shell@hammerhead:/ $ dd if=/dev/zero of=/data/data/com.maxmpz.audioplayer/files/libaudioplayer_native.so bs=1187312 count=1
1+0 records in
1+0 records out
1187312 bytes transferred in 0.016 secs (74207000 bytes/sec)
root@hammerhead:/data/data/com.maxmpz.audioplayer/files # ls -l
-rw-rw-rw- u0_a96 u0_a96 1187312 2015-07-30 13:43 libaudioplayer_native.so
-rw-rw-rw- u0_a96 u0_a96 690168 2015-07-30 13:43 libpampffmpeg.so
root@hammerhead:/data/data/com.maxmpz.audioplayer/shared_prefs # ls -l
-rw-rw-rw- u0_a96 u0_a96 372 2015-07-30 12:43 PlayerService.xml
-rw-rw---- u0_a96 u0_a96 130 2015-07-29 16:32 _has_set_default_values.xml
-rw-rw-rw- u0_a96 u0_a96 8508 2015-07-29 16:32 com.maxmpz.audioplayer_preferences.xml
-rw-rw-rw- u0_a96 u0_a96 1103 2015-07-29 16:32 eq.xml
-rw-rw---- u0_a96 u0_a96 101 2015-07-29 16:32 l.xml
E/art (21424): dlopen("/data/data/com.maxmpz.audioplayer/files/libaudioplayer_native.so", RTLD_LAZY) failed: dlopen failed: "/data/data/com.maxmpz.audioplayer/files/libaudioplayer_native.so" has bad ELF magic
E/LongSetup(21424): Failed to load native lib, trying to reextract
E/LongSetup(21424): java.lang.UnsatisfiedLinkError: dlopen failed: "/data/data/com.maxmpz.audioplayer/files/libaudioplayer_native.so" has bad ELF magic
E/LongSetup(21424): at java.lang.Runtime.load(Runtime.java:331)
E/LongSetup(21424): at java.lang.System.load(System.java:981)
E/LongSetup(21424): at com.maxmpz.audioplayer.l1I.ll1l(":243)
E/LongSetup(21424): at com.maxmpz.audioplayer.l1I.ll1l(":194)
E/LongSetup(21424): at com.maxmpz.audioplayer.player.PlayerService.onCreate(":330)
E/LongSetup(21424): at android.app.ActivityThread.handleCreateService(ActivityThread.java:2761)
E/LongSetup(21424): at android.app.ActivityThread.access$1800(ActivityThread.java:151)
E/LongSetup(21424): at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1386)
E/LongSetup(21424): at android.os.Handler.dispatchMessage(Handler.java:102)
E/LongSetup(21424): at android.os.Looper.loop(Looper.java:135)
E/LongSetup(21424): at android.app.ActivityThread.main(ActivityThread.java:5254)
E/LongSetup(21424): at java.lang.reflect.Method.invoke(Native Method)
E/LongSetup(21424): at java.lang.reflect.Method.invoke(Method.java:372)
E/LongSetup(21424): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:903)
E/LongSetup(21424): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:698)
W/LongSetup(21424): Extracting=libs/armeabi-v7a/libpampffmpeg.so => libpampffmpeg.so
W/LongSetup(21424): Extracting=libs/armeabi/libaudioplayer_native.so => libaudioplayer_native.so
W/LongSetup(20983): File size mismatch=armeabi/libaudioplayer_native.so 5 vs 1187312
W/LongSetup(20983): Extracting=libs/armeabi-v7a/libpampffmpeg.so => libpampffmpeg.so
W/LongSetup(20983): Extracting=libs/armeabi/libaudioplayer_native.so => libaudioplayer_native.so
shell@hammerhead:/ $ ls -l /data/data/com.maxmpz.audioplayer/files/libaudioplayer_native.so
-rw-rw-rw- u0_a96 u0_a96 1187312 2015-07-30 17:31 libaudioplayer_native.so
<uses-permission android:name="android.permission.WRITE_SETTINGS"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
<uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
