{"id":853,"date":"2013-12-05T21:36:06","date_gmt":"2013-12-05T13:36:06","guid":{"rendered":"http:\/\/www.yeetrack.com\/?p=853"},"modified":"2013-12-05T21:36:06","modified_gmt":"2013-12-05T13:36:06","slug":"%e5%a6%82%e4%bd%95%e5%9c%a8root%e7%9a%84%e6%89%8b%e6%9c%ba%e4%b8%8a%e5%bc%80%e5%90%afviewserver%ef%bc%8c%e4%bd%bf%e5%be%97hierachyviewer%e8%83%bd%e5%a4%9f%e8%bf%9e%e6%8e%a5","status":"publish","type":"post","link":"https:\/\/www.yeetrack.com\/?p=853","title":{"rendered":"\u5982\u4f55\u5728Root\u7684\u624b\u673a\u4e0a\u5f00\u542fViewServer\uff0c\u4f7f\u5f97HierachyViewer\u80fd\u591f\u8fde\u63a5"},"content":{"rendered":"<p>\u5173\u4e8e\u4ec0\u4e48\u662fHierarchy Viewer\uff0c\u8bf7\u67e5\u770b\u5b98\u65b9\u6587\u6863\uff1a<a href=\"http:\/\/developer.android.com\/tools\/debugging\/debugging-ui.html\" target=\"_blank\" rel=\"nofollow\">http:\/\/developer.android.com\/tools\/debugging\/debugging-ui.html<\/a>\u3002\u4e2a\u4eba\u7406\u89e3\uff1aHierarchy Viewer\u80fd\u83b7\u5f97\u5f53\u524d\u624b\u673a\u5b9e\u65f6\u7684UI\u4fe1\u606f\uff0c\u7ed9\u754c\u9762\u8bbe\u8ba1\u4eba\u5458\u548c\u81ea\u52a8\u5316\u6d4b\u8bd5\u4eba\u5458\u5e26\u6765\u6781\u5927\u7684\u4fbf\u5229\u3002\u5199android\u81ea\u52a8\u5316\u7684\u65f6\u5019\uff0c\u80fd\u591f\u83b7\u53d6\u63a7\u4ef6\u7684id\u5c5e\u6027\u3002<\/p>\n<div><\/div>\n<div>\u5728Android\u7684\u5b98\u65b9\u6587\u6863\u4e2d\u63d0\u5230\uff1a<\/div>\n<div>To preserve security, Hierarchy Viewer can only connect to devices running a developer version of the Android system.<\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">\u5373\uff1a\u51fa\u4e8e\u5b89\u5168\u8003\u8651\uff0cHierarchy Viewer\u53ea\u80fd\u8fde\u63a5Android\u5f00\u53d1\u7248\u624b\u673a\u6216\u662f\u6a21\u62df\u5668(\u51c6\u786e\u5730\u8bf4\uff0c\u53ea\u6709<b>ro.secure\u53c2\u6570<\/b>\u7b49\u4e8e0\u4e14<b>ro.debuggable<\/b>\u7b49\u4e8e1\u7684android\u7cfb\u7edf)\u3002Hierarchy Viewer\u5728\u8fde\u63a5\u624b\u673a\u65f6\uff0c\u624b\u673a\u4e0a\u5fc5\u987b\u542f\u52a8\u4e00\u4e2a\u53ebView Server\u7684\u5ba2\u6237\u7aef\u4e0e\u5176\u8fdb\u884csocket\u901a\u4fe1\u3002\u800c\u5728\u5546\u4e1a\u624b\u673a\u4e0a\uff0c\u662f\u65e0\u6cd5\u5f00\u542fView Server\u7684\uff0c\u6545Hierarchy Viewer\u662f\u65e0\u6cd5\u8fde\u63a5\u5230\u666e\u901a\u7684\u5546\u4e1a\u624b\u673a\u3002<!--more--><\/span><\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">\u00a0<\/span><\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">Android\u6e90\u7801\u5b9e\u73b0\u8fd9\u4e00\u9650\u5236\u7684\u5730\u65b9\u5728:<\/span><\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">ANDROID\u6e90\u7801\u6839\u76ee\u5f55\\frameworks\\base\\services\\java\\com\\android\\server\\wm\\WindowManageService.java<\/span><\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">\u4e2d\u7684\u4e00\u6bb5\uff1a<\/span><\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">=====================================================================================<\/span><\/div>\n<div>public\u00a0boolean\u00a0startViewServer(int\u00a0port)\u00a0{<br \/>\nif\u00a0(isSystemSecure())\u00a0{<br \/>\nreturn\u00a0false;<br \/>\n}<\/p>\n<p>if\u00a0(!checkCallingPermission(Manifest.permission.DUMP,\u00a0\"startViewServer\"))\u00a0{<br \/>\nreturn\u00a0false;<br \/>\n}<\/p><\/div>\n<div>....<\/div>\n<div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">=====================================================================================<\/span><\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">\u00a0<\/span><\/div>\n<\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">\u68c0\u9a8c\u4e00\u53f0\u624b\u673a\u662f\u5426\u5f00\u542f\u4e86View Server\u7684\u529e\u6cd5\u4e3a\uff1a<\/span><\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">adb shell service call window 3<\/span><\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">\u82e5\u8fd4\u56de\u503c\u662f\uff1a<\/span>Result: Parcel(00000000 00000000 '........')\" \u8bf4\u660eView Server\u5904\u4e8e\u5173\u95ed\u72b6\u6001<\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">\u82e5\u8fd4\u56de\u503c\u662f\uff1a<\/span>Result: Parcel(00000000 00000001 '........')\" \u8bf4\u660eView Server\u5904\u4e8e\u5f00\u542f\u72b6\u6001<\/div>\n<div><\/div>\n<div>\u82e5\u662f\u4e00\u53f0\u53ef\u4ee5\u6253\u5f00View Server\u7684\u624b\u673a\uff08Android\u5f00\u53d1\u7248\u624b\u673a \u3001\u6a21\u62df\u5668or \u6309\u7167\u672c\u5e16\u6b65\u9aa4\u7ed9\u7cfb\u7edf\u6253\u8865\u4e01\u7684\u624b\u673a\uff09\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u6253\u5f00View Server\uff1a<\/div>\n<div>adb shell service call window 1 i32 4939<\/div>\n<div>\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u5173\u95edView Server\uff1a<\/div>\n<div>adb shell service call window 2 i32 4939<\/div>\n<div><\/div>\n<div><\/div>\n<div><\/div>\n<div>\n<div><b><span style=\"font-size: x-large;\">\u5b9e\u73b0\u6b65\u9aa4\uff1a<\/span><\/b><\/div>\n<\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">\u7ecf\u8fc7\u4e00\u756a\u8c03\u67e5\u548c\u5b9e\u8df5\uff0c\u6211\u53d1\u73b0\u5176\u5b9e\u53ea\u8981\u662froot\uff0c\u5e76\u4e14\u88c5\u6709busybox\u7684\u624b\u673a\uff0c\u901a\u8fc7\u4fee\u6539\u624b\u673a\u4e0a\/system\/framework\u4e2d\u7684\u67d0\u4e9b\u6587\u4ef6\uff0c\u5c31\u53ef\u4ee5\u5f00\u542f\u3002\u672c\u6587\u53c2\u8003\u4e86<\/span><a href=\"http:\/\/blog.apkudo.com\/tag\/viewserver\/\" target=\"_blank\" rel=\"nofollow\">http:\/\/blog.apkudo.com\/tag\/viewserver\/<\/a><span style=\"color: #222222; font-family: Roboto, sans-serif;\">\uff0c<\/span>\u4ee5\u4e0b\u662f\u5177\u4f53\u6b65\u9aa4\uff08\u672c\u4eba\u57fa\u4e8eWindows\uff0c\u82e5\u4f60\u662fLinux\u7684\u64cd\u4f5c\u7cfb\u7edf\uff0c\u76f4\u63a5\u770b\u539f\u5e16\u5427\uff09\uff1a<\/div>\n<div><b>\u524d\u63d0\u662f\uff1a\u4f60\u7684\u624b\u673a\u5df2\u7ecf\u83b7\u5f97ROOT\u6743\u9650\uff0c\u4e14\u6709BUSYBOX<\/b><\/div>\n<div><span style=\"color: #ff0000; font-family: Roboto, sans-serif;\"><b>\u53e6\u5916\uff1a\u8bf7\u4ed4\u7ec6\u9605\u8bfb\u672c\u5e16\u7684\u8bc4\u8bba\uff0c\u6216\u8bb8\u4f60\u4f1a\u6709\u65b0\u7684\u6536\u83b7\u3002<\/b><\/span><\/div>\n<div><b>\u00a0<\/b><\/div>\n<div>1.\u5c06\u5546\u4e1a\u624b\u673a\u901a\u8fc7USB\u8fde\u63a5PC\uff0c\u786e\u4fddadb\u670d\u52a1\u8fd0\u884c\u6b63\u5e38<\/div>\n<div><\/div>\n<div>2.\u5907\u4efd\u624b\u673a\u4e0a\/system\/framework\/\u4e2d\u7684\u6587\u4ef6\u81f3PC\u3002\u5907\u4efd\u7684\u65f6\u5019\u8bf7\u786e\u4fddPC\u4e0a\u4fdd\u5b58\u5907\u4efd\u6587\u4ef6\u7684\u6587\u4ef6\u5939\u7ed3\u6784\u4e0e\u624b\u673a\u4e2d\u7684\/system\/framework\u76f8\u540c<\/div>\n<div>\u4f8b\u5982\uff1a\u65b0\u5efa ANDROID_SDK_ROOT\\system\\framework\u6587\u4ef6\u5939 (<span style=\"color: #ff0000;\">\u672c\u6587\u51fa\u73b0\u7684ANDROID_SDK_ROOT\u6307\u4f60\u5b89\u88c5Android SDK\u7684\u6839\u76ee\u5f55<\/span>\uff09<\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">\u63a5\u7740\u5728cmd\u4e2d\u8df3\u8f6c\u81f3ANDROID_SDK_ROOT\\platform-tools\u6587\u4ef6\u5939\u4e0b\uff0c\u8f93\u5165\u4ee5\u4e0b\u4ee3\u7801\u8fdb\u884c\u5907\u4efd\uff1a<\/span><\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">adb pull \/system\/framework\u00a0<\/span>\u00a0ANDROID_SDK_ROOT\\system\\framework<\/div>\n<div><\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">3.\u8fdb\u5165adb shell\uff0c\u8f93\u51faBOOTCLASSPATH\uff1a<\/span><\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">\u63a8\u8350\u7684\u505a\u6cd5\uff1a<\/span><\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">1. \u5728adb shell\u4e2decho $BOOTCLASSPATH &gt; \/sdcard\/bootclasspath.txt<\/span><\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">2. \u9000\u56de\u5230windows cmd\u4e2d\uff0c\u8f93\u5165adb pull \/sdcard\/bootclasspath.txt<\/span><\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">3. bootclasspath.txt\u5c06\u4f1a\u4fdd\u5b58\u5728<\/span><span style=\"color: #222222; font-family: Roboto, sans-serif;\">C:\\Users\\\u4f60\u7684\u7528\u6237\u540d \u6587\u4ef6\u5939\u4e0b<\/span><\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">\u5728\u7b2c\u5341\u4e94\u6b65\u4e2d\u5c06\u4f1a\u7528\u5230\u8fd9\u4e2atxt\u4e2d\u7684\u5185\u5bb9\u3002<\/span><\/div>\n<div><\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">4.\u4e0b\u8f7dbaksmali \u548csmali\u5de5\u5177\u3002\u8fd9\u4e24\u4e2a\u5de5\u5177\u662f\u7528\u6765\u53cd\u7f16\u8bd1\u548c\u7f16\u8bd1odex\u6587\u4ef6\u7684\u3002<\/span><\/div>\n<div><span style=\"color: #222222; font-family: Roboto, sans-serif;\">\u4e0b\u8f7d\u5730\u5740\uff1a<\/span><\/div>\n<div><a href=\"https:\/\/dl.dropboxusercontent.com\/u\/5055823\/baksmali-1.4.2.jar\" target=\"_blank\" rel=\"nofollow\">https:\/\/dl.dropboxusercontent.com\/u\/5055823\/baksmali-1.4.2.jar<\/a><\/div>\n<div><a href=\"https:\/\/dl.dropboxusercontent.com\/u\/5055823\/smali-1.4.2.jar\" target=\"_blank\" rel=\"nofollow\">https:\/\/dl.dropboxusercontent.com\/u\/5055823\/smali-1.4.2.jar<\/a><\/div>\n<div><span style=\"color: #ff0000;\">\u5047\u8bbe\u6211\u5c06\u8fd9\u4e24\u4e2ajar\u90fd\u4e0b\u8f7d\u5230\u4e86ANDROID SDK\u6839\u76ee\u5f55\u4e0b\u3002<\/span><\/div>\n<div><span style=\"color: #ff0000;\">\u00a0<\/span><\/div>\n<div><span style=\"color: #222222;\"><span style=\"font-family: Roboto, sans-serif;\">5.