LaBBa
January 1st, 2012, 07:51
Hi,
I have taken a target called WidgetLocker 2.2.3 that can be found easily on 4shared with google.
I have started doing the standard APK reversing:
1. changed the .apk to a zip and extracted
2. took the "classes.dex" and used dex2jar tool to convert
3. used DJ-Java Decompiler to have source code
4. found the location in the source code for checking license:
simple patch to this function will ensure no exceptions and we will have a working app.
the issue i'm having is with the next required steps:
5. decompress files with apktool: apktool d app.apk
during the decompression of the apk applet i'm getting an error:
This means that I will not be able to patch the code and then rebuild the package with: "apktool e <FOLDER_NAME> out.apk"
Does anyone know how to bypass this?
Thanks,
LaBBa.
I have taken a target called WidgetLocker 2.2.3 that can be found easily on 4shared with google.
I have started doing the standard APK reversing:
1. changed the .apk to a zip and extracted
2. took the "classes.dex" and used dex2jar tool to convert
3. used DJ-Java Decompiler to have source code
4. found the location in the source code for checking license:
Code:
file: com\teslacoilsw\tesladirect\d.java
/**
 * Licence-verification routine as emitted by the decompiler (obfuscated names kept).
 *
 * This listing is not compilable Java: the {@code _L1.._L9} labels, {@code goto}
 * statements and bare exception declarations are decompiler artifacts for
 * control flow it could not structure, and several calls have lost their closing
 * parenthesis (apparently page-extraction damage). The {@code transient} modifier
 * on a method is presumably a mis-rendered access flag -- TODO confirm.
 *
 * Visible flow: fill a parameter map, hand it to a helper together with an
 * {@code http://} URL, parse the returned string as JSON, read the "lvl" field,
 * split it into a payload and a second part, check a SHA1withRSA signature over
 * the payload with the key {@code g.e}, then store the e-mail/code and start a
 * service. The method returns {@code Integer.valueOf(0)} on that path and one of
 * three {@code 0x7f0a016x} constants otherwise (presumably string resource ids
 * for error messages -- verify against the resource table).
 *
 * Review notes:
 * - The endpoint URL uses plain HTTP on port 80. If the helper transmits the map
 *   to it, the e-mail address, device id and unlock code travel without
 *   transport encryption. The response signature protects integrity, not the
 *   confidentiality of these request fields; HTTPS would be expected here.
 * - SHA1withRSA relies on SHA-1, which is deprecated for signatures; a SHA-256
 *   based scheme is the current baseline.
 * - The e-mail and code are persisted in clear text in two places (shared
 *   preferences and a text file whose directory is not visible here).
 * - The outcome is decided entirely on the device from this method's result, so
 *   it holds only as long as the installed binary is unmodified. Server-side
 *   gating of licensed functionality or package-integrity checks are the usual
 *   complements.
 */
private transient Integer a()
{
Integer integer;
Object obj1;
integer = null;
Object obj = null;
// Request parameters. The fields a..f and g belong to the enclosing class and
// are not declared in this listing; their types are inferred from usage only.
obj1 = new HashMap();
String s1 = Long.toString(a);
Object obj2 = ((Map) (obj1)).put("nonce", s1);
// NOTE(review): closing parenthesis missing on the next line (listing damage).
Object obj3 = ((Map) (obj1)).put("packageName", "com.teslacoilsw.widgetlocker";
String s2 = b.toString().trim();
Object obj4 = ((Map) (obj1)).put("email", s2);
String s3 = c;
Object obj5 = ((Map) (obj1)).put("deviceId", s3);
String s4 = Build.MODEL;
Object obj6 = ((Map) (obj1)).put("deviceName", s4);
String s5 = d.toString().trim();
Object obj7 = ((Map) (obj1)).put("unlockCode", s5);
String s6 = e;
Object obj8 = ((Map) (obj1)).put("versionCode", s6);
String s7 = f;
Object obj9 = ((Map) (obj1)).put("extra", s7);
JSONObject jsonobject;
// The helper is opaque here; presumably it performs the request and returns the
// response body. The scheme is http://, so nothing on this line provides TLS.
