Implementing RPC remote calls with Xposed

The encryption and decryption algorithms of some apps are laborious and time-consuming to analyze. With Xposed, once you know the code's call flow, you only need to pass in the parameters and either hook the corresponding method or call a function inside the app to obtain the encrypted sign, key, cookie, and so on.

I. Build the Android Server

1. NanoHTTPD introduction

Official introduction: NanoHTTPD is a light-weight HTTP server designed for embedding in other applications, released under a Modified BSD licence.

Github: github.com/NanoHttpd/n…

2. Import code

There are two ways. The first is to clone the code from the official website and copy it into the project. The second is to use a library that others have already packaged. The blogger uses the second method here, which is much faster.

Add the dependency to Gradle:

    implementation 'org.nanohttpd:nanohttpd:2.2.0'

3. Start the service

    import fi.iki.elonen.NanoHTTPD;
    import java.io.IOException;
    import java.util.Map;

    public class AndroidWebServer extends NanoHTTPD {

        public AndroidWebServer(int port) throws IOException {
            super(port);
        }

        @Override
        public Response serve(IHTTPSession session) {
            String msg = "<html><body><h1>Hello AutoPy</h1>\n";
            Map<String, String> parms = session.getParms();
            if (parms.get("code") == null) {
                // No parameter yet: show the input form
                msg += "<form action='?' method='get'>\n <p>Your code: <input type='text' name='code'></p>\n" + "</form>\n";
            } else {
                // Echo the submitted value back
                msg += "<p>Hello, " + parms.get("code") + "! </p>";
            }
            return newFixedLengthResponse(msg + "</body></html>\n");
        }
    }

    // The port is passed to the constructor; 8000 is the port used in the rest of this post
    new AndroidWebServer(8000).start();

II. Use with the Xposed plug-in

1. Hook time

Inject in the onCreate method of Application, and start the service at the same time:

    XposedHelpers.findAndHookMethod(Application.class, "onCreate", new XC_MethodHook() {
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            super.beforeHookedMethod(param);
        }

        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            super.afterHookedMethod(param);
            // The hooked Application instance serves as the Context
            Context ct = (Application) param.thisObject;
            // ProcessUtil is the author's own helper class (not shown in this post)
            String currentProcessName = ProcessUtil.getCurrentProcessName(ct);
            XposedBridge.log("process: " + currentProcessName);
            if ("com.xxx.xxx".equals(currentProcessName)) {
                // Main process: listen on port 8000
                new AndroidWebServer(8000).start();
            } else {
                // Other processes of the app: listen on a port equal to the process ID
                new AndroidWebServer(Process.myPid()).start();
            }
        }
    });

2. adb forward

After the plug-in is installed on the phone, make sure the phone is connected to the computer over USB (it cannot be connected in Wi-Fi mode), then verify the connection by running the following adb command:

    adb devices

Run the adb forward command

adb forward in detail: blog.csdn.net/u013553529/…

The command below is copied from the article above:

    adb forward tcp:8000 tcp:8000

3. Verify the Server

When the mobile phone and computer are on the same LAN, open http://127.0.0.1:8000/. If a web page is displayed, the configuration is successful.
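The server above listens on every network interface of the phone and answers any caller. Because adb forward connects to the device's own localhost, it can instead bind to loopback and require a shared secret. The variant below is an added example, not the blogger's code; the class name LocalOnlyWebServer, the X-Rpc-Token header and the token value are assumptions made for illustration.

```java
import fi.iki.elonen.NanoHTTPD;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example: loopback-only, token-protected variant of AndroidWebServer.
public class LocalOnlyWebServer extends NanoHTTPD {

    // Shared secret chosen by whoever runs the plug-in (assumption of this example)
    private final byte[] token;

    public LocalOnlyWebServer(int port, String token) {
        // Bind to 127.0.0.1 instead of all interfaces; adb forward still reaches it,
        // but other hosts on the same Wi-Fi network do not.
        super("127.0.0.1", port);
        this.token = token.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public Response serve(IHTTPSession session) {
        // NanoHTTPD stores header names in lower case.
        // "X-Rpc-Token" is a header name made up for this example.
        String sent = session.getHeaders().get("x-rpc-token");
        boolean ok = sent != null
                && MessageDigest.isEqual(token, sent.getBytes(StandardCharsets.UTF_8));
        if (!ok) {
            return newFixedLengthResponse(Response.Status.UNAUTHORIZED,
                    MIME_PLAINTEXT, "unauthorized\n");
        }

        String code = session.getParms().get("code");
        String body = (code == null) ? "no code given\n" : "Hello, " + code + "!\n";
        // Answer as text/plain so the echoed parameter is never rendered as HTML.
        return newFixedLengthResponse(Response.Status.OK, MIME_PLAINTEXT, body);
    }
}
```

Start it from the hook with new LocalOnlyWebServer(8000, token).start() and send the same token in the X-Rpc-Token header of each request; requests without it receive 401.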

III. Use with Peanut Shell intranet penetration

With Peanut Shell intranet penetration you can make the service reachable from the Internet (that is, other computers can access your interface). Remember to choose the HTTP mapping type; at this point you need to pay a 6 RMB authentication fee, and everything else is free. For my simple needs, this has been completely sufficient in testing so far.

Once configured, you will be given an extranet domain name through which you can access your interface.

Verify the Internet domain name