Monday, October 17, 2011

protection using checksums and key / unlocker apps

if an app requires an unlocker key app, it's likely there will be protection hidden in the key. perhaps the key performs a checksum on the main app, or the key stores pre-computed checksum values for the main app. this is easy to add if you're a developer and is somewhat tricky to handle as a cracker. the reason is the cracker must know how to calculate the checksums himself and inject those values into the app.

calculating checksums is a way to determine if your apk has been modified. there are at least four easy methods to do this. they are: md5, sha1, crc32 and adler32. once you run these guys on your apk you will have either a long number or a byte array. of course, you can't store the checksum in your main app since you wont know the checksum until the app is finished. for this reason, either the calculations or just the checksum values must be stored in another app signed by the same certificate, such as a key / unlocker app.

here's some example code of what the protection may look like in java:
// Copied directly and made private from R.java of Key App
// After creating strings..
private static final int tt_crc32=0x7f040002;
private static final int tt_md5=0x7f040004;

public static TestResult checkCRC32ChkSum() {
  // Get path to our apk on the system.
  String apkPath = Main.MyContext.getPackageCodePath();
  Long chksum = null;
  try {
    // Open the file and build a CRC32 checksum.
    // You could also use Adler32 in place of CRC32.
    FileInputStream fis = new FileInputStream(new File(apkPath));
    CRC32 chk = new CRC32();
    
    CheckedInputStream cis = new CheckedInputStream(fis, chk);
    byte[] buff = new byte[80];
    while ( cis.read(buff) >= 0 ) ;
    
    chksum = chk.getValue();
  } catch (Exception e) {
    e.printStackTrace();
  }

  // After creating your apk, calculate the crc32 checksum
  // and store it as a string value in the KEY / unlock App.
  String keyStrVal = getKeyString(tt_crc32);
  
  // Key is not installed.
  if ( keyStrVal.equals("") ) {
    // Key not installed. Validation failure.
  }
  
  Long chksumCmp = Long.parseLong(keyStrVal);
  
  if ( chksum.equals(chksumCmp) ) {
    // Success. Checksum stored in key matches the
    // checksum we just created. We can assume APK
    // is not modified. Kinda.
  }
  else {
    // Validation failure! Apk has been modified.
  }
}

public static TestResult checkMD5ChkSum() {
  // Do pretty much the exact same thing here,
  // except instead of a CRC32 checksum, we'll be
  // using an MD5 digest. You could also use SHA1.
  // Any cracker worth his salt will immediately recognize
  // CRC32 and MD5 keywords and know them to be checksum
  // attempts. Using Adler32 or SHA1 may put them off.
  String apkPath = Main.MyContext.getPackageCodePath();
  MessageDigest msgDigest = null;
  byte[] digest = null;
  try {
    msgDigest = MessageDigest.getInstance("MD5");
  } catch (NoSuchAlgorithmException e1) {
    e1.printStackTrace();
  }
  
  byte[] bytes = new byte[8192];
  int byteCount;
  FileInputStream fis = null;
  
  try {
    fis = new FileInputStream(new File(apkPath));

    while ((byteCount = fis.read(bytes)) > 0)
      msgDigest.update(bytes, 0, byteCount);
    
    digest = msgDigest.digest();
  } catch (Exception e) {
    e.printStackTrace();
  }

  String keyStrVal = getKeyString(tt_md5);
  // Key is not installed.
  if ( keyStrVal.equals("") ) {
    // Key not installed. Validation failure.
  }

