duangsuse::Echo

19 views09:37

duangsuse::Echo

我点击了纯纯打码标签，然后它带我去了宽市场下载
回来之后就出现了这个
🌚 我无限回滚的虚拟终端已经把发生的所有事情都记录下来了

19 views09:39

duangsuse::Echo

19 views09:40

duangsuse::Echo

所以说面对调试器混淆还是很苍白无力的 🌑

## trace thread <1> main        (running suspended)
   --
      android.app.ApplicationPackageManager.getCachedString(Landroid/app/ApplicationPackageManager$ResourceName;)Ljava/lang/CharSeque
      nce;:0
      -- this=Landroid/app/ApplicationPackageManager; <830057170080>
      -- name=Landroid/app/ApplicationPackageManager$ResourceName; <830057179696>

到这里都没什么

## trace thread <1> main        (running suspended)
   -- android.app.ApplicationPackageManager.getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;:0
      -- this=Landroid/app/ApplicationPackageManager; <830057170080>
      -- packageName=me.drakeet.puremosaic
      -- flags=1
   -- com.drakeet.purewriter.vk.Wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww(Landroid/content/Context;Ljava/lang/String;)Z:5
   -- com.drakeet.purewriter.TimeMachineService.Wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww()V:55
      -- this=Lcom/drakeet/purewriter/TimeMachineService; <830057085360>
   --
      com.drakeet.purewriter.TimeMachineService.Wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww(Lcom/drakeet/purewriter/Wwwwwwwwwwwwwwwwwwwwwwww;)
      V:5

也没什么，实际上我 Hook android.content.pm.PackageInfo.getPackageInfo 会更简洁

19 views09:45

duangsuse::Echo

不过虽然弹了框，我还是没在记录里找到 Toast 类的访问记录（

18 views09:46

duangsuse::Echo

现在我能看到应用的类了

18 views09:48

duangsuse::Echo

>> classes com.drakeet
## Loaded Classes
   -- com.drakeet.purewriter.ahp
   -- com.drakeet.purewriter.Repositories$2
   -- com.drakeet.purewriter.ayr
   -- com.drakeet.purewriter.es$Wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
   -- com.drakeet.purewriter.ahq
   -- com.drakeet.purewriter.Repositories$3
   -- com.drakeet.purewriter.Kkkkkkkkkkkkkkkk
   -- com.drakeet.purewriter.ahr
   -- com.drakeet.purewriter.Repositories$4
   -- com.drakeet.purewriter.ahs
   -- com.drakeet.purewriter.Repositories$5
   -- com.drakeet.purewriter.aig$Wwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
   -- com.drakeet.purewriter.aht
   -- com.drakeet.purewriter.widget.ShortcutLayout$Wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww

18 views09:49

duangsuse::Echo

19 views09:51

duangsuse::Echo

This media is not supported in your browser

VIEW IN TELEGRAM

19 views09:52

duangsuse::Echo

不过现在打几乎是没有用的

20 views09:52

duangsuse::Echo

因为可能只是启动时检查一次

20 views09:52

duangsuse::Echo

这是 JaDX 反编译出的结果, 比 smali 好看多了

20 views09:53

duangsuse::Echo

重启再看看

21 views09:56

duangsuse::Echo

>> class-trace com.drakeet.purewriter.Ww
## Setting Hooks
   -- Hooked com.drakeet.purewriter.Ww
>> class-trace android.widget.Toast
## Setting Hooks
   -- Hooked android.widget.Toast
>> resume
## Process Resumed
>> ## trace thread <1> main        (running suspended)
   -- com.drakeet.purewriter.Ww.WwWw()V:0
   -- com.drakeet.purewriter.AboutActivity.onCreate(Landroid/os/Bundle;)V:9
      -- this=Lcom/drakeet/purewriter/AboutActivity; <830058757392>
   -- android.app.Activity.performCreate(Landroid/os/Bundle;)V:1
      -- this=Lcom/drakeet/purewriter/AboutActivity; <830058757392>
      -- icicle=None

就是这个类！抓住现行一次 🙈

22 views09:59

duangsuse::Echo

在 AboutActivity 被创建时唤起一次

22 views10:00

duangsuse::Echo

既然是这样，我就要 Hook PackageManager 这样的类了

21 views10:00

duangsuse::Echo

第二次抓住现行！

21 views10:04

duangsuse::Echo

This media is not supported in your browser

VIEW IN TELEGRAM

19 views10:04

duangsuse::Echo

现在所有的对象都在我手里, 我可以随便看

19 views10:05

duangsuse::Echo

This media is not supported in your browser

VIEW IN TELEGRAM

18 views10:05

duangsuse::Echo

   -- com.drakeet.purewriter.ts.Wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww(Landroid/content/Context;Ljava/lang/String;)Landroid/content/pm/Pac
      kageInfo;:6
      -- this=Lcom/drakeet/purewriter/ts; <830063735840>

就是你这个坏家伙在 Activity 堆操作时调用了自省 API android.content.pm.PackageInfo android.app.ApplicationPackageManager.getPackageInfo(java.lang.String, int)

27 views10:07

About

Blog

Apps

Platform