【xposed】学习某二字黄色图标app一键提取ck
前言
最近听说有个老秦帅模块可以一键获取某二字黄色图标app的token和UUID,今天就看一下它是怎么做的,学习一下(仅实现部分功能,远程获取公告之类的无关功能不在本文范围内)!!
感谢老秦的模块可以让大家学习到新的操作!!
免责声明
本文仅做学习交流使用,请勿用于违法,请在学习后24小时内清除相关内容。任何人在参考本文后产生的任何性质的直接、间接的损失,均由使用者承担,本文作者不承担任何责任。
分析
经分析,整个流程分为三步:
1. 注入提示
通过 hook `android.app.Activity` 的 `onCreate` 方法,在 Activity 创建后发出“注入成功,打开团团赚后返回即可看到ck”的提示
XposedHelpers.findAndHookMethod(
        "android.app.Activity",
        classLoader,
        "onCreate",
        android.os.Bundle.class,
        new XC_MethodHook() {
            // Invoked after Activity.onCreate(Bundle) returns for any Activity resolved through classLoader.
            @Override
            protected void afterHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable {
                super.afterHookedMethod(param);
                // The stored Activity doubles as a "toast already shown" flag: once it is set,
                // later onCreate calls fall through without doing anything.
                if (HookEntry.this.context != null) {
                    return;
                }
                HookEntry.this.context = (Activity) param.thisObject;
                Toast.makeText(HookEntry.this.context, "注入成功,打开团团赚后返回即可看到ck", Toast.LENGTH_SHORT).show();
            }
        });
并保存好context,用于判断并保证只在软件打开时弹出一次提示。
2. 获取相关参数
通过 hook `com.sankuai.meituan.kernel.net.impl.a` 的 `appendAnalyzeParams` 方法,拿到返回值,返回值是拼接好参数的url,可以通过这个url拿到需要的参数。这个url里带有登录态token,等同于账号凭据,不宜原样写入日志。
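XposedHelpers.findAndHookMethod(
        "com.sankuai.meituan.kernel.net.impl.a",
        classLoader,
        "appendAnalyzeParams",
        java.lang.String.class,
        new XC_MethodHook() {
            // Invoked after appendAnalyzeParams(String) returns; its result is the URL with the
            // analytics/query parameters already appended.
            @Override
            protected void afterHookedMethod(XC_MethodHook.MethodHookParam methodHookParam) throws Throwable {
                super.afterHookedMethod(methodHookParam);
                Object returned = methodHookParam.getResult();
                // getResult() is null when the hooked method returned null or threw; there is
                // nothing to parse in that case.
                if (!(returned instanceof String)) {
                    return;
                }
                String result = (String) returned;
                // The URL carries the account's session token. Writing it verbatim to the Xposed
                // log would persist a live credential in a log that is commonly exported and
                // shared, so only a non-sensitive marker is logged.
                XposedBridge.log("appendAnalyzeParams returned a URL of length " + result.length());
                showTokenAndUserID(result);
            }
        });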
3.创建对话框并显示内容
通过上一步获取到的url,匹配出对应的token、userid和uuid,并进行拼接得到最终结果,显示到对话框中。
复刻实现
首先用Android Studio创建一个项目并将xposedApi作为开发依赖。
修改清单文件描述xposed模块信息等。
创建类进行Hook操作。
创建xposed_init指定入口类。
编写代码实现Hook。
package com.yan.mtcktest;
import android.annotation.SuppressLint;
import android.app.Activity;
import android.app.AlertDialog;
import android.content.ClipData;
import android.content.ClipboardManager;
import android.content.Context;
import android.content.DialogInterface;
import android.widget.Button;
import android.widget.LinearLayout;
import android.widget.TextView;
import android.widget.Toast;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
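/**
 * Xposed module entry point for the {@code com.sankuai.meituan} package.
 *
 * <p>Installs two hooks: one on {@code Activity.onCreate} to capture a UI context and show a
 * one-time toast, and one on {@code appendAnalyzeParams} to read the parameterised URL it returns.
 * The {@code userid}, {@code token} and {@code uuid} values found in that URL are shown in a dialog
 * with copy-to-clipboard buttons.
 *
 * <p>Security note: the token handled here is a live session credential. It is deliberately kept
 * out of the Xposed log. It is still placed on the system clipboard on request; the clipboard is
 * shared state that the foreground app, the IME and (on older Android releases) background apps
 * can read.
 */
public class HookEntry implements IXposedHookLoadPackage {
    /** First Activity created in the hooked process; also serves as the "toast already shown" flag. */
    private Activity context = null;

    /**
     * Installs the hooks when the target package is loaded; every other package is ignored.
     *
     * @param loadPackageParam package name and class loader of the process being loaded
     */
    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) {
        if (!"com.sankuai.meituan".equals(loadPackageParam.packageName)) {
            return;
        }
        ClassLoader classLoader = loadPackageParam.classLoader;

        XposedHelpers.findAndHookMethod(
                "android.app.Activity",
                classLoader,
                "onCreate",
                android.os.Bundle.class,
                new XC_MethodHook() {
                    @Override
                    protected void afterHookedMethod(XC_MethodHook.MethodHookParam methodHookParam) throws Throwable {
                        super.afterHookedMethod(methodHookParam);
                        // Only the first Activity is stored, so the toast appears once per process.
                        if (HookEntry.this.context == null) {
                            HookEntry.this.context = (Activity) methodHookParam.thisObject;
                            Toast.makeText(HookEntry.this.context, "注入成功,打开团团赚后返回即可看到ck", Toast.LENGTH_SHORT).show();
                        }
                    }
                });

        XposedHelpers.findAndHookMethod(
                "com.sankuai.meituan.kernel.net.impl.a",
                classLoader,
                "appendAnalyzeParams",
                java.lang.String.class,
                new XC_MethodHook() {
                    @Override
                    protected void afterHookedMethod(XC_MethodHook.MethodHookParam methodHookParam) throws Throwable {
                        super.afterHookedMethod(methodHookParam);
                        Object returned = methodHookParam.getResult();
                        // getResult() is null when the hooked method returned null or threw.
                        if (!(returned instanceof String)) {
                            return;
                        }
                        String result = (String) returned;
                        // The URL contains the session token: never write it to the log verbatim.
                        XposedBridge.log("appendAnalyzeParams returned a URL of length " + result.length());
                        showTokenAndUserID(result);
                    }
                });
    }

    /**
     * Returns the text following the first occurrence of {@code key} in {@code url}, up to the next
     * {@code '&'} or the end of the string.
     *
     * @return the value, or {@code null} when {@code key} does not occur in {@code url}
     */
    private static String valueAfter(String url, String key) {
        int start = url.indexOf(key);
        if (start < 0) {
            return null;
        }
        start += key.length();
        int end = url.indexOf('&', start);
        // A parameter at the very end of the URL has no trailing '&'.
        return url.substring(start, end < 0 ? url.length() : end);
    }

    /**
     * Parses {@code userid}, {@code token} and {@code uuid} out of {@code str} and shows them in a
     * dialog with copy buttons. Does nothing when no Activity has been captured yet, when
     * {@code str} is {@code null}, or when none of the values is present.
     *
     * @param str URL returned by the hooked {@code appendAnalyzeParams}
     */
    @SuppressLint("SetTextI18n")
    public void showTokenAndUserID(String str) {
        if (context == null || str == null) {
            return;
        }
        String userId = valueAfter(str, "userid=");
        String token = valueAfter(str, "token=");
        String uuid = valueAfter(str, "uuid=");
        boolean hasAccountPair = userId != null && token != null;
        if (!hasAccountPair && uuid == null) {
            // The original indexed blindly and either threw or sliced an unrelated part of the URL.
            return;
        }

        LinearLayout linearLayout = new LinearLayout(context);
        linearLayout.setOrientation(LinearLayout.VERTICAL);
        TextView textView = new TextView(context);

        if (hasAccountPair) {
            textView.setText("https://i.meituan.com/mttouch/page/account?cevent=imt%2Fhomepage%2Fmine&userId="
                    + userId + "&token=" + token);
            linearLayout.addView(textView);

            Button button = new Button(context);
            button.setText("复制美团ck");
            button.setOnClickListener(view -> {
                // Puts a live credential on the shared system clipboard.
                ((ClipboardManager) HookEntry.this.context.getSystemService(Context.CLIPBOARD_SERVICE))
                        .setPrimaryClip(ClipData.newPlainText("Token and UserID", textView.getText()));
                Toast.makeText(HookEntry.this.context, "此处是复制Token后的toast提示", Toast.LENGTH_SHORT).show();
            });
            linearLayout.addView(button);
        }

        if (uuid != null) {
            Button button2 = new Button(context);
            button2.setText("复制uuid");
            button2.setOnClickListener(view -> {
                ((ClipboardManager) HookEntry.this.context.getSystemService(Context.CLIPBOARD_SERVICE))
                        .setPrimaryClip(ClipData.newPlainText("UUID", uuid));
                Toast.makeText(HookEntry.this.context, "此处是复制UUID后的toast提示", Toast.LENGTH_SHORT).show();
            });
            linearLayout.addView(button2);
        }

        TextView textView2 = new TextView(context);
        linearLayout.addView(textView2);

        // Showing the dialog is posted to the UI thread of the captured Activity.
        context.runOnUiThread(() -> new AlertDialog.Builder(HookEntry.this.context)
                .setTitle("此处是对话框标题")
                .setView(linearLayout)
                .setPositiveButton("关闭", (DialogInterface.OnClickListener) null)
                .show());
    }
}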
最终效果如图