Android APK Reverse Engineering

[alien4u]

Hello.
Im trying to modify an Android APK to jump a key file verification.
I want to do that in order to learn smali and Baksmali and to improve protection of future Apps or APK files.

What i done so far:
1-Decompile APK to smali files
2-Look in to AndroidManifest.xml to locate Activity:
<activity android:name=".ReparadorReceiver" android:screenOrientation="portrait" />
<activity android:name=".ShutdownReceiver" android:screenOrientation="portrait" />
<activity android:name=".AcercaDe" android:screenOrientation="portrait" />
So the main activity is AcercaDe.
3- On AcercaDe.smali there is a call to a funtion with return boolean value:
invoke-virtual {v2, v3}, Landroid/os/Bundle;->containsKey(Ljava/lang/StringZ
I try to change conditional if-eqz or if-nez but i cant figure out how to skip or jump this check.
I will attach the APK file just in case anyone want to try it.
http://docsile.com/WifiFix.apk

Any help or ligth will be apreciate.

[dest]

I don't understand exactly what you want to do. You want to skip the function call? Why not just deleted and anything that comes after invoke-virtual?

[alien4u]

Quote:

Originally Posted by dest

I don't understand exactly what you want to do. You want to skip the function call? Why not just deleted and anything that comes after invoke-virtual?

Is not that simple, even if i delete that function call the App still do another checking, beside if you delete that the App dont open...

What i want to do is avoid the licence check...
If you decompile the Apk you will notice lot of checking and function that check the key also the app load a library libutiles.so that have lot of C code with another functions... getValue() getLlave()

Kind Regards
Alien.

[unLGcked]

alien4u i libe in Cuba too, and also tried to crack unsuccesfully the app...what i do its use sqlitemanager apk, and modify table global, to set the variable wifi_country_code to a valor diferent to cu, lets say US or EU

[alien4u]

Quote:

Originally Posted by unLGcked

alien4u i libe in Cuba too, and also tried to crack unsuccesfully the app...what i do its use sqlitemanager apk, and modify table global, to set the variable wifi_country_code to a valor diferent to cu, lets say US or EU

You can create an script and run it with Script Manager, with this inside the script:

#!/bin/sh
sleep 20
sqlite3 /data/data/com.android.providers.settings/databases/settings.db "INSERT INTO global (name, value) VALUES ('wifi_country_code', 'EU');"
svc wifi disable
sleep 20
svc wifi enable

That will work, but the App do it in a better way, because they use an android receiver that work better.

The rigth way to go is to decompile the apk and modify smali code but until now i dont find a good way into the smali code.

[dest]

Quote:

Originally Posted by alien4u

Is not that simple, even if i delete that function call the App still do another checking, beside if you delete that the App dont open...

What i want to do is avoid the licence check...
If you decompile the Apk you will notice lot of checking and function that check the key also the app load a library libutiles.so that have lot of C code with another functions... getValue() getLlave()

Kind Regards
Alien.

Are you deleting this function call:
invoke-virtual {v2, v3}, Landroid/os/Bundle;->containsKey
That is the call used by findViewById to get the ID from R.class. It doesn't have anything to do with security.

[alien4u]

Quote:

Originally Posted by dest

Are you deleting this function call:
invoke-virtual {v2, v3}, Landroid/os/Bundle;->containsKey
That is the call used by findViewById to get the ID from R.class. It doesn't have anything to do with security.

Hi Dest, thanks for your time and your help.

If i delete that function call and I compile the apk again the App crash.
Here you can see it:

[dest]

Quote:

Originally Posted by alien4u

Hi Dest, thanks for your time and your help.

If i delete that function call and I compile the apk again the App crash.
Here you can see it:

It crashes because your deleting something that is needed run the app. It has NOTHING to do with security at all.

[alien4u]

Quote:

Originally Posted by dest

It crashes because your deleting something that is needed run the app. It has NOTHING to do with security at all.

Hi Dest, thanks once again for your time and your help.
I delete that function call as many others i already try, but the app still crash or still do the licence check.

I dont know what you mean with: "It has NOTHING to do with security at all."?

I want to bypass this licence check so i can figure out another way to protect APKs files in new project. This apk is protectect with proguard and also load an object library that implements another functions.

So is sophisticated enough to try it and see how secure could be an APK project.

