Jump to content

3 posts in this topic

Recommended Posts

Updated (edited)

Hey there,

 

A few days ago, I figured out how a game I've been hacking for years added protection to their game.

Their protection compared stored values with the original values in classes.dex (smali files)

 

What does crc do?

The crc protection will detect if the game files has been modified. For example you change a simple coin value from 0x9 to 0xfff, the game will notice the original code is changed and it will probably crash the game. crc protection has it's own value/key which is stored somewhere in resources as a string. 

Example: 0x7f050017

 

How do we bypass it?

I've never seen this kind of protection in any game before, but that might be because I don't really hack that much anymore. Anyways, I've read somewhere that this kind of protection gets more popular, so that's why I'll teach you how we bypass it.

 

As I said, this protection compares using .classes.dex

 

Open up a text editor which can read .smali files, go to 'find in files' and locate your decompiled apk.

Search for: classes.dex. I'm not sure how much hits you get, I got 2 hits.

 

1:

.method private static a(Ljava/util/zip/ZipFile;Ljava/util/zip/ZipEntry;Ljava/io/File;Ljava/lang/String;)V
    .locals 6

    .prologue
    .line 308
    invoke-virtual {p0, p1}, Ljava/util/zip/ZipFile;->getInputStream(Ljava/util/zip/ZipEntry;)Ljava/io/InputStream;

    move-result-object v1

    .line 310
    const-string v0, ".zip"

    invoke-virtual {p2}, Ljava/io/File;->getParentFile()Ljava/io/File;

    move-result-object v2

    invoke-static {p3, v0, v2}, Ljava/io/File;->createTempFile(Ljava/lang/String;Ljava/lang/String;Ljava/io/File;)Ljava/io/File;

    move-result-object v2

    .line 312
    const-string v0, "MultiDex"

    new-instance v3, Ljava/lang/StringBuilder;

    invoke-direct {v3}, Ljava/lang/StringBuilder;-><init>()V

    const-string v4, "Extracting "

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {v2}, Ljava/io/File;->getPath()Ljava/lang/String;

    move-result-object v4

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v3

    invoke-static {v0, v3}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I

    .line 314
    :try_start_0
    new-instance v3, Ljava/util/zip/ZipOutputStream;

    new-instance v0, Ljava/io/BufferedOutputStream;

    new-instance v4, Ljava/io/FileOutputStream;

    invoke-direct {v4, v2}, Ljava/io/FileOutputStream;-><init>(Ljava/io/File;)V

    invoke-direct {v0, v4}, Ljava/io/BufferedOutputStream;-><init>(Ljava/io/OutputStream;)V

    invoke-direct {v3, v0}, Ljava/util/zip/ZipOutputStream;-><init>(Ljava/io/OutputStream;)V
    :try_end_0
    .catchall {:try_start_0 .. :try_end_0} :catchall_0

    .line 316
    :try_start_1
    new-instance v0, Ljava/util/zip/ZipEntry;

    const-string v4, "classes.dex" <----->

    invoke-direct {v0, v4}, Ljava/util/zip/ZipEntry;-><init>(Ljava/lang/String;)V

    .line 318
    invoke-virtual {p1}, Ljava/util/zip/ZipEntry;->getTime()J

    move-result-wide v4

    invoke-virtual {v0, v4, v5}, Ljava/util/zip/ZipEntry;->setTime(J)V

    .line 319
    invoke-virtual {v3, v0}, Ljava/util/zip/ZipOutputStream;->putNextEntry(Ljava/util/zip/ZipEntry;)V

    .line 321
    const/16 v0, 0x4000

    new-array v4, v0, [B

    .line 322
    invoke-virtual {v1, v4}, Ljava/io/InputStream;->read([B)I

    move-result v0

    .line 323
    :goto_0
    const/4 v5, -0x1

    if-eq v0, v5, :cond_0

    .line 324
    const/4 v5, 0x0

    invoke-virtual {v3, v4, v5, v0}, Ljava/util/zip/ZipOutputStream;->write([BII)V

    .line 325
    invoke-virtual {v1, v4}, Ljava/io/InputStream;->read([B)I

    move-result v0

    goto :goto_0

    .line 327
    :cond_0
    invoke-virtual {v3}, Ljava/util/zip/ZipOutputStream;->closeEntry()V
    :try_end_1
    .catchall {:try_start_1 .. :try_end_1} :catchall_1

    .line 329
    :try_start_2
    invoke-virtual {v3}, Ljava/util/zip/ZipOutputStream;->close()V

    .line 331
    const-string v0, "MultiDex"

    new-instance v3, Ljava/lang/StringBuilder;

    invoke-direct {v3}, Ljava/lang/StringBuilder;-><init>()V

    const-string v4, "Renaming to "

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {p2}, Ljava/io/File;->getPath()Ljava/lang/String;

    move-result-object v4

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v3

    invoke-static {v0, v3}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I

    .line 332
    invoke-virtual {v2, p2}, Ljava/io/File;->renameTo(Ljava/io/File;)Z

    move-result v0

    if-nez v0, :cond_1

    .line 333
    new-instance v0, Ljava/io/IOException;

    new-instance v3, Ljava/lang/StringBuilder;

    invoke-direct {v3}, Ljava/lang/StringBuilder;-><init>()V

    const-string v4, "Failed to rename \""

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {v2}, Ljava/io/File;->getAbsolutePath()Ljava/lang/String;

    move-result-object v4

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    const-string v4, "\" to \""

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {p2}, Ljava/io/File;->getAbsolutePath()Ljava/lang/String;

    move-result-object v4

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    const-string v4, "\""

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v3

    invoke-direct {v0, v3}, Ljava/io/IOException;-><init>(Ljava/lang/String;)V

    throw v0
    :try_end_2
    .catchall {:try_start_2 .. :try_end_2} :catchall_0

    .line 337
    :catchall_0
    move-exception v0

    invoke-static {v1}, Landroid/support/c/b;->a(Ljava/io/Closeable;)V

    .line 338
    invoke-virtual {v2}, Ljava/io/File;->delete()Z

    throw v0

    .line 329
    :catchall_1
    move-exception v0

    :try_start_3
    invoke-virtual {v3}, Ljava/util/zip/ZipOutputStream;->close()V

    throw v0
    :try_end_3
    .catchall {:try_start_3 .. :try_end_3} :catchall_0

    .line 337
    :cond_1
    invoke-static {v1}, Landroid/support/c/b;->a(Ljava/io/Closeable;)V

    .line 338
    invoke-virtual {v2}, Ljava/io/File;->delete()Z

    .line 340
    return-void
.end method

this method is long as hell, doesn't seem to have any value or key like 0x7f050017 etc. Also, it didn't seem any intresting to me cause it didn't got any intresting .smali places like com/gamecreators/gamename, just android/support.

Let's look at hit 2 first.

.method public a()Z
    .locals 6

    .prologue
    const/4 v1, 0x0

    .line 34
    new-instance v0, Ljava/util/zip/ZipFile;

    iget-object v2, p0, Lcom/companyname/test/e;->a:Landroid/content/Context;

    invoke-virtual {v2}, Landroid/content/Context;->getPackageCodePath()Ljava/lang/String;

    move-result-object v2

    invoke-direct {v0, v2}, Ljava/util/zip/ZipFile;-><init>(Ljava/lang/String;)V

    .line 35
    const-string v2, "classes.dex" <----->

    invoke-virtual {v0, v2}, Ljava/util/zip/ZipFile;->getEntry(Ljava/lang/String;)Ljava/util/zip/ZipEntry;

    move-result-object v2

    .line 36
    const-string v3, "classes2.dex" <------>

    invoke-virtual {v0, v3}, Ljava/util/zip/ZipFile;->getEntry(Ljava/lang/String;)Ljava/util/zip/ZipEntry;

    move-result-object v3

    .line 38
    invoke-virtual {v0, v2}, Ljava/util/zip/ZipFile;->getInputStream(Ljava/util/zip/ZipEntry;)Ljava/io/InputStream;

    move-result-object v2

    .line 39
    invoke-virtual {v0, v3}, Ljava/util/zip/ZipFile;->getInputStream(Ljava/util/zip/ZipEntry;)Ljava/io/InputStream;

    move-result-object v0

    .line 41
    invoke-direct {p0, v2}, Lcom/companyname/test/e;->a(Ljava/io/InputStream;)Ljava/lang/String;

    move-result-object v3

    .line 42
    invoke-direct {p0, v0}, Lcom/companyname/test/e;->a(Ljava/io/InputStream;)Ljava/lang/String;

    move-result-object v0

    .line 47
    :try_start_0
    invoke-direct {p0}, Lcom/companyname/test/e;->b()Ljava/security/PublicKey;

    move-result-object v2

    .line 48
    const v4, 0x7f050017   ###

    invoke-direct {p0, v4}, Lcom/companyname/test/e;->a(I)[B

    move-result-object v4

    .line 49
    const v5, 0x7f050016   ###

    invoke-direct {p0, v5, v4, v2}, Lcom/companyname/test/e;->a(I[BLjava/security/PublicKey;)Z
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

    move-result v2

    .line 51
    if-eqz v2, :cond_1

    .line 52
    const v4, 0x7f050016   ###

    :try_start_1
    invoke-direct {p0, v4, v3, v0}, Lcom/companyname/test/e;->a(ILjava/lang/String;Ljava/lang/String;)Z
    :try_end_1
    .catch Ljava/lang/Exception; {:try_start_1 .. :try_end_1} :catch_1

    move-result v0

    .line 58
    :goto_0
    if-eqz v2, :cond_0

    if-eqz v0, :cond_0

    const/4 v1, 0x1

    :cond_0
    return v1

    .line 55
    :catch_0
    move-exception v0

    move v0, v1

    :goto_1
    move v2, v0

    move v0, v1

    goto :goto_0

    :catch_1
    move-exception v0

    move v0, v2

    goto :goto_1

    :cond_1
    move v0, v1

    goto :goto_0
.end method

This one gets intresting. Values are in this function marked with ### + the location (which I did rename) are intresting. com/companyname/test/e.

