@giantpune
Created August 10, 2015 16:03
shell@hammerhead:/ $ dd if=/dev/zero of=/data/data/com.maxmpz.audioplayer/files/libaudioplayer_native.so bs=1187312 count=1
1+0 records in
1+0 records out
1187312 bytes transferred in 0.016 secs (74207000 bytes/sec)
root@hammerhead:/data/data/com.maxmpz.audioplayer/files # ls -l
-rw-rw-rw- u0_a96 u0_a96 1187312 2015-07-30 13:43 libaudioplayer_native.so
-rw-rw-rw- u0_a96 u0_a96 690168 2015-07-30 13:43 libpampffmpeg.so
root@hammerhead:/data/data/com.maxmpz.audioplayer/shared_prefs # ls -l
-rw-rw-rw- u0_a96 u0_a96 372 2015-07-30 12:43 PlayerService.xml
-rw-rw---- u0_a96 u0_a96 130 2015-07-29 16:32 _has_set_default_values.xml
-rw-rw-rw- u0_a96 u0_a96 8508 2015-07-29 16:32 com.maxmpz.audioplayer_preferences.xml
-rw-rw-rw- u0_a96 u0_a96 1103 2015-07-29 16:32 eq.xml
-rw-rw---- u0_a96 u0_a96 101 2015-07-29 16:32 l.xml
E/art (21424): dlopen("/data/data/com.maxmpz.audioplayer/files/libaudioplayer_native.so", RTLD_LAZY) failed: dlopen failed: "/data/data/com.maxmpz.audioplayer/files/libaudioplayer_native.so" has bad ELF magic
E/LongSetup(21424): Failed to load native lib, trying to reextract
E/LongSetup(21424): java.lang.UnsatisfiedLinkError: dlopen failed: "/data/data/com.maxmpz.audioplayer/files/libaudioplayer_native.so" has bad ELF magic
E/LongSetup(21424): at java.lang.Runtime.load(Runtime.java:331)
E/LongSetup(21424): at java.lang.System.load(System.java:981)
E/LongSetup(21424): at com.maxmpz.audioplayer.l1I.ll1l(":243)
E/LongSetup(21424): at com.maxmpz.audioplayer.l1I.ll1l(":194)
E/LongSetup(21424): at com.maxmpz.audioplayer.player.PlayerService.onCreate(":330)
E/LongSetup(21424): at android.app.ActivityThread.handleCreateService(ActivityThread.java:2761)
E/LongSetup(21424): at android.app.ActivityThread.access$1800(ActivityThread.java:151)
E/LongSetup(21424): at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1386)
E/LongSetup(21424): at android.os.Handler.dispatchMessage(Handler.java:102)
E/LongSetup(21424): at android.os.Looper.loop(Looper.java:135)
E/LongSetup(21424): at android.app.ActivityThread.main(ActivityThread.java:5254)
E/LongSetup(21424): at java.lang.reflect.Method.invoke(Native Method)
E/LongSetup(21424): at java.lang.reflect.Method.invoke(Method.java:372)
E/LongSetup(21424): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:903)
E/LongSetup(21424): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:698)
W/LongSetup(21424): Extracting=libs/armeabi-v7a/libpampffmpeg.so => libpampffmpeg.so
W/LongSetup(21424): Extracting=libs/armeabi/libaudioplayer_native.so => libaudioplayer_native.so
W/LongSetup(20983): File size mismatch=armeabi/libaudioplayer_native.so 5 vs 1187312
W/LongSetup(20983): Extracting=libs/armeabi-v7a/libpampffmpeg.so => libpampffmpeg.so
W/LongSetup(20983): Extracting=libs/armeabi/libaudioplayer_native.so => libaudioplayer_native.so
shell@hammerhead:/ $ ls -l /data/data/com.maxmpz.audioplayer/files/libaudioplayer_native.so
-rw-rw-rw- u0_a96 u0_a96 1187312 2015-07-30 17:31 libaudioplayer_native.so
<uses-permission android:name="android.permission.WRITE_SETTINGS"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
<uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
<uses-permission android:name="android.permission.BROADCAST_STICKY"/>
<uses-permission android:name="android.permission.BLUETOOTH"/>
D/getajob.pwnservice(22305): deleting files
D/getajob.pwnservice(22305): start poweramp
W/LongSetup(22702): File size mismatch=armeabi/libaudioplayer_native.so 0 vs 1187312
W/LongSetup(22702): Extracting=libs/armeabi-v7a/libpampffmpeg.so => libpampffmpeg.so
W/LongSetup(22702): Extracting=libs/armeabi/libaudioplayer_native.so => libaudioplayer_native.so
W/linker (22702): libpampffmpeg.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
D/getajob.pwnservice(22305): backup poweramp lib
I/art ( 773): Explicit concurrent mark sweep GC freed 26398(1448KB) AllocSpace objects, 11(252KB) LOS objects, 30% free, 36MB/52MB, paused 1.785ms total 141.651ms
D/getajob.pwnservice(22305): write out asset lib
I/ActivityManager( 773): Start proc 22770:com.maxmpz.audioplayer/u0a96 for service com.maxmpz.audioplayer/.player.PlayerService
W/audioplayer.Application(22770): Detected NEON support
I/audioplayer.Application(22770): man=LGE pro=hammerhead mod=Nexus 5 dev=hammerhead type=user board=hammerhead rel=5.1.1 osVersion=3.4.0-gbebb36b
W/linker (22770): libpampffmpeg.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
D/libwoopsy(22770): JNI_OnLoad called
I/id (22805): uid=10096(u0_a96) gid=10096(u0_a96) groups=1015(sdcard_rw),1028(sdcard_r),3002(net_bt),3003(inet),9997(everybody),50096(all_a96) context=u:r:untrusted_app:s0
D/libwoopsy(22770): calling original JNI_OnLoad…
shell@hammerhead:/ $ ls -l /data/data/com.maxmpz.audioplayer/files/libaudioplayer_native.so
-rw-rw-rw- u0_a96 u0_a96 1187312 2015-07-30 13:43 libaudioplayer_native.so
shell@hammerhead:/ $ echo fail > /data/data/com.maxmpz.audioplayer/files/libaudioplayer_native.so
shell@hammerhead:/ $ cat /data/data/com.maxmpz.audioplayer/files/libaudioplayer_native.so
fail
shell@hammerhead:/ $ ls -l /data/data/com.maxmpz.audioplayer/files/libaudioplayer_native.so
-rw-rw-rw- u0_a96 u0_a96 5 2015-07-30 17:25 libaudioplayer_native.so
I/id (17069): uid=10098(u0_a98) gid=10098(u0_a98) groups=1015(sdcard_rw),1028(sdcard_r),3002(net_bt),3003(inet),9997(everybody),50098(all_a98) context=u:r:untrusted_app:s0
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.NFC" />
<uses-permission android:name="android.permission.BLUETOOTH" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS" />
<uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT" />
<uses-permission android:name="android.permission.ACCESS_SURFACE_FLINGER" />
<uses-permission android:name="android.permission.WAKE_LOCK" />
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.VIBRATE" />
<uses-permission android:name="android.permission.FLASHLIGHT" />
<uses-permission android:name="android.permission.BATTERY_STATS" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.RECORD_AUDIO" />
# Runs /system/bin/id under logwrapper so that the uid, groups and SELinux
# context of the process executing this line show up in the Android log
# (the "I/id" entries in the logcat captures on this page).
import os

os.system("/system/bin/logwrapper /system/bin/id")
; Excerpt from make_0777_directory (per the XREF): the call is mkdir(path, 0x1FF).
; 0x1FF is octal 0777 (rwxrwxrwx), so the directory is created writable by
; every uid on the device; any other uid can then add, rename or replace
; entries in it. A private directory would use a mode without "other" bits.
.text:000049D6 loc_49D6 ; CODE XREF: make_0777_directory+14j
.text:000049D6 MOVW R1, #0x1FF ; mode = 0x1FF = octal 0777 (rwxrwxrwx)
.text:000049DA LDR R0, [SP,#0x10+path] ; path
.text:000049DC BLX mkdir
.text:000049E0 MOV R4, R0 ; keep mkdir()'s return value in R4
.text:000049E2 CBNZ R0, loc_49F2 ; non-zero result branches to loc_49F2 (not shown in this excerpt)
; Excerpt from Java_io_vov_vitamio_Vitamio_native_initializeLibs (per the XREF):
; the file is opened for output via OutFile_Open and then chmod(file, 0x1B6) is
; applied. 0x1B6 is octal 0666 (rw-rw-rw-), which matches the -rw-rw-rw- modes
; in the ls -l output on this page: each written library is left writable by
; every uid. The excerpt ends mid-function.
.text:00004E42 loc_4E42 ; CODE XREF: Java_io_vov_vitamio_Vitamio_native_initializeLibs+3DCj
.text:00004E42 LDR R1, [SP,#0x4118+file]
.text:00004E44 ADD R0, SP, #0x4118+var_40C4
.text:00004E46 BL OutFile_Open
.text:00004E4A MOV.W R1, #0x1B6 ; mode = 0x1B6 = octal 0666 (rw-rw-rw-)
.text:00004E4E MOV R4, R0 ; keep OutFile_Open's return value in R4
.text:00004E50 LDR R0, [SP,#0x4118+file] ; file
.text:00004E52 BLX chmod
.text:00004E56 ADD R0, SP, #0x4118+file
E/art (24836): dlopen("/data/data/com.zgz.supervideo/libs/libvplayer.so", RTLD_LAZY) failed: dlopen failed: "/data/data/com.zgz.supervideo/libs/libvplayer.so" is too small to be an ELF executable: only found 5 bytes
E/Vitamio[Player](24836): Error loading libs
E/Vitamio[Player](24836): java.lang.UnsatisfiedLinkError: dlopen failed: "/data/data/com.zgz.supervideo/libs/libvplayer.so" is too small to be an ELF executable: only found 5 bytes
E/Vitamio[Player](24836): at java.lang.Runtime.load(Runtime.java:331)
E/Vitamio[Player](24836): at java.lang.System.load(System.java:981)
E/Vitamio[Player](24836): at io.vov.vitamio.MediaPlayer.<clinit>(MediaPlayer.java:242)
E/Vitamio[Player](24836): at io.vov.vitamio.widget.VideoView.openVideo(VideoView.java:401)
E/Vitamio[Player](24836): at io.vov.vitamio.widget.VideoView.access$21(VideoView.java:389)
E/Vitamio[Player](24836): at io.vov.vitamio.widget.VideoView$3.surfaceCreated(VideoView.java:157)
E/Vitamio[Player](24836): at android.view.SurfaceView.updateWindow(SurfaceView.java:580)
E/Vitamio[Player](24836): at android.view.SurfaceView$3.onPreDraw(SurfaceView.java:176)
E/Vitamio[Player](24836): at android.view.ViewTreeObserver.dispatchOnPreDraw(ViewTreeObserver.java:944)
E/Vitamio[Player](24836): at android.view.ViewRootImpl.performTraversals(ViewRootImpl.java:1970)
E/Vitamio[Player](24836): at android.view.ViewRootImpl.doTraversal(ViewRootImpl.java:1061)
E/Vitamio[Player](24836): at android.view.ViewRootImpl$TraversalRunnable.run(ViewRootImpl.java:5885)
E/Vitamio[Player](24836): at android.view.Choreographer$CallbackRecord.run(Choreographer.java:767)
E/Vitamio[Player](24836): at android.view.Choreographer.doCallbacks(Choreographer.java:580)
E/Vitamio[Player](24836): at android.view.Choreographer.doFrame(Choreographer.java:550)
E/Vitamio[Player](24836): at android.view.Choreographer$FrameDisplayEventReceiver.run(Choreographer.java:753)
E/Vitamio[Player](24836): at android.os.Handler.handleCallback(Handler.java:739)
E/Vitamio[Player](24836): at android.os.Handler.dispatchMessage(Handler.java:95)
E/Vitamio[Player](24836): at android.os.Looper.loop(Looper.java:135)
E/Vitamio[Player](24836): at android.app.ActivityThread.main(ActivityThread.java:5254)
E/Vitamio[Player](24836): at java.lang.reflect.Method.invoke(Native Method)
E/Vitamio[Player](24836): at java.lang.reflect.Method.invoke(Method.java:372)
E/Vitamio[Player](24836): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:903)
E/Vitamio[Player](24836): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:698)
$ adb shell "echo fail > /data/data/com.zgz.supervideo/libs/libvplayer.so"
$ adb shell ls -l /data/data/com.zgz.supervideo/libs/libvplayer.so
-rw-rw-rw- u0_a101 u0_a101 5 2015-07-31 15:49 libvplayer.so
$ adb shell cat /data/data/com.zgz.supervideo/libs/libvplayer.so
fail
#include <android/log.h>
#include <dlfcn.h>
#include <jni.h>
#include <stdio.h>
#include <stdlib.h>
/* Path of the library that JNI_OnLoad opens and forwards to. */
#define ORIGINAL_LIBRARY_NAME "/data/data/com.zgz.supervideo/libs/libvplayer_orig.so"

/* Tag under which this library's messages appear in logcat. */
#define LOG_TAG "libwoopsy"

/*
 * Debug logging to both the Android log and stdout.
 * The argument list is expanded twice, so any argument with a side effect
 * (for example a call to dlerror()) is evaluated twice.
 */
#define LOG_D(...)                                                        \
    do {                                                                  \
        __android_log_print( ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__ );   \
        printf( __VA_ARGS__ );                                            \
    } while( 0 )
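/*
 * JNI_OnLoad for a stand-in library: logs that it was loaded, records the
 * identity of the hosting process, then forwards to the JNI_OnLoad of the
 * library at ORIGINAL_LIBRARY_NAME.
 *
 * Context from the rest of this page: the libs directory is mode 0777 and the
 * libraries in it are 0666, so a different uid could put this file in place of
 * the one the app loads. The logged id output then shows the app's own uid.
 * The defensive takeaway is that native libraries an app loads must live in a
 * location only that app's uid (or the system) can write, and must not be
 * created with world-writable modes.
 *
 * vm, reserved: passed through unchanged to the original JNI_OnLoad.
 * Returns: -1 if the original library cannot be opened, JNI_VERSION_1_6 if it
 *          exports no JNI_OnLoad, otherwise whatever the original returns.
 */
int JNI_OnLoad( JavaVM* vm, void* reserved )
{
    LOG_D( "JNI_OnLoad called\n" );
    LOG_D( "Im running with the following uid...\n" );

    /* logwrapper routes id's output to the Android log (the "I/id" lines). */
    system( "/system/bin/logwrapper /system/bin/id" );

    /* The handle is intentionally never closed: the original library has to
     * stay mapped for as long as the app uses its native methods. */
    void *handle = dlopen( ORIGINAL_LIBRARY_NAME, RTLD_NOW | RTLD_GLOBAL );
    if( !handle )
    {
        /* LOG_D expands its arguments twice and dlerror() clears the pending
         * error when read, so calling it inside LOG_D hands printf() a NULL
         * for %s. Read the message once and pass the saved pointer. */
        const char *reason = dlerror();
        LOG_D( "error opening %s: %s\n", ORIGINAL_LIBRARY_NAME, reason ? reason : "unknown error" );
        return -1;
    }

    int ( *orig )( JavaVM* vm, void* reserved ) = dlsym( handle, "JNI_OnLoad" );
    if( !orig )
    {
        /* JNI_OnLoad is optional; report a JNI version ourselves. */
        LOG_D( "no original JNI_OnLoad to worry about\n" );
        return JNI_VERSION_1_6;
    }

    LOG_D( "calling original JNI_OnLoad...\n" );
    return orig( vm, reserved );
}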
$ adb shell ls -ld /data/data/com.zgz.supervideo/libs
drwxrwxrwx u0_a101 u0_a101 2015-07-31 15:45 libs
$ adb shell ls -l /data/data/com.zgz.supervideo/libs
-rw-rw-rw- u0_a101 u0_a101 70780 2015-07-31 15:45 libOMX.11.so
-rw-rw-rw- u0_a101 u0_a101 70780 2015-07-31 15:45 libOMX.14.so
-rw-rw-rw- u0_a101 u0_a101 70780 2015-07-31 15:45 libOMX.18.so
-rw-rw-rw- u0_a101 u0_a101 70780 2015-07-31 15:45 libOMX.9.so
-rw-rw-rw- u0_a101 u0_a101 7946640 2015-07-31 15:45 libffmpeg.so
-rw-rw-rw- u0_a101 u0_a101 345404 2015-07-31 15:45 libstlport_shared.so
-rw-rw-rw- u0_a101 u0_a101 17604 2015-07-31 15:45 libvao.0.so
-rw-rw-rw- u0_a101 u0_a101 276816 2015-07-31 15:45 libvplayer.so
-rw-rw-rw- u0_a101 u0_a101 165752 2015-07-31 15:45 libvscanner.so
-rw-rw-rw- u0_a101 u0_a101 21756 2015-07-31 15:45 libvvo.0.so
-rw-rw-rw- u0_a101 u0_a101 17600 2015-07-31 15:45 libvvo.7.so
-rw-rw-rw- u0_a101 u0_a101 17600 2015-07-31 15:45 libvvo.8.so
-rw-rw-rw- u0_a101 u0_a101 13504 2015-07-31 15:45 libvvo.9.so
-rw-rw-rw- u0_a101 u0_a101 13504 2015-07-31 15:45 libvvo.j.so
$ adb shell mv /data/data/com.zgz.supervideo/libs/libvplayer{,_orig}.so
$ adb push libtest.so /data/local/tmp/libvplayer.so
629 KB/s (26364 bytes in 0.040s)
$ adb shell "cp /data/local/tmp/libvplayer.so /data/data/com.zgz.supervideo/libs/libvplayer.so"
$ adb shell ls -l /data/data/com.zgz.supervideo/libs/libvplayer*
-rwxrwxrwx shell shell 26364 2015-07-31 16:03 libvplayer.so
-rw-rw-rw- u0_a101 u0_a101 276816 2015-07-31 15:53 libvplayer_orig.so
D/libwoopsy(25627): JNI_OnLoad called
D/libwoopsy(25627): Im running with the following uid...
I/id (26523): uid=10101(u0_a101) gid=10101(u0_a101) groups=1015(sdcard_rw),1028(sdcard_r),3003(inet),9997(everybody),50101(all_a101) context=u:r:untrusted_app:s0
D/libwoopsy(25627): calling original JNI_OnLoad…