dev: add a hook to curl to bypass certificate pinning

WorldObservationLog · WorldObservationLog · commit 38b124b8dc31 · 2025-06-26T19:01:42.000+08:00
diff --git a/.gitmodules b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "subhook"]
+	path = subhook
+	url = https://github.com/savushkin-r-d/subhook
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -35,13 +35,15 @@ find_library(ANDROIDAPPMUSIC_LIB androidappmusic PATHS ${CMAKE_SOURCE_DIR}/rootf
 find_library(STORESERVICESCORE_LIB storeservicescore PATHS ${CMAKE_SOURCE_DIR}/rootfs/system/lib64)
 find_library(MEDIAPLATFORM_LIB mediaplatform PATHS ${CMAKE_SOURCE_DIR}/rootfs/system/lib64)
 find_library(CXX_SHARED_LIB c++_shared PATHS ${CMAKE_SOURCE_DIR}/rootfs/system/lib64)
+find_library(CURL_SHARED_LIB curl PATHS ${CMAKE_SOURCE_DIR}/rootfs/system/lib64)
 
 # Link libraries
 target_link_libraries(main
     ${CXX_SHARED_LIB}
     ${ANDROIDAPPMUSIC_LIB}
     ${STORESERVICESCORE_LIB}
     ${MEDIAPLATFORM_LIB}
+    ${CURL_SHARED_LIB}
 )
 
 link_directories(${CMAKE_SOURCE_DIR}/rootfs/system/lib64)
diff --git a/import.h b/import.h
@@ -57,6 +57,8 @@ static inline const char *std_string_data(union std_string *str) {
 	return str->data;
 }
 
+extern void curl_easy_setopt(void *, int32_t, long);
+
 extern void _ZN20androidstoreservices30SVSubscriptionStatusMgrFactory6createEv(struct shared_ptr *);
 extern void
 _ZN20androidstoreservices27SVSubscriptionStatusMgrImpl33checkSubscriptionStatusFromSourceERKNSt6__ndk110shared_ptrIN17storeservicescore14RequestContextEEERKNS_23SVSubscriptionStatusMgr26SVSubscriptionStatusSourceE(
diff --git a/main.c b/main.c
@@ -16,13 +16,38 @@
 #include "cmdline.h"
 #ifndef MyRelease
 #include "subhook/subhook.c"
+#include "subhook/subhook.h"
 #endif
 
 static struct shared_ptr apInf;
 static uint8_t leaseMgr[16];
 struct gengetopt_args_info args_info;
 char *amUsername, *amPassword;
 
+#ifndef MyRelease
+int32_t CURLOPT_SSL_VERIFYPEER = 64;
+int32_t CURLOPT_SSL_VERIFYHOST = 81;
+int32_t CURLOPT_PINNEDPUBLICKEY = 10230;
+
+int32_t CURLOPT_CUSTOMREQUEST = 10036;
+int32_t CURLOPT_URL = 10002;
+int32_t CURLOPT_POSTFIELDS = 10015;
+
+subhook_t curl_hook;
+
+void curl_easy_setopt_hook(void *curl, int32_t option, long param) {
+    subhook_remove(curl_hook);
+
+    if (option == CURLOPT_SSL_VERIFYPEER || option == CURLOPT_SSL_VERIFYHOST || option == CURLOPT_PINNEDPUBLICKEY) {
+        curl_easy_setopt(curl, option, 0);
+        printf("[+] hooked curl_easy_setopt %d\n", option);
+    } else {
+        curl_easy_setopt(curl, option, param);
+    }
+    subhook_install(curl_hook);
+}
+#endif
+
 int file_exists(char *filename) {
   struct stat buffer;   
   return (stat (filename, &buffer) == 0);
@@ -623,6 +648,11 @@ void write_storefront_id(struct shared_ptr reqCtx) {
 int main(int argc, char *argv[]) {
     cmdline_parser(argc, argv, &args_info);
 
+    #ifndef MyRelease
+    curl_hook = subhook_new(curl_easy_setopt, curl_easy_setopt_hook, SUBHOOK_64BIT_OFFSET);
+    subhook_install(curl_hook);
+    #endif
+
     init();
     const struct shared_ptr ctx = init_ctx();
     if (args_info.login_given) {

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+[submodule "subhook"]`
	`2`	`+ path = subhook`
	`3`	`+ url = https://github.com/savushkin-r-d/subhook`
Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,8 @@ static inline const char std_string_data(union std_string str) {`
`57`	`57`	`return str->data;`
`58`	`58`	`}`
`59`	`59`
	`60`	`+extern void curl_easy_setopt(void *, int32_t, long);`
	`61`	`+`
`60`	`62`	`extern void _ZN20androidstoreservices30SVSubscriptionStatusMgrFactory6createEv(struct shared_ptr *);`
`61`	`63`	`extern void`
`62`	`64`	`_ZN20androidstoreservices27SVSubscriptionStatusMgrImpl33checkSubscriptionStatusFromSourceERKNSt6__ndk110shared_ptrIN17storeservicescore14RequestContextEEERKNS_23SVSubscriptionStatusMgr26SVSubscriptionStatusSourceE(`