If you look in \lib\armeabi\libutiles.so
You will find some functions:
-getDireccionLlave (in english: getKeyAddress)
-getLlave1 (in english: getKey1)
-getLlave2
Also u will notice the App copy something to system partition:
uid=0 cp rm chmod 755 /system/xbin/ cu.adoble.wifi.fix cu.adoble.wifi.fix.AcercaDe mount -r -o remount /system
And modify this sqlite db what is the whole point of the app:
/data/data/com.android.providers.settings/databases/settings.db "INSERT INTO global (name, value) VALUES ('wifi_country_code', 'EU');" mount -o rw,remount /system

Also look that there is a estado var(status var) with this posible values:
estado Versión registrada. Versión NO registrada, llave NO válida, contáctenos. Versión NO registrada, necesita la llave.

I also think about use the LD_PRELOAD tricks to override some function on the \lib\armeabi\libutiles.so library, as you can see here a simple example:
A Simple LD_PRELOAD Tutorial - good coders code, great reuse

But in order to do that i need to know exactly how the function work and im not able to decompile properly that library.

So here you have more details about what i found...
Thanks.

[alien4u]

Here you got more info about the APK...

Inside libutiles.so:
Functions:

getDireccionLlave(_JNIEnv *):

Vars on this function:
aAndroidOsEnvir = "android/os/Environment"
aGetexternalsto = "getExternalStorageDirectory"
aGetabsolutepat = "getAbsolutePath"
aAdobleWififix_ = "/adoble/wififix.key"
aGetsystemservi DCB "getSystemService"

getLlave1(_JNIEnv *):
-Call to ---- getDireccionLlave(_JNIEnv *)

Java_cu_adoble_wifi_fix_GeneralUtil_getValue()
-Call to ---- getYear(void)
-Call to ---- getLlave2(_JNIEnv *)
-Call to ---- getCodigo(_JNIEnv *,_jobject *)

