一直用开fakeLocation去打卡,最近出了个某妖精游戏,记得以前有一个悬浮窗可以拨弄的(虽然到现在也不知道怎么用),就想试试,去打打鼓,但是开启后发现悬浮窗会消失,点击有时候还会crash。
Crash log大致是这样的:WindowManager$BadTokenException: Unable to add window -- window android.view.ViewRootImpl$W@363f7b1 has already been added。
查询百度后发现Android高版本对全局窗口做了限制,防止滥用。特别是type为type toast的类型,三点五秒后会消失。
说个题外话,我查询52发现有另一个版本的叫fake location,是不是原作者的新作就没查证了,我使用的是如上的版本。
通过百度上面的log的关键字,就可以得出要更改type类型为system alert window。(如果有想知道是怎么回事的我这里给出一个文章link:https://www.jianshu.com/p/1445e330114b)
那么根据经验,悬浮窗一般通过addView这个函数进行添加的,那么我们通过ui的跟踪我们可以来到这个类:com.rong.xposed.fakelocation.service.f.FxService
通过搜索addView,
,发现有两个地方调用,那么我来讲一下,刚开始是一个定位的图标,点击后会展开,所以有两个addView 动作。
其中我们可以看到,有一个叫type的东西,高版本中会设为2005(TYPE_PHONE),所以我们现在要将这个值改为system alert window(2003)。
因为想要练手frida,所以那frida测试了一下
import frida, sys,io
def on_message(message, data):
if message['type'] == 'send':
print(" {0}".format(message['payload']))
else:
print(message)
jscode = """
Java.perform(function () {
var fxService = Java.use('com.rong.xposed.fakelocation.service.f.FxService');
var clazz = Java.use('java.lang.Class');
fxService.i.overload().implementation = function(){
send('i empty args')
Java.choose("com.rong.xposed.fakelocation.service.f.FxService", {
onMatch: function(instance) {
send('fxService instance:'+instance)
var fxInstance = instance
var fxClazz = Java.cast(fxInstance.getClass(),clazz)
console.log(fxClazz)
var h = fxClazz.getDeclaredField('h')
h.setAccessible(true)
var hInstance = h.get(fxInstance)
var hClazz = Java.cast(hInstance.getClass(),clazz)
console.log(hClazz)
var type = hClazz.getDeclaredField('type')
type.setAccessible(true)
var typeVal = type.get(hInstance)
console.log('before:'+typeVal)
type.setInt(hInstance,2003)
console.log('after:'+type.get(hInstance))
instance.i()
},
onComplete: function() { }
});
}
fxService.j.overload().implementation = function(){
send('j empty args')
Java.choose("com.rong.xposed.fakelocation.service.f.FxService", {
onMatch: function(instance) {
var fxInstance = instance
var fxClazz = Java.cast(fxInstance.getClass(),clazz)
console.log(fxClazz)
var j = fxClazz.getDeclaredField('j')
j.setAccessible(true)
var jInstance = j.get(fxInstance)
var jClazz = Java.cast(jInstance.getClass(),clazz)
console.log(jClazz)
var type = jClazz.getDeclaredField('type')
type.setAccessible(true)
var typeVal = type.get(jInstance)
console.log('before:'+typeVal)
type.setInt(jInstance,2003)
console.log('after:'+type.get(jInstance))
instance.j()
},
onComplete: function() { }
});
}
fxService.n.overload().implementation = function(){
send('n')
this.n()
}
fxService.o.overload().implementation = function(){
send('o')
this.o()
}
});
"""
# process = frida.get_usb_device().attach('com.rong.xposed.fakelocation')
# script = process.create_script(jscode)
# script.on('message', on_message)
# print(' Running CTF')
# script.load()
# sys.stdin.read()
device = frida.get_device_manager().enumerate_devices()[-1]
pid = device.spawn(["com.rong.xposed.fakelocation"])
session = device.attach(pid)
print(" Attach Application id:",pid)
device.resume(pid)
print(" Application onResume")
script = session.create_script(jscode)
script.on('message', on_message)
print(' Running CTF')
script.load()
sys.stdin.read()
xp版本:public class Hook implements IXposedHookLoadPackage {
@Override
public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
if (lpparam.packageName.equals("com.rong.xposed.fakelocation")) {
final Class<?> fxServiceClass = lpparam.classLoader.loadClass("com.rong.xposed.fakelocation.service.f.FxService");
XposedHelpers.findAndHookMethod(fxServiceClass, "m", new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
Field jField = fxServiceClass.getDeclaredField("j");
jField.setAccessible(true);
WindowManager.LayoutParams jLayoutParam = (WindowManager.LayoutParams) jField.get(param.thisObject);
if (jLayoutParam == null) {
jLayoutParam = new WindowManager.LayoutParams();
jLayoutParam.type = 2003;
jLayoutParam.format = 1;
jLayoutParam.flags = 8;
jLayoutParam.gravity = 8388659;
jLayoutParam.width = -2;
jLayoutParam.height = -2;
jField.set(param.thisObject, jLayoutParam);
}
super.beforeHookedMethod(param);
}
});
XposedHelpers.findAndHookMethod(fxServiceClass, "l", new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
Field hField = fxServiceClass.getDeclaredField("h");
hField.setAccessible(true);
WindowManager.LayoutParams hLayoutParam = (WindowManager.LayoutParams) hField.get(param.thisObject);
if (hLayoutParam == null) {
hLayoutParam = new WindowManager.LayoutParams();
hLayoutParam.type = 2003;
hLayoutParam.format = 1;
hLayoutParam.flags = 8;
hLayoutParam.gravity = 8388659;
hLayoutParam.width = -2;
hLayoutParam.height = -2;
hField.set(param.thisObject, hLayoutParam);
}
super.beforeHookedMethod(param);
}
});
}
}
}
然后悬浮窗就能飘起来拉,当然,小米手机记得先去给软件悬浮窗权限!
哈哈哈哈,开开心心打开游戏,被检测到了,封了一个小时,(脸上笑嘻嘻)
| 
发表于 2019-4-26 14:56
|
发表于 2019-4-29 11:00
