Load it into jadx.
Look for the entry point of the Xposed module declared in the xposed_init file. The main body contains only the following three functions, so the guess is that the real hook code is stored encrypted and is loaded and executed at runtime through a DexClassLoader.
public class XposedEntry implements IXposedHookLoadPackage {
    private static final String enDexName = "appcompat_v4.dex";
    private static final String gsonDexName = "gson.dex";
    public static String pkgName = "wechat.simpleforwarder";
    private static final String soName = "libJpush.so";

    public void copyFileFromAssets(InputStream inputStream, String str) {
        ...
    }

    String getCurProcessName(Context context) {
        ...
    }

    public void handleLoadPackage(LoadPackageParam loadPackageParam) {
        ...
    }
}
Under the app's assets directory there are the following files with a .dex suffix. Trying to decompile them directly with jadx fails, so drop them into 010 Editor.
The dex files were encrypted by the author, so the next step is to find the code that decrypts and executes them.
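As an added example (not code from the original writeup), here is a small Python triage script that does what the jadx/010 Editor check above does by hand: it opens an APK as a zip, tests whether each assets/*.dex entry starts with the DEX magic, and flags high-entropy entries that lack it as probably encrypted. The two file names are taken from XposedEntry; their contents are constructed samples.

```python
import io
import math
import random
import zipfile

# A valid DEX file begins with "dex\n", a 3-digit version and a NUL byte.
DEX_MAGIC = b"dex\n"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 indicate encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_dex_blob(data: bytes) -> str:
    """'dex' if the DEX magic is present, 'suspect' if it is missing but the
    content is high-entropy (likely encrypted), otherwise 'unknown'."""
    if data[:4] == DEX_MAGIC and data[7:8] == b"\x00":
        return "dex"
    if shannon_entropy(data) > 7.0:
        return "suspect"
    return "unknown"


def triage_apk_assets(apk_bytes: bytes) -> dict:
    """Classify every assets/*.dex entry inside an APK (which is a zip)."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("assets/") and name.endswith(".dex"):
                results[name] = classify_dex_blob(zf.read(name))
    return results


def build_sample_apk() -> bytes:
    """Constructed sample APK: one genuine-looking DEX header and one
    deterministic pseudo-random blob standing in for an encrypted dex."""
    rng = random.Random(1234)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/gson.dex", b"dex\n035\x00" + bytes(64))
        zf.writestr("assets/appcompat_v4.dex", blob)
    return buf.getvalue()
```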
Looking at the UI entry point directly turns up no decryption code at all. Since this is an Xposed plugin, there must be a findAndHookMethod call somewhere, together with beforeHook and afterHook callbacks; searching for those directly leads to the following code:
protected void afterHookedMethod(MethodHookParam methodHookParam) {
    super.afterHookedMethod(methodHookParam);
    Context context = (Context) met