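The app says that ads are removed after a donation; tapping Donate shows the prompt "Please log in with WeChat first".
Decompile resources.arsc with MT Manager and locate the keyword weixin_login_first.
MT Manager shows that the app is packed with 360 Jiagu; its one-tap unpacking is enough.
Drag the resulting 6 dex files into JADX and search for the keyword.
This leads to a check on user_logged; double-click to jump to its declaration, where the keyword user_pay appears.
Right-click and find usages: one piece of code is return user_pay, which looks a bit suspicious, so open it and take a look.
Roughly, this code reads the file user.info from sdcard/WindCloud/user, decrypts it, and reads the value of user_pay.
So at this point we simply try hooking the return value with Frida.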
```javascript
Java.perform(function () {
    var ActivityThread = Java.use("android.app.ActivityThread");
    // Install the hook only after an activity has been launched.
    ActivityThread.performLaunchActivity.overload(
        "android.app.ActivityThread$ActivityClientRecord",
        "android.content.Intent"
    ).implementation = function (record, intent) {
        var activity = this.performLaunchActivity(record, intent);
        if (activity === null) {
            return activity;
        }
        var SharedPreferencesImpl = Java.use("android.app.SharedPreferencesImpl");
        SharedPreferencesImpl.getString.overload(
            "java.lang.String",
            "java.lang.String"
        ).implementation = function (key, value) {
            var result = this.getString(key, value);
            // Override only the user_pay lookup; every other key is passed through.
            if (key === "user_pay") {
                return "999";
            }
            return result;
        };
        return activity;
    };
});
```
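Opening the app now shows "Thank you for having donated 5.0 yuan or more", and the ads are gone as well.
Next, the logic of the Frida script just needs to be converted into Xposed module code.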
```java
package hack.fygsgc.vip;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

public class MainHook implements IXposedHookLoadPackage {
    @Override
    public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam param_my) {
        XposedHelpers.findAndHookMethod(
            "android.app.SharedPreferencesImpl",
            param_my.classLoader,
            "getString",
            String.class,
            String.class,
            new XC_MethodHook() {
                @Override
                protected void afterHookedMethod(MethodHookParam param) {
                    // Same logic as the Frida script: only the user_pay lookup is changed.
                    String key = (String) param.args[0];
                    if ("user_pay".equals(key)) {
                        param.setResult("999");
                    }
                }
            }
        );
    }
}
```
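
The walkthrough works because the app trusts a bare user_pay value held on the device. The following is an added example, not code from the app or from the original post, showing the app-side counterpart: the donation status is accepted only when it carries a valid server signature. The class name, the token format and the user IDs are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

// Added example with hypothetical names: accept user_pay only inside a server-signed token.
public class EntitlementCheck {

    // Assumed token format: base64(payload) + "." + base64(signature),
    // payload = "<userId>|<user_pay>" (userId must not contain '|').
    static String issue(PrivateKey serverKey, String userId, String userPay) throws GeneralSecurityException {
        byte[] payload = (userId + "|" + userPay).getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(serverKey);
        s.update(payload);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(payload) + "." + enc.encodeToString(s.sign());
    }

    // Returns the signed user_pay value, or null when the token is missing,
    // malformed, unsigned, altered, or issued for a different user.
    static String verifiedUserPay(PublicKey serverPub, String userId, String token) {
        if (token == null) return null;
        try {
            String[] parts = token.split("\\.");
            if (parts.length != 2) return null;
            byte[] payload = Base64.getDecoder().decode(parts[0]);
            byte[] sig = Base64.getDecoder().decode(parts[1]);
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initVerify(serverPub);
            s.update(payload);
            if (!s.verify(sig)) return null;
            String[] fields = new String(payload, StandardCharsets.UTF_8).split("\\|");
            if (fields.length != 2 || !fields[0].equals(userId)) return null;
            return fields[1];
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null; // bad base64 or bad signature encoding counts as "not entitled"
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key pair; in a real deployment only the public key ships in the app.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair kp = kpg.generateKeyPair();
        String token = issue(kp.getPrivate(), "u123", "5");
        System.out.println("valid token:    " + verifiedUserPay(kp.getPublic(), "u123", token));
        System.out.println("bare value 999: " + verifiedUserPay(kp.getPublic(), "u123", "999"));
        System.out.println("other user:     " + verifiedUserPay(kp.getPublic(), "u456", token));
    }
}
```

A signature check only stops a substituted stored value; any decision made purely on the device can still be altered by the same kind of instrumentation, so anything of real value should also be enforced on the server.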