
From childhood to adulthood, my biggest motivation has always been playing games and looking cool… Today I wanted to play Monster Hunter 4G but couldn’t get back to Guangzhou, so I played it on my 5-year-old 3DS. Since it’s an old game that wasn’t very popular in the Chinese community at the time (Ping’s Dex was inconvenient due to system issues), it’s hard to find Chinese resources. To play the game better… I turned to an app that requires watching ads to earn points, which can then be used to exchange for specific equipment functions.

This app’s monetization is based on watching ads to earn points, which are then used to exchange for specific equipment functions. My original goal was to make the points infinite, or to make the exchanged functions usable without limit. I assumed there would be a variable in the program code that is decremented each time a function is used; removing that line of code would give unlimited usage.

So let’s move on to the operation.

Unpacking and Parsing APK

Actually, an APK file is just a zip archive, so you can unzip it directly. The extracted package contains many parts; the actual executable code is in *.dex, the compiled Dalvik bytecode. To read it, you need to convert this file into a jar. I used enjarify, which is on GitHub; clone it and run it.

    unzip your.apk
    /path/tool/enjarify.sh classes.dex

Next, you need to view the Java code. I used jd-gui, which is available in the Arch User Repository (aur/jd-gui-bin). Drag the jar into it. This is purely reading the code. Since the code wasn’t written by me, and the author might have added some obfuscation to protect themselves, the relevant part may be hard to locate. So I thought of using log tracking:

  1. First, use adb shell to connect to the phone and run pm list packages to find the package name of the target app.
  2. Using that name, capture logs for the specific app with adb -s device_id logcat | grep you.app.name.
  3. On the phone, operate the app, for example by entering its paid page, so you can see in the logs which class (activity) was called.

After locating it, it’s quite tedious… Guess the logic of the code in the identified file (since I don’t understand Java), and then try to find a way in.

De-compiling APK and Modifying Code

I used apktool, which you can install via sudo pacman -S android-apktool after adding the Arch Linux CN repository. After installation, use apktool d your.apk to decompile it.

After decompilation, enter the generated folder. It contains a smali folder with the same directory structure as the Java project, but the files are smali assembly code instead of Java. Although the two languages are different (and some implementation logic differs quite a bit), they express the same program, so based on the Java code read earlier you can find the corresponding part in the smali file and modify it using smali syntax.

Re-packaging and Signing

After modifying the code files, you can re-generate the APK file with the modified folder: apktool b -o your.mod.apk your_path.

However, the newly packaged APK cannot be used directly. It needs to be signed… The signing process involves first generating a keystore and then signing the APK with it. I found this process too complicated and instead found a quick-signing project on GitHub called uber-apk-signer, which uses a built-in debug certificate to quickly sign the unsigned APK so that it can be installed.

    java -jar uber-apk-signer-1.1.0.jar --apks your.mod.apk

After that, test the modified app. If it doesn’t achieve the desired effect, you can modify it again. Actually, I didn’t achieve my initial goal because I couldn’t find where the value decreases in the code (since I really don’t understand Java), but I found a conditional check for whether points are sufficient when making purchases. So I directly bypassed this check and let the point exchange complete, achieving my goal in a different way… The only drawback is that… I still have to enter the purchase page and make many exchanges…
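Why did bypassing one conditional work? Because both the point balance and the “enough points?” check lived inside the APK, where anyone who can unzip, decompile and re-sign it (the steps above) can edit them. The following is an added example, not the author’s code or the app’s real logic: a constructed, in-memory entitlement service in which the server holds the ledger, checks and debits in one step, and issues an HMAC-signed entitlement. A client patched to skip its own check (modelled by the hypothetical PatchedClient class) gains nothing, and a client that edits the returned token is detected. The key, catalogue and point values are all made up for the example.

```python
import hmac
import hashlib
import secrets
import threading

# Server-side secret for signing entitlements; the client never sees it.
# Constructed for this example, not a real key.
SERVER_KEY = b"example-server-key-not-for-real-use"

# Catalogue of exchangeable functions and their point cost (constructed).
CATALOGUE = {"equip_search": 30, "drop_table": 50}


class EntitlementService:
    """Authoritative ledger: the only place a balance is checked or debited."""

    def __init__(self):
        self._balances = {}          # user_id -> points
        self._lock = threading.Lock()

    def credit_for_ad(self, user_id, ad_receipt_ok):
        """Credit points only when the ad network's receipt was validated."""
        if not ad_receipt_ok:
            return False
        with self._lock:
            self._balances[user_id] = self._balances.get(user_id, 0) + 10
        return True

    def redeem(self, user_id, item):
        """Check and debit in one critical section; return a signed entitlement."""
        cost = CATALOGUE.get(item)
        if cost is None:
            return None
        with self._lock:
            balance = self._balances.get(user_id, 0)
            if balance < cost:
                return None          # refused: nothing in the client can override this
            self._balances[user_id] = balance - cost
        nonce = secrets.token_hex(8)
        msg = f"{user_id}|{item}|{nonce}".encode()
        sig = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
        return {"user": user_id, "item": item, "nonce": nonce, "sig": sig}

    def balance(self, user_id):
        with self._lock:
            return self._balances.get(user_id, 0)


def verify_entitlement(token):
    """Run by whatever unlocks the function: only server-signed tokens pass."""
    if token is None:
        return False
    msg = f"{token['user']}|{token['item']}|{token['nonce']}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["sig"])


class PatchedClient:
    """Hypothetical model of the repackaged app: its local 'enough points?'
    branch has been removed, so it always proceeds to the exchange request."""

    def __init__(self, service, user_id):
        self.service = service
        self.user_id = user_id
        self.local_points = 0    # whatever the tampered UI shows; the server ignores it

    def exchange(self, item):
        # The original client would have `if self.local_points < CATALOGUE[item]: return None`
        # here; that branch is gone, mirroring the conditional bypass in the post.
        return self.service.redeem(self.user_id, item)


def demo():
    """Walk through refusal, a legitimate grant, and a forged token."""
    svc = EntitlementService()
    client = PatchedClient(svc, "user-1")
    refused = client.exchange("drop_table")       # server balance is 0 -> None
    for _ in range(5):                            # five validated ad views -> 50 points
        svc.credit_for_ad("user-1", ad_receipt_ok=True)
    granted = client.exchange("drop_table")       # 50 >= 50, balance debited to 0
    forged = dict(granted, item="equip_search")   # client rewrites the token's item
    return {
        "refused": verify_entitlement(refused),
        "granted": verify_entitlement(granted),
        "forged": verify_entitlement(forged),
        "balance_after": svc.balance("user-1"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the APK contains no decision worth patching: the balance, the comparison and the debit all happen behind `redeem`, and the unlock path accepts only tokens signed with a key the client never holds. Re-signing the APK with a debug certificate, as in the next step, does not help against this either, since the server keys the ledger on the user, not on anything the package ships.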

Well, since doing it this way isn’t very good for the original author… So I won’t give the app name or the actual code.

I wonder if this skill will be effective in strange places again…

