Android Tutorial Bypass crc check in smali (cyclic redundancy check)

Ted2 · April 16, 2017

Hey there,

A few days ago, I figured out how a game I've been hacking for years added protection to their game.

Their protection compared stored values with the original values in classes.dex (smali files)

What does crc do?

The crc protection will detect if the game files has been modified. For example you change a simple coin value from 0x9 to 0xfff, the game will notice the original code is changed and it will probably crash the game. crc protection has it's own value/key which is stored somewhere in resources as a string.

Example: 0x7f050017

How do we bypass it?

I've never seen this kind of protection in any game before, but that might be because I don't really hack that much anymore. Anyways, I've read somewhere that this kind of protection gets more popular, so that's why I'll teach you how we bypass it.

As I said, this protection compares using .classes.dex

Open up a text editor which can read .smali files, go to 'find in files' and locate your decompiled apk.

Search for: classes.dex. I'm not sure how much hits you get, I got 2 hits.

1:

.method private static a(Ljava/util/zip/ZipFile;Ljava/util/zip/ZipEntry;Ljava/io/File;Ljava/lang/String;)V
    .locals 6

    .prologue
    .line 308
    invoke-virtual {p0, p1}, Ljava/util/zip/ZipFile;->getInputStream(Ljava/util/zip/ZipEntry;)Ljava/io/InputStream;

    move-result-object v1

    .line 310
    const-string v0, ".zip"

    invoke-virtual {p2}, Ljava/io/File;->getParentFile()Ljava/io/File;

    move-result-object v2

    invoke-static {p3, v0, v2}, Ljava/io/File;->createTempFile(Ljava/lang/String;Ljava/lang/String;Ljava/io/File;)Ljava/io/File;

    move-result-object v2

    .line 312
    const-string v0, "MultiDex"

    new-instance v3, Ljava/lang/StringBuilder;

    invoke-direct {v3}, Ljava/lang/StringBuilder;-><init>()V

    const-string v4, "Extracting "

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {v2}, Ljava/io/File;->getPath()Ljava/lang/String;

    move-result-object v4

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v3

    invoke-static {v0, v3}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I

    .line 314
    :try_start_0
    new-instance v3, Ljava/util/zip/ZipOutputStream;

    new-instance v0, Ljava/io/BufferedOutputStream;

    new-instance v4, Ljava/io/FileOutputStream;

    invoke-direct {v4, v2}, Ljava/io/FileOutputStream;-><init>(Ljava/io/File;)V

    invoke-direct {v0, v4}, Ljava/io/BufferedOutputStream;-><init>(Ljava/io/OutputStream;)V

    invoke-direct {v3, v0}, Ljava/util/zip/ZipOutputStream;-><init>(Ljava/io/OutputStream;)V
    :try_end_0
    .catchall {:try_start_0 .. :try_end_0} :catchall_0

    .line 316
    :try_start_1
    new-instance v0, Ljava/util/zip/ZipEntry;

    const-string v4, "classes.dex" <----->

    invoke-direct {v0, v4}, Ljava/util/zip/ZipEntry;-><init>(Ljava/lang/String;)V

    .line 318
    invoke-virtual {p1}, Ljava/util/zip/ZipEntry;->getTime()J

    move-result-wide v4

    invoke-virtual {v0, v4, v5}, Ljava/util/zip/ZipEntry;->setTime(J)V

    .line 319
    invoke-virtual {v3, v0}, Ljava/util/zip/ZipOutputStream;->putNextEntry(Ljava/util/zip/ZipEntry;)V

