3、叉叉助手逆向分析(下)
2024-05-29 18:51:45
plugin/117/xxFknsg.apk --ui-name:com/xxAssistant/FknsgUI/xxMain --activity-name:com/babeltimes/main/MainActivity --so-path:/data/data/com.xxAssistant/app_plugin/117/libxxfknsg.so
我们将手机里的apk提取出来:com.babeltime.fknsango_360-1.apk,分析xml:
<?xml version="1.0" encoding="utf-8"?><manifestxmlns:android="http://schemas.android.com/apk/res/android"android:versionCode="3"android:versionName="1.1.8"android:installLocation="0"package="com.babeltime.fknsango_360"><supports-screensandroid:anyDensity="true"android:smallScreens="true"android:normalScreens="true"android:largeScreens="true"android:resizeable="true"></supports-screens><uses-sdkandroid:minSdkVersion="8"android:targetSdkVersion="17"></uses-sdk><uses-permissionandroid:name="android.permission.ACCESS_NETWORK_STATE"></uses-permission>
……
<uses-permissionandroid:name="android.permission.VIBRATE"></uses-permission><applicationandroid:theme="@7F060001"android:label="@7F050000"android:icon="@7F020000"android:allowBackup="true"><activityandroid:theme="@android:01030007"android:label="@7F050000"android:name="com.babeltimes.main.MainActivity"android:screenOrientation="1"android:configChanges="0x00000080"><intent-filter><actionandroid:name="android.intent.action.MAIN"></action><categoryandroid:name="android.intent.category.LAUNCHER"></category></intent-filter></activity><activityandroid:theme="@android:01030007"android:label="@7F050000"android:name="com.babeltimes.main.CrashHandler"android:screenOrientation="1"android:configChanges="0x00000080"><intent-filter><categoryandroid:name="android.intent.category.LAUNCHER"></category></intent-filter></activity><activityandroid:theme="@android:01030010"android:name="com.qihoopay.insdk.activity.ContainerActivity"android:configChanges="0x400006E4"></activity><activityandroid:theme="@android:01030010"android:name="com.qihoopp.qcoinpay.QcoinActivity"android:configChanges="0x400006E4"android:windowSoftInputMode="0x00000013"></activity><meta-dataandroid:name="QHOPENSDK_APPID"android:value="200983446"></meta-data>……<meta-dataandroid:name="QHOPENSDK_CHANNEL"android:value="default"></meta-data><activityandroid:theme="@7F060015"android:name="cn.paypalm.pppayment.InitialAct"android:screenOrientation="3"android:configChanges="0x000004A0"android:windowSoftInputMode="0x00000003"></activity>……<activityandroid:theme="@7F060015"android:name="cn.paypalm.pppayment.BankcardAgreement"android:screenOrientation="3"android:configChanges="0x000004A0"android:windowSoftInputMode="0x00000003"></activity></application></manifest>
可以看出:
game-name为游戏包名,
apk-path为插件全路径
ui-name为插件界面
activity-name为游戏启动activity
so-path为插件so库全路径
再分析插件xxFknsg.apk:
<?xml version="1.0" encoding="utf-8"?><manifestandroid:versionCode="1"android:versionName="1.0"package="com.xxAssistant.FknsgUI"xmlns:android="http://schemas.android.com/apk/res/android"><applicationandroid:theme="@style/AppTheme"android:label="@string/app_name"android:icon="@drawable/ic_launcher"android:debuggable="true"android:allowBackup="true"><activityandroid:label="@string/app_name"android:name="com.xxAssistant.FknsgUI.MainActivity"><intent-filter><actionandroid:name="android.intent.action.MAIN"/><categoryandroid:name="android.intent.category.LAUNCHER"/></intent-filter></activity></application></manifest>
Application是没有name标签的,activity:com.xxAssistant.FknsgUI.MainActivity:
packagecom.xxAssistant.FknsgUI;importandroid.app.Activity;importandroid.os.Bundle;importandroid.view.Menu;importandroid.view.MenuInflater;publicclassMainActivityextendsActivity {protectedvoidonCreate(Bundle paramBundle) {super.onCreate(paramBundle); setContentView(2130903040); xxMain.init(this,null); }publicbooleanonCreateOptionsMenu(Menu paramMenu) { getMenuInflater().inflate(2131165184, paramMenu);returntrue; } }插件的MainActivity只是调用了一个xxMain.init,查看xxMain.class:
package com.xxAssistant.FknsgUI; import android.app.Activity; import android.graphics.drawable.Drawable; import android.util.DisplayMetrics; import android.view.Display; import android.view.View; import android.view.View.OnClickListener; import android.view.ViewGroup; import android.view.WindowManager; import android.widget.FrameLayout.LayoutParams; import android.widget.LinearLayout; import android.widget.LinearLayout.LayoutParams; import android.widget.RelativeLayout; import android.widget.RelativeLayout.LayoutParams; import android.widget.TextView; import com.xxAssistant.FknsgUI.bg.ShapeBg;publicclassxxMain {publicstaticString TITLE ="叉叉放开那三国助手 1.0.0";publicstaticString mSoPath =null;privatestaticxxMain me =null;privatexxAbout mAboutView;privateActivity mActivity;privatefloatmDp;privateRelativeLayout.LayoutParams mRlparams;privateViewGroup mRootView;privatexxSettingView mSettingView;publicxxMain(Activity paramActivity) {this.mActivity = paramActivity; DisplayMetrics localDisplayMetrics =newDisplayMetrics();this.mActivity.getWindowManager().getDefaultDisplay().getMetrics(localDisplayMetrics);this.mDp = localDisplayMetrics.density; }public static void init(Activity paramActivity, String paramString){ mSoPath = paramString;if(me ==null);for(xxMain localxxMain =newxxMain(paramActivity); ; localxxMain = me) { me = localxxMain; me.show();return; } }privatevoidinitNativeFunC() {if(mSoPath !=null) xxUtility.init(this.mActivity, mSoPath); }privatevoidinitView() {this.mSettingView =newxxSettingView(this.mActivity,this.mRootView);this.mAboutView =newxxAbout(this.mActivity,this.mRootView);this.mAboutView.setXXVersionString(TITLE); LinearLayout localLinearLayout =newLinearLayout(this.mActivity); localLinearLayout.setOrientation(1); ShapeBg localShapeBg =newShapeBg(this.mActivity); localShapeBg.setColor(-16777216); localShapeBg.setCornerRadii(newfloat[] {4.0F,0.0F,0.0F,4.0F}); localLinearLayout.setBackgroundDrawable(localShapeBg); localLinearLayout.getBackground().setAlpha(153); localLinearLayout.setPadding((int)(4.0F*this.mDp), (int)(4.0F*this.mDp), (int)(4.0F*this.mDp), (int)(4.0F*this.mDp)); RelativeLayout.LayoutParams localLayoutParams =newRelativeLayout.LayoutParams(-2, -2); localLayoutParams.addRule(11); localLayoutParams.addRule(15); LinearLayout.LayoutParams localLayoutParams1 =newLinearLayout.LayoutParams(-2, -2); TextView localTextView1 =newTextView(this.mActivity); localTextView1.setText("设置"); localTextView1.setTextSize(16.0F); localTextView1.setTextColor(-1); LinearLayout.LayoutParams localLayoutParams2 =newLinearLayout.LayoutParams(-2, -2); TextView localTextView2 =newTextView(this.mActivity); localTextView2.setText("叉叉"); localTextView2.setTextSize(16.0F); localTextView2.setTextColor(-16711936); localLayoutParams2.topMargin = ((int)(5.0F*this.mDp)); localLinearLayout.addView(localTextView1, localLayoutParams1); localLinearLayout.addView(localTextView2, localLayoutParams2);this.mRootView.addView(localLinearLayout, localLayoutParams);this.mRlparams =newRelativeLayout.LayoutParams(-1, -1);this.mRlparams.addRule(11);this.mRlparams.addRule(15); localTextView1.setOnClickListener(newView.OnClickListener() {publicvoidonClick(View paramAnonymousView) { xxMain.this.mRootView.removeView(xxMain.this.mAboutView); xxMain.this.mRootView.removeView(xxMain.this.mSettingView); xxMain.this.mRootView.addView(xxMain.this.mSettingView, xxMain.this.mRlparams); } }); localTextView2.setOnClickListener(newView.OnClickListener() {publicvoidonClick(View paramAnonymousView) { xxMain.this.mRootView.removeView(xxMain.this.mAboutView); xxMain.this.mRootView.removeView(xxMain.this.mSettingView); xxMain.this.mRootView.addView(xxMain.this.mAboutView, xxMain.this.mRlparams); } }); }privatevoidshow() {this.mRootView =newRelativeLayout(this.mActivity); FrameLayout.LayoutParams localLayoutParams =newFrameLayout.LayoutParams(-1, -1);this.mActivity.addContentView(this.mRootView, localLayoutParams); initNativeFunC(); initView(); } }
packagecom.xxAssistant.FknsgUI;importandroid.app.Activity;importandroid.graphics.drawable.Drawable;importandroid.util.DisplayMetrics;importandroid.view.Display;importandroid.view.MotionEvent;importandroid.view.View;importandroid.view.View.OnTouchListener;importandroid.view.ViewGroup;importandroid.view.WindowManager;importandroid.widget.LinearLayout;importandroid.widget.LinearLayout.LayoutParams;importandroid.widget.RelativeLayout;importandroid.widget.RelativeLayout.LayoutParams;importandroid.widget.ScrollView;importandroid.widget.SeekBar;importandroid.widget.SeekBar.OnSeekBarChangeListener;importandroid.widget.TextView;importcom.xxAssistant.FknsgUI.bg.ShapeBg;publicclassxxSettingViewextendsRelativeLayout {privatestaticintMAX;privatestaticintmSpeed = 0;privateActivity mActivity;privatefloatmDp;privateViewGroup mParent;privateLinearLayout mRealSettingView;privateRelativeLayout mSettingView;static{ MAX = 100; }publicxxSettingView(Activity paramActivity, ViewGroup paramViewGroup) {super(paramActivity);this.mActivity = paramActivity;this.mParent = paramViewGroup;this.mSettingView =this; DisplayMetrics localDisplayMetrics =newDisplayMetrics();this.mActivity.getWindowManager().getDefaultDisplay().getMetrics(localDisplayMetrics);this.mDp = localDisplayMetrics.density; initView(); }privatevoidinitView() {this.mSettingView.setGravity(17);this.mSettingView.setBackgroundColor(-16777216);this.mSettingView.getBackground().setAlpha(80);this.mRealSettingView =newLinearLayout(this.mActivity);this.mRealSettingView.setOrientation(1);this.mRealSettingView.setGravity(1);inti = (int)(16.0F *this.mDp);this.mRealSettingView.setPadding(i, i, i, i); ShapeBg localShapeBg1 =newShapeBg(this.mActivity); localShapeBg1.setCornerRadius(8.0F); localShapeBg1.setColor(-16777216); localShapeBg1.setStroke(1, -1);this.mRealSettingView.setBackgroundDrawable(localShapeBg1);this.mRealSettingView.getBackground().setAlpha(153); RelativeLayout.LayoutParams localLayoutParams =newRelativeLayout.LayoutParams((int)(300.0F *this.mDp), -2);this.mSettingView.addView(this.mRealSettingView, localLayoutParams); TextView localTextView1 =newTextView(this.mActivity); localTextView1.setText("设置"); localTextView1.setTextSize(22.0F); localTextView1.setTextColor(-1); localTextView1.setGravity(1);this.mRealSettingView.addView(localTextView1); ScrollView