 

Okay, I believe there are like 5 ways to bypass the check.

I'm gonna tell you the most simple one.

 

The function name, what does it say? (the beginning of code I added)

.method public a()Z

Z = BOOLEAN in smali.

 

Let's look under the function name:

.method public a()Z
    .locals 6

    .prologue
    const/4 v1, 0x0

0x0 = false

0x1 = true

 

Since we're pretty sure the method is the crc protection, change 0x0 to 0x1.

Recompile - sign & test.

 

Why?

.Method public a()Z

translated should me something like: isOrignalClasses.Dex or hasNotBeenModified etc

it automaticly returns to false, but we want it to true.

 

Hope I explained it a bit well, it's complicated so hard to explain.

 

Credit: @Ted2

 

Updated by Ted2
  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Our picks

    • Wittle Defender v1.1.4.10 [+2 Cheats]
      Modded/Hacked App: Wittle Defender By HABBY PTE. LTD.
      Bundle ID: com.game.kingrush
      App Store Link: https://apps.apple.com/us/app/wittle-defender/id6502815032?uo=4

       

      Important


      Do not Abuse. Not responsible for any bans.

      Visual damage not represent real damage

       

      🤩 Hack Features

      - Damage Multiplier
      - Defense Multiplier

      • 28 replies
    • Wittle Defender v1.1.4.10 [+2 Jailed Cheats]
      Modded/Hacked App: Wittle Defender By HABBY PTE. LTD.
      Bundle ID: com.game.kingrush
      App Store Link: https://apps.apple.com/us/app/wittle-defender/id6502815032?uo=4


       

      🤩 Hack Features

      - Damage Multiplier
      - Defense Multiplier
       
      • 90 replies
    • Wasteland Survival TD v0.6.1 [ +5 Cheats ] Currency Max
      Modded/Hacked App: Wasteland Survival TD By Mildmania Oyun Sistemleri Anonim Sirketi
      Bundle ID: com.mildmania.wasteland
      App Store Link: https://apps.apple.com/ca/app/wasteland-survival-td/id6749257865?uo=4

      🤩 Hack Features

      - Unlimited Currency
      - Unlimited Resources
      - Unlimited Battle Coins
      - Always Last Wave
      - DMG
      • 1 reply
    • Wasteland Survival TD v0.6.1 [ +5 Jailed ] Currency Max
      Modded/Hacked App: Wasteland Survival TD By Mildmania Oyun Sistemleri Anonim Sirketi
      Bundle ID: com.mildmania.wasteland
      App Store Link: https://apps.apple.com/ca/app/wasteland-survival-td/id6749257865?uo=4

      🤩 Hack Features

      - Unlimited Currency
      - Unlimited Resources
      - Unlimited Battle Coins
      - Always Last Wave
      - DMG
      • 2 replies
    • Royal Match v31110 +10 Jailed Cheats [ Coins + More ]
      Modded/Hacked App: Royal Match By Dream Games Teknoloji Anonim Sirketi
      Bundle ID: com.dreamgames.royalmatch
      iTunes Store Link: https://apps.apple.com/us/app/royal-match/id1482155847?uo=4


      Mod Requirements:
      - Non-Jailbroken/Jailed or Jailbroken iPhone/iPad/iPod Touch.
      - Sideloadly / Cydia Impactor or alternatives.
      - A Computer Running Windows/macOS/Linux with iTunes installed.


      Hack Features:
      - Freeze Coins
      - Freeze Lives
      - Freeze Stars
      - Freeze Boosters
      - Freeze Time
      - Freeze Moves
      - Unlock VIP Badges
      - Unlock VIP Name Styles
      - Unlock VIP Frames
      - Auto Win -> Quit the level.


