Remove All Ads from XDA

Hooking android class results in java.lang.NoSuchMethodError

3 posts
Thanks Meter: 1
 
By jostomp, Junior Member on 9th August 2017, 05:23 PM
Post Reply Email Thread
I've been able to hook static methods using Xposed but can not figure out how to hook android classes such as android.bluetooth.BluetoothGatt. My goal is to log bluetooth payloads and then trace the static method within the given app responsible for said payload. I can access the desired payload using the JDB debugger as follows:

Code:
> stop in android.bluetooth.BluetoothGatt.writeCharacteristic
Set breakpoint android.bluetooth.BluetoothGatt.writeCharacteristic
> 
Breakpoint hit: "thread=main", 
android.bluetooth.BluetoothGatt.writeCharacteristic(), line=926 bci=0

main[1] dump characteristic.mValue
 characteristic.mValue = {
 116, 101, 115, 116, 49, 51, 51
 }
This is my code for attempting to hook the android.bluetooth.BluetoothGatt.writeCharacteristi c method:

Code:
package com.example.test.xposed3;

import java.lang.reflect.Method;

import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;
import static de.robv.android.xposed.XposedHelpers.findClass;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class Xposed3 implements IXposedHookLoadPackage {
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        if (!lpparam.packageName.equals("com.macdom.ble.blescanner"))
            return;

        XposedBridge.log("Loaded app: " + lpparam.packageName);

        findAndHookMethod("com.macdom.ble.blescanner.a", lpparam.classLoader, "onStart", new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                XposedBridge.log("Calling com.macdom.ble.blescanner.a onStart()");
            }
        });

        Class<?> BluetoothGatt = findClass("android.bluetooth.BluetoothGatt", lpparam.classLoader);
        Method writeCharacteristic = XposedHelpers.findMethodBestMatch(BluetoothGatt, "writeCharacteristic");
        XposedBridge.hookMethod(writeCharacteristic, new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                XposedBridge.log("Calling android.bluetooth.BluetoothGatt writeCharacteristic()");
            }
        });
The logs show I'm successfully hooking the static method com.macdom.ble.blescanner.a onStart() but outputs a java.lang.NoSuchMethodError when attempting to hook android.bluetooth.BluetoothGatt writeCharacteristic()

Code:
I/Xposed  (11661): Loaded app: com.macdom.ble.blescanner
E/Xposed  (11661): java.lang.NoSuchMethodError: android.bluetooth.BluetoothGatt#writeCharacteristic()#bestmatch
E/Xposed  (11661):  at de.robv.android.xposed.XposedHelpers.findMethodBestMatch(XposedHelpers.java:440)
E/Xposed  (11661):  at com.example.test.xposed3.Xposed3.handleLoadPackage(Xposed3.java:34)
E/Xposed  (11661):  at de.robv.android.xposed.IXposedHookLoadPackage$Wrapper.handleLoadPackage(IXposedHookLoadPackage.java:34)
E/Xposed  (11661):  at de.robv.android.xposed.callbacks.XC_LoadPackage.call(XC_LoadPackage.java:61)
E/Xposed  (11661):  at de.robv.android.xposed.callbacks.XCallback.callAll(XCallback.java:106)
E/Xposed  (11661):  at de.robv.android.xposed.XposedInit$2.beforeHookedMethod(XposedInit.java:116)
E/Xposed  (11661):  at de.robv.android.xposed.XposedBridge.handleHookedMethod(XposedBridge.java:314)
E/Xposed  (11661):  at android.app.ActivityThread.handleBindApplication(<Xposed>)
E/Xposed  (11661):  at android.app.ActivityThread.access$1500(ActivityThread.java:151)
E/Xposed  (11661):  at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1364)
E/Xposed  (11661):  at android.os.Handler.dispatchMessage(Handler.java:102)
E/Xposed  (11661):  at android.os.Looper.loop(Looper.java:135)
E/Xposed  (11661):  at android.app.ActivityThread.main(ActivityThread.java:5254)
E/Xposed  (11661):  at java.lang.reflect.Method.invoke(Native Method)
E/Xposed  (11661):  at java.lang.reflect.Method.invoke(Method.java:372)
E/Xposed  (11661):  at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:903)
E/Xposed  (11661):  at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:698)
E/Xposed  (11661):  at de.robv.android.xposed.XposedBridge.main(XposedBridge.java:102)
I/Xposed  (11661): Calling com.macdom.ble.blescanner.a onStart()




The module should be usable for any given app that uses bluetooth BLE. I'm not sure if this is the best approach or if there is a way to dynamically discover the the app's instance of BluetoothGatt and hook it.
 
 
9th August 2017, 11:28 PM |#2  
Massi-X's Avatar
Senior Member
Thanks Meter: 282
 
More
Quote:
Originally Posted by jostomp

I've been able to hook static methods using Xposed but can not figure out how to hook android classes such as android.bluetooth.BluetoothGatt. My goal is to log bluetooth payloads and then trace the static method within the given app responsible for said payload. I can access the desired payload using the JDB debugger as follows:

Code:
> stop in android.bluetooth.BluetoothGatt.writeCharacteristic
Set breakpoint android.bluetooth.BluetoothGatt.writeCharacteristic
> 
Breakpoint hit: "thread=main", 
android.bluetooth.BluetoothGatt.writeCharacteristic(), line=926 bci=0

main[1] dump characteristic.mValue
 characteristic.mValue = {
 116, 101, 115, 116, 49, 51, 51
 }
This is my code for attempting to hook the android.bluetooth.BluetoothGatt.writeCharacteristi c method:

Code:
package com.example.test.xposed3;

import java.lang.reflect.Method;

import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;
import static de.robv.android.xposed.XposedHelpers.findClass;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class Xposed3 implements IXposedHookLoadPackage {
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        if (!lpparam.packageName.equals("com.macdom.ble.blescanner"))
            return;

        XposedBridge.log("Loaded app: " + lpparam.packageName);

        findAndHookMethod("com.macdom.ble.blescanner.a", lpparam.classLoader, "onStart", new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                XposedBridge.log("Calling com.macdom.ble.blescanner.a onStart()");
            }
        });

        Class<?> BluetoothGatt = findClass("android.bluetooth.BluetoothGatt", lpparam.classLoader);
        Method writeCharacteristic = XposedHelpers.findMethodBestMatch(BluetoothGatt, "writeCharacteristic");
        XposedBridge.hookMethod(writeCharacteristic, new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                XposedBridge.log("Calling android.bluetooth.BluetoothGatt writeCharacteristic()");
            }
        });
The logs show I'm successfully hooking the static method com.macdom.ble.blescanner.a onStart() but outputs a java.lang.NoSuchMethodError when attempting to hook android.bluetooth.BluetoothGatt writeCharacteristic()

Code:
I/Xposed  (11661): Loaded app: com.macdom.ble.blescanner
E/Xposed  (11661): java.lang.NoSuchMethodError: android.bluetooth.BluetoothGatt#writeCharacteristic()#bestmatch
E/Xposed  (11661):  at de.robv.android.xposed.XposedHelpers.findMethodBestMatch(XposedHelpers.java:440)
E/Xposed  (11661):  at com.example.test.xposed3.Xposed3.handleLoadPackage(Xposed3.java:34)
E/Xposed  (11661):  at de.robv.android.xposed.IXposedHookLoadPackage$Wrapper.handleLoadPackage(IXposedHookLoadPackage.java:34)
E/Xposed  (11661):  at de.robv.android.xposed.callbacks.XC_LoadPackage.call(XC_LoadPackage.java:61)
E/Xposed  (11661):  at de.robv.android.xposed.callbacks.XCallback.callAll(XCallback.java:106)
E/Xposed  (11661):  at de.robv.android.xposed.XposedInit$2.beforeHookedMethod(XposedInit.java:116)
E/Xposed  (11661):  at de.robv.android.xposed.XposedBridge.handleHookedMethod(XposedBridge.java:314)
E/Xposed  (11661):  at android.app.ActivityThread.handleBindApplication(<Xposed>)
E/Xposed  (11661):  at android.app.ActivityThread.access$1500(ActivityThread.java:151)
E/Xposed  (11661):  at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1364)
E/Xposed  (11661):  at android.os.Handler.dispatchMessage(Handler.java:102)
E/Xposed  (11661):  at android.os.Looper.loop(Looper.java:135)
E/Xposed  (11661):  at android.app.ActivityThread.main(ActivityThread.java:5254)
E/Xposed  (11661):  at java.lang.reflect.Method.invoke(Native Method)
E/Xposed  (11661):  at java.lang.reflect.Method.invoke(Method.java:372)
E/Xposed  (11661):  at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:903)
E/Xposed  (11661):  at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:698)
E/Xposed  (11661):  at de.robv.android.xposed.XposedBridge.main(XposedBridge.java:102)
I/Xposed  (11661): Calling com.macdom.ble.blescanner.a onStart()




The module should be usable for any given app that uses bluetooth BLE. I'm not sure if this is the best approach or if there is a way to dynamically discover the the app's instance of BluetoothGatt and hook it.

If the method have some args, Xposed won't find it. Can you share the source? And why you didn't use findandhookmethod?
9th August 2017, 11:59 PM |#3  
OP Junior Member
Thanks Meter: 1
 
More
Quote:
Originally Posted by Massi-X

If the method have some args, Xposed won't find it. Can you share the source? And why you didn't use findandhookmethod?

Thanks for the reply. This method does not take any arguments - https:[//]developer.android.com/reference/android/bluetooth/BluetoothGatt.html#writeCharacteristic(android.blu etooth.BluetoothGattCharacteristic)

Using the findandhookmethod returns a similar error:

Code:
java.lang.NoSuchMethodError: android.bluetooth.BluetoothGatt#writeCharacteristic()#exact
The application I'm testing on is called BLE Scanner - I do not have the source for this.
10th August 2017, 12:03 AM |#4  
Massi-X's Avatar
Senior Member
Thanks Meter: 282
 
More
Quote:
Originally Posted by jostomp

Thanks for the reply. This method does not take any arguments - https:[//]developer.android.com/reference/android/bluetooth/BluetoothGatt.html#writeCharacteristic(android.blu etooth.BluetoothGattCharacteristic)

Using the findandhookmethod returns a similar error:

Code:
java.lang.NoSuchMethodError: android.bluetooth.BluetoothGatt#writeCharacteristic()#exact
The application I'm testing on is called BLE Scanner - I do not have the source for this.

Uhm from the page you share it says the method wants an argument of BluetoothGattCharacteristic type .
So, this is the problem!
10th August 2017, 12:40 AM |#5  
OP Junior Member
Thanks Meter: 1
 
More
Quote:
Originally Posted by Massi-X

Uhm from the page you share it says the method wants an argument of BluetoothGattCharacteristic type .
So, this is the problem!

Ahh yes you are completely right! Thanks

Here's the working code:

Code:
package com.example.djason.xposed3;

import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

import android.bluetooth.BluetoothGattCharacteristic;

public class Xposed3 implements IXposedHookLoadPackage {
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        if (!lpparam.packageName.equals("com.macdom.ble.blescanner"))
            return;

        XposedBridge.log("Loaded app: " + lpparam.packageName);
        
        findAndHookMethod("android.bluetooth.BluetoothGatt", lpparam.classLoader, "writeCharacteristic", BluetoothGattCharacteristic.class, new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                XposedBridge.log("Calling android.bluetooth.BluetoothGatt writeCharacteristic()");
            }
        });

    }
}
The Following User Says Thank You to jostomp For This Useful Post: [ View ] Gift jostomp Ad-Free
10th August 2017, 12:58 AM |#6  
Massi-X's Avatar
Senior Member
Thanks Meter: 282
 
More
Glad to help!
Post Reply Subscribe to Thread

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes