int connectToFacebook(char* email, char* password) { // We connect to facebook main page because we are interested in the cookies the server will send us. // The cookies are written in the 'cookies' file. if (exec_and_wait("curl -D ../test/cookies --user-agent \"Mozilla/4.0\" http://www.facebook.com/ -o ../test/facebook.html")) return 0; // We send the user and the password and save the new set of cookies in 'cookies_auth'. char cmd[1024]; sprintf(cmd, "curl -D ../test/cookies_auth -b ../test/cookies -d \"email=%s&pass=%s\" --insecure --user-agent \"Mozilla/4.0\" https://login.facebook.com/login.php?login_attempt=1 -o ../test/facebook.html", email, password); if (exec_and_wait(cmd)) return 0; return 1; }
int hijack_umount(const char * hijack_exec, const char * mount_point) { char * umount_args[5]; umount_args[0] = strdup(hijack_exec); umount_args[1] = strdup("umount"); umount_args[2] = strdup("-l"); umount_args[3] = strdup(mount_point); umount_args[4] = NULL; return exec_and_wait(umount_args); }
int hijack_mount(const char * hijack_exec, const char * dev, const char * mount_point) { char * mount_args[5]; mount_args[0] = strdup(hijack_exec); mount_args[1] = strdup("mount"); mount_args[2] = strdup(dev); mount_args[3] = strdup(mount_point); mount_args[4] = NULL; return exec_and_wait(mount_args); }
int remount_system(const char * hijack_exec, int rw) { char * remount_root_args[5]; remount_root_args[0] = strdup(hijack_exec); remount_root_args[1] = strdup("mount"); if (rw > 0) { remount_root_args[2] = strdup("-orw,remount"); } else { remount_root_args[2] = strdup("-oro,remount"); } remount_root_args[3] = strdup("/system"); remount_root_args[4] = NULL; return exec_and_wait(remount_root_args); }
// Tries to get the list of friends for a given id. // We rely on the 'curl' tool being properly installed and accessible. int get_friends_list(char* id, fb_account** friends) { char cmd[1024]; // Prepare the final request: the list of friends. sprintf(cmd, "curl -b ../test/cookies_auth --user-agent \"Mozilla/4.0\" http://www.facebook.com/friends/?id=%s -o ../test/friendslist.html", id); // Make the request. if (exec_and_wait(cmd)) return 0; // We don't know how many friends there are so we allocate memory for a maximum of 2000 friends fb_account *accounts = (fb_account*) malloc(sizeof(fb_account) * 2000); int n_accounts = identify_accounts("../test/friendslist.html", accounts); // Free unnecessary memory accounts = (fb_account*)realloc(accounts, sizeof(fb_account) * n_accounts); // Set the return value for the accounts and return the number *friends = accounts; return n_accounts; }
int main(int argc, char ** argv) { char * hijacked_executable = argv[0]; struct stat info; int result = 0; int i; if (NULL != strstr(hijacked_executable, "hijack")) { if (argc >= 2) { return busybox_driver(argc - 1, argv + 1); } return 0; } if ( 0 == stat(RECOVERY_MODE_FILE, &info)) result = remove(RECOVERY_MODE_FILE); result = remount_root("/system/bin/hijack", 1); result = mkdir("/preinstall", S_IRWXU); result = mkdir("/tmp", S_IRWXU); result = mkdir("/res", S_IRWXU); result = mkdir("/res/images", S_IRWXU); result = remove("/etc"); result = mkdir("/etc", S_IRWXU); result = rename("/sbin/adbd", "/sbin/adbd.old"); result = property_set("ctl.stop", "runtime"); result = property_set("ctl.stop", "zygote"); result = property_set("persist.service.adb.enable", "1"); printf("mountting cache and mount preinstall"); result = hijack_mount("/system/bin/hijack", "/dev/block/mmcblk0p15", "/cache"); result = hijack_mount("/system/bin/hijack", "/dev/block/mmcblk0p17", "/preinstall"); result = hijack_umount("/preinstall/hijack", "/pds"); result = hijack_umount("/preinstall/hijack", "/osh"); result = remount_system("/preinstall/hijack", 1); char * updater_args[] = { UPDATE_BINARY, "2", "0", RECOVERY_UPDATE_ZIP, NULL }; result = exec_and_wait(updater_args); return result; }
int main(int argc, char** argv) { char* hijacked_executable = argv[0]; struct stat info; if (NULL != strstr(hijacked_executable, "hijack")) { // no op if (argc >= 2) { if (strcmp("sh", argv[1]) == 0) { return ash_main(argc - 1, argv + 1); } if (strcmp("mount", argv[1]) == 0) { return mount_main(argc - 1, argv + 1); } if (strcmp("umount", argv[1]) == 0) { return umount_main(argc - 1, argv + 1); } } return 0; } // check to see if hijack was already run, and if so, just continue on. if (argc >= 3 && 0 == strcmp(argv[2], "preinstall")) { if (0 == stat(RECOVERY_MODE_FILE, &info)) { // don't boot into recovery again remove(RECOVERY_MODE_FILE); remount_root(); mkdir("/tmp", S_IRWXU); mkdir("/res", S_IRWXU); mkdir("/res/images", S_IRWXU); remove("/etc"); mkdir("/etc", S_IRWXU); rename("/sbin/adbd", "/sbin/adbd.old"); property_set("ctl.stop", "runtime"); property_set("ctl.stop", "zygote"); property_set("persist.service.adb.enable", "1"); // this will prevent hijack from being called again char* umount_args[] = { "/system/bin/hijack", "umount", "-l", "/system", NULL }; exec_and_wait(umount_args); char* updater_args[] = { UPDATE_BINARY, "2", "0", UPDATE_PACKAGE, NULL }; return exec_and_wait(updater_args); } // mark it in case we don't boot mark_file(RECOVERY_MODE_FILE); } char real_executable[PATH_MAX]; sprintf(real_executable, "%s.bin", hijacked_executable); string* argp = (string*)malloc(sizeof(string) * (argc + 1)); int i; for (i = 0; i < argc; i++) { argp[i]=argv[i]; } argp[argc] = NULL; argp[0] = real_executable; // should clean up memory leaks, but it really doesn't matter since the process immediately exits. return exec_and_wait(argp); }
void remount_root() { char* remount_root_args[] = { "/system/bin/hijack", "mount", "-orw,remount", "/", NULL }; exec_and_wait(remount_root_args); }