localScrollView =newScrollView(this.mActivity); localScrollView.setScrollBarStyle(0); LinearLayout localLinearLayout1 =newLinearLayout(this.mActivity); localLinearLayout1.setOrientation(1); LinearLayout localLinearLayout2 =newLinearLayout(this.mActivity); LinearLayout localLinearLayout3 =newLinearLayout(this.mActivity); ShapeBg localShapeBg2 =newShapeBg(this.mActivity); localShapeBg2.setCornerRadius(10.0F); localShapeBg2.setColor(-1); localLinearLayout2.setBackgroundDrawable(localShapeBg2); localLinearLayout3.setBackgroundDrawable(localShapeBg2); (int)(6.0F *this.mDp); LinearLayout.LayoutParams localLayoutParams1 =newLinearLayout.LayoutParams(-1, -2); localLayoutParams1.topMargin = (int)(8.0F *this.mDp);this.mRealSettingView.addView(localScrollView, localLayoutParams1); localScrollView.addView(localLinearLayout1); TextView localTextView2 =newTextView(this.mActivity); localTextView2.setText("游戏加速:0 倍"); localTextView2.setTextColor(-1); localTextView2.setTextSize(17.0F); localTextView2.setGravity(14); SeekBar localSeekBar =newSeekBar(this.mActivity); localSeekBar.setMinimumHeight(2 * (int)this.mDp); localLinearLayout1.addView(localTextView2, localLayoutParams1); localLinearLayout1.addView(localSeekBar, localLayoutParams1); localSeekBar.setOnSeekBarChangeListener(newSeekBar.OnSeekBarChangeListener(localTextView2) {publicvoidonProgressChanged(SeekBar paramSeekBar,intparamInt,booleanparamBoolean) { xxSettingView.mSpeed = paramInt * (xxSettingView.MAX / 100);this.val$tittle.setText("游戏加速:" + xxSettingView.mSpeed + " 倍");if(xxSettingView.mSpeed == 0);for(inti = 1000; ; i = 1000 * xxSettingView.mSpeed) {xxUtility.setTimeScale(i);return; } }publicvoidonStartTrackingTouch(SeekBar paramSeekBar) { }publicvoidonStopTrackingTouch(SeekBar paramSeekBar) { } });this.mSettingView.setOnTouchListener(newView.OnTouchListener() {publicbooleanonTouch(View paramView, MotionEvent paramMotionEvent) {floatf1 = paramMotionEvent.getX();floatf2 = paramMotionEvent.getY();floatf3 = xxSettingView.this.mRealSettingView.getLeft();floatf4 = xxSettingView.this.mRealSettingView.getTop();floatf5 = xxSettingView.this.mRealSettingView.getBottom();floatf6 = xxSettingView.this.mRealSettingView.getRight();switch(paramMotionEvent.getAction()) {default:returnfalse;case0: }if((f1 < f3) || (f1 > f6));while(true) { xxSettingView.this.mParent.removeView(xxSettingView.this.mSettingView);returnfalse;if(f2 < f4)continue;if(f2 <= f5)break; } } }); } }packagecom.xxAssistant.FknsgUI;importandroid.app.Activity;importandroid.app.AlertDialog.Builder;importandroid.content.DialogInterface;importandroid.content.DialogInterface.OnClickListener;importandroid.graphics.drawable.Drawable;importandroid.util.DisplayMetrics;importandroid.view.Display;importandroid.view.MotionEvent;importandroid.view.View;importandroid.view.View.OnClickListener;importandroid.view.View.OnTouchListener;importandroid.view.ViewGroup;importandroid.view.WindowManager;importandroid.widget.LinearLayout;importandroid.widget.LinearLayout.LayoutParams;importandroid.widget.RelativeLayout;importandroid.widget.RelativeLayout.LayoutParams;importandroid.widget.TextView;importcom.xxAssistant.FknsgUI.bg.ShapeBg;publicclassxxAboutextendsRelativeLayout {privateRelativeLayout mAbout;privateActivity