<uses-permission android:name="android.permission.BROADCAST_STICKY"/>
<uses-permission android:name="android.permission.BLUETOOTH"/>
D/getajob.pwnservice(22305): deleting files
D/getajob.pwnservice(22305): start poweramp
W/LongSetup(22702): File size mismatch=armeabi/libaudioplayer_native.so 0 vs 1187312
W/LongSetup(22702): Extracting=libs/armeabi-v7a/libpampffmpeg.so => libpampffmpeg.so
W/LongSetup(22702): Extracting=libs/armeabi/libaudioplayer_native.so => libaudioplayer_native.so
W/linker (22702): libpampffmpeg.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
D/getajob.pwnservice(22305): backup poweramp lib
I/art ( 773): Explicit concurrent mark sweep GC freed 26398(1448KB) AllocSpace objects, 11(252KB) LOS objects, 30% free, 36MB/52MB, paused 1.785ms total 141.651ms
D/getajob.pwnservice(22305): write out asset lib
I/ActivityManager( 773): Start proc 22770:com.maxmpz.audioplayer/u0a96 for service com.maxmpz.audioplayer/.player.PlayerService
W/audioplayer.Application(22770): Detected NEON support
I/audioplayer.Application(22770): man=LGE pro=hammerhead mod=Nexus 5 dev=hammerhead type=user board=hammerhead rel=5.1.1 osVersion=3.4.0-gbebb36b
W/linker (22770): libpampffmpeg.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
D/libwoopsy(22770): JNI_OnLoad called
I/id (22805): uid=10096(u0_a96) gid=10096(u0_a96) groups=1015(sdcard_rw),1028(sdcard_r),3002(net_bt),3003(inet),9997(everybody),50096(all_a96) context=u:r:untrusted_app:s0
D/libwoopsy(22770): calling original JNI_OnLoad…
shell@hammerhead:/ $ ls -l /data/data/com.maxmpz.audioplayer/files/libaudioplayer_native.so
-rw-rw-rw- u0_a96 u0_a96 1187312 2015-07-30 13:43 libaudioplayer_native.so
shell@hammerhead:/ $ echo fail > /data/data/com.maxmpz.audioplayer/files/libaudioplayer_native.so
shell@hammerhead:/ $ cat /data/data/com.maxmpz.audioplayer/files/libaudioplayer_native.so
fail
shell@hammerhead:/ $ ls -l /data/data/com.maxmpz.audioplayer/files/libaudioplayer_native.so
-rw-rw-rw- u0_a96 u0_a96 5 2015-07-30 17:25 libaudioplayer_native.so
I/id (17069): uid=10098(u0_a98) gid=10098(u0_a98) groups=1015(sdcard_rw),1028(sdcard_r),3002(net_bt),3003(inet),9997(everybody),50098(all_a98) context=u:r:untrusted_app:s0 |
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.NFC" />
<uses-permission android:name="android.permission.BLUETOOTH" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS" />
<uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT" />
<uses-permission android:name="android.permission.ACCESS_SURFACE_FLINGER" />
<uses-permission android:name="android.permission.WAKE_LOCK" />
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.VIBRATE" />
<uses-permission android:name="android.permission.FLASHLIGHT" />
<uses-permission android:name="android.permission.BATTERY_STATS" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.RECORD_AUDIO" />
import os; os.system("/system/bin/logwrapper /system/bin/id")
.text:000049D6 loc_49D6 ; CODE XREF: make_0777_directory+14j
.text:000049D6 MOVW R1, #0x1FF ; mode
.text:000049DA LDR R0, [SP,#0x10+path] ; path
.text:000049DC BLX mkdir
.text:000049E0 MOV R4, R0
.text:000049E2 CBNZ R0, loc_49F2
.text:00004E42 loc_4E42 ; CODE XREF: Java_io_vov_vitamio_Vitamio_native_initializeLibs+3DCj
.text:00004E42 LDR R1, [SP,#0x4118+file]
.text:00004E44 ADD R0, SP, #0x4118+var_40C4
.text:00004E46 BL OutFile_Open
.text:00004E4A MOV.W R1, #0x1B6 ; mode
.text:00004E4E MOV R4, R0
.text:00004E50 LDR R0, [SP,#0x4118+file] ; file
.text:00004E52 BLX chmod
.text:00004E56 ADD R0, SP, #0x4118+file
E/art (24836): dlopen("/data/data/com.zgz.supervideo/libs/libvplayer.so", RTLD_LAZY) failed: dlopen failed: "/data/data/com.zgz.supervideo/libs/libvplayer.so" is too small to be an ELF executable: only found 5 bytes
E/Vitamio[Player](24836): Error loading libs
E/Vitamio[Player](24836): java.lang.UnsatisfiedLinkError: dlopen failed: "/data/data/com.zgz.supervideo/libs/libvplayer.so" is too small to be an ELF executable: only found 5 bytes
E/Vitamio[Player](24836): at java.lang.Runtime.load(Runtime.java:331)
E/Vitamio[Player](24836): at java.lang.System.load(System.java:981)
E/Vitamio[Player](24836): at io.vov.vitamio.MediaPlayer.<clinit>(MediaPlayer.java:242)
E/Vitamio[Player](24836): at io.vov.vitamio.widget.VideoView.openVideo(VideoView.java:401)
E/Vitamio[Player](24836): at io.vov.vitamio.widget.VideoView.access$21(VideoView.java:389)
E/Vitamio[Player](24836): at io.vov.vitamio.widget.VideoView$3.surfaceCreated(VideoView.java:157)
E/Vitamio[Player](24836): at android.view.SurfaceView.updateWindow(SurfaceView.java:580)
E/Vitamio[Player](24836): at android.view.SurfaceView$3.onPreDraw(SurfaceView.java:176)
E/Vitamio[Player](24836): at android.view.ViewTreeObserver.dispatchOnPreDraw(ViewTreeObserver.java:944)
E/Vitamio[Player](24836): at android.view.ViewRootImpl.performTraversals(ViewRootImpl.java:1970)
E/Vitamio[Player](24836): at android.view.ViewRootImpl.doTraversal(ViewRootImpl.java:1061)
E/Vitamio[Player](24836): at android.view.ViewRootImpl$TraversalRunnable.run(ViewRootImpl.java:5885)
E/Vitamio[Player](24836): at android.view.Choreographer$CallbackRecord.run(Choreographer.java:767)
E/Vitamio[Player](24836): at android.view.Choreographer.doCallbacks(Choreographer.java:580)
E/Vitamio[Player](24836): at android.view.Choreographer.doFrame(Choreographer.java:550)
E/Vitamio[Player](24836): at android.view.Choreographer$FrameDisplayEventReceiver.run(Choreographer.java:753)
E/Vitamio[Player](24836): at android.os.Handler.handleCallback(Handler.java:739)
E/Vitamio[Player](24836): at android.os.Handler.dispatchMessage(Handler.java:95)
E/Vitamio[Player](24836): at android.os.Looper.loop(Looper.java:135)
E/Vitamio[Player](24836): at android.app.ActivityThread.main(ActivityThread.java:5254)
E/Vitamio[Player](24836): at java.lang.reflect.Method.invoke(Native Method)
E/Vitamio[Player](24836): at java.lang.reflect.Method.invoke(Method.java:372)
E/Vitamio[Player](24836): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:903)
E/Vitamio[Player](24836): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:698)
$ adb shell "echo fail > /data/data/com.zgz.supervideo/libs/libvplayer.so"
$ adb shell ls -l /data/data/com.zgz.supervideo/libs/libvplayer.so
-rw-rw-rw- u0_a101 u0_a101 5 2015-07-31 15:49 libvplayer.so
$ adb shell cat /data/data/com.zgz.supervideo/libs/libvplayer.so
fail
#include <android/log.h>