String s8 = DirectLicensingEnterCode.a("http://teslacoilsw.com:80/tesladirect/verifyLicense2.pl", ((Map) (obj1)));
jsonobject = new JSONObject(s8);
// obj1 is reused by the decompiler: from here on it refers to g, not the map.
obj1 = g;
String s9;
// "canBeta" handling: the condition has lost a parenthesis and the assigned
// value looks mis-typed by the decompiler (the handler below stores a boolean
// in g.c). Original logic cannot be recovered reliably from this listing.
if(jsonobject.getInt("canBeta"== 0)
integer = null;
obj1.c = integer;
_L3:
s9 = jsonobject.getString("lvl";
DirectLicensingEnterCode.b = s9;
// Empty or missing "lvl" -> _L1, otherwise continue at _L2.
if(!TextUtils.isEmpty(s9)) goto _L2; else goto _L1
_L1:
integer = Integer.valueOf(0x7f0a0162);
_L4:
// Single exit point: every path jumps here with its result in `integer`.
return integer;
// Handler fragment: a JSONException while reading "canBeta" clears g.c and
// resumes at _L3.
JSONException jsonexception;
jsonexception;
g.c = false;
goto _L3
NumberFormatException numberformatexception;
numberformatexception;
_L8:
// Shared failure result for a non-zero status, a failed signature check and
// the crypto/parse exception handlers at the end of the method.
integer = Integer.valueOf(0x7f0a0164);
goto _L4
_L2:
label0:
{
// The "Result: " string is built but not used in the visible code
// (possibly the remains of a stripped log call).
StringBuilder stringbuilder = (new StringBuilder()).append("Result: ";
String s10 = DirectLicensingEnterCode.b;
StringBuilder stringbuilder1 = stringbuilder.append(s10);
// Decompiler artifact: `integer` is reused to hold the String[] from split().
// The response is split at the literal "{}" into at most two parts.
integer = DirectLicensingEnterCode.b.split("\\{\\}", 2);
if(integer.length == 2)
break label0;
integer = Integer.valueOf(0x7f0a0163);
}
goto _L4
String s;
String as[];
// s = part before "{}" (the data that is signature-checked below);
// integer = part after "{}" (passed to dh.a() below).
s = integer[0];
integer = integer[1];
// The first part is split once more at "|"; as[0] is parsed as an int below.
as = s.split("\\|", 2);
if(as.length == 2) goto _L6; else goto _L5
_L5:
integer = Integer.valueOf(0x7f0a0163);
goto _L4
_L6:
if(Integer.parseInt(as[0]) != 0) goto _L8; else goto _L7
_L7:
Signature signature;
byte abyte1[];
// NOTE(review): SHA-1 based signature scheme; SHA256withRSA is the current
// baseline. Changing it requires the signing side to change as well.
signature = Signature.getInstance("SHA1withRSA";
java.security.PublicKey publickey = g.e;
signature.initVerify(publickey);
// getBytes() without an explicit charset uses the platform default; an explicit
// charset keeps the verified bytes identical to what was signed.
byte abyte0[] = s.getBytes();
signature.update(abyte0);
// dh.a() is opaque here; presumably it decodes the textual signature into raw
// bytes -- confirm against class dh.
abyte1 = dh.a(integer);
if(!signature.verify(abyte1)) goto _L8; else goto _L9
_L9:
Integer integer1;
// Persist the entered e-mail and code. Mode 0 is Context.MODE_PRIVATE, assuming
// g is an Android Context. The values are stored in clear text.
android.content.SharedPreferences.Editor editor = g.getSharedPreferences("com.teslacoilsw.licensing.info", 0).edit();
String s11 = b.toString().trim();
android.content.SharedPreferences.Editor editor1 = editor.putString("email", s11);
String s12 = d.toString().trim();
// The boolean returned by commit() is never checked.
boolean flag = editor1.putString("code", s12).commit();
// A second clear-text copy ("<email>\n<code>\n") goes to WidgetLockerLicense.txt
// under the directory returned by WLApp.a(g). eg.a() presumably writes the file.
