Detailed explanation of using Android HOOK tool Cydia Substrate

Cydia Substrate is a code modification platform. It can modify the code of any main process, whether it is written in Java or C/C++ (native code). Xposed only supports HOOKing java functions in app_process, so Cydia Substrate is a powerful and practical HOOK tool.

Official website: http://www.cydiasubstrate.com/

Demo address: https://github.com/zencodex/cydia-android-hook

Official tutorial: http://www.cydiasubstrate.com/id/20cf4700-6379-4a14-9bc2-853fde8cc9d1

SDK download address: http://asdk.cydiasubstrate.com/zips/cydia_substrate-r2.zip

Introduction to several important APIs of Substrate

MS.hookClassLoad

Function prototype: void hookClassLoad(String name, MS.ClassLoadHook hook);

This method implements notification when the specified class is loaded. Because a class can be loaded at any time, Substrate provides a method to detect when the class of interest to the user is loaded.

MS.hookMethod

This API allows developers to provide a callback function to replace the original method. This callback function is an object that implements the MS.MethodHook interface and is a typical anonymous inner class. It contains an invoked function.

Function prototype:

 void hookMethod(Class _class, Member member, MS.MethodHook hook, MS.MethodPointer old); void hookMethod(Class _class, Member member, MS.MethodAlteration alteration);

Parameter Description

(one)

(two)

Developers are advised to use the second method, which is simpler to use and less error-prone, and does not require a separate instance of the MS.MethodPointer class.

How to use

The following example uses the official website to illustrate how to use cydia substrate. This example is to change the color of multiple interface components to violet.

Need to install: http://www.cydiasubstrate.com/download/com.saurik.substrate.apk

Step 1: Create an empty Android project. Since the created project will be loaded as a plug-in, no activity is required. Copy the substrate-api.jar in the SDK to the project/libs folder.

Step 2: Configure the Manifest file

(1) Requires the specified permission: cydia.permission.SUBSTRATE

(2) Add a meta tag with name cydia.permission.SUBSTRATE and value .Main, the class name created in the next step.

 < manifest   xmlns:android = "http://schemas.android.com/apk/res/android" >  
 < application >  
 < meta-data   android:name = "com.saurik.substrate.main"  
 android:value = ".Main" />  
 </ application >  
 < uses-permission   android:name = "cydia.permission.SUBSTRATE" />  
 </ manifest >  

Step 2: Create a class named Main. The class contains a static method initialize. When the plug-in is loaded, the code in this method will run to complete some necessary initialization work.

 import com.saurik.substrate.MS; 
  
 public   class Main {
 static   void initialize() {
 // ...code to run when extension is loaded  
 }
 }

Step 3: In order to implement HOOK and modify the code in the target class, we need to get an instance of the target class, such as resources in the example.

 public   class Main {
 static   void initialize() {
        MS.hookClassLoad( "android.content.res.Resources" , new MS.ClassLoadHook() {
 public   void classLoaded(Class<?> resources) {
 // ...code to modify the class when loaded  
 }
 });
 }
 }

Step 4: Modify the original code through the MS.MethodHook instance.

In order to call the method in the original code, we need to create an instance of the MS.MethodPointer class, which can run the original code at any time.

Here we change all green colors to violet by calling and modifying the original code of the resources object in the original code.

 public   void classLoaded(Class<?> resources) {
 Method getColor;
 try {
        getColor = resources.getMethod( "getColor" , Integer.TYPE);
    } catch (NoSuchMethodException e) {
 getColor = null ;
 } 
  
 if (getColor != null ) {
 final MS.MethodPointer old = new MS.MethodPointer(); 
  
        MS.hookMethod(resources, getColor, new MS.MethodHook() {
 public Object invoked(Object resources, Object... args)
 throws Throwable
 {
 int color = (Integer) old.invoke(resources, args);
 return color & ~ 0x0000ff00 | 0x00ff0000 ;
 }
 }, old);
 }
 }

After installing and running, I found that many font colors have changed after restarting the system. As shown in the following figure:

The code of MS.hookMethod in the example can be changed to:

 MS.hookMethod(resources, getColor, new MS.MethodAlteration<Resources, Integer>() {
 public Integer invoked(Resources resources, Object... args)
 throws Throwable
 {
 int color = invoke(resources, args);
 return color & ~ 0x0000ff00 | 0x00ffee00 ;
 }
 });

SMS monitoring example

In the following example, we implement the SMS monitoring function and print out the sender, recipient, and content of the SMS:

 1   import java.lang.reflect.Method;
 2   import android.app.PendingIntent;
 3   import android.util.Log;
 4   import com.saurik.substrate.MS;
 5    
 6   
 7   public   class Main {
 8   
 9       static   void initialize() {
 10   
 11 MS.hookClassLoad( "android.telephony.SmsManager" , new MS.ClassLoadHook() {
 12              
 13   
 14               @Override  
 15   
 16               public   void classLoaded(Class<?> SmsManager) {
 17   
 18                   //code to modify the class when loaded  
 19   
 20 Method sendTextMessage;
 twenty one   
 twenty two               try {
 twenty three   
 24 sendTextMessage = SmsManager.getMethod( "sendTextMessage" ,
 25   
 26                               new Class[]{String. class ,String. class ,String. class ,PendingIntent. class ,PendingIntent. class });
 27                      
 28   
 29 } catch (NoSuchMethodException e) {
 30   
 31 sendTextMessage = null ;
 32   
 33 }
 34   
 35 MS.hookMethod(SmsManager, sendTextMessage, new MS.MethodAlteration() {
 36   
 37                    public Object invoked(Object _this,Object... _args) throws Throwable{
 38   
 39 Log.i( "SMSHOOK" , "SEND_SMS" );
 40   
 41 Log.i( "SMSHOOK" , "destination:" +_args[ 0 ]);
 42   
 43 Log.i( "SMSHOOK" , "source:" +_args[ 1 ]);
 44   
 45 Log.i( "SMSHOOK" , "text:" +_args[ 2 ]);
 46   
 47                           return invoke(_this, _args);
 48   
 49 }
 50   
 51 });
 52              
 53   
 54 }
 55   
 56 });
 57   
 58 }
 59   
 60 }

The result after running is: