z4root Source Code Reading Notes (Part 1)
Source: Internet  Editor: 程序博客网  Time: 2024/04/30 18:46
1. First, use the manifest.xml file to locate the main Java classes. The main part of the file is as follows:

    <application android:icon="@drawable/z4small" android:label="@string/z4root">
        <activity android:name="z4root" android:theme="@style/Theme"
                  android:launchMode="singleInstance" android:label="z4root"
                  android:finishOnTaskLaunch="true" android:multiprocess="true"
                  android:process=":three" android:screenOrientation="portrait">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name="Phase1" android:theme="@style/Theme"
                  android:launchMode="singleInstance" android:label="Phase1"
                  android:finishOnTaskLaunch="true" android:multiprocess="true"
                  android:process=":three" android:screenOrientation="portrait">
        </activity>
        <activity android:name="Phase2" android:theme="@style/Theme"
                  android:launchMode="singleInstance" android:label="Phase2"
                  android:finishOnTaskLaunch="true" android:multiprocess="true"
                  android:process=":two" android:screenOrientation="portrait">
        </activity>
        <activity android:name="PhaseRemove" android:theme="@style/Theme"
                  android:launchMode="singleInstance" android:label="PhaseRemove"
                  android:finishOnTaskLaunch="true" android:multiprocess="true"
                  android:process=":four" android:screenOrientation="portrait">
        </activity>
        <!-- the excerpt in these notes ends here -->
    </application>

The main classes are z4root.java, Phase1.java and Phase2.java, which implement the temporary (one-time) root and permanent root functions.
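2. Open z4root.java.
The onCreate() method defines click listeners for three buttons: rootbutton.setOnClickListener(...), temprootbutton.setOnClickListener(...) and unrootbutton.setOnClickListener(...). These three buttons correspond to the temporary (one-time) root, permanent root and unroot options in the app's UI. I only care about the rooting process, that is, the first two listeners. The code shows that both of them call Intent i = new Intent(z4root.this, Phase1.class); startActivity(i); to load the Phase1 activity.
The difference lies in these lines:

    SharedPreferences settings = getSharedPreferences(PREFS_NAME, 0);
    SharedPreferences.Editor editor = settings.edit();
    editor.putInt(PREFS_MODE, MODE_PERMROOT);

The value passed in differs, which is how temporary root, permanent root and unroot are told apart (MODE_TEMPROOT=1, MODE_PERMROOT=0, MODE_UNROOT=2).
Explanation of the three lines above: SharedPreferences is the interface for reading and modifying an application's configuration data.
1. getSharedPreferences(PREFS_NAME, 0); returns the SharedPreferences object. PREFS_NAME = "z4rootprefs" refers to a preferences file, which is created if it does not exist.
2. edit() modifies the SharedPreferences values; the changes take effect after they are committed. PREFS_MODE = "rootmode".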

    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        SharedPreferences settings = getSharedPreferences(PREFS_NAME, 0);
        boolean AdsEnabled = settings.getBoolean(PREFS_ADS, true);
        if (AdsEnabled) {
            setContentView(R.layout.z4rootwadd);
        } else {
            setContentView(R.layout.z4root);
        }
        rootbutton = (Button) findViewById(R.id.rootbutton);
        unrootbutton = (Button) findViewById(R.id.unrootbutton);
        detailtext = (TextView) findViewById(R.id.detailtext);
        temprootbutton = (Button) findViewById(R.id.temprootbutton);

        // Permanent root: store MODE_PERMROOT, then hand over to Phase1.
        rootbutton.setOnClickListener(new OnClickListener() {
            @Override
            public void onClick(View v) {
                if (disabled)
                    return;
                disabled = true;
                Intent i = new Intent(z4root.this, Phase1.class);
                SharedPreferences settings = getSharedPreferences(PREFS_NAME, 0);
                SharedPreferences.Editor editor = settings.edit();
                editor.putInt(PREFS_MODE, MODE_PERMROOT);
                editor.commit();
                startActivity(i);
                finish();
            }
        });

        // Temporary root: same path, but with MODE_TEMPROOT stored.
        temprootbutton.setOnClickListener(new OnClickListener() {
            @Override
            public void onClick(View v) {
                if (disabled)
                    return;
                disabled = true;
                Intent i = new Intent(z4root.this, Phase1.class);
                SharedPreferences settings = getSharedPreferences(PREFS_NAME, 0);
                SharedPreferences.Editor editor = settings.edit();
                editor.putInt(PREFS_MODE, MODE_TEMPROOT);
                editor.commit();
                startActivity(i);
                finish();
            }
        });

        // Unroot: goes through Phase1 only when forceunroot is set,
        // otherwise straight to PhaseRemove.
        unrootbutton.setOnClickListener(new OnClickListener() {
            @Override
            public void onClick(View v) {
                if (disabled)
                    return;
                disabled = true;
                Intent i;
                if (forceunroot) {
                    i = new Intent(z4root.this, Phase1.class);
                    SharedPreferences settings = getSharedPreferences(PREFS_NAME, 0);
                    SharedPreferences.Editor editor = settings.edit();
                    editor.putInt(PREFS_MODE, MODE_UNROOT);
                    editor.commit();
                } else {
                    i = new Intent(z4root.this, PhaseRemove.class);
                }
                startActivity(i);
                finish();
            }
        });

        new Thread() {
            public void run() {
                dostuff();
            };
        }.start();
    }

3. Phase1.java
The main class in the Phase1 activity is Phase1. Its onCreate() method calls the dostuff() method through a run() method. This should be the key method that implements rooting.

    public void dostuff() {
        // Hold a wake lock while the work is in progress.
        PowerManager pm = (PowerManager) getSystemService(POWER_SERVICE);
        wl = pm.newWakeLock(PowerManager.FULL_WAKE_LOCK | PowerManager.ACQUIRE_CAUSES_WAKEUP | PowerManager.ON_AFTER_RELEASE, "z4root");
        wl.acquire();
        saystuff("Saving required file...");
        try {
            // Copy the bundled raw resource into the app's files directory.
            SaveIncludedFileIntoFilesFolder(R.raw.rageagainstthecage, "rageagainstthecage", getApplicationContext());
        } catch (Exception e1) {
            // TODO Auto-generated catch block
            e1.printStackTrace();
        }

        // Start a shell subprocess; fd is used for both its input and output.
        final int[] processId = new int[1];
        final FileDescriptor fd = Exec.createSubprocess("/system/bin/sh", "-", null, processId);
        Log.i("AAA", "Got processid: " + processId[0]);
        final FileOutputStream out = new FileOutputStream(fd);
        final FileInputStream in = new FileInputStream(fd);
        // final int[] processId_t = new int[1];
        // final FileDescriptor fd_t = Exec.createSubprocess("/system/bin/sh",
        // "-", null, processId_t);
        // Log.i("AAA", "Got processid_t: " + processId_t[0]);
        //
        // final FileOutputStream out_t = new FileOutputStream(fd_t);
        // final FileInputStream in_t = new FileInputStream(fd_t);

        // Reader thread: logs the shell output and reacts to two marker strings.
        new Thread() {
            public void run() {
                byte[] mBuffer = new byte[4096];
                // byte[] mBuffer_t = new byte[4096];
                int read = 0;
                while (read >= 0) {
                    try {
                        read = in.read(mBuffer);
                        // At end of stream read is -1, new String(...) throws,
                        // and the catch block below ends the loop.
                        String str = new String(mBuffer, 0, read);
                        Log.i("AAA", str);
                        if (str.contains("Forked")) {
                            Log.i("BBB", "FORKED FOUND!");
                            saystuff("Forking completed");
                            Intent intent = new Intent(getApplicationContext(), AlarmReceiver.class);
                            PendingIntent sender = PendingIntent.getBroadcast(getApplicationContext(), 0, intent, 0);
                            // Get the AlarmManager service
                            AlarmManager am = (AlarmManager) getSystemService(ALARM_SERVICE);
                            // for (int i=5;i<120;i+=15) {
                            Calendar cal = Calendar.getInstance();
                            cal.add(Calendar.SECOND, 5);
                            am.set(AlarmManager.RTC_WAKEUP, cal.getTimeInMillis(), sender);
                            // }
                            // Get the AlarmManager service
                            saystuff("Aquiring root shell...");
                            wl.release();
                            Thread.sleep(20000);
                            finish();
                            return;
                        }
                        if (str.contains("Cannot find adb")) {
                            runOnUiThread(new Runnable() {
                                @Override
                                public void run() {
                                    showDialog(SHOW_SETTINGS_DIALOG);
                                }
                            });
                        }
                    } catch (Exception e) {
                        read = -1;
                        e.printStackTrace();
                    }
                }
            };
        }.start();

        // Writer side: make the saved file executable, then run it in the shell.
        try {
            String command = "chmod 777 " + getFilesDir() + "/rageagainstthecage\n";
            out.write(command.getBytes());
            out.flush();
            command = getFilesDir() + "/rageagainstthecage\n";
            out.write(command.getBytes());
            out.flush();
            saystuff("Running exploit in order to obtain root access...");
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
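
The dostuff() listing leaves fixed strings in logcat ("Got processid: " on tag AAA, "FORKED FOUND!" on tag BBB), which a defender can match when triaging a device log. The sketch below is an added example, not part of the original notes or of z4root; it assumes logcat's "threadtime" line layout, and the sample log lines are constructed.

```python
import re

# logcat "threadtime" layout: MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message
LINE_RE = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}\s+(?P<pid>\d+)\s+\d+\s+[VDIWEF]\s+"
    r"(?P<tag>\S+)\s*: (?P<msg>.*)$"
)

# (tag, substring) pairs copied from the Log.i() calls and str.contains()
# checks in the dostuff() listing above.
MARKERS = {
    "shell_spawned": ("AAA", "Got processid: "),
    "fork_seen": ("BBB", "FORKED FOUND!"),
    "adb_missing": ("AAA", "Cannot find adb"),
}

# Constructed sample input (not captured from a real device).
SAMPLE_LOG = """\
--------- beginning of main
04-30 18:46:01.100  2101  2101 I AAA     : Got processid: 2117
04-30 18:46:01.350  1500  1500 D SomeApp : unrelated line
04-30 18:46:09.450  2101  2130 I AAA     : constructed shell output ... Forked ...
04-30 18:46:09.451  2101  2130 I BBB     : FORKED FOUND!
04-30 18:46:12.000  3050  3050 I AAA     : Got processid: 9
"""

def scan_logcat(text):
    """Map each PID to the marker stages it logged, in first-seen order."""
    stages = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers, wrapped lines
        for stage, (tag, needle) in MARKERS.items():
            if m["tag"] == tag and needle in m["msg"]:
                seen = stages.setdefault(int(m["pid"]), [])
                if stage not in seen:
                    seen.append(stage)
    return stages

def classify(seen):
    """The tags are generic, so one marker alone is weak evidence."""
    if "shell_spawned" in seen and "fork_seen" in seen:
        return "high"    # subprocess created, then the fork marker matched
    if "shell_spawned" in seen and "adb_missing" in seen:
        return "medium"  # the "Cannot find adb" branch was hit
    return "low"

if __name__ == "__main__":
    for pid, seen in scan_logcat(SAMPLE_LOG).items():
        print(pid, classify(seen), seen)
```

Grouping by PID matters because AAA and BBB are not unique tags; only the two markers from the same process, taken together, point at this code path.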