2023-11-20 07:42:21 +08:00
|
|
|
#include <android/log.h>
|
|
|
|
|
#include <sys/system_properties.h>
|
|
|
|
|
#include <unistd.h>
|
|
|
|
|
|
|
|
|
|
#include "zygisk.hpp"
|
2023-11-26 17:51:22 +08:00
|
|
|
#include "shadowhook.h"
|
2023-11-26 00:31:37 +08:00
|
|
|
#include "json.hpp"
|
2023-11-20 07:42:21 +08:00
|
|
|
|
2023-11-26 17:51:22 +08:00
|
|
|
#define LOGD(...) __android_log_print(ANDROID_LOG_DEBUG, "PIF/Native", __VA_ARGS__)
|
|
|
|
|
|
2023-11-26 00:31:37 +08:00
|
|
|
#define DEX_FILE_PATH "/data/adb/modules/playintegrityfix/classes.dex"
|
|
|
|
|
|
2023-11-27 00:02:51 +08:00
|
|
|
#define JSON_FILE_PATH "/data/adb/modules/playintegrityfix/pif.json"
|
2023-11-30 20:17:15 +08:00
|
|
|
|
2023-11-29 23:19:43 +08:00
|
|
|
#define CUSTOM_JSON_FILE_PATH "/data/adb/modules/playintegrityfix/custom.pif.json"
|
2023-11-20 07:42:21 +08:00
|
|
|
|
2023-11-26 00:31:37 +08:00
|
|
|
static std::string FIRST_API_LEVEL, SECURITY_PATCH;
|
2023-11-24 03:14:58 +08:00
|
|
|
|
2023-11-20 07:42:21 +08:00
|
|
|
typedef void (*T_Callback)(void *, const char *, const char *, uint32_t);
|
|
|
|
|
|
2023-11-24 18:52:57 +08:00
|
|
|
static std::map<void *, T_Callback> callbacks;
|
2023-11-20 07:42:21 +08:00
|
|
|
|
|
|
|
|
static void modify_callback(void *cookie, const char *name, const char *value, uint32_t serial) {
|
|
|
|
|
|
2023-11-24 18:52:57 +08:00
|
|
|
if (cookie == nullptr || name == nullptr || value == nullptr ||
|
|
|
|
|
!callbacks.contains(cookie))
|
|
|
|
|
return;
|
2023-11-20 07:42:21 +08:00
|
|
|
|
2023-11-24 18:52:57 +08:00
|
|
|
std::string_view prop(name);
|
2023-11-20 07:42:21 +08:00
|
|
|
|
2023-11-23 01:08:47 +08:00
|
|
|
if (prop.ends_with("api_level")) {
|
2023-11-29 17:10:07 +08:00
|
|
|
if (FIRST_API_LEVEL.empty()) {
|
|
|
|
|
LOGD("FIRST_API_LEVEL is empty, ignoring it...");
|
|
|
|
|
} else if (FIRST_API_LEVEL == "nullptr") {
|
2023-11-26 00:31:37 +08:00
|
|
|
value = nullptr;
|
|
|
|
|
} else {
|
|
|
|
|
value = FIRST_API_LEVEL.c_str();
|
|
|
|
|
}
|
2023-11-25 09:13:22 +08:00
|
|
|
LOGD("[%s] -> %s", name, value);
|
2023-11-23 01:08:47 +08:00
|
|
|
} else if (prop.ends_with("security_patch")) {
|
2023-11-29 17:10:07 +08:00
|
|
|
if (SECURITY_PATCH.empty()) {
|
|
|
|
|
LOGD("SECURITY_PATCH is empty, ignoring it...");
|
2023-11-26 00:31:37 +08:00
|
|
|
} else {
|
|
|
|
|
value = SECURITY_PATCH.c_str();
|
|
|
|
|
}
|
2023-11-25 09:13:22 +08:00
|
|
|
LOGD("[%s] -> %s", name, value);
|
2023-11-23 01:08:47 +08:00
|
|
|
}
|
2023-11-20 07:42:21 +08:00
|
|
|
|
2023-11-24 18:52:57 +08:00
|
|
|
return callbacks[cookie](cookie, name, value, serial);
|
