1. Pre-work
Install VMware and an Ubuntu 18.04 image
https://blog.csdn.net/weixin_43290551/article/details/125954709
Solve cannot copy and paste
https://blog.csdn.net/qq_41940277/article/details/122610916
vscode installation
https://vscode.cdn.azure.cn/stable/5e805b79fcb6ba4c2d23712967df89a089da575b/code_1.76.1-1678294265_amd64.deb
sudo dpkg -i file
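Alternatively, this single command is enough: sudo snap install code
If dpkg reports "dpkg: error: dpkg frontend is already locked by another process", first check that no other apt/dpkg process is still running, then remove the stale lock files: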
sudo rm /var/lib/dpkg/lock-frontend
sudo rm /var/lib/dpkg/lock
2. Install the compilation environment
1. Install dependency packages (can be found on the official website)
sudo apt update
sudo apt-get install git-core gnupg flex bison build-essential zip curl zlib1g-dev gcc-multilib g++-multilib libc6-dev-i386 lib32ncurses5-dev x11proto-core-dev libx11-dev lib32z1-dev libgl1-mesa-dev libxml2-utils xsltproc unzip fontconfig
sudo apt install htop jnettop
Add sudo when using
sudo apt install proxychains
sudo nano /etc/proxychains.conf (configure your proxy here)
proxychains curl http://httpbin.org/ip
2. Unzip package and driver
It will pause at 20%
3. Install python2.7
4. Install the driver
press enter then space
Give permission on vendor/. Remember that every file under this folder must be given permission (mode 777 makes the whole tree world-writable, so keep this to a single-user build machine).
sudo chmod 777 -R vendor/
3. Modify the source code
Remove all localized settings, so that the command can be executed correctly
Find the /build/envsetup.sh file in the root directory of the Android source code, and add the following line at the end of the file
export LC_ALL=C
Add the java environment to the environment variable
Android 8.1.0 source code comes with jdk by default
The path is /prebuilts/jdk/jdk8; I chose to add /prebuilts/jdk/jdk8/linux-x86/bin to the environment variable.
Open the .bashrc file first, and add the following line at the end of the file:
export PATH=$PATH:/home/lingzhiyi/Documents/aosp-all/aosp-pixel810/aosp810r1/prebuilts/jdk/jdk8/linux-x86/bin
4. Compile
Go back to the Android root directory
source build/envsetup.sh
lunch 24 // lunch aosp_sailfish-user
make -j6 // 6 means 6 threads
Go to the source directory source build/envsetup.sh
lunch
aosp_sailfish-user
5. Built-in features
1. Dynamic library with built-in frida
- Place the compiled gadget library (32-bit and 64-bit)
- Configured in the source code
- Modify the
/build/make/target/product/core.mk
file, pay attention to the added place
- Modify the
Load built-in library
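// NOTE(review): this is a fragment to paste into framework code where `app` and `data` are
// already in scope (presumably ActivityThread.handleBindApplication; confirm against the
// AOSP 8.1 tree). The enclosing file needs java.io.File, java.lang.reflect.Array,
// java.lang.reflect.Field, dalvik.system.BaseDexClassLoader, dalvik.system.DexClassLoader
// and android.util.Slog in scope.
//
// NOTE(review): every trigger file below lives under /sdcard, i.e. shared storage. On a ROM
// carrying this patch, whatever can write there decides which native library, dex or apk is
// loaded inside the starting app's process, so such an image belongs on a dedicated analysis
// device only. A directory that only adb shell/root can write would be a tighter trigger
// location (SELinux policy permitting; not verified here).
app = data.info.makeApplication(data.restrictedBackupMode, null);

// demoli-add start
String curPkgName = data.appInfo.packageName;

// ---- 1. Gadget: load the prebuilt native library when the marker file exists ----
// The marker name is the package name directly followed by the suffix (no separator).
String path_for_gadget = "/sdcard/" + curPkgName + "demoligadgethook";
File path_curPkgName = new File(path_for_gadget);
if (path_curPkgName.exists()) {
    String arch = System.getProperty("os.arch");
    try {
        // Pick the library directory that matches the process architecture.
        if (arch != null && arch.contains("64")) {
            System.load("/system/lib64/demoli.so");
        } else {
            System.load("/system/lib/demoli.so");
        }
        Slog.e("demoli", "load gadget successful");
    } catch (UnsatisfiedLinkError | Exception e) {
        // System.load reports a missing or incompatible library with UnsatisfiedLinkError,
        // which is an Error and would escape a plain `catch (Exception e)` and take the
        // app process down during startup.
        Slog.e("demoli", "demoli_failed=" + e.toString());
    }
}
// demoli-add end

// demoli-add start
// ---- 2. Dex: put the classes of an optional dex file in front of the app's own ----
String path_for_dex = "/sdcard/" + curPkgName + "demolidexhook.dex";
File file = new File(path_for_dex);
if (file.exists()) {
    try {
        // BaseDexClassLoader keeps its search path in the private field
        //     private final DexPathList pathList;
        Field pathListField = BaseDexClassLoader.class.getDeclaredField("pathList");
        pathListField.setAccessible(true);

        // pathList of the application's class loader, and its concrete class (DexPathList).
        Object pathListObj = pathListField.get(app.getClassLoader());
        Class<?> dexPathListClass = pathListObj.getClass();

        // DexPathList keeps the loaded dex files in the private field
        //     private final Element[] dexElements;
        Field dexElementsField = dexPathListClass.getDeclaredField("dexElements");
        dexElementsField.setAccessible(true);

        // Load the extra dex through its own class loader, parented to the app's loader.
        // The second argument is DexClassLoader's optimizedDirectory; per the DexClassLoader
        // documentation it has no effect from API level 26 on, so the value passed here
        // should not matter on Android 8.1.
        DexClassLoader pathClassLoader = new DexClassLoader(
                file.getPath(), file.getAbsolutePath(), null, app.getClassLoader());

        // dexElements of the extra loader and of the app's loader.
        Object newPathListObj = pathListField.get(pathClassLoader);
        Object newDexElementsObj = dexElementsField.get(newPathListObj);
        Object dexElementsObj = dexElementsField.get(pathListObj);

        int oldLength = Array.getLength(dexElementsObj);
        int newLength = Array.getLength(newDexElementsObj);

        // Build one array of the same component type: extra entries first, then the
        // app's original entries.
        Object concatDexElementsObject = Array.newInstance(
                dexElementsObj.getClass().getComponentType(), oldLength + newLength);
        for (int i = 0; i < newLength; i++) {
            Array.set(concatDexElementsObject, i, Array.get(newDexElementsObj, i));
        }
        for (int i = 0; i < oldLength; i++) {
            Array.set(concatDexElementsObject, newLength + i, Array.get(dexElementsObj, i));
        }

        // Install the combined array on the app's class loader.
        dexElementsField.set(pathListObj, concatDexElementsObject);
        Slog.e("dexhook", "demoli add dex successful!");
    } catch (Exception e) {
        // Log through Slog with the throwable so the failure carries its tag and stack trace.
        Slog.e("dexhook", "demoli add dex failed", e);
    }
} else {
    Slog.e("dexhook", path_for_dex + " not exists");
}

// ---- 3. Apk: swap the app loader's dexElements for those of an optional apk ----
String path_for_apk = "/sdcard/" + curPkgName + "demoliapkhook.apk";
File file_apk = new File(path_for_apk);
if (file_apk.exists()) {
    try {
        Field pathListField2 = BaseDexClassLoader.class.getDeclaredField("pathList");
        pathListField2.setAccessible(true);

        Object pathListObj2 = pathListField2.get(app.getClassLoader());
        Class<?> dexPathListClass2 = pathListObj2.getClass();

        Field dexElementsField2 = dexPathListClass2.getDeclaredField("dexElements");
        dexElementsField2.setAccessible(true);

        // Same construction as in the dex step, with the apk as the source.
        DexClassLoader pathClassLoader2 = new DexClassLoader(
                file_apk.getPath(), file_apk.getAbsolutePath(), null, app.getClassLoader());

        Object newpathListObj2 = pathListField2.get(pathClassLoader2);
        Object newDexElementsObj2 = dexElementsField2.get(newpathListObj2);

        // Unlike the dex step, nothing is concatenated here: the app loader's dexElements
        // array is replaced outright by the apk's, so the entries that were installed
        // before this line (including any added by the dex step) are dropped.
        dexElementsField2.set(pathListObj2, newDexElementsObj2);
        Slog.e("dexhook", "demoli add apk successful!");
    } catch (Exception e) {
        Slog.e("apkhook", "demoli add apk failed", e);
    }
} else {
    Slog.e("apkhook", path_for_apk + " not exists");
}
// demoli add end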
6. General modification plan
- load this file
- In
/system/core/init/property_service.cpp
Then you need to add the modified mybuild.prop to the compilation chain. The following solution is for Android 8; on Android 10 the path to modify is different. It needs to be placed at the end. - Create this file yourself
1. Customize su
My computer is too slow; I will post the result once the build has finished.