<\/span><span style=\"font-family: Verdana;\">\u8fd0\u884cbaksmali\u53cd\u7f16\u8bd1\\system\\framework\u4e0b\u7684services.odex\u6587\u4ef6\uff1a<\/span><\/span><\/div>\n<div><span style=\"font-family: Verdana; font-size: small;\">java -jar ANDROID_SDK_ROOT\\baksmali-1.4.2.jar -a 17 -x\u00a0ANDROID_SDK_ROOT\\system\\framework\\services.odex -d ANDROID_SDK_ROOT\\system\\framework<\/span><\/div>\n<div><span style=\"font-family: Verdana; font-size: small;\">\u53c2\u6570\u89e3\u91ca\uff1a<\/span><a href=\"https:\/\/code.google.com\/p\/smali\/wiki\/DeodexInstructions\" target=\"_blank\" rel=\"nofollow\">https:\/\/code.google.com\/p\/smali\/wiki\/DeodexInstructions<\/a><\/div>\n<div>\u60f3\u7279\u522b\u8bf4\u660e\u7684\u662f\u201c-a\u201d\u540e\u8ddf\u7684\u6570\u5b57\uff0c\u8868\u793a\u4f60\u7cfb\u7edf\u7684API Level\uff08\u4e0e\u4f60\u7684\u7cfb\u7edf\u7248\u672c\u6709\u5173\uff09\u3002\u7cfb\u7edf\u7248\u672c\u548cAPI Level\u7684\u5bf9\u7167\u5173\u7cfb\u5982\u4e0b\uff1a<\/div>\n<div><img decoding=\"async\" alt=\"\" src=\"http:\/\/1852.img.pp.sohu.com.cn\/images\/blog\/2013\/4\/2\/7\/15\/c51683636_13e8bdcaf93g85_blog.png\" border=\"0\" \/><\/div>\n<div><span style=\"font-family: Verdana;\">(<\/span>\u53e6\u5916\uff0c\u4f60\u4e0d\u4f1a\u8fdejava -jar\u90fd\u4e0d\u80fd\u8fd0\u884c\u5427?\u5feb\u53bb\u88c5jdk!)<\/div>\n<div><span style=\"font-family: Verdana;\">\u6b64\u6b65\u6210\u529f\u7684\u8bdd,\u5728\u540c\u6587\u4ef6\u5939\u4e0b(\u5bf9\u4e8e\u6211,\u5c31\u662fANDROID_SDK_ROOT)\uff0c\u4f1a\u6709\u4e2aout\u6587\u4ef6\u5939\u751f\u6210<\/span><\/div>\n<div><span style=\"font-family: Verdana;\">\u00a0<\/span><\/div>\n<div><span style=\"font-family: Verdana;\">\u8fd9\u91cc\u987a\u4fbf\u89e3\u91ca\u4e00\u4e0bodex\u6587\u4ef6\u548cdex\u6587\u4ef6\u3002<\/span><\/div>\n<div><span style=\"font-family: Verdana;\"><b>dex\u6587\u4ef6<\/b>\uff1a<\/span>Dex\u662fDalvik VM executes\u7684\u5168\u79f0\uff0c\u5373Android Dalvik\u6267\u884c\u7a0b\u5e8f\uff0c\u5e76\u975eJava\u7684\u5b57\u8282\u7801\u800c\u662fDalvik\u5b57\u8282\u7801\uff0c16\u8fdb\u5236\u673a\u5668\u6307\u4ee4\u3002<\/div>\n<div><b>odex\u6587\u4ef6<\/b>\uff1a\u5c06dex\u6587\u4ef6\u4f9d\u636e\u5177\u4f53\u673a\u578b\u800c\u4f18\u5316\uff0c\u5f62\u6210\u7684optimized dex\u6587\u4ef6\uff0c\u63d0\u9ad8\u8f6f\u4ef6\u8fd0\u884c\u901f\u5ea6\uff0c\u51cf\u5c11\u8f6f\u4ef6\u8fd0\u884c\u65f6\u5bf9RAM\u7684\u5360\u7528\u3002<\/div>\n<div><span style=\"font-family: Verdana;\"><b>smali\u6587\u4ef6\uff1a<\/b>\u5c06dex\u6587\u4ef6\u53d8\u4e3a\u53ef\u8bfb\u6613\u61c2\u7684\u4ee3\u7801\u5f62\u5f0f\uff0c\u53cd\u7f16\u8bd1\u51fa\u6587\u4ef6\u7684\u4e00\u822c\u683c\u5f0f\u3002<\/span><\/div>\n<div><span style=\"font-family: Verdana;\">\u00a0<\/span><\/div>\n<div>6.\u7528Eclipse\u6253\u5f00out\\com\\android\\server\\wm\\WindowManagerService.smali\u6587\u4ef6<\/div>\n<div><span style=\"font-family: Verdana; font-size: small;\">\u67e5\u627e.method private isSystemSecure()Z\u8fd9\u4e2a\u51fd\u6570<\/span><\/div>\n<div><span style=\"font-family: Verdana; font-size: small;\">================================================================<\/span><\/div>\n<div>\n<div>.method private isSystemSecure()Z<\/div>\n<div>\u00a0 \u00a0 .registers 4<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 .prologue<\/div>\n<div>\u00a0 \u00a0 .line 5965<\/div>\n<div>\u00a0 \u00a0 const-string v0, \"1\"<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 const-string v1, \"ro.secure\"<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 const-string v2, \"1\"<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 invoke-static {v1, v2}, Landroid\/os\/SystemProperties;-&gt;get(Ljava\/lang\/String;Ljava\/lang\/String;)Ljava\/lang\/String;<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 move-result-object v1<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 invoke-virtual {v0, v1}, Ljava\/lang\/String;-&gt;equals(Ljava\/lang\/Object;)Z<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 move-result v0<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 if-eqz v0, :cond_22<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 const-string v0, \"0\"<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 const-string v1, \"ro.debuggable\"<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 const-string v2, \"0\"<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 invoke-static {v1, v2}, Landroid\/os\/SystemProperties;-&gt;get(Ljava\/lang\/String;Ljava\/lang\/String;)Ljava\/lang\/String;<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 move-result-object v1<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 invoke-virtual {v0, v1}, Ljava\/lang\/String;-&gt;equals(Ljava\/lang\/Object;)Z<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 move-result v0<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 if-eqz v0, :cond_22<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 const\/4 v0, 0x1<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 :goto_21<\/div>\n<div>\u00a0 \u00a0 return v0<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 :cond_22<\/div>\n<div>\u00a0 \u00a0 const\/4 v0, 0x0<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 goto :goto_21<\/div>\n<div>.end method<\/div>\n<div>================================================================<\/div>\n<\/div>\n<div><span style=\"font-family: Verdana; font-size: small;\"><span>\u5728\u8fd9\u6bb5\u4ee3\u7801\u7684\u5012\u65707,8\u884c\u201c:goto_21\u201d\u548c\u201creturn v0\u201d\u4e4b\u95f4\u52a0\u5165<\/span>\"const\/4 v0, 0x0\"<span>\u4e00\u884c.\u8fd9\u6837\uff0c\u5c31\u4f7f\u5f97v0\u8fd4\u56de\u7684\u503c\u6c38\u8fdc\u4e3a0x0\uff0c\u5373false\uff0c\u8fd9\u6837\u5c31\u8df3\u8fc7\u4e86WindowManagerService.java\u91cc\u5bf9isSystemSecure\u7684\u5224\u65ad\u3002<\/span><\/span><\/div>\n<div>.method private isSystemSecure()Z\u51fd\u6570\u6700\u540e\u53d8\u4e3a:<\/div>\n<div>\n<div>================================================================<\/div>\n<div>\n<div>\n<div>.method private isSystemSecure()Z<\/div>\n<div>\u00a0 \u00a0 .registers 4<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 .prologue<\/div>\n<div>\u00a0 \u00a0 .line 6276<\/div>\n<div>\u00a0 \u00a0 const-string v0, \"1\"<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 const-string v1, \"ro.secure\"<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 const-string v2, \"1\"<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 invoke-static {v1, v2}, Landroid\/os\/SystemProperties;-&gt;get(Ljava\/lang\/String;Ljava\/lang\/String;)Ljava\/lang\/String;<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 move-result-object v1<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 invoke-virtual {v0, v1}, Ljava\/lang\/String;-&gt;equals(Ljava\/lang\/Object;)Z<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 move-result v0<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 if-eqz