duangsuse::Echo

重启再看看

21 views09:56

duangsuse::Echo

>> class-trace com.drakeet.purewriter.Ww
## Setting Hooks
   -- Hooked com.drakeet.purewriter.Ww
>> class-trace android.widget.Toast
## Setting Hooks
   -- Hooked android.widget.Toast
>> resume
## Process Resumed
>> ## trace thread <1> main        (running suspended)
   -- com.drakeet.purewriter.Ww.WwWw()V:0
   -- com.drakeet.purewriter.AboutActivity.onCreate(Landroid/os/Bundle;)V:9
      -- this=Lcom/drakeet/purewriter/AboutActivity; <830058757392>
   -- android.app.Activity.performCreate(Landroid/os/Bundle;)V:1
      -- this=Lcom/drakeet/purewriter/AboutActivity; <830058757392>
      -- icicle=None

就是这个类！抓住现行一次 🙈

22 views09:59

duangsuse::Echo

在 AboutActivity 被创建时唤起一次

22 views10:00

duangsuse::Echo

既然是这样，我就要 Hook PackageManager 这样的类了

21 views10:00

duangsuse::Echo

第二次抓住现行！

21 views10:04

duangsuse::Echo

This media is not supported in your browser

VIEW IN TELEGRAM

19 views10:04

duangsuse::Echo

现在所有的对象都在我手里, 我可以随便看

19 views10:05

duangsuse::Echo

This media is not supported in your browser

VIEW IN TELEGRAM

18 views10:05

duangsuse::Echo

   -- com.drakeet.purewriter.ts.Wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww(Landroid/content/Context;Ljava/lang/String;)Landroid/content/pm/Pac
      kageInfo;:6
      -- this=Lcom/drakeet/purewriter/ts; <830063735840>

就是你这个坏家伙在 Activity 堆操作时调用了自省 API android.content.pm.PackageInfo android.app.ApplicationPackageManager.getPackageInfo(java.lang.String, int)

27 views10:07

duangsuse::Echo

值得注意的地方是这些都是异步操作

  -- java.util.concurrent.FutureTask.run()V:30
      -- this=Ljava/util/concurrent/ScheduledThreadPoolExecutor$ScheduledFutureTask; <830058067072>
      -- c=Lcom/drakeet/purewriter/alf; <830058067040>
-- snip --
   -- java.lang.Thread.run()V:6
      -- this=Lcom/drakeet/purewriter/ald$Wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww; <830055181040>

19 views10:08

duangsuse::Echo

## trace thread <1> main        (running suspended)
   -- com.drakeet.purewriter.Ww.WwWvw()V:0
   -- com.drakeet.purewriter.AboutActivity.onDestroy()V:0
      -- this=Lcom/drakeet/purewriter/AboutActivity; <830059138752>
   -- android.app.Activity.performDestroy()V:13
      -- this=Lcom/drakeet/purewriter/AboutActivity; <830059138752>
   -- android.app.Instrumentation.callActivityOnDestroy(Landroid/app/Activity;)V:0
      -- this=Landroid/app/Instrumentation; <830053404864>
      -- activity=Lcom/drakeet/purewriter/AboutActivity; <830059138752>

果然是你 com.drakeet.purewriter.Ww.WwWvw

20 viewsedited 10:09

duangsuse::Echo

This media is not supported in your browser

VIEW IN TELEGRAM

18 views10:09

duangsuse::Echo

## trace thread <1> main (running suspended) -- com.drakeet.purewriter.Ww.WwWvw()V:0 -- com.drakeet.purewriter.AboutActivity.onDestroy()V:0 -- this=Lcom/drakeet/purewriter/AboutActivity; <830059138752> -- android.app.Activity.performDestroy()V:13…

这是个静态方法，估计是在为调用 native 逻辑校验签名做预备（

18 views10:10

duangsuse::Echo

 -- android.app.ApplicationPackageManager.getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;:8
      -- this=Landroid/app/ApplicationPackageManager; <830060831888>
      -- packageName=com.drakeet.purewriter
      -- flags=64
   -- com.drakeet.purewriter.ts.Wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww(Landroid/content/Context;Ljava/lang/String;)Landroid/content/pm/Pac
      kageInfo;:6

还是这个

com.drakeet.purewriter.ts.Wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww(Landroid/content/Context;Ljava/lang/String;)Landroid/content/pm/PackageInfo;:6

20 views10:12

duangsuse::Echo

19 views10:12

duangsuse::Echo

This media is not supported in your browser

VIEW IN TELEGRAM

18 views10:12

duangsuse::Echo

随便看几个对象然后 resume 好了
如果是单线程应用调试起来还方便一些

看情况真正的验证还没有开始，过会还会中断的

18 views10:14

duangsuse::Echo

>> navi
## navigating process state at http://localhost:8080
   -- Process suspended for navigation.

18 views10:15

duangsuse::Echo

感觉暂停的不是时候，好像没什么可看的（

17 views10:22

duangsuse::Echo

不过感觉很好

19 views10:24

duangsuse::Echo

@drakeet 果然 #dalao

19 views10:25

About

Blog

Apps

Platform