2023-11-20 07:42:21 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void (*o_system_property_read_callback)(const prop_info *, T_Callback, void *);
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
my_system_property_read_callback(const prop_info *pi, T_Callback callback, void *cookie) {
|
|
|
|
|
if (pi == nullptr || callback == nullptr || cookie == nullptr) {
|
|
|
|
|
return o_system_property_read_callback(pi, callback, cookie);
|
|
|
|
|
}
|
2023-11-24 18:52:57 +08:00
|
|
|
callbacks[cookie] = callback;
|
2023-11-20 07:42:21 +08:00
|
|
|
return o_system_property_read_callback(pi, modify_callback, cookie);
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-23 07:07:43 +08:00
|
|
|
static void doHook() {
|
2023-11-26 17:51:22 +08:00
|
|
|
shadowhook_init(SHADOWHOOK_MODE_UNIQUE, false);
|
|
|
|
|
void *handle = shadowhook_hook_sym_name(
|
|
|
|
|
"libc.so",
|
|
|
|
|
"__system_property_read_callback",
|
|
|
|
|
reinterpret_cast<void *>(my_system_property_read_callback),
|
|
|
|
|
reinterpret_cast<void **>(&o_system_property_read_callback)
|
|
|
|
|
);
|
2023-11-23 07:07:43 +08:00
|
|
|
if (handle == nullptr) {
|
|
|
|
|
LOGD("Couldn't find '__system_property_read_callback' handle. Report to @chiteroman");
|
|
|
|
|
return;
|
2023-11-22 07:32:52 +08:00
|
|
|
}
|
2023-11-23 07:07:43 +08:00
|
|
|
LOGD("Found '__system_property_read_callback' handle at %p", handle);
|
2023-11-26 17:51:22 +08:00
|
|
|
}
|
|
|
|
|
|
2023-11-20 07:42:21 +08:00
|
|
|
class PlayIntegrityFix : public zygisk::ModuleBase {
|
|
|
|
|
public:
|
|
|
|
|
void onLoad(zygisk::Api *api, JNIEnv *env) override {
|
|
|
|
|
this->api = api;
|
|
|
|
|
this->env = env;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void preAppSpecialize(zygisk::AppSpecializeArgs *args) override {
|
2023-11-29 17:10:07 +08:00
|
|
|
bool isGms = false, isGmsUnstable = false;
|
|
|
|
|
|
2023-11-20 07:42:21 +08:00
|
|
|
auto rawProcess = env->GetStringUTFChars(args->nice_name, nullptr);
|
2023-11-28 00:25:34 +08:00
|
|
|
|
2023-11-29 17:10:07 +08:00
|
|
|
if (rawProcess) {
|
|
|
|
|
std::string_view process(rawProcess);
|
2023-11-28 00:25:34 +08:00
|
|
|
|
2023-11-29 17:10:07 +08:00
|
|
|
isGms = process.starts_with("com.google.android.gms");
|
|
|
|
|
isGmsUnstable = process.compare("com.google.android.gms.unstable") == 0;
|
|
|
|
|
}
|
2023-11-28 00:25:34 +08:00
|
|
|
|
2023-11-20 07:42:21 +08:00
|
|
|
env->ReleaseStringUTFChars(args->nice_name, rawProcess);
|
|
|
|
|
|
2023-11-24 18:52:57 +08:00
|
|
|
if (!isGms) {
|
|
|
|
|
api->setOption(zygisk::DLCLOSE_MODULE_LIBRARY);
|
|
|
|
|
return;
|
|
|
|
|
}
|
2023-11-24 03:14:58 +08:00
|
|
|
|
2023-11-24 18:52:57 +08:00
|
|
|
api->setOption(zygisk::FORCE_DENYLIST_UNMOUNT);
|
2023-11-24 03:14:58 +08:00