  // Using Base64 encoding is just a lazy way to store byte arrays.
  // You -could- also embed the values in the code of the Apk
  // Read more here:
  // http://stackoverflow.com/questions/2721386/android-how-to-share-code-between-projects-signed-with-the-same-certificate
  if ( Arrays.equals(Base64.decode(keyStrVal, Base64.DEFAULT), digest) )
    // Validated
  else
    // Apk has been modified
}


private static String getKeyString(int resId) {
  // You will need this to retrieve the stored checksums from the KEY App.
  String result = "";
  
  try {
    Context c = Main.MyContext.createPackageContext("your.package.name.key", Context.CONTEXT_IGNORE_SECURITY);
    result = c.getString(resId);
  } catch (Exception e) {
    Console.log("Error while getting key string:\n" + e);
    e.printStackTrace();
    result = "";
  }
  
  return result;
}


and here's what the above java looks like in smali, so you have some idea what to look for. cracking this will require you to write an app that simulates how the app calculates the checksum. then you'll have to come up with a clever way to get the value into the smali. if it's a long number, this is fairly easy, but if it's a byte array, you may need to use base64 encoding or some other method to make a byte array safe for literal strings. the keywords to look for, of course, are md5, sha1, crc32 and adler32. they may not appear at all if the developer is using reflection to make the method calls.
.method public static checkCRC32ChkSum()V
    .locals 11

    .prologue
    .line 934
    sget-object v9, Lcom/lohan/testtarget/Main;->MyContext:Landroid/content/Context;

    invoke-virtual {v9}, Landroid/content/Context;->getPackageCodePath()Ljava/lang/String;

    move-result-object v0

    .line 935
    .local v0, apkPath:Ljava/lang/String;
    const/4 v3, 0x0

    .line 939
    .local v3, chksum:Ljava/lang/Long;
    :try_start_0
    new-instance v7, Ljava/io/FileInputStream;

    new-instance v9, Ljava/io/File;

    invoke-direct {v9, v0}, Ljava/io/File;->(Ljava/lang/String;)V

    invoke-direct {v7, v9}, Ljava/io/FileInputStream;->(Ljava/io/File;)V

    .line 940
    .local v7, fis:Ljava/io/FileInputStream;
    new-instance v2, Ljava/util/zip/CRC32;

    invoke-direct {v2}, Ljava/util/zip/CRC32;->()V

    .line 942
    .local v2, chk:Ljava/util/zip/CRC32;
    new-instance v5, Ljava/util/zip/CheckedInputStream;

    invoke-direct {v5, v7, v2}, Ljava/util/zip/CheckedInputStream;->(Ljava/io/InputStream;Ljava/util/zip/Checksum;)V

    .line 943
    .local v5, cis:Ljava/util/zip/CheckedInputStream;
    const/16 v9, 0x50

    new-array v1, v9, [B

    .line 944
    .local v1, buff:[B
    :cond_0
    invoke-virtual {v5, v1}, Ljava/util/zip/CheckedInputStream;->read([B)I

    move-result v9

    if-gez v9, :cond_0

    .line 946
    invoke-virtual {v2}, Ljava/util/zip/CRC32;->getValue()J

    move-result-wide v9

    invoke-static {v9, v10}, Ljava/lang/Long;->valueOf(J)Ljava/lang/Long;
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

    move-result-object v3

    .line 953
    .end local v1           #buff:[B
    .end local v2           #chk:Ljava/util/zip/CRC32;
    .end local v5           #cis:Ljava/util/zip/CheckedInputStream;
    .end local v7           #fis:Ljava/io/FileInputStream;
    :goto_0
    const v9, 0x7f040002

    invoke-static {v9}, Lcom/lohan/testtarget/PerformTestsTask;->getKeyString(I)Ljava/lang/String;

    move-result-object v8

    .line 956
    .local v8, keyStrVal:Ljava/lang/String;
    const-string v9, ""

    invoke-virtual {v8, v9}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    .line 960
    invoke-static {v8}, Ljava/lang/Long;->parseLong(Ljava/lang/String;)J

    move-result-wide v9

    invoke-static {v9, v10}, Ljava/lang/Long;->valueOf(J)Ljava/lang/Long;

    move-result-object v4

    .line 962
    .local v4, chksumCmp:Ljava/lang/Long;
    invoke-virtual {v3, v4}, Ljava/lang/Long;->equals(Ljava/lang/Object;)Z

