers())) {
					XposedBridge.hookMethod(method, xmh);
				}
		} catch (Exception e) {
			XposedBridge.log(e);
		}
	}

	@Override
	public void handleLoadPackage(final LoadPackageParam lpp) throws Throwable{

		Log.i("jw", "pkg:"+lpp.packageName);
		
		hook_method("android.telephony.TelephonyManager", lpp.classLoader, "getDeviceId", new XC_MethodHook() {
			@Override
			protected void afterHookedMethod(MethodHookParam param) throws Throwable {
				Log.i("jw", "hook getDeviceId...");
				Object obj = param.getResult();
				Log.i("jw", "imei args:"+obj);
				param.setResult("jiangwei");
			}
		});
		
		// Location: replace the result of getLastKnownLocation with a fixed fake position
		hook_methods("android.location.LocationManager", "getLastKnownLocation", new XC_MethodHook(){
			@Override
			protected void afterHookedMethod(MethodHookParam param) throws Throwable {
				Log.i("jw", "hook getLastKnownLocation...");
				Location l = new Location(LocationManager.PASSIVE_PROVIDER);
				double lo = -10000d; // longitude
				double la = -10000d; // latitude
				l.setLatitude(la);
				l.setLongitude(lo);
				param.setResult(l);
			}
		});
		
		hook_methods("android.location.LocationManager", "requestLocationUpdates", new XC_MethodHook() {
			@Override
			protected void afterHookedMethod(MethodHookParam param) throws Throwable {
				
				Log.i("jw", "hook requestLocationUpdates...");

				// Only the overload requestLocationUpdates(String provider, long minTime, float minDistance,
				// LocationListener listener) is handled; the same arity also exists with a PendingIntent as
				// the last argument, so check the type before casting to avoid a ClassCastException.
				if (param.args.length == 4 && (param.args[0] instanceof String)
						&& (param.args[3] instanceof LocationListener)) {
					LocationListener ll = (LocationListener)param.args[3];
					Class<?> clazz = LocationListener.class;
					Method m = null;
					for (Method method : clazz.getDeclaredMethods()) {
						if (method.getName().equals("onLocationChanged")) {
							m = method;
							break;
						}
					}

					try {
						if (m != null) {
							Object[] args = new Object[1];
							Location l = new Location(LocationManager.PASSIVE_PROVIDER);
							double lo = -10000d; // longitude
							double la = -10000d; // latitude
							l.setLatitude(la);
							l.setLongitude(lo);
							args[0] = l;
							m.invoke(ll, args);
						}
					} catch (Exception e) {
						XposedBridge.log(e);
					}
				}
			}
		});

	}

}
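
The post notes above that WeChat checks whether Xposed is installed in order to spot automated behaviour. As an added example (not part of the original post or of Xposed), here is a small Java helper an app could use for that kind of check using only public Android APIs; the installer package name and the stack-trace and /proc/self/maps heuristics are assumptions based on how the patched app_process loads XposedBridge, and each is only a signal that a modified framework may hide.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;

/** Heuristic checks for a running Xposed framework (added example, not from the post). */
public final class XposedDetector {

    // Assumption: the classic Xposed Installer uses this package name; forks may differ.
    private static final String INSTALLER_PKG = "de.robv.android.xposed.installer";

    /** Signal 1: the Xposed Installer app is installed on the device. */
    public static boolean installerPresent(Context ctx) {
        try {
            ctx.getPackageManager().getPackageInfo(INSTALLER_PKG, 0);
            return true;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    /** Signal 2: Xposed frames in the current stack. Because the patched app_process enters
     *  through XposedBridge.main, and hooked calls pass through XposedBridge.handleHookedMethod,
     *  frames from de.robv.android.xposed.* show up in the app's own stack traces. */
    public static boolean bridgeInStackTrace() {
        for (StackTraceElement el : new Throwable().getStackTrace()) {
            if (el.getClassName().startsWith("de.robv.android.xposed.")) return true;
        }
        return false;
    }

    /** Signal 3: XposedBridge.jar is mapped into this process, visible in /proc/self/maps. */
    public static boolean bridgeMapped() {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            for (String line = r.readLine(); line != null; line = r.readLine()) {
                if (line.contains("XposedBridge.jar")) return true;
            }
        } catch (IOException ignored) {
            // /proc/self/maps may be unreadable; treat as "no signal", not as tampering.
        }
        return false;
    }

    /** Any single signal is only a hint; combine them and decide server-side if it matters. */
    public static boolean likelyXposed(Context ctx) {
        return installerPresent(ctx) || bridgeInStackTrace() || bridgeMapped();
    }
}
```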


Now write a sample app to check whether the location has actually been modified

package wiki.bfw.xposedhook;

import android.annotation.SuppressLint;
import android.app.Activity;
import android.content.Context;
import android.location.Location;
import android.location.LocationListener;
import android.location.LocationManager;
import android.os.Bundle;
import android.telephony.TelephonyManager;
import android.util.Log;
import android.widget.TextView;

/**
 * Demo activity: shows the last known location, location updates and the IMEI,
 * so the effect of the Xposed hooks above can be observed.
 */
public class MainActivity extends Activity {

	private LocationManager locationManager;
	
	private TextView locationTxt, imeiTxt;

	@SuppressLint("NewApi")
	@Override
	public void onCreate(Bundle savedInstanceState) {
		super.onCreate(savedInstanceState);
		setContentView(R.layout.activity_demo);
		
		locationTxt = (TextView)findViewById(R.id.location);
		imeiTxt = (TextView)findViewById(R.id.imei);

		// Get the location manager
		locationManager = (LocationManager) getSystemService(Context.LOCATION_SERVICE);
		// Get the last known location
		Location location = locationManager.getLastKnownLocation(LocationManager.NETWORK_PROVIDER);
		if(location!=null){
			// Not null: display latitude and longitude
			showLocation(location);
		}
		// Monitor location changes
		locationManager.requestLocationUpdates(LocationManager.NETWORK_PROVIDER, 3000, 1, locationListener);

		TelephonyManager telephonyManager = (TelephonyManager) this.getSystemService(Context.TELEPHONY_SERVICE);
		String imei = telephonyManager.getDeviceId();
		imeiTxt.setText("imei:"+imei);
		
	}

	/**
	 * Display the latitude and longitude of a location
	 * @param location
	 */
	private void showLocation(Location location){
		String locationStr = "纬度:" + location.getLatitude() + ",经度:" + location.getLongitude();
		locationTxt.setText(locationStr);
		Log.i("jw", "location:"+locationStr);
	}

	/**
	 * LocationListener callback
	 * requestLocationUpdates parameters: location provider, minimum time between updates,
	 * minimum distance between updates, LocationListener
	 */

	LocationListener locationListener = new LocationListener() {

		@Override  
		public void onStatusChanged(String provider, int status, Bundle arg2) {  

		}  

		@Override  
		public void onProviderEnabled(String provider) {  

		}  

		@Override  
		public void onProviderDisabled(String provider) {  

		}  

		@Override
		public void onLocationChanged(Location location) {
			// If the position changed, display it again
			showLocation(location);

		}
	};

}


Through this simple Xposed application we can see that, once the target class name and method are known, any method can be hooked. So packet capture, decompilation and code-flow analysis are also important in this process; if Native-layer code is involved, static and dynamic debugging with IDA is needed as well.

This shows that Xposed helps in reverse analysis by revealing code flow and key parameter information, making it an indispensable aid in Android reverse engineering. It can of course also be used to optimise or assist Android software and system apps.

OK, that is it for now. In the next lecture we will look at how red packets are grabbed.
