objection

hook: objection -g “包名” explore

1. memory list modules -查看内存中加载的库
2. memory list exports so名称 - 查看库的导出函数
3. android hooking list activities -查看内存中加载的activity /android hooking list services -查看内存中加载的services
4. android intent launch_activity 类名 -启动activity或service(可以用于一些没有验证的activity,在一些简单的ctf中有时候可以出奇效)
5. 关闭ssl校验 android sslpinning disable
6. 关闭root检测 android root disable
7. 内存搜刮类实例

android heap search instances 类名(命令)
Class instance enumeration complete for com.zj.wuaipojie.Demo  
 Hashcode  Class                  toString()
---------  ---------------------  -----------------------------
215120583  com.zj.wuaipojie.Demo  com.zj.wuaipojie.Demo@cd27ac7


android heap execute “hash” getPublicInt //编译
android heap evaluate “hash”//进入编译器

调用实例的方法

android heap execute <handle> getPublicInt(实例的hashcode+方法名)
如果是带参数的方法，则需要进入编辑器环境  
android heap evaluate <handle>  
console.log(clazz.a("吾爱破解"));
按住esc+enter触发android hooking list classes -列出内存中所有的类(结果比静态分析的更准确)

android hooking list classes -列出内存中所有的类(结果比静态分析的更准确)

android hooking list classes 

tw.idv.palatis.xappdebug.MainApplication
tw.idv.palatis.xappdebug.xposed.HookMain
tw.idv.palatis.xappdebug.xposed.HookMain$a
tw.idv.palatis.xappdebug.xposed.HookMain$b
tw.idv.palatis.xappdebug.xposed.HookMain$c
tw.idv.palatis.xappdebug.xposed.HookMain$d
tw.idv.palatis.xappdebug.xposed.HookSelf
u
v
void
w
xposed.dummy.XResourcesSuperClass
xposed.dummy.XTypedArraySuperClass

Found 10798 classes

android hooking search classes 关键类名 -在内存中所有已加载的类中搜索包含特定关键词的类

android hooking search classes wuaipojie
Note that Java classes are only loaded when they are used, so if the expected class has not been found, it might not have been loaded yet.
com.zj.wuaipojie.Demo
com.zj.wuaipojie.Demo$Animal
com.zj.wuaipojie.Demo$Companion
com.zj.wuaipojie.Demo$InnerClass
com.zj.wuaipojie.Demo$test$1
com.zj.wuaipojie.MainApplication
com.zj.wuaipojie.databinding.ActivityMainBinding
... 

Found 38 classes

android hooking search methods 关键方法名 -在内存中所有已加载的类的方法中搜索包含特定关键词的方法(一般不建议使用，特别耗时，还可能崩溃)

android hooking list class_methods 类名 -内存漫游类中的所有方法

android hooking list class_methods com.zj.wuaipojie.ui.ChallengeSixth
private static final void com.zj.wuaipojie.ui.ChallengeSixth.onCreate$lambda-0(com.zj.wuaipojie.ui.ChallengeSixth,android.view.View)
private static final void com.zj.wuaipojie.ui.ChallengeSixth.onCreate$lambda-1(com.zj.wuaipojie.ui.ChallengeSixth,android.view.View)
private static final void com.zj.wuaipojie.ui.ChallengeSixth.onCreate$lambda-2(com.zj.wuaipojie.ui.ChallengeSixth,android.view.View)
private static final void com.zj.wuaipojie.ui.ChallengeSixth.onCreate$lambda-3(com.zj.wuaipojie.ui.ChallengeSixth,android.view.View)
protected void com.zj.wuaipojie.ui.ChallengeSixth.onCreate(android.os.Bundle)
public final java.lang.String com.zj.wuaipojie.ui.ChallengeSixth.hexToString(java.lang.String)
public final java.lang.String com.zj.wuaipojie.ui.ChallengeSixth.unicodeToString(java.lang.String)
public final void com.zj.wuaipojie.ui.ChallengeSixth.toastPrint(java.lang.String)
public static void com.zj.wuaipojie.ui.ChallengeSixth.$r8$lambda$1lrkrgiCEFWXZDHzLRibYURG1h8(com.zj.wuaipojie.ui.ChallengeSixth,android.view.View)
public static void com.zj.wuaipojie.ui.ChallengeSixth.$r8$lambda$IUqwMqbTKaOGiTaeOmvy_GjNBso(com.zj.wuaipojie.ui.ChallengeSixth,android.view.View)
public static void com.zj.wuaipojie.ui.ChallengeSixth.$r8$lambda$Kc_cRYZjjhjsTl6GYNHbgD-i6sE(com.zj.wuaipojie.ui.ChallengeSixth,android.view.View)
public static void com.zj.wuaipojie.ui.ChallengeSixth.$r8$lambda$PDKm2AfziZQo6Lv1HEFkJWkUsoE(com.zj.wuaipojie.ui.ChallengeSixth,android.view.View)

Found 12 method(s)

1. hook类的所有方法

    复制代码 隐藏代码
   android hooking watch class 类名

2. hook方法的参数、返回值和调用栈

    复制代码 隐藏代码
   android hooking watch class_method 类名.方法名 --dump-args --dump-return --dump-backtrace

3. hook 类的构造方法

    复制代码 隐藏代码
   android hooking watch class_method 类名.$init

4. hook 方法的所有重载

    复制代码 隐藏代码
   android hooking watch class_method 类名.方法名