    .line 970
    return-void

    .line 947
    .end local v4           #chksumCmp:Ljava/lang/Long;
    .end local v8           #keyStrVal:Ljava/lang/String;
    :catch_0
    move-exception v9

    move-object v6, v9

    .line 948
    .local v6, e:Ljava/lang/Exception;
    invoke-virtual {v6}, Ljava/lang/Exception;->printStackTrace()V

    goto :goto_0
.end method

.method public static checkMD5ChkSum()V
    .locals 12

    .prologue
    const/4 v11, 0x0

    .line 981
    sget-object v10, Lcom/lohan/testtarget/Main;->MyContext:Landroid/content/Context;

    invoke-virtual {v10}, Landroid/content/Context;->getPackageCodePath()Ljava/lang/String;

    move-result-object v0

    .line 982
    .local v0, apkPath:Ljava/lang/String;
    const/4 v9, 0x0

    .line 983
    .local v9, msgDigest:Ljava/security/MessageDigest;
    const/4 v3, 0x0

    check-cast v3, [B

    .line 985
    .local v3, digest:[B
    :try_start_0
    const-string v10, "MD5"

    invoke-static {v10}, Ljava/security/MessageDigest;->getInstance(Ljava/lang/String;)Ljava/security/MessageDigest;
    :try_end_0
    .catch Ljava/security/NoSuchAlgorithmException; {:try_start_0 .. :try_end_0} :catch_0

    move-result-object v9

    .line 990
    :goto_0
    const/16 v10, 0x2000

    new-array v2, v10, [B

    .line 992
    .local v2, bytes:[B
    const/4 v6, 0x0

    .line 995
    .local v6, fis:Ljava/io/FileInputStream;
    :try_start_1
    new-instance v7, Ljava/io/FileInputStream;

    new-instance v10, Ljava/io/File;

    invoke-direct {v10, v0}, Ljava/io/File;->(Ljava/lang/String;)V

    invoke-direct {v7, v10}, Ljava/io/FileInputStream;->(Ljava/io/File;)V
    :try_end_1
    .catch Ljava/lang/Exception; {:try_start_1 .. :try_end_1} :catch_2

    .line 997
    .end local v6           #fis:Ljava/io/FileInputStream;
    .local v7, fis:Ljava/io/FileInputStream;
    :goto_1
    :try_start_2
    invoke-virtual {v7, v2}, Ljava/io/FileInputStream;->read([B)I

    move-result v1

    .local v1, byteCount:I
    if-gtz v1, :cond_0

    .line 1000
    invoke-virtual {v9}, Ljava/security/MessageDigest;->digest()[B
    :try_end_2
    .catch Ljava/lang/Exception; {:try_start_2 .. :try_end_2} :catch_1

    move-result-object v3

    move-object v6, v7

    .line 1005
    .end local v1           #byteCount:I
    .end local v7           #fis:Ljava/io/FileInputStream;
    .restart local v6       #fis:Ljava/io/FileInputStream;
    :goto_2
    const v10, 0x7f040004

    invoke-static {v10}, Lcom/lohan/testtarget/PerformTestsTask;->getKeyString(I)Ljava/lang/String;

    move-result-object v8

    .line 1007
    .local v8, keyStrVal:Ljava/lang/String;
    const-string v10, ""

    invoke-virtual {v8, v10}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    .line 1015
    invoke-static {v8, v11}, Landroid/util/Base64;->decode(Ljava/lang/String;I)[B

    move-result-object v10

    invoke-static {v10, v3}, Ljava/util/Arrays;->equals([B[B)Z

    .line 1020
    return-void

    .line 986
    .end local v2           #bytes:[B
    .end local v6           #fis:Ljava/io/FileInputStream;
    .end local v8           #keyStrVal:Ljava/lang/String;
    :catch_0
    move-exception v10

    move-object v5, v10

    .line 987
    .local v5, e1:Ljava/security/NoSuchAlgorithmException;
    invoke-virtual {v5}, Ljava/security/NoSuchAlgorithmException;->printStackTrace()V

    goto :goto_0

    .line 998
    .end local v5           #e1:Ljava/security/NoSuchAlgorithmException;
    .restart local v1       #byteCount:I
    .restart local v2       #bytes:[B
    .restart local v7       #fis:Ljava/io/FileInputStream;
    :cond_0
    const/4 v10, 0x0

