1. Compile to a class file
javac ./com/wzh/pswcrack/LockTest.java
2. Convert to dex
Separate multiple class files with spaces
/Users/wzh/Library/Android/sdk/build-tools/29.0.3/dx --dex --output=./LockTest.dex ./com/wzh/pswcrack/LockTest.class ./com/wzh/pswcrack/Reflect.class ./com/wzh/pswcrack/Reflect\$1.class ./com/wzh/pswcrack/Reflect\$NULL.class ./com/wzh/pswcrack/Reflect\$ReflectException.class
3. Push to the phone
adb push ./src/main/java/LockTest.dex /data/local/tmp
4. Run the LockTest.main method
adb shell
cd /data/local/tmp
app_process64 -Djava.class.path=LockTest.dex /data/local/tmp com.wzh.pswcrack.LockTest
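Notes:
There is no Android environment at compile time, so Android methods have to be called through reflection; at run time the environment is Android.
The program ends up running as the shell user, whose uid is 2000. Privileges: root > systemApp > shell > application.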
android.os.Process.java
/**
* Defines the root UID.
*/
public static final int ROOT_UID = 0;
/**
* Defines the UID/GID under which system code runs.
*/
public static final int SYSTEM_UID = 1000;
/**
* Defines the UID/GID under which the telephony code runs.
*/
public static final int PHONE_UID = 1001;
/**
* Defines the UID/GID for the user shell.
*/
public static final int SHELL_UID = 2000;
…………
// UID of apps
public static final int FIRST_APPLICATION_UID = 10000;
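
Added example (not from the original note or its project): a small class written the same way as LockTest, reaching android.os.Process.myUid() through reflection so that it compiles with plain javac, then reporting which of the UID ranges above the process falls into. The class name UidCheck and the per-user range of 100000 are assumptions that do not appear on the page.

```java
import java.lang.reflect.Method;

// Hypothetical class name; not part of the original project.
public class UidCheck {
    // Values copied from the android.os.Process excerpt above.
    static final int ROOT_UID = 0;
    static final int SYSTEM_UID = 1000;
    static final int PHONE_UID = 1001;
    static final int SHELL_UID = 2000;
    static final int FIRST_APPLICATION_UID = 10000;
    // Assumption: Android reserves 100000 UIDs per device user,
    // so the app id is the UID modulo this range.
    static final int PER_USER_RANGE = 100000;

    // Map a UID to the privilege tier named in the note.
    static String describe(int uid) {
        int appId = uid % PER_USER_RANGE;
        if (appId == ROOT_UID) return "root";
        if (appId == SYSTEM_UID) return "system";
        if (appId == PHONE_UID) return "phone";
        if (appId == SHELL_UID) return "shell";
        if (appId >= FIRST_APPLICATION_UID) return "application";
        return "other reserved UID";
    }

    public static void main(String[] args) {
        try {
            // Resolved at run time only: javac never needs android.jar.
            Class<?> process = Class.forName("android.os.Process");
            Method myUid = process.getMethod("myUid");
            int uid = (Integer) myUid.invoke(null); // static method, no receiver
            System.out.println("uid=" + uid + " (" + describe(uid) + ")");
        } catch (ClassNotFoundException e) {
            // Happens on a desktop JVM, where the Android framework is absent.
            System.out.println("android.os.Process not found: not an Android runtime");
        } catch (ReflectiveOperationException e) {
            System.out.println("reflective call failed: " + e);
        }
    }
}
```

Built and launched with steps 1 to 4 from an adb shell, it should report uid 2000, matching the note above.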