mActivity;privatefloatmDp;privateViewGroup mParent;privateLinearLayout mRealAbout;privateTextView mTvContent;privateTextView mTvTitle;publicxxAbout(Activity paramActivity, ViewGroup paramViewGroup) {super(paramActivity);this.mActivity = paramActivity;this.mParent = paramViewGroup;this.mAbout =this; DisplayMetrics localDisplayMetrics =newDisplayMetrics();this.mActivity.getWindowManager().getDefaultDisplay().getMetrics(localDisplayMetrics);this.mDp = localDisplayMetrics.density; initView(); }privatevoidinitView() {this.mAbout.setGravity(17);this.mAbout.setBackgroundColor(-16777216);this.mAbout.getBackground().setAlpha(0);this.mRealAbout =newLinearLayout(this.mActivity);this.mRealAbout.setOrientation(1);this.mRealAbout.setGravity(1); ShapeBg localShapeBg1 =newShapeBg(this.mActivity); localShapeBg1.setCornerRadius(8.0F); localShapeBg1.setColor(-16777216); localShapeBg1.setStroke(1, -1);this.mRealAbout.setBackgroundDrawable(localShapeBg1);this.mRealAbout.getBackground().setAlpha(153);inti = (int)(16.0F *this.mDp);this.mRealAbout.setPadding(i, i, i, i); RelativeLayout.LayoutParams localLayoutParams =newRelativeLayout.LayoutParams((int)(300.0F *this.mDp), (int)(150.0F *this.mDp));this.mAbout.addView(this.mRealAbout, localLayoutParams);this.mTvTitle =newTextView(this.mActivity);this.mTvTitle.setTextSize(22.0F);this.mTvTitle.setText("关于");this.mTvTitle.setTextColor(-1);this.mTvTitle.setGravity(17);this.mRealAbout.addView(this.mTvTitle);this.mTvContent =newTextView(this.mActivity); ShapeBg localShapeBg2 =newShapeBg(this.mActivity); localShapeBg2.setCornerRadius(6.0F); localShapeBg2.setColor(-1);this.mTvContent.setBackgroundDrawable(localShapeBg2);this.mTvContent.setTextColor(-16777216);this.mTvContent.setTextSize(18.0F);intj = (int)(4.0F *this.mDp);this.mTvContent.setPadding(j, j, j, j);this.mTvContent.setGravity(3); LinearLayout.LayoutParams localLayoutParams1 =newLinearLayout.LayoutParams(-1, -2); localLayoutParams1.topMargin = (int)(20.0F *this.mDp);this.mRealAbout.addView(this.mTvContent, localLayoutParams1); TextView localTextView =newTextView(this.mActivity); localTextView.setText("隐藏界面"); localTextView.setTextColor(-16711936); LinearLayout.LayoutParams localLayoutParams2 =newLinearLayout.LayoutParams(-2, -2); localLayoutParams2.topMargin = (int)(20.0F *this.mDp); localLayoutParams2.gravity = 5;this.mRealAbout.addView(localTextView, localLayoutParams2); localTextView.setOnClickListener(newView.OnClickListener() {publicvoidonClick(View paramView) { AlertDialog.Builder localBuilder =newAlertDialog.Builder(xxAbout.this.mActivity); localBuilder.setMessage("警告:界面隐藏后,只能在下次游戏启动时再次出现,请确认是否执行该操作。"); localBuilder.setPositiveButton("确定",newDialogInterface.OnClickListener() {publicvoidonClick(DialogInterface paramDialogInterface,intparamInt) { xxAbout.this.mParent.removeAllViews(); } }); localBuilder.setNegativeButton("取消",null); localBuilder.show(); } });this.mAbout.setOnTouchListener(newView.OnTouchListener() {publicbooleanonTouch(View paramView, MotionEvent paramMotionEvent) {floatf1 = paramMotionEvent.getX();floatf2 = paramMotionEvent.getY();floatf3 = xxAbout.this.mRealAbout.getLeft();floatf4 = xxAbout.this.mRealAbout.getTop();floatf5 = xxAbout.this.mRealAbout.getBottom();floatf6 = xxAbout.this.mRealAbout.getRight();switch(paramMotionEvent.getAction()) {default:returnfalse;case0: }if((f1 < f3) || (f1 > f6));while(true) { xxAbout.this.mParent.removeView(xxAbout.this.mAbout);returnfalse;if(f2 < f4)continue;if(f2 <= f5)break; } } }); }publicvoidsetXXVersionString(String paramString) {this.mTvContent.setText(paramString); } }
