APP 测试 - LSPosed 绕过 SSL 证书抓包

本文转自LuckySec 并作补充

前言

前面介绍了通过《VirtualXposed 绕过 SSL 证书抓包》，这个方法有些局限性，比如不能在电脑上的《夜神模拟器》、《雷电模拟器》运行，需要一部测试手机等因素，对于部分人来说可能不太方便，还是更喜欢都在电脑上完成这系列操作，可以尝试用 LSPosed 绕过 SSL 证书抓包。

0x01 工具简介

LSPosed 是一个基于 Riru/Zygisk 的 ART Hook 框架，该框架利用 LSPlant 挂钩框架提供与 OG Xposed 一致的 API, 支持 Android 8.1 ~ 13。

Xposed 是一个模块框架，可以在不接触任何 APK 的情况下改变系统和应用程序的行为。利用 Xposed 的 TrustMeAlready 模块插件，可以防止软件检测抓包，绕过大部分 ssl-pinning，保证 APP 抓包的可续性能。

0x02 下载安装

特别提示：在安装之前需要注意以下几点：

• LSPosed 项目地址：https://github.com/LSPosed/LSPosed/releases
• TrustMeAlready 项目地址：https://github.com/ViRb3/TrustMeAlready/releases
• 系统： Android 8.1 ~ 13
• 安装 Magisk v23+ (Riru) / v24+ (Zygisk)
• （针对 Riru 风格）从 Magisk 库安装Riru v25+
• 在 Magisk 应用程序中下载并安装LSPosed
• 重启

0x03 抓包教程

注意：如果用雷电模拟器请使用 9.0.19 或之前的版本，避免不必要的问题发生。

以夜神模拟器为例，添加并运行一个 Android 9 的虚拟机。

在模拟器设置里将虚拟机设置为网络桥接模式、开启 ROOT（默认开启），设置好后重启虚拟机。

在夜神模拟器虚拟机里安装 Magisk.apk、Magisk Terminal Emulato.apk、app-debug.apk（安装成功不显示在主界面）、LSPosed-manager.apk。

打开 Magisk Terminal Emulator.apk，按照如下步骤操作：输入 m 按回车 > 再输入 y 按回车 > 超级用户授权允许 > 再输入 1 按回车 > 输入 a 按回车 > 再输入 1 按回车 > 完毕。

上述步骤完成后，重启模拟器，打开 Magisk.apk 可以发现 Magisk 安装成功。

打开 Magisk.apk > 点击右上角齿轮按钮 > 界面往下滑动，找到 Zygisk 选项打开并重启模拟器虚拟机。

接着将 LSPosed-v1.8.6-6712-zygisk-release.zip 复制到模拟器文件夹里面。打开 Magisk.apk > 底部模块选项 > 从本地安装 > 选择模拟器文件夹内的 LSPosed-v1.8.6-6712-zygisk-release.zip 卡刷包。

重启模拟器虚拟机后，打开 LSPosed-manager.apk，可以发现 LSPosed 安装成功了。

然后在夜神模拟器虚拟机里安装 TrustMeAlready-v1.11.apk，安装这个 apk 主界面图标可能会卡在安装的动画，不必在意，忽略即可。

接着打开 LSPosed-manager.apk 的底部模块选项，点击 TrustMeAlready，启动模块，选择要测试的 APP。

使用 BurpSuite 工具开启代理抓包，设置监听地址为同一局域网 IP 地址，端口自定义，不与电脑其他端口冲突使用即可。

在夜神模拟器手机系统设置中将 WiFi 的代理设置为 BurpSuite 监听器的地址。

最后，打开要测试的 APP，刷新功能页面，在 BurpSuite 中即可看到抓取的 HTTP/HTTPS 网络数据包。

参考文章

• https://www.52pojie.cn/forum.php?mod=viewthread&tid=1688786

How to install Xposed/EdXposed/LSPosed + Magisk with Genymotion Desktop?

本文转自Genymotion Help Center 并作补充

Warning

GENYMOBILE assumes no liability whatsoever resulting from the download, install and use of Xposed, EdXposed, LSPosed and Magisk. Use at your own risk.

Note

Because Xposed and EdXposed are no longer maintained, we strongly recommend not using them anymore.

Android 5.0 - 7.1

Prerequisites

• Xposed framework
• Xposed installer

Installation

1. Drag’n drop the Xposed framework zip file (xposed-vXX-sdkXX-x86.zip) to your virtual device display to flash the device.
2. Drag’n drop Xposed Installer APK (XposedInstaller_*.apk). This should install and launch Xposed Installer application. At this stage, it will display that the Xposed framework is installed but disabled:

3. Reboot the device with adb reboot command. Do not reboot from *Xposed Installer* as this will freeze the device.

4. Launch Xposed installer. It should display “Xposed Framework version XX is active”:

Android 8.0

Xposed only works with Android 5.0 to 7.1. For Android 8.0, you need to use Magisk + Edxposed instead.

Prerequisites

• Magisk Manager (Magisk-v23.0.apk)
• Magisk framework for x86
• Riru Magisk module v.25.4.4
• Edxposed Manager 4.6.2

Installation

Step 1: Install Magisk

1. Drag’n Drop Magisk Manager apk: Magisk-v23.0.apk. Magisk Manager will install and open. Close it for now.
2. Drag’n Drop Magisk_rebuilt_1c8ebfac_x86.zip and flash it.
3. When flashing is complete, reboot the device.
4. Launch Magisk Manager. It will request ROOT access, select “Remember choice forever” and click Allow:

It is possible that the popup opens in the background and is covered by Magisk Manager main window. If so press back to access the popup and allow ROOT:

5. You will then be prompted with an update to apply, accept it:

6. The device will reboot one more time. Launch Magisk Manager again, you should now be informed that Magisk is now installed in 1c8ebfac(23015) version:

Step 2: Install Riru

Important

Do not install the Riru version available in the Magisk Manager app. Use the old Riru v25 version provided in this article (see prerequisite).

1. Drag’n drop the Riru archive onto the instance display: riru-v25.4.4-release.zip. Do not flash it! The archive must be installed from Magisk Manager.
2. Launch Magisk Manager app and click on the last icon in the bottom toolbar to go to the module section:

3. Click “install from storage”:

4. Go to the Download folder from the menu:

5. Select the Riru archive, riru-v25.4.4-release.zip
6. Reboot the device

Riru version 25 should now be present in the installed modules list in Magisk Manager:

Important

Make sure NOT to update to Riru v26 as it does not work with EdXposed right now.

Step 3: Install EdXposed

1. You can install EdXposed framework from Magisk Manager. Go to Magisk Manager module manager:

2. Open the search widget and input “Edxposed”. Select Riru - EdXposed:

3. Install the module:

4. Reboot the device.

5. Drag’n drop Edxposed manager APK file (EdXposedManager-4.5.7-45700-org.meowcat.edxposed.manager-release.apk) to the device display.

6. Reboot the device

Edxposed manager should launch and display “Edxposed framework is active”:

Android 8.1 and above

Edxposed and Xposed are no longer maintained and there are no builds for Android 12 and above.

Instead, we will use LSPosed and Magisk for Android 8.1 and above.

Prerequisite

• Magisk Manager APK (v23.0)
• Magisk framework for x86 for Android 8.1 - 10
• Magisk framework for x86_64 for Android 11 and above (PC or Mac Intel)
• Magisk framework for arm64 for mac M1/M2
• LSPosed archive
• LSPosed manager APK

Installation

Step 1: Install Magisk

1. Drag’n Drop Magisk Manager apk: Magisk-v23.0.apk. Magisk Manager will install and open. Close it for now.
2. Drag’n Drop the flashable archive:
   • Magisk_rebuilt_1c8ebfac_x86.zip if you use Android 8.1 - 10
   • Magisk_rebuilt_1c8ebfac_x86_64.zip if you use Android 11 and above on a PC or an old Mac Intel
   • Magisk_rebuilt_1c8ebfac_arm64.zip if you use a mac M1/M2
3. When flashing is complete, reboot the device.
4. Launch Magisk Manager. It will request ROOT access, select “Remember choice forever” and click Allow:

It is possible that the popup opens in the background and is covered by Magisk Manager main window. If so press back to access the popup and allow ROOT:

5. You will then be prompted with an update to apply, accept it:

6. The device will reboot one more time. Launch Magisk Manager again, you should now be informed that Magisk is now installed in 1c8ebfac(23015) version:

Step 2: Install Riru

Important

Do not install the Riru version available in the Magisk Manager app. Use the old Riru v25 version provided in this article (see prerequisite).

1. Drag’n drop the Riru archive onto the instance display: riru-v25.4.4-release.zip. The flashing process will fail, but this is normal. The archive must be installed from Magisk Manager.
2. Launch Magisk Manager app and click on the last icon in the bottom toolbar to go to the module section:

3. Click “install from storage”:

4. Go to the Download folder from the menu:

5. Select the Riru archive, riru-v25.4.4-release.zip

6. Reboot the device

Riru version 25 should now be present in the installed modules list in Magisk Manager:

Step 3: Install Riru - LSPosed

1. Drag and drop the LSPosed archive to the device. Do not flash it!
2. Open Magisk Manager, go to the plugin manager page:

3. click Install from storage and select LSPosed-v1.8.6-6712-riru-release.zip:

4. Reboot the device when prompted

5. Drag’n Drop LSPosed_manager.apk, LSPosed manager should open: