Saturday, May 26, 2012

Cheating the Android


Yarr everybody,

It has been a long time since my last post, and today I’m returning to an old subject that I like very much: cheating in games, and this time Android games.
This post includes a small tutorial on patching an Android application, followed by an introduction to a big problem I’m facing in my attempts to cheat in various games. If you are already familiar with the technique of patching Android apps, you can skip straight to the last section, where I talk about its problematic aspects. I would love to hear any comments readers might have about my methods, or any tips and tricks that might make the process easier to endure.

The tutorial part:
I will walk you through the following steps:

  1. Getting the binary
  2. Unpacking, Disassembly and Decompiling it
  3. Finding a good place to patch
  4. Patching
  5. Repacking, ReSigning and ReInstalling the app
  6. Having fun

Setting up:
For these tasks you are going to need a rooted Android device (in some cases the emulator will do) and the standard Android SDK tools installed.
First enable USB debugging from the Settings->Applications->Development menu and connect the device to the computer with a USB cable. Now check the connection using the “adb devices” command. If adb can’t find the device, recheck the cable, the drivers and adb itself.
Tip for those of you who use a Samsung Android device: the fastest way to get the right drivers is to install Samsung Kies.

Step 1 Getting the binary
To get the binary of the target application, you can simply search for the right APK under /data/app, where APKs are usually stored. Or you can:

  • Run the application
  • Connect to the device with adb
  • Run “adb shell”
  • Run “su” (if needed)
  • Run “ps” to find the process id.
  • Run “ls -la /proc/PROCESS_ID/fd” and search the long list of file descriptors for the apk file.
  • Pull the file from the device using the “adb pull” command.
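The steps above can be scripted. The following Python script is an added example written for this edit, not code from the post; it runs “adb shell ps” and “ls -la /proc/PID/fd” exactly as described, parses the output to find the open .apk, and pulls it. The package name, the sample “ps” and “ls” output used for the offline check, and the “su -c” wrapper are assumptions; “pm path” is a standard Android package-manager query included as a root-free alternative.

```python
"""Pull the APK of a running app over adb (editor's added example).

Scripts the /proc/<pid>/fd approach from the post. Assumes `adb` is on PATH
and a single device is connected (or ANDROID_SERIAL is set).
"""
import re
import subprocess
import sys
from typing import List, Optional

# A symlink target in `ls -la /proc/PID/fd` output that points at an APK,
# e.g. "lr-x------ ... 9 -> /data/app/com.example.game-1.apk"
APK_LINK_RE = re.compile(r"->\s+(/\S+\.apk)\b")
# Android `ps` rows: USER PID PPID ... NAME (PID is column 2, NAME is last)
PS_LINE_RE = re.compile(r"^\S+\s+(\d+)\s+.*\s(\S+)\s*$")

# Constructed sample output, used only for the offline self-check.
SAMPLE_PS = """USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
root      1     0     280    188   c00bd4c8 0000c00c S /init
u0_a55    1234  130   150000 30000 ffffffff 40011234 S com.example.game
"""
SAMPLE_FD = """lrwx------ u0_a55 u0_a55 2012-05-26 12:00 0 -> /dev/null
lr-x------ u0_a55 u0_a55 2012-05-26 12:00 9 -> /data/app/com.example.game-1.apk
lr-x------ u0_a55 u0_a55 2012-05-26 12:00 12 -> /data/app/com.example.game-1.apk
lrwx------ u0_a55 u0_a55 2012-05-26 12:00 15 -> /dev/ashmem
"""


def pid_from_ps(ps_output: str, package: str) -> Optional[int]:
    """Return the PID whose NAME column equals `package`, or None."""
    for line in ps_output.splitlines():
        m = PS_LINE_RE.match(line)
        if m and m.group(2) == package:
            return int(m.group(1))
    return None


def apk_paths_from_fd_listing(listing: str) -> List[str]:
    """Unique APK paths referenced by the fd symlinks in `listing`."""
    found: List[str] = []
    for line in listing.splitlines():
        m = APK_LINK_RE.search(line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def adb(*args: str) -> str:
    """Run an adb command and return its stdout (raises on failure)."""
    proc = subprocess.run(["adb", *args], check=True, capture_output=True, text=True)
    return proc.stdout


def apk_path_via_pm(package: str) -> Optional[str]:
    """Root-free alternative: ask the package manager where the APK lives."""
    for line in adb("shell", "pm", "path", package).splitlines():
        if line.startswith("package:"):
            return line[len("package:"):].strip()
    return None


def pull_running_apk(package: str, out_dir: str = ".") -> str:
    """Locate the APK of the running `package` via /proc/<pid>/fd and pull it."""
    pid = pid_from_ps(adb("shell", "ps"), package)
    if pid is None:
        raise SystemExit(f"{package} is not running")
    # Reading another app's fd table needs root on most devices (the "su" step).
    listing = adb("shell", f"su -c 'ls -la /proc/{pid}/fd'")
    paths = apk_paths_from_fd_listing(listing)
    if not paths:
        raise SystemExit("no .apk among the open file descriptors")
    adb("pull", paths[0], out_dir)
    return paths[0]


if __name__ == "__main__":
    # Usage: python pull_apk.py com.example.game [output_dir]
    print(pull_running_apk(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "."))
```

The two parsing functions are kept separate from the adb calls so they can be checked against captured output without a device; the sample strings above are how the offline check is done.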


Step 2 Unpacking, Disassembly and Decompiling it
For this step we will get to know not one but three tools for working with APKs:
1. apktool http://code.google.com/p/android-apktool/
2. dex2jar http://code.google.com/p/dex2jar/
3. jd http://java.decompiler.free.fr/
apktool is used to unpack the apk file into its inner components. Using the command “apktool d APK_FILE OUTPUT_DIR”, you get a directory with all of the components that make up the APK, including a dir called smali that contains the disassembly of the Dalvik bytecode. The smali files are text files that can be edited to make a patch. The directory can be repacked into an APK simply with the command “apktool b CONTENT_DIR OUTPUT_APK”.
Another tip: if you run into trouble during repacking, you can try to unpack with the “-r” flag, “apktool d -r APK_FILE OUTPUT_DIR”, to leave the resources untouched; the resources are often the source of these problems. If you are not trying to deface the application, don’t bother solving them.
The 2nd and 3rd tools are used to produce decompiled, more readable code, and they are not a must for patching. The principle is to open the APK file with a standard unzip tool, find the classes.dex file in it, use dex2jar to convert the dex to a jar file, and decompile the jar with the Java decompiler.

Step 3 Finding a good place to patch
Now that you’ve got lots of decompiled Dalvik code, use your reverse engineering talent to find a good cozy spot for your patch, or for any other kind of cheat you would like. Note that some applications combine native ARM code with the Dalvik code; it is usually found under the lib subfolder and can be disassembled with IDA Pro as an ELF ARM (LE) binary.

Step 4 Patching
Patch either by editing a smali file or by patching a lib file. Note that smali is not the most familiar assembly, but I find it very intuitive and easy to understand.

Step 5 Repacking, ReSigning and ReInstalling the app
Repack using apktool: “apktool b CONTENT_FOLDER OUTPUT_APK”. Now if you try to install the APK you just made, you will most probably get an error code that says “INSTALL_PARSE_FAILED_NO_CERTIFICATES”. In that case you need to sign the apk with the signapk tool found at http://code.google.com/p/signapk/; you can use the sample certificate and key that are shipped with the tool.
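From the defender’s side, this step is exactly what a tamper check looks for: after apktool rewrites the package and signapk signs it with its sample key, classes.dex (and any patched lib) and the signer block under META-INF/ no longer match the developer’s original build. The script below is an added example written for this edit, not code from the post or from the tools it names; it hashes those entries and reports what differs. The two APKs are tiny zips constructed in memory for the demo, and the file names inside them are assumptions; on real files, pass the bytes of the pulled APK and of the original release build instead.

```python
"""Detect a repackaged / re-signed APK against a known-good build
(editor's added example, not the post's or apktool's/signapk's code)."""
import hashlib
import io
import zipfile
from typing import Dict, List


def _is_interesting(name: str) -> bool:
    """Entries whose integrity matters: Dalvik bytecode, native libs, and the
    v1 signature block files (*.RSA / *.DSA / *.EC) under META-INF/."""
    if name == "classes.dex" or name.startswith("lib/"):
        return True
    return name.startswith("META-INF/") and name.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC")


def apk_baseline(apk_bytes: bytes) -> Dict[str, str]:
    """SHA-256 of every interesting entry, keyed by entry name."""
    out: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if _is_interesting(name):
                out[name] = hashlib.sha256(z.read(name)).hexdigest()
    return out


def diff_against_baseline(baseline: Dict[str, str], candidate: Dict[str, str]) -> List[str]:
    """Human-readable list of what changed; an empty list means the APK matches."""
    findings: List[str] = []
    for name in sorted(set(baseline) | set(candidate)):
        if name not in candidate:
            findings.append(f"missing: {name}")
        elif name not in baseline:
            findings.append(f"added: {name}")
        elif baseline[name] != candidate[name]:
            kind = "signer changed" if name.startswith("META-INF/") else "code changed"
            findings.append(f"{kind}: {name}")
    return findings


def make_apk(entries: Dict[str, bytes]) -> bytes:
    """Build a minimal zip standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins: the developer's build and a repacked, re-signed copy.
ORIGINAL = make_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00ORIGINAL-BYTECODE",
    "lib/armeabi/libgame.so": b"\x7fELF-original",
    "META-INF/CERT.RSA": b"pkcs7-block-of-the-developer-key",
    "res/values/strings.xml": b"<resources/>",
})
REPACKAGED = make_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00PATCHED-BYTECODE",          # smali edit, rebuilt
    "lib/armeabi/libgame.so": b"\x7fELF-original",           # untouched
    "META-INF/CERT.RSA": b"pkcs7-block-of-signapk-sample-key",  # re-signed
    "res/values/strings.xml": b"<resources/>",
})


def check_repackaged() -> List[str]:
    """Compare the constructed repackaged build with the constructed original."""
    return diff_against_baseline(apk_baseline(ORIGINAL), apk_baseline(REPACKAGED))


if __name__ == "__main__":
    for line in check_repackaged():
        print(line)
```

On the constructed pair this reports “signer changed: META-INF/CERT.RSA” and “code changed: classes.dex”, while the untouched native library is silent. Hashing the whole signature block file keeps the example dependency-free; a production check would rather pin the signer certificate’s fingerprint, and a differently named block file (signapk writes CERT.RSA regardless of the original name) would show up here as one “missing” plus one “added” entry rather than a changed one.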

Step 6 Having fun
Have fun.

The big problem:
Now if one follows the exact steps above trying to patch a game such as Draw Something, he will soon find out that most of the code is neither in the Java nor in the native ARM binary. Instead, the interesting part is found in another binary file called DrawSomethingFree.s3e, which is a binary file of the Marmalade SDK. Marmalade is a platform for developers to create games for both iOS and Android at the same time.
If one tries to decompile the Temple Run game, he will soon find a very similar story, this time written in Mono for Android. Mono is a C#-based SDK for developing applications for both iOS and Android. Now this makes no sense: C# is a language made by Microsoft, mostly optimized for Windows x86 platforms. Why adapt it to Android, which handles Java-like code natively? Is there really a benefit in the C# coding style over Java? And if so, is it worth the effort and the overhead of making a new VM to execute CLI code on Android?
Researching even further, I found out that there are an awful lot of such cross-platform SDKs, running everything from C to Lua, including Python and JavaScript. Each of them requires understanding a new, unknown, homemade file type with a new kind of bytecode encoding of some imitation of a standard language.
I’m looking for help from anyone researching and understanding these files, and how to disassemble and patch them, for the greater good.
So if anyone knows anything about the internals of any of the following:

  • Widgetpad
  • Whoop
  • RhoMobile
  • Shiva3d
  • SIO2
  • Unity
  • Corona
  • PhoneGap
  • Titanium Mobile
  • cocos2d-x
  • Edgelib
  • Moai
  • Mono
  • MoSync
  • Mominis
  • Marmalade
  • Simple DirectMedia Layer

I would be more than happy to learn more about it. And if anyone knows of any other cross-platform environment, please let me know, as I’m trying to build a knowledge base about them.

Cheers,
Assaf

32 comments:

  1. Anonymous, 17/7/12

    Not sure how interested you are in game hacking nowadays, but this guy seems to have some quite nice insights regarding PunkBuster and the like:
    http://gamehackingadventures.blogspot.jp

  2. Hello Assaf,

    I recently had this same issue decompiling an android application and finding that it was written in marmalade. Were you able to find any information on how to go about decompiling the s3e binary files?

  3. Nope, sorry. I didn't have the time to go any deeper on that thing, but I would love to research that in the future and maybe write a follow up.

    Replies
    1. Thank you for getting back to me. I look forward to a follow-up on this subject.

  4. Anonymous, 15/12/16

    I agree with your post. I hope you will always share this type of post with me. Thanks a lot. blossom blast saga tips

  5. If you need feel safe about your children, then click here to read about tracking app that can help you with getting any information you need. Click hack cell phone mobile for iphone to find more!

    Replies
    1. Hi, great.. The tutorial is just awesome.. It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a Java developer, learn from Java Training in Chennai, or learn through Java Online Training in India. Nowadays Java has tons of job opportunities in various vertical industries.

  6. Anonymous, 20/2/17

    Good information, thanks for providing us with such useful information. Keep up the good work and continue providing us with more quality information from time to time. look here

  7. DevelopTech has a number of Android products in the market which have great popularity among users of Android mobile phones, not only in India but also across the whole globe.
    more info

  8. This is what we are expert in. The things which differentiate us from others are our professional behavior towards our clients and our expertise in these fields. Subway surfer hacks

  9. Hello, I am so delighted I located your blog; I really located you by mistake, while I was searching on Google for something else. Anyway, I am here now and would just like to say thanks for a tremendous post and an all-round entertaining website. Please do keep up the great work. Apk Mirror

  10. Techliance provides customization fix -Android application Development, Android Wireless job Development, Android outgoing Networking App Development, Android lattice Development, Android haste unfolding also different talk Google Android App Development.
    Game killer apk

  11. Very well written article. It will be supportive to anyone who utilizes it, including me. Keep doing what you are doing – can’t wait to read more posts.
    Search Button

  12. When you ask Gathering versatile applications what takes in the most measure of your endeavors and vitality in their ordinary day their prompt reaction would be 'printed material and documentation. Anger Of Stick 5 Mod Apk

  13. including reasonable comments here... Towelroot v3

  14. Techliance provides customization fix -Android application Development, Android Wireless job Development, Android outgoing Networking App Development, Android lattice Development, Android haste unfolding also different talk Google Android App Development. prompter

  15. The secureteen app can be downloaded at this site

  16. Anonymous, 31/8/17

    Good information, thanks for providing us with such useful information. Keep up the good work and continue providing us with more quality information from time to time. www.oceansoffgame.com

  17. Anonymous, 9/9/17

    Wonderful, great going. I love your work and look forward to more work from your side. I am a regular visitor of this site and by now have suggested it to many people. APK for Android

  18. To be completely forthright, a mobile application is a good to beat all for the client encounter, while calls and instant messages are the preeminent elements of a mobile gadget. ZArchiver download

  19. Anonymous, 15/9/17

    I needed to thank you for this extraordinary read. I am certainly appreciating each and every piece of it. I have you bookmarked to look at the new stuff you post. www.featuretechnology.com

  21. It is very user-friendly and it is considered the most in-demand application store in the world, where you can install the latest games. Free COC Gems

  22. Srinivasan, 28/9/17

    Please continue this great work; I look forward to more of your awesome blog posts.
    Appvn

  23. Anonymous, 16/10/17

    You write this article very well; there are a lot of good resources here. I am sure I will visit this place again soon. Visit Website

  24. Several cell phone producers are incorporating the Android operating system into their cell phones. https://www.oukitelcentral.com/

  25. The open deliberation of whether to pay for Android apps will proceed for eternity. Freedom Apk

  26. Wonderful article, I love your work and look forward to more work from your side. I am a regular visitor of your site and as of now I have suggested it to many people.
    Game Killer Apk

  27. No doubt this is an excellent post; I got a lot of knowledge after reading it, good luck. The theme of the blog is excellent, there is almost everything to read. Brilliant post. android blog