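This chapter covers hooking at the Java layer. First we need to find where QQ's encryption function is; here we use the simplest approach, the method-trace recording in monitor.

monitor is a small tool in the Android SDK (formerly DDMS); its method-call recording feature lets you locate the function quickly.

One question here: why can't I find any onClick operation in the trace? If there isn't one, how is the click implemented? If anyone knows, please leave a comment, thanks.

After locating it, I found one function: com.tencent.qphone.base.util.CodecWarpper.nativeEncodeRequest

My guess is that this function is the final encryption function. Decompiling QQ's dex with jadx and looking the function up shows that it is an overloaded method with 3 possible parameter lists.

I didn't know which one ends up being called, so I wrote a hook for all 3 and printed output to work out which one is actually called.

The result is that the second one is the most commonly called, so in the end we hook the second one.

Printing the arguments then gives the data before and after encryption. You can see that the data finally sent carries the version number, the QQ number, and the type of the action. The 7th and 15th parameters are arrays and should contain the plaintext before encryption. From what I have read, this uses a serialization scheme similar to Google's protobuf; Tencent's version is jcestruct. I will finish researching it before the New Year and add it here.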

01-25 03:50:26.614 I/Xposed  ( 6657): param1 = class java.lang.Integer data =  50538
01-25 03:50:26.617 I/Xposed  ( 6657): param2 = class java.lang.String data =  312576676479927
01-25 03:50:26.617 I/Xposed  ( 6657): param3 = class java.lang.String data =
01-25 03:50:26.617 I/Xposed  ( 6657): param4 = class java.lang.String data =  7.9.7.390008
01-25 03:50:26.617 I/Xposed  ( 6657): param5 = class java.lang.String data =
01-25 03:50:26.617 I/Xposed  ( 6657): param6 before = class java.lang.String data =  StatSvc.GetOnlineStatus
01-25 03:50:26.617 I/Xposed  ( 6657): param7 before = class [B data =  [B@b9790c9
01-25 03:50:26.617 I/Xposed  ( 6657): param7 now= [-84, -19, 0, 5, 117, 114, 0, 2, 91, 66, -84, -13, 23, -8, 6, 8, 84, -32, 2, 0, 0, 120, 112, 0, 0, 0, 4, -52, 73, 124, -95]
01-25 03:50:26.617 I/Xposed  ( 6657): param7 = ACED0005757200025B42ACF317F8060854E0020000787000000004CC497CA1
01-25 03:50:26.617 I/Xposed  ( 6657): param8 = class java.lang.Integer data =  537060431
01-25 03:50:26.617 I/Xposed  ( 6657): param9 = class java.lang.Integer data =  537060431
01-25 03:50:26.617 I/Xposed  ( 6657): param10 = class java.lang.String data =  2100327022
01-25 03:50:26.617 I/Xposed  ( 6657): param11 = class java.lang.Byte data =  0
01-25 03:50:26.617 I/Xposed  ( 6657): param12 = class java.lang.Byte data =  1
01-25 03:50:26.617 I/Xposed  ( 6657): param13 = class java.lang.Byte data =  1
01-25 03:50:26.617 I/Xposed  ( 6657): param15 type = class [B
01-25 03:50:26.617 I/Xposed  ( 6657): param15 before = [-84, -19, 0, 5, 117, 114, 0, 2, 91, 66, -84, -13, 23, -8, 6, 8, 84, -32, 2, 0, 0, 120, 112, 0, 0, 0, 12, 0, 0, 0, 12, 8, -18, -28, -63, -23, 7, 16, 0]
01-25 03:50:26.617 I/Xposed  ( 6657):  data =  [B@21c13ce
01-25 03:50:26.617 I/Xposed  ( 6657): param15 = [-84, -19, 0, 5, 117, 114, 0, 2, 91, 66, -84, -13, 23, -8, 6, 8, 84, -32, 2, 0, 0, 120, 112, 0, 0, 0, 12, 0, 0, 0, 12, 8, -18, -28, -63, -23, 7, 16, 0]
01-25 03:50:26.617 I/Xposed  ( 6657): param14 before = null
01-25 03:50:26.617 I/Xposed  ( 6657): param14 be error : java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String java.lang.Object.toString()' on a null object reference
01-25 03:50:26.618 I/Xposed  ( 6657): hook nativeEncodeRequest afterok???
01-25 03:50:26.618 I/Xposed  ( 6657): return now is : class [B[-84, -19, 0, 5, 117, 114, 0, 2, 91, 66, -84, -13, 23, -8, 6, 8, 84, -32, 2, 0, 0, 120, 112, 0, 0, 1, 60, 0, 0, 1, 60, 0, 0, 0, 10, 1, 0, 0, 0, 68, -99, 68, 46, -66, -78, 95, 57, -24, -40, -54, 78, -89, -110, -72, -77, -28, 11, 26, -68, -60, -58, -20, 75, -103, -32, -36, 0, 49, -68, 92, 118, 18, -2, -57, 92, -127, -109, 17, 78, 35, -6, 55, -82, -13, 123, -55, 104, -59, 61, 110, 82, -20, 15, -60, 35, 51, -52, -119, -78, -63, -107, -33, 16, 46, 0, 0, 0, 0, 14, 50, 49, 48, 48, 51, 50, 55, 48, 50, 50, -12, -116, 109, 94, 39, 10, 31, 13, -59, 110, -85, 84, -109, 98, -105, 26, -51, 73, 12, -117, 118, 77, 78, 74, 92, 57, 49, -61, 64, -18, 56, 100, 7, -66, 45, -128, 37, 76, -99, 118, -113, 102, 94, 117, -11, 45, 3, 106, -72, 19, 37, 52, -58, -116, 60, -2, -95, 92, 57, 13, 42, -128, 37, -99, 32, -11, -16, 28, 80, 51, 70, -28, 56, -61, -34, 18, -61, -10, -57, 83, 61, -29, -86, 116, 112, 34, 6, -94, 57, -57, 55, -79, 38, -53, 78, -58, 98, -18, 52, -58, -15, -98, -49, 73, 47, 23, -29, -74, -118, -16, -8, -103, 34, 9, -45, 87, 93, -105, -80, 103, 4, 82, -111, -128, 25, 68, 63, -101, 116, 113, 124, -122, 103, 92, 69, 111, 23, -98, 3, 0, 49, -98, 17, -7, -127, -63, 0, 55, 37, 90, 126, -125, 105, 115, 8, 32, -70, 64, -74, -89, -44, -67, 1, 5, -116, 32, 88, 42, 110, 5, -80, 120, 4, 15, 111, 9, 124, -80, 38, 57, 7, -23, 110, 124, 15, 57, -118, -76, 27, 48, 24, -114, -4, -12, -98, 44, -50, 47, -116, 124, -59, -47, 5, -110, 76, 68, -7, -27, -79, -38, 13, 81, -120, 13, 19, 63, 73, -77, 117, 76, -107, 10, 110, -120]
01-25 03:50:26.618 I/Xposed  ( 6657): return is

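I don't know why the 14th parameter, which jadx shows as a byte[] input parameter, cannot be printed no matter what I try; it shows up as a null pointer. I wondered whether this is where the key is passed, but only the first time and not afterwards, so that it really is just a null pointer being passed. But an encryption function should be passed a key...

So over the next couple of days I will go on to analyze the so layer.

The code is as follows: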


package com.example.liuti.hooksport;

import android.app.Application;
import android.content.Context;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.util.Arrays;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

import static de.robv.android.xposed.XposedBridge.log;

public class HookSport implements IXposedHookLoadPackage {

    @Override
    public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
        // filter: only act inside the QQ process
        if (!loadPackageParam.packageName.equals("com.tencent.mobileqq")) {
            return;
        }

        // XposedHelpers.findAndHookMethod("com.tencent.qphone.base.util.QLog", loadPackageParam.classLoader,
        //         "setManualLogLevel", int.class, new XC_MethodHook() {
        //     // perform the hook
        //     protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        //         param.setResult(true);
        //         log("hook setManualLogLevel ok");
        //     }
        // });

        // Hook Application.attach first and load the target class through the
        // app's own ClassLoader, taken from the Context passed to attach().
        XposedHelpers.findAndHookMethod(Application.class, "attach", Context.class, new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                ClassLoader cl = ((Context) param.args[0]).getClassLoader();
                Class<?> hookclass = null;
                try {
                    hookclass = cl.loadClass("com.tencent.qphone.base.util.CodecWarpper");
                    log("hook CodecWarpper ok");
                } catch (Exception e) {
                    return;
                }

                // XposedHelpers.findAndHookMethod(hookclass, "nativeOnReceData", byte[].class, new XC_MethodHook() {
                //     // perform the hook
                //     protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                //         //param.setResult(true);
                //         log("hook nativeEncodeRequest ok");
                //     }
                // });

                // Overload 1 (15 parameters): only log that it was called.
                XposedHelpers.findAndHookMethod(hookclass, "nativeEncodeRequest",
                        int.class, String.class, String.class, String.class, String.class, String.class,
                        byte[].class, int.class, int.class, String.class, byte.class, byte.class,
                        byte[].class, byte[].class, boolean.class, new XC_MethodHook() {
                    // perform the hook
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                        //param.setResult(true);
                        log("hook nativeEncodeRequest 1ok???");
                        //log("1" + param.args[2].toString());
                    }
                });

                // Overload 2 (16 parameters): the one that is normally called.
                // Dump every argument before the call and the result after it.
                XposedHelpers.findAndHookMethod(hookclass, "nativeEncodeRequest",
                        int.class, String.class, String.class, String.class, String.class, String.class,
                        byte[].class, int.class, int.class, String.class, byte.class, byte.class, byte.class,
                        byte[].class, byte[].class, boolean.class, new XC_MethodHook() {
                    // perform the hook
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                        //param.setResult(true);
                        log("hook nativeEncodeRequest 2ok???");
                        //log("param count = " + param.)
                        log("param1 = " + param.args[0].getClass() + " data =  " + param.args[0].toString());
                        log("param2 = " + param.args[1].getClass() + " data =  " + param.args[1].toString());
                        log("param3 = " + param.args[2].getClass() + " data =  " + param.args[2].toString());
                        log("param4 = " + param.args[3].getClass() + " data =  " + param.args[3].toString());
                        log("param5 = " + param.args[4].getClass() + " data =  " + param.args[4].toString());
                        log("param6 before = " + param.args[5].getClass() + " data =  " + param.args[5].toString());
                        //String param6 = ByteArrayToHexString(objectToByteArray(param.args[5]));
                        //log("param6 = " + param6);
                        try {
                            // toString() on a byte[] only prints its identity, e.g. [B@b9790c9
                            log("param7 before = " + param.args[6].getClass() + " data =  " + param.args[6].toString());
                        } catch (Exception e) {
                            log("param7 be error : " + e.toString());
                            return;
                        }
                        try {
                            log("param7 now= " + Arrays.toString(objectToByteArray(param.args[6])));
                            String param7 = ByteArrayToHexString(objectToByteArray(param.args[6]));
                            log("param7 = " + param7);
                        } catch (Exception e) {
                            log("param7 error : " + e.toString());
                            return;
                        }
                        log("param8 = " + param.args[7].getClass() + " data =  " + param.args[7].toString());
                        log("param9 = " + param.args[8].getClass() + " data =  " + param.args[8].toString());
                        log("param10 = " + param.args[9].getClass() + " data =  " + param.args[9].toString());
                        log("param11 = " + param.args[10].getClass() + " data =  " + param.args[10].toString());
                        log("param12 = " + param.args[11].getClass() + " data =  " + param.args[11].toString());
                        log("param13 = " + param.args[12].getClass() + " data =  " + param.args[12].toString());
                        //String param13 = ByteArrayToHexString(objectToByteArray(param.args[12]));
                        //log("param13 = " + param13);

                        // try {
                        //     log("param14 before = " + param.args[13].getClass());
                        //     log(" data =  " + param.args[13].toString());
                        // } catch (Exception e) {
                        //     log("param14 be error : " + e.toString());
                        //     return;
                        // }
                        // try {
                        //     String param14 = Arrays.toString(objectToByteArray(param.args[13]));
                        //     log("param14 = " + param14);
                        // } catch (Exception e) {
                        //     log("param14 error : " + e.toString());
                        //     return;
                        // }

                        try {
                            log("param15 type = " + param.args[14].getClass());
                            log("param15 before = " + Arrays.toString(objectToByteArray(param.args[14])));
                            log(" data =  " + param.args[14].toString());
                        } catch (Exception e) {
                            log("param15 be error : " + e.toString());
                            return;
                        }
                        try {
                            String param15 = Arrays.toString(objectToByteArray(param.args[14]));
                            log("param15 = " + param15);
                        } catch (Exception e) {
                            log("param15 error : " + e.toString());
                            return;
                        }
                        try {
                            // In the captured log args[13] is null, so the toString()
                            // call below throws the NullPointerException that is logged.
                            log("param14 before = " + param.args[13]);
                            log(param.args[13].toString());
                            log(" data =  " + param.args[13].toString());
                        } catch (Exception e) {
                            log("param14 be error : " + e.toString());
                            return;
                        }
                        try {
                            String param14 = Arrays.toString(objectToByteArray(param.args[13]));
                            log("param14 = " + param14);
                        } catch (Exception e) {
                            log("param14 error : " + e.toString());
                            return;
                        }
                    }

                    @Override
                    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                        //param.setResult(true);
                        log("hook nativeEncodeRequest afterok???");
                        String res = ByteArrayToHexString(objectToByteArray(param.getResult()));
                        log("return now is : " + param.getResult().getClass()
                                + Arrays.toString(objectToByteArray(param.getResult())));
                        log("return is : " + res);
                    }
                });

                // Overload 3 (14 parameters): only log that it was called.
                XposedHelpers.findAndHookMethod(hookclass, "nativeEncodeRequest",
                        int.class, String.class, String.class, String.class, String.class, String.class,
                        byte[].class, int.class, int.class, String.class, byte.class, byte.class,
                        byte[].class, boolean.class, new XC_MethodHook() {
                    // perform the hook
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                        //param.setResult(true);
                        log("hook nativeEncodeRequest 3ok???");
                        //log("1" + param.args[2].toString());
                    }
                });
            }
        });
    }

    // Upper-case hex encoding of a byte array.
    private static String ByteArrayToHexString(byte[] bytes) {
        final char[] hexArray = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'};
        char[] hexChars = new char[bytes.length * 2];
        int v;
        for (int j = 0; j < bytes.length; j++) {
            v = bytes[j] & 0xFF;
            hexChars[j * 2] = hexArray[v >>> 4];
            hexChars[j * 2 + 1] = hexArray[v & 0x0F];
        }
        return new String(hexChars);
    }

    // Java-serializes obj with ObjectOutputStream. For a byte[] the result is the
    // serialization header followed by the array bytes, which is why every dump
    // in the log starts with ACED0005 (-84, -19, 0, 5).
    public static byte[] objectToByteArray(Object obj) throws IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
        objectOutputStream.writeObject(obj);
        return byteArrayOutputStream.toByteArray();
    }
}

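As for this way of outputting byte[]: I have never learned Java, so it all came from Baidu searches. When I have time I really need to brush up on the basics. If you have ideas about printing byte[], feel free to leave a comment.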
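Every byte[] dump in the log above begins with ACED0005 because objectToByteArray Java-serializes the array instead of reading its bytes. The following plain-Java program is an added example, not the author's code (the class and method names are hypothetical): it serializes the four trailing bytes of the `param7 =` log line the same way the post does, formats a byte[] argument directly with a null-safe helper, and recovers the raw array from an already-logged serialized dump.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

public class ByteArgLogDemo {
    // Upper-case hex of raw bytes, same output format as ByteArrayToHexString.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02X", b & 0xFF));
        return sb.toString();
    }

    // Null-safe description of one hooked argument; byte[] is cast and dumped directly.
    static String describe(Object arg) {
        if (arg == null) return "null";
        if (arg instanceof byte[]) {
            byte[] raw = (byte[]) arg;
            return "byte[" + raw.length + "] " + hex(raw);
        }
        return arg.getClass().getName() + " " + arg;
    }

    // The approach used in the post: Java serialization of the object.
    static byte[] javaSerialize(Object obj) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Recover the real array from a serialized dump that was already logged.
    static byte[] unwrap(byte[] serialized) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serialized))) {
            return (byte[]) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Sample input: the last four bytes of the "param7 =" line in the log.
        byte[] payload = {(byte) 0xCC, 0x49, 0x7C, (byte) 0xA1};
        byte[] wrapped = javaSerialize(payload);
        System.out.println("serialized : " + hex(wrapped));
        System.out.println("direct     : " + describe(payload));
        System.out.println("unwrapped  : " + describe(unwrap(wrapped)));
        System.out.println("null arg   : " + describe(null));
    }
}
```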