// NOTE(review): if that directory is on shared/external storage the file is
// readable by other apps -- confirm where WLApp.a() points.
StringBuilder stringbuilder2 = new StringBuilder();
String s13 = WLApp.a(g);
String s14 = stringbuilder2.append(s13).append("/WidgetLockerLicense.txt".toString();
StringBuilder stringbuilder3 = new StringBuilder();
CharSequence charsequence = b;
StringBuilder stringbuilder4 = stringbuilder3.append(charsequence).append("\n";
CharSequence charsequence1 = d;
String s15 = stringbuilder4.append(charsequence1).append("\n".toString();
// The result of the write is likewise ignored.
boolean flag1 = eg.a(s14, s15);
Intent intent = new Intent("com.teslacoilsw.widgetlocker.ENABLE";
android.content.ComponentName componentname = g.startService(intent);
integer1 = Integer.valueOf(0);
integer = integer1;
goto _L4
// Exception handler fragments follow; the decompiler lost the try/catch ranges,
// so which statements each one guards cannot be read from this listing.
// Network, file and JSON failures all yield 0x7f0a0162.
UnknownHostException unknownhostexception;
unknownhostexception;
integer = Integer.valueOf(0x7f0a0162);
goto _L4
FileNotFoundException filenotfoundexception;
filenotfoundexception;
integer = Integer.valueOf(0x7f0a0162);
goto _L4
JSONException jsonexception1;
jsonexception1;
integer = Integer.valueOf(0x7f0a0162);
goto _L4
// The receiver of printStackTrace() was lost in decompilation.
printStackTrace();
goto _L8
// The remaining handlers (project type cw and the java.security exceptions)
// all route to the _L8 failure result.
cw cw1;
cw1;
goto _L8
SignatureException signatureexception;
signatureexception;
goto _L8
InvalidKeyException invalidkeyexception;
invalidkeyexception;
goto _L8
NoSuchAlgorithmException nosuchalgorithmexception;
nosuchalgorithmexception;
goto _L8
}
simple patch to this function will ensure no exceptions and we will have a working app.
the issue i'm having is with the next required steps:
5. decompress files with apktool: apktool d app.apk
during the decompression of the apk applet i'm getting an error:
Quote:
I: Baksmaling...
I: Loading resource table...
I: Loaded.
I: Loading resource table from file: C:\Users\userName\apktool\framework\1.apk
I: Loaded.
I: Decoding file-resources...
I: Decoding values*/* XMLs...
Exception in thread "main" java.lang.StringIndexOutOfBoundsException: String index out of range: 22
    at java.lang.String.charAt(Unknown Source)
    at brut.androlib.res.xml.ResXmlEncoders.findNonPositionalSubstitutions(ResXmlEncoders.java:165)
    at brut.androlib.res.xml.ResXmlEncoders.hasMultipleNonPositionalSubstitutions(ResXmlEncoders.java:138)
    at brut.androlib.res.data.value.ResStringValue.serializeExtraXmlAttrs(ResStringValue.java:63)
    at brut.androlib.res.data.value.ResScalarValue.serializeToResValuesXml(ResScalarValue.java:65)
    at brut.androlib.res.AndrolibResources.generateValuesFile(AndrolibResources.java:264)
    at brut.androlib.res.AndrolibResources.decode(AndrolibResources.java:137)
    at brut.androlib.Androlib.decodeResourcesFull(Androlib.java:93)
    at brut.androlib.ApkDecoder.decode(ApkDecoder.java:98)
    at brut.apktool.Main.cmdDecode(Main.java:120)
    at brut.apktool.Main.main(Main.java:57)
This means that I will not be able to patch the code and then rebuild the package with: "apktool e <FOLDER_NAME> out.apk"
Does anyone know how to bypass this?
Thanks,
LaBBa.