POC

2025-01-31 14:21:06 +01:00 · 2025-01-31 14:21:06 +01:00 · c423a3f5cd
commit c423a3f5cd
parent 2e0794c3e3
5 changed files with 61 additions and 21 deletions
--- a/patcher/src/lib.rs
+++ b/patcher/src/lib.rs
@ -35,6 +35,8 @@ impl RegistersInfo {
 const INVOKE: &str =
    "Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;";

+// Interesting stuff: https://cs.android.com/android/platform/superproject/main/+/main:art/runtime/verifier/reg_type.h;drc=83db0626fad8c6e0508754fffcbbd58e539d14a5;l=94
+// https://cs.android.com/android/platform/superproject/main/+/main:art/runtime/verifier/method_verifier.cc;drc=83db0626fad8c6e0508754fffcbbd58e539d14a5;l=5328
 pub fn transform_method(meth: &mut Method, ref_data: &ReflectionData) -> Result<()> {
    let invoke = IdMethod::from_smali(INVOKE)?;
    // checking meth.annotations might be usefull at some point
@ -124,7 +126,7 @@ fn get_invoke_block(
        from: obj_inst,
        to: reg_inf.first_arg,
    });
-    for i in 0..nb_args {
+    for (i, param) in ref_data.method.proto.get_parameters().iter().enumerate() {
        insns.push(Instruction::Const {
            reg: reg_inf.array_index,
            lit: i as i32,
@ -134,6 +136,10 @@ fn get_invoke_block(
            arr: arg_arr as u8, // TODO
            idx: reg_inf.array_index,
        });
+        insns.push(Instruction::CheckCast {
+            reg: reg_inf.array_val,
+            lit: param.clone(),
+        });
        insns.push(Instruction::MoveObject {
            from: reg_inf.array_val as u16,
            to: reg_inf.first_arg + 1 + i as u16,
--- a/patcher/src/main.rs
+++ b/patcher/src/main.rs
@ -18,6 +18,10 @@ struct Cli {
    out: PathBuf,
    #[arg(short, long)]
    keystore: PathBuf,
+    #[arg(short, long)]
+    zipalign: Option<PathBuf>,
+    #[arg(short, long)]
+    apksigner: Option<PathBuf>,
 }

 fn main() {
@ -67,13 +71,14 @@ fn main() {
        }
        i += 1;
    }
+    // TODO: aapt would be a lot more stable
    apk_frauder::replace_dex(
        cli.apk.path.unwrap(),
        cli.out,
        &mut dex_files,
        cli.keystore,
-        None::<PathBuf>,
-        None::<PathBuf>,
+        cli.zipalign,
+        cli.apksigner,
        None::<HashMap<_, Option<Cursor<&[u8]>>>>,
    );
 }