How to switch from jailbroken APK to Java code? One-click tool hacked my application

So, I published an Android application, I worked it out, applied LVL and even changed the LVL code, but in any case, I found it somewhere using the Lucky Patcher tool. I am not going to ask how I can protect against such tools with one click, as I think there is no single answer (unless you have an idea and cannot point to it).

I need to ask you to help figure out how my code was hacked. I understand that this tool accepts the APK file and removes the license. Now, considering this, how can I take this APK file and reverse engineer it back into Java files to see how the tool cracked my code (so I can fix it)?

Please help me, thanks.

+7
5 answers

After Proguard there is no way to decompile your code into public Java.
Although this complicates the reverse engineering process, it is not possible for a smart reverser to define a hidden algorithm.

As for the tools,
Use android-apktool to decompile smali and extract all encoded xml resources.
Use dex2jar to transfer Dalvik to the jar and finally jd-gui to see the resulting Java reverse code

+1

Piracy is a big problem, and I don’t think that any platform or OS can be completely protected from it.

However, Google has already made several guards to protect against it, for example: http://www.google.com/events/io/2011/sessions/evading-pirates-and-stopping-vampires-using-license-verification-library-in-app-billing-and-app-engine.html

Also: http://android-developers.blogspot.co.il/2010/09/securing-android-lvl-applications.html

I think you can also use some complex hurdles using C instead of Java.

Just as Google suggests, consider using a different approach: make the basic functions free and make everything else available for purchase through billing in the application. You can also add ads and features to remove them by billing in the app.

+1

Here is a lot of information on how to switch from a DEX file back to a Java source. Also, have you looked at this blog post that discusses many ways to protect your source?

+1

I thought about this, and it seems that if you really want to protect your application from hackers, there is only one way to do this. You can implement all kinds of fancy insurance methods for your application, which is licensed and paid, as described in a Google article, but all that is required is a good hacker to decompile your application and find where the code is located, then comment on it or change the function to always return true.

Instead, run some of your application, which is required for use in jni / ndk, and check for validation in this code. It doesn't have to be extremely complex code, but you can't just put something like a function (like checkValidity), as the user can easily comment on the java call that calls into ndk. Instead, you should make some call to your ndk in order to actually do something that is not trivial to run your application, that the user cannot simply comment on or off with a specific function that does the same. From the ndk code, check the integrity / licensing of your application, and if it fails to destroy the application or something else you need to do.

To get around this, the hacker will need to re-implement the ndk code or reverse engineer it. Which should be much more complicated and not worth it.

This is obviously not a simple solution and still does not guarantee that your application will never be hacked, but it is much harder to break than other methods.

+1
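The idea in the answer above (native code that does real work for the app, with the integrity input folded into that work so there is no single check to remove), as an added example that is not part of the original answer. It assumes the integrity input is the signing certificate bytes; `RELEASE_CERT`, `LEVEL_DATA`, `unseal` and `data_survives` are hypothetical names, the sample values are constructed, and FNV-1a with an XOR keystream stands in for a real hash and cipher.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the release signing certificate bytes; the
   assumption is that a real app obtains them at run time and hands them
   to native code over JNI. */
static const char RELEASE_CERT[] = "constructed-release-signing-cert";
/* Constructed stand-in for data the app cannot run without. */
static const char LEVEL_DATA[] = "level-1:spawn=3,7;exit=9,2";

/* FNV-1a: toy stand-in for a real hash such as SHA-256. */
static uint32_t fnv1a(const char *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= (uint8_t)p[i]; h *= 16777619u; }
    return h;
}

/* XOR with an LCG keystream: toy stand-in for a real cipher.
   Applying it twice with the same key restores the input. */
static void xor_stream(uint32_t key, const char *in, char *out, size_t n) {
    for (size_t i = 0; i < n; i++) {
        key = key * 1664525u + 1013904223u;
        out[i] = (char)((uint8_t)in[i] ^ (uint8_t)(key >> 24));
    }
}

/* Run-time path: there is no pass/fail branch to patch out. The certificate
   of the installed build is the key, so a different one yields garbage. */
void unseal(const char *cert, const char *sealed, char *plain, size_t n) {
    xor_stream(fnv1a(cert, strlen(cert)), sealed, plain, n);
}

/* Demo harness: seal at "build time", unseal with the given certificate,
   return 1 if the app's data came back intact and 0 otherwise. */
int data_survives(const char *installed_cert) {
    char sealed[sizeof LEVEL_DATA], plain[sizeof LEVEL_DATA];
    xor_stream(fnv1a(RELEASE_CERT, strlen(RELEASE_CERT)),
               LEVEL_DATA, sealed, sizeof LEVEL_DATA);
    unseal(installed_cert, sealed, plain, sizeof LEVEL_DATA);
    return memcmp(plain, LEVEL_DATA, sizeof LEVEL_DATA) == 0;
}

int main(void) {
    printf("release build:   %d\n", data_survives(RELEASE_CERT));
    printf("re-signed build: %d\n", data_survives("constructed-other-cert"));
    return 0;
}
```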

I personally believe that Obfuscation {Proguard, Dexguard} and native {.so} are quite effective if used correctly.

It definitely hides less experienced “players” and definitely complicates the life of even experienced “players”

Don't just copy / paste the Google code examples for Android ....

0
