Friday, June 10, 2011

cracking verizon's v cast apps drm

verizon has a new app store. it uses an amazon-app-store-like drm scheme that's fairly simple to crack.

here's how it works. in the launching activity a thread is started that calls checkLicense(). this was in com/cp/app/MainActivity$2.smali:
.method public run()V
    .locals 2

    .prologue
    .line 100
    invoke-static {}, Landroid/os/Looper;->prepare()V

    .line 102
    :try_start_0
    iget-object v0, p0, Lcom/cp/app/MainActivity$2;->this$0:Lcom/cp/app/MainActivity;

    iget-object v0, v0, Lcom/cp/app/MainActivity;->licenseAuthenticator:Lcom/verizon/vcast/apps/LicenseAuthenticator;

    sget-object v1, Lcom/cp/app/MainActivity;->verizonAppKeyword:Ljava/lang/String;

    # call checkLicense and store the result in v0
    invoke-virtual {v0, v1}, Lcom/verizon/vcast/apps/LicenseAuthenticator;->checkLicense(Ljava/lang/String;)I
    move-result v0

    .line 103
    iget-object v1, p0, Lcom/cp/app/MainActivity$2;->this$0:Lcom/cp/app/MainActivity;

    # pass the result of checkLicense (v0) to isDRMDone()
    invoke-virtual {v1, v0}, Lcom/cp/app/MainActivity;->isDRMDone(I)Z
    move-result v0

    # isDRMDone() handles error messages and returns true when all is good
    if-eqz v0, :cond_0

    # ... rest of code

if you look at isDRMDone() you'll see that it's basically a big switch: an input of 0 or 1 counts as valid, and everything else is treated as some kind of error. so we just need to make sure checkLicense() returns 1 and doesn't call anything else that may have side effects (timeouts, checking whether the verizon app store is installed, etc.).

checkLicense() is defined in com/verizon/vcast/apps/LicenseAuthenticator.smali. after modification it looks like:
.method public declared-synchronized checkLicense(Ljava/lang/String;)I
    .locals 10
    .parameter "keyword"

    .prologue

    # just set v0 to 1 (true) and return
    # the rest of the method never runs
    const/4 v0, 0x1
    return v0

    const/16 v9, 0x64

    const-string v7, "checkLicense() finished. Trying to shutDownLicenseService()"

    const-string v7, "LicenseAuthenticator"

    .line 256
    monitor-enter p0

    :try_start_0
    const-string v7, "LicenseAuthenticator"

    const-string v8, "begin checkLicense()"

    # ... rest of code
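The patch above leaves a recognisable shape in the bytecode: a constant load followed immediately by a return as the first two instructions after .prologue, with the original method body left behind as dead code. As an added example (not code from this post or from verizon's sdk), here is a small scanner over baksmali output that flags methods with that shape. A developer can run it over a disassembled copy of their own app, or a repackaged build of it found in the wild, to spot a license check that has been stubbed out. The two smali snippets embedded below are constructed for the example, modelled on the post's listings, not taken from a real app.

```python
import re
from typing import Dict, List

# Constructed sample: a method patched the way the post describes.
# The constant load and return come right after .prologue; everything
# after the return is the original, now unreachable, body.
PATCHED_SMALI = """\
.method public declared-synchronized checkLicense(Ljava/lang/String;)I
    .locals 10
    .parameter "keyword"

    .prologue
    const/4 v0, 0x1
    return v0

    const/16 v9, 0x64
    monitor-enter p0
.end method
"""

# Constructed sample: an untouched method whose first instruction is a
# switch, so it must not be flagged even though it also returns constants.
INTACT_SMALI = """\
.method public isDRMDone(I)Z
    .locals 1
    .parameter "status"

    .prologue
    packed-switch p1, :pswitch_data_0
    const/4 v0, 0x0
    return v0

    :pswitch_0
    const/4 v0, 0x1
    return v0
.end method
"""

METHOD_RE = re.compile(r"^\.method\s+(.+)$")
# const, const/4, const/16, const-string, const-wide/16, ...: "const<suffix> vN, <value>"
CONST_RE = re.compile(r"^const(?:[/-][\w/-]*)?\s+([vp]\d+),\s*(.+)$")
RETURN_RE = re.compile(r"^return(?:-object|-wide)?\s+([vp]\d+)$")


def _instructions(body_lines: List[str]) -> List[str]:
    """Keep only real instructions: drop blanks, comments, directives and labels."""
    out = []
    for raw in body_lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(".") or line.startswith(":"):
            continue
        out.append(line)
    return out


def _stub_value(instrs: List[str]):
    """Return the constant if the method is 'load constant into vN; return vN', else None."""
    if len(instrs) < 2:
        return None
    const = CONST_RE.match(instrs[0])
    ret = RETURN_RE.match(instrs[1])
    if const and ret and const.group(1) == ret.group(1):
        return const.group(2)
    return None


def find_constant_return_stubs(smali_text: str) -> List[Dict[str, str]]:
    """Scan smali source and report methods that return a constant as their first action."""
    flagged: List[Dict[str, str]] = []
    current = None
    body: List[str] = []
    for raw in smali_text.splitlines():
        line = raw.strip()
        header = METHOD_RE.match(line)
        if header:
            # last token of the header is "name(descriptor)returntype"
            current = header.group(1).split()[-1]
            body = []
            continue
        if line == ".end method":
            if current is not None:
                value = _stub_value(_instructions(body))
                if value is not None:
                    flagged.append({"method": current, "value": value})
            current = None
            continue
        if current is not None:
            body.append(raw)
    return flagged


if __name__ == "__main__":
    for hit in find_constant_return_stubs(PATCHED_SMALI + INTACT_SMALI):
        print(f"{hit['method']} returns {hit['value']} immediately")
```

A hit is only a lead: legitimate getters also return constants, so the list should be narrowed to the methods that matter (here, anything in com/verizon/vcast/apps/ or whatever the drm vendor's package is) and compared against the developer's own unmodified build.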

if you're a developer, then depending on how verizon inserts their drm into your app, it may still be possible to use classical protection / anti-tampering techniques on top of it. i'd like to know. but really though, don't waste your time on protection. i'm not blasting verizon or amazon or google for weak security: real effort should be spent improving the program, not slowing down crackers (because you can't stop them). if you want money, use ads.
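One of the classical anti-tampering techniques mentioned above, as an added example that is not code from this post or from any verizon component: a modified apk has to be re-signed before it will install, and the cracker does not hold the developer's signing key, so the app can check at runtime that its signing certificate is still the expected one. EXPECTED_CERT_SHA256 is a placeholder for the sha-256 of the developer's own certificate, assumed to be filled in at build time; SigningCertCheck is a name chosen for this example.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;

// Added example, not code from the post or from the V CAST SDK.
public final class SigningCertCheck {

    // Placeholder: replace with the SHA-256 of the developer's real signing
    // certificate, computed once at build time. Empty here, so this example
    // returns false until it is filled in.
    private static final byte[] EXPECTED_CERT_SHA256 = new byte[0];

    private SigningCertCheck() {}

    /** True only if every signer of the running APK matches the expected certificate. */
    public static boolean signedByUs(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length == 0) {
                return false;
            }
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (Signature sig : info.signatures) {
                // digest() resets the MessageDigest, so it can be reused per signer
                byte[] digest = md.digest(sig.toByteArray());
                // constant-time comparison of the two digests
                if (!MessageDigest.isEqual(digest, EXPECTED_CERT_SHA256)) {
                    return false;
                }
            }
            return true;
        } catch (Exception e) {
            // a missing package or unavailable algorithm is treated as tampered
            return false;
        }
    }

    /**
     * Gate the license result on the certificate check as well, so that stubbing
     * checkLicense() alone is not enough. Assumes the same 0/1 = valid convention
     * the post describes for isDRMDone().
     */
    public static boolean licenseUsable(Context ctx, int checkLicenseResult) {
        boolean licenseOk = checkLicenseResult == 0 || checkLicenseResult == 1;
        return licenseOk && signedByUs(ctx);
    }
}
```

This only raises the cost, which is the post's point: licenseUsable() is itself dalvik bytecode in the same dex file, so it can be stubbed the same way checkLicense() was. It catches the straightforward case of a re-signed apk, and it is more useful when the check is called from several places and its result feeds into something the app actually needs rather than into a single boolean gate.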
