
Android逆向 游戏手柄apk分析

作者: LiuJP | 来源:发表于2020-06-07 09:56 被阅读0次
feizhi manifest
<?xml version="1.0" encoding="UTF-8"?>
<!-- Review notes: AndroidManifest.xml of com.fdg.flashplay.farsee (versionName 5.7.0.20, targetSdkVersion 28).
     Enum and flag attributes (launchMode, screenOrientation, configChanges) appear as raw numbers,
     which suggests the file was decoded from the APK's binary XML. These comments were added during
     review and are not part of the shipped manifest. -->
<manifest android:compileSdkVersion="28" android:compileSdkVersionCodename="9" android:versionCode="2020031717" android:versionName="5.7.0.20" package="com.fdg.flashplay.farsee" platformBuildVersionCode="28" platformBuildVersionName="9" xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28" />
  <!-- REQUEST_INSTALL_PACKAGES: the app can prompt the user to install other APKs; what it installs is not visible in this file. -->
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" />
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
  <uses-permission android:name="android.permission.INTERNET" />
  <!-- SYSTEM_ALERT_WINDOW: draw-over-other-apps overlay; the FloatingWindow service declared further down is the likely user (assumption, confirm in code). -->
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
  <!-- GET_TASKS is deprecated and returns little to third-party apps from API 21 (this app's minSdkVersion) onwards. -->
  <uses-permission android:name="android.permission.GET_TASKS" />
  <uses-permission android:name="android.permission.CAMERA" />
  <uses-permission android:name="android.permission.BLUETOOTH" />
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN" />
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
  <!-- PACKAGE_USAGE_STATS is not granted at install time; the user has to enable usage access in Settings.
       Together with GET_TASKS it points at foreground-app detection (assumption, verify in code). -->
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS" />
  <!-- ACCESS_FINE_LOCATION is declared twice; the duplicate is redundant. Bluetooth LE scanning needs a
       location permission at targetSdkVersion 28, which is presumably why it is requested. -->
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
  <uses-feature android:name="android.hardware.location.gps" />
  <uses-feature android:name="android.hardware.bluetooth_le" android:required="true" />
  <!-- READ_PHONE_STATE exposes device and subscriber identifiers at this target level.
       READ_LOGS is a signature/privileged/development permission: a normally installed app does not
       hold it unless it is granted over adb. -->
  <uses-permission android:name="android.permission.READ_PHONE_STATE" />
  <uses-permission android:name="android.permission.READ_LOGS" />
  <!-- android:name="MyWrapperProxyApplication" is an unqualified wrapper Application class, a pattern
       typical of packed (hardened) APKs; the real Application class is presumably loaded at runtime.
       allowBackup="false" keeps app data out of backups. The referenced @xml/network_security_config
       is not shown here: check it for cleartext-traffic and user-CA trust settings. -->
  <application android:allowBackup="false" android:appComponentFactory="androidx.core.app.CoreComponentFactory" android:extractNativeLibs="true" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:name="MyWrapperProxyApplication" android:networkSecurityConfig="@xml/network_security_config" android:resizeableActivity="true" android:supportsRtl="false" android:theme="@style/FZAppTheme">
    <!-- Exported on purpose: a wxapi.WXEntryActivity under the app package is the callback entry point
         used by the WeChat SDK. Any app can launch it, so its intent handling should be reviewed. -->
    <activity android:configChanges="0x4a0" android:exported="true" android:name="com.fdg.flashplay.farsee.wxapi.WXEntryActivity" android:theme="@android:style/Theme.Translucent.NoTitleBar" />
    <meta-data android:name="design_width_in_dp" android:value="360" />
    <meta-data android:name="design_height_in_dp" android:value="640" />
    <meta-data android:name="android.max_aspect" android:value="2.2" />
    <meta-data android:name="notch.config" android:value="portrait|landscape" />
    <!-- Not exported; access is handed out per URI (grantUriPermissions). What it can expose is
         defined by @xml/fileprovider, which is not shown. The same applies to the other providers below. -->
    <provider android:authorities="com.fdg.flashplay.farsee.fileprovider" android:exported="false" android:grantUriPermissions="true" android:name="androidx.core.content.FileProvider">
      <meta-data android:name="android.support.FILE_PROVIDER_PATHS" android:resource="@xml/fileprovider" />
    </provider>
    <!-- Launcher activity; it is the component named in the "Starting: Intent" log line quoted later in the article. -->
    <activity android:launchMode="1" android:name="com.game.motionelf.activity.ActivityStart" android:screenOrientation="1" android:theme="@style/FZAppTheme.Splash">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:launchMode="2" android:name="com.flydigi.qiji.ui.main.MainActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.qiji.ui.about_us.AboutActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.qiji.ui.license.LicenseActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.qiji.ui.contact_us.ContactUsActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.qiji.ui.about_phone.AboutPhoneActivity" android:screenOrientation="1" />
    <service android:enabled="true" android:exported="false" android:name="com.flydigi.statistics.StatisticsService" />
    <activity android:name="com.flydigi.login.ui.register.RegisterActivity" android:screenOrientation="1" android:windowSoftInputMode="0x10" />
    <activity android:name="com.flydigi.login.ui.login.LoginActivity" android:screenOrientation="1" android:windowSoftInputMode="0x10" />
    <activity android:name="com.flydigi.login.ui.reset.ResetPasswordActivity" android:screenOrientation="1" android:windowSoftInputMode="0x10" />
    <activity android:configChanges="0x4a0" android:name="com.mob.tools.MobUIShell" android:theme="@android:style/Theme.Translucent.NoTitleBar" android:windowSoftInputMode="0x12" />
    <activity android:name="com.flydigi.login.ui.user.NicknameEditActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.login.ui.user.ProfileNewActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.login.ui.user.CutImageActivity" android:screenOrientation="1" />
    <activity android:launchMode="1" android:name="com.flydigi.device_manager.ui.mapping_test.FullScreenDialogActivity" android:theme="@style/ThemeFullScreen_Translucent" />
    <activity android:launchMode="1" android:name="com.flydigi.device_manager.ui.remove_bond.RemoveBondActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.device_manager.ui.firmware_update.NotificationActivity" android:screenOrientation="1" />
    <activity android:launchMode="1" android:name="com.flydigi.device_manager.ui.firmware_update.DFUScanActivity" android:screenOrientation="1" android:taskAffinity="com.fdg.flashplay.farsee.firmware" />
    <activity android:launchMode="1" android:name="com.flydigi.device_manager.ui.firmware_update.FirmwareMatchActivity" android:screenOrientation="1" android:taskAffinity="com.fdg.flashplay.farsee.firmware" />
    <activity android:launchMode="1" android:name="com.flydigi.device_manager.ui.firmware_update.FirmwareHistoryActivity" android:screenOrientation="1" android:taskAffinity="com.fdg.flashplay.farsee.firmware" />
    <activity android:launchMode="1" android:name="com.flydigi.device_manager.ui.firmware_update.FirmwareUpdateActivity" android:screenOrientation="1" android:taskAffinity="com.fdg.flashplay.farsee.firmware" />
    <activity android:name="com.flydigi.device_manager.ui.connection.KeyboardMouseConnectGuideActivity" android:screenOrientation="1" />
    <activity android:launchMode="1" android:name="com.flydigi.device_manager.ui.device_active.DriverActivationActivity" android:screenOrientation="1" />
    <activity android:configChanges="0x4a0" android:name="com.flydigi.device_manager.ui.mapping_test.KeyMappingTestActivity" android:screenOrientation="6" android:theme="@style/ThemeFullScreen" />
    <activity android:name="com.flydigi.device_manager.ui.device_list.DeviceListActivity" android:screenOrientation="1" />
    <activity android:configChanges="0x4a0" android:name="com.flydigi.device_manager.ui.mapping_test.StingerTestActivity" android:screenOrientation="6" android:theme="@style/ThemeFullScreen" />
    <activity android:name="com.flydigi.cooperate.cjzc.ui.Activity_CJZC" android:screenOrientation="1" />
    <activity android:name="com.flydigi.cooperate.cjzc.ui.Activity_CJZC_Config_Manage" android:screenOrientation="1" />
    <activity android:name="com.flydigi.cooperate.cjzc.ui.Activity_CJZC_Listen" android:theme="@style/ThemeFullScreen_CJZC" />
    <activity android:name="com.flydigi.cooperate.cjzc.ui.Activity_CJZC_Listen_Special" android:theme="@style/ThemeFullScreen_CJZC" />
    <activity android:name="com.flydigi.cooperate.cjzc.ui.Activity_Dialog_CreateName" android:theme="@style/ThemeFullScreen_CJZC" />
    <activity android:name="com.flydigi.cooperate.cjzc.ui.Activity_Dialog_Vertical" android:theme="@style/ThemeFullScreen_CJZC" />
    <activity android:name="com.flydigi.cooperate.cjzc.ui.SetCJZCKeyActivity" />
    <activity android:name="com.flydigi.apex_space.ui.SpaceHomeActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.apex_space.ui.SpaceSettingKeyActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.apex_space.ui.SpaceSettingLedActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.apex_space.ui.SpaceHomeNoLineSettingActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.apex_space.ui.SpaceSettingKeyListImportActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.apex_space.ui.SpaceSettingSaveActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.apex_space.ui.SpaceHomeNoLineSettingSelectPopActivity" android:screenOrientation="1" android:theme="@style/ThemeFullScreen_Translucent" />
    <activity android:name="com.flydigi.apex_space.ui.SpaceHomeSettingMakeMacroListActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.apex_space.ui.SpaceHomeSettingMakeMacroDetailActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.apex_space.ui.SpaceHomeSettingLedColorActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.apex_space.ui.SpaceHomeMyDialogKeyGuideActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.apex_space.ui.SpaceHomeSettingMakeMacroDetailSaveActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.device_manager.ui.OpenFloatWindowNoticeActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.device_manager.ui.setting.GameSettingActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.device_manager.ui.device_active.XiaoyouHelpActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.device_manager.ui.sync.SyncConfigActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.cyberfox.ui.upgrade.UpgradeActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.cyberfox.ui.connect.ConnectActivity" android:screenOrientation="1" />
    <activity android:excludeFromRecents="true" android:launchMode="2" android:name="com.flydigi.device_manager.ui.detail.DetailActivity" android:screenOrientation="1" />
    <service android:exported="false" android:name="com.flydigi.cyberfox.services.GAIAGATTBLEService" />
    <service android:exported="false" android:name="com.flydigi.cyberfox.services.GAIABREDRService" />
    <service android:exported="false" android:name="com.flydigi.device_manager.service.GameScanIntentService" />
    <service android:enabled="true" android:exported="false" android:name="com.flydigi.device_manager.ui.firmware_update.DfuService" />
    <activity android:configChanges="0x4a0" android:name="com.flydigi.community.ui.article.ArticleDetailActivity" android:screenOrientation="1" />
    <activity android:configChanges="0x4a0" android:name="com.flydigi.community.ui.comment.detail.CommentDetailActivity" android:screenOrientation="1" android:windowSoftInputMode="0x10" />
    <activity android:name="com.flydigi.community.ui.message.CommunityMyMessageActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.community.ui.prize.CommunityMyZanMessageActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.community.ui.CommunityAddMessageActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.community.ui.detail.CommunityGameDetailActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.community.ui.send.SendConfigActivity" android:screenOrientation="1" />
    <activity android:configChanges="0x4a0" android:name="com.flydigi.community.ui.config.ConfigViewActivity" android:screenOrientation="1" />
    <activity android:configChanges="0x4a0" android:launchMode="1" android:name="com.flydigi.community.ui.search.SearchActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.community.ui.config.manage.MySharedConfigActivity" android:screenOrientation="1" />
    <activity android:launchMode="1" android:name="com.flydigi.game.ui.search.SearchActivity" android:screenOrientation="1" android:windowSoftInputMode="0x14" />
    <activity android:launchMode="1" android:name="com.flydigi.game.ui.download.DownloadStatusActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.game.ui.game_cat_detail.GameCatDetailActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.game.ui.game_detail.GameDetailActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.game.ui.download.DownloadSettingActivity" android:screenOrientation="1" />
    <activity android:name="com.flydigi.game.ui.game_cat_detail.GameCatActivity" android:screenOrientation="1" />
    <!-- exported="true" with no android:permission, running in the separate ":remote" process: any
         installed app can start or bind this service. Its class lives in com.android.motionelf rather
         than under the app's own package name. Review what its intent/binder interface accepts. -->
    <service android:enabled="true" android:exported="true" android:name="com.android.motionelf.FloatingWindow" android:process=":remote" />
    <meta-data android:name="design_width" android:value="720" />
    <meta-data android:name="design_height" android:value="1280" />
    <activity android:configChanges="0x4a0" android:launchMode="1" android:name="com.flydigi.base.ui.web.WebActivity" android:screenOrientation="1" android:windowSoftInputMode="0x12" />
    <activity android:launchMode="1" android:name="com.flydigi.base.ui.image_preview.ImagePreviewActivity" android:theme="@style/ImagePreviewTheme" />
    <activity android:configChanges="0x4a4" android:name="com.tencent.bugly.beta.ui.BetaActivity" android:theme="@android:style/Theme.Translucent" />
    <!-- This authority differs from the androidx FileProvider authority above only in letter case
         (fileProvider vs fileprovider). -->
    <provider android:authorities="com.fdg.flashplay.farsee.fileProvider" android:exported="false" android:grantUriPermissions="true" android:name="com.tencent.bugly.beta.utils.BuglyFileProvider">
      <meta-data android:name="android.support.FILE_PROVIDER_PATHS" android:resource="@xml/provider_paths" />
    </provider>
    <service android:exported="false" android:name="com.tencent.bugly.beta.tinker.TinkerResultService" android:permission="android.permission.BIND_JOB_SERVICE" />
    <meta-data android:name="com.bumptech.glide.integration.okhttp3.OkHttpGlideModule" android:value="GlideModule" />
    <!-- No android:exported and no intent-filter: defaults to not exported. -->
    <service android:name="xiaofei.library.hermeseventbus.HermesEventBus$Service" />
    <activity android:name="com.zhihu.matisse.ui.MatisseActivity" />
    <activity android:name="com.zhihu.matisse.internal.ui.AlbumPreviewActivity" />
    <activity android:name="com.zhihu.matisse.internal.ui.SelectedPreviewActivity" />
    <activity android:configChanges="0x4a0" android:multiprocess="true" android:name="com.blankj.utilcode.util.PermissionUtils$PermissionActivity" android:theme="@style/ActivityTranslucent" android:windowSoftInputMode="0x3" />
    <provider android:authorities="com.fdg.flashplay.farsee.utilcode.provider" android:exported="false" android:grantUriPermissions="true" android:multiprocess="true" android:name="com.blankj.utilcode.util.Utils$FileProvider4UtilCode">
      <meta-data android:name="android.support.FILE_PROVIDER_PATHS" android:resource="@xml/util_code_provider_paths" />
    </provider>
    <!-- No android:exported, but an intent-filter is present: at targetSdkVersion 28 this defaults to
         exported="true", and no android:permission is set, so other apps can bind to this service.
         Setting android:exported="false" explicitly would close it if cross-app use is not intended. -->
    <service android:name="com.blankj.utilcode.util.MessengerUtils$ServerService">
      <intent-filter>
        <action android:name="com.fdg.flashplay.farsee.messenger" />
      </intent-filter>
    </service>
    <activity android:configChanges="0x4a0" android:name="rx_activity_result2.HolderActivity" android:theme="@style/Theme.Transparent" />
    <!-- No intent-filter and no android:exported: defaults to not exported. -->
    <receiver android:name="com.just.agentweb.download.NotificationCancelReceiver" />
    <provider android:authorities="com.fdg.flashplay.farsee.AgentWebFileProvider" android:exported="false" android:grantUriPermissions="true" android:name="com.just.agentweb.AgentWebFileProvider">
      <meta-data android:name="android.support.FILE_PROVIDER_PATHS" android:resource="@xml/web_files_paths" />
    </provider>
    <activity android:configChanges="0x4a0" android:exported="false" android:launchMode="0" android:name="com.just.agentweb.ActionActivity" android:theme="@style/actionActivity" android:windowSoftInputMode="0x3" />
  </application>
</manifest>
启动 feizhi 的 motionelf_server,将其打印出的日志与 libmotionelf_server.so 对照分析
1|OnePlus7Pro:/data/local/tmp $ /data/local/tmp/motionelf_server startapp&
[1] 6130
OnePlus7Pro:/data/local/tmp $ Server has been run!
runcmd_and_checkres command:cp /sdcard/Android/data/com.android.motionelf/server/FZToolHelperAndroid.jar /data/local/tmp/ 2>&1
runcmd_and_checkres command:cp /sdcard/Android/data/com.android.motionelf/server/libmotionelf_server.so /data/local/tmp/ 2>&1
argc: 2,argv:startapp
startservice_inputevent qiji:    versionCode=2020031717 minSdk=21 targetSdk=28
Starting: Intent { cmp=com.fdg.flashplay.farsee/com.game.motionelf.activity.ActivityStart (has extras) }
start activity!!
width :@1440@
height:@3120@
wm size:width=1440,height=3120
jni JNI_OnLoad!
Java run start.
jni has been run!
File open error!
/dev/input/event5: open, touch_fd = 34
Flydigi_socket, comm_init
Flydigi_socket, init socket udp=35
utils_get_rotation_init: Device 6:
so loop!
100-Flydigi: socket_client_check_udp
100-Flydigi: dirver connet check gamepad
X9e_detect
testX9eProp half hand isAxisMatch=0x1f0
FlashPlay_detect
FlashPlay_detect
so loop!
FlashPlay_detect
so loop!
so loop!
X9e_detect
testX9eProp half hand isAxisMatch=0x1f0
FlashPlay_detect
so loop!
X9e_detect
testX9eProp half hand isAxisMatch=0x1f0
so loop!
so loop!
X9e_detect
testX9eProp half hand isAxisMatch=0x1f0
fd_update_mapping_mode: 2
=================thread_read_x9e_new start 0=================
screen state: 0
// 最后几行日志表示已连接上蓝牙设备,并收到了蓝牙设备的信息。
可以wifi连接调试

motionelf_server 中使用到了下面的命令;该属性让 adbd 在重启后监听 TCP 5555 端口,所以可以通过 Wi-Fi 调试,同时也意味着同一网络内的主机都能连到这个 adb 端口:
setprop service.adb.tcp.port 5555
https://www.jianshu.com/p/dc6898380e38

使用app_process 去启动

export CLASSPATH=/data/local/tmp/classes.dex && app_process32 /data/local/tmp com.qxtool.QXToolMain&!

&!
自己的

使用app_process 启动的程序
https://blog.csdn.net/u010651541/article/details/53163542
https://www.jianshu.com/p/86253b2c49f3

export CLASSPATH=/data/local/tmp/FZToolHelperAndroid.jar && app_process32 /data/local/tmp com.flydigi.tool.FZToolMain&

export CLASSPATH=/data/local/tmp/FZToolHelperAndroid.jar && app_process32 /data/local/tmp com.flydigi.tool.FZToolMain&                                        
[1] 7188
width :@1440@
height:@3120@
wm size:width=1440,height=3120
jni JNI_OnLoad!
Java run start.
jni has been run!
/dev/input/event5: open, touch_fd = 36
Flydigi_socket, comm_init
Flydigi_socket, init socket udp=37
Failed to write while dumping service input: Broken pipe
utils_get_rotation_init: Device 2: 
so loop!
100-Flydigi: socket_client_check_udp
so loop!
so loop!
so loop!
查看进程 杀死进程

ps -A | grep 'process'
kill -9 xxxx

OnePlus7Pro:/ # ps -A | grep 'shell'        
USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME                                                                         
shell         8865     1  172920   6276 do_sys_poll         0 S adbd
shell        14668  8865   27332   3704 SyS_rt_sigsuspend   0 S sh
shell        14670 14668   61320   2656 wait_woken          0 S su
shell        20407  8865   27332   3572 SyS_rt_sigsuspend   0 S sh
shell        20419 20407   61320   2804 wait_woken          0 R su
shell        31458     1   27332    636 SyS_rt_sigsuspend   0 S sh
shell        31459 31458 1496572  75816 compat_SyS_nanosleep 0 S app_process32

执行激活引导文件

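# Copy the activation helper out of the app's external-storage directory.
# NOTE(review): on Android releases without scoped-storage enforcement, other apps holding the
# storage permission can modify files under /sdcard/Android/data. Compare the binary against a
# known-good copy before running it with shell privileges.
adb shell dd if=/sdcard/Android/data/com.qx.joymap/files/andservice of=/data/local/tmp/andservice
# Each `adb shell <cmd>` starts in /, so a bare file name would not resolve to the copy in
# /data/local/tmp; use the absolute path.
adb shell chown shell /data/local/tmp/andservice
# 755 instead of 777: the shell user can still execute it, but it is no longer world-writable.
adb shell chmod 755 /data/local/tmp/andservice
# Run this last line inside an interactive `adb shell`, after `cd /data/local/tmp`.
./andservice & exit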

应用经过 tx 加固,需要先准备一台已 root 的手机,再使用 frida-DEXDump

libs目录

objectbox https://www.jianshu.com/p/e4ebaa433ae7

IDA分析 libmotionelf_server.so

会读到自己的设备
CwMcuSensor 传感器的相关
sys_touchscreen_param 是index
touch_fd 是打开触摸设备节点得到的文件描述符(对应上面日志中的 "/dev/input/event5: open, touch_fd = 34")
event_touch 是 input_event

IDA分析motionelf_server_40.so

要获取 /dev/input/eventX 中的输入信息,可以写一个带 main 函数的可执行 ELF 程序,放到 Android 手机的 /data/local/tmp 目录下执行

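 int getTouchEventNum() // Find which /dev/input/eventN node is the touch panel
{
    /*
     * Probes /dev/input/event0 .. event31, asks each device for its name with
     * EVIOCGNAME and returns the index of the first one whose name contains
     * "MTOUC Touch". Returns -1 when no such device can be opened and matched.
     */
    char          name[64];
    char          buf[256];
    int           fd;
    int           i;

    for (i = 0; i < 32; i++)
    {
        /* Bounded formatting: the path cannot overrun name[] even if the format changes. */
        snprintf(name, sizeof(name), "/dev/input/event%d", i);

        fd = open(name, O_RDONLY, 0);

        LOGD("%s  %d",name,fd);
        if (fd < 0)
            continue;   /* node missing or not readable by this user */

        /*
         * Clear the buffer for every device so a failed query cannot leave the
         * previous device's name behind, and ask for one byte less than the
         * buffer holds so the result is always NUL-terminated for strstr().
         */
        memset(buf, 0, sizeof(buf));
        if (ioctl(fd, EVIOCGNAME(sizeof(buf) - 1), buf) < 0)
        {
            LOGD("%s",name);
            close(fd);
            continue;
        }
        close(fd);

        if (strstr(buf, "MTOUC Touch"))
            return i;

        LOGD("%s",name);
        LOGD("%s",buf);
    }
    return -1;
}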

/dev/input/event0
name: qpnp_pon
/dev/input/event1
name: STM VL53L0 proximity sensor
/dev/input/event2
name: gpio-keys
/dev/input/event3
name: touchscreen
/dev/input/event4
name: uinput-fpc
/dev/input/event5
name: uinput-folio

外设驱动数据拦截

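让外设数据和手机屏幕触摸数据同时作用到设备上的关键方法如下。下面的调用记录中,ioctl 的请求码 0x40044590 即 EVIOCGRAB:参数为 1 时独占该输入设备(其他读取者在此期间收不到它的事件),参数为 0 时释放;这要求进程对 /dev/input 下的节点有读权限,普通应用通常没有这个权限。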

read: 0xa 0xe8d7bd1c 0x400
read: 0xa 0xe8d7bd1c 0x400
ioctl: 0xa 0x40044590 0x1
ioctl: 0x7 0x40044590 0x1
read: 0x7 0xe8f52d1c 0x400
read: 0x7 0xe8f52d1c 0x400
read: 0x7 0xe8f52d1c 0x400
read: 0x7 0xe8f52d1c 0x400
....
read: 0xa 0xe8d7bd1c 0x400
ioctl: 0xa 0x40044590 0x0
ioctl: 0x7 0x40044590 0x0
rawm

injectInput:rewmtech
server: rawmtech_server

beitong神游

包名:com.zuoyou.center
server: knife_server
injectInputEvent:com.zuoyou.inject
