目标App:

WX20220110-163459@2x.png

Charles开启代理, 手机修改proxy后, 打开App显示, 并且App无法连接网络:

WX20220110-163630@2x.png

看提示知道是进行了代理检测,

脱壳

jadx反编译打开后发现App加壳了, 先进行脱壳, 参见文章 https://www.jianshu.com/p/aef7cdca8263

脱完后打开, 搜索 isWifiProxy,

WX20220110-161537@2x.png

WX20220110-161624.png

编写Xposed hook代码

1, 新建一个xposed项目:

WX20220110-161749.png

2, 准备:
AndroidMainiFest.xml文件粘贴如下代码:

WX20220110-161904.png

 <meta-data

            android:name="xposedmodule" // 说明这是个xposed模块

            android:value="true" />

        <meta-data

            android:name="xposeddescription"

            android:value="这是一个Xposed例程" /> //模块描述

        <meta-data

            android:name="xposedminversion"

            android:value="53" /> // 该模块支持的最低版本, 如53

如下位置新建assets文件夹, 并新建一个txt文件:

WX20220110-162218.png

build.gradle的dependencies粘贴如下代码,让AndroidStuido自动给我们配置XposedBridgeApi.jar

WX20220110-162342.png

    compileOnly 'de.robv.android.xposed:api:82'
    compileOnly 'de.robv.android.xposed:api:82:sources'

3, 写hook代码
新建Module class, 代码如下(加壳App hook参考文章 https://www.jianshu.com/p/ee8ff2f80d08)

WX20220110-162528.png

package com.example.demo;

import android.app.Application;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;


//创保网--加壳
public class Module implements IXposedHookLoadPackage {
    private static final String TAG = "gantb";//无所谓, 不用改
    public static XC_LoadPackage.LoadPackageParam lpparam = null;
    public static ClassLoader classLoader1 = null;

    @Override
    public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
        // 这一行修改App包名
        if (lpparam.packageName.equals("com.pingan.genbao")) {
            XposedBridge.log(" has Hooked!");
            XposedBridge.log("inner  => " + lpparam.processName);
            Class ActivityThread = XposedHelpers.findClass("android.app.ActivityThread", lpparam.classLoader);
            XposedBridge.hookAllMethods(ActivityThread, "performLaunchActivity", new XC_MethodHook() {
                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    super.afterHookedMethod(param);
                    Object mInitialApplication = (Application) XposedHelpers.getObjectField(param.thisObject, "mInitialApplication");
                    ClassLoader finalCL = (ClassLoader) XposedHelpers.callMethod(mInitialApplication, "getClassLoader");
                    XposedBridge.log("found classload is => " + finalCL.toString());
                    //这里修改方法名
                    Class BabyMain = (Class) XposedHelpers.callMethod(finalCL, "findClass", "com.sdog.SysUtils");
                    XposedBridge.log("found final class is => " + BabyMain.getName().toString());
                    fart(finalCL);
                }
            });
        }
    }

    private void fart(ClassLoader classLoader) {

        //这里修改方法名, 变量
        XposedHelpers.findAndHookMethod("com.sdog.SysUtils", classLoader, "isWifiProxy", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                super.afterHookedMethod(param);
                //这里修改返回值false, 未root
                param.setResult(false);
            }
        });
    }
}

4, 安装到手机上, 点击安装, 稍等片刻, 显示安装success, 手机自动打开, 因为咱啥也没写, 所以只有个'hello Word':

WX20220110-162809.png

WX20220110-164223@2x.png

xposed启动模块, 然后软重启即可

WX20220110-164323@2x.png

回到Android Studio, 看到demo.apk日志正常:

WX20220110-163150.png

打开App, 去抓包:

WX20220110-163407@2x.png