Hello to me and to anyone else reading this from the future. Status update: this month I lost a companion that was with me for the past 4 years. He is not entirely dead, but let's say he is not the same person he once was... wait wait wait! I am talking about my laptop. I was doing an all-nighter and at about 4 a.m., when I was planning to go to sleep, I was cleaning up and dropped the laptop from waist height. I was one of the tallest persons in my class, so that explains a lot. I should have cleaned everything in the morning. Anyway, after that I couldn't work on my projects for some time, but I fixed it to a point where it is somewhat workable. It's not the same, though, and I have to buy a new one. Next time I make a post it will be on a new laptop.


Goal

I have been away from reversing, CTFs and modding, basically my hobbies from my university days, but occasionally I still do some reversing and CTFs because of course I don't want to forget everything. I was busy with my office work, but in the back of my mind there were always thoughts about reversing apps again, usually to find bugs and exploit them myself for fun. That is the GOAL!

Motivation

The next thing that led me to write this post is that I use torrents sometimes, and I mostly do it on my phone. Out of all the torrent clients I have used, ttorrent is the best (on the phone). I use it, but not to the point of buying it (the premium app without ads).

Lately the ads are just awful: full-blown full-screen ads with full audio, and you cannot even skip the video. So one weekend I decided to reverse it, because at this point you cannot use it.

Question

Why not use mods/cracks from the internet?

Answer: easy. Since I'm also in the security community I know for a fact that almost every other mod has some Trojan bundled with it, and the other reason is that I am paranoid.


WARNING OR NOTICE WHATEVER YOU WANT TO CALL IT

What I am going to share below is purely for myself, to remind me (future me) that at some point in life I did this, and it is purely for learning purposes for anyone else that might stumble upon this.

Decompiling

Fun part

Note: I have done this before and I have personal preferences in the tools that I use.

The first thing you need is a decompiler. At the time of writing this post I have seen around 15 or so decompilers, online and offline, for Android. Personally I have been a fan of apktool; it's just perfect.

apktool download link

Some of the Honorable mentions

  • cfr decompiler
  • jd-gui
  • jadx

Apktool usage

It's simple: apktool d (for decompile) -o (output directory)

java -jar apktool_2.4.0.jar d -o output_dir/ apkfile.apk

After you decompile the APK, explore the decompiled folder for some time. If you want to change the app flow or learn its secrets, you have to change those files, so you need a text editor with a find-in-files feature. My personal preference for this is Sublime; of course you can use anything you like.

Android apps are basically written in Java and Kotlin, from a native-app standpoint, so the files that you see in those folders are just the compiled versions of the source. You cannot see the exact Java source code of the app: everything will be obfuscated, and a lot of it will not make any sense to you at first if you don't have any experience, so don't be afraid of it. Be very vigilant here; I am talking about two things, one is the Java source files (as reconstructed by the decompiler) and the other is the .smali files (the disassembled bytecode).

.smali modifications are the most important ones for this post, since that is what will be used to change the app flow.


Modding

smali modifications

This is the tough spot. I have previous experience with assembly (x86 and dex), but other people will have to learn to understand it.

viewing logic and instructions

Personally, I use jadx for viewing the Java code (obfuscated and confusing) and the smali code at the same time, and I make the changes to the .smali files with a text editor.

jadx link

For smali modifications, to understand the instructions, I've found this to be more useful than the Google one.

dalvik_opcodes

Understanding structure and finding things to be changed to suit our needs

So with the command from the apktool part you will have decompiled the APK, and with the help of the tools above you can now view the source and hopefully understand the logic. I am going to tell you what I changed after analysing it.

Hint: ttorrent lite can be converted to premium if you have a code; that might be exploitable.

    .locals 0

    .line 1
    iput-object p1, p0, Lhu/tagsoft/ttorrent/serial/a;->c:Lhu/tagsoft/ttorrent/serial/SerialActivity;

    iput-boolean p2, p0, Lhu/tagsoft/ttorrent/serial/a;->a:Z

.locals 0 means no extra (local) registers are declared for this method. To make the condition true, set the variable to true.

Basically, what you have to do in terms of Java code is below; this is one of the common modding patterns.


    public boolean isLicenseVerified() {
        this.licenseCheck = getLicenseCheck();
        return this.licenseCheck; // true if the license was bought
    }

    public boolean isLicenseVerified() {
        this.licenseCheck = true;
        return this.licenseCheck; // always true
    }

In smali code that translates to the following; this is the actual change made in the code.

    .locals 1    # now one extra register can be used

    const/4 v0, 0x1

    iput-boolean v0, p0, Lhu/tagsoft/ttorrent/serial/a;->a:Z    # the variable is set to true

Important: the check for whether the serial is registered now always returns true. Successful patch!

NOTE: this is not easy to do at the beginning. I was at that point myself, so just don't give up.
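The reason .locals has to change together with the const/4 instruction is that the Dalvik verifier refuses a method that names a vN register beyond the count .locals declares, so a patched class that gets this wrong fails verification instead of running. The checker below is added here as an example (it is not code from the original post or from apktool); it walks a method body and flags exactly that mismatch, and the smali snippets inside it are constructed to mirror the constructor shown above.

```python
import re

# Constructed samples mirroring the constructor shown above (not the app's real file).
# BEFORE uses only parameter registers (p0..p2), so ".locals 0" is consistent.
BEFORE = """\
    .locals 0
    iput-object p1, p0, Lhu/tagsoft/ttorrent/serial/a;->c:Lhu/tagsoft/ttorrent/serial/SerialActivity;
    iput-boolean p2, p0, Lhu/tagsoft/ttorrent/serial/a;->a:Z
"""
# BAD_EDIT applies the const/4 patch but leaves ".locals 0", so v0 is undeclared.
BAD_EDIT = """\
    .locals 0
    iput-object p1, p0, Lhu/tagsoft/ttorrent/serial/a;->c:Lhu/tagsoft/ttorrent/serial/SerialActivity;
    const/4 v0, 0x1
    iput-boolean v0, p0, Lhu/tagsoft/ttorrent/serial/a;->a:Z
"""
# GOOD_EDIT is the same patch with ".locals 1", which declares v0.
GOOD_EDIT = BAD_EDIT.replace(".locals 0", ".locals 1")

LOCALS_RE = re.compile(r"^\.locals\s+(\d+)$")
LOCAL_REG_RE = re.compile(r"v(\d+)")


def local_registers(instruction: str) -> list[int]:
    """vN register numbers that appear as whole operands of one instruction.
    pN parameters and Lfoo;->a:Z descriptors never match; {v0 .. v3} ranges are not expanded."""
    parts = instruction.split(None, 1)
    if len(parts) < 2:
        return []
    matches = (LOCAL_REG_RE.fullmatch(op.strip()) for op in parts[1].split(","))
    return [int(m.group(1)) for m in matches if m]


def check_locals(method_body: str) -> list[str]:
    """Flag every instruction using a vN register with N >= the declared .locals count."""
    declared = None
    problems = []
    for lineno, raw in enumerate(method_body.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop smali comments and indentation
        if not line:
            continue
        m = LOCALS_RE.match(line)
        if m:
            declared = int(m.group(1))
            continue
        if declared is None:  # nothing to check until .locals has been seen
            continue
        for reg in local_registers(line):
            if reg >= declared:
                problems.append(f"line {lineno}: v{reg} used but only .locals {declared} declared")
    return problems
```

Running check_locals over BAD_EDIT reports both lines that touch v0, while BEFORE and GOOD_EDIT come back clean.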


Recompiling

After that you have to recompile the app. There are several ways to do this; I am going to go with removing the original signature of the app, creating a new key and then signing the app with your key.

Remove the META-INF folder to remove the original signatures.


java -jar apktool_2.4.0.jar b -o output_dir/filename.apk decompiledDirectory/


Resigning

Creating a key and signing with it


keytool -genkey -v -keystore ck-release-key.keystore -alias ck -keyalg RSA -keysize 2048 -validity 10000

# resign the apk
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore ck-release-key.keystore my_application.apk ck

# be sure to verify it, there might be some errors
jarsigner -verify -verbose recompiledApk.apk

There is also another, much simpler way of disabling the ads, by disabling the activity in the manifest, but what is the fun in that?

Now I have got rid of the pesky full-screen ads. I am not going to share the APK here, cuz reasons, duh... but I taught you the necessary stuff to do so; you should do fine on your own.