
Anyone got a patch for MasterKey?

Discussion in 'Archived Threads' started by JerryScript, Jul 17, 2013.

  1. JerryScript

    JerryScript Android Expert
    Thread Starter

    I'm currently telling my users to use ReKey from the market to patch the MasterKey vulnerability. I'm looking for a way to patch it in my current ROM for the Galaxy Victory, but I'm building with the Kitchens right now, not from source (haven't got device files configured properly to build from source yet). Anyone know of a way to patch core.jar with a kitchen?



  2. Mobstergunz

    Mobstergunz Android Expert

    I'm not sure what patch this is but you can decompile a deodexed jar file and modify it with apktool. If you need help pm me.
  3. dsmryder

    dsmryder Android Expert

    I only know how to do it from source. Did you decompile it yet? If so, could you upload the .smali? I think it might not be able to be done unless you could program in smali.

    https://github.com/CyanogenMod/android_libcore/commit/c52671a647d3efa7ebbb19d1fc55b5b4a4c78876 this is the commit for CM7 if you want to look.
  4. JerryScript

    JerryScript Android Expert
    Thread Starter

    Thanks, I'll decompile core.jar and upload the files. I'm not too good with smali, prefer building from source and my efforts to port Lidroid via smali edits has been an experiment in frustration, so I appreciate the offer of help!

    I had to rescind my recommendation on ReKey. I had continuous issues with connecting to WiFi and 3G after installing it. Uninstalling I still had issues, so I restored the backup I made just before installing it, and all is well. Not sure what ReKey is doing (I should pull a logcat, but meh).

    I looked at the CM commit, not sure if it can be done with smali either. I thought I had read that Master Key had to do with not checking for an unsigned value on a short, perhaps that was the vulnerability they found in Asia about the same time? Or perhaps I need to stop reading articles while waiting for compilation to complete at 3:45am! ;)
  5. JerryScript

    JerryScript Android Expert
    Thread Starter

    Here's the core.java smali, I included the frameworks and associated jar files in case you wanted to mess with it on your box. Looks like the relevant area starts around line 540. I can see how easily you could change a lot of parameters, but I'm not sure how you would add a conditional statement in smali. Appreciate any pointers you can offer.

    Here's the zip containing the original core.jar and its decompiled smali files, and frameworks:

    The zip is 36.6Mb, so here's the pastebin of just core.java.util.zip.ZipFile.smali if you don't want to download the zip:
    core.java.util.zip.ZipFile.smali - Pastebin.com
  6. dsmryder

    dsmryder Android Expert

    Ok, I think the way to handle this would be to look at what changes were made by decompiling an updated ZipFile.smali and fudging in the code. That's because I don't think smali is meant to be read :eek:.

    I've updated the CM7 ROM for the MT, so if you beat me to the punch. I haven't even spent a full hour on coding as my shop foreman has been out and I have been working extra hours. I hope to play this weekend :rolleyes:. We'll see.
  7. JerryScript

    JerryScript Android Expert
    Thread Starter

    Good idea, I'll check out your updated ZipFile and see what it would take to merge with mine via smali. Gonna be a lot of Ctrl+F involved ;)
  8. dsmryder

    dsmryder Android Expert

    I tried looking, but I don't know what I'm looking at. I see that you added in some extra parts. Is that needed to decompile the core.jar properly? Also (as I'm going to bed), where is the ZipFile.smali? I glanced for it, but it didn't come up in my search of core.jar.out.

    I'm using Mobstergunz's apktool linked set. I saw that you should add in the frameworks, but really?
  9. JerryScript

    JerryScript Android Expert
    Thread Starter

    It should be in /core.jar.out/smali/java/util/zip/ZipFile.smali

    I wasn't sure if I needed the dependencies, so I added extras just in case. As I said, I'm not really familiar with smali; I primarily use apktool to change res.

    BTW- I did post the ZipFile.smali to pastebin (see link above) just in case. ;)
  10. dsmryder

    dsmryder Android Expert

    Ok, ok ok. There are a bunch of differences between your ZipFile and mine from CM7. The one I used was way old as I had it on the Windows rig. I'm going to grab the two recent CM7 builds and work my way to the files. I think that Beyond Compare will make this damn near easy. I just downloaded it and it's going to save a ton of time on things like this.

    I'll post what I find in a couple of hours.
    There were a bunch of differences in the two CM7's. I'm going to rebuild the part without the security fix and see how it comes out.
  11. JerryScript

    JerryScript Android Expert
    Thread Starter

    What I posted is from stock goghvmu Samsung Galaxy Victory Virgin Mobile's firmware.
  12. dsmryder

    dsmryder Android Expert

    Ha! I watched a movie and went to bed. I haven't been on the computer since. What I meant was I was going to make the changes to the one version of the file so I can have the least number of variables possible. I think that some of the compiling/decompiling process assigns names to the variables so that I can't make a direct comparison. I think that if I just have the file with the fix as the only difference I'll be able to work my way through it.


    You didn't want to get this done quickly, did you?
  13. dsmryder

    dsmryder Android Expert

    OK, I think I have it on our CM7 end.
    Code (Text):
        # CM7 ZipFile.readCentralDir() before the fix (excerpt)
        .locals 22
        move-object/from16 v18, v0
        invoke-virtual/range {v18 .. v18}, Ljava/io/RandomAccessFile;->length()J
        move-result-wide v18
        const-wide/16 v20, 0x16
        sub-long v13, v18, v20
        .local v13, scanOffset:J
        const-wide/16 v18, 0x0
        cmp-long v18, v13, v18
        if-gez v18, :cond_0
        new-instance v18, Ljava/util/zip/ZipException;
        const-string v19, "too short to be Zip"
        invoke-direct/range {v18 .. v19}, Ljava/util/zip/ZipException;-><init>(Ljava/lang/String;)V
        throw v18
        const-wide/32 v18, 0x10000
        sub-long v15, v13, v18
        .local v15, stopOffset:J
        const-wide/16 v18, 0x0
        cmp-long v18, v15, v18
        if-gez v18, :cond_1
        const-wide/16 v15, 0x0
        move-object/from16 v18, v0
        move-object/from16 v0, v18
        move-wide v1, v13
        move-object/from16 v18, v0
        # scan backwards for the EOCD signature 0x06054b50
        invoke-static/range {v18 .. v18}, Ljava/util/zip/ZipEntry;->readIntLE(Ljava/io/RandomAccessFile;)J
        move-result-wide v18
        const-wide/32 v20, 0x6054b50
        cmp-long v18, v18, v20
        if-nez v18, :cond_3
        new-instance v12, Ljava/util/zip/ZipFile$RAFStream;
        move-object/from16 v18, v0
        move-object/from16 v19, v0
        invoke-virtual/range {v19 .. v19}, Ljava/io/RandomAccessFile;->getFilePointer()J
        move-result-wide v19
        move-object v0, v12
        move-object/from16 v1, v18
        move-wide/from16 v2, v19
        .local v12, rafs:Ljava/util/zip/ZipFile$RAFStream;
        const/16 v18, 0x16
        move-object v1, v12
        move/from16 v2, v18
        move-object/from16 v18, v0
        move-object/from16 v0, v18
        move-object/from16 v18, v0
        move-object/from16 v0, v18
        move-object/from16 v18, v0
        move-object/from16 v0, v18
        move-result v11
        .local v11, numEntries:I
        move-object/from16 v18, v0
        move-object/from16 v0, v18
        move-result v17
        .local v17, totalNumEntries:I
        move-object/from16 v18, v0
        move-object/from16 v0, v18
        move-object/from16 v18, v0
        move-object/from16 v0, v18
        move-object/from16 v18, v0
        move-object/from16 v0, v18
        move v0, v11
        move/from16 v1, v17
        new-instance v18, Ljava/util/zip/ZipException;
        const-string v19, "spanned archives not supported"
        invoke-direct/range {v18 .. v19}, Ljava/util/zip/ZipException;-><init>(Ljava/lang/String;)V
        throw v18
        .end local v11           #numEntries:I
        .end local v12           #rafs:Ljava/util/zip/ZipFile$RAFStream;
        .end local v17           #totalNumEntries:I
        const-wide/16 v18, 0x1
        sub-long v13, v13, v18
        cmp-long v18, v13, v15
        if-gez v18, :cond_1
        new-instance v18, Ljava/util/zip/ZipException;
        const-string v19, "EOCD not found; not a Zip archive?"
        invoke-direct/range {v18 .. v19}, Ljava/util/zip/ZipException;-><init>(Ljava/lang/String;)V
        throw v18
        .restart local v11       #numEntries:I
        .restart local v12       #rafs:Ljava/util/zip/ZipFile$RAFStream;
        .restart local v17       #totalNumEntries:I
        new-instance v12, Ljava/util/zip/ZipFile$RAFStream;
        .end local v12           #rafs:Ljava/util/zip/ZipFile$RAFStream;
        move-object/from16 v18, v0
        move-object v0, v12
        move-object/from16 v1, v18
        .restart local v12       #rafs:Ljava/util/zip/ZipFile$RAFStream;
        const/16 v18, 0x1000
        move-object v1, v12
        move/from16 v2, v18
        const/4 v9, 0x0
        .local v9, i:I
        # central directory loop: one ZipEntry per header, name -> entry in the LinkedHashMap
        if-ge v9, v11, :cond_5
        new-instance v10, Ljava/util/zip/ZipEntry;
        move-object/from16 v18, v0
        move-object v0, v10
        move-object/from16 v1, v18
        .local v10, newEntry:Ljava/util/zip/ZipEntry;
        move-object/from16 v18, v0
        invoke-virtual {v10}, Ljava/util/zip/ZipEntry;->getName()Ljava/lang/String;
        move-object/from16 v0, v18
        move-object/from16 v1, v19
        move-object v2, v10
        # unpatched: the return value of put() is dropped, so a repeated name silently replaces the earlier entry
        invoke-virtual {v0, v1, v2}, Ljava/util/LinkedHashMap;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
        add-int/lit8 v9, v9, 0x1
        .line 383
        .end local v10           #newEntry:Ljava/util/zip/ZipEntry;
        :cond_5
    Code (Text):
        # CM7 ZipFile.readCentralDir() with the security fix (excerpt)
        .locals 23
        move-object/from16 v19, v0
        invoke-virtual/range {v19 .. v19}, Ljava/io/RandomAccessFile;->length()J
        move-result-wide v19
        const-wide/16 v21, 0x16
        sub-long v14, v19, v21
        .local v14, scanOffset:J
        const-wide/16 v19, 0x0
        cmp-long v19, v14, v19
        if-gez v19, :cond_0
        new-instance v19, Ljava/util/zip/ZipException;
        const-string v20, "too short to be Zip"
        invoke-direct/range {v19 .. v20}, Ljava/util/zip/ZipException;-><init>(Ljava/lang/String;)V
        throw v19
        const-wide/32 v19, 0x10000
        sub-long v16, v14, v19
        .local v16, stopOffset:J
        const-wide/16 v19, 0x0
        cmp-long v19, v16, v19
        if-gez v19, :cond_1
        const-wide/16 v16, 0x0
        move-object/from16 v19, v0
        move-object/from16 v0, v19
        move-wide v1, v14
        move-object/from16 v19, v0
        # scan backwards for the EOCD signature 0x06054b50
        invoke-static/range {v19 .. v19}, Ljava/util/zip/ZipEntry;->readIntLE(Ljava/io/RandomAccessFile;)J
        move-result-wide v19
        const-wide/32 v21, 0x6054b50
        cmp-long v19, v19, v21
        if-nez v19, :cond_3
        new-instance v13, Ljava/util/zip/ZipFile$RAFStream;
        move-object/from16 v19, v0
        move-object/from16 v20, v0
        invoke-virtual/range {v20 .. v20}, Ljava/io/RandomAccessFile;->getFilePointer()J
        move-result-wide v20
        move-object v0, v13
        move-object/from16 v1, v19
        move-wide/from16 v2, v20
        .local v13, rafs:Ljava/util/zip/ZipFile$RAFStream;
        const/16 v19, 0x16
        move-object v1, v13
        move/from16 v2, v19
        move-object/from16 v19, v0
        move-object/from16 v0, v19
        move-object/from16 v19, v0
        move-object/from16 v0, v19
        move-object/from16 v19, v0
        move-object/from16 v0, v19
        move-result v12
        .local v12, numEntries:I
        move-object/from16 v19, v0
        move-object/from16 v0, v19
        move-result v18
        .local v18, totalNumEntries:I
        move-object/from16 v19, v0
        move-object/from16 v0, v19
        move-object/from16 v19, v0
        move-object/from16 v0, v19
        move-object/from16 v19, v0
        move-object/from16 v0, v19
        move v0, v12
        move/from16 v1, v18
        new-instance v19, Ljava/util/zip/ZipException;
        const-string v20, "spanned archives not supported"
        invoke-direct/range {v19 .. v20}, Ljava/util/zip/ZipException;-><init>(Ljava/lang/String;)V
        throw v19
        .end local v12           #numEntries:I
        .end local v13           #rafs:Ljava/util/zip/ZipFile$RAFStream;
        .end local v18           #totalNumEntries:I
        const-wide/16 v19, 0x1
        sub-long v14, v14, v19
        cmp-long v19, v14, v16
        if-gez v19, :cond_1
        new-instance v19, Ljava/util/zip/ZipException;
        const-string v20, "EOCD not found; not a Zip archive?"
        invoke-direct/range {v19 .. v20}, Ljava/util/zip/ZipException;-><init>(Ljava/lang/String;)V
        throw v19
        .restart local v12       #numEntries:I
        .restart local v13       #rafs:Ljava/util/zip/ZipFile$RAFStream;
        .restart local v18       #totalNumEntries:I
        new-instance v13, Ljava/util/zip/ZipFile$RAFStream;
        .end local v13           #rafs:Ljava/util/zip/ZipFile$RAFStream;
        move-object/from16 v19, v0
        move-object v0, v13
        move-object/from16 v1, v19
        .restart local v13       #rafs:Ljava/util/zip/ZipFile$RAFStream;
        const/16 v19, 0x1000
        move-object v1, v13
        move/from16 v2, v19
        const/4 v10, 0x0
        .local v10, i:I
        # central directory loop, now keeping the entry name in v9
        if-ge v10, v12, :cond_6
        new-instance v11, Ljava/util/zip/ZipEntry;
        move-object/from16 v19, v0
        move-object v0, v11
        move-object/from16 v1, v19
        .local v11, newEntry:Ljava/util/zip/ZipEntry;
        invoke-virtual {v11}, Ljava/util/zip/ZipEntry;->getName()Ljava/lang/String;
        move-result-object v9
        .line 382
        .local v9, entryName:Ljava/lang/String;
        move-object/from16 v19, v0
        move-object/from16 v0, v19
        move-object v1, v9
        move-object v2, v11
        invoke-virtual {v0, v1, v2}, Ljava/util/LinkedHashMap;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
        # the fix: put() returns the previous mapping; non-null means the name was already in the archive
        if-eqz v19, :cond_5
        .line 383
        new-instance v19, Ljava/util/zip/ZipException;
        new-instance v20, Ljava/lang/StringBuilder;
        invoke-direct/range {v20 .. v20}, Ljava/lang/StringBuilder;-><init>()V
        const-string v21, "Duplicate entry name: "
        invoke-virtual/range {v20 .. v21}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
        move-result-object v20
        move-object/from16 v0, v20
        move-object v1, v9
        invoke-virtual {v0, v1}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
        move-result-object v20
        invoke-virtual/range {v20 .. v20}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
        move-result-object v20
        invoke-direct/range {v19 .. v20}, Ljava/util/zip/ZipException;-><init>(Ljava/lang/String;)V
        throw v19
        :cond_5
        add-int/lit8 v10, v10, 0x1
        .line 386
        .end local v9           #entryName:Ljava/lang/String;
        .end local v11           #newEntry:Ljava/util/zip/ZipEntry;
        :cond_6
    There are some differences around the files. According to Beyond Compare every line is different. It seems like mostly internal pointing. I think what you want is about two-thirds of the way down. I'm still looking at it, but I have to go to bed.

    Damn real life getting in the way.

    I hope this gives you an idea.
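
Editor's note, added example (not from this thread, and not CyanogenMod's or Samsung's code): the two smali dumps above are hard to read, so here is the same central-directory walk in Python, with the unpatched LinkedHashMap behaviour beside the patched one. It scans back for the EOCD signature (0x06054b50, 22-byte record, at most 64 KiB of trailing comment), refuses spanned archives, reads each central-directory header, and then either lets the later duplicate win (pre-fix) or throws "Duplicate entry name: ..." (post-fix). The test archives are constructed in memory with the standard zipfile module, which only warns when a name is repeated, so they have the same double-classes.dex layout a MasterKey APK carries. Function and constant names are this example's own.

```python
"""Added example: the patched libcore ZipFile central-directory checks in Python,
run against constructed archives (not code from the thread or from CM7)."""
import io
import struct
import warnings
import zipfile

EOCD_SIG = 0x06054B50   # "PK\x05\x06", end of central directory record
CDH_SIG = 0x02014B50    # "PK\x01\x02", central directory file header
EOCD_LEN = 22           # fixed part of the EOCD (the 0x16 in the smali)
MAX_COMMENT = 0x10000   # the EOCD may be preceded by up to 64 KiB of comment


class ZipException(Exception):
    """Stands in for java.util.zip.ZipException."""


def find_eocd(data: bytes) -> int:
    """Walk backwards from len-22 (at most 64 KiB) until the EOCD signature appears."""
    scan_offset = len(data) - EOCD_LEN
    if scan_offset < 0:
        raise ZipException("too short to be Zip")
    stop_offset = max(scan_offset - MAX_COMMENT, 0)
    while scan_offset >= stop_offset:
        if struct.unpack_from("<I", data, scan_offset)[0] == EOCD_SIG:
            return scan_offset
        scan_offset -= 1
    raise ZipException("EOCD not found; not a Zip archive?")


def read_central_directory(data: bytes) -> list:
    """Return [(name, local_header_offset), ...] in directory order, duplicates included."""
    eocd = find_eocd(data)
    (disk, cd_disk, num_entries, total_entries,
     _cd_size, cd_offset) = struct.unpack_from("<HHHHII", data, eocd + 4)
    if num_entries != total_entries or disk != 0 or cd_disk != 0:
        raise ZipException("spanned archives not supported")
    entries = []
    pos = cd_offset
    for _ in range(num_entries):
        if struct.unpack_from("<I", data, pos)[0] != CDH_SIG:
            raise ZipException("central directory header signature missing")
        # 46-byte fixed header: the three length fields sit at +28, the local header offset at +42
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_offset = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append((name, local_offset))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def unpatched_entry_table(data: bytes) -> dict:
    """Pre-fix behaviour: LinkedHashMap.put() silently lets the later duplicate win."""
    table = {}
    for name, local_offset in read_central_directory(data):
        table[name] = local_offset
    return table


def patched_entry_table(data: bytes) -> dict:
    """Post-fix behaviour: the first repeated name aborts opening the archive."""
    table = {}
    for name, local_offset in read_central_directory(data):
        if name in table:
            raise ZipException("Duplicate entry name: " + name)
        table[name] = local_offset
    return table


def rejection_reason(data: bytes):
    """None when the archive passes the patched checks, else the exception text."""
    try:
        patched_entry_table(data)
    except ZipException as exc:
        return str(exc)
    return None


def build_zip(entries) -> bytes:
    """Constructed test archive; zipfile only warns on a repeated name, so this
    yields the same double-entry layout a MasterKey APK uses."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, payload in entries:
                zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample archives (hypothetical contents, not real APK bytes).
BENIGN_APK = build_zip([("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
                        ("classes.dex", b"signed dex bytes")])
MASTERKEY_APK = build_zip([("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
                           ("classes.dex", b"signed dex bytes"),
                           ("classes.dex", b"unsigned replacement dex")])

if __name__ == "__main__":
    print("unpatched table:", unpatched_entry_table(MASTERKEY_APK))
    print("patched verdict:", rejection_reason(MASTERKEY_APK))
```

Run it and the unpatched table resolves classes.dex to the third entry's offset (the second copy), while the patched walk stops with the "Duplicate entry name" exception before any entry table is built; that is the whole difference between the two smali dumps.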
