Bypassing Bike Race fake crash (Old tutorial)
This tutorial is old. I’m no longer updating it
Decompile, compile, sign and install APK. Game force closed
I took a
look in logcat and found this. "Call init() first", hmm... why does
it need to Call init first?
This is the
code I found on \smali\com\topfreegames\bikerace\AppRemoteConfig.smali
file where the error occured. I looked everywhere and couldn't figure it out
why this happen.
I went to https://www.apk4fun.com/
and look for earlier versions of APKs, I found something interesting. The lib
was added on 7.0.2 while 7.0.1 have no lib. Later version 7.7.0 had all string
stripped out so I disassembled lib from 7.0.2 on IDA which was the first
version it have lib included.
Wow this look interesting
I don't know
where to start looking, so I look all of DexCheck.
Intersting is there is time bomb code in wasCracked
but it doesn't exist in smali and it's not used anyway
I analyze
them all and Xref, and I found Java_com_topfreegames_bikerace_AppRemoteConfig_nativeInit
and Java_com_topfreegames_bikerace_activities_CheatsActivity_nativeGetDexStrings.
The first one look very intersting because they might be related to Init crash
of AppRemoteConfig. Thanks logcat for
useful infomation about AppRemoteConfig
Sorry for my bad diagram XD
So let's
look into Java_com_topfreegames_bikerace_AppRemoteConfig_nativeInit
This is it!
this is the reason why it need to call init() first. If dex was modified, it
will return 0 and crash, else... I don't know what it returns
Stripped
version
IDA View
In x86, to
bypass it, change "test al, al" to "test al, 0" (A8 00) and
the game will work. I don't know what "test" mean to be honest, I
guess it compare register or something. You can also return wasCracked as false.
In armeabi,
change "CMP R1, #0" to "CMP R1, #1" (01 29)
In armeabi-v7a,
go to sub_xxxx of wasCracked and return false "MOV
R0, #0" (00 20 70 47)
Others,
figure out yourself
That's all.
The smart (more like idiot) fake crash bypassed!
Months later
after I discovered it, they removed libnative-wrapper.so and the fake Init
crash no longer present. I guess they already know I discovered fake crash
hahahahaha. Not sure if they add other fake bugs or not.
Comments
Post a Comment