Saturday, April 2, 2011

cracking amazon drm

update: antilvl 1.1.4 can handle amazon drm protection.

amazon has an app store now and they rolled their own drm. Anonymous was kind enough to post a link describing how to crack the protection:

there may be a cleaner solution, and if you find one you are encouraged to share it. here's the code from the above link but syntax highlighted:
# virtual methods
.method public final a()V
    .registers 6

    const-string v4, "LICENSE_FAILURE_CONTENT"

    iget-object v0, p0, Lcom/amazon/android/aa/d;->b:Lcom/amazon/android/o/d;

    const-string v1, "APPLICATION_LICENSE"

    invoke-virtual {v0, v1}, Lcom/amazon/android/o/d;->b(Ljava/lang/String;)Z

    move-result v0

    # Comment out first jump
    #if-eqz v0, :cond_14

    sget-object v0, Lcom/amazon/android/aa/d;->a:Lcom/amazon/android/u/a;

    const-string v1, "license verification succeeded"

    invoke-virtual {v0, v1}, Lcom/amazon/android/u/a;->a(Ljava/lang/String;)V


    invoke-virtual {p0}, Lcom/amazon/android/aa/d;->f()Z

    move-result v0

    # Comment out second jump
    #if-eqz v0, :cond_1d

    invoke-virtual {p0}, Lcom/amazon/android/aa/d;->g()V

    new-instance v1, Lcom/amazon/android/l/m;

    iget-object v0, p0, Lcom/amazon/android/aa/d;->b:Lcom/amazon/android/o/d;

    const-string v2, "LICENSE_FAILURE_CONTENT"

    invoke-virtual {v0, v4}, Lcom/amazon/android/o/d;->a(Ljava/lang/String;)Ljava/lang/Object;

    move-result-object v0

    check-cast v0, Lcom/amazon/android/l/d;

    # Comment out third jump
    #if-eqz v0, :cond_3d

    iget-object v2, p0, Lcom/amazon/android/aa/d;->b:Lcom/amazon/android/o/d;

    const-string v3, "LICENSE_FAILURE_CONTENT"

    iget-object v2, v2, Lcom/amazon/android/o/d;->a:Lcom/amazon/android/o/b;

    invoke-virtual {v2, v4}, Lcom/amazon/android/o/b;->c(Ljava/lang/String;)V

    invoke-direct {v1, v0}, Lcom/amazon/android/l/m;->(Lcom/amazon/android/l/d;)V

    iget-object v0, p0, Lcom/amazon/android/aa/d;->c:Lcom/amazon/android/l/f;

    invoke-interface {v0, v1}, Lcom/amazon/android/l/f;->a(Lcom/amazon/android/l/a;)V

    goto :goto_13

    sget-object v0, Lcom/amazon/android/aa/f;->e:Lcom/amazon/android/l/d;

    goto :goto_34
.end method

the file name will likely always be different with obfuscation. just search for strings like "LICENSE_FAILURE_CONTENT" or "APPLICATION_LICENSE" and perform the three modifications mentioned above.

i'll be adding this functionality to the next release of antilvl. it will also contain a few more bypasses for anti-cracking techniques i've seen, and some improvements in lvl fingerprinting.


  1. Awesome..Please keep up the great work

  2. How is amazon injecting code into the APK and getting it to run?

  3. I'm not sure. Either the developer sets it up and sends it in (likely) or they have some automated patching system (unlikely).

  4. Just in case you want to batch patch your amazon apps. (NOTE: The weirdness in sed is cause bash on OS X is weird.)

    for i in $( find 2b_patched -name '*.apk' -type f | sed 's/\'$'\s//' | tr '\n' ':' )
    java -jar ./antilvl.jar --amazon-only ./$i

    All you need is this script, and a folder called 2b_patched int the same file path as antilvl.jar


  5. why hello HTH. i've enjoyed reading your various posts at various sites. ;) very clever. thanks for the sharing tip.

  6. Where to write this code in android cellphone

    1. Try You can do anything at The only limit is yourself.

  7. Will surely come and visit this blog more often. Thanks for sharing.
    facetime for android

  8. There is still this red scren coming up on JK3 touch when i try this. The app runs fine. I found out this is another security measure put in. Any fixes?

  9. Found your post interesting to read. I cant wait to see your post soon.
    Good Luck for the upcoming update.This article is really very interesting and effective.


Do NOT post about or link to specific apps!