Hi! It's nice to post weekly for a change; I have never posted weekly before. Anyway, this might be a one-time thing (posting weekly).
Disclaimer: I'm just sharing information and not distributing mod files here. This is strictly for learning purposes.
Let’s start & why
If you forgot for some reason, this is part 3 of Android reversing/modding. I recommend checking out the previous posts, "Android Reversing" and "Android Reversing Part 2", in the 'reversing' category.
Our test subject for today will be Terraria, a game costing 410 rupees, or 5.38 USD.
That's not a huge sum for a one-time fee, but it is some amount, and why pay if you have alternatives?
Why this game?
I saw this game trending; after checking it out, I learned it was a popular game with a large fan base. Watching some gameplay got me hooked, and I wanted to try it (but not pay for it).
How to get it for free? Google search and download it?
As you know, I don't trust any source other than Google Play, since it is very easy to attach a backdoor to an APK, and I do not want that.
So how?
In case you do not know, Google Play has a refund window (30 minutes at the time of writing): if you buy anything on the Play Store, you can request a refund within that window, it is granted with no questions asked, and the app is uninstalled.
The trick is to take a backup of the app before tapping the refund button.
The main problem with this method is that some apps verify with Google Play (a license check) that you really bought the app. When we reinstall the backup and open it, that check fails and the app will not work.
So let's see how we can overcome this.
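The backup step above is easy to get wrong on newer devices, where one package can be several APKs. The script below is an added example, not part of the original post: it pulls every APK path that `pm path` reports for a package and can reinstall them later with `install-multiple`. It assumes `adb` is on the PATH with USB debugging enabled; the package name is whatever `adb shell pm list packages` shows for the game, and the output directory name is made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): back up an installed package's
# APK(s) over adb before requesting the Play Store refund.
set -eu

# `pm path <pkg>` prints one `package:<device path>` line per APK. Apps shipped
# as app bundles install base.apk plus split_*.apk files, and every one of them
# is needed to reinstall. Strip the prefix and keep only the paths.
apk_paths() {
    sed -n 's/^package://p'
}

# Local file name for a pulled APK: the device file name prefixed with the
# package, so backups of several packages can share one directory.
local_name() {
    pkg=$1 path=$2
    printf '%s_%s\n' "$pkg" "${path##*/}"
}

# Pull every APK of $pkg into $dest. Fails if the package reports no APKs.
backup_apk() {
    pkg=$1 dest=$2
    mkdir -p "$dest"
    n=0
    # tr strips the CR that adb shell appends on some hosts
    for p in $(adb shell pm path "$pkg" | tr -d '\r' | apk_paths); do
        adb pull "$p" "$dest/$(local_name "$pkg" "$p")"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Reinstall from the backup. install-multiple also handles the single-APK case.
restore_apk() {
    dest=$1 pkg=$2
    adb install-multiple -r "$dest"/"${pkg}"_*.apk
}

# Usage (device attached):  sh backup.sh run <package.name> backup_dir
if [ "${1:-}" = run ]; then
    backup_apk "$2" "${3:-backup}"
fi
```

Pull the backup while the app is still installed; once the refund goes through the package is gone from the device, and a later `adb pull` has nothing to fetch.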
Continued
As said, this post is just a continuation of the previous posts titled 'Android Reversing' and 'Android Reversing Part 2'. The basics, installation, decompiling, recompiling and so on are covered in those posts; check them out.
Patching
License verification is done by a library provided by Google, the License Verification Library (LVL), which is compiled into the app itself. Because the decision is made by code running on the device, we can decompile the APK with our tools and search the smali for the weak spot.
You say license patching? Why not use Lucky Patcher? I don't want to trust it, install it, or risk being hit by malware.
By analysing the files we find the following smali lines (static fields of the library's LicenseValidator class). They reveal the response codes used for the license check, and with those we can proceed.
# static fields
...
.field private static final LICENSED:I = 0x0
.field private static final LICENSED_OLD_KEY:I = 0x2
.field private static final NOT_LICENSED:I = 0x1
.field private static final SIGNATURE_ALGORITHM:Ljava/lang/String; = "SHA1withRSA"
...
Digging deeper, we come across an interesting method called "allowAccess", invoked like this:
invoke-interface {p2}, Lcom/google/android/vending/licensing/Policy;->allowAccess()Z
move-result p2
Checking the library's source on GitHub, we can verify that this method is the one that makes the decision:
/**
* Policy used by {@link LicenseChecker} to determine whether a user should have
* access to the application.
*/
public interface Policy {
...
/**
* Provide results from contact with the license server. Retry counts are
* incremented if the current value of response is RETRY. Results will be
* used for any future policy decisions.
*
* @param response the result from validating the server response
* @param rawData the raw server response data, can be null for RETRY
*/
void processServerResponse(int response, ResponseData rawData);
/**
* Check if the user should be allowed access to the application.
*/
boolean allowAccess();
...
}
Override
The Java logic of our override is pretty simple.
Original code:
if(mPolicyInterface.allowAccess()){
unlockApp();
} else{
lockApp();
}
Patched code:
if(true){ // we make this always true
unlockApp();
} else{
lockApp();
}
The equivalent smali is:
Original smali:
invoke-interface {p2}, Lcom/google/android/vending/licensing/Policy;->allowAccess()Z
move-result p2
Patched smali:
const/4 p2, 0x1
Both original lines go: the interface call is removed and the register that move-result wrote is loaded with 1 instead, so the branch that follows behaves as if allowAccess() had returned true. (const/4 assembles as long as p2 maps to one of v0-v15; in a method with more registers use const/16 instead.)
That is it: recompile, re-sign and install the app/game. Two caveats: the re-signed APK carries a different signing key than the Play Store build, so it must be installed fresh (an update over the store version is rejected as a signature mismatch) and it will not receive store updates. And because LVL's decision is made by code shipped inside the APK, any client-side check can be patched like this, which is why Google's licensing documentation tells developers to obfuscate the check rather than rely on it as-is.
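Doing the patch by hand is fine for one call site, but the same invoke/move-result pair can appear in more than one method and in more than one dex (apktool emits smali, smali_classes2, ...). The script below is an added example, not part of the original post: it applies exactly the patch shown above to every smali file, checks that no call sites remain, then rebuilds, aligns and signs. It assumes apktool, zipalign, apksigner and keytool are on the PATH; the work directory, keystore name and password are made up for the example, and it emits const/16 rather than the const/4 shown above so the patch also assembles when the result register is above v15.

```shell
#!/bin/sh
# Added example (not from the original post): automate the allowAccess() patch
# over an apktool output tree, then rebuild and re-sign the APK.
set -eu

# Reads smali on stdin, writes patched smali on stdout. The pair
#   invoke-interface {..}, Lcom/google/android/vending/licensing/Policy;->allowAccess()Z
#   move-result rX
# becomes
#   const/16 rX, 0x1
# Indentation is preserved. If the call's result is never moved into a register
# the call line is simply dropped and the following line kept.
patch_allow_access() {
    awk '
    /invoke-interface(\/range)? [{][^}]*[}], Lcom\/google\/android\/vending\/licensing\/Policy;->allowAccess\(\)Z/ {
        pending = 1
        next
    }
    pending && /^[ \t]*move-result [vp][0-9]+/ {
        match($0, /^[ \t]*/)
        print substr($0, 1, RLENGTH) "const/16 " $2 ", 0x1"
        pending = 0
        next
    }
    pending && NF > 0 { pending = 0 }
    { print }
    '
}

# Number of allowAccess() call sites left under a directory (0 once patched).
count_allow_access() {
    find "$1" -name '*.smali' -exec grep -c 'Policy;->allowAccess()Z' {} + 2>/dev/null \
        | awk -F: '{ s += $NF } END { print s + 0 }'
}

# Patch in place every smali file under a directory that contains the call.
patch_tree() {
    find "$1" -name '*.smali' -exec grep -l 'Policy;->allowAccess()Z' {} + 2>/dev/null \
        | while IFS= read -r f; do
            patch_allow_access < "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        done
}

# Decompile, patch every dex tree, rebuild, align, sign with a throwaway key.
# zipalign must run BEFORE apksigner: the v2 signature covers the whole file.
rebuild_and_sign() {
    src=$1 dst=$2
    apktool d -f "$src" -o work
    for d in work/smali*; do patch_tree "$d"; done
    [ "$(count_allow_access work)" -eq 0 ] || { echo "allowAccess() calls remain"; exit 1; }
    apktool b work -o unsigned.apk
    zipalign -f 4 unsigned.apk aligned.apk
    [ -f patch.jks ] || keytool -genkeypair -keystore patch.jks -alias patch \
        -keyalg RSA -keysize 2048 -validity 10000 -storepass changeit \
        -keypass changeit -dname 'CN=patch'
    apksigner sign --ks patch.jks --ks-key-alias patch --ks-pass pass:changeit \
        --key-pass pass:changeit --out "$dst" aligned.apk
    apksigner verify --print-certs "$dst"
}

# Constructed smali sample standing in for the call site shown in the post.
SAMPLE='    .line 42
    invoke-interface {p2}, Lcom/google/android/vending/licensing/Policy;->allowAccess()Z

    move-result p2

    if-eqz p2, :cond_0'
printf '%s\n' "$SAMPLE" | patch_allow_access

# Usage on a pulled APK:  sh patch.sh run base.apk patched.apk
if [ "${1:-}" = run ]; then
    rebuild_and_sign "$2" "$3"
fi
```

The count check before rebuilding is the part worth keeping even if you patch by hand: a second call site left untouched in another dex is the usual reason a "patched" build still locks itself.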
End
I'm not going to share the APK here, but I believe I have shared the knowledge to do so. Bye, see you next time.