v0, :cond_22<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 const-string v0, \"0\"<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 const-string v1, \"ro.debuggable\"<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 const-string v2, \"0\"<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 invoke-static {v1, v2}, Landroid\/os\/SystemProperties;-&gt;get(Ljava\/lang\/String;Ljava\/lang\/String;)Ljava\/lang\/String;<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 move-result-object v1<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 invoke-virtual {v0, v1}, Ljava\/lang\/String;-&gt;equals(Ljava\/lang\/Object;)Z<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 move-result v0<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 if-eqz v0, :cond_22<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 const\/4 v0, 0x1<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 :goto_21<\/div>\n<div>\u00a0 \u00a0<span style=\"color: #ff0000;\">\u00a0const\/4 v0, 0x0<\/span><\/div>\n<div>\u00a0 \u00a0 return v0<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 :cond_22<\/div>\n<div>\u00a0 \u00a0 const\/4 v0, 0x0<\/div>\n<div><\/div>\n<div>\u00a0 \u00a0 goto :goto_21<\/div>\n<div>.end method<\/div>\n<\/div>\n<div>=====================================================================================<\/div>\n<div><\/div>\n<div>7. \u73b0\u5728\u8fd0\u884csmali\uff0c\u91cd\u65b0\u7f16\u8bd1\uff1a<\/div>\n<div>java -jar\u00a0smali-1.4.2.jar -o classes.dex<\/div>\n<div>\u8fd9\u65f6\u5019\uff0c\u5e94\u8be5\u5728ANDROID_SDK_ROOT\u6587\u4ef6\u5939\u4e2d\u51fa\u73b0\u4e86classes.dex\u6587\u4ef6<\/div>\n<div><\/div>\n<div>8. \u4e0b\u8f7dwindows\u4e0b\u7684zip\u5de5\u5177\uff1a<\/div>\n<div><a href=\"https:\/\/dl.dropboxusercontent.com\/u\/5055823\/zip.exe\" target=\"_blank\" rel=\"nofollow\">https:\/\/dl.dropboxusercontent.com\/u\/5055823\/zip.exe<\/a><\/div>\n<div>\u5047\u8bbe\uff0c\u6211\u4e5f\u628azip.exe\u653e\u8fdb\u4e86ANDROID_SDK_ROOT\u6587\u4ef6\u5939<\/div>\n<div><\/div>\n<div>9.\u786e\u8ba4\u5f53\u524dcmd\u547d\u4ee4\u884c\u8fd0\u884c\u76ee\u5f55\u4e3aANDROID_SDK_ROOT,\u8fd0\u884c\uff1a<\/div>\n<div>zip.exe services_hacked.jar .\/classes.dex<\/div>\n<div>\u8fd9\u65f6\u5019\u5728ANDROID_SDK_ROOT\u6587\u4ef6\u5939\u4e0b\uff0c\u51fa\u73b0\u4e86\u6253\u5305\u597d\u7684services_hacked.jar<\/div>\n<div><\/div>\n<div>10.\u8fdb\u5165adb shell\uff0c\u8f93\u5165su\u83b7\u5f97ROOT\u6743\u9650<\/div>\n<div><\/div>\n<div>11.\u63a5\u7740\u8f93\u5165mount\uff0c\u67e5\u770b\u54ea\u4e2a\u5206\u533a\u6302\u8f7d\u4e86\/system,\u4f8b\u5982\u6211\u7684\u662f\uff1a<\/div>\n<div><img decoding=\"async\" alt=\"\" src=\"http:\/\/1874.img.pp.sohu.com.cn\/images\/blog\/2013\/2\/21\/1\/6\/c51683636_13dbc705f49g86_blog.png\" border=\"0\" \/><\/div>\n<div>\u00a0 \u63a5\u7740\uff0c\u8f93\u5165\u4ee5\u4e0b\u547d\u4ee4\u91cd\u65b0\u6302\u8f7d\/system\uff0c\u5e76\u66f4\u6539\/system\u6743\u9650\uff08\u8bf7\u5c06\u201c\/dev\/block\/mmcblk0p25\u201d\u66ff\u6362\u6210\u4f60\u7684\/system\u6302\u8f7d\u5206\u533a\uff09\uff1a<\/div>\n<div>\u00a0 \u00a0mount -o rw,remount -t yaffs2\u00a0\/dev\/block\/mmcblk0p25<\/div>\n<div>\u00a0 \u00a0chmod -R 777 \/system \u4f7f\u5f97\/system \u53ef\u4ee5\u88ab\u6211\u4eec\u4efb\u610f\u4fee\u6539<\/div>\n<div><\/div>\n<div>\u8fd9\u4e00\u6b65\u7684\u4f5c\u7528\uff0c\u4e3b\u8981\u662f\u4e3a\u4e86\u7b2c17\u6b65\u80fd\u591f\u5c06\/system\/framework\u91cc\u7684services.odex\u66ff\u6362\u6389\u3002\u8fd9\u4e00\u6b65\u82e5\u4e0d\u6210\u529f\uff0c\u5728\u7b2c17\u6b65\u7684\u65f6\u5019\u53ef\u80fd\u51fa\u73b0\u6743\u9650\u4e0d\u591f\uff0c\u65e0\u6cd5\u66ff\u6362\u7684\u9519\u8bef\uff08Read-Only File System\uff09<\/div>\n<div><\/div>\n<div>12.\u4e0b\u8f7ddexopt-wrapper\u6587\u4ef6<\/div>\n<div><a href=\"https:\/\/dl.dropboxusercontent.com\/u\/5055823\/dexopt-wrapper\" target=\"_blank\" rel=\"nofollow\">https:\/\/dl.dropboxusercontent.com\/u\/5055823\/dexopt-wrapper<\/a><\/div>\n<div>\u6211\u4eec\u4e5f\u5c06dexopt-wrapper\u6587\u4ef6\u653e\u5728ANDROID_SDK_ROOT\u6587\u4ef6\u5939\u4e2d<\/div>\n<div><\/div>\n<div>13.\u5c06services_hacked.jar\u548cdexopt-wrapper\u590d\u5236\u5230\u624b\u673a\u7684\/data\/local\/tmp\u6587\u4ef6\u5939\u4e2d<\/div>\n<div>adb push ANDROID_SDK_ROOT\/services_hacked.jar \/data\/local\/tmp<\/div>\n<div>adb push ANDROID_SDK_ROOT\/dexopt-wrapper \/data\/local\/tmp<\/div>\n<\/div>\n<div><\/div>\n<div>14.\u8fdb\u5165adb shell\uff0c\u8f93\u5165su\u540e\uff0c\u5c06dexopt-wrapper\u7684\u6743\u9650\u6539\u4e3a777<\/div>\n<div>chmod 777 \/data\/local\/tmp\/dexopt-wrapper<\/div>\n<div><\/div>\n<div>15.\u5728adb shell\u4e2dcd\u5230\/data\/local\/tmp\u6587\u4ef6\u5939\u4e0b\uff0c\u8fd0\u884c\uff1a<\/div>\n<div>.\/dexopt-wrapper .\/services_hacked.jar .\/services_hacked.odex &lt;\u672c\u5e16\u7b2c\u4e09\u6b65\u5b58\u7684\u5730\u5740\uff0c\u4f46\u662f\u8981\u5220\u9664\u5176\u4e2d\u7684\":\/system\/framework\/services.jar\"&gt;<\/div>\n<div>\u8fd9\u4e00\u6b65\u5c31\u662f\u5c06\u7b2c\u4e03\u90e8\u751f\u6210dex\u6587\u4ef6\u6700\u7ec8\u4f18\u5316\u6210\u4e86odex\u6587\u4ef6\u3002<\/div>\n<div>===================================================================================================<\/div>\n<div>\u4f8b\u5982\u6211\u7684\u547d\u4ee4\u662f\uff1a.\/dexopt-wrapper .\/services_hacked.jar .\/services_hacked.odex \/system\/framework\/core.jar:\/system\/framework\/core-junit.jar:\/system\/framework\/bouncycastle.jar:\/system\/framework\/ext.jar:\/system\/framework\/<\/div>\n<div>framework.jar:\/system\/framework\/framework2.jar:\/system\/framework\/android.policy.jar:\/system\/<\/div>\n<div>framework\/apache-xml.jar:\/system\/framework\/HTCDev.jar:\/system\/framework\/HTCExtension.jar:\/system\/<\/div>\n<div>framework\/filterfw.jar:\/system\/framework\/com.htc.android.bluetooth.jar:\/system\/framework\/wimax.jar:<\/div>\n<div>\/system\/framework\/usbnet.jar:\/system\/framework\/com.orange.authentication.simcard.jar<\/div>\n<div>===================================================================================================<\/div>\n<div><\/div>\n<div>\u8fd9\u6837\uff0c\u4fbf\u5728\/data\/local\/tmp\u6587\u4ef6\u5939\u4e2d\u751f\u6210\u4e86\u6211\u4eec\u81ea\u5df1\u7684odex\uff1aservices_hacked.odex<\/div>\n<div><img decoding=\"async\" alt=\"\" src=\"http:\/\/1852.img.pp.sohu.com.cn\/images\/blog\/2013\/2\/21\/8\/8\/c51683636_13dbe0dd42eg2_blog.png\" border=\"0\" \/><\/div>\n<div><\/div>\n<div>16.