investigate

2025-09-06 06:37:07 +00:00 · 2024-07-17 20:03:39 +08:00
parent 49554a8bbd
commit ebdaf87061
7 changed files with 275 additions and 7 deletions
--- a/service/src/main/java/io/github/a13e300/tricky_store/KeystoreInterceptor.kt
+++ b/service/src/main/java/io/github/a13e300/tricky_store/KeystoreInterceptor.kt
@@ -88,12 +88,18 @@ object KeystoreInterceptor : BinderInterceptor() {
        return Skip
    }

+    private var tried = false
+
    fun tryRunKeystoreInterceptor(): Boolean {
        Logger.i("trying to register keystore interceptor ...")
        val b = ServiceManager.getService("android.system.keystore2.IKeystoreService/default") ?: return false
        val bd = getBinderBackdoor(b)
        if (bd == null) {
            // no binder hook, try inject
+            if (tried) {
+                Logger.e("inject tried but still has no backdoor, exit")
+                exitProcess(1)
+            }
            Logger.i("trying to inject keystore ...")
            val p = Runtime.getRuntime().exec(
                arrayOf(
@@ -108,6 +114,7 @@ object KeystoreInterceptor : BinderInterceptor() {
                Logger.e("failed to inject! daemon exit")
                exitProcess(1)
            }
+            tried = true
            return false
        }
        val ks = IKeystoreService.Stub.asInterface(b)
--- a/service/src/main/java/io/github/a13e300/tricky_store/binder/BinderInterceptor.kt
+++ b/service/src/main/java/io/github/a13e300/tricky_store/binder/BinderInterceptor.kt
@@ -3,6 +3,7 @@ package io.github.a13e300.tricky_store.binder
 import android.os.Binder
 import android.os.IBinder
 import android.os.Parcel
+import io.github.a13e300.tricky_store.Logger

 open class BinderInterceptor : Binder() {
    sealed class Result
@@ -16,9 +17,14 @@ open class BinderInterceptor : Binder() {
            val data = Parcel.obtain()
            val reply = Parcel.obtain()
            try {
-                b.transact(0xdeadbeef.toInt(), data, reply, 0)
+                if (!b.transact(0xadbeef, data, reply, 0)) {
+                    Logger.e("remote return false!")
+                    return null
+                }
+                Logger.d("remote return true!")
                return reply.readStrongBinder()
-            } catch (ignored: Throwable) {
+            } catch (t: Throwable) {
+                Logger.e("failed to read binder", t)
                return null
            } finally {
                data.recycle()