hey, how ya been. so this is another reversing post (reverse engineering an android mod). Some months ago I gave some basic info on reversing android apps with a practical example (tTorrent). This post is gonna build on top of that one, basically a more advanced version of it.
I'm just sharing information & not distributing mod files here! This is strictly for learning purposes only.
Starting off
Let’s just continue where we left off, shall we. Today the practical example we are gonna use is Spotify Lite, which at the time of writing is newly released, at version ‘0.13.13.6’.
why spotify? Cause I love the app, but I'm too broke to pay for a subscription and the ads are just painful; I just want to remove the ads. You could ask “bu..but there are always mods available in the outside market?” Yeah, those are available, but my simple answer is trust: especially nowadays it's very easy to attach a backdoor to any app. And also the fact that I love doing this.
So we train by making the ads stop and adding premium features to it. Keep in mind we are converting only the client to be premium; server-assisted premium features won’t work here.
so here we go
continued
As said, this section is just a continuation of the previous post titled ‘android reversing’; getting started with decompiling and recompiling is covered in that post.
errors
Most of the errors introduced during decompilation show up only during the recompiling phase and the app launch phase; fortunately there are extra options during decompilation which can fix most of the errors encountered.
the following options are available in decompilation
when to use the -r option: if the launch causes crashes related to resources (you can find this out in logcat), try this option
when to use the --no-assets option: the same reason as the -r option
when to use the -d flag: debug flag, adds debug to the manifest enabling debug output; utilize logcat
when to use a custom framework / update the framework: if the app would not build or recompile, install a new framework with
```shell
java -jar apktool.jar if framework-file.apk
```
framework files from an android device are usually inside /system/framework; adb pull to get the apk, then run the install-framework command above
more about frameworks
In some cases there may be recompiling and rebuilding errors from apktool. These can be fixed either by the -r param while decompiling (keeps resources intact) or by installing the latest framework with the command above; multiple frameworks can be used too, or you can even pull a framework file from your android device (more about it here). So if you are using MIUI like me, use the commands below.
ex: (current device: MIUI)
```shell
adb pull /system/framework/framework-res.apk
adb pull /system/framework/framework-ext-res/framework-ext-res.apk
```
The latest framework files can be taken from the Android build tools. At the time of writing, Android API 29 is out.
The above will fix about 90% of the problems.
working with the practical example
Install the latest version of Spotify Lite from the Play Store, extract the apk from the device and decompile it using the guide from part 1, solving the problems you face with the methods above. After decompiling, take some time to go through the app structure and keep notes on key parts of the application.
Also launch jadx-gui side by side to get a better idea (you can find this in part 1).
Launch the app on your device and check the app structure (always keep notes on interesting places); for example (hint) the settings has a section called account type. This practical example won't be as simple as changing the return value of a function like in the previous post, where we had an attack vector specific to that app; here it's a different story, and analysing the app structure and finding potential spots is the key step.
hints
smali modifications: I use this site a lot, dalvik_opcodes, as mentioned in part 1. Here we want to replace sections of byte code, so make use of it. Here too I won't say the exact way to mod since that would be illegal; you can find this out on your own. I'll just share the gist of the byte code necessary to do the trick and show code samples for it.
While you browse through the decompiled files you might stumble upon an enum that is referenced everywhere; yeah, of course this can be exploited indeed.
I'm gonna explain with Java code instead of the dalvik opcodes, since that is much easier to understand.
```java
enum Account {
    PREMIUM,
    FREE
}
```
The trick
When the app launches (MainActivity), the app makes an API call to get the type of user and saves it as a local reference.
```java
// pseudocode
AnonymousCall_to_apiToRetrieveUserType(...) {
    // make the call
    // parse the call
    return Account(response);
}
```
Check the pseudocode: if you are able to change the response of the anonymous call to always use PREMIUM, then we can call it a day!
In Java you use Enum.valueOf("name_here") to get the enum constant from its name, so we change the above code to something like
```java
// pseudocode
AnonymousCall_to_apiToRetrieveUserType(...) {
    // make the call  -- EVEN THIS IS NOT NECESSARY HERE
    // parse the call -- EVEN THIS IS NOT NECESSARY HERE
    return Account.valueOf("PREMIUM");
}
```
Here is the Dalvik opcode equivalent of the above (smali uses # for comments):
```smali
# storage
const-string p2, "PREMIUM"
# valueOf from storage
invoke-static {p2}, Lcom/spotify/lite/productstate/Product;->valueOf(Ljava/lang/String;)Lcom/spotify/lite/productstate/Product;
# move the result object into p2
move-result-object p2
# store the same into the class field
iput-object p2, p0, Ldlc;->b:Lcom/spotify/lite/productstate/Product;
# return the object (return-object takes a register, not a field reference)
return-object p2
```
The same, but for lambda functions:
original: api_call -> return cast(response)
```smali
.method public final apply(Ljava/lang/Object;)Ljava/lang/Object;
    .locals 0
    check-cast p1, Lcjl;
    invoke-virtual {p1}, Lcjl;->b()Lcom/spotify/lite/productstate/Product;
    move-result-object p1
    return-object p1
.end method
```
patched:
```smali
.method public final apply(Ljava/lang/Object;)Ljava/lang/Object;
    .registers 2
    .line 47
    const-string p1, "PREMIUM"
    invoke-static {p1}, Lcom/spotify/lite/productstate/Product;->valueOf(Ljava/lang/String;)Lcom/spotify/lite/productstate/Product;
    move-result-object p1
    return-object p1
.end method
```
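To show why, as said at the start, only the client side flips to premium while server-assisted features stay locked, here is an added Java model. It is not Spotify's code and not from this post: the Account enum mirrors the one above, but the Client and EntitlementServer classes, the session token value and the method names are all constructed for illustration. The client's cached account type is whatever the patched code stores, but a server that keeps its own entitlement record is unaffected, and a disagreement between the two is a cheap signal worth logging.

```java
import java.util.HashMap;
import java.util.Map;

public class EntitlementDemo {

    /** Client-side account type, modelled on the enum described in the post. */
    enum Account { PREMIUM, FREE }

    /** The client as written: account type comes from the API response and is cached locally. */
    static class Client {
        private Account account = Account.FREE;

        // This is the spot the post patches: whatever string ends up here is under the
        // control of whoever controls the apk, so the cached value proves nothing to anyone.
        void refreshFromApi(String accountField) {
            this.account = Account.valueOf(accountField);
        }

        boolean clientThinksPremium() {
            return account == Account.PREMIUM;
        }
    }

    /** Server side (hypothetical): keeps its own entitlement table per session and ignores client claims. */
    static class EntitlementServer {
        private final Map<String, Account> entitlements = new HashMap<>();
        private int mismatches = 0;

        void setEntitlement(String sessionToken, Account a) {
            entitlements.put(sessionToken, a);
        }

        // Gate for anything the server has to do for the client (serve an ad-free stream,
        // honour a skip request, ...). The client's own claim is compared only for logging.
        boolean authorizeServerAssistedFeature(String sessionToken, boolean clientClaimsPremium) {
            Account actual = entitlements.getOrDefault(sessionToken, Account.FREE);
            if (clientClaimsPremium && actual != Account.PREMIUM) {
                mismatches++;
                System.out.println("entitlement mismatch for " + sessionToken
                        + ": client claims PREMIUM, server record is " + actual);
            }
            return actual == Account.PREMIUM;
        }

        int mismatchCount() {
            return mismatches;
        }
    }

    public static void main(String[] args) {
        EntitlementServer server = new EntitlementServer();
        server.setEntitlement("session-demo-1", Account.FREE); // constructed session id

        Client client = new Client();
        client.refreshFromApi("FREE");    // what the real response said
        client.refreshFromApi("PREMIUM"); // what a patched client stores instead

        System.out.println("client-side gate passes: " + client.clientThinksPremium());
        System.out.println("server-side gate passes: "
                + server.authorizeServerAssistedFeature("session-demo-1", client.clientThinksPremium()));
        System.out.println("mismatches logged: " + server.mismatchCount());
    }
}
```

Run with `javac EntitlementDemo.java && java EntitlementDemo`: the client-side gate passes, the server-side gate refuses the same session, and one mismatch is logged. That is the whole reason the post's patch only reaches the client-enforced features.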
Some additional interesting patch sections; go through these too, the latest versions of the app need them:
player util
player restriction
resolve player
skipToFutureTrack
With the given patch work, that is all you need to enable premium features; just recompile, sign and install the app. Follow part 1 for recompiling, signing and installing.
End
I hope this helps someone else other than me. I'm not gonna share the recompiled apk for obvious reasons (legal), but I feel you should be able to do so with the information you have now. peace! seeya next time.