|
|
|
|
2023-11-24 18:52:57 +08:00
|
|
|
if (!isGmsUnstable) {
|
|
|
|
|
api->setOption(zygisk::DLCLOSE_MODULE_LIBRARY);
|
|
|
|
|
return;
|
|
|
|
|
}
|
2023-11-20 07:42:21 +08:00
|
|
|
|
2023-11-29 17:10:07 +08:00
|
|
|
long dexSize = 0, jsonSize = 0;
|
2023-11-24 18:52:57 +08:00
|
|
|
int fd = api->connectCompanion();
|
2023-11-20 07:42:21 +08:00
|
|
|
|
2023-11-29 17:10:07 +08:00
|
|
|
read(fd, &dexSize, sizeof(long));
|
|
|
|
|
read(fd, &jsonSize, sizeof(long));
|
2023-11-27 00:02:51 +08:00
|
|
|
|
2023-11-28 00:25:34 +08:00
|
|
|
if (dexSize < 1) {
|
2023-11-27 00:02:51 +08:00
|
|
|
close(fd);
|
2023-11-28 00:25:34 +08:00
|
|
|
LOGD("Couldn't read classes.dex");
|
2023-11-27 00:02:51 +08:00
|
|
|
api->setOption(zygisk::DLCLOSE_MODULE_LIBRARY);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-28 00:25:34 +08:00
|
|
|
if (jsonSize < 1) {
|
2023-11-27 00:02:51 +08:00
|
|
|
close(fd);
|
2023-11-28 00:25:34 +08:00
|
|
|
LOGD("Couldn't read pif.json");
|
2023-11-27 00:02:51 +08:00
|
|
|
api->setOption(zygisk::DLCLOSE_MODULE_LIBRARY);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-28 00:25:34 +08:00
|
|
|
dexVector.resize(dexSize);
|
|
|
|
|
read(fd, dexVector.data(), dexSize);
|
2023-11-29 17:10:07 +08:00
|
|
|
|
|
|
|
|
std::vector<char> jsonVector(jsonSize);
|
2023-11-28 00:25:34 +08:00
|
|
|
read(fd, jsonVector.data(), jsonSize);
|
2023-11-24 03:14:58 +08:00
|
|
|
|
2023-11-25 03:34:31 +08:00
|
|
|
close(fd);
|
2023-11-25 09:13:22 +08:00
|
|
|
|
2023-11-29 17:10:07 +08:00
|
|
|
LOGD("Read from file descriptor file 'classes.dex' -> %ld bytes", dexSize);
|
|
|
|
|
LOGD("Read from file descriptor file 'pif.json' -> %ld bytes", jsonSize);
|
|
|
|
|
|
|
|
|
|
std::string data(jsonVector.cbegin(), jsonVector.cend());
|
|
|
|
|
json = nlohmann::json::parse(data, nullptr, false, true);
|
|
|
|
|
|
|
|
|
|
jsonVector.clear();
|
|
|
|
|
data.clear();
|
2023-11-20 07:42:21 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void postAppSpecialize(const zygisk::AppSpecializeArgs *args) override {
|
2023-11-29 17:10:07 +08:00
|
|
|
if (dexVector.empty() || json.empty()) return;
|
2023-11-22 01:25:33 +08:00
|
|
|
|
2023-11-26 00:31:37 +08:00
|
|
|
readJson();
|
|
|
|
|
|
2023-11-24 18:52:57 +08:00
|
|
|
doHook();
|
2023-11-26 17:51:22 +08:00
|
|
|
|
2023-11-28 00:25:34 +08:00
|
|
|
inject();
|
|
|
|
|
|
2023-11-26 17:51:22 +08:00
|
|
|
dexVector.clear();
|
2023-11-29 17:10:07 +08:00
|
|
|
json.clear();
|
2023-11-20 07:42:21 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void preServerSpecialize(zygisk::ServerSpecializeArgs *args) override {
|
|
|
|
|
api->setOption(zygisk::DLCLOSE_MODULE_LIBRARY);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private:
