#include "utils.h"
/*
 * The interface descriptor "android.os.IServiceManager" spelled out as
 * 16-bit code units, one ASCII character per element (26 elements).
 * There is no terminating NUL: take the length from sizeof, never by
 * scanning for a terminator.
 */
const uint16_t svcmgr_id[] = {
    'a', 'n', 'd', 'r', 'o', 'i', 'd', '.',
    'o', 's', '.',
    'I', 'S', 'e', 'r', 'v', 'i', 'c', 'e',
    'M', 'a', 'n', 'a', 'g', 'e', 'r',
};
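/**
 * Print a string of 16-bit code units to stdout as one line.
 *
 * Only printable ASCII (0x20..0x7E) is written as-is. Every other code
 * unit -- non-ASCII characters and also control characters such as ESC,
 * NUL or DEL -- is shown as '?'. Strings handed over by another process
 * are untrusted; echoing their control bytes raw would let them emit
 * terminal control sequences into the operator's console or log.
 *
 * @param str16 Code units to print; NULL prints "(null)".
 * @param len   Number of code units in str16 (elements, not bytes).
 */
void print_binder_string16(const uint16_t *str16, size_t len)
{
    if (str16 == NULL) {
        printf("(null)\n");
        return;
    }

    for (size_t i = 0; i < len; i++) {
        const uint16_t unit = str16[i];
        const int printable = (unit >= 0x20 && unit <= 0x7E);

        /* Anything outside printable ASCII is replaced by a question mark. */
        putchar(printable ? (int)unit : '?');
    }
    putchar('\n');
}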
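/**
 * Walk a buffer of binder return commands (BR_*), print each command's
 * name and step over its payload. Payload contents are not interpreted.
 *
 * Each record is a 32-bit command word followed by a payload whose size
 * depends on the command.
 *
 * Bounds handling:
 *  - the command word is only read when at least four bytes remain, so a
 *    truncated tail is never read past the end of the buffer;
 *  - the word is loaded with memcpy, which makes no alignment or aliasing
 *    assumption about rbuffer;
 *  - BR_TRANSACTION_SEC_CTX is skipped by the size of
 *    struct binder_transaction_data_secctx (transaction data plus the
 *    trailing secctx field); stepping over only the transaction data would
 *    leave the cursor inside the record and mis-parse the secctx bytes as
 *    the next command;
 *  - a transaction that ends exactly at the end of the buffer is accepted
 *    (">=" rather than ">"), matching the BR_REPLY check.
 *
 * @param rbuffer Start of the buffer to parse (presumably the read buffer
 *                filled in by the binder driver -- confirm against caller).
 *                NULL yields 0.
 * @param rsize   Number of valid bytes in rbuffer.
 * @return The last command word seen, or 0 if no complete command word
 *         was present. An unrecognised command is printed and returned at
 *         once, since its payload size is unknown and the remainder of the
 *         stream cannot be walked reliably.
 */
uint32_t binder_parse_log(
    BYTE* rbuffer,
    size_t rsize
){
    const unsigned char *base = (const unsigned char *)rbuffer;
    uint32_t result = 0;
    size_t off = 0;

    if (base == NULL) {
        return result;
    }

    while (off < rsize) {
        uint32_t cmd;

        /* Fewer than four bytes left: not a complete command word. */
        if ((rsize - off) < sizeof(cmd)) {
            break;
        }
        memcpy(&cmd, base + off, sizeof(cmd));
        off += sizeof(cmd); /* off <= rsize still holds here */

        switch (cmd) {
        case BR_NOOP:
            puts("BR_NOOP");
            result = cmd;
            break;
        case BR_TRANSACTION_COMPLETE:
            puts("BR_TRANSACTION_COMPLETE");
            result = cmd;
            break;
        /*
         * The four reference-count commands carry a binder_ptr_cookie.
         * Nothing is read from it; if the payload is truncated, off moves
         * past rsize and the loop simply ends.
         */
        case BR_INCREFS:
            puts("BR_INCREFS");
            off += sizeof(struct binder_ptr_cookie);
            result = cmd;
            break;
        case BR_ACQUIRE:
            puts("BR_ACQUIRE");
            off += sizeof(struct binder_ptr_cookie);
            result = cmd;
            break;
        case BR_RELEASE:
            puts("BR_RELEASE");
            off += sizeof(struct binder_ptr_cookie);
            result = cmd;
            break;
        case BR_DECREFS:
            puts("BR_DECREFS");
            off += sizeof(struct binder_ptr_cookie);
            result = cmd;
            break;
        case BR_TRANSACTION_SEC_CTX:
            /* Same label as the plain transaction, as before. */
            puts("BR_TRANSACTION");
            CHECK(
                (rsize - off) >=
                sizeof(struct binder_transaction_data_secctx));
            off += sizeof(struct binder_transaction_data_secctx);
            result = cmd;
            break;
        case BR_TRANSACTION:
            puts("BR_TRANSACTION");
            CHECK(
                (rsize - off) >=
                sizeof(struct binder_transaction_data));
            off += sizeof(struct binder_transaction_data);
            result = cmd;
            break;
        case BR_REPLY:
            puts("BR_REPLY");
            result = cmd;
            CHECK(
                (rsize - off) >=
                sizeof(struct binder_transaction_data));
            off += sizeof(struct binder_transaction_data);
            break;
        case BR_FAILED_REPLY:
            puts("BR_FAILED_REPLY");
            result = cmd;
            break;
        case BR_DEAD_BINDER:
            puts("BR_DEAD_BINDER");
            result = cmd;
            CHECK(
                (rsize - off) >= sizeof(binder_uintptr_t));
            off += sizeof(binder_uintptr_t);
            break;
        case BR_DEAD_REPLY:
            puts("BR_DEAD_REPLY");
            result = cmd;
            break;
        case BR_ONEWAY_SPAM_SUSPECT:
            puts("BR_ONEWAY_SPAM_SUSPECT");
            result = cmd;
            break;
        case BR_SPAWN_LOOPER:
            puts("BR_SPAWN_LOOPER");
            result = cmd;
            break;
        default:
            /* Unknown payload size: stop instead of guessing. */
            printf("default: %x\n", cmd);
            return cmd;
        }
    }
    return result;
}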
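/**
 * Start a thread with default attributes that runs func(args).
 *
 * @param func Thread entry point.
 * @param args Opaque argument passed to func.
 * @return The new thread's id, or 0 when the thread could not be created.
 *         Using 0 as the failure value assumes pthread_t is an arithmetic
 *         type on the target platform.
 */
pthread_t create_thread(PTHREAD_FUNC func, void* args){
    pthread_t tpid = 0;

    /*
     * pthread_create() returns 0 on success and a positive error number on
     * failure; it never returns -1, so comparing against -1 would treat
     * every failure as success and hand back an unusable id.
     */
    if (pthread_create(&tpid, NULL, func, args) != 0) {
        return 0;
    }
    return tpid;
}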
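/**
 * Dump a buffer to stdout as space-separated 32-bit words in hexadecimal.
 *
 * Words are read in host byte order. Only whole words are printed: the
 * trailing len % 4 bytes, if any, are not shown. The dump ends with
 * puts("\n"), i.e. the current line is closed and one blank line follows.
 *
 * @param buffer Bytes to dump; NULL prints only the trailing blank line.
 * @param len    Number of valid bytes in buffer.
 */
void print_hex(BYTE* buffer, size_t len){
    const unsigned char *bytes = (const unsigned char *)buffer;
    const size_t words = len / sizeof(uint32_t);

    if (bytes != NULL) {
        for (size_t i = 0; i < words; i++) {
            uint32_t word;

            /*
             * Copy each word out instead of casting the buffer to
             * uint32_t*: the buffer need not be 4-byte aligned, and the
             * cast would also break the aliasing rules.
             */
            memcpy(&word, bytes + i * sizeof(word), sizeof(word));
            printf("%x ", word);
        }
    }
    puts("\n");
}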
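/**
 * Block the calling thread for roughly the given number of milliseconds.
 *
 * The delay is split into whole seconds (sleep) and a sub-second rest
 * (usleep). Multiplying the full value by 1000 would wrap around for
 * large arguments, and usleep() is allowed to reject intervals of one
 * second or more; the split keeps the usleep() argument below 1,000,000.
 * As with any sleep call, a signal can end the wait early.
 *
 * @param milliseconds Delay in milliseconds; 0 returns immediately.
 */
void delay_ms(unsigned int milliseconds) {
    const unsigned int whole_seconds = milliseconds / 1000;
    const unsigned int leftover_ms = milliseconds % 1000;

    if (whole_seconds > 0) {
        sleep(whole_seconds);
    }
    if (leftover_ms > 0) {
        usleep(leftover_ms * 1000); /* 1 ms = 1000 us; always < 1,000,000 */
    }
}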
/*
 * Empty placeholder: the body performs no work and none of the parameters
 * is read. The casts below only mark the parameters as intentionally
 * unused.
 */
void heap_spray(size_t num, size_t count, const void* src)
{
    (void)num;
    (void)count;
    (void)src;
}