Saturday, April 2, 2011

cracking amazon drm

update: antilvl 1.1.4 can handle amazon drm protection.

amazon has an app store now and they rolled their own drm. Anonymous was kind enough to post a link describing how to crack the protection: http://pastebin.com/cFddguZX

there may be a cleaner solution, and if you find one you are encouraged to share it. here's the code from the link above; the three if-eqz jumps that get commented out are marked:
# virtual methods
.method public final a()V
    .registers 6

    const-string v4, "LICENSE_FAILURE_CONTENT"

    iget-object v0, p0, Lcom/amazon/android/aa/d;->b:Lcom/amazon/android/o/d;

    const-string v1, "APPLICATION_LICENSE"

    invoke-virtual {v0, v1}, Lcom/amazon/android/o/d;->b(Ljava/lang/String;)Z

    move-result v0

    # Comment out first jump
    #if-eqz v0, :cond_14

    sget-object v0, Lcom/amazon/android/aa/d;->a:Lcom/amazon/android/u/a;

    const-string v1, "license verification succeeded"

    invoke-virtual {v0, v1}, Lcom/amazon/android/u/a;->a(Ljava/lang/String;)V

    :goto_13
    return-void

    :cond_14
    invoke-virtual {p0}, Lcom/amazon/android/aa/d;->f()Z

    move-result v0

    # Comment out second jump
    #if-eqz v0, :cond_1d

    invoke-virtual {p0}, Lcom/amazon/android/aa/d;->g()V

    :cond_1d
    new-instance v1, Lcom/amazon/android/l/m;

    iget-object v0, p0, Lcom/amazon/android/aa/d;->b:Lcom/amazon/android/o/d;

    const-string v2, "LICENSE_FAILURE_CONTENT"

    invoke-virtual {v0, v4}, Lcom/amazon/android/o/d;->a(Ljava/lang/String;)Ljava/lang/Object;

    move-result-object v0

    check-cast v0, Lcom/amazon/android/l/d;

    # Comment out third jump
    #if-eqz v0, :cond_3d

    iget-object v2, p0, Lcom/amazon/android/aa/d;->b:Lcom/amazon/android/o/d;

    const-string v3, "LICENSE_FAILURE_CONTENT"

    iget-object v2, v2, Lcom/amazon/android/o/d;->a:Lcom/amazon/android/o/b;

    invoke-virtual {v2, v4}, Lcom/amazon/android/o/b;->c(Ljava/lang/String;)V

    :goto_34
    invoke-direct {v1, v0}, Lcom/amazon/android/l/m;-><init>(Lcom/amazon/android/l/d;)V

    iget-object v0, p0, Lcom/amazon/android/aa/d;->c:Lcom/amazon/android/l/f;

    invoke-interface {v0, v1}, Lcom/amazon/android/l/f;->a(Lcom/amazon/android/l/a;)V

    goto :goto_13

    :cond_3d
    sget-object v0, Lcom/amazon/android/aa/f;->e:Lcom/amazon/android/l/d;

    goto :goto_34
.end method

the class and method names will differ from build to build because of obfuscation, but the string constants survive it. search the disassembled smali for "LICENSE_FAILURE_CONTENT" or "APPLICATION_LICENSE", find the method that uses them, and comment out the three if-eqz jumps marked above. note that once the first jump is gone the method logs "license verification succeeded" and returns, so the second and third patches sit in code that is no longer reachable; they are harmless to make and keep the recipe uniform across builds.
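
as an added example (not antilvl's code and not from the pastebin), here is a short python script that applies the recipe above to disassembled smali: it finds the method that references both license strings and comments out every if-eqz in it, which is exactly the three edits marked in the listing. it assumes the apk has already been unpacked with baksmali and that the obfuscator left the two string constants alone; the smali embedded in it is a constructed, trimmed copy of the method above with the three jumps still live, plus an unrelated method that must not be touched.

```python
"""Automate the three-jump patch from the post above.

Added example, not antilvl's code and not the pastebin's. It assumes the
app has already been disassembled with baksmali and works on the .smali
text: the method that references both license strings is located and its
if-eqz branches are turned into smali comments. The assembler ignores
comment lines and every label stays defined, so the file still assembles.
"""
import re
from pathlib import Path

# The string constants survive obfuscation even when class names do not.
LICENSE_STRINGS = ('"APPLICATION_LICENSE"', '"LICENSE_FAILURE_CONTENT"')

# One .method ... .end method block (baksmali puts both directives at column 0).
METHOD_RE = re.compile(r"^\.method .*?^\.end method", re.S | re.M)

# A conditional jump line: indentation, mnemonic, register, label.
JUMP_RE = re.compile(r"^([ \t]*)(if-eqz[ \t]+\S+,[ \t]*:\S+)[ \t]*$", re.M)


def patch_license_method(smali):
    """Return (patched_text, jumps_commented).

    Only the method containing both license strings is changed; every other
    method in the file is passed through untouched.
    """
    patched_jumps = 0

    def patch_method(match):
        nonlocal patched_jumps
        body = match.group(0)
        if not all(s in body for s in LICENSE_STRINGS):
            return body
        # '#' starts a comment in smali, matching the "#if-eqz" lines above.
        body, n = JUMP_RE.subn(r"\1#\2", body)
        patched_jumps += n
        return body

    return METHOD_RE.sub(patch_method, smali), patched_jumps


def patch_tree(root):
    """Patch every .smali file under root in place; return {path: jumps}."""
    results = {}
    for path in Path(root).rglob("*.smali"):
        patched, n = patch_license_method(path.read_text(encoding="utf-8"))
        if n:
            path.write_text(patched, encoding="utf-8")
            results[str(path)] = n
    return results


# Constructed sample: a trimmed copy of the method above with its three
# jumps still live, plus an unrelated method whose if-eqz must survive.
SAMPLE_SMALI = """\
.class public final Lcom/amazon/android/aa/d;
.super Ljava/lang/Object;

# virtual methods
.method public final a()V
    .registers 6
    const-string v4, "LICENSE_FAILURE_CONTENT"
    iget-object v0, p0, Lcom/amazon/android/aa/d;->b:Lcom/amazon/android/o/d;
    const-string v1, "APPLICATION_LICENSE"
    invoke-virtual {v0, v1}, Lcom/amazon/android/o/d;->b(Ljava/lang/String;)Z
    move-result v0
    if-eqz v0, :cond_14
    return-void
    :cond_14
    invoke-virtual {p0}, Lcom/amazon/android/aa/d;->f()Z
    move-result v0
    if-eqz v0, :cond_1d
    invoke-virtual {p0}, Lcom/amazon/android/aa/d;->g()V
    :cond_1d
    iget-object v0, p0, Lcom/amazon/android/aa/d;->b:Lcom/amazon/android/o/d;
    invoke-virtual {v0, v4}, Lcom/amazon/android/o/d;->a(Ljava/lang/String;)Ljava/lang/Object;
    move-result-object v0
    if-eqz v0, :cond_3d
    return-void
    :cond_3d
    return-void
.end method

.method public final h()Z
    .registers 2
    const/4 v0, 0x0
    if-eqz v0, :cond_0
    const/4 v0, 0x1
    :cond_0
    return v0
.end method
"""

if __name__ == "__main__":
    patched, n = patch_license_method(SAMPLE_SMALI)
    print(f"commented out {n} jump(s)")
    print(patched)
```

run it directly to see the patched sample; patch_tree() does the same over a baksmali output directory, after which the classes get reassembled with smali and the apk re-signed before it will install. the search is a string heuristic, so check the count it reports (the recipe above expects three) before reassembling a build that may be obfuscated differently.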

i'll be adding this functionality to the next release of antilvl. it will also contain a few more bypasses for anti-cracking techniques i've seen, and some improvements in lvl fingerprinting.

9 comments:

  1. Awesome..Please keep up the great work

  2. How is amazon injecting code into the APK and getting it to run?

  3. I'm not sure. Either the developer sets it up and sends it in (likely) or they have some automated patching system (unlikely).

  4. Just in case you want to batch patch your amazon apps. (NOTE: The weirdness in sed is because bash on OS X is weird.)
    [code]
    #!/bin/bash
    # Run antilvl's amazon-only patch over every APK under 2b_patched/.
    # find -print0 with read -d '' keeps file names containing spaces
    # intact, so no IFS or sed tricks are needed. java runs in the
    # foreground, so each APK finishes before the next one starts.
    find 2b_patched -name '*.apk' -type f -print0 |
    while IFS= read -r -d '' apk; do
        java -jar ./antilvl.jar --amazon-only "$apk"
    done
    [/code]

    All you need is this script and a folder called 2b_patched in the same path as antilvl.jar.

    HTH

  5. why hello HTH. i've enjoyed reading your various posts at various sites. ;) very clever. thanks for the sharing tip.

  6. Where do I write this code on an Android cellphone?

    1. Try zombo.com. You can do anything at zombo.com. The only limit is yourself.

