Apr 2nd, 2014, 9:02 pm
Cracking is a strange skill. It's not taught formally, and there aren't many good references. I remember how much it sucks not knowing anyone that can answer questions. I don't know everything, but I want to see if there are people out there with questions and try to save them some time. I reverse stuff pretty much all day, and have seen a lot of shit, and when I'm not reversing I'm writing reversing tools.

If you have any questions about anything cracking related, post it here and I'll try and answer or help you figure it out. Of course, please don't ask me to crack an entire app.

Categories of shit I feel confident talking about:
  • dalvik vm & strange errors (type 4 unexpected, expecting ref? wtf does that mean?)
  • smali (why wont this shit compile, run, do what i want?)
  • protection methods (how the fuck does it know i changed it?)
  • antilvl (general solutions to protection problems)
  • obfuscation + deobfuscation (why is every method a giant byte array?)
  • android malware (that's even a thing?)
  • cracking tools (what I use)
  • some native code (how do i even get started?)

-Market Militia-
#marketmilitia and #mobilism on irc.abjects.net

If you like the app, buy it.
Apr 3rd, 2014, 11:21 am
I would like to know why smali doesn't compile. Sometimes it gives me an error.
Also, do write some native code as well. Thanks.
Apr 4th, 2014, 5:44 pm
@(GL)MetalloideApks, you'll need to show me the exact code and error message for me to help.

@Mods, would it be possible to move this thread to Device-dependent » Android » Discussion » General Talk ?
Apr 4th, 2014, 7:12 pm
@lohan I figured it out. But I have one more question.
Can we change the package name of an apk?
Apr 4th, 2014, 9:52 pm
Apr 5th, 2014, 12:16 am
I know that it is possible. I wanted to know if the "package name" can be changed?

package name of Xprivacy: biz.bokhorst.xprivacy.pro
Apr 7th, 2014, 6:43 pm
package name means multiple things.

1.) the name of the android package as it is installed on the system. this is what you're asking, and the technique is demonstrated in the link i gave earlier. instead of changing the app name, you change the package name.
Code:
<manifest android:versionCode="1" android:versionName="1.0" package="com.example.google.services"
  xmlns:android="http://schemas.android.com/apk/res/android">


change "com.example.google.services" to "com.poopsmith.homestar" and rebuild with apktool

2.) the name of the class paths of the code within the app. these can be changed as easily, but not without the danger of breaking things like reflection. there's almost no reason to do this, so i'm fairly certain you're not asking.
Apr 7th, 2014, 7:13 pm
I ask this because I think by changing the package name (com.xxxxxx.xxxx) we can bypass the LVL verification. I think that the Play Store only verifies those apps whose package name is on their servers, so by changing it we can easily bypass it. I once tried to change the package name, but while compiling it gave me an error.
Apr 8th, 2014, 2:31 am
the lvl code is open source. you can read it yourself: https://code.google.com/p/marketlicensi ... Flicensing

i don't think just changing the package will work. there is a check to see if the app is licensed. even if your hypothesis is correct, it stands to reason that an unknown app would get a not_licensed status response, and the app will shut down as if it were unlicensed.
Apr 10th, 2014, 4:05 am
Hello lohan, do you know how to deobfuscate the below code(byte array) to normal smali code?

.class public final Lo/_;
.super Ljava/lang/Object;
.source ""


# static fields
.field private static final ・:[B


# direct methods
.method static constructor <clinit>()V
.locals 1

const/16 v0, 0x17

new-array v0, v0, [B

fill-array-data v0, :array_0

sput-object v0, Lo/_;->・:[B

return-void

:array_0
.array-data 1
0x3ft
-0x5dt
0x4at
-0x41t
-0x13t
-0x6t
-0xft
0xat
-0x14t
-0x9t
0x2ct
-0x2ct
-0x15t
0x8t
-0x14t
0x28t
-0x25t
-0x12t
-0x7t
0x15t
-0x29t
0x6t
-0x8t
.end array-data
.end method

.method public constructor <init>()V
.locals 0

.line 0
invoke-direct {p0}, Ljava/lang/Object;-><init>()V

return-void
.end method

.method public static ・()I
.locals 10

.line 0
invoke-static {}, Lcom/skvalex/callrecorder/CallRecorderApp;->・()Landroid/content/Context;

move-result-object v0

.line 16
move-object v5, v0

invoke-static {v0}, Landroid/preference/PreferenceManager;->getDefaultSharedPreferences(Landroid/content/Context;)Landroid/content/SharedPreferences;

move-result-object v0

.line 17
const/4 v7, 0x3

new-instance v1, Ljava/lang/String;

const/4 v9, 0x0

sget-object v8, Lo/_;->・:[B

const/16 v6, 0x63

const/16 v2, 0x14

new-array v2, v2, [B

goto :goto_1

:goto_0
sub-int v3, v6, v3

add-int/lit8 v6, v3, -0x7

:goto_1
int-to-byte v3, v6

aput-byte v3, v2, v9

const/16 v3, 0x13

if-ne v9, v3, :cond_0

const/4 v3, 0x0

invoke-direct {v1, v2, v3}, Ljava/lang/String;-><init>([BI)V

goto :goto_2

:cond_0
add-int/lit8 v7, v7, 0x1

add-int/lit8 v9, v9, 0x1

aget-byte v3, v8, v7

goto :goto_0

:goto_2
invoke-virtual {v5}, Landroid/content/Context;->getResources()Landroid/content/res/Resources;

move-result-object v2

const v3, 0x7f060016

invoke-virtual {v2, v3}, Landroid/content/res/Resources;->getString(I)Ljava/lang/String;

move-result-object v2

invoke-interface {v0, v1, v2}, Landroid/content/SharedPreferences;->getString(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;

move-result-object v0

invoke-static {v0}, Ljava/lang/Integer;->parseInt(Ljava/lang/String;)I

move-result v0

return v0
.end method

Any tips or methods please? Could you please guide me, Thank you very much.
Apr 10th, 2014, 4:40 pm
just fyi, i wouldn't call this code obfuscated. that's when transformations are applied to an entire app or class. what we have here is simply an encrypted string. there are a few ways to attack this.

1.) easy, no learning:
just print the string out right before it's used.
Code:
# adding this log stuff
invoke-static {v1, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
invoke-interface {v0, v1, v2}, Landroid/content/SharedPreferences;->getString(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;


2.) harder, learning, eventually easy:
convert the smali to java or use jadx to decompile the smali to something a little less verbose and easy to understand. once in that form, clean up the code to only the essentials.
Code:
public final class someClass {
    private static final byte[] someArr = new byte[] { 63, -93, 74, -65, -19, -6, -15, 10, -20, -9, 44, -44, -21, 8,
                    -20, 40, -37, -18, -7, 21, -41, 6, -8, 0 };

    public static void main(String[] argv) {
        someMethod();
    }

    public static void someMethod() {
        int index = 3;
        int charVal = 99;
        byte[] cipher = someArr;
        byte[] decrypted = new byte[20];

        for (int i = 0; i < 20; i++) {
            decrypted[i] = (byte) charVal;
            index++;
            charVal -= cipher[index] + 7;
        }

        System.out.println("Decrypted: " + new String(decrypted));
    }
}


Output:
Code:
Decrypted: convertAfterCallPref



And of course, there's always option #3: understand the smali as you read it :D
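As an added example (not lohan's code, and not code from the app in question), here is option #2 done in Python in the way an analyst would script it when a sample has many such strings: parse the `.array-data` block straight out of the smali text, then replay the loop with the same constants the smali uses (seed 0x63, start index 3, 20 output bytes, subtract the next array byte plus 7). The loop mirrors the smali control flow exactly, so unlike the Java version it never reads past the end of the 23-byte array and needs no padding zero. The sample input is the array block copied from the smali posted above; the parameter names `seed`, `start`, `length` and `delta` are my own labels for the loop constants.

```python
"""Recover the string behind the byte-array loop from the smali posted above.

Added example: parses a smali `.array-data 1` block and replays the decode
loop the smali implements (constants taken from the posted method).
"""
import re

# Constructed sample input: the .array-data block copied from the smali above.
SMALI_SNIPPET = """\
:array_0
.array-data 1
0x3ft
-0x5dt
0x4at
-0x41t
-0x13t
-0x6t
-0xft
0xat
-0x14t
-0x9t
0x2ct
-0x2ct
-0x15t
0x8t
-0x14t
0x28t
-0x25t
-0x12t
-0x7t
0x15t
-0x29t
0x6t
-0x8t
.end array-data
"""


def parse_array_data(smali: str) -> list:
    """Return the signed byte values of the first `.array-data 1` block.

    baksmali writes byte literals as hex with a trailing 't' (e.g. `-0x5dt`);
    int(..., 16) accepts the 0x prefix and the sign directly.
    """
    m = re.search(r"\.array-data 1\n(.*?)\.end array-data", smali, re.S)
    if not m:
        raise ValueError("no .array-data 1 block found")
    return [int(tok.rstrip("t"), 16) for tok in m.group(1).split()]


def decode(cipher, seed=0x63, start=3, length=0x14, delta=7) -> str:
    """Replay the smali loop: store charVal, and only if more bytes are
    needed advance the index and derive the next charVal.

    seed   = const/16 v6, 0x63      start  = const/4 v7, 0x3
    length = const/16 v2, 0x14      delta  = add-int/lit8 v6, v3, -0x7
    """
    out = bytearray()
    idx, val = start, seed
    for i in range(length):
        out.append(val & 0xFF)            # int-to-byte v3, v6 / aput-byte
        if i == length - 1:               # if-ne v9, 0x13 falls through: done
            break
        idx += 1                          # add-int/lit8 v7, v7, 0x1
        val = val - cipher[idx] - delta   # sub-int v3, v6, v3 ; v6 = v3 - 7
    return out.decode("latin-1")


def recover(smali: str) -> str:
    """Parse the array from the smali text and decode it with the constants above."""
    return decode(parse_array_data(smali))


if __name__ == "__main__":
    print("Decrypted:", recover(SMALI_SNIPPET))
```

When you run this on the posted smali it prints `Decrypted: convertAfterCallPref`, the same preference key the Java version produced. If other methods in the same sample reuse the array with different constants, only the arguments to `decode` change; the parser and the loop stay the same.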
May 10th, 2014, 11:34 am
You killed them all with explanation :twisted: :lol:

SUPPORT DEVELOPERS.
DO NOT ADD MIRRORS IN MY RELEASES.
IF YOU LIKE IT, BUY IT.

RETIRED !