Reversing Android APK

January 1st, 2012, 07:51
I have taken a target called WidgetLocker 2.2.3 that can be found easily on 4shared with Google.

I have started doing the standard APK reversing:
1. Changed the .apk to a zip and extracted
2. Took the "classes.dex" and used the dex2jar tool to convert
3. Used DJ-Java Decompiler to get source code
4. Found the location in the source code for checking the license:


file: com\teslacoilsw\tesladirect\d.java

private transient Integer a()
Integer integer;
Object obj1;
integer = null;
Object obj = null;
obj1 = new HashMap();
String s1 = Long.toString(a);
Object obj2 = ((Map) (obj1)).put("nonce", s1);
Object obj3 = ((Map) (obj1)).put("packageName", "com.teslacoilsw.widgetlocker");
String s2 = b.toString().trim();
Object obj4 = ((Map) (obj1)).put("email", s2);
String s3 = c;
Object obj5 = ((Map) (obj1)).put("deviceId", s3);
String s4 = Build.MODEL;
Object obj6 = ((Map) (obj1)).put("deviceName", s4);
String s5 = d.toString().trim();
Object obj7 = ((Map) (obj1)).put("unlockCode", s5);
String s6 = e;
Object obj8 = ((Map) (obj1)).put("versionCode", s6);
String s7 = f;
Object obj9 = ((Map) (obj1)).put("extra", s7);
JSONObject jsonobject;
String s8 = DirectLicensingEnterCode.a("http://teslacoilsw.com:80/tesladirect/verifyLicense2.pl", ((Map) (obj1)));
jsonobject = new JSONObject(s8);
obj1 = g;
String s9;
if(jsonobject.getInt("canBeta") == 0)
integer = null;
obj1.c = integer;
s9 = jsonobject.getString("lvl");
DirectLicensingEnterCode.b = s9;
if(!TextUtils.isEmpty(s9)) goto _L2; else goto _L1
integer = Integer.valueOf(0x7f0a0162);
return integer;
JSONException jsonexception;
g.c = false;
goto _L3
NumberFormatException numberformatexception;
integer = Integer.valueOf(0x7f0a0164);
goto _L4
StringBuilder stringbuilder = (new StringBuilder()).append("Result: ");
String s10 = DirectLicensingEnterCode.b;
StringBuilder stringbuilder1 = stringbuilder.append(s10);
integer = DirectLicensingEnterCode.b.split("\\{\\}", 2);
if(integer.length == 2)
break label0;
integer = Integer.valueOf(0x7f0a0163);
goto _L4
String s;
String as[];
s = integer[0];
integer = integer[1];
as = s.split("\\|", 2);
if(as.length == 2) goto _L6; else goto _L5
integer = Integer.valueOf(0x7f0a0163);
goto _L4
if(Integer.parseInt(as[0]) != 0) goto _L8; else goto _L7
Signature signature;
byte abyte1[];
signature = Signature.getInstance("SHA1withRSA");
java.security.PublicKey publickey = g.e;
byte abyte0[] = s.getBytes();
abyte1 = dh.a(integer);
if(!signature.verify(abyte1)) goto _L8; else goto _L9
Integer integer1;
android.content.SharedPreferences.Editor editor = g.getSharedPreferences("com.teslacoilsw.licensing.info", 0).edit();
String s11 = b.toString().trim();
android.content.SharedPreferences.Editor editor1 = editor.putString("email", s11);
String s12 = d.toString().trim();
boolean flag = editor1.putString("code", s12).commit();
StringBuilder stringbuilder2 = new StringBuilder();
String s13 = WLApp.a(g);
String s14 = stringbuilder2.append(s13).append("/WidgetLockerLicense.txt").toString();
StringBuilder stringbuilder3 = new StringBuilder();
CharSequence charsequence = b;
StringBuilder stringbuilder4 = stringbuilder3.append(charsequence).append("\n");
CharSequence charsequence1 = d;
String s15 = stringbuilder4.append(charsequence1).append("\n").toString();
boolean flag1 = eg.a(s14, s15);
Intent intent = new Intent("com.teslacoilsw.widgetlocker.ENABLE");
android.content.ComponentName componentname = g.startService(intent);
integer1 = Integer.valueOf(0);
integer = integer1;
goto _L4
UnknownHostException unknownhostexception;
integer = Integer.valueOf(0x7f0a0162);
goto _L4
FileNotFoundException filenotfoundexception;
integer = Integer.valueOf(0x7f0a0162);
goto _L4
JSONException jsonexception1;
integer = Integer.valueOf(0x7f0a0162);
goto _L4
goto _L8
cw cw1;
goto _L8
SignatureException signatureexception;
goto _L8
InvalidKeyException invalidkeyexception;
goto _L8
NoSuchAlgorithmException nosuchalgorithmexception;
goto _L8

A simple patch to this function will ensure no exceptions and we will have a working app.

The issue I'm having is with the next required steps:

5. Decompress files with apktool: apktool d app.apk
During the decompression of the apk applet I'm getting an error:

I: Baksmaling...
I: Loading resource table...
I: Loaded.
I: Loading resource table from file: C:\Users\userName\apktool\framework\1.apk
I: Loaded.
I: Decoding file-resources...
I: Decoding values*/* XMLs...
Exception in thread "main" java.lang.StringIndexOutOfBoundsException: String index out of range: 22
at java.lang.String.charAt(Unknown Source)
at brut.androlib.res.xml.ResXmlEncoders.findNonPositionalSubstitutions(ResXmlEncoders.java:165)
at brut.androlib.res.xml.ResXmlEncoders.hasMultipleNonPositionalSubstitutions(ResXmlEncoders.java:138)
at brut.androlib.res.data.value.ResStringValue.serializeExtraXmlAttrs(ResStringValue.java:63)
at brut.androlib.res.data.value.ResScalarValue.serializeToResValuesXml(ResScalarValue.java:65)
at brut.androlib.res.AndrolibResources.generateValuesFile(AndrolibResources.java:264)
at brut.androlib.res.AndrolibResources.decode(AndrolibResources.java:137)
at brut.androlib.Androlib.decodeResourcesFull(Androlib.java:93)
at brut.androlib.ApkDecoder.decode(ApkDecoder.java:98)
at brut.apktool.Main.cmdDecode(Main.java:120)
at brut.apktool.Main.main(Main.java:57)

This means that I will not be able to patch the code and then rebuild the package with: "apktool e <FOLDER_NAME> out.apk"

Does anyone know how to bypass this?
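
Added example, not part of the original post and not the application's own code: the response handling that the goto-mangled listing above implies, written as a readable, fail-closed verifier for the `code|...{}signature` string with `SHA1withRSA`. The class and method names, the Base64 decoding of the signature (the page's `dh.a` is not shown), the UTF-8 encoding, and the key pair and sample payload are all assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class LicenseResponseCheck {
    // Hypothetical helper: true only if "lvl" is well-formed, reports code 0,
    // and the payload before "{}" is signed by the expected public key.
    static boolean verifyLvl(String lvl, PublicKey key) {
        if (lvl == null || lvl.isEmpty()) return false;
        String[] parts = lvl.split("\\{\\}", 2);      // payload {} signature
        if (parts.length != 2) return false;
        String payload = parts[0];
        String[] fields = payload.split("\\|", 2);    // response code | remaining fields
        if (fields.length != 2) return false;
        try {
            if (Integer.parseInt(fields[0]) != 0) return false;
            Signature sig = Signature.getInstance("SHA1withRSA");
            sig.initVerify(key);                       // bind the expected key
            sig.update(payload.getBytes(StandardCharsets.UTF_8));
            // Assumption: the signature travels Base64-encoded.
            return sig.verify(Base64.getDecoder().decode(parts[1]));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false;                              // any parse or crypto error fails closed
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair and payload standing in for the server side.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        String payload = "0|constructed-sample-fields";
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(payload.getBytes(StandardCharsets.UTF_8));
        String lvl = payload + "{}" + Base64.getEncoder().encodeToString(signer.sign());

        System.out.println("valid response:   " + verifyLvl(lvl, kp.getPublic()));
        System.out.println("modified payload: "
                + verifyLvl(lvl.replace("sample", "tamper"), kp.getPublic()));
        System.out.println("missing signature: " + verifyLvl("0|x", kp.getPublic()));
    }
}
```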


January 1st, 2012, 09:06
issue was resolved with a more updated tool:

January 2nd, 2012, 05:39
Hi LaBBa,

You don't need apktool at all. Patch your stuff according to your needs, write the changes back to the *.apk file and re-sign it with your own custom keys ;D
Why make it so complicated!? Hehe.