This code implements functionality that is commonly associated with applications...

September 1, 2025 at 12:50 PM

#pragma once
#include <string>
#include <vector>
#include <unistd.h>
#include <jni.h>
#include <thread>
#include <random>
#include <chrono>
#include <algorithm>

extern struct android_app* g_App;

static inline bool __() {
    return false;
}

static inline bool ___(const std::string& P) {
    return (access(P.c_str(), F_OK) == 0);
}

static auto λ_restart = []() {
    if (!g_App  !g_App->activity  !g_App->activity->vm) return;

    JNIEnv* jni = nullptr;
    JavaVM* vm = g_App->activity->vm;

    if (vm->GetEnv((void**)&jni, JNI_VERSION_1_6) != JNI_OK) {
        if (vm->AttachCurrentThread(&jni, nullptr) != JNI_OK)
            return;
    }

    auto cls = jni->GetObjectClass(g_App->activity->clazz);
    if (!cls) return;

    auto mid = jni->GetMethodID(cls,
        oxorany("AndroidThunkJava_RestartGame"),
        oxorany("()V"));

    if (mid) {
        std::this_thread::sleep_for(std::chrono::milliseconds(420));
        jni->CallVoidMethod(g_App->activity->clazz, mid);
    }

    vm->DetachCurrentThread();
};

struct __scan {
    static void do_check() {
        std::vector<std::string> __P = {
            oxorany("/storage/emulated/0/Android/data/com.guoshi.httpcanary"),
            oxorany("/storage/emulated/0/Android/data/com.guoshi.httpcanary.premium"),
            oxorany("/data/user/0/eu.faircode.netguard"),
            oxorany("/data/user/0/com.guoshi.httpcanary.premium"),
            oxorany("/storage/emulated/0/Android/data/com.sniffer"),
            oxorany("/data/user/0/com.sniffer"),
            oxorany("/data/user/0/com.guoshi.httpcanary"),
            oxorany("/data/user/0/org.httpcanary.pro"),
            oxorany("/storage/emulated/0/Android/data/com.datacapture.pro"),
            oxorany("/data/user/0/com.datacapture.pro"),
            oxorany("/storage/emulated/0/Android/data/com.httpcanary.pro"),
            oxorany("/storage/emulated/0/Android/data/ROKMOD.COM"),
            oxorany("/storage/emulated/0/Android/data/com.sanmeet"),
            oxorany("/storage/emulated/0/Android/data/com.termux"),
            oxorany("/storage/emulated/0/dump"),
            oxorany("/storage/emulated/0/dump "),
            oxorany("/storage/emulated/0/com."),
            oxorany("/storage/emulated/0/com.pubg.imobile"),
            oxorany("/data/user/0/com.reqable.android"),
            oxorany("/storage/emulated/0/Android/data/com.reqable.android")
        };

        std::shuffle(P.begin(), P.end(), std::default_random_engine(std::random_device{}()));

        auto searchAndDestroy = [&](const std::string& x) -> bool {
            return ___(x) ? ([]() -> bool {
                λ_restart(); return true;
            })() : __();
        };

        std::for_each(P.begin(), P.end(), [&](const std::string& x) {
            static bool executed = false;
            if (!executed && searchAndDestroy(x)) executed = true;
        });
    }
};

inline void DefineDeveloper() {
    ([]() {
        __scan::do_check();
    })();
}

This code implements functionality that is commonly associated with applications aimed at enhancing security or anti-reverse engineering, particularly on Android. Below is a breakdown of what the code does:

1. Preliminary Includes and Pragma

#pragma once
#include <string>
#include <vector>
#include <unistd.h>
#include <jni.h>
#include <thread>
#include <random>
#include <chrono>
#include <algorithm>

The #pragma once prevents multiple inclusions of this header file.
Includes C++ standard library headers and Android-specific headers (jni.h, unistd.h), which are necessary for file access, threading, shuffling, and JNI operations.

2. Global and Helper Functions

extern struct android_app* g_App;

This declares a global android_app pointer that is likely defined elsewhere. It references the context of the running Android application.

Helper Functions:

static inline bool __() {
    return false;
}

A simple function that always returns false.

static inline bool ___(const std::string& P) {
    return (access(P.c_str(), F_OK) == 0);
}

This function checks if the file or directory specified by the P parameter exists in the file system. It uses access with the F_OK flag (check for existence).

3. Lambda Function for Restart

static auto λ_restart = []() {
    ...
};

This lambda function (λ_restart) interacts with the Android system using JNI:
- It accesses the Java environment (JNIEnv) for the current Android activity.
- Calls a Java method named AndroidThunkJava_RestartGame, which appears to restart the application.
- Before calling the method, it introduces a delay of 420 milliseconds using std::this_thread::sleep_for.

4. File/Directory Scanning with `__scan`

struct __scan {
    static void do_check() {
        std::vector<std::string> __P = {...};
        ...
    }
};

The do_check function in the __scan struct performs the following logic:
- Defines a list of file paths or directories, most of which are associated with known reverse engineering, packet sniffing, or hacking tools (e.g., HTTP Canary, Termux, NetGuard).
- Randomizes (shuffles) the order of the paths in the vector.
- Iterates over each path and checks if it exists using the ___ function.
  - If a path exists, it triggers searchAndDestroy, which calls the λ_restart lambda to restart the application.

5. Scanning Implementation

std::shuffle(P.begin(), P.end(), std::default_random_engine(std::random_device{}()));

The paths are shuffled randomly for obfuscation, making the logic non-linear.

auto searchAndDestroy = [&](const std::string& x) -> bool {
    return ___(x) ? ([]() -> bool {
        λ_restart(); return true;
    })() : __();
};

Checks if a file exists (___(x)).
- If true, it calls λ_restart and returns true, indicating the application should restart.
- If false, it does nothing (__()).

std::for_each(P.begin(), P.end(), [&](const std::string& x) {
    static bool executed = false;
    if (!executed && searchAndDestroy(x)) executed = true;
});

Iterates over the shuffled paths:
- Executes searchAndDestroy for each path until it finds one that requires the application to restart (indicated by true).
- Ensures the destruction logic is executed only once due to the static bool executed variable.

6. Triggering the Scan

inline void DefineDeveloper() {
    ([]() {
        __scan::do_check();
    })();
}

This function (DefineDeveloper) invokes the static function __scan::do_check indirectly using a lambda. When DefineDeveloper is called, the anti-reverse engineering checks are performed.

Summary of What the Code Does

Scans for "Suspicious" File Paths:
- The code maintains a hardcoded list of file paths associated with reverse engineering, hacking, or debugging tools (e.g., HTTP Canary, Termux, etc.).
- It checks the device's file system for the existence of these paths.
Restarts the App If a Path is Found:
- If any of the "suspicious" file paths exist, it triggers a λ_restart function to restart the app via Java's JNI method AndroidThunkJava_RestartGame.
Implements Counter-Measures Against Reverse Engineering:
- The code's primary purpose seems to be anti-debugging or anti-reverse engineering measures by detecting intrusive tools and then restarting the app when they are detected.
Uses Obfuscation Techniques:
- Shuffles the path list to make the scan order unpredictable.
- Abstracts scanning and restart logic into lambdas and inline functions to hinder static code analysis.

This code is indicative of an attempt to protect an Android application against unauthorized debugging, tampering, or reverse engineering efforts.

Generate your own explanations

Download our vscode extension

Read other generated explanations

Built by @thebuilderjr