Detailed explanation of using Android HOOK tool Cydia Substrate


Cydia Substrate is a code modification platform. It can modify the code of any main process, whether that code is written in Java or in C/C++ (native code). Xposed only supports hooking Java functions in app_process, so Cydia Substrate is a powerful and practical hooking tool.

Official website: http://www.cydiasubstrate.com/

Demo address: https://github.com/zencodex/cydia-android-hook

Official tutorial: http://www.cydiasubstrate.com/id/20cf4700-6379-4a14-9bc2-853fde8cc9d1

SDK download address: http://asdk.cydiasubstrate.com/zips/cydia_substrate-r2.zip

Introduction to several important APIs of Substrate

MS.hookClassLoad

Function prototype: void hookClassLoad(String name, MS.ClassLoadHook hook);

This method implements notification when the specified class is loaded. Because a class can be loaded at any time, Substrate provides a method to detect when the class of interest to the user is loaded.

  

Parameters:

name - Package name + class name, using the Java . separator

hook - An instance of MS.ClassLoadHook. When this class is loaded, its classLoaded method will be executed.

MS.hookMethod

This API allows developers to provide a callback function to replace the original method. This callback function is an object that implements the MS.MethodHook interface and is a typical anonymous inner class. It contains an invoked function.

Function prototype:

    void hookMethod(Class _class, Member member, MS.MethodHook hook, MS.MethodPointer old);
    void hookMethod(Class _class, Member member, MS.MethodAlteration alteration);

Parameter description

(1) First prototype:

_class - The target class; this is the class parameter passed to classLoaded.

member - The method (or constructor) to be hooked, obtained through reflection. Note: You cannot hook fields (this is checked at compile time).

hook - An instance of MS.MethodHook. Its invoked method will be called in place of the code in member.

(2) Second prototype:

_class - The target class; this is the class parameter passed to classLoaded.

member - The method (or constructor) to be hooked, obtained through reflection. Note: You cannot hook fields (this is checked at compile time).

alteration - An instance of MS.MethodAlteration whose boxed invoked method will be called instead of member. This instance is also filled in with information from the original implementation, allowing you to use invoke to call the original method implementation.

Developers are advised to use the second method, which is simpler to use and less error-prone, and does not require a separate instance of the MS.MethodPointer class.

How to use

The following example, taken from the official website, illustrates how to use Cydia Substrate. It changes the color of multiple interface components to violet.

Substrate itself must be installed on the device first: http://www.cydiasubstrate.com/download/com.saurik.substrate.apk

Step 1: Create an empty Android project. Since the created project will be loaded as a plug-in, no activity is required. Copy the substrate-api.jar in the SDK to the project/libs folder.

Step 2: Configure the Manifest file

(1) Requires the specified permission: cydia.permission.SUBSTRATE

(2) Add a meta-data tag with name com.saurik.substrate.main and value .Main, the name of the class created in the next step.

    <manifest xmlns:android="http://schemas.android.com/apk/res/android">
        <application>
            <meta-data android:name="com.saurik.substrate.main"
                       android:value=".Main"/>
        </application>
        <uses-permission android:name="cydia.permission.SUBSTRATE"/>
    </manifest>

Step 2: Create a class named Main. The class contains a static method initialize. When the plug-in is loaded, the code in this method will run to complete some necessary initialization work.

    import com.saurik.substrate.MS;

    public class Main {
        static void initialize() {
            // ...code to run when extension is loaded
        }
    }

Step 3: In order to implement HOOK and modify the code in the target class, we need to get an instance of the target class, such as resources in the example.

    public class Main {
        static void initialize() {
            MS.hookClassLoad("android.content.res.Resources", new MS.ClassLoadHook() {
                public void classLoaded(Class<?> resources) {
                    // ...code to modify the class when loaded
                }
            });
        }
    }

Step 4: Modify the original code through the MS.MethodHook instance.

In order to call the method in the original code, we need to create an instance of the MS.MethodPointer class, which can run the original code at any time.

Here the hook calls the original getColor code of the resources object and modifies its return value, changing all green colors to violet.

    // Requires: import java.lang.reflect.Method;
    public void classLoaded(Class<?> resources) {
        Method getColor;
        try {
            // Look up Resources.getColor(int) through reflection
            getColor = resources.getMethod("getColor", Integer.TYPE);
        } catch (NoSuchMethodException e) {
            getColor = null;
        }

        if (getColor != null) {
            // Filled in by hookMethod; used to call the original implementation
            final MS.MethodPointer old = new MS.MethodPointer();

            MS.hookMethod(resources, getColor, new MS.MethodHook() {
                public Object invoked(Object resources, Object... args)
                    throws Throwable
                {
                    int color = (Integer) old.invoke(resources, args);
                    // Clear the green channel and set the red channel to full
                    return color & ~0x0000ff00 | 0x00ff0000;
                }
            }, old);
        }
    }

After installing and running, I found that many font colors have changed after restarting the system. As shown in the following figure:

The code of MS.hookMethod in the example can be changed to:

    // Requires: import android.content.res.Resources;
    MS.hookMethod(resources, getColor, new MS.MethodAlteration<Resources, Integer>() {
        public Integer invoked(Resources resources, Object... args)
            throws Throwable
        {
            // invoke() calls the original getColor implementation
            int color = invoke(resources, args);
            return color & ~0x0000ff00 | 0x00ffee00;
        }
    });
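The manifest entries from Step 2 are also what a defender can look for: every extension has to declare the cydia.permission.SUBSTRATE permission and the com.saurik.substrate.main meta-data entry. The following script is an added example, not code from the original article or from Substrate, that flags those markers in a manifest already decoded to text XML (for example by apktool). The sample manifests, package names and function names are constructed, and resolving .Main against the package name is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SUBSTRATE_PERMISSION = "cydia.permission.SUBSTRATE"  # permission from Step 2
SUBSTRATE_META = "com.saurik.substrate.main"         # meta-data name from Step 2

# Constructed sample: a decoded manifest shaped like the Step 2 listing.
SAMPLE_EXTENSION = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.colorext">
  <application>
    <meta-data android:name="com.saurik.substrate.main" android:value=".Main"/>
  </application>
  <uses-permission android:name="cydia.permission.SUBSTRATE"/>
</manifest>
""".strip()

# Constructed sample: an ordinary app with an activity and no Substrate markers.
SAMPLE_BENIGN = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <application>
    <activity android:name=".MainActivity"/>
  </application>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
""".strip()

def resolve_class(package, value):
    """Expand '.Main' or 'Main' against the package (assumed Android-style resolution)."""
    if value.startswith("."):
        return package + value
    return value if "." in value else package + "." + value

def scan_manifest(xml_text):
    """Report Substrate extension markers found in one decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)  # use a hardened XML parser for untrusted bulk input
    package = root.get("package", "")
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    entry = None
    for meta in root.findall("./application/meta-data"):
        value = meta.get(ANDROID + "value")
        if meta.get(ANDROID + "name") == SUBSTRATE_META and value:
            entry = resolve_class(package, value)
    has_perm = SUBSTRATE_PERMISSION in perms
    return {
        "package": package,
        "requests_permission": has_perm,
        "entry_class": entry,
        "is_extension": has_perm and entry is not None,
        "has_activity": root.find("./application/activity") is not None,
    }
```

A package that is flagged as an extension and has no activity matches the plug-in layout from Step 1, so it will not show up in the launcher and is worth reviewing by its entry class.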

SMS monitoring example

In the following example, we implement the SMS monitoring function and print out the sender, recipient, and content of the SMS:

    import java.lang.reflect.Method;
    import android.app.PendingIntent;
    import android.util.Log;
    import com.saurik.substrate.MS;

    public class Main {
        static void initialize() {
            MS.hookClassLoad("android.telephony.SmsManager", new MS.ClassLoadHook() {
                @Override
                public void classLoaded(Class<?> SmsManager) {
                    // code to modify the class when loaded
                    Method sendTextMessage;
                    try {
                        sendTextMessage = SmsManager.getMethod("sendTextMessage",
                                new Class[]{String.class, String.class, String.class,
                                            PendingIntent.class, PendingIntent.class});
                    } catch (NoSuchMethodException e) {
                        sendTextMessage = null;
                    }

                    // Nothing to hook if the method was not found
                    if (sendTextMessage == null) {
                        return;
                    }

                    MS.hookMethod(SmsManager, sendTextMessage, new MS.MethodAlteration() {
                        public Object invoked(Object _this, Object... _args) throws Throwable {
                            Log.i("SMSHOOK", "SEND_SMS");
                            Log.i("SMSHOOK", "destination:" + _args[0]);
                            // _args[1] is the scAddress (service center address) parameter of sendTextMessage
                            Log.i("SMSHOOK", "source:" + _args[1]);
                            Log.i("SMSHOOK", "text:" + _args[2]);
                            // Call the original sendTextMessage implementation
                            return invoke(_this, _args);
                        }
                    });
                }
            });
        }
    }

The result after running is:
