Bypassing Bike Race fake crash (Old tutorial)
This tutorial is old. I'm no longer updating it.
Decompile, compile, sign and install the APK. The game force closes.
![](https://i.imgur.com/G5CZgtO.png)
I took a look in logcat and found this: "Call init() first". Hmm... why does it need to call init() first?
![](https://i.imgur.com/xt3dHqn.png)
This is the code I found in the \smali\com\topfreegames\bikerace\AppRemoteConfig.smali file where the error occurred. I looked everywhere and couldn't figure out why this happens.
![](https://i.imgur.com/Rxn73gC.png)
I went to https://www.apk4fun.com/ and looked for earlier versions of the APK, and I found something interesting. The lib was added in 7.0.2, while 7.0.1 has no lib. The later version 7.7.0 had all strings stripped out, so I disassembled the lib from 7.0.2, the first version that included it, in IDA.
Wow, this looks interesting.
![](https://i.imgur.com/CBwU68C.png)
I didn't know where to start looking, so I looked through all of DexCheck. Interestingly, there is time bomb code in wasCracked, but it doesn't exist in the smali and it's not used anyway.
![](https://i.imgur.com/xpHdK4d.png)
I analyzed them all and their xrefs, and I found Java_com_topfreegames_bikerace_AppRemoteConfig_nativeInit and Java_com_topfreegames_bikerace_activities_CheatsActivity_nativeGetDexStrings. The first one looks very interesting because it might be related to the init crash of AppRemoteConfig. Thanks, logcat, for the useful information about AppRemoteConfig.
Sorry for my bad diagram XD
![](https://i.imgur.com/S0x32m9.png)
So let's look into Java_com_topfreegames_bikerace_AppRemoteConfig_nativeInit.
This is it! This is the reason why it needs to call init() first. If the dex was modified, it will return 0 and crash; else... I don't know what it returns.
![](https://i.imgur.com/t6NFWMj.png)
Stripped version
![](https://i.imgur.com/z6oozS3.png)
IDA View
![](https://i.imgur.com/iu66ESv.png)
In x86, to bypass it, change "test al, al" to "test al, 0" (A8 00) and the game will work. I don't know what "test" means, to be honest; I guess it compares registers or something. You can also return wasCracked as false.
In armeabi, change "CMP R1, #0" to "CMP R1, #1" (01 29).
![](https://i.imgur.com/GPp3sDt.png)
In armeabi-v7a, go to the sub_xxxx of wasCracked and return false: "MOV R0, #0" (00 20 70 47).
For others, figure it out yourself.
That's all.
The smart (more like idiotic) fake crash is bypassed!
Months later, after I discovered it, they removed libnative-wrapper.so and the fake init crash is no longer present. I guess they already knew I had discovered the fake crash, hahahahaha. Not sure if they added other fake bugs or not.