Xposed hooking constructors: Getting to know Xposed (Part 2)

Preface: I'm new to reverse engineering, so please point out any mistakes.

What I learned

1. Writing an Xposed module that hooks the Java-layer cryptography library

Introduction to the Xposed API

What is a "self-dumping algorithm" module?

1. Hook the constructors of the classes in the JDK's built-in cryptography packages

2. Hook the encryption/digest functions of the classes in the JDK's built-in cryptography packages

How do you implement a self-dumping algorithm module?

1. XposedBridge.hookAllMethods

  public static Set<XC_MethodHook.Unhook> hookAllMethods(Class<?> hookClass, String methodName, XC_MethodHook callback) {
    Set<XC_MethodHook.Unhook> unhooks = new HashSet<>();
    // Every declared method with this name is hooked, so all overloads are covered
    for (Member method : hookClass.getDeclaredMethods())
      if (method.getName().equals(methodName))
        unhooks.add(hookMethod(method, callback));
    return unhooks;
  }

2. XposedBridge.hookAllConstructors

  public static Set<XC_MethodHook.Unhook> hookAllConstructors(Class<?> hookClass, XC_MethodHook callback) {
    Set<XC_MethodHook.Unhook> unhooks = new HashSet<>();
    // Every declared constructor of the class gets the same callback
    for (Member constructor : hookClass.getDeclaredConstructors())
      unhooks.add(hookMethod(constructor, callback));
    return unhooks;
  }

From the XposedBridge.jar source we can see that both of these use reflection to obtain all the matching constructors or methods of the given class, and then call hookMethod on each of them.

hookMethod in turn calls hookMethodNative for that method; that part is implemented in the native (.so) layer, and I don't understand it well yet myself.

For example, to hook the MD5 message digest algorithm, the normal code that computes the digest looks like this:

        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] bRes = md.digest("@admin".getBytes());
        System.out.println("bRes字节数组的长度为:" + bRes.length);
        String szMd5String = byteToString(bRes);
        System.out.println(szMd5String);

So the usual approach is to hook the digest method of this class, which gives you both the parameters and the return value for analysis.

Note that sometimes digest is called with no arguments at all, as in the following case:

        MessageDigest md = MessageDigest.getInstance("MD5");
        md.update("aaaaa".getBytes());
        byte[] bRes = md.digest();
        System.out.println("bRes字节数组的长度为:" + bRes.length);
        String szMd5String = byteToString(bRes);
        System.out.println(szMd5String);

So why not hook the update method? Its definition is shown below. Because update has no return value, hooking it would cause an infinite loop (小肩膀 mentioned this in the video, but I haven't tried it myself). If you really need to hook it, you can only write a dedicated module for that single function; it can't be done in a generic hook module.

void update(byte[] input)                       Updates the digest using the specified byte array.
void update(byte[] input, int offset, int len)  Updates the digest using the specified byte array, starting at the specified offset.
The digest hook itself:

        XposedBridge.hookAllMethods(findClass("java.security.MessageDigest", loadPackageParam.classLoader), "digest", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                Log.d("MyHook", " = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =");
                Log.d("MyHook", " = = = = = = = = = =java.security.MessageDigest's digest hooking was Starting = = = = = = = = = =");
                Log.e("MyHook", "The Stack: ", new Throwable("Stack Dump"));
                // First get the MessageDigest object
                MessageDigest messageDigest = (MessageDigest) param.thisObject;
                // hookAllMethods also hooks digest(byte[] buf, int offset, int len), which returns an int,
                // so skip that overload instead of casting its result to byte[]
                if (!(param.getResult() instanceof byte[])) {
                    return;
                }
                byte[] before_data;
                // Does the call have at least one argument, e.g. digest("a12345678".getBytes())?
                if (param.args.length >= 1) {
                    before_data = (byte[]) param.args[0];
                    Log.d("MyHook", "Algorithm: " + messageDigest.getAlgorithm() + " Normal digest function's args[0]: " + new String(before_data));
                    Log.d("MyHook", "Algorithm: " + messageDigest.getAlgorithm() + " Base64 digest function's args[0]: " + Base64.encodeToString(before_data, 0));
                    Log.d("MyHook", "Algorithm: " + messageDigest.getAlgorithm() + " Hex digest function's args[0]: " + byteToHexString(before_data));
                }
                byte[] bRes = (byte[]) param.getResult();
                // Raw data
                Log.d("MyHook", "Algorithm: " + messageDigest.getAlgorithm() + " Normal Data: " + new String(bRes));
                // Print the Base64 form
                Log.d("MyHook", "Algorithm: " + messageDigest.getAlgorithm() + " Base64 Data: " + Base64.encodeToString(bRes, 0));
                // Hex string form
                Log.d("MyHook", "Algorithm: " + messageDigest.getAlgorithm() + " Hex Data: " + byteToHexString(bRes));
                Log.d("MyHook", " = = = = = = = = = =java.security.MessageDigest's digest hooking was Ending = = = = = = = = = =");
                Log.d("MyHook", " = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =");
            }
        });
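The following is an added example, not code from the original post or from the Xposed project, that ties the two parts above together: the hookAllConstructors / hookAllMethods API and the digest hook. It is a complete module class that (1) hooks the protected MessageDigest(String) constructor, which every provider subclass reaches through super(algorithm), so it fires once per instance; (2) hooks all three getInstance overloads with a single hookAllMethods call; and (3) hooks all three digest overloads, including digest(byte[] buf, int offset, int len), which returns an int and writes the hash into buf, so its result must not be cast to byte[]. The package name, class name, the "DigestDump" log tag, the TARGET package and the byteToHexString helper (the post calls a helper of that name but never shows it) are all assumptions of this example.

```java
// Added example, not from the original post. Package/class names, the log tag and
// the TARGET package are assumptions.
package com.example.digestdump;

import android.util.Log;

import java.security.MessageDigest;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class DigestDump implements IXposedHookLoadPackage {
    private static final String TAG = "DigestDump";
    // Assumed target package; only hook the app you are analysing, not every process
    private static final String TARGET = "com.example.target";

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        if (!TARGET.equals(lpparam.packageName)) return;

        Class<?> md = XposedHelpers.findClass("java.security.MessageDigest", lpparam.classLoader);

        // 1. Constructor hook: MessageDigest(String algorithm) is protected, but every
        //    provider subclass calls super(algorithm), so this runs for each new instance.
        XposedBridge.hookAllConstructors(md, new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) {
                Log.d(TAG, "new MessageDigest(" + param.args[0] + ") as "
                        + param.thisObject.getClass().getName());
            }
        });

        // 2. One hookAllMethods call covers getInstance(String), getInstance(String, String)
        //    and getInstance(String, Provider); args[0] is the algorithm name in all three.
        XposedBridge.hookAllMethods(md, "getInstance", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) {
                Log.d(TAG, "getInstance(" + param.args[0] + ") -> " + param.getResult());
                Log.d(TAG, "caller", new Throwable("stack"));
            }
        });

        // 3. digest() / digest(byte[]) return byte[], but digest(byte[] buf, int off, int len)
        //    returns an int (bytes written into buf), so each overload is handled by arity.
        XposedBridge.hookAllMethods(md, "digest", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) {
                MessageDigest self = (MessageDigest) param.thisObject;
                String alg = self.getAlgorithm();
                Object result = param.getResult();

                if (param.args.length == 3) {
                    // digest(buf, off, len): copy the hash back out of the caller's buffer
                    byte[] buf = (byte[]) param.args[0];
                    int off = (Integer) param.args[1];
                    int len = (Integer) result;
                    byte[] out = new byte[len];
                    System.arraycopy(buf, off, out, 0, len);
                    Log.d(TAG, alg + " digest(buf,off,len) -> " + byteToHexString(out));
                    return;
                }
                if (param.args.length == 1) {
                    // digest(input): the final input chunk is visible as args[0]
                    Log.d(TAG, alg + " digest(input) input=" + byteToHexString((byte[]) param.args[0]));
                }
                // digest() after update(): no input here, only the result
                Log.d(TAG, alg + " digest -> " + byteToHexString((byte[]) result));
            }
        });
    }

    // Helper the post refers to but never shows; this version belongs to the example.
    static String byteToHexString(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length * 2);
        for (byte b : data) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

To use it, list com.example.digestdump.DigestDump in the module's assets/xposed_init file as usual. Data fed through update() never passes through this hook; only the final digest bytes are visible in that case, which is why the post separately raises the question of hooking update.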

Hands-on with a real app

Capture the login request; it looks like this:

POST /api/sns/v2/user/login HTTP/1.1
X-Tingyun-Lib-Type-N-ST: 3;1602599093071
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; Nexus 5 Build/KTU84Q) Resolution/1080*1776 Version/5.14.0 Build/5140002 Device/(LGE;Nexus 5)
Content-Type: application/x-www-form-urlencoded
Content-Length: 377
Host: www.xiaohongshu.com
Connection: close
Accept-Encoding: gzip, deflate

android_id=86a2e5fff2b395d&phone=19817353426&type=phone&lang=zh&password=e9bc0e13a8a16cbb07b175d92a113126&zone=86&imei=358240050430040&platform=Android&deviceId=c4e6b1a6-6891-3314-ad08-7e08f5da0063&device_fingerprint=202010121332200be9f24f860e8356e0ab8037a7b69cd70008c4435e510fcc&versionName=5.14.0&channel=Store360&lang=zh-CN&t=1602598918&sign=816f8034f5bf8bcc0238478c2d2d05b4

sign: 816f8034f5bf8bcc0238478c2d2d05b4

Search the log recorded by the Xposed module for this value.


The hit's stack dump points straight at the code to analyze:

        at com.xingin.skynet.XYValueRewrite.a(SourceFile:124)
        at com.xingin.skynet.XYValueRewrite.a(SourceFile:91)

