Hi me!, how are you doing, how is the future holding up?
Personal Update: It’s been a rough couple weeks since the last post, Covid-19 has shown no rate of slowing down. Nothing been around my mind lately just junk… a lot of junk I don’t want to think about. To many frequent decisions, Once a friend told me Self control over your thoughts is very important. No matter what I do, It seems I can not achieve it.. at least up-until now.
Disclaimer : Im just sharing information & not distrubuting mod files here! this is strictly for learning purposes only.
Intro & why:
This post will be an another reverse engineering/modding post. I recommend checking out last three posts. “Android Reversing”, “Android Reversing Part 2” & “Android Reversing part 3”
Today we will be looking at two apps to study on, to put it simply I did it for my friends, After I told them about the Terria experiment that I did in the last post, they asked me whether Advanced Download Manager & Printer Sharer app can be modded too, I haven’t felt this existed to work on something since a long time. I immediately started working on it. spoiler: I completed it quickly…but it was fun.
Apps one & two:
The first app is ADM (advanced download manager). this app has a premium activation, we will check whether we can exploit this feature.
The second app is Print share anywhere, this app has premium features that works by installing another app that has to be bought from google play store, for the app to work both applications should have to installed.
New:
Taking apart of “app one” and “app two” does not contain anything new, refer previous post for this section.
Before discussing the possible ways to achieve our goals, there is something we would like to know, usually when an app has premium features, during first launch the default state of the purchase flag in code will be ‘not purchased’(in code), what I mean by “first launch” is installing the app fresh from app store and launching it for the first time or it communicates with some license server for it information for the first time.
Second thing we should know about: we are getting into advanced territory here, I’ve been sharing basic modding until now, lets go advanced for a change.
Accessing data:
As mentioned the debug flag ‘android:debuggable=“true”’ must be added to manifest.xml.
as of writing this post, Google’s last stable release is android 9 and the following methond works on my devices running android 8 & 9.
make sure the device is connected and has debugging enabled.
> adb shell
shell $ run-as package_name
Interesting part:
For an application to work, consider it being android, apple, windows, space-craft software…(i.e)any piece of software that has to run and has to retain memory between launches, It has to store the state someplace.
Yes exactly the android applications work on the same principle. how do we access it? We can add the debug flag during compilation of the app and install it to the device and run it, by this we overcome the restriction imposed by the android system, (i.e) applications private data can not be accessed by us.
We can then investigate the configs, private files of the app, One common way an app retains information for example: Entering your name in the app, it remembers it by store the information inside these files(there could be other-ways but lets not over-complicate things).
Theoretically, after we find out where the config to app’s purchase state is found, we can insert new code into the app to change the ‘buy state’ of the application.
I later found out that these two apps were way-too-simple to mod, so did not bother use this, but anyway Keep this idea in the mind, we might use it in the future.
patching:
Ways to overcome app one:
So after I decompiled the app, It was way too easy, they maintain a flag and use the flag everywhere for premium option, So basically I can just change it? Yea that is what I did and recompiled whola!. You have to be carefull here since during the first launch, It will just check with server whether you have bought the app from google app store or not. if we bought the app, then it stores the status in memory, what we could do here is change the smali-code to default go to insert the premium status in memory, doing this way we could not worry about the different lifecycle problems that you might face. pause, destroy, resume states of the app.
Ways to overcome for app two:
The second app had the same logic, I made a similar patch in smali, the actual logic and smali code are as follows:
before:
// by default the license variable contains false values,
public static final Boolean[] is_prm = new Boolean[2];
after:
public static final Boolean[] is_prm = {true, true};
In smali, it translates to:
const/4 v4, 0x1
const/4 v0, 0x2
new-array v0, v0, [Ljava/lang/Boolean;
const/4 v2, 0x0
invoke-static {v4}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;
move-result-object v3
aput-object v3, v0, v2
invoke-static {v4}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;
move-result-object v2
aput-object v2, v0, v4
.line 398
sput-object v0, Lcom/dynamixsoftware/printershare/Billing;->is_prm:[Ljava/lang/Boolean;
Apart from the first app utilising pro-guard, these two apps required very little work, but I enjoyed it neverthless.
Im not gone share the apk for obvious reasons, this concludes this post, have a good day & see you next time.