
Anyone got a patch for MasterKey?

Status
Not open for further replies.

JerryScript

Android Expert
I'm currently telling my users to use ReKey from the market to patch the MasterKey vulnerability. I'm looking for a way to patch it in my current ROM for the Galaxy Victory, but I'm building with the Kitchens right now, not from source (haven't got device files configured properly to build from source yet). Anyone know of a way to patch core.jar with a kitchen?

I only know how to do it from source. Did you decompile it yet? If so, could you upload the .smali? I think it might not be able to be done unless you could program in smali.

https://github.com/CyanogenMod/android_libcore/commit/c52671a647d3efa7ebbb19d1fc55b5b4a4c78876 this is the commit for CM7 if you want to look.
 
Thanks, I'll decompile core.jar and upload the files. I'm not too good with smali, prefer building from source, and my efforts to port Lidroid via smali edits have been an experiment in frustration, so I appreciate the offer of help!

I had to rescind my recommendation on ReKey. I had continuous issues with connecting to WiFi and 3G after installing it. Uninstalling I still had issues, so I restored the backup I made just before installing it, and all is well. Not sure what ReKey is doing (I should pull a logcat, but meh).

I looked at the CM commit, not sure if it can be done with smali either. I thought I had read that Master Key had to do with not checking for an unsigned value on a short, perhaps that was the vulnerability they found in Asia about the same time? Or perhaps I need to stop reading articles while waiting for compilation to complete at 3:45am! ;)
 
Here's the core.java smali, I included the frameworks and associated jar files in case you wanted to mess with it on your box. Looks like the relevant area starts around line 540. I can see how easily you could change a lot of parameters, but I'm not sure how you would add a conditional statement in smali. Appreciate any pointers you can offer.

Here's the zip containing the original core.jar and its decompiled smali files, and frameworks:
core.jar.smali.zip

The zip is 36.6Mb, so here's the pastebin of just core.java.util.zip.ZipFile.smali if you don't want to download the zip:
core.java.util.zip.ZipFile.smali - Pastebin.com

Ok, I think the way to handle this would be to look at what changes were made by decompiling an updated ZipFile.smali and fudging in the code. That's because I don't think smali is meant to be read. :o

I've updated the CM7 ROM for the MT, so if you beat me to the punch. I haven't even spent a full hour on coding as my shop foreman has been out and I have been working extra hours. I hope to play this weekend. :rolleyes: We'll see.

Good idea, I'll check out your updated ZipFile and see what it would take to merge with mine via smali. Gonna be a lot of ctrl+f involved ;)
 
I tried looking, but I don't know what I'm looking at. I see that you added in some extra parts. Is that needed to decompile the core.jar properly? Also (as I'm going to bed) where is the ZipFile.smali? I glanced for it, but it didn't come up in my search of core.jar.out.

I'm using Mobstergunz's apktool linked set. I saw that you should add in the frameworks, but really?

It should be in /core.jar.out/smali/java/util/zip/ZipFile.smali

I wasn't sure if I needed the dependencies, so I added extras just in case. As I said, I'm not real familiar with smali; I primarily use apktool to change res.

BTW- I did post the ZipFile.smali to pastebin (see link above) just in case. ;)

Ok, ok ok. There are a bunch of differences between your ZipFile and mine from CM7. The one I used was way old as I had it on the Windows rig. I'm going to grab the two recent CM7 builds and work my way to the files. I think that Beyond Compare will make this damn near easy. I just downloaded it and it's going to save a ton of time on things like this.

I'll post what I find in a couple of hours.
There were a bunch of differences in the two CM7's. I'm going to rebuild the part without the security fix and see how it comes out.
 
What I posted is from stock goghvmu Samsung Galaxy Victory Virgin Mobile's firmware.

Ha! I watched a movie and went to bed. I haven't been on the computer since. What I meant was I was going to make the changes to the one version of the file so I can have the least number of variables possible. I think that some of the compiling/decompiling process assigns variable names to the variables so that I can't make a direct comparison. I think that if I just have the file with the fix as the only difference I'll be able to work my way through it.


Hollla

You didn't want to get this done quickly, did you?
 
OK, I think I have it on our CM7 end.
Code:
    .locals 22
    move-object/from16 v18, v0
    invoke-virtual/range {v18 .. v18}, Ljava/io/RandomAccessFile;->length()J
    move-result-wide v18
    const-wide/16 v20, 0x16
    sub-long v13, v18, v20
    .local v13, scanOffset:J
    const-wide/16 v18, 0x0
    cmp-long v18, v13, v18
    if-gez v18, :cond_0
    new-instance v18, Ljava/util/zip/ZipException;
    const-string v19, "too short to be Zip"
    invoke-direct/range {v18 .. v19}, Ljava/util/zip/ZipException;-><init>(Ljava/lang/String;)V
    throw v18
    const-wide/32 v18, 0x10000
    sub-long v15, v13, v18
    .local v15, stopOffset:J
    const-wide/16 v18, 0x0
    cmp-long v18, v15, v18
    if-gez v18, :cond_1
    const-wide/16 v15, 0x0
    move-object/from16 v18, v0
    move-object/from16 v0, v18
    move-wide v1, v13
    move-object/from16 v18, v0
    invoke-static/range {v18 .. v18}, Ljava/util/zip/ZipEntry;->readIntLE(Ljava/io/RandomAccessFile;)J
    move-result-wide v18
    const-wide/32 v20, 0x6054b50
    cmp-long v18, v18, v20
    if-nez v18, :cond_3
    new-instance v12, Ljava/util/zip/ZipFile$RAFStream;
    move-object/from16 v18, v0
    move-object/from16 v19, v0
    invoke-virtual/range {v19 .. v19}, Ljava/io/RandomAccessFile;->getFilePointer()J
    move-result-wide v19
    move-object v0, v12
    move-object/from16 v1, v18
    move-wide/from16 v2, v19
    .local v12, rafs:Ljava/util/zip/ZipFile$RAFStream;
    const/16 v18, 0x16
    move-object v1, v12
    move/from16 v2, v18
    move-object/from16 v18, v0
    move-object/from16 v0, v18
    move-object/from16 v18, v0
    move-object/from16 v0, v18
    move-object/from16 v18, v0
    move-object/from16 v0, v18
    move-result v11
    .local v11, numEntries:I
    move-object/from16 v18, v0
    move-object/from16 v0, v18
    move-result v17
    .local v17, totalNumEntries:I
    move-object/from16 v18, v0
    move-object/from16 v0, v18
    move-object/from16 v18, v0
    move-object/from16 v0, v18
    move-object/from16 v18, v0
    move-object/from16 v0, v18
    move v0, v11
    move/from16 v1, v17
    new-instance v18, Ljava/util/zip/ZipException;
    const-string v19, "spanned archives not supported"
    invoke-direct/range {v18 .. v19}, Ljava/util/zip/ZipException;-><init>(Ljava/lang/String;)V
    throw v18
    .end local v11           #numEntries:I
    .end local v12           #rafs:Ljava/util/zip/ZipFile$RAFStream;
    .end local v17           #totalNumEntries:I
    const-wide/16 v18, 0x1
    sub-long v13, v13, v18
    cmp-long v18, v13, v15
    if-gez v18, :cond_1
    new-instance v18, Ljava/util/zip/ZipException;
    const-string v19, "EOCD not found; not a Zip archive?"
    invoke-direct/range {v18 .. v19}, Ljava/util/zip/ZipException;-><init>(Ljava/lang/String;)V
    throw v18
    .restart local v11       #numEntries:I
    .restart local v12       #rafs:Ljava/util/zip/ZipFile$RAFStream;
    .restart local v17       #totalNumEntries:I
    new-instance v12, Ljava/util/zip/ZipFile$RAFStream;
    .end local v12           #rafs:Ljava/util/zip/ZipFile$RAFStream;
    move-object/from16 v18, v0
    move-object v0, v12
    move-object/from16 v1, v18
    .restart local v12       #rafs:Ljava/util/zip/ZipFile$RAFStream;
    const/16 v18, 0x1000
    move-object v1, v12
    move/from16 v2, v18
    const/4 v9, 0x0
    .local v9, i:I
    if-ge v9, v11, :cond_5
    new-instance v10, Ljava/util/zip/ZipEntry;
    move-object/from16 v18, v0
    move-object v0, v10
    move-object/from16 v1, v18
    .local v10, newEntry:Ljava/util/zip/ZipEntry;
    move-object/from16 v18, v0
    invoke-virtual {v10}, Ljava/util/zip/ZipEntry;->getName()Ljava/lang/String;
    move-object/from16 v0, v18
    move-object/from16 v1, v19
    move-object v2, v10
    invoke-virtual {v0, v1, v2}, Ljava/util/LinkedHashMap;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
    add-int/lit8 v9, v9, 0x1
    .line 383
    .end local v10           #newEntry:Ljava/util/zip/ZipEntry;
    :cond_5
Code:
    .locals 23
    move-object/from16 v19, v0
    invoke-virtual/range {v19 .. v19}, Ljava/io/RandomAccessFile;->length()J
    move-result-wide v19
    const-wide/16 v21, 0x16
    sub-long v14, v19, v21
    .local v14, scanOffset:J
    const-wide/16 v19, 0x0
    cmp-long v19, v14, v19
    if-gez v19, :cond_0
    new-instance v19, Ljava/util/zip/ZipException;
    const-string v20, "too short to be Zip"
    invoke-direct/range {v19 .. v20}, Ljava/util/zip/ZipException;-><init>(Ljava/lang/String;)V
    throw v19
    const-wide/32 v19, 0x10000
    sub-long v16, v14, v19
    .local v16, stopOffset:J
    const-wide/16 v19, 0x0
    cmp-long v19, v16, v19
    if-gez v19, :cond_1
    const-wide/16 v16, 0x0
    move-object/from16 v19, v0
    move-object/from16 v0, v19
    move-wide v1, v14
    move-object/from16 v19, v0
    invoke-static/range {v19 .. v19}, Ljava/util/zip/ZipEntry;->readIntLE(Ljava/io/RandomAccessFile;)J
    move-result-wide v19
    const-wide/32 v21, 0x6054b50
    cmp-long v19, v19, v21
    if-nez v19, :cond_3
    new-instance v13, Ljava/util/zip/ZipFile$RAFStream;
    move-object/from16 v19, v0
    move-object/from16 v20, v0
    invoke-virtual/range {v20 .. v20}, Ljava/io/RandomAccessFile;->getFilePointer()J
    move-result-wide v20
    move-object v0, v13
    move-object/from16 v1, v19
    move-wide/from16 v2, v20
    .local v13, rafs:Ljava/util/zip/ZipFile$RAFStream;
    const/16 v19, 0x16
    move-object v1, v13
    move/from16 v2, v19
    move-object/from16 v19, v0
    move-object/from16 v0, v19
    move-object/from16 v19, v0
    move-object/from16 v0, v19
    move-object/from16 v19, v0
    move-object/from16 v0, v19
    move-result v12
    .local v12, numEntries:I
    move-object/from16 v19, v0
    move-object/from16 v0, v19
    move-result v18
    .local v18, totalNumEntries:I
    move-object/from16 v19, v0
    move-object/from16 v0, v19
    move-object/from16 v19, v0
    move-object/from16 v0, v19
    move-object/from16 v19, v0
    move-object/from16 v0, v19
    move v0, v12
    move/from16 v1, v18
    new-instance v19, Ljava/util/zip/ZipException;
    const-string v20, "spanned archives not supported"
    invoke-direct/range {v19 .. v20}, Ljava/util/zip/ZipException;-><init>(Ljava/lang/String;)V
    throw v19
    .end local v12           #numEntries:I
    .end local v13           #rafs:Ljava/util/zip/ZipFile$RAFStream;
    .end local v18           #totalNumEntries:I
    const-wide/16 v19, 0x1
    sub-long v14, v14, v19
    cmp-long v19, v14, v16
    if-gez v19, :cond_1
    new-instance v19, Ljava/util/zip/ZipException;
    const-string v20, "EOCD not found; not a Zip archive?"
    invoke-direct/range {v19 .. v20}, Ljava/util/zip/ZipException;-><init>(Ljava/lang/String;)V
    throw v19
    .restart local v12       #numEntries:I
    .restart local v13       #rafs:Ljava/util/zip/ZipFile$RAFStream;
    .restart local v18       #totalNumEntries:I
    new-instance v13, Ljava/util/zip/ZipFile$RAFStream;
    .end local v13           #rafs:Ljava/util/zip/ZipFile$RAFStream;
    move-object/from16 v19, v0
    move-object v0, v13
    move-object/from16 v1, v19
    .restart local v13       #rafs:Ljava/util/zip/ZipFile$RAFStream;
    const/16 v19, 0x1000
    move-object v1, v13
    move/from16 v2, v19
    const/4 v10, 0x0
    .local v10, i:I
    if-ge v10, v12, :cond_6
    new-instance v11, Ljava/util/zip/ZipEntry;
    move-object/from16 v19, v0
    move-object v0, v11
    move-object/from16 v1, v19
    .local v11, newEntry:Ljava/util/zip/ZipEntry;
    invoke-virtual {v11}, Ljava/util/zip/ZipEntry;->getName()Ljava/lang/String;
    move-result-object v9
    .line 382
    .local v9, entryName:Ljava/lang/String;
    move-object/from16 v19, v0
    move-object/from16 v0, v19
    move-object v1, v9
    move-object v2, v11
    invoke-virtual {v0, v1, v2}, Ljava/util/LinkedHashMap;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
    if-eqz v19, :cond_5
    .line 383
    new-instance v19, Ljava/util/zip/ZipException;
    new-instance v20, Ljava/lang/StringBuilder;
    invoke-direct/range {v20 .. v20}, Ljava/lang/StringBuilder;-><init>()V
    const-string v21, "Duplicate entry name: "
    invoke-virtual/range {v20 .. v21}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
    move-result-object v20
    move-object/from16 v0, v20
    move-object v1, v9
    invoke-virtual {v0, v1}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
    move-result-object v20
    invoke-virtual/range {v20 .. v20}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
    move-result-object v20
    invoke-direct/range {v19 .. v20}, Ljava/util/zip/ZipException;-><init>(Ljava/lang/String;)V
    throw v19
    :cond_5
    add-int/lit8 v10, v10, 0x1
    .line 386
    .end local v9           #entryName:Ljava/lang/String;
    .end local v11           #newEntry:Ljava/util/zip/ZipEntry;
    :cond_6

There are some differences around the files. According to Beyond Compare every line is different. It seems like mostly internal pointing. I think what you want is about 2/3 of the way down. I'm still looking at it, but I have to go to bed.

Damn real life getting in the way.

I hope this gives you an idea.
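The second smali block above is the CM7 fix: after walking back from the end of the file to the EOCD record and reading the central directory, ZipFile now throws "Duplicate entry name: ..." when a second entry reuses a name, which is what MasterKey abused. As an added example that is not from the thread or from CyanogenMod, here is the same check re-implemented in Python over a constructed archive that contains classes.dex twice; the offsets and messages follow the smali, the function and sample names are mine.

```python
"""Added example: re-implementation of the duplicate-entry-name check from the
CM7 ZipFile fix, run against a constructed ZIP with a repeated name."""
import io
import struct
import warnings
import zipfile

EOCD_SIG = 0x06054B50   # the constant the smali compares against (0x6054b50)
CDH_SIG = 0x02014B50    # central directory file header signature


def list_entries(data: bytes) -> list:
    """Locate the EOCD the way the smali does (scanOffset = length - 22,
    stopOffset = scanOffset - 0x10000), walk the central directory, and
    reject a second entry that reuses an already-seen name."""
    scan = len(data) - 22
    if scan < 0:
        raise ValueError("too short to be Zip")
    stop = max(scan - 0x10000, 0)          # EOCD comment may be up to 64 KiB
    while scan >= stop:
        if struct.unpack_from("<I", data, scan)[0] == EOCD_SIG:
            break
        scan -= 1
    else:
        raise ValueError("EOCD not found; not a Zip archive?")
    disk, cd_disk, num_entries, total, _cd_size, cd_off = struct.unpack_from(
        "<HHHHII", data, scan + 4)
    if disk != 0 or cd_disk != 0 or num_entries != total:
        raise ValueError("spanned archives not supported")
    names, pos = [], cd_off
    for _ in range(num_entries):            # the for-loop over numEntries in the smali
        if struct.unpack_from("<I", data, pos)[0] != CDH_SIG:
            raise ValueError("bad central directory header")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8")
        if name in names:                   # the new check added by the fix
            raise ValueError("Duplicate entry name: " + name)
        names.append(name)
        pos += 46 + name_len + extra_len + comment_len
    return names


def build_sample(duplicate: bool) -> bytes:
    """Constructed test archive; with duplicate=True, classes.dex appears twice."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")     # zipfile warns about the duplicate but still writes it
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("classes.dex", b"original")
            if duplicate:
                zf.writestr("classes.dex", b"replacement")
    return buf.getvalue()
```

An unpatched ZipFile returns only one of the two same-named entries from its LinkedHashMap while the installer's verifier may hash the other, which is why rejecting the archive outright is the right fix.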
 