Here the Entire decompile function:
Java_cu_adoble_wifi_fix_GeneralUtil_getValue
.text:00005B20
.text:00005B20 var_1C = -0x1C
.text:00005B20
.text:00005B20 PUSH {R0-R2,R4-R7,LR}
.text:00005B22 MOVS R4, R0
.text:00005B24 MOVS R5, R2
.text:00005B26 MOVS R6, R3
.text:00005B28 CMP R2, #0x14
.text:00005B2A BLE loc_5B84
.text:00005B2C BL _Z7getYearv ; getYear(void)
.text:00005B30 LDR R3, =0x7E1
.text:00005B32 CMP R0, R3
.text:00005B34 BGT loc_5B7E
.text:00005B36 MOVS R0, R4
.text:00005B38 BL _Z9getLlave2P7_JNIEnv ; getLlave2(_JNIEnv *)
.text:00005B3C MOVS R1, R6
.text:00005B3E MOVS R7, R0
.text:00005B40 MOVS R0, R4
.text:00005B42 BL _Z9getCodigoP7_JNIEnvP8_jobject ; getCodigo(_JNIEnv *,_jobject *)
.text:00005B46 LDR R2, [R4]
.text:00005B48 MOVS R3, #0x2A4
.text:00005B4C LDR R3, [R2,R3]
.text:00005B4E MOVS R1, R0
.text:00005B50 MOVS R2, #0
.text:00005B52 MOVS R0, R4
.text:00005B54 BLX R3
.text:00005B56 MOVS R6, R0
.text:00005B58 BLX strlen
.text:00005B5C MOVS R3, #1
.text:00005B5E SUBS R0, #1
.text:00005B60 MOVS R2, #0
.text:00005B62
.text:00005B62 loc_5B62 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+54j
.text:00005B62 CMP R0, #0
.text:00005B64 BLT loc_5B76
.text:00005B66 CMP R3, #5
.text:00005B68 BEQ loc_5B76
.text:00005B6A LDRB R1, [R6,R0]
.text:00005B6C ADDS R3, #1
.text:00005B6E SUBS R0, #1
.text:00005B70 MULS R1, R3
.text:00005B72 ADDS R2, R2, R1
.text:00005B74 B loc_5B62
.text:00005B76 ; ---------------------------------------------------------------------------
.text:00005B76
.text:00005B76 loc_5B76 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+44j
.text:00005B76 ; Java_cu_adoble_wifi_fix_GeneralUtil_getValue+48j
.text:00005B76 MOVS R3, #0xAD
.text:00005B78 MULS R2, R3
.text:00005B7A CMP R7, R2
.text:00005B7C BEQ loc_5B84
.text:00005B7E
.text:00005B7E loc_5B7E ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+14j
.text:00005B7E MOVS R0, #1 ; status
.text:00005B80 BLX exit
.text:00005B84 ; ---------------------------------------------------------------------------
.text:00005B84
.text:00005B84 loc_5B84 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+Aj
.text:00005B84 ; Java_cu_adoble_wifi_fix_GeneralUtil_getValue+5Cj
.text:00005B84 LDR R1, =(unk_16D34 - 0x5B8E)
.text:00005B86 ADD R0, SP, #0x20+var_1C
.text:00005B88 MOV R2, SP
.text:00005B8A ADD R1, PC ; unk_16D34
.text:00005B8C BLX sub_81E8
.text:00005B90 CMP R5, #0x19 ; switch 26 cases
.text:00005B92 BHI loc_5C54 ; jumptable 00005B96 default case
.text:00005B94 MOVS R0, R5
.text:00005B96 BL __gnu_thumb1_case_uqi ; switch jump
.text:00005B96 ; ---------------------------------------------------------------------------
.text:00005B9A jpt_5B96 DCB 0xD ; jump table for switch statement
.text:00005B9B DCB 0x10
.text:00005B9C DCB 0x13
.text:00005B9D DCB 0x16
.text:00005B9E DCB 0x19
.text:00005B9F DCB 0x1C
.text:00005BA0 DCB 0x1F
.text:00005BA1 DCB 0x22
.text:00005BA2 DCB 0x25
.text:00005BA3 DCB 0x28
.text:00005BA4 DCB 0x2B
.text:00005BA5 DCB 0x2E
.text:00005BA6 DCB 0x31
.text:00005BA7 DCB 0x34
.text:00005BA8 DCB 0x37
.text:00005BA9 DCB 0x3A
.text:00005BAA DCB 0x3D
.text:00005BAB DCB 0x40
.text:00005BAC DCB 0x43
.text:00005BAD DCB 0x46
.text:00005BAE DCB 0x49
.text:00005BAF DCB 0x4C
.text:00005BB0 DCB 0x4F
.text:00005BB1 DCB 0x52
.text:00005BB2 DCB 0x55
.text:00005BB3 DCB 0x58
.text:00005BB4 ; ---------------------------------------------------------------------------
.text:00005BB4
.text:00005BB4 loc_5BB4 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005BB4 LDR R1, =(aWifiFixByAdobl - 0x5BBA) ; jumptable 00005B96 case 0
.text:00005BB6 ADD R1, PC ; "Wifi Fix by ADOBLE 4.4.2"
.text:00005BB8 B loc_5C4E
.text:00005BBA ; ---------------------------------------------------------------------------
.text:00005BBA
.text:00005BBA loc_5BBA ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005BBA LDR R1, =(aParaObtenerLaL - 0x5BC0) ; jumptable 00005B96 case 1
.text:00005BBC ADD R1, PC ; "Para obtener la +¦ltima versi+¦n de est"...
.text:00005BBE B loc_5C4E
.text:00005BC0 ; ---------------------------------------------------------------------------
.text:00005BC0
