代码链接:聊呗红包插件 基于xposed的聊呗红包插件。 原理: 1.hook360加固的软件 对聊呗进行反编译,发现用360加固了代码,直接hook方法名是hook不到的。如图: 需要这样处理: 找到attachBaseContext方法,并hook此方法attachBaseContext
findAndHookMethod("com.stub.StubApp", loadPackageParam.classLoader, "attachBaseContext", Context.class, new XC_MethodHook() { @Override protected void afterHookedMethod(MethodHookParam param) throws Throwable { super.afterHookedMethod(param); //获取到360的Context对象,通过这个对象来获取classloader Context context = (Context) param.args[0]; //获取360的classloader,之后hook加固后的就使用这个classloader ClassLoader classLoader = context.getClassLoader();2.获取聊天消息 主要是hook以下方法获取聊呗的聊天消息
findAndHookMethod("com.cqchat.j.n.c.c.b.b.f", classLoader,"a","com.cqchat.e.a.k.o",new XC_MethodHook() { @Override protected void afterHookedMethod(MethodHookParam param) throws Throwable { super.afterHookedMethod(param); JSONObject jsonobject = new JSONObject(param.args[0].toString()); int messagetype = jsonobject.getInt("msgtp"); if( messagetype == 15){//16为拆开红包消息 if(!pre.open()){ return; }3.打开红包:
private void qiang_hb(String mtdata,String uid,String uuid,String ver,String roomname,String sengname,String msg,Long starttime){ //抢 String openLuckyMoneyUrl = new StringBuffer("https://api.liaobe.cn/csh/rhb?") .append("cid").append("=").append(1003) .append("&").append("cpt").append("=").append("1566733373002") .append("&").append("data").append("=").append(mtdata) .append("&").append("den").append("=").append("iPhone 6S") .append("&").append("dv").append("=").append(2) .append("&").append("evs").append("=").append("e_0.0.1") .append("&").append("idfa").append("=").append(uuid) .append("&").append("pkgn").append("=").append("com.chaoqu.lailiaobei") .append("&").append("uid").append("=").append(uid) .append("&").append("uuid").append("=").append(uuid) .append("&").append("ver").append("=").append(ver) .toString(); try { URL url = new URL(openLuckyMoneyUrl); HttpURLConnection connection = (HttpURLConnection) url.openConnection(); connection.setDoOutput(true); // 设置该连接是可以输出的 connection.setRequestMethod("GET"); // 设置请求方式 connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8"); BufferedReader br = new BufferedReader(new InputStreamReader(connection.getInputStream(), "gbk")); String line = null; StringBuilder result = new StringBuilder(); while ((line = br.readLine()) != null) { // 读取数据 result.append(line + "\n"); } connection.disconnect(); JSONObject r=new JSONObject(result.toString()); if (r.getInt("r")==0){ getdetail( mtdata, uid, uuid, ver, roomname, sengname, msg,starttime); } else { toast("没抢到"); } // int start=r.indexOf("{"); // int end=r.indexOf(";"); // json=r.substring(start,end); }catch (Exception e) { XposedBridge.log(e); } }4.红包详情
private void getdetail(String mtdata,String uid,String uuid,String ver,String roomname,String sengname,String msg,Long starttime){ String datail_url = new StringBuffer("https://api.liaobe.cn/csh/hb?") .append("data").append("=").append(mtdata) .append("&").append("cpt").append("=").append("1566733373002") .append("&").append("uid").append("=").append(uid) .append("&").append("uuid").append("=").append(uuid) .append("&").append("ver").append("=").append(ver) .toString(); try { URL Datail_url = new URL(datail_url); HttpURLConnection connection2 = (HttpURLConnection) Datail_url.openConnection(); connection2.setDoOutput(true); // 设置该连接是可以输出的 connection2.setRequestMethod("GET"); // 设置请求方式 connection2.setRequestProperty("Content-Type", "application/x-www-form-urlencoded;charset=UTF-8"); BufferedReader br2 = new BufferedReader(new InputStreamReader(connection2.getInputStream(), "utf-8")); String line2 = null; StringBuilder result2 = new StringBuilder(); while ((line2 = br2.readLine()) != null) { // 读取数据 result2.append(line2 + "\n"); } connection2.disconnect(); long endtime = new Date().getTime(); Long time = (endtime - starttime); //JSONObject r2 = new JSONObject( new String(result2.toString().getBytes("UTF-8"), "gbk")); JSONObject r2 = new JSONObject( result2.toString()); //{"data":{ // "hb":{ // "hbid":2004201913224065181, // "tno":"302004201913224065181", // "rid":184385545, // "tp":1, // "tuid":0, // "sts":1, // "msg":"580", // "tkncnt":8, // "cnt":9, // "tknamt":288.19, // "amt":300, // "tmlngth":0, // "ise":1, // "rmny":12.94, // "ct":1587381202000, // "rcvrs":[{"hbrid":2004201913224095240,"uid":1045755620,"unk":"赵先生","mny":1.28,"ismxmny":0,"tm":1587381203000},{"hbrid":2004201913224015203,"uid":1082831766,"unk":"秒7","mny":61.4,"ismxmny":1,"tm":1587381203000},{"hbrid":2004201913224075230,"uid":1098543977,"unk":"中了","mny":55.01,"ismxmny":0,"tm":1587381203000},{"hbrid":2004201913224055220,"uid":1082602970,"unk":"秒4","mny":25.23,"ismxmny":0,"tm":1587381203000},{"hbrid":2004201913224085196,"uid":1052538681,"unk":"根号③","mny":12.94,"ismxmny":0,"tm":1587381203000},{"hbrid":2004201913224075234,"uid":1098502204,"unk":"惜念星空","mny":53.95,"ismxmny":0,"tm":1587381203000},{"hbrid":2004201913224055226,"uid":1097491545,"unk":"王大少爷","mny":44.58,"ismxmny":0,"tm":1587381203000}]}}, // "m":"","r":"0"} JSONObject hb1 = r2.getJSONObject("data"); JSONObject hb2 = hb1.getJSONObject("hb"); Double rmny = hb2.getDouble("rmny"); if(rmny>0){ Qiang_flang =true; } String from = "抢到:"+ rmny + "元\n" +"群名:" + roomname + "\n" +"来自:" + sengname+ "\n" +"留言:" + msg + "\n" + "耗时:" +time + "ms"; toast(from); XposedBridge.log(r2.toString()); }catch (Exception e) { XposedBridge.log(e); } }界面
