Reverse Engineering An Android Application (APK Hacking)

This document summarizes how to hack an Android app called AirAudio to remove unwanted audio beeps and licensing messages. It details extracting the APK file, disassembling the shared library file libbb.so using IDA, identifying the target functions that handle beeps and licensing, and manually patching the machine code instructions to disable these features. The patched library file is then repackaged and signed to create a new hacked APK without the original limitations.

Uploaded by hombre pocilga

Leakedforums.com [CodeCracker]

ANATOMY OF AN ANDROID APP

An APK is the format used to package and distribute Android applications. An APK file contains all of the
program's code (such as .dex and .so files), resources, assets, certificates, and the manifest file. The
interesting thing is that it is just a ZIP archive renamed with the .apk extension. To check, rename it
with a .zip extension and extract it; you will get the following files and directories:
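The point above, that an APK is a plain ZIP archive, is easy to check programmatically. The script below is an added example and not code from the original post: it builds a small APK-shaped archive in memory (the entry contents are constructed placeholders, not real AirAudio files), groups the entries into the parts the article names, and hashes every native library so that a modified .so can be spotted against a known-good digest table.

```python
"""Inspect an APK as the ZIP archive it is: list entries by category and
hash native libraries so a modified .so can be detected.

Added example; not from the original post. The archive is constructed
in memory, so every entry is a placeholder rather than a real file."""
import hashlib
import io
import zipfile


def build_sample_apk() -> bytes:
    """Construct a minimal APK-shaped ZIP in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")        # binary XML in a real APK
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)    # placeholder dex header
        zf.writestr("lib/armeabi-v7a/libbb.so", b"\x7fELF" + b"\x01" * 64)
        zf.writestr("lib/x86/libbb.so", b"\x7fELF" + b"\x02" * 64)
        zf.writestr("res/layout/main.xml", b"<LinearLayout/>")
        zf.writestr("assets/readme.txt", b"hello")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")              # placeholder PKCS#7 blob
    return buf.getvalue()


def categorize(apk_bytes: bytes) -> dict:
    """Group archive entries into the parts the article names."""
    cats = {"manifest": [], "code": [], "native_libs": [], "resources": [],
            "assets": [], "signature": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name == "AndroidManifest.xml":
                cats["manifest"].append(name)
            elif name.endswith(".dex"):
                cats["code"].append(name)
            elif name.startswith("lib/") and name.endswith(".so"):
                cats["native_libs"].append(name)
            elif name.startswith("res/") or name == "resources.arsc":
                cats["resources"].append(name)
            elif name.startswith("assets/"):
                cats["assets"].append(name)
            elif name.startswith("META-INF/"):
                cats["signature"].append(name)
            else:
                cats["other"].append(name)
    return cats


def native_lib_digests(apk_bytes: bytes) -> dict:
    """SHA-256 of every native library, keyed by its path inside the archive."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                out[name] = hashlib.sha256(zf.read(name)).hexdigest()
    return out


def find_modified_libs(expected: dict, apk_bytes: bytes) -> list:
    """Paths whose digest differs from the known-good table (or are missing)."""
    actual = native_lib_digests(apk_bytes)
    return sorted(p for p, d in expected.items() if actual.get(p) != d)


def replace_entry(apk_bytes: bytes, path: str, data: bytes) -> bytes:
    """Rebuild the archive with one entry's content swapped (used to simulate tampering)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            dst.writestr(name, data if name == path else src.read(name))
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    for cat, names in categorize(apk).items():
        print(f"{cat:12s} {names}")
    good = native_lib_digests(apk)
    tampered = replace_entry(apk, "lib/armeabi-v7a/libbb.so", b"\x7fELF" + b"\xff" * 64)
    print("modified:", find_modified_libs(good, tampered))
```

Only the native-library digests are tracked here because that is the part of the package the rest of the article changes; the same comparison works for classes.dex or any other entry.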

TOOLS

I used IDA version 6.6 (32-bit) for disassembly and HEX Editor NEO for patching.

THE TARGET
AirAudio v6.2.1 is a very powerful audio streamer for Android that can stream all audio, even
system audio, from any app to every receiver with just 1 click. This app requires a rooted phone
to hook or redirect system audio.

THE HACKING
Download the target APK file here and use WinRAR to extract the contents of the APK file to a
folder. With some hit and trial, mixed with experience and intuition, I got down to the shared
library libbb.so; this is the armeabi-v7a build (there is also an x86 version, which is not covered).
To start, fire up IDA, the world's best disassembler, click File -> Open and select libbb.so in
\lib\armeabi-v7a\. In the Load a new file dialog box select ELF for ARM if it is not auto-selected,
keep all other settings as they are and click the OK button. Analysis will start and the disassembly
will open up in a few seconds. In the Functions window scroll down to find
the Java_eu_airaudio_proxy_AudioProxy_transfer___3B subroutine.
To the right of the Functions window is the IDA View window; select the IDA View-A tab and
scroll down a few hundred more lines to find the following text:
This is the start of our target function, but it is not listed in the Functions window. To list it in the
Functions window, click on the first assembly instruction
(.text:00005120 PUSH.W {R4-R11,LR}), right-click and select Create Function.

Now you can see the function listed in the Functions window. This is our target function, and
we can remove the disabling feature which introduces annoying audio BEEPS into the audio stream
after 5 minutes of use. How I got down to the exact location to patch is a different story and would
probably require a complete book on reverse engineering to explain every detail. For now, from
the Jump drop-down menu select Jump to Address, enter address 0x52CC in the Jump
address edit box and click OK. Now we see a conditional branch instruction:
CBZ R5,loc_52E8
The annoying BEEP can be disabled if I replace the conditional branch to loc_52E8 with an
unconditional branch to loc_52E8, which means code execution will never reach address 0x52CE
and will always branch to loc_52E8, disabling the audio BEEP.

Now, the hex code for the original instruction CBZ R5,loc_52E8 is 0x65 0xB1. I need to replace this
instruction with B loc_52E8, which is an unconditional branch to loc_52E8. We know it is the
assembler or compiler that generates machine code from source code, but here I will have to
hand-code the replacement instruction and calculate the branch offset. According to the
documentation for the THUMB instruction set, the first 5 bits (11100b) decode to the unconditional
branch opcode, and the remaining 11 bits (00000001100b) decode to Offset11, so the byte code for the
instruction B loc_52E8 translates to 0x0C 0xE0. To patch the lib file, open it in a suitable hex
editor (I used HEX Editor NEO), go to location 0x52CC and replace the hex bytes 65 B1 with 0C
E0, save the file and you are done.

Well, this much takes care of the BEEPS, but you will still see the "not licensed" message when
connecting to a receiver, so next I will disable it to make it look as if it is licensed. In the Functions
window select sub_47EC.
Replace the first instruction of the subroutine with BX LR; this effectively converts the subroutine
into a null sub which just returns without doing anything, which takes care of the licensing part.
With the file opened in the hex editor go to address 0x47EC and replace the hex bytes 31 49 with 70
47, then save the file to finish. Now we are done patching and will replace the original file with the
patched file in the \lib\armeabi-v7a\ directory. Finally, use WinRAR to repackage the files into a ZIP
file; after the ZIP file is created, change the extension from .zip to .apk and use signapk.jar to sign
the APK. Now you have an installable APK which is 100% functional.
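The two patches above rest on the 16-bit Thumb encodings of CBZ, B and BX, and the branch offset is computed relative to PC = instruction address + 4. The script below is an added example, not code from the original post or from IDA, that decodes the halfwords the article quotes and hand-assembles the replacements the way the text describes, so each claimed byte pair can be checked against the published Thumb encoding rules. Halfwords are stored little-endian in the file, so the bytes 65 B1 are the halfword 0xB165; the LDR decoding of the original bytes 31 49 at 0x47EC follows the same rules but is not something the article states.

```python
"""Decode and encode the 16-bit Thumb instructions discussed in the article,
to check the hand-assembled bytes against the ARM Thumb encoding rules.

Added example; not code from the original post. Bit layouts follow the
ARM Architecture Reference Manual (Thumb T1/T2 16-bit encodings)."""
import struct


def hw_from_bytes(b: bytes) -> int:
    """Little-endian 16-bit halfword from two file bytes (65 B1 -> 0xB165)."""
    return struct.unpack("<H", b)[0]


def bytes_from_hw(hw: int) -> bytes:
    """Halfword back to the two bytes as they appear in the file."""
    return struct.pack("<H", hw)


def decode16(hw: int, addr: int) -> str:
    """Decode the handful of 16-bit Thumb forms used here.
    Branch targets are relative to PC = addr + 4 (Thumb pipeline offset)."""
    pc = addr + 4
    # CBZ/CBNZ (T1): 1011 op 0 i 1 imm5 Rn, byte offset = i:imm5:0 (forward only)
    if (hw & 0xF500) == 0xB100:
        op = (hw >> 11) & 1
        i = (hw >> 9) & 1
        imm5 = (hw >> 3) & 0x1F
        rn = hw & 7
        target = pc + ((i << 6) | (imm5 << 1))
        return f"{'CBNZ' if op else 'CBZ'} R{rn},loc_{target:X}"
    # B unconditional (T2): 11100 imm11, byte offset = SignExtend(imm11:0)
    if (hw & 0xF800) == 0xE000:
        off = (hw & 0x7FF) << 1
        if off & 0x800:                 # sign bit of the 12-bit offset
            off -= 0x1000
        return f"B loc_{pc + off:X}"
    # BX Rm (T1): 010001110 Rm(4) 000
    if (hw & 0xFF87) == 0x4700:
        rm = (hw >> 3) & 0xF
        return f"BX {'LR' if rm == 14 else 'R%d' % rm}"
    # LDR Rt,[PC,#imm8*4] literal (T1): 01001 Rt imm8
    if (hw & 0xF800) == 0x4800:
        rt = (hw >> 8) & 7
        return f"LDR R{rt},[PC,#0x{(hw & 0xFF) * 4:X}]"
    return f"<unhandled 0x{hw:04X}>"


def encode_b(addr: int, target: int) -> bytes:
    """Hand-assemble a 16-bit unconditional B from addr to target."""
    off = target - (addr + 4)
    if off & 1 or not -2048 <= off <= 2046:
        raise ValueError("target not reachable with a 16-bit B")
    return bytes_from_hw(0xE000 | ((off >> 1) & 0x7FF))


def encode_bx_lr() -> bytes:
    """BX LR: opcode 0x4700 with Rm = 14 in bits 6..3."""
    return bytes_from_hw(0x4700 | (14 << 3))


if __name__ == "__main__":
    # The two sites named in the article, before and after.
    for addr, before, after in ((0x52CC, b"\x65\xb1", b"\x0c\xe0"),
                                (0x47EC, b"\x31\x49", b"\x70\x47")):
        print(f"{addr:05X}: {decode16(hw_from_bytes(before), addr):24s}"
              f"-> {decode16(hw_from_bytes(after), addr)}")
    print("B loc_52E8 assembles to", encode_b(0x52CC, 0x52E8).hex(" "))
    print("BX LR assembles to", encode_bx_lr().hex(" "))
```

Decoding 0x0C 0xE0 yields imm11 = 12, i.e. a byte offset of 24 from 0x52D0, which is exactly the distance to loc_52E8; the range check in encode_b is what tells you when a target is too far for the 16-bit form and a 32-bit B would be needed instead.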