.text:00005BC0 loc_5BC0 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005BC0 LDR R1, =(aEstado - 0x5BC6) ; jumptable 00005B96 case 2
.text:00005BC2 ADD R1, PC ; "estado"
.text:00005BC4 B loc_5C4E
.text:00005BC6 ; ---------------------------------------------------------------------------
.text:00005BC6
.text:00005BC6 loc_5BC6 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005BC6 LDR R1, =(aVersiNRegistra - 0x5BCC) ; jumptable 00005B96 case 3
.text:00005BC8 ADD R1, PC ; "Versi+¦n registrada."
.text:00005BCA B loc_5C4E
.text:00005BCC ; ---------------------------------------------------------------------------
.text:00005BCC
.text:00005BCC loc_5BCC ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005BCC LDR R1, =(aVersiNNoRegist - 0x5BD2) ; jumptable 00005B96 case 4
.text:00005BCE ADD R1, PC ; "Versi+¦n NO registrada, llave NO v+ílid"...
.text:00005BD0 B loc_5C4E
.text:00005BD2 ; ---------------------------------------------------------------------------
.text:00005BD2
.text:00005BD2 loc_5BD2 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005BD2 LDR R1, =(aVersiNNoRegi_0 - 0x5BD8)
.text:00005BD4 ADD R1, PC ; "Versi+¦n NO registrada, necesita la lla"...
.text:00005BD6 B loc_5C4E
.text:00005BD8 ; ---------------------------------------------------------------------------
.text:00005BD8
.text:00005BD8 loc_5BD8 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005BD8 LDR R1, =(aLaFechaDelCelu - 0x5BDE) ; jumptable 00005B96 case 6
.text:00005BDA ADD R1, PC ; "La fecha del Celular es incorrecta, aju"...
.text:00005BDC B loc_5C4E
.text:00005BDE ; ---------------------------------------------------------------------------
.text:00005BDE
.text:00005BDE loc_5BDE ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005BDE LDR R4, [R5,#0x74]
.text:00005BE0 LDRSH R3, [R4,R5]
.text:00005BE2 TST R5, R6
.text:00005BE4
.text:00005BE4 loc_5BE4 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005BE4 ADDS R6, #0x43
.text:00005BE6 ADD R1, PC ; "La Wifi fue reparada correctamente."
.text:00005BE8 B loc_5C4E
.text:00005BEA ; ---------------------------------------------------------------------------
.text:00005BEA
.text:00005BEA loc_5BEA ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005BEA LDR R1, =(aProblemasAlRep - 0x5BF0) ; jumptable 00005B96 case 9
.text:00005BEC ADD R1, PC ; "Problemas al reparar la Wifi."
.text:00005BEE B loc_5C4E
.text:00005BF0 ; ---------------------------------------------------------------------------
.text:00005BF0
.text:00005BF0 loc_5BF0 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005BF0 LDR R1, =(aSu - 0x5BF6) ; jumptable 00005B96 case 10
.text:00005BF2 ADD R1, PC ; "su"
.text:00005BF4 B loc_5C4E
.text:00005BF6 ; ---------------------------------------------------------------------------
.text:00005BF6
.text:00005BF6 loc_5BF6 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005BF6 LDR R1, =(aSuDump - 0x5BFC) ; jumptable 00005B96 case 11
.text:00005BF8 ADD R1, PC ; "su-dump"
.text:00005BFA B loc_5C4E
.text:00005BFC ; ---------------------------------------------------------------------------
.text:00005BFC
.text:00005BFC loc_5BFC ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005BFC LDR R1, =(aExit - 0x5C02) ; jumptable 00005B96 case 12
.text:00005BFE ADD R1, PC ; "exit\n"
.text:00005C00 B loc_5C4E
.text:00005C02 ; ---------------------------------------------------------------------------
.text:00005C02
.text:00005C02 loc_5C02 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005C02 LDR R1, =(aId - 0x5C08) ; jumptable 00005B96 case 13
.text:00005C04 ADD R1, PC ; "id\n"
.text:00005C06 B loc_5C4E
.text:00005C08 ; ---------------------------------------------------------------------------
.text:00005C08
.text:00005C08 loc_5C08 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005C08 LDR R1, =(aUid0 - 0x5C0E) ; jumptable 00005B96 case 14
.text:00005C0A ADD R1, PC ; "uid=0"
.text:00005C0C B loc_5C4E
.text:00005C0E ; ---------------------------------------------------------------------------
.text:00005C0E
.text:00005C0E loc_5C0E ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005C0E LDR R1, =(aCp - 0x5C14) ; jumptable 00005B96 case 15
.text:00005C10 ADD R1, PC ; "cp "
.text:00005C12 B loc_5C4E
.text:00005C14 ; ---------------------------------------------------------------------------
.text:00005C14
.text:00005C14 loc_5C14 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005C14 LDR R1, =(aRm - 0x5C1A) ; jumptable 00005B96 case 16
.text:00005C16 ADD R1, PC ; "rm "
.text:00005C18 B loc_5C4E
.text:00005C1A ; ---------------------------------------------------------------------------
.text:00005C1A
.text:00005C1A loc_5C1A ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005C1A LDR R1, =(aChmod755System - 0x5C20) ; jumptable 00005B96 case 17
.text:00005C1C ADD R1, PC ; "chmod 755 /system/xbin/"
.text:00005C1E B loc_5C4E
.text:00005C20 ; ---------------------------------------------------------------------------
.text:00005C20
.text:00005C20 loc_5C20 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005C20 LDR R1, =(aCu_adoble_wifi - 0x5C26) ; jumptable 00005B96 case 18
.text:00005C22 ADD R1, PC ; "cu.adoble.wifi.fix"
.text:00005C24 B loc_5C4E
.text:00005C26 ; ---------------------------------------------------------------------------
.text:00005C26
.text:00005C26 loc_5C26 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005C26 LDR R1, =(aCu_adoble_wi_0 - 0x5C2C) ; jumptable 00005B96 case 19
.text:00005C28 ADD R1, PC ; "cu.adoble.wifi.fix.AcercaDe"
.text:00005C2A B loc_5C4E
.text:00005C2C ; ---------------------------------------------------------------------------
.text:00005C2C
.text:00005C2C loc_5C2C ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005C2C LDR R1, =(aMountRORemount - 0x5C32) ; jumptable 00005B96 case 20
.text:00005C2E ADD R1, PC ; "mount -r -o remount /system\n"
.text:00005C30 B loc_5C4E
.text:00005C32 ; ---------------------------------------------------------------------------
.text:00005C32
.text:00005C32 loc_5C32 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005C32 LDR R1, =(aReboot - 0x5C38) ; jumptable 00005B96 case 21
.text:00005C34 ADD R1, PC ; "reboot\n"
.text:00005C36 B loc_5C4E
.text:00005C38 ; ---------------------------------------------------------------------------
.text:00005C38
.text:00005C38 loc_5C38 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005C38 LDR R1, =(aNoTienePermiso - 0x5C3E) ; jumptable 00005B96 case 22
.text:00005C3A ADD R1, PC ; "*** No tiene permiso de Super Usuario *"...
.text:00005C3C B loc_5C4E
.text:00005C3E ; ---------------------------------------------------------------------------
.text:00005C3E
.text:00005C3E loc_5C3E ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005C3E LDR R1, =(aDataDataCom_an - 0x5C44) ; jumptable 00005B96 case 23
.text:00005C40 ADD R1, PC ; " /data/data/com.android.providers.setti"...
.text:00005C42 B loc_5C4E
.text:00005C44 ; ---------------------------------------------------------------------------
.text:00005C44
.text:00005C44 loc_5C44 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005C44 LDR R1, =(aMountORwRemoun - 0x5C4A) ; jumptable 00005B96 case 24
.text:00005C46 ADD R1, PC ; "mount -o rw,remount /system\n"
.text:00005C48 B loc_5C4E
.text:00005C4A ; ---------------------------------------------------------------------------
.text:00005C4A
.text:00005C4A loc_5C4A ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+76j
.text:00005C4A LDR R1, =(aSystemXbin - 0x5C50) ; jumptable 00005B96 case 25
.text:00005C4C ADD R1, PC ; " /system/xbin/"
.text:00005C4E
.text:00005C4E loc_5C4E ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+98j
.text:00005C4E ; Java_cu_adoble_wifi_fix_GeneralUtil_getValue+9Ej ...
.text:00005C4E ADD R0, SP, #0x20+var_1C
.text:00005C50 BLX sub_6DE0
.text:00005C54
.text:00005C54 loc_5C54 ; CODE XREF: Java_cu_adoble_wifi_fix_GeneralUtil_getValue+72j
.text:00005C54 LDR R2, [R4] ; jumptable 00005B96 default case
.text:00005C56 MOVS R3, #0x29C
.text:00005C5A LDR R3, [R2,R3]
.text:00005C5C LDR R1, [SP,#0x20+var_1C]
.text:00005C5E MOVS R0, R4
.text:00005C60 BLX R3
.text:00005C62 MOVS R4, R0
.text:00005C64 ADD R0, SP, #0x20+var_1C
.text:00005C66 BLX sub_6ABC
.text:00005C6A MOVS R0, R4
.text:00005C6C POP {R1-R7,PC}
.text:00005C6C ; End of function Java_cu_adoble_wifi_fix_GeneralUtil_getValue