仅供学习研究,请勿用于非法用途。
原理:小说VIP校验逻辑在本地
效果:不登录VIP可使用,VIP听书、跳过下载需要观看的广告。
定位的时候很麻烦,涉及到接口类,HOOK时,需要找到实现接口的类。找到就比较简单。
setTimeout(function (){
Java.perform(function (){
let C24499tb = Java.use("tb");
C24499tb["isVipUser"].implementation = function (context) {
console.log(`C24499tb.isVipUser is called: context=${context}`);
let result = true;
console.log(`C24499tb.isVipUser result=${result}`);
return result;
};
});
});
package com.secbug.fake_vip;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
public class FAKE implements IXposedHookLoadPackage {
@Override
public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
// 判断是否是目标app
if (lpparam.packageName.equals("com.qz.freader")) {
hook(lpparam, "tb");
} else if (lpparam.packageName.equals("com.kmxs.reader")) {
hook(lpparam, "nh");
}
}
// hook 目标函数
private void hook(XC_LoadPackage.LoadPackageParam lpparam, String className) {
XposedHelpers.findAndHookMethod(className, lpparam.classLoader, "isVipUser", android.content.Context.class, new XC_MethodHook() {
/*
这里有两个重载函数,一个是beforeHookedMethod,一个afterHookedMethod
beforeHookedMethod: 函数开始,传参结束,开始运行下一行代码时
afterHookedMethod: 函数结束,即将返回返回值时
*/
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
// 设置返回值
param.setResult(true);
}
});
}
}