|
|
|
|
|
zygisk::Api *api = nullptr;
|
|
|
|
|
JNIEnv *env = nullptr;
|
2023-11-29 17:10:07 +08:00
|
|
|
std::vector<char> dexVector;
|
|
|
|
|
nlohmann::json json;
|
2023-11-26 00:31:37 +08:00
|
|
|
|
|
|
|
|
void readJson() {
|
2023-11-27 05:22:56 +08:00
|
|
|
if (json.contains("SECURITY_PATCH")) {
|
|
|
|
|
if (json["SECURITY_PATCH"].is_null()) {
|
2023-11-29 17:10:07 +08:00
|
|
|
LOGD("Key SECURITY_PATCH is null!");
|
2023-11-27 05:22:56 +08:00
|
|
|
} else if (json["SECURITY_PATCH"].is_string()) {
|
|
|
|
|
SECURITY_PATCH = json["SECURITY_PATCH"].get<std::string>();
|
|
|
|
|
} else {
|
|
|
|
|
LOGD("Error parsing SECURITY_PATCH!");
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
LOGD("Key SECURITY_PATCH doesn't exist in JSON file!");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (json.contains("FIRST_API_LEVEL")) {
|
|
|
|
|
if (json["FIRST_API_LEVEL"].is_null()) {
|
2023-11-29 17:10:07 +08:00
|
|
|
LOGD("Key FIRST_API_LEVEL is null!");
|
2023-11-27 21:18:58 +08:00
|
|
|
FIRST_API_LEVEL = "nullptr";
|
2023-11-27 05:22:56 +08:00
|
|
|
} else if (json["FIRST_API_LEVEL"].is_string()) {
|
|
|
|
|
FIRST_API_LEVEL = json["FIRST_API_LEVEL"].get<std::string>();
|
|
|
|
|
} else {
|
|
|
|
|
LOGD("Error parsing FIRST_API_LEVEL!");
|
|
|
|
|
}
|
2023-11-29 17:10:07 +08:00
|
|
|
json.erase("FIRST_API_LEVEL");
|
2023-11-27 05:22:56 +08:00
|
|
|
} else {
|
|
|
|
|
LOGD("Key FIRST_API_LEVEL doesn't exist in JSON file!");
|
|
|
|
|
}
|
2023-11-26 00:31:37 +08:00
|
|
|
}
|
2023-11-20 07:42:21 +08:00
|
|
|
|
2023-11-23 07:07:43 +08:00
|
|
|
void inject() {
|
2023-11-20 07:42:21 +08:00
|
|
|
LOGD("get system classloader");
|
|
|
|
|
auto clClass = env->FindClass("java/lang/ClassLoader");
|
|
|
|
|
auto getSystemClassLoader = env->GetStaticMethodID(clClass, "getSystemClassLoader",
|
|
|
|
|
"()Ljava/lang/ClassLoader;");
|
|
|
|
|
auto systemClassLoader = env->CallStaticObjectMethod(clClass, getSystemClassLoader);
|
|
|
|
|
|
|
|
|
|
LOGD("create class loader");
|
2023-11-25 09:13:22 +08:00
|
|
|
auto dexClClass = env->FindClass("dalvik/system/InMemoryDexClassLoader");
|
|
|
|
|
auto dexClInit = env->GetMethodID(dexClClass, "<init>",
|
|
|
|
|
"(Ljava/nio/ByteBuffer;Ljava/lang/ClassLoader;)V");
|
2023-11-26 17:51:22 +08:00
|
|
|
auto buffer = env->NewDirectByteBuffer(dexVector.data(),
|
|
|
|
|
static_cast<jlong>(dexVector.size()));
|
2023-11-25 09:13:22 +08:00
|
|
|
auto dexCl = env->NewObject(dexClClass, dexClInit, buffer, systemClassLoader);
|
2023-11-20 07:42:21 +08:00
|
|
|
|
|
|
|
|
LOGD("load class");
|
|
|
|
|
auto loadClass = env->GetMethodID(clClass, "loadClass",
|
|
|
|
|
"(Ljava/lang/String;)Ljava/lang/Class;");
|
|
|
|
|
auto entryClassName = env->NewStringUTF("es.chiteroman.playintegrityfix.EntryPoint");
|
|
|
|
|
auto entryClassObj = env->CallObjectMethod(dexCl, loadClass, entryClassName);
|
|
|
|
|
|
|
|
|
|
auto entryClass = (jclass) entryClassObj;
|
2023-11-23 07:07:43 +08:00
|
|
|
|
2023-11-26 00:31:37 +08:00
|
|
|
LOGD("read json");
|
|
|
|
|
auto readProps = env->GetStaticMethodID(entryClass, "readJson",
|
|
|
|
|
"(Ljava/lang/String;)V");
|
2023-11-29 17:10:07 +08:00
|
|
|
auto javaStr = env->NewStringUTF(json.dump().c_str());
|
2023-11-26 00:31:37 +08:00
|
|
|
env->CallStaticVoidMethod(entryClass, readProps, javaStr);
|
|
|
|
|
|
2023-11-23 07:07:43 +08:00
|
|
|
LOGD("call init");
|
2023-11-20 07:42:21 +08:00
|
|
|
auto entryInit = env->GetStaticMethodID(entryClass, "init", "()V");
|
|
|
|
|
env->CallStaticVoidMethod(entryClass, entryInit);
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
2023-11-24 03:14:58 +08:00
|
|
|
static void companion(int fd) {
|
2023-11-29 17:10:07 +08:00
|
|
|
long dexSize = 0, jsonSize = 0;
|
|
|
|
|
std::vector<char> dexVector, jsonVector;
|
2023-11-26 17:51:22 +08:00
|
|
|
|
2023-11-29 17:10:07 +08:00
|
|
|
FILE *dex = fopen(DEX_FILE_PATH, "rb");
|
2023-11-27 00:02:51 +08:00
|
|
|
|
2023-11-29 17:10:07 +08:00
|
|
|
if (dex) {
|
|
|
|
|
fseek(dex, 0, SEEK_END);
|
|
|
|
|
dexSize = ftell(dex);
|
|
|
|
|
fseek(dex, 0, SEEK_SET);
|
|
|
|
|
|
|
|
|
|
dexVector.resize(dexSize);
|
|
|
|
|
fread(dexVector.data(), 1, dexSize, dex);
|
|
|
|
|
|
|
|
|
|
fclose(dex);
|
|
|
|
|
}
|
2023-11-27 00:02:51 +08:00
|
|
|
|
2023-11-30 20:17:15 +08:00
|
|
|
FILE *json = fopen(CUSTOM_JSON_FILE_PATH, "r");
|
|
|
|
|
if (!json)
|
2023-11-29 23:19:43 +08:00
|
|
|
FILE *json = fopen(JSON_FILE_PATH, "r");
|
2023-11-29 17:10:07 +08:00
|
|
|
|
|
|
|
|
if (json) {
|
|
|
|
|
fseek(json, 0, SEEK_END);
|
|
|
|
|
jsonSize = ftell(json);
|
|
|
|
|
fseek(json, 0, SEEK_SET);
|
|
|
|
|
|
|
|
|
|
jsonVector.resize(jsonSize);
|
|
|
|
|
fread(jsonVector.data(), 1, jsonSize, json);
|
|
|
|
|
|
|
|
|
|
fclose(json);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
write(fd, &dexSize, sizeof(long));
|
|
|
|
|
write(fd, &jsonSize, sizeof(long));
|
2023-11-27 01:32:01 +08:00
|
|
|
|
2023-11-28 00:25:34 +08:00
|
|
|
write(fd, dexVector.data(), dexSize);
|
|
|
|
|
write(fd, jsonVector.data(), jsonSize);
|
2023-11-29 17:10:07 +08:00
|
|
|
|
|
|
|
|
dexVector.clear();
|
|
|
|
|
jsonVector.clear();
|
2023-11-20 07:42:21 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
REGISTER_ZYGISK_MODULE(PlayIntegrityFix)
|
|
|
|
|
|
2023-11-27 05:22:56 +08:00
|
|
|
REGISTER_ZYGISK_COMPANION(companion)
|
