Android Tutorial Smali Hacking Tutorial #2 (Boolean)

Ted2 · January 12, 2017

Hey!

Long time ago, I made a Smali Hacking tutorial!

Find it here: https://iosgods.com/topic/30729-simple-smali-hacking/

Today, I wanna create a new one.

This one is about boolean hacking

boolean = FALSE/TRUE

Can be written in diffrent ways:

FALSE --> '0x0' or just '0' (smali only 0x0, atleast for what I've worked on)

TRUE --> '0x1' or just '1' (smali also only 0x1, again atleast for what I've worked on)

The game in this tutorial:

https://play.google.com/store/apps/details?id=com.fungamesforfree.snipershooter.free&hl=nl

Download the game on your pc & decompile it, how?

- https://iosgods.com/topic/43411-decompile-recompile-apk-without-a-tool-like-advancedapktool-etc/

or use a tool:

- https://iosgods.com/topic/30893-advanced-apktool-windows-download-link/

Once decompiled, it will look like this:

Open up Sublime Text, Notepad++ or something like that.

We're gonna search for functions in ALL smali files.

How we do that is simple, once you opened Sublime Text you have a option 'Find'

Go to 'Find' - 'Find in files', now locate the smali folder from the decompiled apk

Will look like this:

So, for what kind of functions do we need to search?

Well, every game is diffrent, in some you won't even success.

Some example functions:

-hasUnlocked

-isUnlocked

-isLocked

-hasUpgraded

-isUpgraded

-has'itemofgame'

-hasPurchased'itemofgame'

-is'itemofgame'Purchased'

-is'itemofgame'locked

-is'itemofgame'unlocked

etc etc.

The game we have, includes weapons.

We will try 'hasUnlocked' first:

0 matches.

We will try 'isUnlocked' & 'isLocked'

0 matches for both

We will try 'has'itemofgame' = 'hasWeapon'

0 matches

We will try 'hasPurchased'itemofgame'' = 'hasPurchasedWeapon'

0 matches

We will try 'isWeaponPurchased'

14 Matches in 6 files.

So, we got which matches in the files. This does NOT mean, it's the right one. Let's have a look

This is what we got:

Searching 3204 files for "isWeaponPurchased"

~ /Users/Joey/Desktop/apktool/ssf/smali/com/fungamesforfree/snipershooter/d/a.smali:
  823      move-result v3
  824  
  825:     invoke-virtual {v2, v3}, Lcom/fungamesforfree/snipershooter/data/GameData;->isWeaponPurchased(I)Z
  826  
  827      move-result v3
  ...
  850      move-result v3
  851  
  852:     invoke-virtual {v2, v3}, Lcom/fungamesforfree/snipershooter/data/GameData;->isWeaponPurchased(I)Z
  853  
  854      move-result v3
  ...
  875      move-result v3
  876  
  877:     invoke-virtual {v2, v3}, Lcom/fungamesforfree/snipershooter/data/GameData;->isWeaponPurchased(I)Z
  878  
  879      move-result v3
  ...
  900      move-result v3
  901  
  902:     invoke-virtual {v2, v3}, Lcom/fungamesforfree/snipershooter/data/GameData;->isWeaponPurchased(I)Z
  903  
  904      move-result v2


~ /Users/Joey/Desktop/apktool/ssf/smali/com/fungamesforfree/snipershooter/data/GameData.smali:
 1972  .end method
 1973  
 1974: .method public isWeaponPurchased(I)Z
 1975      .locals 5
 1976  


~ /Users/Joey/Desktop/apktool/ssf/smali/com/fungamesforfree/snipershooter/k.smali:
  189      aget v4, v4, v0
  190  
  191:     invoke-virtual {p0, v4}, Lcom/fungamesforfree/snipershooter/data/GameData;->isWeaponPurchased(I)Z
  192  
  193      move-result v4


~ /Users/Joey/Desktop/apktool/ssf/smali/com/fungamesforfree/snipershooter/l/dv.smali:
  837      move-result v4
  838  
  839:     invoke-virtual {v5, v4}, Lcom/fungamesforfree/snipershooter/data/GameData;->isWeaponPurchased(I)Z
  840  
  841      move-result v4
  ...
 1095      move-result v4
 1096  
 1097:     invoke-virtual {v3, v4}, Lcom/fungamesforfree/snipershooter/data/GameData;->isWeaponPurchased(I)Z
 1098  
 1099      move-result v3
 ....
 1330      move-result v4
 1331  
 1332:     invoke-virtual {v3, v4}, Lcom/fungamesforfree/snipershooter/data/GameData;->isWeaponPurchased(I)Z
 1333  
 1334      move-result v3


~ /Users/Joey/Desktop/apktool/ssf/smali/com/fungamesforfree/snipershooter/l/i.smali:
  426      move-result v5
  427  
  428:     invoke-virtual {v4, v5}, Lcom/fungamesforfree/snipershooter/data/GameData;->isWeaponPurchased(I)Z
  429  
  430      move-result v4
  ...
  732      aget v3, v3, v0
  733  
  734:     invoke-virtual {v2, v3}, Lcom/fungamesforfree/snipershooter/data/GameData;->isWeaponPurchased(I)Z
  735  
  736      move-result v3


~ /Users/Joey/Desktop/apktool/ssf/smali/com/fungamesforfree/snipershooter/o/d.smali:
  356      iget-object v7, p0, Lcom/fungamesforfree/snipershooter/o/d;->b:Lcom/fungamesforfree/snipershooter/data/GameData;
  357  
  358:     invoke-virtual {v7, v4}, Lcom/fungamesforfree/snipershooter/data/GameData;->isWeaponPurchased(I)Z
  359  
  360      move-result v4
  ...
  364      iget-object v4, p0, Lcom/fungamesforfree/snipershooter/o/d;->b:Lcom/fungamesforfree/snipershooter/data/GameData;
  365  
  366:     invoke-virtual {v4, v5}, Lcom/fungamesforfree/snipershooter/data/GameData;->isWeaponPurchased(I)Z
  367  
  368      move-result v4
  ...
  372      iget-object v4, p0, Lcom/fungamesforfree/snipershooter/o/d;->b:Lcom/fungamesforfree/snipershooter/data/GameData;
  373  
  374:     invoke-virtual {v4, v6}, Lcom/fungamesforfree/snipershooter/data/GameData;->isWeaponPurchased(I)Z
  375  
  376      move-result v4


14 matches across 6 files

You see what we got?

The one marked with '~' is the location of the .smali where our matches has been found.

you'll see the most do locate to GameData.smali (under '~' they locate to

com/fungamesforfree/snipershooter/data/GameData.smali:

OUR SECOND match IS GameData.smali, so we REALLY need to check this one out, also the name of it is intresting!

So let's open the second one (double click on it in your text viewer (sublime text in my case)

/Users/Joey/Desktop/apktool/ssf/smali/com/fungamesforfree/snipershooter/data/GameData.smali:

The whole code until the function is ended, is pretty long. It's like this:

method public isWeaponPurchased(I)Z    .locals 5   --> Start of function, the 'Z' means boolean.


    .prologue
    const/4 v1, 0x0


    .line 435
    invoke-static {}, Lcom/fungamesforfree/snipershooter/d/a;->l()Ljava/util/List;


    move-result-object v0


    .line 436
    invoke-virtual {p0}, Lcom/fungamesforfree/snipershooter/data/GameData;->getPurchasedWeapons()[Z


    move-result-object v2


    .line 438
    invoke-interface {v0}, Ljava/util/List;->iterator()Ljava/util/Iterator;


    move-result-object v3


    :cond_0
    invoke-interface {v3}, Ljava/util/Iterator;->hasNext()Z


    move-result v0


    if-nez v0, :cond_1


    .line 444
    array-length v0, v2


    if-ge p1, v0, :cond_2


    .line 445
    aget-boolean v0, v2, p1


    .line 448
    :goto_0
    return v0


    .line 438
    :cond_1
    invoke-interface {v3}, Ljava/util/Iterator;->next()Ljava/lang/Object;


    move-result-object v0


    check-cast v0, Lcom/fungamesforfree/snipershooter/d/a;


