autojs打包的app的入口类是
com.stardust.autojs.inrt.SplashActivity
我们看看入口类的方法调用, 此处使用objection,
objection是封装的frida, 用起来更简单
01 hook类SplashActivity的所有方法
// 查看app的进程名字, 有的是包名, 有的是app名字 frida-ps -U // 开启objection, aaaxxx是进程名字 objection -g aaaxxx explore // hook类SplashActivity的所有方法 android hooking watch class com.stardust.autojs.inrt.SplashActivity
图片不清晰, 还是直接用文字吧
Agent injected and responds ok! _ _ _ _ ___| |_|_|___ ___| |_|_|___ ___ | . | . | | -_| _| _| | . | | |___|___| |___|___|_| |_|___|_|_| |___|(object)inject(ion) v1.11.0 Runtime Mobile Exploration by: @leonjza from @sensepost [tab] for command suggestions ...om.example.script1631687221234 on (smartisan: 7.1.2) [usb] # android hooking watch class com.stardust.autojs.inrt.SplashActivity (agent) Hooking com.stardust.autojs.inrt.SplashActivity._$_clearFindViewByIdCache() (agent) Hooking com.stardust.autojs.inrt.SplashActivity._$_findCachedViewById(int) (agent) Hooking com.stardust.autojs.inrt.SplashActivity.a() (agent) Hooking com.stardust.autojs.inrt.SplashActivity.b() (agent) Hooking com.stardust.autojs.inrt.SplashActivity.c() (agent) Hooking com.stardust.autojs.inrt.SplashActivity.d() (agent) Hooking com.stardust.autojs.inrt.SplashActivity.getRunScriptOnCreate() (agent) Hooking com.stardust.autojs.inrt.SplashActivity.onCreate(android.os.Bundle) (agent) Hooking com.stardust.autojs.inrt.SplashActivity.onNewIntent(android.content.Intent) (agent) Hooking com.stardust.autojs.inrt.SplashActivity.onRequestPermissionsResult(int, [Ljava.lang.String;, [I) (agent) Hooking com.stardust.autojs.inrt.SplashActivity.runScript() (agent) Hooking com.stardust.autojs.inrt.SplashActivity.setContentView(android.view.View) (agent) Registering job 522727. Type: watch-class for: com.stardust.autojs.inrt.SplashActivity ...om.example.script1631687221234 on (smartisan: 7.1.2) [usb] #
我们按返回键回到桌面, 再次打开app
(agent) [522727] Called com.stardust.autojs.inrt.SplashActivity.onCreate(android.os.Bundle) (agent) [522727] Called com.stardust.autojs.inrt.SplashActivity.getRunScriptOnCreate() (agent) [522727] Called com.stardust.autojs.inrt.SplashActivity.c() (agent) [522727] Called com.stardust.autojs.inrt.SplashActivity.b() (agent) [522727] Called com.stardust.autojs.inrt.SplashActivity.runScript() (agent) [522727] Called com.stardust.autojs.inrt.SplashActivity.d() (agent) [522727] Called com.stardust.autojs.inrt.SplashActivity._$_findCachedViewById(int) (agent) [522727] Called com.stardust.autojs.inrt.SplashActivity.a()
入口类, 用mt管理器查看
// // Decompiled by Jadx - 867ms // package com.stardust.autojs.inrt; import android.content.Intent; import android.content.SharedPreferences; import android.graphics.Typeface; import android.os.Build; import android.os.Bundle; import android.os.Handler; import android.view.View; import android.view.ViewGroup; import android.view.ViewStub; import android.view.Window; import android.view.WindowManager; import android.widget.TextView; import androidx.annotation.NonNull; import androidx.annotation.Nullable; import androidx.core.content.res.ResourcesCompat; import androidx.fragment.app.FragmentTransaction; import com.stardust.autojs.AutoJs; import com.stardust.autojs.core.ui.inflater.DynamicLayoutInflater; import com.stardust.autojs.core.ui.inflater.ResourceParser; import com.stardust.autojs.core.ui.inflater.inflaters.JsImageViewInflater; import com.stardust.autojs.core.ui.widget.JsImageView; import com.stardust.autojs.execution.ScriptExecuteActivity; import com.stardust.autojs.project.PermissionConfig; import com.stardust.pio.PFiles; import d.b.b.h.f; import d.g.c.o.a; import d.g.c.o.b; import d.g.c.o.d; import d.g.c.o.h.c; import d.g.c.o.h.e; import h.q.c.j; import java.io.InputStream; import java.util.ArrayList; import java.util.HashMap; import java.util.Iterator; import java.util.List; import java.util.Objects; public final class SplashActivity extends ScriptExecuteActivity { public static final /* synthetic */ int d = 0; public boolean