双十一,剁手入手某电视,“根据xxx法规,克制安装该软件...”,开机有广告,
凭经验,智能设备一样平常情况下都有“后门”,
系统设置,没发现有adb选选项,
nmap扫描电视开放的端口,无果
开机一段时间,电视弹出提示,系统更新,
镜像互换机,抓包,搞到ota更新包,在系统框架jar文件发现adb后门
附上后门关键代码
[Java] 纯文本检察 复制代码 private int[] mTurnONADBKeyCode = new int[]{21, 21, 19, 22}; private int[] mTurnONADBKeyCode2 = new int[]{10, 13, 16, 14}; private int[] mFactoryKeyCode = new int[]{24, 166, 24, 167, 82};private void checkShortcutMode(int keycode) { Intent intent; if (this.mFactoryKeyCode[mFactoryIndex] == keycode) { mFactoryIndex++; } else { mFactoryIndex = 0; } if (this.mBurnKeyCode[mBurnIndex] == keycode) { mBurnIndex++; } else { mBurnIndex = 0; } if (this.mTurnONADBKeyCode[mTurnOnADBIndex] == keycode) { mTurnOnADBIndex++; } else { mTurnOnADBIndex = 0; } if (this.mTurnONADBKeyCode2[mTurnOnADBIndex2] == keycode) { mTurnOnADBIndex2++; } else { mTurnOnADBIndex2 = 0; } if (this.mStartStockAppSwitcherKeycode[mStartStockAppSwitcherIndex] == keycode) { mStartStockAppSwitcherIndex++; } else { mStartStockAppSwitcherIndex = 0; } if (this.mCommitLogKeyCode[mCommitIndex] == keycode) { mCommitIndex++; } else { mCommitIndex = 0; } if (mFactoryIndex == this.mFactoryKeyCode.length) { mFactoryIndex = 0; intent = new Intent(); intent.setComponent(new ComponentName("com.apptv.factorytest", "com.apptv.factorytest.MainActivity")); intent.setFlags(268435456); try { this.mContext.startActivity(intent); } catch (Exception e) { Log.d(TAG, e.toString()); } } if (mTurnOnADBIndex == this.mTurnONADBKeyCode.length || mTurnOnADBIndex2 == this.mTurnONADBKeyCode2.length) { mTurnOnADBIndex = 0; Global.putInt(this.mContext.getContentResolver(), "adb_enabled", 1); SystemProperties.set("service.adb.enable", "1"); }}
解密相对简单,
int[] mTurnONADBKeyCode = new int[]{21, 21, 19, 22};
21, 21, 19, 22分别对应的,是 左 左 上 右 按键
在系统设置的任意地方按左 左 上 右按键,adb后门主动打开
来源:http://www.12558.net
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作! |