Bypassing smart fake init crash

A year ago, a modder asked for help with Bike Race, so I decided to look into it. I bypassed the fake crash a long time ago, but now I will finally make a tutorial to help you get smarter about the fake crash situation. Devs think they are smart enough to create a fake crash to troll cheaters, but not at all, I'm smarter than them haha.

Decompile, compile, sign and install the APK. The game force closed.


I took a look at logcat and found this: "Call init() first". Hmm... why does it need to call init() first?


This is the code I found in the \smali\com\topfreegames\bikerace\AppRemoteConfig.smali file where the error occurred. I looked everywhere and couldn't figure out why this happens.

 

I went to https://www.apk4fun.com/ and looked for earlier versions of the APK, and I found something interesting. The lib was added in 7.0.2, while 7.0.1 has no lib. The later version 7.7.0 had all strings stripped out, so I disassembled the lib from 7.0.2 in IDA, which was the first version that had the lib included.

Wow, this looks interesting


I didn't know where to start looking, so I looked at all of DexCheck. Interestingly, there is time bomb code in wasCracked, but it doesn't exist in the smali and it's not used anyway.


I analyzed them all and their xrefs, and I found Java_com_topfreegames_bikerace_AppRemoteConfig_nativeInit and Java_com_topfreegames_bikerace_activities_CheatsActivity_nativeGetDexStrings. The first one looks very interesting because it might be related to the init crash of AppRemoteConfig. Thanks, logcat, for the useful information about AppRemoteConfig.

Sorry for my bad diagram XD
 

So let's look into Java_com_topfreegames_bikerace_AppRemoteConfig_nativeInit

This is it! This is the reason why it needs to call init() first. If the dex was modified, it will return 0 and crash; else... I don't know what it returns.
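The check described above, modelled as an added example (not the game's own code): a Python stand-in for a DexCheck-style test. It shows why a repacked dex still passes the dex format's own header checksum and SHA-1 (the repacking tool regenerates them) but fails a signature pinned in the native lib, and that either way the whole decision collapses into a single return value. build_dex, native_init and the pinned value are assumptions of the example.

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\x00"
HEADER_SIZE = 0x70


def build_dex(payload: bytes) -> bytes:
    """Constructed minimal DEX image: a 0x70-byte header with a valid checksum
    and signature followed by an arbitrary payload. Not a loadable dex, just
    enough structure to exercise the header checks."""
    body = struct.pack("<III", HEADER_SIZE + len(payload), HEADER_SIZE, 0x12345678)
    body += bytes(HEADER_SIZE - 32 - len(body)) + payload
    signature = hashlib.sha1(body).digest()                 # covers bytes from offset 32
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF  # covers bytes from offset 12
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + body


def header_is_self_consistent(data: bytes) -> bool:
    """What a dex loader checks: magic, size, adler32 and SHA-1 agree with the
    contents. Repacking tools regenerate these, so a modified dex still passes."""
    if len(data) < HEADER_SIZE or data[:8] != DEX_MAGIC:
        return False
    checksum, = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, = struct.unpack_from("<I", data, 32)
    return (file_size == len(data)
            and zlib.adler32(data[12:]) & 0xFFFFFFFF == checksum
            and hashlib.sha1(data[32:]).digest() == signature)


def was_cracked(data: bytes, pinned_signature: bytes) -> bool:
    """wasCracked-style tamper test: compare the dex signature against a value
    pinned at build time (assumed; the game's exact logic is not on the page)."""
    return hashlib.sha1(data[32:]).digest() != pinned_signature


def native_init(data: bytes, pinned_signature: bytes) -> int:
    """Mirror of the nativeInit behaviour: return 0 when the dex does not match,
    which is what makes the Java side throw "Call init() first"."""
    return 0 if was_cracked(data, pinned_signature) else 1


if __name__ == "__main__":
    original = build_dex(b"const/4 v0, 0x0")   # constructed stand-in for classes.dex
    pinned = original[12:32]                     # signature baked into the native lib
    modded = build_dex(b"const/4 v0, 0x1")      # what a repacking tool emits after an edit
    print(header_is_self_consistent(modded))     # True: repacking fixed the header
    print(native_init(original, pinned), native_init(modded, pinned))  # 1 0
```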


Stripped version


IDA View


In x86, to bypass it, change "test al, al" to "test al, 0" (A8 00) and the game will work. I don't know what "test" means, to be honest; I guess it compares registers or something. You can also make wasCracked return false.

In armeabi, change "CMP R1, #0" to "CMP R1, #1" (01 29)


In armeabi-v7a, go to the sub_xxxx of wasCracked and make it return false with "MOV R0, #0" (00 20 70 47)

For the others, figure it out yourself.

That's all. The smart (more like idiot) fake crash bypassed!


Months after I discovered it, they removed libnative-wrapper.so and the fake init crash is no longer present. I guess they already know I discovered the fake crash hahahahaha. Not sure if they added other fake bugs or not.