e = true; public int f; public HashMap g; public SplashActivity() { } public void _$_clearFindViewByIdCache() { HashMap hashMap = this.g; if (hashMap != null) { hashMap.clear(); } } public View _$_findCachedViewById(int i) { if (this.g == null) { this.g = new HashMap(); } View view = (View) this.g.get(Integer.valueOf(i)); if (view != null) { return view; } View findViewById = findViewById(i); this.g.put(Integer.valueOf(i), findViewById); return findViewById; } /* * JADX WARNING: type inference failed for: r4v0, types: * [com.stardust.autojs.inrt.SplashActivity, android.app.Activity] */ public final void a() { getWindow().clearFlags(1024); if (Build.VERSION.SDK_INT >= 28) { Window window = getWindow(); j.d(window, "window"); Window window2 = getWindow(); j.d(window2, "window"); WindowManager.LayoutParams attributes = window2.getAttributes(); attributes.layoutInDisplayCutoutMode = 0; window.setAttributes(attributes); } Window window3 = getWindow(); j.d(window3, "window"); View decorView = window3.getDecorView(); j.d(decorView, "window.decorView"); decorView.setSystemUiVisibility(this.f); } /* * JADX WARNING: Code restructure failed: missing block: B:2:0x000a, code lost: * r0 = r0.requestListOnStartup; */ public final List<String> b() { ArrayList arrayList; PermissionConfig permissionConfig = c.d.a().permissionConfig; return (permissionConfig == null || arrayList == null) ? f.H0("android.permission.WRITE_EXTERNAL_STORAGE") : arrayList; } /* * JADX WARNING: type inference failed for: r5v0, types: * [com.stardust.autojs.inrt.SplashActivity, android.app.Activity] */ public final void c() { List<String> b = b(); if (Build.VERSION.SDK_INT >= 23) { ArrayList arrayList = new ArrayList(); for (String next : b) { if (checkSelfPermission(next) == -1) { arrayList.add(next); } } boolean z = false; Object[] array = arrayList.toArray(new String[0]); Objects.requireNonNull(array, "null cannot be cast to non-null type kotlin.Array<T>"); String[] strArr = (String[]) array; if (strArr.length == 0) { z = true; } if (!z) { requestPermissions(strArr, 11186); return; } } runScript(); } /* * JADX WARNING: type inference failed for: r3v0, types: * [android.content.Context, com.stardust.autojs.inrt.SplashActivity, * android.app.Activity] */ public final void d() { try { e.g.a(this); } catch (Exception e2) { e2.printStackTrace(); f.J0(this, e2.getMessage(), 1).b.show(); startActivity(new Intent(this, a.class).addFlags(0x10000000)); AutoJs instance = AutoJs.getInstance(); j.d(instance, "AutoJs.getInstance()"); instance.getGlobalConsole().printAllStackTrace(e2); } } public boolean getRunScriptOnCreate() { return false; } /* * JADX WARNING: type inference failed for: r9v0, types: * [android.content.Context, com.stardust.autojs.inrt.SplashActivity, * com.stardust.autojs.execution.ScriptExecuteActivity, * androidx.appcompat.app.AppCompatActivity, android.app.Activity] */ /* * JADX WARNING: Code restructure failed: missing block: B:51:0x0133, code lost: * r4 = move-exception; */ /* * JADX WARNING: Code restructure failed: missing block: B:53:?, code lost: * d.b.b.h.f.u(r0, r3); */ /* * JADX WARNING: Code restructure failed: missing block: B:54:0x0137, code lost: * throw r4; */ /* * JADX WARNING: Code restructure failed: missing block: B:57:0x0152, code lost: * if (r10 == true) goto L_0x0193; */ public void onCreate(@Nullable Bundle bundle) { long j; boolean z; boolean z2; SplashActivity.super.onCreate(bundle); SharedPreferences sharedPreferences = d.g.c.o.c.a; if (sharedPreferences == null) { sharedPreferences = (SharedPreferences) b.d.invoke(); } boolean z3 = true; boolean z4 = sharedPreferences.getBoolean("key_first_using", true); if (z4) { SharedPreferences sharedPreferences2 = d.g.c.o.c.a; if (sharedPreferences2 == null) { sharedPreferences2 = (SharedPreferences) b.d.invoke(); } sharedPreferences2.edit().putBoolean("key_first_using", false).apply(); } if (z4 || c.d.a().launchConfig.displaySplash) { j = 1000; } else { if (Build.VERSION.SDK_INT >= 23) { List<String> b = b(); if (!b.isEmpty()) { Iterator<T> it = b.iterator(); while (true) { if (it.hasNext()) { if (shouldShowRequestPermissionRationale((String) it.next())) { z2 = true; break; } } else { break; } } } } z2 = false; j = z2 ? 