其中xxUtility.setTimeScale在xxUtility中:
packagecom.xxAssistant.FknsgUI;importandroid.app.Activity;publicclassxxUtility {publicstaticActivity mActivity;privatestaticbooleanmIsInitOk =false;private static native void doSetTimeScale(intparamInt);publicstaticvoidinit(Activity paramActivity, String paramString) { mActivity = paramActivity;if(paramString !=null) {System.load(paramString);mIsInitOk =xxdohook(); } }publicstaticvoidsetTimeScale(intparamInt) {if(mIsInitOk) doSetTimeScale(paramInt); }private static native boolean xxdohook();}加载对应的插件目录下的libxxfknsg.so:
对gettimeofday和clock_gettime做一些hook,然后通过xxUtility::setTimeScale加速设置加速倍数。
再分析“天天星连萌”的插件:
packagecom.xxAssistant.UI;importandroid.app.Activity;importandroid.content.Context;importandroid.util.Log;importandroid.widget.RelativeLayout;importandroid.widget.Toast;publicclassUniversalUIextendsRelativeLayout {privatestaticString mSoPath;privatestaticUniversalUI me =null;privateActivity mActivity;privateContext mContext;privatebooleanmShow;privateUniversalUI(Activity paramActivity) {super(paramActivity);this.mContext = paramActivity;this.mActivity = paramActivity;this.mShow =false; }public static void init(Activity paramActivity, String paramString){if(me ==null);for(UniversalUI localUniversalUI =newUniversalUI(paramActivity); ; localUniversalUI = me) { me = localUniversalUI; mSoPath = paramString; me.show();return; } }privatevoidshow() {if(!this.mShow) {this.mShow =true; Log.d("native", "叉叉辅助已成功装载"); Toast.makeText(this.mContext.getApplicationContext(), "叉叉辅助已成功装载1111111111111111111111111111111111", 1).show(); System.load(mSoPath); xxdohook(); } }private native voidxxdohook();}
可以看出都有一个静态的init函数,插桩修改打印参数:
.classpublicLcom/xxAssistant/UI/UniversalUI; .superLandroid/widget/RelativeLayout; .source "UniversalUI.java" #staticfields .fieldprivatestaticmSoPath:Ljava/lang/String; .fieldprivatestaticme:Lcom/xxAssistant/UI/UniversalUI; # instance fields .fieldprivatemActivity:Landroid/app/Activity; .fieldprivatemContext:Landroid/content/Context; .fieldprivatemShow:Z # direct methods .methodstaticconstructor <clinit>()V .locals 1 .prologue .line 12const/4 v0, 0x0 sput-object v0, Lcom/xxAssistant/UI/UniversalUI;->me:Lcom/xxAssistant/UI/UniversalUI; .line 17return-void.end method .methodprivateconstructor <init>(Landroid/app/Activity;)V .locals 1 .parameter "activity" .prologue .line 20 invoke-direct {p0, p1}, Landroid/widget/RelativeLayout;-><init>(Landroid/content/Context;)V .line 22 iput-object p1, p0, Lcom/xxAssistant/UI/UniversalUI;->mContext:Landroid/content/Context; .line 23 iput-object p1, p0, Lcom/xxAssistant/UI/UniversalUI;->mActivity:Landroid/app/Activity; .line 24const/4 v0, 0x0 iput-booleanv0, p0, Lcom/xxAssistant/UI/UniversalUI;->mShow:Z#debug by singconst-string v0, "MODBYSING" invoke-virtual {p1}, Ljava/lang/Object;->toString()Ljava/lang/String; move-result-object v1 invoke-static{v0, v1}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I #debug by sing.line 25return-void.end method .methodpublicstaticinit(Landroid/app/Activity;Ljava/lang/String;)V .locals 1 .parameter "activity" .parameter "soPath" .prologue .line 29 sget-object