Thread: Reversing Android APK


    I have taken a target called WidgetLocker 2.2.3, which can be found easily on 4shared via Google.

    I have started doing the standard APK reversing:
    1. changed the .apk to a .zip and extracted it
    2. took the "classes.dex" and used the dex2jar tool to convert it
    3. used DJ Java Decompiler to get the source code
    4. found the location in the source code that checks the license:

    file: com\teslacoilsw\tesladirect\
        private transient Integer a()
            Integer integer;
            Object obj1;
            integer = null;
            Object obj = null;
            obj1 = new HashMap();
            String s1 = Long.toString(a);
            Object obj2 = ((Map) (obj1)).put("nonce", s1);
            Object obj3 = ((Map) (obj1)).put("packageName", "com.teslacoilsw.widgetlocker");
            String s2 = b.toString().trim();
            Object obj4 = ((Map) (obj1)).put("email", s2);
            String s3 = c;
            Object obj5 = ((Map) (obj1)).put("deviceId", s3);
            String s4 = Build.MODEL;
            Object obj6 = ((Map) (obj1)).put("deviceName", s4);
            String s5 = d.toString().trim();
            Object obj7 = ((Map) (obj1)).put("unlockCode", s5);
            String s6 = e;
            Object obj8 = ((Map) (obj1)).put("versionCode", s6);
            String s7 = f;
            Object obj9 = ((Map) (obj1)).put("extra", s7);
            JSONObject jsonobject;
            String s8 = DirectLicensingEnterCode.a("", ((Map) (obj1)));
            jsonobject = new JSONObject(s8);
            obj1 = g;
            String s9;
            if(jsonobject.getInt("canBeta") == 0)
                integer = null;
            obj1.c = integer;
            s9 = jsonobject.getString("lvl");
            DirectLicensingEnterCode.b = s9;
            if(!TextUtils.isEmpty(s9)) goto _L2; else goto _L1
            integer = Integer.valueOf(0x7f0a0162);
            return integer;
            JSONException jsonexception;
            g.c = false;
              goto _L3
            NumberFormatException numberformatexception;
            integer = Integer.valueOf(0x7f0a0164);
              goto _L4
                StringBuilder stringbuilder = (new StringBuilder()).append("Result: ");
                String s10 = DirectLicensingEnterCode.b;
                StringBuilder stringbuilder1 = stringbuilder.append(s10);
                integer = DirectLicensingEnterCode.b.split("\\{\\}", 2);
                if(integer.length == 2)
                    break label0;
                integer = Integer.valueOf(0x7f0a0163);
              goto _L4
            String s;
            String as[];
            s = integer[0];
            integer = integer[1];
            as = s.split("\\|", 2);
            if(as.length == 2) goto _L6; else goto _L5
            integer = Integer.valueOf(0x7f0a0163);
              goto _L4
            if(Integer.parseInt(as[0]) != 0) goto _L8; else goto _L7
            Signature signature;
            byte abyte1[];
            signature = Signature.getInstance("SHA1withRSA");
            publickey = g.e;
            byte abyte0[] = s.getBytes();
            abyte1 = dh.a(integer);
            if(!signature.verify(abyte1)) goto _L8; else goto _L9
            Integer integer1;
            android.content.SharedPreferences.Editor editor = g.getSharedPreferences("", 0).edit();
            String s11 = b.toString().trim();
            android.content.SharedPreferences.Editor editor1 = editor.putString("email", s11);
            String s12 = d.toString().trim();
            boolean flag = editor1.putString("code", s12).commit();
            StringBuilder stringbuilder2 = new StringBuilder();
            String s13 = WLApp.a(g);
            String s14 = stringbuilder2.append(s13).append("/WidgetLockerLicense.txt").toString();
            StringBuilder stringbuilder3 = new StringBuilder();
            CharSequence charsequence = b;
            StringBuilder stringbuilder4 = stringbuilder3.append(charsequence).append("\n");
            CharSequence charsequence1 = d;
            String s15 = stringbuilder4.append(charsequence1).append("\n").toString();
            boolean flag1 = eg.a(s14, s15);
            Intent intent = new Intent("com.teslacoilsw.widgetlocker.ENABLE");
            android.content.ComponentName componentname = g.startService(intent);
            integer1 = Integer.valueOf(0);
            integer = integer1;
              goto _L4
            UnknownHostException unknownhostexception;
            integer = Integer.valueOf(0x7f0a0162);
              goto _L4
            FileNotFoundException filenotfoundexception;
            integer = Integer.valueOf(0x7f0a0162);
              goto _L4
            JSONException jsonexception1;
            integer = Integer.valueOf(0x7f0a0162);
              goto _L4
              goto _L8
            cw cw1;
              goto _L8
            SignatureException signatureexception;
              goto _L8
            InvalidKeyException invalidkeyexception;
              goto _L8
            NoSuchAlgorithmException nosuchalgorithmexception;
              goto _L8
    A simple patch to this function will ensure no exceptions and we will have a working app.

    The issue I'm having is with the next required steps:

    5. decompress the files with apktool: apktool d app.apk
    During the decompression of the APK applet I'm getting an error:
    I: Baksmaling...
    I: Loading resource table...
    I: Loaded.
    I: Loading resource table from file: C:\Users\userName\apktool\framework\1.apk
    I: Loaded.
    I: Decoding file-resources...
    I: Decoding values*/* XMLs...
    Exception in thread "main" java.lang.StringIndexOutOfBoundsException: String index out of range: 22
    at java.lang.String.charAt(Unknown Source)
    at brut.androlib.res.xml.ResXmlEncoders.findNonPositionalSubstitutions(
    at brut.androlib.res.xml.ResXmlEncoders.hasMultipleNonPositionalSubstitutions(
    at brut.androlib.res.AndrolibResources.generateValuesFile(
    at brut.androlib.res.AndrolibResources.decode(
    at brut.androlib.Androlib.decodeResourcesFull(
    at brut.androlib.ApkDecoder.decode(
    at brut.apktool.Main.cmdDecode(
    at brut.apktool.Main.main(
    This means that I will not be able to patch the code and then rebuild the package with: "apktool e <FOLDER_NAME> out.apk"

    Does anyone know how to bypass this?

    Last edited by LaBBa; January 1st, 2012 at 08:05.
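    The decompiled a() above is hard to read because of the goto labels. As an added example (not the app's own code and not from the thread), here is the check it performs reconstructed in plain Java: the server's "lvl" string is split on "{}" into a data half and a signature half, the data half is split on "|" with a leading status digit that must be 0, and the data bytes are verified with SHA1withRSA against the app's public key. Base64 as the signature encoding (the dh.a() call) and the freshly generated key pair are assumptions; the real app embeds a fixed public key, and the numeric result codes here stand in for the 0x7f0a... string resource ids.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class LvlCheck {
    // Stand-ins for the string resource ids returned by the decompiled a() (assumption)
    static final int OK = 0, BAD_FORMAT = 1, BAD_NUMBER = 2, INVALID = 3;

    // Mirrors the decompiled flow: "<status>|<payload>{}<base64 signature>"
    static int verifyLvl(String lvl, PublicKey pub) throws GeneralSecurityException {
        String[] halves = lvl.split("\\{\\}", 2);
        if (halves.length != 2) return BAD_FORMAT;
        String data = halves[0];
        String[] fields = data.split("\\|", 2);
        if (fields.length != 2) return BAD_FORMAT;
        try {
            if (Integer.parseInt(fields[0]) != 0) return INVALID; // server says not licensed
        } catch (NumberFormatException e) {
            return BAD_NUMBER;
        }
        byte[] rawSig;
        try {
            rawSig = Base64.getDecoder().decode(halves[1]); // assumed encoding for dh.a()
        } catch (IllegalArgumentException e) {
            return BAD_FORMAT;
        }
        Signature sig = Signature.getInstance("SHA1withRSA");
        sig.initVerify(pub);
        sig.update(data.getBytes(StandardCharsets.UTF_8)); // signature covers the data half
        try {
            return sig.verify(rawSig) ? OK : INVALID;
        } catch (SignatureException e) {
            return INVALID; // malformed signature bytes
        }
    }

    // Server side, for the demo only: sign the data half and glue on the signature
    static String issue(String data, PrivateKey priv) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA1withRSA");
        sig.initSign(priv);
        sig.update(data.getBytes(StandardCharsets.UTF_8));
        return data + "{}" + Base64.getEncoder().encodeToString(sig.sign());
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); // constructed test key
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String good = issue("0|user@example.com|DEVICEID", kp.getPrivate());
        System.out.println("good     -> " + verifyLvl(good, kp.getPublic()));
        String tampered = good.replace("0|", "0|x"); // data changed, signature not
        System.out.println("tampered -> " + verifyLvl(tampered, kp.getPublic()));
        System.out.println("nodelim  -> " + verifyLvl("0|abc", kp.getPublic()));
    }
}
```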

    The issue was resolved with a more up-to-date tool:

    Hi LaBBa,

    You don't need apktool at all. Patch your stuff according to your needs, write the changes back to the *.apk file and resign it with your own custom keys ;D
    Why make it so complicated!? Hehe.

    - Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments, but then they appear to last ages... -