\u7ed9\u6211\u4eec\u81ea\u5df1\u751f\u6210\u7684services_hacked.odex\u7b7e\u540d\uff1a<\/div>\n<div>busybox dd if=\/system\/framework\/services.odex of=\/data\/local\/tmp\/services_hacked.odex bs=1 count=20 skip=52 seek=52 conv=notrunc<\/div>\n<\/div>\n<div><span style=\"font-family: Verdana; font-size: small;\">\u53c2\u6570\u89e3\u91ca\uff1a<\/span><\/div>\n<div>\n<div>if = input file<\/div>\n<div>of = output file<\/div>\n<div>bs = block size (1 byte)<\/div>\n<div>count = number of blocks<\/div>\n<div>skip = input file offset<\/div>\n<div>seek = output file offset<\/div>\n<div>conv=notrunc \u2013 don\u2019t truncate the output file.<\/div>\n<div><\/div>\n<div>17.\u5c06\/system\/framework\u91cc\u7684services.odex\u66ff\u6362\u6210\u6211\u4eec\u81ea\u5df1\u5236\u4f5c\u7684services_hacked.odex\u5427\uff01<\/div>\n<div>dd if=\/data\/local\/tmp\/services_hacked.odex of=\/system\/framework\/services.odex<\/div>\n<\/div>\n<div><span style=\"font-size: small;\">\u8fd9\u4e00\u6b65\u8fd0\u884c\u540e\uff0c\u8fc7\u4e00\u5c0f\u4f1a\u513f<\/span>(1\u5206\u949f\u4ee5\u5185)\u624b\u673a\u5c31\u81ea\u52a8\u91cd\u542f\u4e86\uff01\u7a0d\u7b49\u7247\u523b\u5427\uff01<\/div>\n<div><span style=\"font-size: small;\">\u00a0<\/span><\/div>\n<div><span style=\"font-size: small;\">18.\u6210\u529f\u91cd\u542f\u540e\uff0c\u7528\u4ee5\u4e0b\u547d\u4ee4\u6253\u5f00View Server\uff1a<\/span><\/div>\n<div>adb shell service call window 1 i32 4939<\/div>\n<div>\u7528\u4ee5\u4e0b\u547d\u4ee4\u67e5\u770bView Server\u662f\u5426\u6253\u5f00\uff1a<\/div>\n<div><span style=\"font-size: small;\">adb shell service call window 3<\/span><\/div>\n<div><span style=\"font-size: small;\">\u8fd4\u56de\u7684\u503c\u82e5\u662f<\/span><span style=\"font-size: small;\">Result: Parcel(00000000 00000001 \u00a0 '........'),\u90a3\u4e48\u4f60\u5c31\u8d77\u4e86\uff01<\/span><\/div>\n<div><\/div>\n<div>\u539f\u6587\u94fe\u63a5\uff1a<a href=\"http:\/\/maider.blog.sohu.com\/255448342.html\">http:\/\/maider.blog.sohu.com\/255448342.html<\/a><\/div>\n","protected":false},"excerpt":{"rendered":"<p>\u5173\u4e8e\u4ec0\u4e48\u662fHierarchy Viewer\uff0c\u8bf7\u67e5\u770b\u5b98\u65b9\u6587\u6863\uff1ahttp:\/\/developer.android.com\/tools\/debugging\/debugging-ui.html\u3002\u4e2a\u4eba\u7406\u89e3\uff1aHi&#46;&#46;&#46;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"pgc_sgb_lightbox_settings":"","footnotes":""},"categories":[34],"tags":[43,8,7,42,13],"class_list":["post-853","post","type-post","status-publish","format-standard","hentry","category-software","tag-android","tag-java","tag-7","tag-42","tag-13"],"views":3680,"_links":{"self":[{"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=\/wp\/v2\/posts\/853","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=853"}],"version-history":[{"count":1,"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=\/wp\/v2\/posts\/853\/revisions"}],"predecessor-version":[{"id":854,"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=\/wp\/v2\/posts\/853\/revisions\/854"}],"wp:attachment":[{"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=853"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=853"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=853"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}