Android Nowt apk and antidebug tricks - General Questions and Answers

Hi to all.
Does anybody know how many and what kind of antidebug protection tricks this apk has inside?
In main dalvik code methods are used to verify if we attach an elf file with android_debug e.g. and so sigill error is created?
Thanks to all.
Palm

I think this app is very similar to skygo so many protections should be the same. For example drm protection is based on vgdrm files. Other protection is about apk signature, so if we decompile, modify manifest for debugging and recompile, new app goes in error when launched. It would be interesting to know how the system compares the 2 signatures. Most likely server side by sending the hash string to the server. Has anyone understood more? Thanks

Is it possible to break into vgdrm help service when started by apk? Did anybody try it with debugger? Thanks

Related

com.sprint.dsa.apk

This is gonna sound weird but I rebooted my phone earlier and I suddenly have a new app called DSA Client (com.sprint.dsa.apk). I went to launch it but it just force closes. Does anybody else have this installed? I have since removed it since I'm rooted but it was in /data/app. From what I can tell by hex editing the resources, it's just some Hello World app. The classes.dex file has "dsa.spcsdns.net" in there and a bunch of stuff about MEID, ESN, MSID, Self Activation, AAA Auth Algorithms, and other CDMA info like that.
Anybody have any ideas?
Virus?
Are you using Superuser Whitelist? Probably a good idea if you have su sitting out there in /system/bin.
Directory System Agent (DSA) software supports directory data bases, I guess it's used in some of Sprint's areas

Decompiling a ROM app

Hi there. I've just migrated to Android from WinMo and have a few questions. Firstly, where can I find the ROM apks? In which folder are they stored? I'm particularly interested in the HTC Desire's FM Radio app. Is there any way I can track what commands it sends to the FM Radio device so I can make a custom Radio app? And as far as those apps run on the Dalvik VM, can the code be partially decompiled? I know it's a long shot for a newbie, but at least it would be an interesting thing to attempt. I got used to dlls in Windows and have almost no experience with Linux, so I know it would be hard. Anyway, any help or suggestions will be much appreciated
Edit:
----------------------------------------
So here are the files I succeeded in decompiling: HTCRadio.rar (18.7 MB)
In case anybody needs them
The archive contains HtcFMRadio.apk, HtcFMRadio.odex, their decompiled resources and classes in smali format and the com.htc.resources framework
I will try to make sense of them, but I'm almost certain I'll fail
martintzvetomirov said:
Firstly, where can I find the ROM apks? In which folder are they stored?
/system/app for system apps, and /system/framework for frameworks: Java runtime, Android libraries, etc.
martintzvetomirov said:
And as far as those apps run on the Dalvik VM, can the code be partially decompiled?
http://code.google.com/p/smali/ - Dalvik bytecode (dis)assembler
http://code.google.com/p/android-apktool/ - decodes app resources (they are compiled/optimized to binary form), simplifies working with decoded files, uses smali
Thanks, mate! That's a really good start point for me
EDIT: I successfully decompiled the resources and the classes. I've added a link in my first post in case someone searching in Google for that comes across this topic
Ok, from what I've seen HTCRadio.apk has registered a service called FMRadioService and luckily its android:exported is set to true. Does it mean that I can call this service from my app and get something useful from it? And if yes, how can I call a service for which the only thing I know about is its name? Cheers
EDIT: I successfully invoked the Remote Service and I think implemented the aidl correctly. Now it's time to figure out how to make it work
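An audit for the situation discussed in this thread (a service declared with android:exported set to true), as an added example that is not part of the original posts: it reads an apktool-decoded AndroidManifest.xml and lists components that other apps can call without holding any permission. The package name, component names and manifest below are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Attribute prefix for the android: namespace used in decoded manifests.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample, shaped like an apktool-decoded AndroidManifest.xml.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.radio">
  <application>
    <service android:name=".FMRadioService" android:exported="true"/>
    <service android:name=".TunerService" android:exported="true"
             android:permission="com.example.radio.permission.TUNE"/>
    <service android:name=".ScanService">
      <intent-filter><action android:name="com.example.radio.SCAN"/></intent-filter>
    </service>
    <receiver android:name=".InternalReceiver"/>
  </application>
</manifest>
"""

def is_exported(component):
    """Explicit android:exported wins; otherwise a component with an
    intent-filter is exported by default (pre-Android 12 behaviour).
    Resource references such as @bool/... are not resolved here."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None

def unprotected_exports(manifest_xml):
    """Return (tag, name) for exported components with no permission guard."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    app_permission = app.get(A + "permission")  # default for all components
    findings = []
    for tag in ("activity", "service", "receiver"):
        for comp in app.findall(tag):
            permission = comp.get(A + "permission") or app_permission
            if is_exported(comp) and not permission:
                findings.append((tag, comp.get(A + "name")))
    return findings

if __name__ == "__main__":
    for kind, name in unprotected_exports(SAMPLE_MANIFEST):
        print(f"{kind} {name}: exported with no permission requirement")
```

Each finding is a component whose interface should either be marked android:exported="false" or be guarded by a signature-level permission.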

[Q] Custom Device driver / KernelLibrary

Good day,
I am new to the forum so please forgive me if this is not the right place to ask.
I have been reading through some of the threads on the forum and am curious to know if there is a way to load custom kernel libraries or device drivers onto the phone.
If there is a way, is there a correct procedure? For example to load a custom device driver / kernel library, do I also have to have an entry in the registry? Does the dll file have to be in /Windows?
Thanks in advance.
Good questions. There's been only a little research on this so far. I can tell you what I've found, though:
For a stock ROM, nobody has managed it yet, but it might be possible. You'll need to have your DLL signed, and the certificate added to the Code Integrity store on the phone (just mailing yourself the .cer is insufficient! That will put it in the wrong store). You'll probably want the DLL to be in \Windows, although I'm not sure it's needed. You almost certainly will need to add registry entries; the current drivers seem to have them.
Good day,
thanks for your reply. And thanks for all the good research you have done.
So at the moment, the software approach is not working but for custom roms, is it possible to include custom device drivers / kernel libraries in them?
Thank you.
Well, it's possible. The HD2 Multitouch driver is an example that it's somehow possible. Should be the same for the other devices (especially HTC first gens)...
But don't know what you're getting at? Why would you need a custom driver?
Good day,
well, I just think that having a driver that acts like HTCUtility would make things convenient.
As for file operations, besides the application that Heathcliff has created (WP7RootTool), are there other applications that can do write operations to the /Windows folder?
What are the things that need to be done before we can write to that folder?
Thank you.
Any app with Elevated or TCB privileges can write to \Windows, I think. Using HtcRoot project or WP7 Root Tools works (both elevate apps to TCB permissions, though using different methods). Also, using an OEM driver, such as HtcProvisionDrv or HtcFileUtility, works (although those two particular drivers were crippled in the 4.x firmware).
Good day,
thanks for the information. I tried the HtcRoot tool and it works. Thanks for the tool and the source that allows me to know how it works.
Can I assume that I would be able to have write access to the Certificate and Code Integrity store also?
I am also curious as to the workings of HTCFileUtility. A quick search on this turns up little information on its workings.
Furthermore, is there a guide to inserting custom certificates to the root Certificate and Code Integrity store? I have tried downloading the Certificates.zip file in http://forum.xda-developers.com/showthread.php?t=1236027 and test rom files in http://forum.xda-developers.com/showthread.php?t=1248799 hoping that they will shed some light but am unable to download them.
Any help is appreciated. Thank you.
Yes, installing your own cert into Code Integrity is possible (in several ways, actually, but I did it using HtcRoot just as an exercise). The certificates are actually stored in the registry, so any tool that can write to HKLM can add them. I believe that WP7 Root Tools will also let you choose the store for adding a certificate if you "open" the cert from the Root Tools filebrowser.
Although I don't know exactly how HtcFileUtility works, here's the basics. It's a software driver that exposes an interface - probably an IOCTL - which apps can use to perform filesystem operations. Since it runs with TCB permissions (it's probably kernel mode, though I haven't actually checked, but it's definitely in TCB) it can perform any operation that the filesystem supports. Of course, that doesn't mean that it exposes all those operations through the IOCTL... but it exposes enough of them for a pretty solid filebrowser implementation (that's how TouchXplorer and Advanced Explorer worked, although they used an OEM COM DLL that called into the driver rather than doing the IOCTL themselves).
The new version of it has very limited operations permitted; it will only list files in a few folders and so forth. It does still "work" within those limitations - Connection Setup, for example, uses it to check the folder that we use for interop-unlock on HTC - but it isn't useful for a general-purpose browser anymore.
It would be great to even figure out how to roll back the OEM drivers to earlier versions. For example, I've got WP7 Root Tools installed on my HD7, but I don't want to install HTC updates because they'll break my drivers such that if something ever goes wrong I won't be able to re-install Root Tools, or if a new hack is found (or developed; I'm working on some stuff with HtcRoot still) I won't be able to run it on my phone. Being able to use the advantages of the new firmware (Internet Sharing, compass in managed apps, hopefully an end to the damn music player freezing between songs...) while still having hackable OEM drivers would be reallllly nice...
Good day,
thanks for the information.
I noticed in the HTCRoot project thread where you mentioned that "It is not a true handle (no handle table, no handle data) but everything that checks for tokens also checks for this const value, and appears to pretty much skip all remaining permissions checks if it finds it".
Would you mind sharing some of the function names so that I could take a look at the code where the checking occurs?
Thanks.

Found possible new tweak. need help.

hey guys and gals,
found a new key that looks like when altered will allow unsigned apps/arm compiled apps to run. Unfortunately I don't have the expertise to compile my own program nor any unsigned app to try.
key is here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost\Download
the key I have edited is check signatures from yes to no. interested to see if it will allow for unsigned code to be installed. see attached for an edited reg file to inject.
AppHost is the process which runs HTML5/JS Windows Store apps. Removing the signature check on such apps may allow modification of store apps without re-signing them, but it's unlikely to have any impact on other EXEs. Worth a shot though, I guess.
This is the only way to get unsigned apps to run, because the signing level is held in the kernel and read at boot time, not in any registry key:
http://surfsec.wordpress.com/2013/01/06/circumventing-windows-rts-code-integrity-mechanism/

XDA thread with virus attached

Hi,
I was looking for a smali to java converter and came across this thread: http://forum.xda-developers.com/showthread.php?t=2430413. I tried to use the app attached there (seems to have worked well for many other users).
Norton Anti-virus on my machine immediately blocked and deleted the .exe file - said it has WS.Reputation.1 worm.
I don't have privileges to update above thread, hence posting here if someone can help verify and remove the file.
Regards,
Anil.
hello,
I scanned the file in question and everything seems to be ok to me. Out of 51 different virus scanning tools only 1 came back with anything. It came up with a file called
Suspicious.Insight
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/index.php?s=pua&lang=en
I think Norton thought the file was something that it is not. You can see the scan results in the link below
https://www.virustotal.com/en/file/...c835f477dd5a7dcef5ffde62/analysis/1411291539/
Thanks Mark, much appreciated. Seems Norton is a bit over-zealous on this one.
