Wednesday, October 6, 2010

yxplayer Registration Bypass - Android App Cracking Tutorial #4

Yxplayer Pro v1.0.2

Requisites:
 apktool - contains baksmali/smali, generally awesome. 
  (http://code.google.com/p/android-apktool/)
 Android SDK installed. 
  (http://developer.android.com/sdk/index.html)
 JDK 6 or above
 ADB Access.
 An Android Device

Synopsis:
 yxplayer is a media player that is capable of playing avi files.

Protections Employed: 
 Serial Number, Nag Mechanisms

Getting the APK:
 I installed the app through the Market and then pulled the APK off my phone.

 On my device, I typed the following to get the APK: 
  adb pull /data/app/kr.mobilesoft.yxplayer2-1.apk

Unpacking the APK:
 I then use apktool to decode the resources and disassemble the dex into smali: 
  apktool d kr.mobilesoft.yxplayer2-1.apk yxplayer

Reversing the unpacked APK:
 A fairly standard step: I go into the smali directory, where apktool puts the disassembled Dalvik bytecode
 (not the original Java source). Then I traverse the tree to get to the beef of the app. In this case, it's in ./smali/kr/mobilesoft/yxplayer2/

 Right off the bat, I notice RegisterView.smali, a likely name for the nag screen. Grepping for RegisterView 
 shows the main application yxplayer.smali launching it conditionally.

   sget-object v29, Lkr/mobilesoft/yxplayer2/yxplayer2;->mMediaPlayer:Lkr/mobilesoft/yxplayer2/MediaPlayerApi;  
   invoke-virtual/range {v29 .. v29}, Lkr/mobilesoft/yxplayer2/MediaPlayerApi;->isregistered()I  
   move-result v15  
   .line 561  
   .local v15, ok:I  
   if-nez v15, :cond_9  
   .line 562  
   new-instance v29, Landroid/content/Intent;  
   const-string v30, "kr.mobilesoft.yxplayer2.RegisterView"  
   invoke-direct/range {v29 .. v30}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V  
This stores the int result of MediaPlayerApi.isregistered() in v15 and tests it: if-nez jumps to :cond_9 (skipping the RegisterView intent) when the value is nonzero, and otherwise falls through to build the register screen. We could turn the branch here into an unconditional jump, but why not just make isregistered() always return nonzero? That is the goal, to fool the app everywhere it asks, not just a superficial nag screen removal at this one call site.
  .method public isregistered()I  
   .locals 1  
   .prologue  
   .line 356  
   invoke-virtual {p0}, Lkr/mobilesoft/yxplayer2/MediaPlayerApi;->mp_isregistered()I  
   move-result v0  
   return v0  
  .end method  
Looks easy enough to do, I'll use the same guts from the translation app tutorial. Note that isregistered() is only a wrapper around mp_isregistered(); if anything in the smali tree calls mp_isregistered() directly it will still get the real answer, so it is worth grepping for that name as well.
  .method public isregistered()I  
   .locals 1  
   const/4 v0, 0x1  
   return v0  
  .end method  
This always returns 1 (true) when the isregistered() method is called. I am now done, time to repack.

Repacking the APK:
 I go to the directory I originally ran apktool in, and do the following: 
  apktool b yxplayer newyxplayer.apk

 I need to sign this to put it on most Android devices. If you have the SDK installed, you should have a debug key: 
  jarsigner -keystore ~/.android/debug.keystore newyxplayer.apk androiddebugkey
 and enter "android" as the password.

 NOTE: You won't be able to "upgrade" the app on the device, because the rebuilt APK is signed with a different key than the Market copy and Android refuses to install an update whose signing certificate has changed. You MUST uninstall it either on the device, or by typing the following: 
  adb uninstall kr.mobilesoft.yxplayer2

 You now have an installable cracked apk, which you can install by typing: 
  adb install newyxplayer.apk

All Done!
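Since every fresh apktool d throws the hand edit away, the patch is easier to keep as a script. The following is an added example, not code from the original post or from yxplayer: it locates a .method/.end method span by name and descriptor and replaces the body with a constant return, the same edit the post makes to isregistered()I, and it goes a little beyond that one case by also building stubs for void and long return types and by picking the const/4, const/16 or const form that fits the literal. SAMPLE_SMALI is constructed from the method shown in the post; the class header and the release()V method are made up so the patcher can be shown leaving neighbouring methods untouched. The file path in the usage comment is an assumption about where apktool put the class.

```python
"""Re-apply a constant-return patch to a smali method (added example)."""
import re
import sys

# Constructed input: isregistered()I as shown in the post, plus a made-up
# class header and second method so we can check they survive the patch.
SAMPLE_SMALI = """\
.class public Lkr/mobilesoft/yxplayer2/MediaPlayerApi;
.super Ljava/lang/Object;

.method public isregistered()I
    .locals 1

    .prologue
    .line 356
    invoke-virtual {p0}, Lkr/mobilesoft/yxplayer2/MediaPlayerApi;->mp_isregistered()I

    move-result v0

    return v0
.end method

.method public release()V
    .locals 0
    return-void
.end method
"""

# `.method <modifiers...> name(params)ret`; the descriptor is the part after
# the name, e.g. "()I" for an int-returning method with no arguments.
METHOD_RE = re.compile(
    r"^\.method\s+(?P<mods>(?:[a-z]+\s+)*)"
    r"(?P<name>[^\s(]+)\((?P<params>[^)]*)\)(?P<ret>\S+)[ \t]*$",
    re.M,
)


def smali_hex(value):
    """smali writes negative literals as -0x1, not as two's complement."""
    return "-0x%x" % -value if value < 0 else "0x%x" % value


def find_method(text, name, descriptor):
    """Return (start, end, header_match) for the whole .method ... .end method span."""
    for m in METHOD_RE.finditer(text):
        if m.group("name") != name:
            continue
        if "(%s)%s" % (m.group("params"), m.group("ret")) != descriptor:
            continue
        end = text.find(".end method", m.end())
        if end == -1:
            raise ValueError("unterminated method %s%s" % (name, descriptor))
        return m.start(), end + len(".end method"), m
    raise LookupError("method %s%s not found" % (name, descriptor))


def stub_method(header, value):
    """Build a replacement method that returns `value` unconditionally.

    .locals counts only the method's own vN registers; p0 (this) lives outside
    that count, which is why an int stub needs just .locals 1.
    """
    sig = ".method %s%s(%s)%s" % (header.group("mods"), header.group("name"),
                                  header.group("params"), header.group("ret"))
    ret = header.group("ret")
    if ret == "V":
        body = "    .locals 0\n    return-void"
    elif ret in ("Z", "B", "S", "C", "I"):
        # smallest const encoding that holds the literal
        if -8 <= value <= 7:
            load = "const/4 v0, %s" % smali_hex(value)
        elif -32768 <= value <= 32767:
            load = "const/16 v0, %s" % smali_hex(value)
        else:
            load = "const v0, %s" % smali_hex(value)
        body = "    .locals 1\n    %s\n    return v0" % load
    elif ret == "J":
        # a long occupies a register pair, so use the -wide forms
        body = "    .locals 2\n    const-wide/16 v0, %s\n    return-wide v0" % smali_hex(value)
    else:
        raise ValueError("unsupported return type %s" % ret)
    return "%s\n%s\n.end method" % (sig, body)


def patch_method(text, name, descriptor, value):
    """Replace one method in smali text; everything outside its span is kept."""
    start, end, header = find_method(text, name, descriptor)
    return text[:start] + stub_method(header, value) + text[end:]


def patch_file(path, name, descriptor, value):
    """Patch a smali file in place, e.g. before running `apktool b`."""
    with open(path) as f:
        text = f.read()
    with open(path, "w") as f:
        f.write(patch_method(text, name, descriptor, value))


if __name__ == "__main__":
    # assumed path: yxplayer/smali/kr/mobilesoft/yxplayer2/MediaPlayerApi.smali
    if len(sys.argv) == 2:
        patch_file(sys.argv[1], "isregistered", "()I", 1)
    else:
        print(patch_method(SAMPLE_SMALI, "isregistered", "()I", 1))
```

Run it with no arguments to see the patched sample, or with the path to the decoded MediaPlayerApi.smali to patch in place; then rebuild, sign and reinstall as above. Matching on the full descriptor rather than just the name matters because smali classes routinely overload methods, and patching the wrong overload produces an APK that installs but still nags.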

3 comments:

  1. This is a brilliant few guides, thanks for the tutorials! I seem to be running into a little trouble; Once I've recompiled an app, signed it, and installed it, it force-closes on me. Any idea why that might be? Using windows 7, latest Android SDK and JDK, JRE.

  2. I've only worked on Linux, ThatGuyYouHate, but I imagine it should work fine in Windows. I did have some occurrence of this when I deleted the wrong stuff; best advice I can offer is to try again, following directions to the T. I do think I use JDK 1.5 on Linux though. Best of luck, excuse the delay.