    .line 439
    invoke-virtual {v0}, Lcom/fungamesforfree/snipershooter/d/a;->r()I


    move-result v4


    if-ne v4, p1, :cond_0


    .line 440
    iget-object v2, p0, Lcom/fungamesforfree/snipershooter/data/GameData;->cryptoPreferences:Landroid/content/SharedPreferences;


    invoke-virtual {v0}, Lcom/fungamesforfree/snipershooter/d/a;->A()Ljava/lang/String;


    move-result-object v0


    invoke-interface {v2, v0, v1}, Landroid/content/SharedPreferences;->getBoolean(Ljava/lang/String;Z)Z


    move-result v0


    goto :goto_0


    :cond_2
    move v0, v1


    .line 448
    goto :goto_0.end method

It's a long one, but actually not, the function is: 'isWeaponPurchased' & right after that we get the boolean code.

This is the code we'll work with:

.method public isWeaponPurchased(I)Z  --> Function, the 'Z' is boolean
    .locals 5

    .prologue
    const/4 v1, 0x0   --> earlier explained: 0x0 means false

What do we do?

Functions is:

isWeaponPurchased, the code under it says NO IT IS NOT (0x0)

SOOOOO, WE CHANGE IT TO: 0x1, because that means TRUE.

.method public isWeaponPurchased(I)Z
    .locals 5

    .prologue
    const/4 v1, 0x1  --> changed to true

Recompile it to a apk, sign it & test it!

When you tested your .apk, you see only the last 3 weapons are unlocked, the ones you needed to purchase with real money.

I couldn't figure out how to hack the other weapons by code, maybe I missed something.

Luckily the money can be hacked with eyes closed

Coins are written in the same smali as the weapons, search for 'getMoney'

You'll get two matches

- invoke-virtual {p0}, Lcom/fungamesforfree/snipershooter/data/GameData;->getMoney()I

- .method public getMoney()I

it's the second one, because under the second one you'll find this code:

.method public getMoney()I
    .locals 3

    .prologue
    .line 351
    iget-object v0, p0, Lcom/fungamesforfree/snipershooter/data/GameData;->preferences:Landroid/content/SharedPreferences;

    const-string v1, "e"

    const/4 v2, 0x0 ---> remove the /4 + add your own value (in hex)

    invoke-interface {v0, v1, v2}, Landroid/content/SharedPreferences;->getInt(Ljava/lang/String;I)I

    move-result v0

    return v0
.end method

This is how I'll code it:

.method public getMoney()I
    .locals 3

    .prologue
    .line 351
    iget-object v0, p0, Lcom/fungamesforfree/snipershooter/data/GameData;->preferences:Landroid/content/SharedPreferences;

    const-string v1, "e"

    const v2, 0xfffffff

    invoke-interface {v0, v1, v2}, Landroid/content/SharedPreferences;->getInt(Ljava/lang/String;I)I

    move-result v0

    return v0
.end method

Recompile, sign it & test it.

Proof:

Video Tutorial:

Hope you learned something, might make a video tutorial for it too.

Credits: @Ted2

PS: I'm not hiding this tutorial because I want everyone be able to check it without giving me a like or reply, but if it helps. Please, hit the thanks &/or rep button

Updated January 12, 2017 by Ted2

Rook · January 11, 2017

Wow!

Nice one buddy! Very detailed and informative. Keep it up!

Ted2 · January 11, 2017

Wow!

Nice one buddy! Very detailed and informative. Keep it up!

Thanks man.. but I screwed up the spoilers & at the end the credits..

You know how to do them right?

Rook · January 11, 2017

Thanks man.. but I screwed up the spoilers & at the end the credits..

You know how to do them right?

Seems like the spoiler and credits tag was copy pasted. That's likely why it's not working.

Try typing them manually and remove formatting from the

tags.

Ted2 · January 11, 2017

Seems like the spoiler and credits tag was copy pasted. That's likely why it's not working.

Try typing them manually and remove formatting from the

tags.

Oh yea, I did. Thanks