Friday, June 10, 2011

cracking verizon's v cast apps drm

verizon has a new app store. it has an amazon-store-like drm that's fairly simple to crack.

here's how it works. in the launching activity a thread is started that calls checkLicense(). this was in com/cp/app/MainActivity$2.smali:
.method public run()V
    .locals 2

    .prologue
    .line 100
    invoke-static {}, Landroid/os/Looper;->prepare()V

    .line 102
    :try_start_0
    iget-object v0, p0, Lcom/cp/app/MainActivity$2;->this$0:Lcom/cp/app/MainActivity;

    iget-object v0, v0, Lcom/cp/app/MainActivity;->licenseAuthenticator:Lcom/verizon/vcast/apps/LicenseAuthenticator;

    sget-object v1, Lcom/cp/app/MainActivity;->verizonAppKeyword:Ljava/lang/String;

    # call checkLicense and store result in v0
    invoke-virtual {v0, v1}, Lcom/verizon/vcast/apps/LicenseAuthenticator;->checkLicense(Ljava/lang/String;)I
    move-result v0

    .line 103
    iget-object v1, p0, Lcom/cp/app/MainActivity$2;->this$0:Lcom/cp/app/MainActivity;

    # send result of checkLicense (v0) to isDRMDone()
    invoke-virtual {v1, v0}, Lcom/cp/app/MainActivity;->isDRMDone(I)Z
    move-result v0

    # isDRMDone() handles error messages and returns true when all is good
    if-eqz v0, :cond_0

    # ... rest of code

if you look at isDRMDone() you'll see that it's basically a big switch. an input of 0 or 1 counts as valid; everything else is some kind of error. so we just need to make sure checkLicense returns 1 and doesn't call anything else that may have side effects (timeouts, checking to see if the verizon app store is installed, etc.).

checkLicense() is defined in com/verizon/vcast/apps/LicenseAuthenticator.smali. after modification it looks like:
.method public declared-synchronized checkLicense(Ljava/lang/String;)I
    .locals 10
    .parameter "keyword"

    .prologue
    
    # just set v0 to true and return
    # the rest of the code never runs
    const/4 v0, 0x1
    return v0

    const/16 v9, 0x64

    const-string v7, "checkLicense() finished.  Trying to shutDownLicenseService()"

    const-string v7, "LicenseAuthenticator"

    .line 256
    monitor-enter p0

    :try_start_0
    const-string v7, "LicenseAuthenticator"

    const-string v8, "begin checkLicense()"

    # ... rest of code

if you're a developer, depending on how they implement the insertion of their drm, it may still be possible to use classical protection / anti-tampering techniques. i'd like to know. but really though, don't waste your time on protection. i'm not blasting verizon or amazon or google for weak security. real effort should be spent improving the program, not slowing down (because you can't stop) crackers. if you want money, use ads.

19 comments:

  1. Which apk are you referring to here?
  2. i do not post anything regarding specific apps. that would be straight up illegal. this is a general case. yours may be modified beyond recognition.
  3. This comment has been removed by the author.
  4. @ Lohan
    Hi.. I'm a bit of a noob who's trying to edit some apps n got stuck..

    this particular app wont resize for my Asus Transformer.. it's TouchOSC

    I got main menus fixed but as soon as I try using the control surface (layout) it stays in small screen.. n I did try editing layout file (.xml).. which did nothing..

    so I'm thinking it's .smali files I've got.. is there a way .smali files would be able to control screen size?? if so how?

    here's .smali's

    http://stackoverflow.com/questions/6688448/smali-files-and-screen-size-issue-in-touchosc
  5. @Waryam i do not fully understand you.

    @fr1s have you considered contacting the developer? they might be able to fix it readily. the file you posted is a viewgroup, so you might want to fully understand how android treats those. it could be something in the xml or it could be something in the code. check out http://developer.android.com/reference/android/view/ViewGroup.html and look for anything useful. viewgroups contain child views and maybe those aren't resizing. sorry, i don't know much more about this.
  6. well thank you for help anyways :)
    I didn't contact the developer.. but nothing so far
  7. I mean I did back few days ago..
    typed wrong thing
  8. Anyways..
    would you mind taking a look?? maybe i missed something

    http://www.mediafire.com/?p300cpn0t7634v5 .apk file
    http://www.mediafire.com/?i8b8c56x0rp8e85 rest of the stuff inside
  9. hi lohan, i'm having an issue and i was wondering if you could offer any insight. i posted my problem here: http://stackoverflow.com/questions/7130324/calling-a-class-method-within-a-third-party-apk-from-a-class-onclick-in-android-p

    if you have any suggestions, plz contact me at jsnake862@gmail.com. i would be extraordinarily grateful.
  10. "if you want money, use ads."

    I do agree with you, but just these past few weeks I'm seeing alarming amounts of ANDROID ADFREE releases, meaning that for some people, even getting the program free is not enough, they will rip the ads out too.

    Have you checked how these rips are done or do you have any tips for implementing ad supported apps that won't have this fate?
  11. @Anonymous, i don't know anything about these people. there's really no easy way to prevent it from happening. removing ads can be as simple as modifying resources by removing the layout element, or by breaking part of the ad library. if i knew something easy, i'd tell you.
  12. Thanks. That was my guess too, it's a shame that this can turn in to exactly the same cat and mouse game that wastes precious time that could be used to improve the games/apps.

    Our game hasn't been released yet, so I'll probably try to find some statistics of this before implementing protective measures. If the "ADFREE" players are rare enough, as I hope, it's not worth putting effort into.
  13. Ads are antithetical to free

    Once adware is ripped from an app claimed to be free it becomes actually-free

    I remove license check because app X does NOT need internet access. I do buy apps. I do NOT tolerate the PRIVACY RAPING that is allowing apps to render interweb ads
  14. roberto, you have some interesting opinions on rape and privacy. i wonder if you would still have the exact same opinion if you were a developer.
  15. Lohan+
    Who the fuck are you to say how a developer should monetize on his effort? Have you developed an app, do you know how much you get from ADs? If you are lucky you might get enough to buy a beer...
    ADs need Internet access, most of the moronic android users do not know what internet is, or the ones who do simply shut down the ads...

    You are stealing and telling people how to steal, this is far worse and actually a couple of developers are already in contact with blogspot to reveal your contact details.
  16. White text on black background - you sir truly are a moron!!
  17. over generalization is a sign of supreme intelligence. your advice is as profound as it is genius. thank you. my life is forever changed.
  18. good article. I have implemented something similar to this in one of my apps. I wish good luck to the eventual cracker though, if that ever happens :)
  19. Amazing Post!
    I love it. Will come back again - taking your feeds also.
    Thanks.
    iCaption That

Do NOT post about or link to specific apps!