v0, Lcom/xxAssistant/UI/UniversalUI;->me:Lcom/xxAssistant/UI/UniversalUI;if-nez v0, :cond_0new-instance v0, Lcom/xxAssistant/UI/UniversalUI; invoke-direct {v0, p0}, Lcom/xxAssistant/UI/UniversalUI;-><init>(Landroid/app/Activity;)V :goto_0 sput-object v0, Lcom/xxAssistant/UI/UniversalUI;->me:Lcom/xxAssistant/UI/UniversalUI; .line 30 sput-object p1, Lcom/xxAssistant/UI/UniversalUI;->mSoPath:Ljava/lang/String; .line 31 sget-object v0, Lcom/xxAssistant/UI/UniversalUI;->me:Lcom/xxAssistant/UI/UniversalUI; invoke-direct {v0}, Lcom/xxAssistant/UI/UniversalUI;->show()V .line 32return-void.line 29 :cond_0 sget-object v0, Lcom/xxAssistant/UI/UniversalUI;->me:Lcom/xxAssistant/UI/UniversalUI;goto:goto_0 .end method .methodprivateshow()V .locals 3 .prologueconst/4 v2, 0x1 .line 35 iget-booleanv0, p0, Lcom/xxAssistant/UI/UniversalUI;->mShow:Zif-nez v0, :cond_0 .line 36 iput-booleanv2, p0, Lcom/xxAssistant/UI/UniversalUI;->mShow:Z .line 38const-string v0, "native"const-string v1, "\u53c9\u53c9\u8f85\u52a9\u5df2\u6210\u529f\u88c5\u8f7d" invoke-static{v0, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I .line 39 iget-object v0, p0, Lcom/xxAssistant/UI/UniversalUI;->mContext:Landroid/content/Context; invoke-virtual {v0}, Landroid/content/Context;->getApplicationContext()Landroid/content/Context; move-result-object v0const-string v1, "\u53c9\u53c9\u8f85\u52a9\u5df2\u6210\u529f\u88c5\u8f7d1111111111111111MODBYSING" invoke-static{v0, v1, v2}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast; move-result-object v0 invoke-virtual {v0}, Landroid/widget/Toast;->show()V .line 40 sget-object v0, Lcom/xxAssistant/UI/UniversalUI;->mSoPath:Ljava/lang/String;#debug by singconst-string v1, "MODBYSING" invoke-static{v1,v0} ,Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I #debug by singinvoke-static{v0}, Ljava/lang/System;->load(Ljava/lang/String;)V .line 41 invoke-direct {p0}, Lcom/xxAssistant/UI/UniversalUI;->xxdohook()V .line 43 :cond_0return-void.end method .methodprivatenativexxdohook()V .end method
此插件实现的效果是任意消除,捕获的log信息:
04-0915:46:23.770: V/MODBYSING(13478): com.tencent.lian.MiniGame@41c711a804-0915:46:23.800: V/MODBYSING(13478): /data/data/com.xxAssistant/app_plugin/105/libxxlianmeng_mm.so
实际运行中MainActivity::onCreate并没有执行(单独直接运行APK会执行,仅仅方便开发使用,具体启动游戏时插件的运行逻辑中不会执行到MainActivity::onCreate),证实Activity确实是游戏的主Activity。
再看插件so文件导出的xxdohook函数,Java_com_xxAssistant_UI_UniversalUI_xxdohook:
函数内部调用了do_hook:
调用了MSHookFunction(libSubstrate.so提供的函数)来hook原游戏libGameApp.so中的函数。
下面把插件APK直接安装运行,这个是滑雪大冒险的插件运行效果图:
可以看出和启动游戏后的插件显示效果类似,只不过单独运行时只是一个hello world的界面。
综合以上分析猜测:
所有插件按照一定格式编写,需要有一个.xxplist配置文件,一个可以安装运行的APK(可以直接安装运行是为了方便插件的开发),如果有做底层hook操作的还会有一个so文件。
.xxplist配置文件的内容格式如下:
game-name为游戏包名,
apk-path为插件全路径
ui-name为插件界面
activity-name为游戏启动activity
so-path为插件so库全路径
叉叉助手游戏列表中保存有插件id,点击“启动游戏”时按照item对应的插件id加载创建目录对应的插件apk,启动规则是按照插件目录下的.xxplist配置文件来的。
叉叉助手在运行时会做一次注入操作,在叉叉助手里启动游戏时,将相应的插件配置文件重定向到一个plist.xx的公共配置文件,由于做了注入,处于底层的监控层监控到游戏启动时判断当前的activity的包名是否和配置文件中的包名吻合,如果吻合说明当前游戏和当前插件匹配,则通过配置文件读取插件apk并动态加载,并调用一个静态的init函数,传递参数为:参数1是游戏的activity启动实例,参数2为配置文件中的插件so库文件路径。init函数完成插件的界面配置,显示为游戏界面上的悬浮窗口,加载so库并调用so的导出函数进行hook操作。
待研究内容:
1、libsubstrate的hook框架。
2、验证:注入后如何监控游戏的启动并加载插件。
版权声明:本文为博主原创文章,未经博主允许不得转载。
3、叉叉助手逆向分析(下)相关推荐
- 2、叉叉助手逆向分析(上)
描述:主要讲解如何有条例地逆向分析出软件的主要逻辑. 工具:APKIDE,JD-GUI 方法:顺藤摸瓜,smali代码主要看invoke关键函数调用,定位到相应的类中看代码. 使用APKIDE反编译x ...
