Created
May 4, 2020 22:13
分享解密某Android电视adb后门方法
双十一,剁手入手某电视,“根据xxx法规,禁止安装该软件...”,开机有广告,
凭经验,智能设备一般情况下都有“后门”,
系统设置,没发现有adb选项,
nmap扫描电视开放的端口,无果
开机一段时间,电视弹出提示,系统更新,
镜像交换机,抓包,搞到ota更新包,在系统框架jar文件发现adb后门
附上后门关键代码
// Hidden key sequences matched one key at a time by checkShortcutMode().
// The numbers are android.view.KeyEvent key codes.

// Entering this sequence in full enables adb:
// KEYCODE_DPAD_LEFT, KEYCODE_DPAD_LEFT, KEYCODE_DPAD_UP, KEYCODE_DPAD_RIGHT.
private int[] mTurnONADBKeyCode = {21, 21, 19, 22};

// Alternative sequence with the same effect:
// KEYCODE_3, KEYCODE_6, KEYCODE_9, KEYCODE_7.
private int[] mTurnONADBKeyCode2 = {10, 13, 16, 14};

// Starts the factory-test activity:
// KEYCODE_VOLUME_UP, KEYCODE_CHANNEL_UP, KEYCODE_VOLUME_UP, KEYCODE_CHANNEL_DOWN, KEYCODE_MENU.
private int[] mFactoryKeyCode = {24, 166, 24, 167, 82};
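/**
 * Matches remote-control key presses against several hidden key sequences and triggers
 * the corresponding action once a sequence has been entered in full.
 *
 * <p>Every call compares {@code keycode} with the next expected key of each sequence:
 * a match advances that sequence's progress counter, a mismatch resets it to zero.
 * Two actions are visible in this excerpt:
 * <ul>
 *   <li>the factory sequence starts {@code com.apptv.factorytest.MainActivity};</li>
 *   <li>either adb sequence writes {@code adb_enabled = 1} to the global settings and
 *       sets the system property {@code service.adb.enable} to {@code "1"}.</li>
 * </ul>
 *
 * <p>Security review: nothing in this method asks for confirmation, authenticates the
 * user, or checks the build type before debugging is switched on, and no settings entry
 * exposes the switch. Anyone who can send key events to the device can therefore enable
 * adb, and the method never writes the setting back to 0. When auditing a device,
 * check the {@code adb_enabled} global setting and the {@code service.adb.enable}
 * property, and look for an unexpected adb listener.
 *
 * @param keycode key code of the key that was just pressed
 */
private void checkShortcutMode(int keycode) {
    // --- Advance or reset the progress counter of every tracked sequence. ---
    if (this.mFactoryKeyCode[mFactoryIndex] == keycode) {
        mFactoryIndex++;
    } else {
        mFactoryIndex = 0;
    }
    // NOTE(review): the arrays and the handlers for the burn, stock-app-switcher and
    // commit-log sequences are not part of this excerpt. Their counters must be reset
    // once they reach the array length, otherwise the next key press indexes past the
    // end of the array. Confirm against the full class.
    if (this.mBurnKeyCode[mBurnIndex] == keycode) {
        mBurnIndex++;
    } else {
        mBurnIndex = 0;
    }
    if (this.mTurnONADBKeyCode[mTurnOnADBIndex] == keycode) {
        mTurnOnADBIndex++;
    } else {
        mTurnOnADBIndex = 0;
    }
    if (this.mTurnONADBKeyCode2[mTurnOnADBIndex2] == keycode) {
        mTurnOnADBIndex2++;
    } else {
        mTurnOnADBIndex2 = 0;
    }
    if (this.mStartStockAppSwitcherKeycode[mStartStockAppSwitcherIndex] == keycode) {
        mStartStockAppSwitcherIndex++;
    } else {
        mStartStockAppSwitcherIndex = 0;
    }
    if (this.mCommitLogKeyCode[mCommitIndex] == keycode) {
        mCommitIndex++;
    } else {
        mCommitIndex = 0;
    }

    // --- Factory sequence complete: launch the factory-test activity. ---
    if (mFactoryIndex == this.mFactoryKeyCode.length) {
        mFactoryIndex = 0;
        Intent intent = new Intent();
        intent.setComponent(
                new ComponentName("com.apptv.factorytest", "com.apptv.factorytest.MainActivity"));
        // Same value as the literal 268435456 (0x10000000) in the decompiled listing.
        intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        try {
            this.mContext.startActivity(intent);
        } catch (Exception e) {
            // Best effort: a failed launch is only logged.
            Log.d(TAG, e.toString());
        }
    }

    // --- Either adb sequence complete: switch adb on without any user prompt. ---
    if (mTurnOnADBIndex == this.mTurnONADBKeyCode.length
            || mTurnOnADBIndex2 == this.mTurnONADBKeyCode2.length) {
        // Reset BOTH counters. The decompiled code reset only mTurnOnADBIndex, so after
        // the second sequence completed, mTurnOnADBIndex2 stayed at the array length and
        // the next key press threw ArrayIndexOutOfBoundsException.
        mTurnOnADBIndex = 0;
        mTurnOnADBIndex2 = 0;
        Global.putInt(this.mContext.getContentResolver(), "adb_enabled", 1);
        SystemProperties.set("service.adb.enable", "1");
    }
}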
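解密相对简单,
int[] mTurnONADBKeyCode = new int[]{21, 21, 19, 22};
21, 21, 19, 22 是 Android KeyEvent 的按键码,分别对应 左 左 上 右 按键(KEYCODE_DPAD_LEFT、KEYCODE_DPAD_LEFT、KEYCODE_DPAD_UP、KEYCODE_DPAD_RIGHT)。
在系统设置的任意地方按左 左 上 右按键,adb后门自动打开(即上面代码把全局设置 adb_enabled 写为 1,并把系统属性 service.adb.enable 设为 "1")。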