7 December 2017

Archive - Reverse engineering and removing Pokémon GO’s certificate pinning in IDA Pro

I have got some requests about bypassing certificate pinning but never got time to look into it. Here is the old guide by eaton-works explaining how to bypass Pokémon GO's certificate pinning in IDA Pro. Hope it helps :)

Original source:
https://eaton-works.com/2016/07/31/reverse-engineering-and-removing-pokemon-gos-certificate-pinning/

Archived page in case the website is down or dead:
https://web.archive.org/web/20171207174207/https://eaton-works.com/2016/07/31/reverse-engineering-and-removing-pokemon-gos-certificate-pinning/

--------------------------------------------------------------------------------------------------------------------------
What is certificate pinning?
Put simply, it is Pokémon GO performing additional validation against the certificate provided by the server. Pokémon GO expects the Niantic Labs certificate, but when you MITM with Fiddler, Pokémon GO sees Fiddler’s certificate. Pokémon GO detects this and aborts the connection before any data is sent to the server.
If you are interested in reading more about this in more detail, this page has a great explanation.

Has Pokémon GO always had certificate pinning?
On July 30th, 2016, version 0.31.0 of Pokémon GO was released. This is the second update for the game. The base game and the first update did not have certificate pinning. I was a little surprised that certificate pinning was not implemented from the beginning. However, once it was added, it was easily noticeable in Fiddler with all the failed CONNECTs.



And an error in Pokémon GO itself, even though the network and account are both fine.


Based on those observations, coupled with the fact that Fiddler worked fine on the previous version of Pokémon GO, there is a very high chance certificate pinning is now implemented in version 0.31.0.

Do I need root access?
You do not need root access! This method works on both rooted and non-rooted devices.

Will I be banned if I do this?
No bans were encountered during testing on version 0.31.0, but this can easily change in a future version. It is recommended you use a throwaway account when you need to MITM, just in case there are any custom/secret APK modification checks.

If you log in using Google…
Due to an Android security feature, you may be unable to log in to Pokémon GO using your Google account with a patched APK.

Reverse engineering the certificate pinning

Note: These steps are only valid for Pokémon GO version 0.31.0.

If you aren’t interested in learning how this was done and just want to patch your APK, scroll down to “Patching the APK”.
Pokémon GO obviously must have the entire leaf, intermediate, or root certificate or at least the public key to validate against somewhere in the APK, likely in a file that contains code. The first thing I tried was searching for the leaf certificate’s public key. To get that, I went to the Niantic Labs website and examined its leaf certificate using Chrome.


Let’s extract the APK and use a hex editor to do a byte sequence search in the files that contain code to find the public key.
classes.dex? Nope.
lib\armeabi-v7a\libmain.so? Nope.
lib\armeabi-v7a\libNianticLabsPlugin.so? 
DING!


One instance found for the public key. This definitely looks like a copy of the Niantic Labs leaf certificate.
This is an .so (shared object) file, which is full of native code. This is where things get more complicated. I’m going to be using IDA Pro version 6.9 to dig into this file. There are other disassemblers out there that can do the job, but IDA Pro is my tool of choice.
The fun begins.


Let’s search for that same sequence of public key bytes.
There is one instance, as expected. Scrolling up a bit eventually reveals a function that references the entire leaf certificate.


Let’s go into sub_A9BE4. Conveniently, the compiler has left a string at the top that identifies this function.


After a little research on Google, I discovered that NianticTrustManager is basically Niantic’s customized X509TrustManager, and they have chosen to override the default GetAcceptedIssuers method. By overriding it, they, according to Java documentation, have the option to “Return an array of certificate authority certificates which are trusted for authenticating peers.”
Let’s see if there is anything interesting in this function.


I’ve spent enough time reverse engineering to know that a memcmp (compare two blocks of memory) and a “Rejected” string appearing in the same function is definitely something worth investigating. unk_1E2584 is the embedded Niantic Labs leaf certificate, so this function must be comparing it against another certificate. In this case, the other certificate is the Fiddler certificate. Looking at the flow of the assembly, we can NOP (no-operation) that branch below the memcmp and it will eliminate the possibility of getting to that “Rejected” block because of a memcmp failure. A NOP opcode in ARM is 0x00BF, so let’s patch that in and see what the function looks like.


As you can see, our NOP is in place and there is no chance of getting to that “Rejected” block anymore.
One more patch is needed. Before the memcmp, the function is checking the server certificate’s length. It is making sure the server certificate is 0x5FF in length. The Niantic Labs leaf certificate is that long, but Fiddler’s is not. Unfortunately, the flow of the assembly does not allow us to NOP this branch. Right now, it is a BEQ, which, in this context, means “branch if the server certificate’s length is equal to 0x5FF.” Let’s change that to just a B, which is an unconditional branch, meaning it will always branch to a specified location. This will eliminate the possibility of getting to that “Rejected” block because of a length mismatch. To change this BEQ to a B, all we need to do is to update the opcode from 0x14D0 to 0x14E0.
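To make the two checks concrete, here is an added C example (not code from the write-up, and not Niantic's code) of the pin logic as described above: a length test followed by a memcmp against an embedded leaf certificate. The pinned bytes are a constructed placeholder; the real certificate is 0x5FF bytes of DER.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the pin check. The disassembly described above has two
 * separate routes into the "Rejected" block: a length mismatch (the BEQ
 * before the memcmp) and a content mismatch (the branch after it). */
typedef enum {
    PIN_ACCEPTED,
    PIN_REJECTED_LENGTH,
    PIN_REJECTED_MISMATCH
} pin_result_t;

/* Constructed stand-in for the embedded leaf certificate (unk_1E2584 in the
 * write-up). The real one is 0x5FF bytes of DER; these 16 bytes are a
 * placeholder so the example runs offline. */
static const uint8_t PINNED_LEAF_CERT[] = {
    0x30, 0x82, 0x05, 0xFB, 0x30, 0x82, 0x04, 0xE3,
    0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x42
};
#define PINNED_LEAF_LEN (sizeof PINNED_LEAF_CERT)

/* Compare the certificate the server presented with the pinned copy.
 * The length check is not redundant: without it a shorter buffer would be
 * read past its end by memcmp, and with it alone any same-sized
 * certificate would pass. Both tests must succeed. */
pin_result_t check_leaf_pin(const uint8_t *server_cert, size_t server_len)
{
    if (server_len != PINNED_LEAF_LEN)
        return PIN_REJECTED_LENGTH;
    if (memcmp(server_cert, PINNED_LEAF_CERT, PINNED_LEAF_LEN) != 0)
        return PIN_REJECTED_MISMATCH;
    return PIN_ACCEPTED;
}

const char *pin_result_name(pin_result_t r)
{
    switch (r) {
    case PIN_ACCEPTED:          return "Accepted";
    case PIN_REJECTED_LENGTH:   return "Rejected (length mismatch)";
    case PIN_REJECTED_MISMATCH: return "Rejected (content mismatch)";
    }
    return "Rejected (unknown)";
}

/* A proxy certificate of a different size, like Fiddler's, fails the
 * length check before memcmp is ever reached. Constructed bytes. */
pin_result_t demo_proxy_cert(void)
{
    const uint8_t proxy_cert[] = { 0x30, 0x82, 0x03, 0x11, 0x30, 0x82, 0x01, 0xF9 };
    return check_leaf_pin(proxy_cert, sizeof proxy_cert);
}

/* Same length as the pinned certificate but one byte differs: the length
 * check passes and memcmp is what rejects it. */
pin_result_t demo_same_length_cert(void)
{
    uint8_t altered[PINNED_LEAF_LEN];
    memcpy(altered, PINNED_LEAF_CERT, PINNED_LEAF_LEN);
    altered[PINNED_LEAF_LEN - 1] ^= 0x01;
    return check_leaf_pin(altered, sizeof altered);
}

int main(void)
{
    printf("genuine cert:     %s\n", pin_result_name(check_leaf_pin(PINNED_LEAF_CERT, PINNED_LEAF_LEN)));
    printf("proxy cert:       %s\n", pin_result_name(demo_proxy_cert()));
    printf("same-length cert: %s\n", pin_result_name(demo_same_length_cert()));
    return 0;
}
```

Because the pin is the whole leaf certificate rather than its public key, any rotation of the server certificate requires a client update.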


Looks good! There are a few more possibilities of getting to that “Rejected” block, but let’s test this out before we worry about them.
Patching the APK
Note: These steps are only valid for Pokémon GO version 0.31.0.
Open libNianticLabsPlugin.so using a hex editor, or use IDA Pro’s Edit->Patch program menu functions to do the following:
  1. Go to offset 0xA9C76 and change 14 D0 to 14 E0. If you do not see 14 D0, you might be looking at the wrong file, or are looking at the wrong version of Pokémon GO.
  2. Go to offset 0xA9CB0 and change E2 D1 to 00 BF. If you do not see E2 D1, you might be looking at the wrong file, or are looking at the wrong version of Pokémon GO.
  3. Save the changes and close the hex editor.
  4. Replace the old libNianticLabsPlugin.so file in the APK with the patched one. You can do this using any program that can open zip files – an APK is basically a zip file.
  5. Sign the APK using your tool of choice or ZipSigner in the Google Play store.
  6. Uninstall Pokémon GO on your device if it is installed and then install the patched APK, ignoring the unknown sources warnings.
If everything was done correctly, you will be able to see the HTTPS requests in Fiddler, and Pokémon GO will function without displaying any error messages.



Does this work on iPhone?
You need a jailbroken iPhone to modify apps. Thanks to reddit user Mila432, we know that the function is very similar and can be patched the same way.



6 December 2017

IDA Pro - Don't forget to search function name in Exports window

There are more function names to find in the Exports window. Some names are shown in both windows. If you can't see the Exports window, click View -> Open subviews -> Exports.
Enjoy!

5 December 2017

SNES ROM assembly in libil2cpp.so file!?!?!?

Hahahaha, I have no idea why il2cpp has SNES ROM assembly. Isn't it an easter egg? Anyone know?


4 December 2017

APK Easy Tool v1.41 for Windows (GUI apktool) (1 dec 2017)


Note: Some business anti-virus products are detecting this tool as malware, but they are false positives. Don't worry about it, because I don't make malware, I don't like destroying someone's life, and we never use any business anti-virus.
See virustotal for more info: 
https://www.virustotal.com/#/file/ea9579dfc7cd17a524b6f325d6faed73538ba1a6f1c420cd7fba76c5e7b01805/detection

Requirements:
Windows 7 or newer (This tool will not work for Windows XP)
.NET Framework 4.5.2 or newer
Java SE/JDK is required for decompile, compile, and sign APK. If you don't have Java installed, you can only use Zipalign or Install APK. Download and install Java SE/JDK now

Features:
7z Compression-level 0-9
APK information with icon by aapt dump badging
Background workers to get rid of lags
Remember window position (SHIFT + Q to reset window position)
Advanced log viewer, with .txt file selection
Extract APK / Zip APK
Switch between apksigner.jar by Google and signapk.jar by bootstraponline
Quick help
Full environment path support
Adb process kill
Apktool.jar version selections
Decompile APK
Compile APK
Sign APK after compile
Sign selected APK (It will clone the selected APK, and sign it)
Sign compiled APK (If you forgot to sign your compiled APK, you can sign it)
SignAPK (signapk.jar v1.0)
Remember path when closed (config will reset if EXE file was moved somewhere else)
Framework installer (uses apktool.jar's commands)
Logs tab
Drag and drop file support
Full options of decompile and compile
Cancel button in waiting dialog box
Clear logs when exit
Allow path changes in textbox
Java heap option. Default 512m
ZipAlign
Options to rename the apk file
Options to select apktool version.
Tooltips
Enable/Disable check for updates
Enable/Disable tips and ToolTips
and more...

How to use:
1. Download the .msi or zip file.
2. If you download the .msi, open it and simply install it. If you download the portable .zip version, extract it to the drive you like.
3. Launch APK Easy Tool; directories are automatically set.
4. Select the APK file you want to work with or drop the APK to perform an action.
5. Do some work and good luck.

You do not need to select APK and set the directory if you do drag and drop actions.

Frameworks are for ROM developers and system app modders only

It works the same way as the command line version

DOWNLOAD LINKS:
Users download link

(For people who live in China and can't access any of the websites above)

Credits:
Evildog1 (Creator of this tool)
ibotpeaches (Creator of apktool.jar)
Google (adb, aapt, apksigner and zipalign)
bootstraponline (signapk)
Igor Pavlov (7zip)

Donate:
If you support me, feel free to donate 

Changelogs:
1.41 (2017-12-01)
- Added News tab. It requires an internet connection
- Added options to change path of signing keys .pem and .pk8
- Added donation button
- Added Full APK Information.
- Added options to select your own .pk8 and .pem file for signing
- Improved apktool version check.
- Fixed wrong directory when the program auto create them
- Removed changelogs from the tool. You can see them in news and online
- Removed WS_EX_COMPOSITED to get rid of some UI glitches. Weird UI drawing may occur but looks cool for me :).
- Changed transparent BackColor to white to improve UI performance a bit
- .NET framework target is 4.6
- Some UI changes
- Some fixes

More changelogs:



25 November 2017

Video - Hacking Unity3D using Cheat engine and mod using Hex editor

This video shows you a complicated way to mod Unity games: how to test the modified hex using Cheat Engine, then mod it using a hex editor after testing.





Resources - GetSignature tools

GetApkSignInfo.jar
Usage: java -jar GetApkSignInfo.jar <apk|jar>
Screenshot:

GetAndroidSig.jar (old)
Usage: java -jar GetAndroidSig.jar <apk/jar>
Screenshot:
 

17 November 2017

This is how iOS apps/games detect jailbreak and tampering

Any app/game can have the ability to detect something, even in sandbox mode.

Well done Apple lol

15 November 2017

Last Day On Earth - Replace/swap savegame using Fiddler2

After update 1.6.8, my savedata got corrupted, which caused the game to get stuck on the loading screen. I reinstalled the game, still stuck. I had no choice but to erase my savegame using Fiddler2, because there is no way to erase a savegame that was logged in with my Google account, and contacting support would take a long time. I found out that you can swap savegames using restore. Check out the video.

Note: I only hack my own savegame with the generated savegames. I don't hack others' and I don't have access to see the ID list.

Anyone interested?



11 November 2017

Fake bug - How to remove fake crash in .dll file (Unity games)


Application.Quit() is the common code used to troll and confuse modders, stopping them from modding the game. There are still other ways to create fake crashes outside Unity code.

In dnSpy or Reflector, search for "Quit", and Analyze Quit of UnityEngine.Application

Find the suspicious method that calls the Application.Quit() method


Simply remove the code Application.Quit(); and that's all.

10 November 2017

How to protect your binary/SO file using CPAntiDumper


Note: This will not prevent IDA Pro from disassembling

CPAntiDumper, created by Caoyin, is a tool that obfuscates binary files and .dylibs and prevents others from dumping offsets. It supports ARMv7 and ARM64 iOS binaries and Android ARM binaries. ARM THUMB and x86 are currently not supported.


How to use:
For ease of use, DiDA has included a CPAD.bat file inside the download link below, which simplifies the whole process: simply drag your binary file onto the .bat file and read the on-screen instructions. Of course, you can modify the .bat to your liking. You will also need to edit it to add the location of cpad.exe on your computer. Example usage of the CPAD.bat file:

NOTE: CPAD is only a Windows tool but will likely work on other operating systems with Wine, since it's a simple CLI.

If you would like to run CPAD using cmd, you can do so using this command:
cpad.exe BINARYFILENAME VALUE ARCH

iOS Examples:
cpad.exe baba 15000 arm64
cpad.exe iosfps 25000 armv7

Android Example:
cpad.exe libmarvel.so 2000 elfarmv7

Once you run the command, CPAD will analyze the binary and start obfuscating it, thus preventing binary comparison.

Once CPAD completes the process, it will generate 2 new files: BINARYNAME(.so)obf and BINARYNAME.txt

BINARYNAME(.so)obf will be the obfuscated binary file you will need to use. Rename the file and place it back into your IPA/APK and test/share your hack.

BINARYNAME(.so).txt will be the file that contains all the writeData instructions for you to implement inside your Tweak.xm. The most effective way to integrate all the writeDatas from the .txt into your Tweak.xm is by placing your real writeData in a random place amongst all the other CPAD writeDatas. So if someone tries to dump your offsets, they will have to go through <YOURVALUE> (20,000, for example) other writeDatas. This is only for iOS .deb hacks.

Example:
vm_writeData(0x100673DC0,0xC0033FD6); // writeData Generated by CPAD
vm_writeData(0x100A969D8,0x2100014A); // writeData Generated by CPAD
vm_writeData(0x100A969DC,0x420002CB); // writeData Generated by CPAD
vm_writeData(0x100A969E4,0x210001CB); // writeData Generated by CPAD
vm_writeData(0x10051EBF8,0xE00300AA); // writeData Generated by CPAD
vm_writeData(0x100114DF8,0x12345678); // Your Real Offset!
vm_writeData(0x10051EC44,0x000000CB); // writeData Generated by CPAD
vm_writeData(0x10051EC4C,0x840004CB); // writeData Generated by CPAD
vm_writeData(0x10051EC6C,0xC0033FD6); // writeData Generated by CPAD
vm_writeData(0x10051EC74,0xE20302AA); // writeData Generated by CPAD
vm_writeData(0x10051EC88,0xE10301AA); // writeData Generated by CPAD
Remember! You can go crazy with your value by entering 100000 into CPAD, which will make it super secure but will likely take a lot of time depending on your computer.

NOTE: For CPAD to be more efficient, use it AFTER you have modded your binary.


Credits: DiDA and Caoyin - iOSGods.com

9 November 2017

ARM basics cheatsheet

7 November 2017

We don't need Il2CppDumper for Metadata version 24

On Il2Cpp games with metadata version 24, the method names are no longer stripped, so we don't need to use Il2CppDumper.

To check metadata version, check this tutorial:
http://www.iandrohacker.net/2017/10/how-to-check-il2cpp-metadata-version.html

Enjoy modding il2cpp games!

How to bypass signature check in smali (Client-sided bypassing)


Bypassing a client-side signature check is super easy and can be done in many ways.

In this tutorial, I will show you how to bypass "Not a genuine copy" in TAP SPORTS BASEBALL 2016.

You need Notepad++ and apktool. You can use APK Easy Tool.

Decompile the APK file.

Open Notepad++, click Search -> Find in files… . Select the directory to search and search for "not a genuine copy".


Here is the result. We only look for name="invalid_signature", which is used by the smali code. Search for invalid_signature.


Find the const-string v that is using the invalid_signature string, like:
const-string v3, "string/invalid_signature", as seen below.


Replace const/4 v4, 0x0 with const/4 v4, 0x1 so it returns true. The game will pass the signature check and let you play.


That's all, the game will launch.

My next step is to bypass the server-side signature check that makes the game get stuck on the loading screen, yep, another fake bug that I will look into.

About bypassing the server-side signature check: it requires you to spoof the signature hash by putting the original hash in smali or keeping the original signature (we call it unsigned). The server needs at least one original signature hash that matches the server-side signature hash to let you play. Giving the server a wrong signature hash, such as a blank string, a hash from testkeys, "null", "don't ban me please", etc. won't let you play the game online.

Credit: iAndroHacker 

You can check information about spoofing the signature hash.




5 November 2017

APK Easy Tool v1.40 for Windows (GUI apktool) (5 nov 2017)


Good news: I have fixed the false positives and now only 1 business anti-virus detects this tool as malware. Nobody here uses SentinelOne, only companies use it. Virustotal:

Requirements:
Windows Vista or newer (This tool will not work for Windows XP)
.NET Framework 4.5.2 or newer
Java SE/JDK is required for decompile, compile, and sign APK. If you don't have Java installed, you can only use Zipalign or Install APK. Download and install Java SE/JDK now

Features:
7z Compression-level 0-9
APK information with icon by aapt dump badging
Background workers to get rid of lags
Remember window position (SHIFT + Q to reset window position)
Advanced log viewer, with .txt file selection
Extract APK / Zip APK
Switch between apksigner.jar by Google and signapk.jar by bootstraponline
Quick help
Full environment path support
Adb process kill
Apktool.jar version selections
Decompile APK
Compile APK
Sign APK after compile
Sign selected APK (It will clone the selected APK, and sign it)
Sign compiled APK (If you forgot to sign your compiled APK, you can sign it)
SignAPK (signapk.jar v1.0)
Remember path when closed (config will reset if EXE file was moved somewhere else)
Framework installer (uses apktool.jar's commands)
Logs tab
Drag and drop file support
Full options of decompile and compile
Cancel button in waiting dialog box
Clear logs when exit
Allow path changes in textbox
Java heap option. Default 512m
ZipAlign
Options to rename the apk file
Options to select apktool version.
Tooltips
Enable/Disable check for updates
Enable/Disable tips and ToolTips
and more...

How to use:
1. Download the .msi or zip file.
2. If you download the .msi, open it and simply install it. If you download the portable .zip version, extract it to the drive you like.
3. Launch APK Easy Tool; directories are automatically set.
4. Select the APK file you want to work with or drop the APK to perform an action.
5. Do some work and good luck.

You do not need to select APK and set the directory if you do drag and drop actions.

Frameworks are for ROM developers and system app modders only

It works the same way as the command line version
(For people who live in China and can't access any of the websites above)

Credits:
Evildog1 (Creator of this tool)
ibotpeaches (Creator of apktool.jar)
Google (adb, aapt, apksigner and zipalign)
bootstraponline (signapk)
Igor Pavlov (7zip)

Changelogs:
1.40 (2017-11-05)
- Added package information with icon. Icon cache is stored at %AppData%\Local\Temp\AET and it's automatically cleared
- Added copy to clipboard on package name. Just click on package name to copy to clipboard.
- Added extract/zip APK button with drag and drop support. (Requested)
- Added an option to remember window position. Useful for multiple monitors. Press SHIFT + Q to reset position if window is out of screen. (Requested)
- Added 7zip binary to extract / zip files. Why? Because it's faster and better than the crappy .NET version.
- Added background workers to remove lags.
- Added framework file counter to check how many frameworks are installed
- Added "copy" context menu on Logs fields. Select the text, right click and click "copy" to copy to clipboard
- Added option to enable dumping APK information using aapt.
- Added option to change extracted APK / zipped APK
- Added apksigner.jar for Java 9 and an option to switch between apksigner and signapk
- Options to change path are moved to Options.
- False positives fixed. Business and crappy unpopular anti-virus products that nobody uses still detect this tool as malware
- Update check improved.
- Updated adb to 1.0.39, and aapt and zipalign to 27.0.0 (SDK 27) (Android 8.1.0)
- Re-written CMD arguments code from scratch. Signing issue aka 0 KB should be gone forever
- Zipalign verbose output disabled by default.
- New logo font
- New waiting UI.
- Improved UI.
- Improved checks.
- Implemented log system. It will create log files every day and it will continue to load/save logs if the file is created and the date still matches.
- Removed exe downloader.
- Removed Kill adb button. It is not necessary.
- Removed "setup directories for me" button. The program automatically creates directories if they are not set.
- German (üöä), danish (æøå) and some other foreign characters are supported. Chinese, japanese, etc are ONLY supported IF system locale is correctly set. See more: https://www.top-password.com/blog/tag/change-system-locale-windows-command-line/
- Unchecking "Sign APK after compile" no longer unchecks and greys out "Install APK after compile". Now you can install unsigned APKs, for rooted devices only.
- Checking "Keep original signature" no longer unchecks "Install APK after compile" and disables "Zipalign"
- Fixed tab orders
- Drag and drop APK on framework install button is now supported
- Java heap size is 1024 MB by default

More changelogs:

Screenshots:

 



3 November 2017

Java JDK 9 no longer support signapk.jar

I was about to release APK Easy Tool 1.40 today, but I found out that signapk.jar no longer works on Java JDK 9; it causes a Base64 error. It only supports Java 8 and older. The developer of signapk recommended using Google's apksigner instead.

In APK Easy Tool 1.40, there will be an option to switch between signapk.jar for Java 8 and below and apksigner.jar for Java 9 and other Java versions.

Stay tuned!

2 November 2017

How to fix Lucky Patcher root problem on Memu emulator


In Memu 3.x.x.x, it is running a KitKat ROM by default, but there is a bug in libdvm.so (the Dalvik runtime) that causes Lucky Patcher not to work correctly. In logcat, I found a libdvm.so error. There are no clear details about libdvm.so errors:

10-30 20:51:40.800 I/System.out( 6175): CANNOT LINK EXECUTABLE: could not load library "libdvm.so" needed by "/data/data/com.android.vending.billing.InAppBillingService.CLON/files/dalvikvm"; caused by "libdvm.so" has unexpected e_machine: 3

I have contacted both developers of Lucky Patcher and Memu but I have not got any response from them.

So what do I do now? How do I fix the problem?

There is no fix yet, but luckily there is a workaround. Lucky Patcher works on a Lollipop ROM, so let's install it.

Open Multiple Instance Manager (Multi-MEmu shortcut on your desktop)

Create an Android 5.1 ROM

 

Android 5.1 will be created. Start it.


Visit https://lucky-patcher.netbew.com/ and download the latest Lucky Patcher APK.

Click on the APK icon and select the Lucky Patcher APK to install.


That's all. Here is the proof that Lucky Patcher works.


If you still want Lucky Patcher to work on the KitKat ROM, join the Memuplay Facebook group and ask them: https://www.facebook.com/groups/memuplayer/
There is very little chance that they will respond.