Sunday, August 8, 2010

Android Trial Patching - Android App Cracking Tutorial #2

Collins English/French Dictionary Trial Crack

apktool - contains baksmali/smali, generally awesome. (
Android SDK installed. (
ADB Access.
An Android Device

Collins audio english french dictionary is a translation dictionary with audio capability. It was
chosen due to its method of protection and listing in the "demo" section of the market as a featured

7 day trial

I downloaded the apk from:

getting CollinsAudioMltEnFr.apk

Then I use apktool to decompress and disassemble the package:
    apktool d CollinsAudioMltEnFr.apk enfr_dict

Then I go into the newly created directory:
    cd enfr_dict

Searching the directory structure, I see:

This looks promising!

In this directory, we find enough information to determine that they store registration information in .reginfo in the files directory
sure enough:
    ben@ben-laptop:~/Downloads$ adb shell busybox ls -Al /data/data/com.mobisystems.msdict.embedded.wireless.collins.audiomltenfr/files
    -rw-rw----    1 10106    10106          25 Aug  8 07:52 .reginfo

Deleting this file will start your trial anew, but we're still going to crack this app!

Well, let's stop and look at this file a bit

hexdump -C .reginfo on my linux host results in this:

00000000  00 00 00 01 00 00 00 01  00 00 00 0a 00 00 00 92  |................|
00000010  00 00 00 01 2a 74 bb f9  dd                       |....*t...|

Looking at: /smali/com/mobisystems/msdict/viewer/engine/LicenseManagerBase.smali

search for the following "public load", this is where the filestream for the .reginfo file is read, this will provide good smali reading


.method public load(Ljava/io/InputStream;)V
    .locals 7
    iget-object v0, p0, Lcom/mobisystems/msdict/viewer/engine/LicenseManagerBase;->_items:Ljava/util/Vector;
    invoke-virtual {v0}, Ljava/util/Vector;->removeAllElements()V
    new-instance v0, Ljava/io/DataInputStream;
    invoke-direct {v0, p1}, Ljava/io/DataInputStream;->(Ljava/io/InputStream;)V
    invoke-virtual {v0}, Ljava/io/DataInputStream;->readInt()I
    invoke-virtual {v0}, Ljava/io/DataInputStream;->readInt()I
    move-result v1
    const/4 v2, 0x1
    sub-int v2, v1, v2
    if-lez v1, :cond_0
    invoke-virtual {v0}, Ljava/io/DataInputStream;->readInt()I
    move-result v1
    invoke-virtual {v0}, Ljava/io/DataInputStream;->readInt()I
    move-result v3
    new-instance v4, Lcom/mobisystems/msdict/viewer/engine/LicenseManagerBase$Item;
    invoke-direct {v4, v1, v3}, Lcom/mobisystems/msdict/viewer/engine/LicenseManagerBase$Item;->(II)V
    invoke-virtual {v0}, Ljava/io/DataInputStream;->readBoolean()Z
    move-result v1
    iput-boolean v1, v4, Lcom/mobisystems/msdict/viewer/engine/LicenseManagerBase$Item;->registered:Z
    invoke-virtual {v0}, Ljava/io/DataInputStream;->readLong()J
    move-result-wide v5
    iput-wide v5, v4, Lcom/mobisystems/msdict/viewer/engine/LicenseManagerBase$Item;->expire_time:J


From looking at that file, I can tell the following:
 * It reads 4 ints (4 bytes each), 1 boolean (1 byte, although this is not guaranteed I don't think), and 1 long (8 bytes) 4x4=16 + 1x1=17 + 1x8 = 25 == MY FILESIZE
 * The last parameter is a member named "expire_time"
 * The boolean value says whether or not the application is registered.

So back to the hexdump:

00000000  00 00 00 01 00 00 00 01  00 00 00 0a 00 00 00 92  |................|
00000010  00 00 00 01 2a 74 bb f9  dd                       |....*t...|

int1 = 00 00 00 01
int2 = 00 00 00 01
int3 = 00 00 00 0a
int4 = 00 00 00 92
bool = 00
long = 00 00 01 2a 74 bb f9 dd

So for shits and giggles, I wondered what making the last parameters all F's would do:

Upon starting the app back up, I was greeted with the fact I had 3,242,983 days left on my
trail period. So I think I can make it to the rapture before my trial runs out, but I still have that annoying nag screen, so let's find a different route.

in smali/com/mobisystems/msdict/viewer/engine/LicenseManagerBase.smali I find:


.method public isRegistered(II)Z
    .locals 1
    if-nez p1, :cond_0
    const/4 v0, 0x1
    return v0
    invoke-virtual {p0, p1, p2}, Lcom/mobisystems/msdict/viewer/engine/LicenseManagerBase;->getItem(II)Lcom/mobisystems/msdict/viewer/engine/LicenseManagerBase$Item;
    move-result-object v0
    iget-boolean v0, v0, Lcom/mobisystems/msdict/viewer/engine/LicenseManagerBase$Item;->registered:Z
    goto :goto_0
.end method


This is simple, if the passed parameter is NULL, it returns 0 right away. If not, it gets the base item (this piece of software) license
and checks its 'registered' member. This is too damn complex, I'm going to simplify things a bit.


.method public isRegistered(II)Z
    .locals 1
    const/4 v0, 0x1
    return v0
.end method


It now makes a variable, assigns it '1', and then returns that variable.

OK I think I'm done, let's package everything back up, I go to the directory I originally ran apktool in, and do the following:
    apktool b enfr_dict enfr_dict.apk

we need to sign this to put on most android devices, if you have the SDK installed, you should have a debug key
    jarsigner -keystore ~/.android/debug.keystore enfr_dict.apk androiddebugkey

and enter "android" as the password.

NOTE: You won't be able to "upgrade" the app on the device, you MUST uninstall it either on the device, or by typing the following:
    adb uninstall com.mobisystems.msdict.embedded.wireless.collins.audiomltenfr

You now have an installable cracked apk, which you can install by typing:
    adb install enfr_dict.apk


  1. Hi Exellent article. Very useful! But I have a question. Where i can fing that .reginfo file. I searched a lot but could not find it. Can you please tell me how & where to find it. That would be a great help!
    Thanx in advance!

  2. Prasenjit, the file should be in


    if you have busybox, try

    busybox find /data/data -name .reginfo

  3. Hi Android Reversing :). Hey thanx a lot man because of you I was able to crack 9 apps from Mob!systms. Thanx man. The only thing different in my method of cracking was instead of using .reginfo file for extending the trial period. I edited the trial period line in the same license manager...smali you used. The line had trial:0x7 so I just replaced it with 0x5f5e100. & then continued to do the final editing. after signing & installing viola!!! the app were registered products. Thanx buddy your article helped me a lot!:)

  4. Android Reversing, you are awesome. Thanks for the article. Now I can use Duden german dict.
    Thanks a lot

  5. Hi,
    i tried installing above files but i got an error .. "Could not load Java virtual machine "
    I m using Win Xp SP3
    1 GB Ram
    Celeron 1.8 Ghz
    i have downloaded all the latest files but still i got this error.. Pls help me

  6. cant find anything like this... trying 2 crack solid explorer 1.42

  7. Looks like the method was patched in subsequent updates

  8. Excellent posting, but i wasn´t able to trial-patch an app called "terRemote",i don´t understand so much in android coding,it has 30 days trial and it´s making me crazy, can u help me with this?
    Sorry for my bad english and thanks a lot from Argentina

  9. can you please upload again the .apk file for your this tutorial because your given link was dead. Thanks

  10. Could crack this dictionary?

  11. if you can send me an email.

  12. please please can you send me the modified apk you made i couldn't do it please please please please this is my e-mail:

  13. Android App Cracking Tutorial is very simple and easy to understand. thanks for this tutorial.
    latest software downloads

  14. Can you crack dummysprite.apk 2 hours trial version to full version??? Pls help me!!! Thank you sir.

  15. Can you crack dummysprite.apk 2 hours trial version to full version, I can give a 10 EUro paysafecard if you are interrested just contact me "

  16. Can You try crack DummySprite bot?

  17. yes dummy sprite apk from please.. thanks

  18. Hello sir....i dont understand how to use it... so i request to you for crack my android app "invoice simple" pls.

  19. Impressive solution! Have you tried dynamic instrumentation (with Frida)? If they detected this, do you know how?

    hide apps on android

  20. cracktaking is trusted in wellspring of all first class break programming, Serial Keys, Patches, Activators, Key gens, For each one of your contraptions Android, MAC, Windows. Cracktaking has a Great gathering of all your Daily use Cracks Devices.

  21. This comment has been removed by the author.

  22. can you hack one android app for me, please.