    .line 321
    const/16 v0, 0x4000

    new-array v4, v0, [B

    .line 322
    invoke-virtual {v1, v4}, Ljava/io/InputStream;->read([B)I

    move-result v0

    .line 323
    :goto_0
    const/4 v5, -0x1

    if-eq v0, v5, :cond_0

    .line 324
    const/4 v5, 0x0

    invoke-virtual {v3, v4, v5, v0}, Ljava/util/zip/ZipOutputStream;->write([BII)V

    .line 325
    invoke-virtual {v1, v4}, Ljava/io/InputStream;->read([B)I

    move-result v0

    goto :goto_0

    .line 327
    :cond_0
    invoke-virtual {v3}, Ljava/util/zip/ZipOutputStream;->closeEntry()V
    :try_end_1
    .catchall {:try_start_1 .. :try_end_1} :catchall_1

    .line 329
    :try_start_2
    invoke-virtual {v3}, Ljava/util/zip/ZipOutputStream;->close()V

    .line 331
    const-string v0, "MultiDex"

    new-instance v3, Ljava/lang/StringBuilder;

    invoke-direct {v3}, Ljava/lang/StringBuilder;-><init>()V

    const-string v4, "Renaming to "

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {p2}, Ljava/io/File;->getPath()Ljava/lang/String;

    move-result-object v4

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v3

    invoke-static {v0, v3}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I

    .line 332
    invoke-virtual {v2, p2}, Ljava/io/File;->renameTo(Ljava/io/File;)Z

    move-result v0

    if-nez v0, :cond_1

    .line 333
    new-instance v0, Ljava/io/IOException;

    new-instance v3, Ljava/lang/StringBuilder;

    invoke-direct {v3}, Ljava/lang/StringBuilder;-><init>()V

    const-string v4, "Failed to rename \""

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {v2}, Ljava/io/File;->getAbsolutePath()Ljava/lang/String;

    move-result-object v4

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    const-string v4, "\" to \""

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {p2}, Ljava/io/File;->getAbsolutePath()Ljava/lang/String;

    move-result-object v4

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    const-string v4, "\""

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v3

    invoke-direct {v0, v3}, Ljava/io/IOException;-><init>(Ljava/lang/String;)V

    throw v0
    :try_end_2
    .catchall {:try_start_2 .. :try_end_2} :catchall_0

    .line 337
    :catchall_0
    move-exception v0

    invoke-static {v1}, Landroid/support/c/b;->a(Ljava/io/Closeable;)V

    .line 338
    invoke-virtual {v2}, Ljava/io/File;->delete()Z

    throw v0

    .line 329
    :catchall_1
    move-exception v0

    :try_start_3
    invoke-virtual {v3}, Ljava/util/zip/ZipOutputStream;->close()V

    throw v0
    :try_end_3
    .catchall {:try_start_3 .. :try_end_3} :catchall_0

    .line 337
    :cond_1
    invoke-static {v1}, Landroid/support/c/b;->a(Ljava/io/Closeable;)V

    .line 338
    invoke-virtual {v2}, Ljava/io/File;->delete()Z

    .line 340
    return-void
.end method

this method is long as hell, doesn't seem to have any value or key like 0x7f050017 etc. Also, it didn't seem any intresting to me cause it didn't got any intresting .smali places like com/gamecreators/gamename, just android/support.

Let's look at hit 2 first.

.method public a()Z
    .locals 6

    .prologue
    const/4 v1, 0x0

    .line 34
    new-instance v0, Ljava/util/zip/ZipFile;

    iget-object v2, p0, Lcom/companyname/test/e;->a:Landroid/content/Context;

    invoke-virtual {v2}, Landroid/content/Context;->getPackageCodePath()Ljava/lang/String;

    move-result-object v2

    invoke-direct {v0, v2}, Ljava/util/zip/ZipFile;-><init>(Ljava/lang/String;)V

    .line 35
    const-string v2, "classes.dex" <----->

    invoke-virtual {v0, v2}, Ljava/util/zip/ZipFile;->getEntry(Ljava/lang/String;)Ljava/util/zip/ZipEntry;

    move-result-object v2

    .line 36
    const-string v3, "classes2.dex" <------>

    invoke-virtual {v0, v3}, Ljava/util/zip/ZipFile;->getEntry(Ljava/lang/String;)Ljava/util/zip/ZipEntry;