    :try_start_3
    invoke-virtual {v9, v2, v10, v1}, Ljava/security/MessageDigest;->update([BII)V
    :try_end_3
    .catch Ljava/lang/Exception; {:try_start_3 .. :try_end_3} :catch_1

    goto :goto_1

    .line 1001
    .end local v1           #byteCount:I
    :catch_1
    move-exception v10

    move-object v4, v10

    move-object v6, v7

    .line 1002
    .end local v7           #fis:Ljava/io/FileInputStream;
    .local v4, e:Ljava/lang/Exception;
    .restart local v6       #fis:Ljava/io/FileInputStream;
    :goto_3
    invoke-virtual {v4}, Ljava/lang/Exception;->printStackTrace()V

    goto :goto_2

    .line 1001
    .end local v4           #e:Ljava/lang/Exception;
    :catch_2
    move-exception v10

    move-object v4, v10

    goto :goto_3
.end method

.method private static asdfgetKeyString(I)Ljava/lang/String;
    .locals 6
    .parameter "resId"

    .prologue
    .line 1025
    const-string v2, ""

    .line 1028
    .local v2, result:Ljava/lang/String;
    :try_start_0
    sget-object v3, Lcom/lohan/testtarget/Main;->MyContext:Landroid/content/Context;

    const-string v4, "your.package.name.key"

    const/4 v5, 0x2

    invoke-virtual {v3, v4, v5}, Landroid/content/Context;->createPackageContext(Ljava/lang/String;I)Landroid/content/Context;

    move-result-object v0

    .line 1029
    .local v0, c:Landroid/content/Context;
    invoke-virtual {v0, p0}, Landroid/content/Context;->getString(I)Ljava/lang/String;
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

    move-result-object v2

    .line 1036
    .end local v0           #c:Landroid/content/Context;
    :goto_0
    return-object v2

    .line 1030
    :catch_0
    move-exception v3

    move-object v1, v3

    .line 1031
    .local v1, e:Ljava/lang/Exception;
    new-instance v3, Ljava/lang/StringBuilder;

    const-string v4, "Error while getting key string:\n"

    invoke-direct {v3, v4}, Ljava/lang/StringBuilder;->(Ljava/lang/String;)V

    invoke-virtual {v3, v1}, Ljava/lang/StringBuilder;->append(Ljava/lang/Object;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v3

    invoke-static {v3}, Lcom/lohan/testtarget/Console;->log(Ljava/lang/String;)V

    .line 1032
    invoke-virtual {v1}, Ljava/lang/Exception;->printStackTrace()V

    .line 1033
    const-string v2, ""

    goto :goto_0
.end method

7 comments :

  1. Hi lohan+, is there any way to crack lite app to full app ?

    ReplyDelete
  2. sometimes. :D (what kind of answer did you expect?)

    ReplyDelete
  3. I want instruction for changing smali file or something else :D Some lite apps have full feature but they disable user from using full feature, i want to learn to unlock this !
    Thanks !

    ReplyDelete
  4. there is no _one_ way to crack an app just as there is no _one_ way to program one or _one_ way to convince someone that eating apples is good. you will have to analyze and understand each app individually and determine if the lite version is just a crippled full version or if it is lacking certain assets or programming that make it impossible to "unlock".

    ReplyDelete
  5. Hi, lohan+! The thing is, it always breaks down to a single instruction: the instruction on line 36: chksum.equals(chksumCmp) can simply set to a constant which is true in bytecode. Do you have a suggestion concerning this single point of failure?

    -Adi

    ReplyDelete
  6. hello Adi, not sure what you mean by "suggestion". how to crack or how to protect against? to crack, yes, you can just replace the equals and move-result with something like const/4 v#, 0x1 to make it always equal. sometimes reflection is employed, along with encrypted strings, to make the equals invocation look different. does this answer your question?

    ReplyDelete
  7. Thanks for your fast reply! I meant to protect against cracking. The only way I can see is to compare two computed public fields in multiple locations of the execution flow.
    -Adi

    ReplyDelete

Do NOT post about or link to specific apps!