      Jailbreak required hack(s): [Mod Menu Hack] Royal Match v26455 +11 Cheats [ Unlimited Coins + More ] - Free Jailbroken Cydia Cheats - iOSGods
      Modded Android APK(s): https://iosgods.com/forum/68-android-section/
      For more fun, check out the Club(s): https://iosgods.com/clubs/
      • 426 replies
    • Royal Match v31110 +10 Cheats [ Coins + More ]
      Modded/Hacked App: Royal Match By Dream Games Teknoloji Anonim Sirketi
      Bundle ID: com.dreamgames.royalmatch
      iTunes Store Link: https://apps.apple.com/us/app/royal-match/id1482155847?uo=4


      Mod Requirements:
      - Jailbroken iPhone/iPad/iPod Touch.
      - iGameGod / Filza / iMazing or any other file managers for iOS.
      - Cydia Substrate, ElleKit, Substitute or libhooker depending on your jailbreak.
      - PreferenceLoader (from Cydia, Sileo or Zebra).


      Hack Features:
      - Freeze Coins
      - Freeze Lives
      - Freeze Stars
      - Freeze Boosters
      - Freeze Time
      - Freeze Moves
      - Unlock VIP Badges
      - Unlock VIP Name Styles
      - Unlock VIP Frames
      - Auto Win -> Quit the level.


      Non-Jailbroken & No Jailbreak required hack(s): [IPA Mod Menu] Royal Match v26455 +11 Jailed Cheats [ Unlimited Coins + More ] - Free Non-Jailbroken IPA Cheats - iOSGods
      Modded Android APK(s): https://iosgods.com/forum/68-android-section/
      For more fun, check out the Club(s): https://iosgods.com/clubs/
      • 544 replies
    • Dynasty Warriors ( 真・三國無双 覇 ) v1.0.19 +3 Cheats [ Damage & Defence ]
      Modded/Hacked App: 真・三國無双 覇 By SUPERNOVA OVERSEAS LIMITED
      Bundle ID: com.supernova.ssgms.jp.ios
      App Store Link: https://apps.apple.com/jp/app/%E7%9C%9F-%E4%B8%89%E5%9C%8B%E7%84%A1%E5%8F%8C-%E8%A6%87/id6461309538?uo=4

       


      🤩 Hack Features

      - Damage Multiplier
      - Defence Multiplier
      - God Mode
      • 3 replies
    • Ape Rampage v1.1 [ +2 Cheats ] Currency Max
      Modded/Hacked App: Ape Rampage By Vritank Yadav
      Bundle ID: com.hyperpixelgames.apeevolution
      App Store Link: https://apps.apple.com/ca/app/ape-rampage/id6748993588?uo=4

      🤩 Hack Features

      - Unlimited Currency / Earn
      - Unlimited Resources / Earn
      • 0 replies
    • Ape Rampage v1.1 [ +2 Jailed ] Currency Max
      Modded/Hacked App: Ape Rampage By Vritank Yadav
      Bundle ID: com.hyperpixelgames.apeevolution
      App Store Link: https://apps.apple.com/ca/app/ape-rampage/id6748993588?uo=4

      🤩 Hack Features

      - Unlimited Currency / Earn
      - Unlimited Resources / Earn
      • 0 replies
    • MU: Pocket Knights v1.4.8 +3 Jailed Cheats [ Damage + More ]
      Modded/Hacked App: MU: Pocket Knights By WEBZEN INC.
      Bundle ID: com.webzen.muidle.ios
      App Store Link: https://apps.apple.com/ph/app/mu-pocket-knights/id6742208743?uo=4

       
       

      🤩 Hack Features

      - Damage Multiplier
      - God Mode
      - Speed Multiplier
      • 40 replies
    • MU: Pocket Knights v1.4.8 +3 Cheats [ Damage + More ]
      Modded/Hacked App: MU: Pocket Knights By WEBZEN INC.
      Bundle ID: com.webzen.muidle.ios
      App Store Link: https://apps.apple.com/ph/app/mu-pocket-knights/id6742208743?uo=4

       
       

      🤩 Hack Features

      - Damage Multiplier
      - God Mode
      - Speed Multiplier
      • 18 replies
    • Good Coffee, Great Coffee v1.5.3 +8 Jailed Cheats [ Unlimited Currencies ]
      Modded/Hacked App: Good Coffee, Great Coffee By TAPBLAZE, LLC
      Bundle ID: com.tapblaze.coffeebusiness
      iTunes Store Link: https://apps.apple.com/us/app/good-coffee-great-coffee/id1603584945?uo=4
       


      🤩 Hack Features

      - Unlimited Cash
      - Unlimited Gems
      - Unlimited Energy
      - Unlimited Brew Points
      - Unlimited Daily Rewards
      - All Decor Unlocked
      - All Equipment Unlocked
      - All Equipment Upgrades Unlocked
      - All Shop Upgrades Unlocked
      - Perfect Drinks
      • 114 replies
×
  • Create New...

Important Information

We would like to place cookies on your device to help make this website better. The website cannot give you the best user experience without cookies. You can accept or decline our cookies. You may also adjust your cookie settings. Privacy Policy - Guidelines