#include <dlfcn.h>
#include <jni.h>
#include <stdio.h>
#include <stdlib.h>

/* The app's real library, renamed so this shim can sit at the original path. */
#define ORIGINAL_LIBRARY_NAME "/data/data/com.zgz.supervideo/libs/libvplayer_orig.so"
#define LOG_TAG "libwoopsy"
#define LOG_D(...) do{ __android_log_print( ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__); printf( __VA_ARGS__ ); }while( 0 )

/* Invoked by the runtime when the app loads this library via System.load(). */
int JNI_OnLoad( JavaVM* vm, void* reserved )
{
    LOG_D( "JNI_OnLoad called\n" );
    LOG_D( "Im running with the following uid...\n" );
    /* Log the uid, groups and SELinux context this code runs under. */
    system( "/system/bin/logwrapper /system/bin/id" );

    /* Load the renamed original so the app keeps working. */
    void *handle = dlopen( ORIGINAL_LIBRARY_NAME, RTLD_NOW | RTLD_GLOBAL );
    if( !handle )
    {
        LOG_D( "error opening %s: %s\n", ORIGINAL_LIBRARY_NAME, dlerror() );
        return -1;
    }

    /* Forward to the original JNI_OnLoad if the library exports one. */
    int ( *orig )( JavaVM* vm, void* reserved ) = dlsym( handle, "JNI_OnLoad" );
    if( !orig )
    {
        LOG_D( "no original JNI_OnLoad to worry about\n" );
        return JNI_VERSION_1_6;
    }

    LOG_D( "calling original JNI_OnLoad...\n" );
    return orig( vm, reserved );
}
$ adb shell ls -ld /data/data/com.zgz.supervideo/libs
drwxrwxrwx u0_a101 u0_a101 2015-07-31 15:45 libs
$ adb shell ls -l /data/data/com.zgz.supervideo/libs
-rw-rw-rw- u0_a101 u0_a101 70780 2015-07-31 15:45 libOMX.11.so
-rw-rw-rw- u0_a101 u0_a101 70780 2015-07-31 15:45 libOMX.14.so
-rw-rw-rw- u0_a101 u0_a101 70780 2015-07-31 15:45 libOMX.18.so
-rw-rw-rw- u0_a101 u0_a101 70780 2015-07-31 15:45 libOMX.9.so
-rw-rw-rw- u0_a101 u0_a101 7946640 2015-07-31 15:45 libffmpeg.so
-rw-rw-rw- u0_a101 u0_a101 345404 2015-07-31 15:45 libstlport_shared.so
-rw-rw-rw- u0_a101 u0_a101 17604 2015-07-31 15:45 libvao.0.so
-rw-rw-rw- u0_a101 u0_a101 276816 2015-07-31 15:45 libvplayer.so
-rw-rw-rw- u0_a101 u0_a101 165752 2015-07-31 15:45 libvscanner.so
-rw-rw-rw- u0_a101 u0_a101 21756 2015-07-31 15:45 libvvo.0.so
-rw-rw-rw- u0_a101 u0_a101 17600 2015-07-31 15:45 libvvo.7.so
-rw-rw-rw- u0_a101 u0_a101 17600 2015-07-31 15:45 libvvo.8.so
-rw-rw-rw- u0_a101 u0_a101 13504 2015-07-31 15:45 libvvo.9.so
-rw-rw-rw- u0_a101 u0_a101 13504 2015-07-31 15:45 libvvo.j.so
$ adb shell mv /data/data/com.zgz.supervideo/libs/libvplayer{,_orig}.so
$ adb push libtest.so /data/local/tmp/libvplayer.so
629 KB/s (26364 bytes in 0.040s)
$ adb shell "cp /data/local/tmp/libvplayer.so /data/data/com.zgz.supervideo/libs/libvplayer.so"
$ adb shell ls -l /data/data/com.zgz.supervideo/libs/libvplayer*
-rwxrwxrwx shell shell 26364 2015-07-31 16:03 libvplayer.so
-rw-rw-rw- u0_a101 u0_a101 276816 2015-07-31 15:53 libvplayer_orig.so
D/libwoopsy(25627): JNI_OnLoad called
D/libwoopsy(25627): Im running with the following uid...
I/id (26523): uid=10101(u0_a101) gid=10101(u0_a101) groups=1015(sdcard_rw),1028(sdcard_r),3003(inet),9997(everybody),50101(all_a101) context=u:r:untrusted_app:s0
D/libwoopsy(25627): calling original JNI_OnLoad…