    move-result-object v3

    .line 38
    invoke-virtual {v0, v2}, Ljava/util/zip/ZipFile;->getInputStream(Ljava/util/zip/ZipEntry;)Ljava/io/InputStream;

    move-result-object v2

    .line 39
    invoke-virtual {v0, v3}, Ljava/util/zip/ZipFile;->getInputStream(Ljava/util/zip/ZipEntry;)Ljava/io/InputStream;

    move-result-object v0

    .line 41
    invoke-direct {p0, v2}, Lcom/companyname/test/e;->a(Ljava/io/InputStream;)Ljava/lang/String;

    move-result-object v3

    .line 42
    invoke-direct {p0, v0}, Lcom/companyname/test/e;->a(Ljava/io/InputStream;)Ljava/lang/String;

    move-result-object v0

    .line 47
    :try_start_0
    invoke-direct {p0}, Lcom/companyname/test/e;->b()Ljava/security/PublicKey;

    move-result-object v2

    .line 48
    const v4, 0x7f050017   ###

    invoke-direct {p0, v4}, Lcom/companyname/test/e;->a(I)[B

    move-result-object v4

    .line 49
    const v5, 0x7f050016   ###

    invoke-direct {p0, v5, v4, v2}, Lcom/companyname/test/e;->a(I[BLjava/security/PublicKey;)Z
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

    move-result v2

    .line 51
    if-eqz v2, :cond_1

    .line 52
    const v4, 0x7f050016   ###

    :try_start_1
    invoke-direct {p0, v4, v3, v0}, Lcom/companyname/test/e;->a(ILjava/lang/String;Ljava/lang/String;)Z
    :try_end_1
    .catch Ljava/lang/Exception; {:try_start_1 .. :try_end_1} :catch_1

    move-result v0

    .line 58
    :goto_0
    if-eqz v2, :cond_0

    if-eqz v0, :cond_0

    const/4 v1, 0x1

    :cond_0
    return v1

    .line 55
    :catch_0
    move-exception v0

    move v0, v1

    :goto_1
    move v2, v0

    move v0, v1

    goto :goto_0

    :catch_1
    move-exception v0

    move v0, v2

    goto :goto_1

    :cond_1
    move v0, v1

    goto :goto_0
.end method

This one gets intresting. Values are in this function marked with ### + the location (which I did rename) are intresting. com/companyname/test/e.

Okay, I believe there are like 5 ways to bypass the check.

I'm gonna tell you the most simple one.

The function name, what does it say? (the beginning of code I added)

.method public a()Z

Z = BOOLEAN in smali.

Let's look under the function name:

.method public a()Z
    .locals 6

    .prologue
    const/4 v1, 0x0

0x0 = false

0x1 = true

Since we're pretty sure the method is the crc protection, change 0x0 to 0x1.

Recompile - sign & test.

Why?

.Method public a()Z

translated should me something like: isOrignalClasses.Dex or hasNotBeenModified etc

it automaticly returns to false, but we want it to true.

Hope I explained it a bit well, it's complicated so hard to explain.

Credit: @Ted2

Updated April 16, 2017 by Ted2

Nerdstomper · September 17, 2017

Good find man. I found a game that used classes.dex to store all the game values. where did you learn smali code?

Ted2 · September 17, 2017

5 hours ago, Nerdstomper said:

Good find man. I found a game that used classes.dex to store all the game values. where did you learn smali code?

Teached myself

Sign In

Android Tutorial Bypass crc check in smali (cyclic redundancy check)

3 posts in this topic

Recommended Posts

Ted2 38.9k Donor

Nerdstomper 0 Galaxy S7 7.0

Ted2 38.9k Donor

Create an account or sign in to comment

Create an account

Sign in

Our picks

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Important Information

Ted2 38.9k

Donor

Nerdstomper 0
Galaxy S7

7.0

Ted2 38.9k

Donor