Android 8.1 source code compilation and customization (ROM modding) test

1. Pre-work

Install VMware and an Ubuntu 18.04 image

https://blog.csdn.net/weixin_43290551/article/details/125954709

Fix copy and paste not working

https://blog.csdn.net/qq_41940277/article/details/122610916

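VS Code installation

https://vscode.cdn.azure.cn/stable/5e805b79fcb6ba4c2d23712967df89a089da575b/code_1.76.1-1678294265_amd64.deb

Install the downloaded .deb:

sudo dpkg -i file

Alternatively, this one command is enough:

sudo snap install code

If dpkg fails with "dpkg: error: dpkg frontend is already locked by another process", remove the stale lock files (after making sure no other apt or dpkg process is still running):

sudo rm /var/lib/dpkg/lock-frontend

sudo rm /var/lib/dpkg/lock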

2. Install the compilation environment

1. Install dependency packages (the list can be found on the official website)

sudo apt update
sudo apt-get install git-core gnupg flex bison build-essential zip curl zlib1g-dev gcc-multilib g++-multilib libc6-dev-i386 lib32ncurses5-dev x11proto-core-dev libx11-dev lib32z1-dev libgl1-mesa-dev libxml2-utils xsltproc unzip fontconfig

Install htop and jnettop (run them with sudo):

sudo apt install htop jnettop

Install proxychains, configure the proxy in /etc/proxychains.conf, then check that traffic goes through it:

sudo apt install proxychains

sudo nano /etc/proxychains.conf

proxychains curl http://httpbin.org/ip

2. Unzip the package and drivers

It will pause at 20%.

3. Install python2.7

4. Install the driver

Press Enter, then Space.

Give permissions to vendor. Remember that all files under this folder must be given permission:

sudo chmod 777 -R vendor/

3. Modify the source code

Remove all localized settings so that the commands execute correctly.

Find the /build/envsetup.sh file in the root directory of the Android source code and add the following line at the end of the file:

export LC_ALL=C

Add the Java environment to the environment variables

The Android 8.1.0 source code ships with a JDK by default.
The path is /prebuilts/jdk/jdk8; I chose to add /prebuilts/jdk/jdk8/linux-x86/bin to the environment variable.
Open the .bashrc file and add the following line at the end of the file:

export PATH=$PATH:/home/lingzhiyi/Documents/aosp-all/aosp-pixel810/aosp810r1/prebuilts/jdk/jdk8/linux-x86/bin

4. Compile

Go back to the Android root directory

source build/envsetup.sh
lunch 24    # same as: lunch aosp_sailfish-user
make -j6    # 6 means 6 parallel jobs (threads)

Step by step: go to the source directory and run source build/envsetup.sh

Run lunch

Select aosp_sailfish-user

5. Built-in features

1. Built-in Frida gadget dynamic library

  • Place the compiled gadget library (32-bit and 64-bit)
  • Configure it in the source code
    • Modify the /build/make/target/product/core.mk file; pay attention to where the addition is placed

Load the built-in library

            // Existing line in ActivityThread.handleBindApplication(); the additions follow it.
            app = data.info.makeApplication(data.restrictedBackupMode, null);

            // demoli-add start
            // Load the gadget only for packages that have a marker file on /sdcard.
            String curPkgName = data.appInfo.packageName;
            String path_for_gadget = "/sdcard/" + curPkgName + "demoligadgethook";
            File path_curPkgName = new File(path_for_gadget);
            if (path_curPkgName.exists()) {
                String arch = System.getProperty("os.arch");
                try {
                    if (arch != null && arch.contains("64")) {
                        System.load("/system/lib64/demoli.so");
                    } else {
                        System.load("/system/lib/demoli.so");
                    }
                    Slog.e("demoli", "load gadget successful");
                } catch (Throwable e) {
                    // System.load() reports failure with UnsatisfiedLinkError,
                    // which is an Error rather than an Exception.
                    Slog.e("demoli", "demoli_failed=" + e.toString());
                }
            }
            // demoli-add end

            // demoli-add start
            // Needs java.lang.reflect.Field, java.lang.reflect.Array,
            // dalvik.system.BaseDexClassLoader and dalvik.system.DexClassLoader imported.
            //String curPkgName = app.getPackageName();
            String path_for_dex = "/sdcard/" + curPkgName + "demolidexhook.dex";
            File file = new File(path_for_dex);
            if (file.exists()) {
                try {
                    // Get the pathList field of BaseDexClassLoader
                    // private final DexPathList pathList;
                    Field pathListField = BaseDexClassLoader.class.getDeclaredField("pathList");
                    // Bypass the private access check so the field can be read
                    pathListField.setAccessible(true);
                    // Get the pathList object of the current ClassLoader
                    Object pathListObj = pathListField.get(app.getClassLoader());
                    // Get the Class object (DexPathList) of the current ClassLoader's pathList
                    Class<?> dexPathListClass = pathListObj.getClass();
                    // Get the dexElements field of DexPathList
                    // private final Element[] dexElements;
                    Field dexElementsField = dexPathListClass.getDeclaredField("dexElements");
                    // Bypass the private access check so the field can be read and written
                    dexElementsField.setAccessible(true);
                    // Create a ClassLoader for the plugin dex
                    DexClassLoader pathClassLoader = new DexClassLoader(file.getPath(), file.getAbsolutePath(), null, app.getClassLoader());
                    // Get the pathList object of the plugin's DexClassLoader
                    Object newPathListObj = pathListField.get(pathClassLoader);
                    // Get the dexElements array of the plugin's pathList
                    Object newDexElementsObj = dexElementsField.get(newPathListObj);
                    // Get the dexElements array of the current pathList
                    Object dexElementsObj = dexElementsField.get(pathListObj);
                    int oldLength = Array.getLength(dexElementsObj);
                    int newLength = Array.getLength(newDexElementsObj);
                    // Create the merged dexElements array
                    Object concatDexElementsObject = Array.newInstance(dexElementsObj.getClass().getComponentType(), oldLength + newLength);
                    // Put the new dex entries first, so they are searched first
                    for (int i = 0; i < newLength; i++) {
                        Array.set(concatDexElementsObject, i, Array.get(newDexElementsObj, i));
                    }
                    // Then append the original dex entries
                    for (int i = 0; i < oldLength; i++) {
                        Array.set(concatDexElementsObject, newLength + i, Array.get(dexElementsObj, i));
                    }
                    // Store the merged array in the current ClassLoader's pathList
                    dexElementsField.set(pathListObj, concatDexElementsObject);
                    Slog.e("dexhook", "demoli add dex successful!");
                } catch (Exception e) {
                    e.printStackTrace();
                }
            } else {
                Slog.e("dexhook", path_for_dex + " not exists");
            }

            String path_for_apk = "/sdcard/" + curPkgName + "demoliapkhook.apk";
            File file_apk = new File(path_for_apk);
            if (file_apk.exists()) {
                try {
                    // Get the pathList field of BaseDexClassLoader
                    // private final DexPathList pathList;
                    Field pathListField2 = BaseDexClassLoader.class.getDeclaredField("pathList");
                    // Bypass the private access check so the field can be read
                    pathListField2.setAccessible(true);
                    // Get the pathList object of the current ClassLoader
                    Object pathListObj2 = pathListField2.get(app.getClassLoader());
                    // Get the Class object (DexPathList) of the current ClassLoader's pathList
                    Class<?> dexPathListClass2 = pathListObj2.getClass();
                    // Get the dexElements field of DexPathList
                    // private final Element[] dexElements;
                    Field dexElementsField2 = dexPathListClass2.getDeclaredField("dexElements");
                    // Bypass the private access check so the field can be read and written
                    dexElementsField2.setAccessible(true);
                    // Create a ClassLoader for the plugin apk
                    DexClassLoader pathClassLoader2 = new DexClassLoader(file_apk.getPath(), file_apk.getAbsolutePath(), null, app.getClassLoader());
                    // Get the pathList object of the plugin's DexClassLoader
                    Object newpathListObj2 = pathListField2.get(pathClassLoader2);
                    // Get the dexElements array of the plugin's pathList
                    Object newDexElementsObj2 = dexElementsField2.get(newpathListObj2);
                    // Replace the current ClassLoader's dexElements with the plugin's dexElements
                    dexElementsField2.set(pathListObj2, newDexElementsObj2);
                    Slog.e("dexhook", "demoli add apk successful!");
                } catch (Exception e) {
                    e.printStackTrace();
                }
            } else {
                Slog.e("apkhook", path_for_apk + " not exists");
            }
            // demoli add end
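
The patch above is gated only by the presence of a marker file on shared storage, so on a test device it is worth checking which packages are currently opted in and whether the gadget library was actually mapped into a process. The following is an added example, not code from the original post: the function names and the sample listing and maps excerpt are constructed, while the marker suffixes and library paths are the ones used in the patch.

```python
import re

# Marker suffixes and library paths as used by the patch on this page.
MARKERS = {"demoligadgethook": "gadget",
           "demolidexhook.dex": "dex",
           "demoliapkhook.apk": "apk"}
GADGET_LIBS = {"/system/lib64/demoli.so", "/system/lib/demoli.so"}
# A package name has at least two dot-separated segments.
PKG_RE = re.compile(r"[A-Za-z]\w*(\.[A-Za-z]\w*)+")


def find_markers(names):
    """Map package name -> sorted hook kinds enabled by marker files."""
    found = {}
    for name in (n.strip() for n in names):
        for suffix, kind in MARKERS.items():
            pkg = name[:-len(suffix)]
            if name.endswith(suffix) and PKG_RE.fullmatch(pkg):
                found.setdefault(pkg, set()).add(kind)
    return {pkg: sorted(kinds) for pkg, kinds in found.items()}


def gadget_mapped(maps_text):
    """Return the gadget library paths mapped in a /proc/<pid>/maps dump."""
    hits = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # range perms offset dev inode [path]
        if len(fields) == 6 and fields[5].strip() in GADGET_LIBS:
            hits.add(fields[5].strip())
    return sorted(hits)


# Constructed sample data: a listing of /sdcard and a maps excerpt.
SAMPLE_LISTING = """Download
com.example.bankdemoligadgethook
com.example.bankdemolidexhook.dex
org.sample.chatdemoliapkhook.apk
demoligadgethook
notes.txt""".splitlines()
SAMPLE_MAPS = """\
7a1c000000-7a1c200000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so
7a1d000000-7a1e400000 r-xp 00000000 fd:00 5678 /system/lib64/demoli.so
7a1e400000-7a1e500000 rw-p 01400000 fd:00 5678 /system/lib64/demoli.so
7a2f000000-7a2f021000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    print(find_markers(SAMPLE_LISTING))
    print(gadget_mapped(SAMPLE_MAPS))
```

Feed it a directory listing of /sdcard and the contents of /proc/<pid>/maps captured from the test device in place of the constructed samples.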

6. General modification plan

  • Load this file
  • In /system/core/init/property_service.cpp
    Then you need to add the modified mybuild.prop to the compilation chain. The following is the solution for Android 8; the path to modify is different on Android 10. It needs to be placed at the end.
  • Create this file yourself

1. Customize su

The computer is too rubbish; wait for me to compile it and I'll post the result.