diff --git a/.gitignore b/.gitignore
index a1fc39c..603b140 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,14 +1,14 @@
+*.iml
 .gradle
-/build/
-
-# Ignore Gradle GUI config
-gradle-app.setting
-
-# Avoid ignoring Gradle wrapper jar file (.jar files are usually ignored)
-!gradle-wrapper.jar
-
-# Cache of project
-.gradletasknamecache
-
-# # Work around https://youtrack.jetbrains.com/issue/IDEA-116898
-# gradle/wrapper/gradle-wrapper.properties
+/local.properties
+/.idea/caches
+/.idea/libraries
+/.idea/modules.xml
+/.idea/workspace.xml
+/.idea/navEditor.xml
+/.idea/assetWizardSettings.xml
+.DS_Store
+/build
+/captures
+.externalNativeBuild
+.cxx
diff --git a/README.md b/README.md
index bf3d8c3..b849570 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,80 @@
 # RestrictionBypass
 Android API restriction bypass for all Android Versions
+
+## Description
+
+Small library to access hidden API restricted by https://developer.android.com/distribute/best-practices/develop/restrictions-non-sdk-interfaces
+
+## Supported Android Versions
+
+Android API 19 - 30
+
+## Examples
+
+#### getDeclaredField(...)
+
+Original reflection call
+
+```
+ Class.forName("android.app.ActivityThread").getDeclaredField(
+ "mResourcesManager"
+ )
+```
+
+Call with RestrictionBypass
+
+```
+ RestrictionBypass.getDeclaredField(
+ Class.forName("android.app.ActivityThread"),
+ "mResourcesManager"
+
+ )
+```
+
+#### getMethod(...)
+
+Original reflection call
+
+
+```
+ Class.forName("android.app.ActivityThread").getMethod(
+ "getPackageInfo", String::class.java, Class.forName("android.content.res.CompatibilityInfo"), Integer.TYPE
+ )
+```
+Call with RestrictionBypass
+
+```
+ RestrictionBypass.getMethod(
+ Class.forName("android.app.ActivityThread"),
+ "getPackageInfo", String::class.java, Class.forName("android.content.res.CompatibilityInfo"), Integer.TYPE
+ )
+```
+
+#### getDeclaredMethod(...)
+Original reflection call
+
+```
+ Class.forName("android.app.ActivityThread").getDeclaredMethod(
+ "getPackageInfo", String::class.java, Class.forName("android.content.res.CompatibilityInfo"), Integer.TYPE
+ )
+```
+Call with RestrictionBypass
+
+```
+ RestrictionBypass.getDeclaredMethod(
+ Class.forName("android.app.ActivityThread"),
+ "getPackageInfo", String::class.java, Class.forName("android.content.res.CompatibilityInfo"), Integer.TYPE
+ )
+```
+
+## Integration
+
+Just take the maven repository:
+
+```
+WIP
+```
+
+Or take the prebuilt aar library: [restrictionbypass.aar](prebuild/restrictionbypass.aar)
+
+## Troubleshooting
\ No newline at end of file
diff --git a/app/.gitignore b/app/.gitignore
new file mode 100644
index 0000000..796b96d
--- /dev/null
+++ b/app/.gitignore
@@ -0,0 +1 @@
+/build
diff --git a/app/build.gradle b/app/build.gradle
new file mode 100644
index 0000000..cd39abe
--- /dev/null
+++ b/app/build.gradle
@@ -0,0 +1,38 @@
+apply plugin: 'com.android.application'
+apply plugin: 'kotlin-android'
+apply plugin: 'kotlin-android-extensions'
+
+android {
+ compileSdkVersion 29
+ buildToolsVersion "29.0.3"
+
+ defaultConfig {
+ applicationId "org.chickenhook.restrictionbypass.app"
+ minSdkVersion 19
+ targetSdkVersion 30
+ versionCode 1
+ versionName "1.0"
+
+ testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
+ }
+
+ buildTypes {
+ release {
+ minifyEnabled false
+ proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
+ }
+ }
+
+}
+
+dependencies {
+ implementation fileTree(dir: 'libs', include: ['*.jar'])
+ implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:$kotlin_version"
+ implementation 'androidx.appcompat:appcompat:1.1.0'
+ implementation 'androidx.core:core-ktx:1.2.0'
+ implementation 'androidx.constraintlayout:constraintlayout:1.1.3'
+ testImplementation 'junit:junit:4.12'
+ androidTestImplementation 'androidx.test.ext:junit:1.1.1'
+ androidTestImplementation 'androidx.test.espresso:espresso-core:3.2.0'
+ implementation project(':restrictionbypass')
+}
diff --git a/app/proguard-rules.pro b/app/proguard-rules.pro
new file mode 100644
index 0000000..f1b4245
--- /dev/null
+++ b/app/proguard-rules.pro
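Review bot: `targetSdkVersion 30` in `defaultConfig` is higher than `compileSdkVersion 29`, so the module declares behaviour for an API level it is not compiled against; the usual ordering is minSdkVersion ≤ targetSdkVersion ≤ compileSdkVersion. Either raise the compile level, `compileSdkVersion 30` with a matching `buildToolsVersion`, or keep `targetSdkVersion 29` until the build moves. The same pair appears in restrictionbypass/build.gradle. Since the conditionally blocked non-SDK lists depend on the target API level, the value chosen here also affects what the instrumented tests exercise, which is worth a one-line comment next to it.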
@@ -0,0 +1,21 @@ +# Add project specific ProGuard rules here. +# You can control the set of applied configuration files using the +# proguardFiles setting in build.gradle. +# +# For more details, see +# http://developer.android.com/guide/developing/tools/proguard.html + +# If your project uses WebView with JS, uncomment the following +# and specify the fully qualified class name to the JavaScript interface +# class: +#-keepclassmembers class fqcn.of.javascript.interface.for.webview { +# public *; +#} + +# Uncomment this to preserve the line number information for +# debugging stack traces. +#-keepattributes SourceFile,LineNumberTable + +# If you keep the line number information, uncomment this to +# hide the original source file name. +#-renamesourcefileattribute SourceFile diff --git a/app/src/androidTest/java/org/chickenhook/restrictionbypass/app/KotlinExamples.kt b/app/src/androidTest/java/org/chickenhook/restrictionbypass/app/KotlinExamples.kt new file mode 100644 index 0000000..992bac1 --- /dev/null +++ b/app/src/androidTest/java/org/chickenhook/restrictionbypass/app/KotlinExamples.kt 
@@ -0,0 +1,43 @@ +package org.chickenhook.restrictionbypass.app + +import junit.framework.Assert.assertNotNull +import org.chickenhook.restrictionbypass.RestrictionBypass +import org.junit.Test + +class KotlinExamples { + + @Test(expected = NoSuchFieldException::class) // will fail due to api restrictions + fun accessResourcesManagerWithoutBypass() { + Class.forName("android.app.ActivityThread").getDeclaredField( + "mResourcesManager" + ) + } + + @Test + fun accessResourcesManagerWithBypass() { + assertNotNull( + RestrictionBypass.getDeclaredField( + Class.forName("android.app.ActivityThread"), + "mResourcesManager" + + ) + ) + } + + @Test(expected = NoSuchMethodException::class) // will fail due to api restrictions + fun invokeGetPackageInfoWithoutBypass() { + Class.forName("android.app.ActivityThread").getMethod( + "getPackageInfo", String::class.java, Class.forName("android.content.res.CompatibilityInfo"), Integer.TYPE + ) + } + + @Test + fun invokeGetPackageInfoWithBypass() { + assertNotNull( + RestrictionBypass.getMethod( + Class.forName("android.app.ActivityThread"), + "getPackageInfo", String::class.java, Class.forName("android.content.res.CompatibilityInfo"), Integer.TYPE + ) + ) + } +} \ No newline at end of file diff --git a/app/src/main/AndroidManifest.xml b/app/src/main/AndroidManifest.xml new file mode 100644 index 0000000..d6bf057 --- /dev/null +++ b/app/src/main/AndroidManifest.xml @@ -0,0 +1,21 @@ + + + + + + + + + + + + + + \ No newline at end of file diff --git a/app/src/main/java/org/chickenhook/restrictionbypass/app/MainActivity.kt b/app/src/main/java/org/chickenhook/restrictionbypass/app/MainActivity.kt new file mode 100644 index 0000000..cd7c415 --- /dev/null +++ b/app/src/main/java/org/chickenhook/restrictionbypass/app/MainActivity.kt 
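Review bot: `accessResourcesManagerWithoutBypass` and `invokeGetPackageInfoWithoutBypass` expect `NoSuchFieldException` / `NoSuchMethodException` unconditionally, but non-SDK interface enforcement only exists from Android 9 (API 28) while the app declares `minSdkVersion 19` and the README claims API 19 - 30. On an older device the plain reflection call is presumably not blocked, so the expected exception would not be thrown and the test would fail for a reason unrelated to the library. Guard both with `assumeTrue(Build.VERSION.SDK_INT >= Build.VERSION_CODES.P)` so they are skipped where the restriction does not apply. The import `junit.framework.Assert.assertNotNull` uses the deprecated JUnit 3 class; `org.junit.Assert.assertNotNull` matches the JUnit 4 `@Test` already in use.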
@@ -0,0 +1,12 @@ +package org.chickenhook.restrictionbypass.app + +import androidx.appcompat.app.AppCompatActivity +import android.os.Bundle + +class MainActivity : AppCompatActivity() { + + override fun onCreate(savedInstanceState: Bundle?) { + super.onCreate(savedInstanceState) + setContentView(R.layout.activity_main) + } +} diff --git a/app/src/main/res/drawable-v24/ic_launcher_foreground.xml b/app/src/main/res/drawable-v24/ic_launcher_foreground.xml new file mode 100644 index 0000000..2b068d1 --- /dev/null +++ b/app/src/main/res/drawable-v24/ic_launcher_foreground.xml @@ -0,0 +1,30 @@ + + + + + + + + + + + \ No newline at end of file diff --git a/app/src/main/res/drawable/ic_launcher_background.xml b/app/src/main/res/drawable/ic_launcher_background.xml new file mode 100644 index 0000000..07d5da9 --- /dev/null +++ b/app/src/main/res/drawable/ic_launcher_background.xml @@ -0,0 +1,170 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/app/src/main/res/layout/activity_main.xml b/app/src/main/res/layout/activity_main.xml new file mode 100644 index 0000000..4fc2444 --- /dev/null +++ b/app/src/main/res/layout/activity_main.xml @@ -0,0 +1,18 @@ + + + + + + \ No newline at end of file diff --git a/app/src/main/res/mipmap-anydpi-v26/ic_launcher.xml b/app/src/main/res/mipmap-anydpi-v26/ic_launcher.xml new file mode 100644 index 0000000..eca70cf --- /dev/null +++ b/app/src/main/res/mipmap-anydpi-v26/ic_launcher.xml @@ -0,0 +1,5 @@ + + + + + \ No newline at end of file diff --git a/app/src/main/res/mipmap-anydpi-v26/ic_launcher_round.xml b/app/src/main/res/mipmap-anydpi-v26/ic_launcher_round.xml new file mode 100644 index 0000000..eca70cf --- /dev/null +++ b/app/src/main/res/mipmap-anydpi-v26/ic_launcher_round.xml @@ -0,0 +1,5 @@ + + + + + \ No newline at end of file 
diff --git a/app/src/main/res/mipmap-hdpi/ic_launcher.png b/app/src/main/res/mipmap-hdpi/ic_launcher.png new file mode 100644 index 0000000..a571e60 Binary files /dev/null and b/app/src/main/res/mipmap-hdpi/ic_launcher.png differ diff --git a/app/src/main/res/mipmap-hdpi/ic_launcher_round.png b/app/src/main/res/mipmap-hdpi/ic_launcher_round.png new file mode 100644 index 0000000..61da551 Binary files /dev/null and b/app/src/main/res/mipmap-hdpi/ic_launcher_round.png differ diff --git a/app/src/main/res/mipmap-mdpi/ic_launcher.png b/app/src/main/res/mipmap-mdpi/ic_launcher.png new file mode 100644 index 0000000..c41dd28 Binary files /dev/null and b/app/src/main/res/mipmap-mdpi/ic_launcher.png differ diff --git a/app/src/main/res/mipmap-mdpi/ic_launcher_round.png b/app/src/main/res/mipmap-mdpi/ic_launcher_round.png new file mode 100644 index 0000000..db5080a Binary files /dev/null and b/app/src/main/res/mipmap-mdpi/ic_launcher_round.png differ diff --git a/app/src/main/res/mipmap-xhdpi/ic_launcher.png b/app/src/main/res/mipmap-xhdpi/ic_launcher.png new file mode 100644 index 0000000..6dba46d Binary files /dev/null and b/app/src/main/res/mipmap-xhdpi/ic_launcher.png differ diff --git a/app/src/main/res/mipmap-xhdpi/ic_launcher_round.png b/app/src/main/res/mipmap-xhdpi/ic_launcher_round.png new file mode 100644 index 0000000..da31a87 Binary files /dev/null and b/app/src/main/res/mipmap-xhdpi/ic_launcher_round.png differ diff --git a/app/src/main/res/mipmap-xxhdpi/ic_launcher.png b/app/src/main/res/mipmap-xxhdpi/ic_launcher.png new file mode 100644 index 0000000..15ac681 Binary files /dev/null and b/app/src/main/res/mipmap-xxhdpi/ic_launcher.png differ diff --git a/app/src/main/res/mipmap-xxhdpi/ic_launcher_round.png b/app/src/main/res/mipmap-xxhdpi/ic_launcher_round.png new file mode 100644 index 0000000..b216f2d Binary files /dev/null and b/app/src/main/res/mipmap-xxhdpi/ic_launcher_round.png differ 
diff --git a/app/src/main/res/mipmap-xxxhdpi/ic_launcher.png b/app/src/main/res/mipmap-xxxhdpi/ic_launcher.png new file mode 100644 index 0000000..f25a419 Binary files /dev/null and b/app/src/main/res/mipmap-xxxhdpi/ic_launcher.png differ diff --git a/app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.png b/app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.png new file mode 100644 index 0000000..e96783c Binary files /dev/null and b/app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.png differ diff --git a/app/src/main/res/values/colors.xml b/app/src/main/res/values/colors.xml new file mode 100644 index 0000000..030098f --- /dev/null +++ b/app/src/main/res/values/colors.xml @@ -0,0 +1,6 @@ + + + #6200EE + #3700B3 + #03DAC5 + diff --git a/app/src/main/res/values/strings.xml b/app/src/main/res/values/strings.xml new file mode 100644 index 0000000..ad182a4 --- /dev/null +++ b/app/src/main/res/values/strings.xml @@ -0,0 +1,3 @@ + + RestrictionBypass + diff --git a/app/src/main/res/values/styles.xml b/app/src/main/res/values/styles.xml new file mode 100644 index 0000000..5885930 --- /dev/null +++ b/app/src/main/res/values/styles.xml @@ -0,0 +1,11 @@ + + + + + + diff --git a/build.gradle b/build.gradle new file mode 100644 index 0000000..9d6a26b --- /dev/null +++ b/build.gradle @@ -0,0 +1,29 @@ +// Top-level build file where you can add configuration options common to all sub-projects/modules. + +buildscript { + ext.kotlin_version = '1.3.72' + repositories { + google() + jcenter() + + } + dependencies { + classpath 'com.android.tools.build:gradle:3.6.1' + classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version" + + // NOTE: Do not place your application dependencies here; they belong + // in the individual module build.gradle files + } +} + +allprojects { + repositories { + google() + jcenter() + + } +} + +task clean(type: Delete) { + delete rootProject.buildDir +} diff --git a/gradle.properties b/gradle.properties new file mode 100644 index 0000000..23339e0 
--- /dev/null +++ b/gradle.properties @@ -0,0 +1,21 @@ +# Project-wide Gradle settings. +# IDE (e.g. Android Studio) users: +# Gradle settings configured through the IDE *will override* +# any settings specified in this file. +# For more details on how to configure your build environment visit +# http://www.gradle.org/docs/current/userguide/build_environment.html +# Specifies the JVM arguments used for the daemon process. +# The setting is particularly useful for tweaking memory settings. +org.gradle.jvmargs=-Xmx1536m +# When configured, Gradle will run in incubating parallel mode. +# This option should only be used with decoupled projects. More details, visit +# http://www.gradle.org/docs/current/userguide/multi_project_builds.html#sec:decoupled_projects +# org.gradle.parallel=true +# AndroidX package structure to make it clearer which packages are bundled with the +# Android operating system, and which are packaged with your app's APK +# https://developer.android.com/topic/libraries/support-library/androidx-rn +android.useAndroidX=true +# Automatically convert third-party libraries to use AndroidX +android.enableJetifier=true +# Kotlin code style for this project: "official" or "obsolete": +kotlin.code.style=official diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 0000000..f6b961f Binary files /dev/null and b/gradle/wrapper/gradle-wrapper.jar differ diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 0000000..10f0a18 --- /dev/null +++ b/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,6 @@ +#Fri May 01 23:22:14 CEST 2020 +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-5.6.4-all.zip diff --git a/gradlew b/gradlew new file mode 100755 index 0000000..cccdd3d --- /dev/null +++ b/gradlew 
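Review bot: gradle/wrapper/gradle-wrapper.properties pins `distributionUrl` to gradle-5.6.4-all.zip but sets no `distributionSha256Sum`, so the wrapper downloads and runs the distribution without checking it against a known digest. Add `distributionSha256Sum=<SHA-256 of gradle-5.6.4-all.zip, taken from the Gradle release checksums page>` below the URL. The same commit adds gradle/wrapper/gradle-wrapper.jar as a binary, which a reviewer cannot inspect in the diff; comparing it with the published wrapper checksum, for example as a CI step, would cover that file as well.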
@@ -0,0 +1,172 @@ +#!/usr/bin/env sh + +############################################################################## +## +## Gradle start up script for UN*X +## +############################################################################## + +# Attempt to set APP_HOME +# Resolve links: $0 may be a link +PRG="$0" +# Need this for relative symlinks. +while [ -h "$PRG" ] ; do + ls=`ls -ld "$PRG"` + link=`expr "$ls" : '.*-> \(.*\)$'` + if expr "$link" : '/.*' > /dev/null; then + PRG="$link" + else + PRG=`dirname "$PRG"`"/$link" + fi +done +SAVED="`pwd`" +cd "`dirname \"$PRG\"`/" >/dev/null +APP_HOME="`pwd -P`" +cd "$SAVED" >/dev/null + +APP_NAME="Gradle" +APP_BASE_NAME=`basename "$0"` + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS="" + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD="maximum" + +warn () { + echo "$*" +} + +die () { + echo + echo "$*" + echo + exit 1 +} + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "`uname`" in + CYGWIN* ) + cygwin=true + ;; + Darwin* ) + darwin=true + ;; + MINGW* ) + msys=true + ;; + NONSTOP* ) + nonstop=true + ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + +# Determine the Java command to use to start the JVM. +if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD="$JAVA_HOME/jre/sh/java" + else + JAVACMD="$JAVA_HOME/bin/java" + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD="java" + which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 
+ +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." +fi + +# Increase the maximum file descriptors if we can. +if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then + MAX_FD_LIMIT=`ulimit -H -n` + if [ $? -eq 0 ] ; then + if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then + MAX_FD="$MAX_FD_LIMIT" + fi + ulimit -n $MAX_FD + if [ $? -ne 0 ] ; then + warn "Could not set maximum file descriptor limit: $MAX_FD" + fi + else + warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" + fi +fi + +# For Darwin, add options to specify how the application appears in the dock +if $darwin; then + GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" +fi + +# For Cygwin, switch paths to Windows format before running java +if $cygwin ; then + APP_HOME=`cygpath --path --mixed "$APP_HOME"` + CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` + JAVACMD=`cygpath --unix "$JAVACMD"` + + # We build the pattern for arguments to be converted via cygpath + ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` + SEP="" + for dir in $ROOTDIRSRAW ; do + ROOTDIRS="$ROOTDIRS$SEP$dir" + SEP="|" + done + OURCYGPATTERN="(^($ROOTDIRS))" + # Add a user-defined pattern to the cygpath arguments + if [ "$GRADLE_CYGPATTERN" != "" ] ; then + OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" + fi + # Now convert the arguments - kludge to limit ourselves to /bin/sh + i=0 + for arg in "$@" ; do + CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` + CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option + + if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition + eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` + else + eval `echo args$i`="\"$arg\"" + fi + i=$((i+1)) + done + case $i in + (0) set -- ;; + (1) set -- "$args0" ;; + (2) set -- "$args0" "$args1" ;; + (3) set -- "$args0" "$args1" "$args2" ;; + (4) set -- "$args0" 
"$args1" "$args2" "$args3" ;; + (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; + (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; + (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; + (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; + (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; + esac +fi + +# Escape application args +save () { + for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done + echo " " +} +APP_ARGS=$(save "$@") + +# Collect all arguments for the java command, following the shell quoting and substitution rules +eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" + +# by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong +if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then + cd "$(dirname "$0")" +fi + +exec "$JAVACMD" "$@" diff --git a/gradlew.bat b/gradlew.bat new file mode 100644 index 0000000..f955316 --- /dev/null +++ b/gradlew.bat 
@@ -0,0 +1,84 @@ +@if "%DEBUG%" == "" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%" == "" set DIRNAME=. +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS= + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if "%ERRORLEVEL%" == "0" goto init + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto init + +echo. +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:init +@rem Get command-line arguments, handling Windows variants + +if not "%OS%" == "Windows_NT" goto win9xME_args + +:win9xME_args +@rem Slurp the command line arguments. 
+set CMD_LINE_ARGS= +set _SKIP=2 + +:win9xME_args_slurp +if "x%~1" == "x" goto execute + +set CMD_LINE_ARGS=%* + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% + +:end +@rem End local scope for the variables with windows NT shell +if "%ERRORLEVEL%"=="0" goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 +exit /b 1 + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/prebuild/restrictionbypass.aar b/prebuild/restrictionbypass.aar new file mode 100644 index 0000000..7bbc175 Binary files /dev/null and b/prebuild/restrictionbypass.aar differ diff --git a/restrictionbypass/.gitignore b/restrictionbypass/.gitignore new file mode 100644 index 0000000..796b96d --- /dev/null +++ b/restrictionbypass/.gitignore @@ -0,0 +1 @@ +/build diff --git a/restrictionbypass/CMakeLists.txt b/restrictionbypass/CMakeLists.txt new file mode 100644 index 0000000..7fffc81 --- /dev/null +++ b/restrictionbypass/CMakeLists.txt 
@@ -0,0 +1,48 @@ +# For more information about using CMake with Android Studio, read the +# documentation: https://d.android.com/studio/projects/add-native-code.html + +# Sets the minimum version of CMake required to build the native library. + +cmake_minimum_required(VERSION 3.4.1) + +# Creates and names a library, sets it as either STATIC +# or SHARED, and provides the relative paths to its source code. +# You can define multiple libraries, and CMake builds them for you. +# Gradle automatically packages shared libraries with your APK. + +add_library( # Sets the name of the library. + nrb + + # Sets the library as a shared library. + SHARED + + # Provides a relative path to your source file(s). + src/main/cpp/RestrictionBypass.cpp) + + +# Searches for a specified prebuilt library and stores the path as a +# variable. Because CMake includes system libraries in the search path by +# default, you only need to specify the name of the public NDK library +# you want to add. CMake verifies that the library exists before +# completing its build. + +find_library( # Sets the name of the path variable. + log-lib + + # Specifies the name of the NDK library that + # you want CMake to locate. + log) + +# Specifies libraries CMake should link to your target library. You +# can link multiple libraries, such as libraries you define in this +# build script, prebuilt third-party libraries, or system libraries. + + +target_link_libraries( # Specifies the target library. + nrb + # Links the target library to the log library + # included in the NDK. + ${log-lib}) + +target_include_directories(nrb PRIVATE + ) \ No newline at end of file diff --git a/restrictionbypass/build.gradle b/restrictionbypass/build.gradle new file mode 100644 index 0000000..8279aa0 --- /dev/null +++ b/restrictionbypass/build.gradle 
@@ -0,0 +1,46 @@
+apply plugin: 'com.android.library'
+
+android {
+ compileSdkVersion 29
+ buildToolsVersion "29.0.3"
+
+ defaultConfig {
+ minSdkVersion 19
+ targetSdkVersion 30
+ versionCode 1
+ versionName "1.0"
+
+ testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
+ consumerProguardFiles 'consumer-rules.pro'
+ externalNativeBuild {
+ cmake {
+ cppFlags "-std=c++14"
+ }
+ }
+ ndk {
+ abiFilters 'arm64-v8a', 'armeabi-v7a', 'x86', 'x86_64'
+ }
+ }
+
+ buildTypes {
+ release {
+ minifyEnabled false
+ proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
+ }
+ }
+ externalNativeBuild {
+ cmake {
+ path "CMakeLists.txt"
+ version "3.6.0"
+ }
+ }
+}
+
+dependencies {
+ implementation fileTree(dir: 'libs', include: ['*.jar'])
+
+ implementation 'androidx.appcompat:appcompat:1.1.0'
+ testImplementation 'junit:junit:4.12'
+ androidTestImplementation 'androidx.test.ext:junit:1.1.1'
+ androidTestImplementation 'androidx.test.espresso:espresso-core:3.2.0'
+}
diff --git a/restrictionbypass/consumer-rules.pro b/restrictionbypass/consumer-rules.pro
new file mode 100644
index 0000000..e69de29
diff --git a/restrictionbypass/proguard-rules.pro b/restrictionbypass/proguard-rules.pro
new file mode 100644
index 0000000..f1b4245
--- /dev/null
+++ b/restrictionbypass/proguard-rules.pro
@@ -0,0 +1,21 @@ +# Add project specific ProGuard rules here. +# You can control the set of applied configuration files using the +# proguardFiles setting in build.gradle. +# +# For more details, see +# http://developer.android.com/guide/developing/tools/proguard.html + +# If your project uses WebView with JS, uncomment the following +# and specify the fully qualified class name to the JavaScript interface +# class: +#-keepclassmembers class fqcn.of.javascript.interface.for.webview { +# public *; +#} + +# Uncomment this to preserve the line number information for +# debugging stack traces. +#-keepattributes SourceFile,LineNumberTable + +# If you keep the line number information, uncomment this to +# hide the original source file name. +#-renamesourcefileattribute SourceFile diff --git a/restrictionbypass/src/androidTest/java/org/chickenhook/restrictionbypass/RestrictionBypassTest.java b/restrictionbypass/src/androidTest/java/org/chickenhook/restrictionbypass/RestrictionBypassTest.java new file mode 100644 index 0000000..dfa2d11 --- /dev/null +++ b/restrictionbypass/src/androidTest/java/org/chickenhook/restrictionbypass/RestrictionBypassTest.java 
@@ -0,0 +1,62 @@
+package org.chickenhook.restrictionbypass;
+
+import org.junit.Test;
+
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+
+import static junit.framework.TestCase.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertSame;
+
+public class RestrictionBypassTest {
+
+ Object testField1 = new Object();
+ Object testField2 = null;
+
+ Object getTestField1() {
+ return testField1;
+ }
+
+ public int add(int a, int b) {
+ return a + b;
+ }
+
+ @Test
+ public void getDeclaredMethod() throws Exception {
+ Method m = RestrictionBypass.getDeclaredMethod(this.getClass(), "getTestField1");
+ assertSame(testField1, m.invoke(this));
+ }
+
+ @Test
+ public void getDeclaredMethodAdd() throws Exception {
+ Method m = RestrictionBypass.getDeclaredMethod(this.getClass(), "add", int.class, int.class);
+ assertSame(5, m.invoke(this, 1,4));
+ }
+
+
+ @Test
+ public void getMethod() throws Exception {
+ Method m = RestrictionBypass.getMethod(this.getClass(), "getTestField1");
+ assertNull(m);
+ }
+ @Test
+ public void getMethodAdd() throws Exception {
+ Method m = RestrictionBypass.getMethod(this.getClass(), "add", int.class, int.class);
+ assertSame(5, m.invoke(this, 1,4));
+ }
+ @Test
+ public void getDeclaredField() throws NoSuchMethodException, IllegalAccessException, InvocationTargetException {
+ Field f = RestrictionBypass.getDeclaredField(this.getClass(), "testField1");
+ assertNotNull(f);
+ assertSame(f.get(this), testField1);
+ }
+
+ @Test
+ public void getDeclaredNullField() throws NoSuchMethodException, IllegalAccessException, InvocationTargetException {
+ Field f = RestrictionBypass.getDeclaredField(this.getClass(), "testField2");
+ assertNotNull(f);
+ assertSame(f.get(this), testField2);
+ }
+}
\ No newline at end of file
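Review bot: `assertSame(5, m.invoke(this, 1,4))` in `getDeclaredMethodAdd` and `getMethodAdd` compares two boxed `Integer` references and passes only because small values come from the Integer cache; the check should be `assertEquals(5, m.invoke(this, 1, 4));` with `org.junit.Assert.assertEquals` imported. The `getMethod` test pins a `null` result for the non-public `getTestField1`, whereas `Class.getMethod` would throw `NoSuchMethodException`, so a caller who swaps in the wrapper as the README shows gets a silent null instead of an exception; that contract should be stated in the test, e.g. `// wrapper returns null where Class.getMethod would throw NoSuchMethodException`. In both field tests the arguments are in (actual, expected) order, `assertSame(testField1, f.get(this));` would make failure messages read correctly.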
diff --git a/restrictionbypass/src/main/AndroidManifest.xml b/restrictionbypass/src/main/AndroidManifest.xml new file mode 100644 index 0000000..a6d5e22 --- /dev/null +++ b/restrictionbypass/src/main/AndroidManifest.xml @@ -0,0 +1,2 @@ + diff --git a/restrictionbypass/src/main/cpp/RestrictionBypass.cpp b/restrictionbypass/src/main/cpp/RestrictionBypass.cpp new file mode 100644 index 0000000..b6b8374 --- /dev/null +++ b/restrictionbypass/src/main/cpp/RestrictionBypass.cpp 
@@ -0,0 +1,246 @@
+#include
+#include
+#include
+#include
+
+/////////////////// HELPERS
+JavaVM *_vm;
+
+JNIEnv *attachCurrentThread() {
+ JNIEnv *env;
+
+ int res = _vm->AttachCurrentThread(&env, nullptr);
+ __android_log_print(ANDROID_LOG_DEBUG, "native", "Found attached %d", res);
+ return env;
+}
+
+void detachCurrentThread() {
+ _vm->DetachCurrentThread();
+}
+
+void printClassName(jobject obj, JNIEnv *env) {
+ jclass cls = env->GetObjectClass(obj);
+
+// First get the class object
+ jmethodID mid = env->GetMethodID(cls, "getClass", "()Ljava/lang/Class;");
+ jobject clsObj = env->CallObjectMethod(obj, mid);
+
+// Now get the class object's class descriptor
+ cls = env->GetObjectClass(clsObj);
+
+// Find the getName() method on the class object
+ mid = env->GetMethodID(cls, "getName", "()Ljava/lang/String;");
+
+// Call the getName() to get a jstring object back
+ jstring strObj = (jstring) env->CallObjectMethod(clsObj, mid);
+
+// Now get the c string from the java jstring object
+ const char *str = env->GetStringUTFChars(strObj, NULL);
+
+// Print the class name
+ __android_log_print(ANDROID_LOG_DEBUG, "native", "Calling class is: %s\n", str);
+// Release the memory pinned char array
+ env->ReleaseStringUTFChars(strObj, str);
+}
+///////////////////////////////////////////////////////////////////////
+///////////////////////////// THE EXPLOIT /////////////////////////////
+///////////////////////////////////////////////////////////////////////
+
+/////////////// GET DECLARED METHOD ///////////////
+static jobject getDeclaredMethod_internal(
+ jobject clazz,
+ jstring method_name,
+ jobjectArray params) {
+ JNIEnv *env = attachCurrentThread();
+ printClassName(clazz, env);
+ jclass clazz_class = env->GetObjectClass(clazz);
+ jmethodID get_declared_method_id = env->GetMethodID(clazz_class, "getDeclaredMethod",
+ "(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;");
+
+ jobject res = env->CallObjectMethod(clazz, get_declared_method_id,
method_name, params);
+ if (env->ExceptionCheck()) {
+ env->ExceptionDescribe();
+ env->ExceptionClear();
+ }
+ jobject global_res = nullptr;
+ if (res != nullptr) {
+ global_res = env->NewGlobalRef(res);
+ }
+ detachCurrentThread();
+ return global_res;
+}
+
+static jobject Java_getDeclaredMethod(
+ JNIEnv *env,
+ jclass interface,
+ jobject clazz,
+ jstring method_name,
+ jobjectArray params) {
+ auto global_clazz = env->NewGlobalRef(clazz);
+ jstring global_method_name = (jstring) env->NewGlobalRef(method_name);
+ int arg_length = env->GetArrayLength(params);
+ jobjectArray global_params = nullptr;
+ if (params != nullptr) {
+ for (int i = 0; i < arg_length; i++) {
+ jobject element = (jobject) env->GetObjectArrayElement(params, i);
+ jobject global_element = env->NewGlobalRef(element);
+ env->SetObjectArrayElement(params, i, global_element);
+ }
+ global_params = (jobjectArray) env->NewGlobalRef(params);
+ }
+
+ auto future = std::async(&getDeclaredMethod_internal, global_clazz,
+ global_method_name,
+ global_params);
+ auto result = future.get();
+ if (env->ExceptionCheck()) {
+ env->ExceptionDescribe();
+ env->ExceptionClear();
+ }
+ return result;
+}
+
+/////////////// GET METHOD ///////////////
+static jobject getMethod_internal(
+ jobject clazz,
+ jstring method_name,
+ jobjectArray params) {
+ JNIEnv *env = attachCurrentThread();
+ printClassName(clazz, env);
+ jclass clazz_class = env->GetObjectClass(clazz);
+ jmethodID get_declared_method_id = env->GetMethodID(clazz_class, "getMethod",
+ "(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;");
+ jobject res = env->CallObjectMethod(clazz, get_declared_method_id,
+ method_name, params);
+ if (env->ExceptionCheck()) {
+ env->ExceptionDescribe();
+ env->ExceptionClear();
+ }
+ jobject global_res = nullptr;
+ if (res != nullptr) {
+ global_res = env->NewGlobalRef(res);
+ }
+
+ detachCurrentThread();
+ return global_res;
+}
+
+static jobject Java_getMethod(
+ JNIEnv *env,
+ jclass interface,
+
jobject clazz,
+ jstring method_name,
+ jobjectArray params) {
+ auto global_clazz = env->NewGlobalRef(clazz);
+ jstring global_method_name = (jstring) env->NewGlobalRef(method_name);
+ int arg_length = env->GetArrayLength(params);
+ jobjectArray global_params = nullptr;
+ if (params != nullptr) {
+ for (int i = 0; i < arg_length; i++) {
+ jobject element = (jobject) env->GetObjectArrayElement(params, i);
+ jobject global_element = env->NewGlobalRef(element);
+ env->SetObjectArrayElement(params, i, global_element);
+ }
+ global_params = (jobjectArray) env->NewGlobalRef(params);
+ }
+ auto future = std::async(&getMethod_internal, global_clazz,
+ global_method_name,
+ global_params);
+ auto result = future.get();
+ if (env->ExceptionCheck()) {
+ env->ExceptionDescribe();
+ env->ExceptionClear();
+ }
+ return result;
+}
+
+/////////////// GET DECLARED FIELD ///////////////
+static jobject getDeclaredField_internal(
+ jobject object,
+ jstring field_name) {
+
+ JNIEnv *env = attachCurrentThread();
+
+
+ printClassName(object, env);
+ jclass clazz_class = env->GetObjectClass(object);
+ jmethodID methodId = env->GetMethodID(clazz_class, "getDeclaredField",
+ "(Ljava/lang/String;)Ljava/lang/reflect/Field;");
+ jobject res = env->CallObjectMethod(object, methodId, field_name);
+ if (env->ExceptionCheck()) {
+ env->ExceptionDescribe();
+ env->ExceptionClear();
+ }
+ jobject global_res = nullptr;
+ if (res != nullptr) {
+ global_res = env->NewGlobalRef(res);
+ }
+
+ detachCurrentThread();
+ return global_res;
+}
+
+static jobject Java_getDeclaredField(
+ JNIEnv *env,
+ jclass interface,
+ jobject object,
+ jstring field_name) {
+ auto global_object = env->NewGlobalRef(object);
+ jstring global_field_name = (jstring) env->NewGlobalRef(field_name);
+ auto future = std::async(&getDeclaredField_internal, global_object,
+ global_field_name);
+ auto result = future.get();
+ if (env->ExceptionCheck()) {
+ env->ExceptionDescribe();
+ env->ExceptionClear();
+ }
+ return result;
+}
+
+
+
+
+////////// JNI STUFF
+
+
+static const JNINativeMethod gMethods[] = {
+ {"getDeclaredMethod", "(Ljava/lang/Object;Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;", (void *) Java_getDeclaredMethod},
+ {"getMethod", "(Ljava/lang/Object;Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;", (void *) Java_getMethod},
+ {"getDeclaredField", "(Ljava/lang/Object;Ljava/lang/String;)Ljava/lang/reflect/Field;", (void *) Java_getDeclaredField},
+};
+static const char *classPathName = "org/chickenhook/restrictionbypass/NativeReflectionBypass";
+
+static int registerNativeMethods(JNIEnv *env, const char *className,
+ JNINativeMethod *gMethods, int numMethods) {
+ jclass clazz;
+ clazz = env->FindClass(className);
+ if (clazz == nullptr) {
+ __android_log_print(ANDROID_LOG_DEBUG, "registerNativeMethods",
+ "Native registration unable to find class '%s'", className);
+ return JNI_FALSE;
+ }
+ if (env->RegisterNatives(clazz, gMethods, numMethods) < 0) {
+ __android_log_print(ANDROID_LOG_DEBUG, "registerNativeMethods",
+ "Native registration unable to register natives...");
+ return JNI_FALSE;
+ }
+ return JNI_TRUE;
+}
+
+jint JNI_OnLoad(JavaVM *vm, void * /*reserved*/) {
+ _vm = vm;
+ JNIEnv *env = nullptr;
+ if (vm->GetEnv((void **) (&env), JNI_VERSION_1_4) != JNI_OK) {
+ return -1;
+ }
+
+
+ if (!registerNativeMethods(env, classPathName,
+ (JNINativeMethod *) gMethods,
+ sizeof(gMethods) / sizeof(gMethods[0]))) {
+ return -1;
+ }
+
+ return JNI_VERSION_1_4;
+}
\ No newline at end of file
diff --git a/restrictionbypass/src/main/java/org/chickenhook/restrictionbypass/NativeReflectionBypass.java b/restrictionbypass/src/main/java/org/chickenhook/restrictionbypass/NativeReflectionBypass.java
new file mode 100644
index 0000000..808e539
--- /dev/null
+++ b/restrictionbypass/src/main/java/org/chickenhook/restrictionbypass/NativeReflectionBypass.java
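Review bot: `env->GetArrayLength(params)` in Java_getDeclaredMethod and Java_getMethod runs before the `params != nullptr` check, so a null parameter array reaches JNI before the guard can help. Each call also creates global references (receiver, name, every array element, the array, and the returned Method or Field) that are never deleted, and the element loop writes back into the caller's array; these accumulate for the life of the process and may eventually exhaust the runtime's global-reference table. One global reference on the array is enough to keep its elements reachable on the worker thread. `std::async` without `std::launch::async` is allowed to run deferred on the calling thread, where the attach/detach pair in the `_internal` helper would detach a Java thread. The same cleanup applies to Java_getMethod and Java_getDeclaredField; a sketch for the first entry point follows.

```cpp
static jobject Java_getDeclaredMethod(
        JNIEnv *env, jclass interface, jobject clazz, jstring method_name, jobjectArray params) {
    jobject global_clazz = env->NewGlobalRef(clazz);
    jstring global_method_name = (jstring) env->NewGlobalRef(method_name);
    // One global ref on the array keeps its elements reachable; no per-element refs needed.
    jobjectArray global_params =
            params != nullptr ? (jobjectArray) env->NewGlobalRef(params) : nullptr;

    // Force a separate thread so the helper's attach/detach never touches this thread.
    auto future = std::async(std::launch::async, &getDeclaredMethod_internal,
                             global_clazz, global_method_name, global_params);
    jobject global_result = future.get();

    // Return a local ref and release everything created for this call.
    jobject result = nullptr;
    if (global_result != nullptr) {
        result = env->NewLocalRef(global_result);
        env->DeleteGlobalRef(global_result);
    }
    if (global_params != nullptr) env->DeleteGlobalRef(global_params);
    env->DeleteGlobalRef(global_method_name);
    env->DeleteGlobalRef(global_clazz);
    // … unchanged: ExceptionCheck / ExceptionDescribe / ExceptionClear …
    return result;
}
```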
@@ -0,0 +1,15 @@
+package org.chickenhook.restrictionbypass;
+
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+
+class NativeReflectionBypass {
+
+ public static native Method getDeclaredMethod(Object recv, String name, Class[] parameterTypes);
+ public static native Method getMethod(Object recv, String name, Class[] parameterTypes);
+ public static native Field getDeclaredField(Object recv, String name);
+
+ static {
+ System.loadLibrary("nrb");
+ }
+}
diff --git a/restrictionbypass/src/main/java/org/chickenhook/restrictionbypass/RestrictionBypass.java b/restrictionbypass/src/main/java/org/chickenhook/restrictionbypass/RestrictionBypass.java
new file mode 100644
index 0000000..bb580cc
--- /dev/null
+++ b/restrictionbypass/src/main/java/org/chickenhook/restrictionbypass/RestrictionBypass.java
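Review bot: The three native declarations say nothing about how a failed lookup is reported, while the native side in RestrictionBypass.cpp (this commit) describes and clears any pending exception and returns null. A class comment such as `/** JNI entry points; each lookup returns null when the member cannot be resolved, the exception is only logged natively. */` would tell callers to null-check the result. `Class[] parameterTypes` is a raw type; `Class<?>[]` keeps the same JNI descriptor. The static initializer's `System.loadLibrary("nrb")` throws UnsatisfiedLinkError on first use when the library is not packaged, which deserves a line in the same comment.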
@@ -0,0 +1,43 @@
+package org.chickenhook.restrictionbypass;
+
+import android.os.Build;
+
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+
+public class RestrictionBypass {
+ public static Method getDeclaredMethod(Object clazz, String name, Class... args) throws NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+ if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
+ return NativeReflectionBypass.getDeclaredMethod(clazz, name, args);
+ } else {
+ Method getDeclaredMethod = Class.class.getMethod(
+ "getDeclaredMethod",
+ String.class, Class[].class
+ );
+ return (Method) getDeclaredMethod.invoke(clazz, name, args);
+ }
+ }
+
+ public static Method getMethod(Object clazz, String name, Class... args) throws NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+ if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
+ return NativeReflectionBypass.getMethod(clazz, name, args);
+ } else {
+ Method getDeclaredMethod = Class.class.getMethod(
+ "getMethod",
+ String.class, Class[].class
+ );
+ return (Method) getDeclaredMethod.invoke(clazz, name, args);
+ }
+ }
+
+
+ public static Field getDeclaredField(Class obj, String name) throws NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+ if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
+ return NativeReflectionBypass.getDeclaredField(obj, name);
+ } else {
+ Method getDeclaredField = Class.class.getMethod("getDeclaredField", String.class);
+ return (Field) getDeclaredField.invoke(obj, name);
+ }
+ }
+}
diff --git a/restrictionbypass/src/test/java/org/chickenhook/restrictionbypass/ExampleUnitTest.java b/restrictionbypass/src/test/java/org/chickenhook/restrictionbypass/ExampleUnitTest.java
new file mode 100644
index 0000000..7386d6b
--- /dev/null
+++ b/restrictionbypass/src/test/java/org/chickenhook/restrictionbypass/ExampleUnitTest.java
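Review bot: `getDeclaredMethod` and `getMethod` accept `Object clazz`, so a receiver that is not a `Class` compiles and fails only at run time: with IllegalArgumentException from `invoke` on the reflective branch, and on the native branch inside JNI, where the C++ in this commit does not appear to check the `GetMethodID` result before calling through it. Declaring the parameters as `Class<?> clazz, String name, Class<?>... args`, in line with `getDeclaredField`, which already takes a `Class`, moves that mistake to compile time and removes the raw types. In `getMethod` the local is named `getDeclaredMethod` although it holds `Class.getMethod`; `Method getMethod = Class.class.getMethod("getMethod", String.class, Class[].class);` reads correctly.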
@@ -0,0 +1,17 @@
+package org.chickenhook.restrictionbypass;
+
+import org.junit.Test;
+
+import static org.junit.Assert.*;
+
+/**
+ * Example local unit test, which will execute on the development machine (host).
+ *
+ * @see Testing documentation
+ */
+public class ExampleUnitTest {
+ @Test
+ public void addition_isCorrect() {
+ assertEquals(4, 2 + 2);
+ }
+}
\ No newline at end of file
diff --git a/settings.gradle b/settings.gradle
new file mode 100644
index 0000000..20c8e78
--- /dev/null
+++ b/settings.gradle
@@ -0,0 +1,3 @@
+rootProject.name='RestrictionBypass'
+include ':app'
+include ':restrictionbypass'