From 52ff4a14e9af0d890d4fcb1b373ff2469e971280 Mon Sep 17 00:00:00 2001
From: arm64v8a <48624112+arm64v8a@users.noreply.github.com>
Date: Wed, 29 Mar 2023 17:38:14 +0900
Subject: [PATCH] update core

---
 libcore/box.go   |  3 +++
 libcore/build.sh |  2 +-
 libcore/go.mod   |  2 ++
 libcore/go.sum   | 17 +++++++++++++
 libcore/nb4a.go  | 62 +++++++++++++++++++++++++++++++++++++++++++++---
 5 files changed, 82 insertions(+), 4 deletions(-)

diff --git a/libcore/box.go b/libcore/box.go
index f25c304..f418e49 100644
--- a/libcore/box.go
+++ b/libcore/box.go
@@ -127,6 +127,9 @@ func NewSingBoxInstance(config string) (b *BoxInstance, err error) {
 }
 
 func (b *BoxInstance) Start() error {
+	if outdated != "" {
+		return errors.New(outdated)
+	}
 	if b.state == 0 {
 		b.state = 1
 		return b.Box.Start()
diff --git a/libcore/build.sh b/libcore/build.sh
index 8fd0dd7..ceff41b 100755
--- a/libcore/build.sh
+++ b/libcore/build.sh
@@ -11,7 +11,7 @@ rm -rf $BUILD/android \
   $BUILD/javac-output \
   $BUILD/src
 
-gomobile bind -v -androidapi 21 -cache $(realpath $BUILD) -trimpath -ldflags='-s -w' -tags='with_conntrack,with_gvisor,with_quic,with_wireguard,with_utls,with_v2ray_api,with_clash_api' . || exit 1
+gomobile bind -v -androidapi 21 -cache $(realpath $BUILD) -trimpath -ldflags='-s -w' -tags='with_conntrack,with_gvisor,with_quic,with_wireguard,with_utls,with_v2ray_api,with_clash_api,with_grpc' . || exit 1
 rm -r libcore-sources.jar
 
 proj=../app/libs
diff --git a/libcore/go.mod b/libcore/go.mod
index 75a7dc1..bb1456d 100644
--- a/libcore/go.mod
+++ b/libcore/go.mod
@@ -3,6 +3,7 @@ module libcore
 go 1.18
 
 require (
+	github.com/avast/apkverifier v0.0.0-20221110131049-7720fc1ebef0
 	github.com/codeclysm/extract v2.2.0+incompatible
 	github.com/matsuridayo/libneko v0.0.0-20230315005352-9d7e3f3a79d1
 	github.com/matsuridayo/sing-box-extra v0.0.0-20230327081452-742054d97340
@@ -20,6 +21,7 @@ require (
 	github.com/Dreamacro/clash v1.14.0 // indirect
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/andybalholm/brotli v1.0.5 // indirect
+	github.com/avast/apkparser v0.0.0-20221012080151-bfc57d4d0502 // indirect
 	github.com/caddyserver/certmagic v0.17.2 // indirect
 	github.com/cloudflare/circl v1.2.1-0.20221019164342-6ab4dfed8f3c // indirect
 	github.com/cretz/bine v0.2.0 // indirect
diff --git a/libcore/go.sum b/libcore/go.sum
index caf4327..3b195de 100644
--- a/libcore/go.sum
+++ b/libcore/go.sum
@@ -7,6 +7,20 @@ github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs=
 github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
+github.com/avast/apkparser v0.0.0-20190516101250-3b8c5efcb6a9/go.mod h1:c0733VBXm1we9M1zCtoOspplSwOYebS3hpDkJyMORRU=
+github.com/avast/apkparser v0.0.0-20200102113521-69bcdd9c2403/go.mod h1:eZzHNfZWA1eeKPQE3LVmfRw32lhrH351jDCsma9qxOc=
+github.com/avast/apkparser v0.0.0-20200402131724-9fd46d5c4749/go.mod h1:CSBdDZNEsGRYPiDt9QcGrIy8iWQ9YzB1rcuxn44+0jc=
+github.com/avast/apkparser v0.0.0-20200924103028-30471fa5618f/go.mod h1:SKNzWGFyNJji/Z+iXjPCpmpFPvenFuhLjrSLCwCM/cM=
+github.com/avast/apkparser v0.0.0-20210223100516-186f320f9bfc/go.mod h1:98WPhH/r8MbKpffuuDCAGtPyzSI2IVwXBcWAlXhMVC4=
+github.com/avast/apkparser v0.0.0-20221012080151-bfc57d4d0502 h1:Ka3itfe3khrY1wBEgwaBXMCEhWRd9SG6rnAT8eOFXZQ=
+github.com/avast/apkparser v0.0.0-20221012080151-bfc57d4d0502/go.mod h1:+p/TgE5RkPjTZkzIeZ1Ut/xlKcxsdJtNOuT33v8DKQU=
+github.com/avast/apkverifier v0.0.0-20190808142831-dbbe53a24744/go.mod h1:mhWRoMg0KhvWt8SX7B2v2E3VfWt5jWfHfD9PtWAN+qM=
+github.com/avast/apkverifier v0.0.0-20200217135742-aa28c80b82ae/go.mod h1:SV58cyAAN+SzX8GIBhizatMJNGcDyfQUj/xZUlKRW+I=
+github.com/avast/apkverifier v0.0.0-20200416105355-97c5338f32f0/go.mod h1:HskRSJJJbP3poUkDRAyRAdDVSsh5J1mz8cRc2/B4kbc=
+github.com/avast/apkverifier v0.0.0-20210219091843-33631264c352/go.mod h1:uhY/I/3Vh3V6ZFgLm/EFX/j5//MdoXpvcULTtzRW3YA=
+github.com/avast/apkverifier v0.0.0-20210916093748-2146ff7c4b7f/go.mod h1:APQFx11UQTdbLKlZVJQFddZcJZxoHl6NnJfHN7foLD8=
+github.com/avast/apkverifier v0.0.0-20221110131049-7720fc1ebef0 h1:x9HVJYrutJsTbfgN+Fg1mIn9moi8t1oSxvNIY3qhjks=
+github.com/avast/apkverifier v0.0.0-20221110131049-7720fc1ebef0/go.mod h1:fnZDjIhf6G9k2Qr2f9IZcXctjGmzOK3y2II9gdG1GP8=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/caddyserver/certmagic v0.17.2 h1:o30seC1T/dBqBCNNGNHWwj2i5/I/FMjBbTAhjADP3nE=
 github.com/caddyserver/certmagic v0.17.2/go.mod h1:ouWUuC490GOLJzkyN35eXfV8bSbwMwSf4bdhkIxtdQE=
@@ -60,6 +74,9 @@ github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtL
 github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/juju/errors v1.0.0 h1:yiq7kjCLll1BiaRuNY53MGI0+EQ3rF6GB+wvboZDefM=
 github.com/juju/errors v1.0.0/go.mod h1:B5x9thDqx0wIMH3+aLIMP9HjItInYWObRovoCFM5Qe8=
+github.com/klauspost/compress v1.11.0/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
+github.com/klauspost/compress v1.11.7/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
+github.com/klauspost/compress v1.11.8/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/klauspost/compress v1.15.15 h1:EF27CXIuDsYJ6mmvtBRlEuB2UVOqHG1tAXgZ7yIO+lw=
 github.com/klauspost/compress v1.15.15/go.mod h1:ZcK2JAFqKOpnBlxcLsJzYfrS9X1akm9fHZNnD9+Vo/4=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
diff --git a/libcore/nb4a.go b/libcore/nb4a.go
index f99ab6f..f3fa462 100644
--- a/libcore/nb4a.go
+++ b/libcore/nb4a.go
@@ -1,6 +1,10 @@
 package libcore
 
