
I want to delete the 580th and 581st lines in the Java code below. This file is in system/framework/services.jar on Android devices, so the steps I did are:

  1. decompile jar to smali

  2. change the smali file

  3. recompile the smali file to dex file

  4. pack it into services.jar.

  5. push services.jar into android mobile phone

The question is about step 2: how to change the smali file. I tried to delete :line580 and the code below it, but it doesn't work: when compiling, a NullPointerException was thrown, and I can see /error/ in the jd-gui tool. Could somebody please give me some advice? I'm totally new to smali. Thanks in advance.

The java code is:

568    public void registerUiTestAutomationService(IBinder owner,
569            IAccessibilityServiceClient serviceClient,
570            AccessibilityServiceInfo accessibilityServiceInfo) {
571            mSecurityPolicy.enforceCallingPermission(Manifest.permission.RETRIEVE_WINDOW_CONTENT,
572                FUNCTION_REGISTER_UI_TEST_AUTOMATION_SERVICE);
573
574        accessibilityServiceInfo.setComponentName(sFakeAccessibilityServiceComponentName);
575
576        synchronized (mLock) {
577            UserState userState = getCurrentUserStateLocked();
578
579            if (userState.mUiAutomationService != null) {
580                throw new IllegalStateException("UiAutomationService " + serviceClient
581                        + "already registered!");
582            }
583
584            try {
585                owner.linkToDeath(userState.mUiAutomationSerivceOnwerDeathRecipient, 0);
586            } catch (RemoteException re) {
587                Slog.e(LOG_TAG, "Couldn't register for the death of a"
588                        + " UiTestAutomationService!", re);
589                return;
590            }
591
592            userState.mUiAutomationServiceOwner = owner;
593            userState.mUiAutomationServiceClient = serviceClient;
594
595            // Set the temporary state.
596            userState.mIsAccessibilityEnabled = true;
597            userState.mIsTouchExplorationEnabled = false;
598            userState.mIsEnhancedWebAccessibilityEnabled = false;
599            userState.mIsDisplayMagnificationEnabled = false;
600            userState.mInstalledServices.add(accessibilityServiceInfo);
601            userState.mEnabledServices.clear();
602            userState.mEnabledServices.add(sFakeAccessibilityServiceComponentName);
603            userState.mTouchExplorationGrantedServices.add(sFakeAccessibilityServiceComponentName);
604
605            // Use the new state instead of settings.
606            onUserStateChangedLocked(userState);
607        }
608    }

The smali code after decompiling:

.line 579
.local v1, "userState":Lcom/android/server/accessibility/AccessibilityManagerService$UserState;
# getter for: Lcom/android/server/accessibility/AccessibilityManagerService$UserState;->mUiAutomationService:Lcom/android/server/accessibility/AccessibilityManagerService$Service;
invoke-static {v1}, Lcom/android/server/accessibility/AccessibilityManagerService$UserState;->access$300(Lcom/android/server/accessibility/AccessibilityManagerService$UserState;)Lcom/android/server/accessibility/AccessibilityManagerService$Service;

move-result-object v2

if-eqz v2, :cond_3d

.line 580
new-instance v2, Ljava/lang/IllegalStateException;

new-instance v4, Ljava/lang/StringBuilder;

invoke-direct {v4}, Ljava/lang/StringBuilder;-><init>()V

const-string v5, "UiAutomationService "

invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

move-result-object v4

invoke-virtual {v4, p2}, Ljava/lang/StringBuilder;->append(Ljava/lang/Object;)Ljava/lang/StringBuilder;

move-result-object v4

const-string v5, "already registered!"

invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

move-result-object v4

invoke-virtual {v4}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

move-result-object v4

invoke-direct {v2, v4}, Ljava/lang/IllegalStateException;-><init>(Ljava/lang/String;)V

throw v2

.line 607
.end local v1    # "userState":Lcom/android/server/accessibility/AccessibilityManagerService$UserState;
:catchall_3a
move-exception v2

monitor-exit v3
:try_end_3c
.catchall {:try_start_11 .. :try_end_3c} :catchall_3a

throw v2

.line 585
.restart local v1    # "userState":Lcom/android/server/accessibility/AccessibilityManagerService$UserState;
:cond_3d
:try_start_3d
# getter for: Lcom/android/server/accessibility/AccessibilityManagerService$UserState;->mUiAutomationSerivceOnwerDeathRecipient:Landroid/os/IBinder$DeathRecipient;
invoke-static {v1}, Lcom/android/server/accessibility/AccessibilityManagerService$UserState;->access$1200(Lcom/android/server/accessibility/AccessibilityManagerService$UserState;)Landroid/os/IBinder$DeathRecipient;

move-result-object v2

const/4 v4, 0x0

invoke-interface {p1, v2, v4}, Landroid/os/IBinder;->linkToDeath(Landroid/os/IBinder$DeathRecipient;I)V
:try_end_45
.catch Landroid/os/RemoteException; {:try_start_3d .. :try_end_45} :catch_74
.catchall {:try_start_3d .. :try_end_45} :catchall_3a

ChrisLv

1 Answer


Try to remove:

.line 580
new-instance v2, Ljava/lang/IllegalStateException;

new-instance v4, Ljava/lang/StringBuilder;

invoke-direct {v4}, Ljava/lang/StringBuilder;-><init>()V

const-string v5, "UiAutomationService "

invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

move-result-object v4

invoke-virtual {v4, p2}, Ljava/lang/StringBuilder;->append(Ljava/lang/Object;)Ljava/lang/StringBuilder;

move-result-object v4

const-string v5, "already registered!"

invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

move-result-object v4

invoke-virtual {v4}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

move-result-object v4

invoke-direct {v2, v4}, Ljava/lang/IllegalStateException;-><init>(Ljava/lang/String;)V

throw v2

I am not sure, but AFAIK this should remove lines 580 and 581. Please try it and let me know.

Kalpesh Patel
  • I've tried, and this time I deleted :line 579 and :line 580 in the smali code. After compiling, I checked the code with jd-gui and got the error below.
    /* Error */ public void registerUiTestAutomationService(IBinder paramIBinder, IAccessibilityServiceClient paramIAccessibilityServiceClient, AccessibilityServiceInfo paramAccessibilityServiceInfo) { // Exception table: // from to target type // 28 33 36 finally // 36 37 36 finally // 39 42 36 finally }
    – ChrisLv Aug 26 '14 at 10:02
  • Try `.line 580` `nop` – Kalpesh Patel Aug 26 '14 at 10:16
  • Still got an error =.= "// Exception table: // from to target type // 28 42 45 finally // 45 46 45 finally // 48 51 45 finally // 54 66 45 finally // 66 163 45 finally // 166 180 45 finally // 54 66 164 android/os/RemoteException". Is there any other way to fix it? – ChrisLv Aug 26 '14 at 12:14
  • Extract the source code from the jar using JD-GUI, then remove the desired line, compile it, make a jar file of it, and then make smali files of it. Now compare the original smali with the new smali. You will get a solution/clue. – Kalpesh Patel Aug 26 '14 at 13:18
  • That's a good idea, but actually there are many dependencies needed and I don't have the source code, so I can't compile it... Any other way? – ChrisLv Aug 27 '14 at 02:11
  • Sorry, I also don't have much knowledge about smali. But you can do one thing: make a simple class with a similar structure, i.e. checking for nullness of a file and throwing an exception in that condition, with a try/catch block after the if condition, and try to make smali of it. It will look similar. Now make another class with the same structure but without the throws statement and make smali of it, and check the difference. – Kalpesh Patel Aug 28 '14 at 08:01
  • http://androidcracking.blogspot.in/2011/01/example-structuressmali.html Check this page. They have some good smali reference. – Kalpesh Patel Aug 28 '14 at 08:03
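
A structural check for hand-edited smali, given here as an added example (not code from the question or the answer): it reports branch and `.catch`/`.catchall` operands that name a label no longer defined in the method, and try ranges whose end does not come after their start. The two fragments are constructed, trimmed from the method quoted in the question (`:try_start_11` and `:catch_74` are placed by assumption, since the excerpt does not show them); switch payloads are not handled.

```python
import re

# Instructions and directives whose operands name labels (switch payloads not handled).
REF_OPS = re.compile(r"^(if-\w+|goto(/\d+)?|\.catch(all)?)\b")
LABEL = re.compile(r":(\w+)")

def lint_method(smali):
    """Return a list of label problems found in one smali method body."""
    defined, refs, ranges = {}, [], []
    for n, raw in enumerate(smali.splitlines(), 1):
        line = raw.strip()
        if re.fullmatch(r":\w+", line):              # label definition, e.g. :cond_3d
            defined[line[1:]] = n
        elif REF_OPS.match(line):
            labels = LABEL.findall(line)
            refs += [(n, name) for name in labels]
            if line.startswith(".catch") and len(labels) == 3:
                ranges.append((n, labels[0], labels[1]))   # {:start .. :end} :handler
    problems = [f"line {n}: :{name} is referenced but not defined"
                for n, name in refs if name not in defined]
    for n, start, end in ranges:
        if start in defined and end in defined and defined[start] >= defined[end]:
            problems.append(f"line {n}: try range :{start} .. :{end} is empty or reversed")
    return problems

# Constructed fragments, trimmed from the method quoted in the question.
HEAD = """monitor-enter v3
:try_start_11
if-eqz v2, :cond_3d
"""
GUARD = """new-instance v2, Ljava/lang/IllegalStateException;
throw v2
"""
HANDLER = """:catchall_3a
move-exception v2
monitor-exit v3
:try_end_3c
.catchall {:try_start_11 .. :try_end_3c} :catchall_3a
throw v2
"""
TAIL = """:cond_3d
:try_start_3d
invoke-interface {p1, v2, v4}, Landroid/os/IBinder;->linkToDeath(Landroid/os/IBinder$DeathRecipient;I)V
:try_end_45
.catch Landroid/os/RemoteException; {:try_start_3d .. :try_end_45} :catch_74
.catchall {:try_start_3d .. :try_end_45} :catchall_3a
return-void
:catch_74
move-exception v0
return-void
"""
INTACT = HEAD + GUARD + HANDLER + TAIL
OVERCUT = HEAD + TAIL   # a cut that ran past `throw v2` and took the shared handler with it
```

Labels are defined once per method, so the check is meant to be run on one `.method` ... `.end method` body at a time; a clean result says only that the labels resolve, not that the edited method passes the runtime verifier.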