SlideShare a Scribd company logo

Learning by hacking - android application hacking tutorial

Landice Fu, profile picture
Landice Fu

The document is a tutorial on Android application hacking by Landice Fu, covering concepts such as Java knowledge, Android app design, and using tools like apktool and smali. It emphasizes responsible usage for educational purposes and includes techniques for localization, decompiling, and reverse engineering. The content also highlights strategies for protecting applications against hacking and provides insights into modifying applications.

Engineering
Related topics:
Reverse Engineering
1 of 29
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Learning by Hacking Android application hacking tutorial Landice Fu! rusty.flower@gmail.com
About me Landice Fu Android system developer at ASUS! ! FOSS user and promoter! ! Android app hacker! ! Ruby / JAVA / C / Qt
Android application hacking tutorial Background Knowledge ❖ Java! ❖ Android Application Design! ❖ Using Android Logcat with Android Debug Bridge (ADB)! ❖ Assembly syntax
My proclamation about this presentation ❖ The application binary and decompiled code I use in this presentation are only for teaching and learning! ! ❖ After the presentation, I would not provide or use them in ANY circumstances and I will immediately delete them
You must be really bad! ❖ Pirate! ❖ Stealing accounts and data! ❖ Mess up the device! ❖ BitCoin mining using others’ device
Learning by hacking - android application hacking tutorial
What about… ❖ UI Localization! ❖ Ad. removal! ❖ Resource extraction! ❖ Wow, that’s cool! How did you do that?! ❖ Fix the bug yourself! ❖ Get to know your enemy and how to better protect your product! ❖ Add some features to it Are you kidding?
Learning by hacking - android application hacking tutorial
APKTOOL ❖ https://code.google.com/p/android-apktool/! ❖ Command line tool for disassembling/assembling APK! ❖ Decompile APK apktool d file_name.apk! ❖ Rebuild APK apktool b folder_name
xxxxx!Free Localization Demo ❖ You don’t even need to know how to write android app or JAVA! ! ❖ Android multi-language support mechanism [1][2]! ! [1] http://developer.android.com/training/basics/supporting-devices/languages.html! ! [2] http://jjnnykimo.pixnet.net/blog/post/37831205-android%E5%A4%9A%E5%9C%8B%E8%AA %9E%E8%A8%80%E8%B3%87%E6%96%99%E5%A4%BE%E5%91%BD%E5%90%8D %E6%96%B9%E5%BC%8F
Localization Demo ❖ Get the original APK! ❖ AndroidAssistant (backup)! ❖ /data/app/ (root access)! ❖ Copy values folder to values-zh-rTW! ❖ Localize the content of values-zh-rTW/strings.xml! ❖ Build and sign the APK
Smali/Baksmali ❖ Assembler/disassembler for the dex format used by Dalvik! ❖ The syntax is loosely based on Jasmin’s dedexer's syntax! ❖ Supports the full functionality of the dex format! ❖ Annotations (@Override, @SuppressWarnings …)! ❖ Debug Information! ❖ Line Information! ❖ Etc.! ❖ https://code.google.com/p/smali/
Dalvik opcodes ❖ Write a simple application and decompile it and see how it is turned into Dalvik operations! ❖ http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html! ❖ http://www.netmite.com/android/mydroid/dalvik/docs/ dalvik-bytecode.html
Types in smali Smali JAVA Primitive Type V void - can only be used for return types Z boolean B byte S short C char I int J long (64 bits) F float D double Class Object Lcom/lansion/myapp/xxxparser;
Framework Resource ❖ Some code and resources that are built into the Android system on your device! ❖ /system/framework/framework-res.apk! ❖ Installing framework resource for apktool apktool if framework-res.apk
Integrated Development Hacking Environment
Virtuous Ten Studio (VTS) ❖ Integrated Reverse Engineering Environment for APK! ❖ Built-in ApkTool, ADB, Zipalign, Sign, dex2jar…! ❖ Support for APKs and framework JARs! ❖ Text editing of smali, xml files with syntax highlighting, live checking and code folding! ❖ M10 file editing (HTC Sense)! ❖ Unpack/ repack boot images! ❖ Generate JAVA sources using multiple libraries! ❖ http://virtuous-ten-studio.com/
Demo: Remove the ad. from xxxxx!free ❖ What you need! ❖ Know the API of libraries! ❖ Know the API of Android! ❖ Luck! ❖ Patience! ❖ Tip1 : When you don’t know how to do something in smali, just write it in JAVA and decompile it
Source Obfuscation ❖ Make it really difficult for human to understand and time consuming to hack! ❖ Make the names of variables, methods, classes and packages meaningless! ❖ Remove debug information! ❖ Complicated call flow! ❖ Redundant source code! ❖ …………..! ❖ Penalty of obfuscation Stop laughing…! This is you!!
Learning by hacking - android application hacking tutorial
Learning by hacking - android application hacking tutorial
Build your own crack tool ❖ Provide static functions! ❖ Add logcat logs with variable states! ❖ Add stack trace dump! ❖ Do the complicated tricks out side of the original program (much easier in JAVA)
A more difficult task - ??????? ❖ UI is always the key to find the starting point! ❖ Resource ID (name) turns into constant value map! ❖ Insert the snippets decompiled from your crack tool! ❖ Most of the local license checking is not too complicated! ❖ Altering one of the boolean-returning function does the trick in a majority of cases
Learning by hacking - android application hacking tutorial
Still a piece of cake ❖ Knowing the system API is very helpful! ❖ More complicated check might involve getting IMEI, MAC… from your device! ❖ You still can trick the application by replacing the system API call to your own function
What I did to Age of Empires on Android ❖ Modify the menu bar to provide control interface! ❖ TCP server to communication with another Android device with the same hacked APK! ❖ Add a robot state machine to get money, resource… from the other account without effort.
Protect your work ❖ Design with NDK! ❖ Using framework like cocos2d (generates native library)! ❖ Don’t just use one method for checking! ❖ Strong obfuscation! ❖ Provide the content using web! ❖ Find a way to mess up the decompiler
What you might be interested in ❖ You can use the decompiled code from other apps in your application! ❖ Embed a broadcast receiver to interact with external application
Thanks for your attention

More Related Content

PDF
Hacking your Android (slides)
Justin Hoang
 
PDF
The art of android hacking
Abhinav Mishra
 
PPTX
[Wroclaw #2] iOS Security - 101
OWASP
 
PPTX
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
PDF
Android Hacking
antitree
 
PDF
My Null Android Penetration Session
Avinash Sinha
 
PDF
Dark Side of iOS [SmartDevCon 2013]
Kuba Břečka
 
PDF
The Hookshot: Runtime Exploitation
Prathan Phongthiproek
 
Hacking your Android (slides)
Justin Hoang
 
The art of android hacking
Abhinav Mishra
 
[Wroclaw #2] iOS Security - 101
OWASP
 
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
Android Hacking
antitree
 
My Null Android Penetration Session
Avinash Sinha
 
Dark Side of iOS [SmartDevCon 2013]
Kuba Břečka
 
The Hookshot: Runtime Exploitation
Prathan Phongthiproek
 

What's hot (20)

PDF
Android security and penetration testing | DIVA | Yogesh Ojha
Yogesh Ojha
 
PDF
Android App Hacking - Erez Metula, AppSec
DroidConTLV
 
PPTX
[Wroclaw #1] Android Security Workshop
OWASP
 
PDF
Mobile Application Pentest [Fast-Track]
Prathan Phongthiproek
 
PDF
Droidcon it-2014-marco-grassi-viaforensics
viaForensics
 
PPTX
Android pen test basics
OWASPKerala
 
PPTX
Drozer - An Android Application Security Tool
nullowaspmumbai
 
PDF
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
nullowaspmumbai
 
PDF
Pentesting Mobile Applications (Prashant Verma)
ClubHack
 
PDF
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
Aditya K Sood
 
PDF
Null 14 may_lesser_known_attacks_by_ninadsarang
Ninad Sarang
 
PDF
Android Security & Penetration Testing
Subho Halder
 
PDF
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthinkspa
 
PDF
Andriod Pentesting and Malware Analysis
n|u - The Open Security Community
 
PDF
iOS Application Security
Egor Tolstoy
 
PDF
Pentesting iOS Apps - Runtime Analysis and Manipulation
Andreas Kurtz
 
PDF
OWASP Melbourne - Introduction to iOS Application Penetration Testing
eightbit
 
PPTX
Fuzzing | Null OWASP Mumbai | 2016 June
nullowaspmumbai
 
PDF
Hacking android apps by srini0x00
srini0x00
 
PDF
Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015
Black Duck by Synopsys
 
Android security and penetration testing | DIVA | Yogesh Ojha
Yogesh Ojha
 
Android App Hacking - Erez Metula, AppSec
DroidConTLV
 
[Wroclaw #1] Android Security Workshop
OWASP
 
Mobile Application Pentest [Fast-Track]
Prathan Phongthiproek
 
Droidcon it-2014-marco-grassi-viaforensics
viaForensics
 
Android pen test basics
OWASPKerala
 
Drozer - An Android Application Security Tool
nullowaspmumbai
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
nullowaspmumbai
 
Pentesting Mobile Applications (Prashant Verma)
ClubHack
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
Aditya K Sood
 
Null 14 may_lesser_known_attacks_by_ninadsarang
Ninad Sarang
 
Android Security & Penetration Testing
Subho Halder
 
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthinkspa
 
Andriod Pentesting and Malware Analysis
n|u - The Open Security Community
 
iOS Application Security
Egor Tolstoy
 
Pentesting iOS Apps - Runtime Analysis and Manipulation
Andreas Kurtz
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
eightbit
 
Fuzzing | Null OWASP Mumbai | 2016 June
nullowaspmumbai
 
Hacking android apps by srini0x00
srini0x00
 
Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015
Black Duck by Synopsys
 

Viewers also liked (20)

PDF
How to reverse engineer Android applications—using a popular word game as an ...
Christoph Matthies
 
PPT
Reverse Engineering Android Application
n|u - The Open Security Community
 
PDF
Attacking and Defending Mobile Applications
Jerod Brennen
 
PDF
Understanding the Dalvik bytecode with the Dedexer tool
Gabor Paller
 
PPTX
Hacking Mobile Apps
Sophos Benelux
 
PDF
Mobile Hacking
Novizul Evendi
 
PPTX
Reverse engineering android apps
Pranay Airan
 
PDF
Practice of Android Reverse Engineering
National Cheng Kung University
 
PPTX
Dancing with dalvik
Thomas Richards
 
PDF
Understanding the Dalvik Virtual Machine
National Cheng Kung University
 
PDF
Hacking Tutorial for Apps
Grant Eaton
 
PPSX
CyberLab CCEH Session -13 Hacking Web Applications
CyberLab
 
PDF
FIDO, PKI & beyond: Where Authentication Meets Identification
FIDO Alliance
 
PPT
Web Application Hacking
SensePost
 
PPTX
FIDO Webinar – A New Model for Online Authentication: Implications for Policy...
FIDO Alliance
 
PDF
Hacking your Droid (Aditya Gupta)
ClubHack
 
DOCX
Smali语法
xiaoshan8743
 
PDF
RoR Workshop - Web applications hacking - Ruby on Rails example
Railwaymen
 
PDF
Hacking ingress
Eran Goldstein
 
PPTX
Toward Reverse Engineering of VBA Based Excel Spreadsheets Applications
REvERSE University of Naples Federico II
 
How to reverse engineer Android applications—using a popular word game as an ...
Christoph Matthies
 
Reverse Engineering Android Application
n|u - The Open Security Community
 
Attacking and Defending Mobile Applications
Jerod Brennen
 
Understanding the Dalvik bytecode with the Dedexer tool
Gabor Paller
 
Hacking Mobile Apps
Sophos Benelux
 
Mobile Hacking
Novizul Evendi
 
Reverse engineering android apps
Pranay Airan
 
Practice of Android Reverse Engineering
National Cheng Kung University
 
Dancing with dalvik
Thomas Richards
 
Understanding the Dalvik Virtual Machine
National Cheng Kung University
 
Hacking Tutorial for Apps
Grant Eaton
 
CyberLab CCEH Session -13 Hacking Web Applications
CyberLab
 
FIDO, PKI & beyond: Where Authentication Meets Identification
FIDO Alliance
 
Web Application Hacking
SensePost
 
FIDO Webinar – A New Model for Online Authentication: Implications for Policy...
FIDO Alliance
 
Hacking your Droid (Aditya Gupta)
ClubHack
 
Smali语法
xiaoshan8743
 
RoR Workshop - Web applications hacking - Ruby on Rails example
Railwaymen
 
Hacking ingress
Eran Goldstein
 
Toward Reverse Engineering of VBA Based Excel Spreadsheets Applications
REvERSE University of Naples Federico II
 

Similar to Learning by hacking - android application hacking tutorial (20)

PDF
Desert Code Camp 2014: C#, the best programming language
James Montemagno
 
KEY
Txjs
Brian LeRoux
 
PDF
Debugging and Tuning Mobile Web Sites with Modern Web Browsers
Troy Miles
 
PPTX
JavaScript All The Things
Jordan Yaker
 
PDF
Maximiliano Firtman - Разработка приложений с помощью PhoneGap
.toster
 
PDF
PhoneGap mobile development
Maximiliano Firtman
 
KEY
HTML5 is the Future of Mobile, PhoneGap Takes You There Today
davyjones
 
PDF
PhoneGap/Cordova
Mihai Corlan
 
PDF
Introduction to PhoneGap
Raymond Camden
 
PPTX
Diploma 1st Year Project Internship Presentation.pptx
silentworld966
 
KEY
Philly ete-2011
davyjones
 
PPTX
[Mas 500] Mobile Basics
rahulbot
 
PDF
MTC Spring 2013 - crossplatform woes - robert virkus - 2013-03-13
Enough Software
 
KEY
Phonegap for Engineers
Brian LeRoux
 
PDF
Mono for Android... for Google Devs
Craig Dunn
 
ODP
Apache Cordova, Hybrid Application Development
thedumbterminal
 
PPTX
Intro to PhoneGap
Chris Griffith
 
PDF
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Dakiry
 
PDF
MozTW YZU CSE Lecture
littlebtc
 
PDF
Firefox OS Apps & APIs - Dutch Mobile Conference / Serbia & Montenegro App da...
Jan Jongboom
 
Desert Code Camp 2014: C#, the best programming language
James Montemagno
 
Txjs
Brian LeRoux
 
Debugging and Tuning Mobile Web Sites with Modern Web Browsers
Troy Miles
 
JavaScript All The Things
Jordan Yaker
 
Maximiliano Firtman - Разработка приложений с помощью PhoneGap
.toster
 
PhoneGap mobile development
Maximiliano Firtman
 
HTML5 is the Future of Mobile, PhoneGap Takes You There Today
davyjones
 
PhoneGap/Cordova
Mihai Corlan
 
Introduction to PhoneGap
Raymond Camden
 
Diploma 1st Year Project Internship Presentation.pptx
silentworld966
 
Philly ete-2011
davyjones
 
[Mas 500] Mobile Basics
rahulbot
 
MTC Spring 2013 - crossplatform woes - robert virkus - 2013-03-13
Enough Software
 
Phonegap for Engineers
Brian LeRoux
 
Mono for Android... for Google Devs
Craig Dunn
 
Apache Cordova, Hybrid Application Development
thedumbterminal
 
Intro to PhoneGap
Chris Griffith
 
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Dakiry
 
MozTW YZU CSE Lecture
littlebtc
 
Firefox OS Apps & APIs - Dutch Mobile Conference / Serbia & Montenegro App da...
Jan Jongboom
 

Recently uploaded (20)

PPT
Mechanical Engineering MATERIALS Selection
arsalanahmad705384
 
PPTX
bas. eng. economics group 4 presentation 1.pptx
kiribakimoses1993
 
PPTX
Recipes for Real Time Voice AI WebRTC, SLMs and Open Source Software.pptx
Alberto González Trastoy
 
PDF
PPT on Performance Review to get promotions
prashant593122
 
PPTX
Welding lecture in detail for understanding
sahilpoonia10
 
PDF
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
IJAEMSJORNAL
 
PPTX
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
PPTX
Foundation to blockchain - A guide to Blockchain Tech
Davies Chacko
 
PPTX
Construction Project Organization Group 2.pptx
vj5agdales
 
PPTX
Lesson 3_Tessellation.pptx finite Mathematics
quakeplayz54
 
PPTX
CYBER-CRIMES AND SECURITY A guide to understanding
Davies Chacko
 
PPTX
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
VinayB68
 
PDF
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
PDF
Structs to JSON How Go Powers REST APIs.pdf
Emily Achieng
 
PPTX
KTU 2019 -S7-MCN 401 MODULE 2-VINAY.pptx
VinayB68
 
PPT
Project quality management in manufacturing
BarMusaTetik
 
DOCX
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
AYUSHMANAV
 
PPTX
CARTOGRAPHY AND GEOINFORMATION VISUALIZATION chapter1 NPTE (2).pptx
abhi1361yadav
 
PPTX
Geodesy 1.pptx...............................................
abhi1361yadav
 
PDF
composite construction of structures.pdf
AinieButt1
 
Mechanical Engineering MATERIALS Selection
arsalanahmad705384
 
bas. eng. economics group 4 presentation 1.pptx
kiribakimoses1993
 
Recipes for Real Time Voice AI WebRTC, SLMs and Open Source Software.pptx
Alberto González Trastoy
 
PPT on Performance Review to get promotions
prashant593122
 
Welding lecture in detail for understanding
sahilpoonia10
 
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
IJAEMSJORNAL
 
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
Foundation to blockchain - A guide to Blockchain Tech
Davies Chacko
 
Construction Project Organization Group 2.pptx
vj5agdales
 
Lesson 3_Tessellation.pptx finite Mathematics
quakeplayz54
 
CYBER-CRIMES AND SECURITY A guide to understanding
Davies Chacko
 
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
VinayB68
 
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
Structs to JSON How Go Powers REST APIs.pdf
Emily Achieng
 
KTU 2019 -S7-MCN 401 MODULE 2-VINAY.pptx
VinayB68
 
Project quality management in manufacturing
BarMusaTetik
 
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
AYUSHMANAV
 
CARTOGRAPHY AND GEOINFORMATION VISUALIZATION chapter1 NPTE (2).pptx
abhi1361yadav
 
Geodesy 1.pptx...............................................
abhi1361yadav
 
composite construction of structures.pdf
AinieButt1
 

Learning by hacking - android application hacking tutorial

  • 1. Learning by Hacking Android application hacking tutorial Landice Fu! rusty.flower@gmail.com
  • 2. About me Landice Fu Android system developer at ASUS! ! FOSS user and promoter! ! Android app hacker! ! Ruby / JAVA / C / Qt
  • 3. Android application hacking tutorial Background Knowledge ❖ Java! ❖ Android Application Design! ❖ Using Android Logcat with Android Debug Bridge (ADB)! ❖ Assembly syntax
  • 4. My proclamation about this presentation ❖ The application binary and decompiled code I use in this presentation are only for teaching and learning! ! ❖ After the presentation, I would not provide or use them in ANY circumstances and I will immediately delete them
  • 5. You must be really bad! ❖ Pirate! ❖ Stealing accounts and data! ❖ Mess up the device! ❖ BitCoin mining using others’ device
  • 7. What about… ❖ UI Localization! ❖ Ad. removal! ❖ Resource extraction! ❖ Wow, that’s cool! How did you do that?! ❖ Fix the bug yourself! ❖ Get to know your enemy and how to better protect your product! ❖ Add some features to it Are you kidding?
  • 9. APKTOOL ❖ https://code.google.com/p/android-apktool/! ❖ Command line tool for disassembling/assembling APK! ❖ Decompile APK apktool d file_name.apk! ❖ Rebuild APK apktool b folder_name
  • 10. xxxxx!Free Localization Demo ❖ You don’t even need to know how to write android app or JAVA! ! ❖ Android multi-language support mechanism [1][2]! ! [1] http://developer.android.com/training/basics/supporting-devices/languages.html! ! [2] http://jjnnykimo.pixnet.net/blog/post/37831205-android%E5%A4%9A%E5%9C%8B%E8%AA %9E%E8%A8%80%E8%B3%87%E6%96%99%E5%A4%BE%E5%91%BD%E5%90%8D %E6%96%B9%E5%BC%8F
  • 11. Localization Demo ❖ Get the original APK! ❖ AndroidAssistant (backup)! ❖ /data/app/ (root access)! ❖ Copy values folder to values-zh-rTW! ❖ Localize the content of values-zh-rTW/strings.xml! ❖ Build and sign the APK
  • 12. Smali/Baksmali ❖ Assembler/disassembler for the dex format used by Dalvik! ❖ The syntax is loosely based on Jasmin’s dedexer's syntax! ❖ Supports the full functionality of the dex format! ❖ Annotations (@Override, @SuppressWarnings …)! ❖ Debug Information! ❖ Line Information! ❖ Etc.! ❖ https://code.google.com/p/smali/
  • 13. Dalvik opcodes ❖ Write a simple application and decompile it and see how it is turned into Dalvik operations! ❖ http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html! ❖ http://www.netmite.com/android/mydroid/dalvik/docs/ dalvik-bytecode.html
  • 14. Types in smali Smali JAVA Primitive Type V void - can only be used for return types Z boolean B byte S short C char I int J long (64 bits) F float D double Class Object Lcom/lansion/myapp/xxxparser;
  • 15. Framework Resource ❖ Some code and resources that are built into the Android system on your device! ❖ /system/framework/framework-res.apk! ❖ Installing framework resource for apktool apktool if framework-res.apk
  • 17. Virtuous Ten Studio (VTS) ❖ Integrated Reverse Engineering Environment for APK! ❖ Built-in ApkTool, ADB, Zipalign, Sign, dex2jar…! ❖ Support for APKs and framework JARs! ❖ Text editing of smali, xml files with syntax highlighting, live checking and code folding! ❖ M10 file editing (HTC Sense)! ❖ Unpack/ repack boot images! ❖ Generate JAVA sources using multiple libraries! ❖ http://virtuous-ten-studio.com/
  • 18. Demo: Remove the ad. from xxxxx!free ❖ What you need! ❖ Know the API of libraries! ❖ Know the API of Android! ❖ Luck! ❖ Patience! ❖ Tip1 : When you don’t know how to do something in smali, just write it in JAVA and decompile it
  • 19. Source Obfuscation ❖ Make it really difficult for human to understand and time consuming to hack! ❖ Make the names of variables, methods, classes and packages meaningless! ❖ Remove debug information! ❖ Complicated call flow! ❖ Redundant source code! ❖ …………..! ❖ Penalty of obfuscation Stop laughing…! This is you!!
  • 22. Build your own crack tool ❖ Provide static functions! ❖ Add logcat logs with variable states! ❖ Add stack trace dump! ❖ Do the complicated tricks out side of the original program (much easier in JAVA)
  • 23. A more difficult task - ??????? ❖ UI is always the key to find the starting point! ❖ Resource ID (name) turns into constant value map! ❖ Insert the snippets decompiled from your crack tool! ❖ Most of the local license checking is not too complicated! ❖ Altering one of the boolean-returning function does the trick in a majority of cases
  • 25. Still a piece of cake ❖ Knowing the system API is very helpful! ❖ More complicated check might involve getting IMEI, MAC… from your device! ❖ You still can trick the application by replacing the system API call to your own function
  • 26. What I did to Age of Empires on Android ❖ Modify the menu bar to provide control interface! ❖ TCP server to communication with another Android device with the same hacked APK! ❖ Add a robot state machine to get money, resource… from the other account without effort.
  • 27. Protect your work ❖ Design with NDK! ❖ Using framework like cocos2d (generates native library)! ❖ Don’t just use one method for checking! ❖ Strong obfuscation! ❖ Provide the content using web! ❖ Find a way to mess up the decompiler
  • 28. What you might be interested in ❖ You can use the decompiled code from other apps in your application! ❖ Embed a broadcast receiver to interact with external application
  • 29. Thanks for your attention