1. 本文重点记录Nanohttp配合xposed的使用
对于本文使用的样本,使用frida-dump脱壳
用jadx打开搜索关键词X-App-Token
样本代码
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
import fi.iki.elonen.NanoHTTPD;
import org.apache.commons.lang3.StringUtils;
import com.gd.aiqiyi.myHttpServer;
/*
appname: ka
packagename: com.****.market
*/
public class kuan implements IXposedHookLoadPackage {
private static final String TAG = "ka---";
public static Context CommonContext;
public static void log(String s) {
Log.i(TAG, s);
}
public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
if (loadPackageParam.packageName.equals("com.***.market")) {
XposedBridge.log("ka has Hooked!");
XposedHelpers.findAndHookMethod("com.stub.StubApp", loadPackageParam.classLoader,
//com.stub.StubApp 加壳的类
"attachBaseContext", Context.class, new XC_MethodHook() {
// attachBaseContext 加壳的方法
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
Context context = (Context) param.args[0];
ClassLoader classLoader = context.getClassLoader();
entrance(classLoader);
kk(classLoader, loadPackageParam, context);
}
});
}
};
private void kk(ClassLoader classLoader, XC_LoadPackage.LoadPackageParam loadPackageParam, Context context) throws IOException {
// http server
class myHttpServer extends NanoHTTPD {
private static final String REQUEST_ROOT = "/";
public myHttpServer() throws IOException {
// 端口是8899,也就是说要通过http://127.0.0.1:8899来访当问
// 电脑使用adb forward tcp:8899 tcp:8899 转发端口
super(8899);
start(NanoHTTPD.SOCKET_READ_TIMEOUT, true);
log("---fenfei Server---");
}
@Override
public Response serve(IHTTPSession session) {
// log("serve");
//这个就是之前分析,重写父类的一个参数的方法,
//这里边已经把所有的解析操作已经在这里执行了
return super.serve(session);
}
@Override
public Response serve(String uri, Method method, Map<String, String> headers, Map<String, String> parms, Map<String, String> files) {
// log("serve xxx");
//这就是上边的serve方法最后一行调用的那个过时的方法,这里简单的做个判断就好了
// if (!method.equals(Method.POST)) {//判断请求方式是否争取
// return newFixedLengthResponse("the request method is incoorect");
// }
log(uri);
Class<?> clazzZy = null;
try {
clazzZy = loadPackageParam.classLoader.loadClass("com.***.market.util.AuthUtils");
log("load class:" + clazzZy);
} catch (Exception e) {
log("load class err:" + Log.getStackTraceString(e));
return newFixedLengthResponse("load class is null");
}
if (StringUtils.containsIgnoreCase(uri, "getAS")) {
// String postData = files.get("postData");
String postData = parms.get("postData");
log("postdata: " + postData);
if (!StringUtils.isEmpty(postData)) {
return sign(clazzZy, postData);
}else{
return newFixedLengthResponse("postData is null");
}
}
if (StringUtils.containsIgnoreCase(uri, "")) {
String msg = "<html><body><h1>Hello AutoPy</h1>\n";
msg += "<form action='?' method='get'>\n <p>Your code: <input type='text' name='code'></p>\n" + "</form>\n";
return newFixedLengthResponse(msg + "</body></html>\n");
}
return super.serve(uri, method, headers, parms, files);
}
public Response sign(Class<?> clazzUse, String strData){
String rc = (String)XposedHelpers.callStaticMethod(clazzUse, "getAS", context, strData);
log("sign = "+rc);
return newFixedLengthResponse(rc);
}
}
new myHttpServer();
}
};
}
配合python脚本访问
