Hey guys,
Cheers for checking out the thread.
In this one I hope to give you a little something out of the ordinary when it comes to Android reverse engineering - something a bit more advanced.
So a few days ago I cam across a version of iMPlayer which has not been made public which was modified, themed and connecting to a panel which I found interesting - after attempting to reach out to the owner to try and get my hands on it for my own use (as you do.) It became apparent that wasn't going to be the case - so I set out too modify the modified version to be able to connect to my own hosted panel.
Upon checking out the classes.dex I quickly noticed that something unusual had been done to the APK, I'm not talking about obsfucation like ProGuard or anything like that, that sort of issue can be resolved in seconds, no, this was something much nicer - DexProtector.
Now DexProtector when used will encrypt the Dex files of an APK and decrypt it/them on runtime in the case of a Davlik type Dex it will decrpyt it to an actual .dex archive using DexOpt. In the case of this application (ART) it will decrpyt too an .odex or .dat as I found, which was just an .odex in a different wrapper. This is done by using Dex2Oat and easily converted back to an unoptimized .dex using - you guessed it - Oat2Dex, see here.
Now this tool DexIntercept uses a cut down version of inotify-await for Android, see here. Which will look out for filed being made by the application and 'steal' them away before the application can then delete them again which is what DexProtector is programmed to do. From there you can then either directly edit the .dex or convert the .odex/.dat to .dex and edit away to create a DRM free version of the application.
Hopefully someone will have fun with this as I have, please don't pester me for instructions on how to use!
Thanks again for reading!
- Ian.
Note: I've included the APK for those who seek to learn how this works and would like to target other protected applications.
Helpful Information:
Cheers for checking out the thread.
In this one I hope to give you a little something out of the ordinary when it comes to Android reverse engineering - something a bit more advanced.
So a few days ago I cam across a version of iMPlayer which has not been made public which was modified, themed and connecting to a panel which I found interesting - after attempting to reach out to the owner to try and get my hands on it for my own use (as you do.) It became apparent that wasn't going to be the case - so I set out too modify the modified version to be able to connect to my own hosted panel.
Upon checking out the classes.dex I quickly noticed that something unusual had been done to the APK, I'm not talking about obsfucation like ProGuard or anything like that, that sort of issue can be resolved in seconds, no, this was something much nicer - DexProtector.
Now DexProtector when used will encrypt the Dex files of an APK and decrypt it/them on runtime in the case of a Davlik type Dex it will decrpyt it to an actual .dex archive using DexOpt. In the case of this application (ART) it will decrpyt too an .odex or .dat as I found, which was just an .odex in a different wrapper. This is done by using Dex2Oat and easily converted back to an unoptimized .dex using - you guessed it - Oat2Dex, see here.
Now this tool DexIntercept uses a cut down version of inotify-await for Android, see here. Which will look out for filed being made by the application and 'steal' them away before the application can then delete them again which is what DexProtector is programmed to do. From there you can then either directly edit the .dex or convert the .odex/.dat to .dex and edit away to create a DRM free version of the application.
Hopefully someone will have fun with this as I have, please don't pester me for instructions on how to use!
Thanks again for reading!
- Ian.
Note: I've included the APK for those who seek to learn how this works and would like to target other protected applications.
Helpful Information:
Last edited by a moderator:
![[WOI] NewsBot](/data/avatars/s/33/33004.jpg?1732189642){kind=avatar}
