A contract-free personal payment scheme (Alipay) based on the Xposed hook framework

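This is fairly complex. The key is reverse-engineering apps such as WeChat, Alipay and UnionPay QuickPass to find the core functions to hook.

A brief note on decompiling the apk

Method: decompile with jadx (recommended, simple and convenient)

First download jadx from https://github.com/skylot/jadx

Edit the "maximum java heap size" setting in bin\jadx-gui.bat and bin\jadx.bat. Without this change, decompiling a larger apk may hang. Change it as follows:

In jadx-gui.bat: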

@rem Add default JVM options here. You can also use JAVA_OPTS and JADX_GUI_OPTS to pass JVM options to this script.
set DEFAULT_JVM_OPTS="-d64" "-Xms4g" "-Xmx8g"

In jadx.bat:

@rem Add default JVM options here. You can also use JAVA_OPTS and JADX_OPTS to pass JVM options to this script.
set DEFAULT_JVM_OPTS="-Xms4g" "-Xmx8g"
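
You can then run jadx-gui.bat directly from cmd. This opens the jadx graphical interface; open the apk there to decompile it.

Only the code that hooks Alipay is shown here: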

            // Fragment from inside handleLoadPackage(LoadPackageParam lpparam). It assumes static imports of
            // XposedHelpers.findAndHookMethod / findClass / callMethod and an import of java.lang.reflect.Field.
            // log() and getCookieStr() are not defined in the post.
            // Get the QR code URL
            findAndHookMethod("com.alipay.mobile.payee.ui.PayeeQRSetMoneyActivity", lpparam.classLoader, "a",
                    findClass("com.alipay.transferprod.rpc.result.ConsultSetAmountRes", lpparam.classLoader), new XC_MethodHook() {
                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    log("com.alipay.mobile.payee.ui.PayeeQRSetMoneyActivity a" + "\n");
                    String cookieStr = getCookieStr();
                    Object consultSetAmountRes = param.args[0];
                    String consultSetAmountResString = "";
                    if (consultSetAmountRes != null) {
                        consultSetAmountResString = (String) callMethod(consultSetAmountRes, "toString");
                    }
                    // Sample toString() output:
                    // {codeId='1804106465231431',qrCodeUrl='HTTPS://QR.ALIPAY.COM/FKX007021VPOLKNEMJRV5C',printQrCodeUrl='HTTPS://QR.ALIPAY.COM/FKX024385RNIN3NEYG3MDD'}
                    log("consultSetAmountResString:" + consultSetAmountResString + "\n");
                    // Note: this writes the cookie string to the log in clear text.
                    log("cookieStr:" + cookieStr + "\n");

                    // Nothing more to read if the RPC result is missing (avoids a NullPointerException below).
                    if (consultSetAmountRes == null) {
                        return;
                    }

                    // Amount: obfuscated String field "g" of the activity.
                    Field moneyField = XposedHelpers.findField(param.thisObject.getClass(), "g");
                    String money = (String) moneyField.get(param.thisObject);

                    // Remark: obfuscated field "c" of the activity, read through its getUbbStr() method.
                    Field markField = XposedHelpers.findField(param.thisObject.getClass(), "c");
                    Object markObject = markField.get(param.thisObject);
                    String mark = (String) XposedHelpers.callMethod(markObject, "getUbbStr");

                    // Payment URL from the RPC result (consultSetAmountRes was already read from param.args[0] above).
                    Field consultField = XposedHelpers.findField(consultSetAmountRes.getClass(), "qrCodeUrl");
                    String payurl = (String) consultField.get(consultSetAmountRes);

                    // URL of the printable QR code.
                    Field consultField2 = XposedHelpers.findField(consultSetAmountRes
                            .getClass(), "printQrCodeUrl");
                    String payurloffline = (String) consultField2.get(consultSetAmountRes);
                }
            });
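
Seen from the side of the app being hooked, a hook like the one above leaves a trace: under the classic Xposed framework a hooked method is dispatched through `de.robv.android.xposed.XposedBridge`, so the bridge's frames show up in the call stack. The following is an added example, not code from the original post; the class name `HookFrameCheck`, the `com.example.pay` frames and both sample stacks are constructed for illustration.

```java
// Added example, not from the original post. Assumes the classic Xposed package prefix;
// the com.example.pay frames below are constructed sample data.
public class HookFrameCheck {
    private static final String XPOSED_PREFIX = "de.robv.android.xposed.";

    /** Returns the first stack frame that belongs to the Xposed bridge, or null if none. */
    static StackTraceElement findXposedFrame(StackTraceElement[] stack) {
        for (StackTraceElement frame : stack) {
            if (frame.getClassName().startsWith(XPOSED_PREFIX)) {
                return frame;
            }
        }
        return null;
    }

    /** Intended to be called from inside a sensitive method of the app being protected. */
    static boolean calledThroughXposed() {
        return findXposedFrame(Thread.currentThread().getStackTrace()) != null;
    }

    public static void main(String[] args) {
        // Constructed, simplified stack as seen from inside a hooked method "a".
        StackTraceElement[] hooked = {
            new StackTraceElement("com.example.pay.SetMoneyActivity", "a", "SourceFile", 10),
            new StackTraceElement("de.robv.android.xposed.XposedBridge", "invokeOriginalMethodNative", null, -2),
            new StackTraceElement("de.robv.android.xposed.XposedBridge", "handleHookedMethod", "XposedBridge.java", 1),
            new StackTraceElement("com.example.pay.SetMoneyActivity", "a", null, -2),
        };
        // Constructed stack of the same method when no hook is installed.
        StackTraceElement[] clean = {
            new StackTraceElement("com.example.pay.SetMoneyActivity", "a", "SourceFile", 10),
            new StackTraceElement("com.example.pay.SetMoneyActivity", "onClick", "SourceFile", 42),
        };
        System.out.println("hooked sample -> " + findXposedFrame(hooked));
        System.out.println("clean sample  -> " + findXposedFrame(clean));
        System.out.println("this process  -> " + calledThroughXposed());
    }
}
```

A stack check like this is only a client-side signal: a hooking framework can also hook the stack-trace APIs, so treat it as one input alongside server-side checks.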

If you need this, you can add me on QQ: 553772553.