 import (
+	"bufio"
+	"bytes"
+	"crypto/sha256"
+	"fmt"
 	"libcore/device"
 	"os"
 	"path/filepath"
@@ -11,6 +15,7 @@ import (
 
 	"log"
 
+	"github.com/avast/apkverifier"
 	"github.com/matsuridayo/libneko/neko_common"
 	"github.com/matsuridayo/libneko/neko_log"
 )
@@ -74,13 +79,64 @@ func InitCore(process, cachePath, internalAssets, externalAssets string,
 
 		if time.Now().Unix() >= GetExpireTime() {
 			outdated = "Your version is too old! Please update!! 版本太旧，请升级！"
-		} else if time.Now().Unix() < (GetBuildTime() - 86400) {
-			outdated = "Wrong system time! 系统时间错误！"
 		}
 
-		// Extract assets
+		// bg
 		if isBgProcess {
+			go verifyAPK()
 			extractAssets()
 		}
 	}()
 }
+
+var apkSignerSHA256 = [][]byte{
+	{0x35, 0x76, 0x27, 0x58, 0xce, 0x86, 0xa6, 0xec, 0x29, 0x7d, 0x9c, 0xca, 0xc6, 0x89, 0x46, 0x9b, 0xc4, 0x3b, 0x9f, 0xed, 0x8a, 0xe1, 0xb2, 0x7f, 0x10, 0x0a, 0x86, 0xbb, 0xac, 0x00, 0xa0, 0x55},
+}
+
+func verifyAPK() {
+	var apkPath string
+	f, err := os.Open("/proc/self/maps")
+	if err != nil {
+		outdated = fmt.Sprintf("verifyAPK: open maps: %v", err)
+		return
+	}
+	defer f.Close()
+	sc := bufio.NewScanner(f)
+	for sc.Scan() {
+		line := sc.Text()
+		if strings.HasSuffix(line, "/base.apk") {
+			apkPath = line[strings.Index(line, "/data/"):]
+			break
+		}
+	}
+	//
+	certs, err := apkverifier.ExtractCerts(apkPath, nil)
+	if certs == nil || err != nil {
+		outdated = fmt.Sprintf("verifyAPK: no certificate: %v", err)
+		return
+	}
+
+	var ok = false
+	for _, cert := range certs {
+		for _, c := range cert {
+			var s = sha256.Sum256(c.Raw)
+			if isGoodSigner(s[:]) {
+				ok = true
+				break
+			}
+		}
+	}
+
+	if !ok {
+		outdated = fmt.Sprintf("verifyAPK: unknown signer")
+	}
+}
+
+func isGoodSigner(sha256 []byte) bool {
+	for _, hash := range apkSignerSHA256 {
+		if bytes.Equal(sha256, hash) {
+			return true
+		}
+	}
+	return false
+}