200 : 0; } int i = (j > 0 ? 1 : (j == 0 ? 0 : -1)); if (i != 0) { getWindow().addFlags(1024); if (Build.VERSION.SDK_INT >= 28) { Window window = getWindow(); j.d(window, "window"); Window window2 = getWindow(); j.d(window2, "window"); WindowManager.LayoutParams attributes = window2.getAttributes(); attributes.layoutInDisplayCutoutMode = 1; window.setAttributes(attributes); } Window window3 = getWindow(); j.d(window3, "window"); View decorView = window3.getDecorView(); j.d(decorView, "window.decorView"); this.f = decorView.getSystemUiVisibility(); Window window4 = getWindow(); j.d(window4, "window"); View decorView2 = window4.getDecorView(); j.d(decorView2, "window.decorView"); decorView2.setSystemUiVisibility(1024); } View inflate = View.inflate(this, 0x7f0c001f, (ViewGroup) null); j.d(inflate, "View.inflate(this, R.layout.activity_splash, null)"); SplashActivity.super.setContentView(inflate); if (i != 0) { String str = c.d.a().launchConfig.splashLayoutXml; String join = str != null ? PFiles.join("project", new String[] { str }) : null; if (join != null) { try { ResourceParser resourceParser = new ResourceParser(new d.g.c.o.f(this)); DynamicLayoutInflater dynamicLayoutInflater = new DynamicLayoutInflater(resourceParser); dynamicLayoutInflater.setContext(this); dynamicLayoutInflater.registerViewAttrSetter(JsImageView.class.getName(), new JsImageViewInflater(resourceParser)); InputStream open = getAssets().open(join); dynamicLayoutInflater.inflate(PFiles.read(open), _$_findCachedViewById(d.container)); f.u(open, (Throwable) null); z = true; } catch (Exception e2) { d.g.c.j jVar = d.g.c.j.c; j.d(jVar, "ScriptEngineService.getInstance()"); jVar.f.error(d.b.c.a.a.x("error occurs when inflating splash layout ", join, ": "), new Object[] { e2 }); z = false; } } ((ViewStub) findViewById(d.defaultSplash)).inflate(); TextView textView = (TextView) findViewById(0x7f090183); j.d(textView, "slug"); textView.setTypeface(Typeface.createFromAsset(getAssets(), "roboto_medium.ttf")); String str2 = c.d.a().launchConfig.splashText; if (!(str2 == null || str2.length() == 0)) { z3 = false; } if (!z3) { textView.setText(str2); } new Handler().postDelayed(new a(this), j); return; } c(); } public void onNewIntent(Intent intent) { j.e(intent, "intent"); SplashActivity.super.onNewIntent(intent); ScriptExecuteActivity.handleIntent$default(this, intent, (Bundle) null, 2, (Object) null); } public void onRequestPermissionsResult(int i, @NonNull String[] strArr, @NonNull int[] iArr) { j.e(strArr, "permissions"); j.e(iArr, "grantResults"); runScript(); } public final void runScript() { boolean z = (e.g.d.c() & 1) != 0; d(); if (!z) { if (!c.d.a().launchConfig.hideLogs) { SharedPreferences sharedPreferences = d.g.c.o.c.a; if (sharedPreferences == null) { sharedPreferences = (SharedPreferences) b.d.invoke(); } String string = d.g.b.b.f.a().getString(0x7f100071); j.d(string, "get().getString(resId)"); if (!sharedPreferences.getBoolean(string, false)) { _$_findCachedViewById(d.container).removeAllViews(); a(); setStatusBarColor(ResourcesCompat.getColor(getResources(), 0x7f0600cd, getTheme())); FragmentTransaction beginTransaction = getSupportFragmentManager().beginTransaction(); a aVar = new a(); Bundle bundle = new Bundle(); bundle.putBoolean("hide_back", true); aVar.setArguments(bundle); beginTransaction.replace(0x7f09007a, aVar).commit(); return; } } finish(); } } public void setContentView(View view) { j.e(view, "view"); if (this.e) { a(); if (!getStatusBarColorSet()) { setStatusBarColor(ResourcesCompat.getColor(getResources(), 0x7f0600cd, getTheme())); } } this.e = false; SplashActivity.super.setContentView(view); } }
未完待续
