Hey, how ya been. So this is another reversing post (reverse engineering an Android mod). Some months ago I gave some basic info on reversing Android apps with a practical example (tTorrent). This post is gonna build on top of that one; basically a pretty advanced version of that post.


I'm just sharing information & not distributing mod files here! This is strictly for learning purposes only.

Starting off

Let's just continue where we left off, shall we. Today the practical example we are gonna use is Spotify Lite, which at the time of writing is newly released, at version '0.13.13.6'.

Why Spotify? Cause I love the app, but I'm too broke to pay for the subscription and the ads are just painful; I just want to remove the ads. You could ask the question "bu..but there are always mods available in the outside market?" Yea those are available, but my simple answer is trust: especially nowadays it's very easy to attach a backdoor to any app. Also the fact that I love doing this.

So we train by making the ads stop and adding premium features to it. Keep in mind we are converting only the client to be premium; server-assisted premium features won't work here.

So here we go.

Continued

As said, this section is just a continuation of the previous post titled 'android reversing'; the basics of decompiling and recompiling are in that post.

errors

Most of the errors introduced during decompilation show up only during the recompiling phase and the app launch phase. Luckily there are extra options during decompilation which can fix most of the errors encountered.

The following options are available during decompilation:


when to use the -r option:
  if launching causes crashes in relation to resources
    you can find this out in logcat, then try this option

when to use the --no-assets option:
  the same reason as the -r option

when to use the -d flag:
  debug flag, adds debuggable to the manifest, enabling debug output
    utilize logcat

when to use a custom framework / update the framework:
  the app would not build or recompile, so install a new framework with
    java -jar apktool.jar if framework-file.apk

framework files from an Android device:
  usually inside /system/framework
    adb pull to get the apk, then install it with apktool if

more about frameworks

In some cases there may be recompiling and rebuilding errors from apktool. These can be fixed either by the -r param while decompiling (keep resources intact), or by installing the latest framework with the command above (multiple frameworks can be used too), or even by pulling a framework file from your Android device; more about it here. So if you are using MIUI like me, use the commands below.


ex: (current device MIUI)
    adb pull /system/framework/framework-res.apk
    adb pull /system/framework/framework-ext-res/framework-ext-res.apk

The latest framework files can be taken from the Android build tools. At the time of writing, Android API 29 is out.

The above will fix about 90% of the problems.

working with practical example

Install the latest version of Spotify Lite from the Play Store, extract the apk from the device and decompile it using the guide from part 1, solving the problems you face with the above methods. After decompiling, take some time to go through the app structure and keep note of key parts of the application.

Also launch jadx-gui side by side to get a better idea (you can find this in part 1).

Launch the app on your device and check the app structure (always keep notes on interesting places); for example (hint), the settings have a section called account type. This practical example won't be as simple as changing the return value of a function like in the previous post; there we had an attack vector specific to that app, but here it's a different story. Analysing the app structure and finding potential spots is the key step.

hints

For smali modifications I use this site a lot: dalvik_opcodes, as mentioned in part 1. Here we want to replace sections of byte code, so make use of it. Here too I won't say the exact way to mod, since that would be illegal; you can find this out on your own. I'll just share the gist of the byte code necessary to do the trick and show code samples for it.

While you browse through the decompiled files you might stumble upon an enumerator that is referenced everywhere; yeah, of course this can be exploited indeed.

I'm gonna explain with Java code instead of the dalvik opcodes, since that is much easier to understand.


enum Account{
  PREMIUM,
  FREE
}


The trick

When the app launches (MainActivity), the app makes an API call to get the type of user and saves it as a local reference.


# pseudocode

AnnonymousCall_to_apiToRetreiveUserType(...){
  //make the call
  //parse the call
  return Account (response);
}

Check the pseudocode: if you are able to change the response of the anonymous call to always use PREMIUM, then we can call it a day!

In Java you use Enum.valueOf("name_here") to get the value of an enum constant by name. So we change the above code to something like


# pseudocode

AnnonymousCall_to_apiToRetreiveUserType(...){
  //make the call (even this is not necessary here)
  //parse the call (even this is not necessary here)
  return Account.valueOf("PREMIUM");
}

Here is the dalvik opcode equivalent for the above.


//storage
const-string p2, "PREMIUM"

//valueOf from storage
invoke-static {p2}, Lcom/spotify/lite/productstate/Product;->valueOf(Ljava/lang/String;)Lcom/spotify/lite/productstate/Product;

//move the result object into p2
move-result-object p2

//move the same into class object
iput-object p2, p0, Ldlc;->b:Lcom/spotify/lite/productstate/Product;

//return the object
return-object Ldlc;->b:Lcom/spotify/lite/productstate/Product;

The same, but for lambda functions.

original: api_call -> return cast(response)


.method public final apply(Ljava/lang/Object;)Ljava/lang/Object;
.locals 0

check-cast p1, Lcjl;

invoke-virtual {p1}, Lcjl;->b()Lcom/spotify/lite/productstate/Product;

move-result-object p1

return-object p1

patched:


.registers 2

.line 47
const-string p1, "PREMIUM"

invoke-static {p1}, Lcom/spotify/lite/productstate/Product;->valueOf(Ljava/lang/String;)Lcom/spotify/lite/productstate/Product;

move-result-object p1

return-object p1
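The reason both patches work is that the client derives its account type from an unverified response and then trusts its own field. As an added illustration (not Spotify's code; every name here is hypothetical), this shows that vulnerable pattern beside the design that defeats it: the server issues an HMAC-protected entitlement and re-checks it on every premium-only request, so a client that locally reports PREMIUM still gets nothing.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical names throughout; an added illustration, not the app's own code.
public class EntitlementDemo {
    enum Account { PREMIUM, FREE }
    // Vulnerable pattern: the client derives the account type from the API string and
    // trusts that local value from then on. Rewriting this one call is all a mod needs.
    static Account clientSideAccount(String productFieldFromApi) {
        return Account.valueOf(productFieldFromApi);
    }
    // Hardened pattern: the server issues "user|product|expiry.<hmac>" and re-verifies it
    // on every premium-only request, so the client's local enum no longer decides anything.
    static final byte[] SERVER_KEY = "demo-server-only-key".getBytes(StandardCharsets.UTF_8); // constructed
    static String hmac(String payload) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(SERVER_KEY, "HmacSHA256"));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(m.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }
    static String issueEntitlement(String user, Account product, long expiryEpoch) throws Exception {
        String payload = user + "|" + product.name() + "|" + expiryEpoch;
        return payload + "." + hmac(payload);
    }
    // Server-side gate: returns the ad-free payload only for a valid, unexpired PREMIUM token.
    static String serveAdFreeTrack(String token, long nowEpoch) throws Exception {
        int dot = token.lastIndexOf('.');
        if (dot < 0) return null;
        String payload = token.substring(0, dot), sig = token.substring(dot + 1);
        byte[] expected = hmac(payload).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(sig.getBytes(StandardCharsets.UTF_8), expected)) return null; // constant-time compare
        String[] f = payload.split("\\|");
        if (f.length != 3 || Long.parseLong(f[2]) < nowEpoch) return null;
        return Account.valueOf(f[1]) == Account.PREMIUM ? "track-bytes-without-ads" : null;
    }
    public static void main(String[] args) throws Exception {
        long now = 1_700_000_000L;
        String freeToken = issueEntitlement("alice", Account.FREE, now + 3600);
        Account patched = clientSideAccount("PREMIUM");           // what a patched client believes
        System.out.println("client says " + patched + ", server serves: " + serveAdFreeTrack(freeToken, now));
        String edited = freeToken.replace("|FREE|", "|PREMIUM|"); // payload edited, so the tag is stale
        System.out.println("edited token: " + serveAdFreeTrack(edited, now) + ", genuine premium: "
            + serveAdFreeTrack(issueEntitlement("bob", Account.PREMIUM, now + 3600), now));
    }
}
```

Only the genuinely issued PREMIUM token is served; the patched client's local enum and the edited token are both refused because the decision is made server side against a key the client never holds.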

Some additional interesting patch sections; go through these too, the latest versions of the app need this.


player util

player restriction

resolve player

skipToFutureTrack


With the given patch work, that is all you will need to enable premium features; just recompile, sign and install the app. Follow part 1 for recompiling, signing and installing.

End

I hope this helps someone else other than me. I'm not gonna share the recompiled apk for obvious reasons (legal), but I feel you should be able to do so with the information you have now. Peace! See ya next time.