[HOW TO] Patching apps

[HOW TO] patching self aware cracking much wow

3 replies to this topic

#1 ttwj (Certified Troll, 389 posts)

Posted 26 March 2013 - 08:12 AM

edit: can some mod move this into the tutorials section? I can't start a topic there.
 
More and more apps are beginning to implement anti-piracy methods and have managed to circumvent protections such as Overdrive.
Patching iOS apps for noobs

be leet in 10 minutes! (not really)


Brought to you by Kim Jong Cracks

Requirements:
- IDA Pro (Trial/Legit)
- Hex Editor (I'm using 0xED on Mac for this)
- Basic knowledge of assembly
- Knowledge on how to create simple MobileSubstrate tweaks
- Swag and luck

This tutorial is heavily based on THIS ONE Also, DOWNLOAD PDF TUTORIAL HERE

Getting Started
We shall be patching SpellChecker by Enfour Inc, which is notorious for its protection.
You can download the binary here (https://dl.dropbox.c...40/SpellChecker); unpatched IPAs are available on apptrackr, grab them before they are removed!

First, open the app in IDA and remember to choose the correct processor type. Choose the armv6 portion as it's easier to patch (we'll discuss armv7 portions in another part).
armv7 may use some functions whose opcodes are more complicated, so I suggest you thin your binary using lipo and just play with the armv6 portion.


Parse obj-c methods and let IDA load the binary.

I've created a MobileSubstrate tweak that hooks onto the logging system the app uses to find out where the protection is.
Oct 27 18:19:23 ttwj-iPad SpellChecker[16062]: logevent: CAUGHT_IT, params {THIS = TOOT;}
Oct 27 18:19:23 ttwj-iPad SpellChecker[16062]: filemanager: /var/mobile/Applications/A2EA3A60-46DC-4D59-B209-1C78C23819C2/Library/flurryStored1158494424.archive
Oct 27 18:19:23 Terence-Tans-iPad SpellChecker[16062]: logevent: CAUGHT_IT, params {THIS = "NO_INFO";}
Oct 27 18:19:23 ttwj-iPad SpellChecker[16062]: filemanager: /var/mobile/Applications/A2EA3A60-46DC-4D59-B209-1C78C23819C2/SpellChecker.app/_CodeSignature
Oct 27 18:19:23 ttwj-iPad SpellChecker[16062]: logevent: CAUGHT_IT, params {THIS = SIG;}
So, we now search for CAUGHT_IT in IDA.
Next, we go to the first occurrence where THIS = TOOT was logged.
The first segment checks some stuff about the bundle but that doesn't matter. The last 2 lines are CMP R0, #0xA and BGT loc_2B28.

CMP R0, #0xA compares the two variables, so we need to patch it to CMP R0, R0 so that it will always be true.
BGT loc_2B28 checks if R0 is greater than #0x1A and jumps to loc_2B28 if it's true. We need to patch that to BEQ loc_2B28 so it will skip the part where the protection kicks in.

Patching
Now we need to find the ARM opcode and patch it in our hex editor.
Highlight the line we want to patch and hit the Hex-View-A button.
The opcode for CMP R0, #0x2A is 0A 28, so we need to patch that to the opcode of CMP R0, R0.

Here we have a list of the opcodes for the corresponding instructions
So we need to patch that to 80 42.

We need to find the offset of the opcode. Copy the offset located on the left and search for it in your hex editor

Highlight the opcode we want to patch and paste the new opcode, in this case, 80 42

Congratulations you have patched a part of the app! But wait, there's more! We need to patch the opcode of BGT loc_2B28 (1D 1C) to BEQ loc_2B28 (1D D0)

Repeat the steps to find the offset, select the opcode in the hex editor and paste the new opcode.

Save the file and you have successfully patched an app! However, most apps come with multiple protections so you'll have to patch each one of them!

Final
Copy the patched binary to your device and run ldone -s <binary>

This tutorial only covers basic ways to patch an app, I highly suggest you read up more HERE


Brought to you by Kim Jong Cracks
much donate: DSxuZV9E1ZDGDKfxFLNLhpCbQFdzNxBGKU
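As an added example (not from the post or its author), here is a small Python decoder for the three Thumb-16 encodings the post works with (CMP Rn, #imm8; CMP Rn, Rm; B<cond>), together with a helper an analyst can use to list which instructions differ between a known-good build and a suspect copy of the same code region. The sample bytes are constructed from the post's CMP/BGT pair and the base address is made up; note that BGT with displacement byte 1D encodes as 1D DC (cond field 0xC), which the decoder shows.

```python
from typing import List, Tuple

# Condition-code mnemonics for B<cond> (Thumb encoding T1), indexed by the 4-bit
# cond field; 0xE (undefined) and 0xF (SVC) are not conditional branches.
COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
        "HI", "LS", "GE", "LT", "GT", "LE"]


def decode_thumb16(lo: int, hi: int) -> str:
    """Decode one 16-bit Thumb instruction given as its two little-endian bytes.
    Only the three encodings the post patches are recognised; anything else is
    reported as a raw halfword."""
    w = lo | (hi << 8)
    if w >> 11 == 0b00101:                           # CMP Rn, #imm8 : 0010 1nnn iiii iiii
        return f"CMP R{(w >> 8) & 7}, #{w & 0xFF:#x}"
    if w >> 6 == 0b0100001010:                       # CMP Rn, Rm    : 0100 0010 10mm mnnn
        return f"CMP R{w & 7}, R{(w >> 3) & 7}"
    if w >> 12 == 0b1101 and (w >> 8) & 0xF < 0xE:   # B<cond> imm8  : 1101 cccc iiii iiii
        imm8 = w & 0xFF
        disp = (imm8 - 0x100 if imm8 & 0x80 else imm8) * 2   # sign-extended, halfwords
        return f"B{COND[(w >> 8) & 0xF]} pc{disp + 4:+#x}"    # Thumb PC reads as addr+4
    return f".short {w:#06x}"


def altered_instructions(original: bytes, suspect: bytes,
                         base: int = 0) -> List[Tuple[int, str, str]]:
    """Compare two equal-length code regions halfword by halfword and return
    (address, before, after) for every instruction whose bytes differ."""
    if len(original) != len(suspect) or len(original) % 2:
        raise ValueError("regions must be the same even length")
    changes = []
    for off in range(0, len(original), 2):
        a, b = original[off:off + 2], suspect[off:off + 2]
        if a != b:
            changes.append((base + off, decode_thumb16(*a), decode_thumb16(*b)))
    return changes


# Constructed sample: the CMP/BGT pair as the post describes it, and the same
# bytes after the described patch. The base address is made up, not from the binary.
ORIGINAL = bytes.fromhex("0A28" "1DDC")   # CMP R0, #0xA ; BGT pc+0x3e
PATCHED = bytes.fromhex("8042" "1DD0")    # CMP R0, R0   ; BEQ pc+0x3e
SAMPLE_BASE = 0x1000

if __name__ == "__main__":
    for addr, before, after in altered_instructions(ORIGINAL, PATCHED, SAMPLE_BASE):
        print(f"{addr:#06x}: {before:<14} -> {after}")
```

A check that reduces to one CMP/B<cond> pair is undone by changing four bytes, which is why verifying the integrity of the code pages (the _CodeSignature the app's own log shows it inspecting) rather than a single comparison is what a defender has to rely on.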
#2 uhrcracker (Advanced Member, 33 posts)

Posted 26 March 2013 - 10:34 AM

Can you have a look @Whatsapp Beta?

http://www.appaddict...eded/#entry1891

#3 iEvOKinG (82 posts)

Posted 28 March 2013 - 06:49 PM

Moved to Tutorial.

#4 DblD (Such admin, 3,326 posts, Location: Valve Corporation)

Posted 17 July 2013 - 10:56 PM

Can you show me that MS tweak for logging app activity? I am a fan of reverse engineering things :)


Such Admin! I toss in a few high quality cracks here and there.

Check out my github website: http://crackengine.github.io/
Wanna donate me some cryptocurrency?
BTC: 17qEMPD6oX9HLX4gmeWtgUWMmhPPcFXVj8

DOGE: DJQYzwQdGPQDzDh9VCUgpu1mkM6JG6V2Cf