I. How the hardening works:

After an app has been hardened (packed), its classloader is replaced by the hardening shell's own classloader, so when hooking you only need to swap in the shell's classloader.

II. Concrete steps and analysis

A hardened app can still be decompiled. After decompilation the dex contains only a handful of classes; the important one is the shell's entry class. Inside that class you can obtain the Context parameter, get the shell's classloader through that Context, and then hook with that classloader to successfully hook the hardened app.

Keep the loading principle in mind: the details differ between packers, but the idea stays the same.

爱加密 (Ijiami)

XposedHelpers.findAndHookMethod("s.h.e.l.l.S", lpparam.classLoader,
        "attachBaseContext", Context.class, new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                super.afterHookedMethod(param);
                try {
                    Context context = (Context) param.args[0];
                    Toast.makeText(context, "Hook成功", Toast.LENGTH_SHORT).show();
                } catch (Throwable e) {
                    LogUtil.logError(e);
                }
            }
        });

360加固 (360 Jiagu)

XposedHelpers.findAndHookMethod("com.stub.StubApp", loadPackageParam.classLoader,
        "ᵢˋ", Context.class, new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                super.afterHookedMethod(param);
                // Obtain the 360 shell's Context object; the classloader is fetched through it
                Context context = (Context) param.args[0];
                // Obtain the 360 shell's classloader; later hooks into the hardened app use this classloader
                ClassLoader classLoader = context.getClassLoader();
            }
        });

腾讯乐固 (Tencent Legu)

XposedHelpers.findAndHookMethod("com.tencent.StubShell.TxAppEntry", loadPackageParam.classLoader,
        "attachBaseContext", Context.class, new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                super.afterHookedMethod(param);
                // Obtain the Context object; the classloader is fetched through it
                Context context = (Context) param.args[0];
                // Obtain the classloader; later hooks into the hardened app use this classloader
                ClassLoader classLoader = context.getClassLoader();
                // From here, switch the classloader used for the hooks to the shell's classloader and they will succeed
            }
        });

梆梆加固 (Bangcle)

Class<?> ApplicationWrapper = XposedHelpers.findClass("com.secneo.apkwrapper.ApplicationWrapper", lpparam.classLoader);
XposedHelpers.findAndHookMethod(ApplicationWrapper,
        "onCreate", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                super.afterHookedMethod(param);
                try {
                    Application application = (Application) XposedHelpers.getStaticObjectField(ApplicationWrapper, "realApplication");
                    if (application != null) {
                        if (Config.CCB_PACKAGE.equals(processName) && !HAS_HOOK) {
                            HAS_HOOK = true;
                            LogUtil.d("Hook成功,当前context:" + application);
                            LogUtil.d("Hook成功,当前版本:" + PayHelperUtils.getVerName(application));
                        }
                    } else {
                        LogUtil.d("Hook成功,但是是个空的");
                    }
                } catch (Throwable e) {
                    LogUtil.logError(e);
                }
            }
        });