475

I'll start implementing this in my apps too.

Comments
  • 60
    As if any competent cracker didn't use a VM and/or was connected to the internet when they crack something.

    Great way to scare off script kiddies though.
  • 2
    Can anyone explain what this is and how to implement it?
  • 13
    @CozyPlanes probably just a pop up box when you install the app
  • 15
    @CozyPlanes or a pop-up when it detects a value has been changed externally.
  • 24
    @CozyPlanes shows the dialog if the signature changed (the app has been decompiled, modified, and recompiled)
  • 31
    You know this would be a perfect cheating counter measure for games but make it reset progress each time
  • 8
    @jckimble why would you say such terrible things 😢😢😉😆
  • 26
    @ScribeOfGoD cause as people tell me im a heartless evil bastard
  • 4
    @jckimble hmmm. They could do it in say bf4 and bf1. Because those games have loads of h4ck3rs lol
  • 40
    Lol.
    1. Decompile
    2. find the IsThiAppHackzed() function
    3. insert return false; at the top
    4. ???
    5. Profit

    Smali all the way
  • 3
    👈👈👈 @RexOmni check out my bio
  • 3
    @Kimmax
    Deobfuscation FTW
  • 17
    @jckimble Actually someone did something like that on an old Nintendo console: if the game was not original you could play until the last boss but before killing him the console was force-rebooted and all the saves deleted. Maybe the game is earth bound or something like that.
  • 13
    Yeah it's Earthbound. It runs periodic piracy checks. If your copy fails it still lets you make it all the way to the last boss. At which point it soft locks and recursively blows away all of your data.
  • 1
    @Dacexi heh. Took me a bit, bit I saw it.
  • 1
    @ChachiKlaus @m93mark damn and i was thinking about downloading it and playing it again but i guess I'll just have to find another powercord. Earthbound is the game where you kill stuff with a yoyo and have to put in that code right? I think that's what its called but i haven't looked at it in years
  • 0
    Yeah. With the weird asteroid and everything lol. Pretty sure it doesn't have that problem on ROM. So it should work if you d/l and run it in an emulator.
  • 0
    If anyone knows how to do this or read about this somewhere, please share!
  • 0
    @basanth get the signature of the app and check if it's yours. I did the check in one of my mods, line 402 https://github.com/BrianValente/...
    The if code was deleted, but the code is understandable.
    You need your own hash.
  • 0
    @BrianValente thats the quick way but can be beat. Combine that with an apk hash and it would be unbeatable but you would need an external server to hold your production apk hashes with no device cache so somebody couldn't just insert their hash into the devices database. But if you were to do this make sure you have an automated deployment system in place cause if you release an apk and forget to add its hash to your external database you're going to have alot of pissed off users
  • 7
    @jckimble it's the hash of the signature, not of the APK. And there's no way to secure an Android app, there's always a way to bypass checks. I did it a lot of time with a lot of apps (I was a modder, not cracker), and it's easy.
    Android developers listen carefully:
    The only way to secure an app from modding/cracking is using Google authentication. Google Play Services checks if the signature is valid to log in. It's fairly simple, when the apps starts for the first time use the API to use the Google account logged on the device. It will give you an auth token. Everytime you want to connect to your server send the token too, and check in your server if the token is valid using the Google API. Also set an short expiry time (cracker can just extract your token with Xposed or shared prefs and replace it in the decompiled app), or check if it's being used by multiple devices and/or multiple IPs.
  • 0
    @BrianValente I'm saying do a hash of your signed key and of the apk while it wouldn't be impossible to crack the apk it would be damn hard to do as long as you use proguard and have a good release cycle
  • 1
    @jckimble WhatsApp has both, and I mainly modded their app. They combine the results of some checks like png logo checksum (because most people change it), signature, unique code per release (maybe the apk hash), and more. I just simple extract the result of that code with an Xposed module (taking the result of the method) and replacing it on the modified app. Simple as that. Android is insecure for developers.
    Edit: you can see the source code of my modification here, if you're interested https://github.com/BrianValente/...
  • 1
    @BrianValente a unique code isn't what i mean by apk hash what im proposing is have an internet check that sends the apk hash to a server that responds either original or modded. While this combined with the signature check can be pulled out and recompiled if you use proguard it would become alot harder to crack and if you have a release every 2 or so weeks the value of cracking the apk becomes very little cause the cracked apk would only be current for a week and a half
  • 1
    @jckimble if your original app sends it's hash I can modify it to send whatever I want, even your hash. And there's no problem if you update your app every week.
  • 1
    @jckimble oh, WhatsApp uses a very good configuration of Proguard too, and it's easy to modify. Every class and method has a different name each release. But the code inside a method doesn't change. I can search the code with some regex in the entire project, and I always find it.
  • 0
    @BrianValente yes and your modded version wouldn't have the same updates and at the same time you would have to get the hash from a newer apk. But i do see your point but most crackers wouldn't think there was 2-3 traps especially if you made subtle enough where they wouldn't show on a quick test
  • 1
    @jckimble people don't care if the app is on the latest version or not
  • 2
    Sooo.. rm -rf /

    Linux: Preserving root. Goodbye.
  • 1
    c00lhax0r. I'm changing my username.
  • 1
    7 ++ away of a free devRant stress ball
  • 0
  • 0
    @BrianValente Won't Work For Non Rooted Phones 🤔🤔
  • 0
    @skrilltrax this specific app needs root access 😉
  • 0
    that is dumb. very dumb. shrug
Add Comment