- 4、叉叉助手逆向分析续集--模拟实现游戏插件框架--再扩展到脱壳机
这里以HOOK程序启动后调用天天星联盟为例,下面是2014年4月30日抠出来的天天星联盟插件APK代码: package com.xxAssistant.UI; import android.app. ...
- 6、XPOSED二、叉叉助手框架--用XPOSED实现
继<xposed框架初探>之后,编写一个小小的demo应用,刚好之前分析叉叉的游戏辅助框架(参考<叉叉助手逆向分析续集--模拟实现游戏插件框架--再扩展到脱壳机>,我们是用了l ...
- android 叉叉助手 弹幕原理
叉叉助手能实现从它的app打开另外的app,并实现弹幕,请问下这种弹幕效果是用的什么技术呢?
- 【干货最多】逆向分析学生机房管理助手7.8随机进程名算法、极域U盘、网络、键盘限制
目录 逆向分析7.8算法 解极域U盘限制 硬解禁 软解禁 网络.键盘限制 逆向分析7.8算法 先给个开幕雷击吧: 这真不知道怎么评价好呢,学生机房管理助手上一个版本还是7.5,在11月23号这天直接跳 ...
- 第5篇 熊猫烧香逆向分析(下)
本实验仅用于信息防御学习,请勿用于非法用途!!! 目录 一.前言 二.实验环境 三.函数sub_408024分析 1.函数sub_40532C分析 2.函数sub_4054BC分析 3.函数sub_4 ...
- android每天定时打卡,钉钉定时打卡脚本下载|叉叉助手钉钉定时打卡插件安卓版下载 v4.3.1 - 跑跑车安卓网...
叉叉助手钉钉定时打卡插件是一个实用的工具,让用户自定义打卡的时间,无论是上班还是下班都能通过这个应用来自动打卡. 软件介绍 钉钉是中国领先的智能移动办公平台,由阿里巴巴集团开发,免费提供给所有企业,用 ...
- 剑网3指尖江湖开局门派选TA最好 叉叉助手伴你快意江湖
万众期待的<剑网3:指尖江湖>将于6月12日上线!在国创武侠网游界,剑网三的大名可谓无人不知无人不晓.该作是西山居以端游IP研发的一款角色扮演类手游,有别于大部分角色扮演游戏的单人物多职业 ...
- 病毒木马查杀实战第007篇:熊猫烧香之逆向分析(下)
前言 这次我们会接着上一篇的内容继续对病毒进行分析.分析中会遇到一些不一样的情况,毕竟之前的代码我们只要按照流程顺序一步一步往下走,就能够弄清楚病毒的行为,但是在接下来的代码中,如果依旧如此,在某些分 ...
最新文章
- xunsearch php,GitHub - ziyueit/xunsearch: 迅搜的一个PHP封装类
- lua如何判断是否支持cookie_我们应该如何判断机油是否变质?
- 方向梯度直方图(HOG)和颜色直方图的一些比較
- Qt Creator与调试器进行交互
- ffmpeg - AVPacket内存问题分析(AVFrame一样的)
- 洛谷 P2725 邮票题解
- 转g代码教程_图深度学习入门教程(九)——图滤波神经网络模型
- 系统动力学模型_RCR新文:基于系统动力学模型的中国煤炭产能情景预测
- 一. APP连续闪退修复方案初版
- 【NDN转发】Community Aware Content Retrieval in Disruption Tolerant Networks 全文翻译
- 服务器基本搭建(Windows系统阿里云服务器为例)-购买云服务器
- 基于CSS盒模型的页面布局
- 用 Go STL 查询 DB 引发的内存泄露
- 2018年最新(传智播客)黑马训练营JAVAEE49期培训视频教程
- 星岚技术 Win10 x64 无精简完整版 V2021.5
- 提高工作效率的外贸管理软件
- 中投民生:今日A股大面积飘绿;注册制独领风骚
- 期货主力合约及其移仓特点(转)
- 开源项目演示_3种开源工具可让您的演示文稿流行
- 计算机技术转让增值税,技术转让时增值税怎么处理?