Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save wongsyrone/4f5b0562f5e4137ffa57c7596f882f4b to your computer and use it in GitHub Desktop.
Save wongsyrone/4f5b0562f5e4137ffa57c7596f882f4b to your computer and use it in GitHub Desktop.
分享解密某Android电视adb后门方法
双十一,剁手入手某电视,“根据xxx法规,禁止安装该软件...”,开机有广告,
凭经验,智能设备一般情况下都有“后门”,
系统设置,没发现有adb选选项,
nmap扫描电视开放的端口,无果
开机一段时间,电视弹出提示,系统更新,
镜像交换机,抓包,搞到ota更新包,在系统框架jar文件发现adb后门
附上后门关键代码
[Java] 纯文本查看 复制代码
?
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
private int[] mTurnONADBKeyCode = new int[]{21, 21, 19, 22};
private int[] mTurnONADBKeyCode2 = new int[]{10, 13, 16, 14};
private int[] mFactoryKeyCode = new int[]{24, 166, 24, 167, 82};
private void checkShortcutMode(int keycode) {
Intent intent;
if (this.mFactoryKeyCode[mFactoryIndex] == keycode) {
mFactoryIndex++;
} else {
mFactoryIndex = 0;
}
if (this.mBurnKeyCode[mBurnIndex] == keycode) {
mBurnIndex++;
} else {
mBurnIndex = 0;
}
if (this.mTurnONADBKeyCode[mTurnOnADBIndex] == keycode) {
mTurnOnADBIndex++;
} else {
mTurnOnADBIndex = 0;
}
if (this.mTurnONADBKeyCode2[mTurnOnADBIndex2] == keycode) {
mTurnOnADBIndex2++;
} else {
mTurnOnADBIndex2 = 0;
}
if (this.mStartStockAppSwitcherKeycode[mStartStockAppSwitcherIndex] == keycode) {
mStartStockAppSwitcherIndex++;
} else {
mStartStockAppSwitcherIndex = 0;
}
if (this.mCommitLogKeyCode[mCommitIndex] == keycode) {
mCommitIndex++;
} else {
mCommitIndex = 0;
}
if (mFactoryIndex == this.mFactoryKeyCode.length) {
mFactoryIndex = 0;
intent = new Intent();
intent.setComponent(new ComponentName("com.apptv.factorytest", "com.apptv.factorytest.MainActivity"));
intent.setFlags(268435456);
try {
this.mContext.startActivity(intent);
} catch (Exception e) {
Log.d(TAG, e.toString());
}
}
if (mTurnOnADBIndex == this.mTurnONADBKeyCode.length || mTurnOnADBIndex2 == this.mTurnONADBKeyCode2.length) {
mTurnOnADBIndex = 0;
Global.putInt(this.mContext.getContentResolver(), "adb_enabled", 1);
SystemProperties.set("service.adb.enable", "1");
}
}
解密相对简单,
int[] mTurnONADBKeyCode = new int[]{21, 21, 19, 22};
21, 21, 19, 22分别对应的,是 左 左 上 右 按键
在系统设置的任意地方按左 左 上 右按键,adb后门自动打开
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment