Tuts 4 You

Android Crackmes & Keygenmes Challenges


Jasi2169


Difficulty : 0 - 5
Language : Android Studio
Platform : Android
OS Version : JellyBean+
Packer / Protector : None

Description :

Here are a couple of crackmes and keygenmes I coded for Android; any beginner, or anyone who wants to test their hand, can try them:

1. App :- Android_Crackme1_TeamURET , Difficulty :- 0/10

2. App :- Android_Crackme2_TeamURET , Difficulty :- 1/10

3. App :- AndroidKeygenMe_1-URET , Difficulty :- 2/10

4. App :- URET Android Official KeygenMe 01 , Difficulty :- 5/10 (This is the official KeygenMe, only defeated by one guy yet)

Enjoy....

Files are attached

URET_Android_crackmes_Keygenmes.rar


1. App :- Android_Crackme1_TeamURET , Difficulty :- 0/10

package acm.jasi2169.acm1;

public class Acm extends Activity
{
  String a = "2169";

2169 is the key.

I will check 2 soon.
 


Replying to CodeCracker (2/22/2017 at 2:37 AM, post quoted above):

Great, looking forward to the Official URET Android KeygenMe solution from you :)

CodeExplorer

Patching Android_Crackme2_TeamURET.apk

class acm.jasi2169.acm2.Aa

  String b = "Application Is Not Licensed";
  String c = "Application Is Licensed";

I've used ApkAnalyser to find where they are used; both are used from:
acm.jasi2169.acm2.Aa.Aa() @ 5
This was just the class constructor method!

b ( "Application Is Not Licensed") is also used from:
acm.jasi2169.acm2.Aa.c() @ 3

  public void c()
  {
    d();
    b.a(this, this.b, this.d);
  }

The c() method is the bad boy!

Local call graph for the c() method:
class b run() void
class Aa b() void
class Aa c() void

  public void b()
  {
    if (!a(this))
    {  // bad boy 1
      if (!this.f.getBoolean("a", false))
      {
        this.g.putBoolean("a", true);
        this.g.commit();
      }
      c();
    }
    for (;;)
    {
      return;
      if (!a(this))
      {
        d();
        moveTaskToBack(true);
        finish();
        i();
      }
      else if (!android.support.a.a.a.a(this))
      {
        this.g.putBoolean("a", true);    // bad boy 2
        this.g.commit();
        c();
      }
    }
  }
 


    public void m6b() {
        if (!m1a((Context) this)) {
            if (!this.f5f.getBoolean("a", false)) {
                this.f6g.putBoolean("a", true);
                this.f6g.commit();
            }
            m7c(); // call bad boy!
        } else if (!m1a((Context) this)) {
            m8d();
            moveTaskToBack(true);
            finish();
            m13i();
        } else if (!C0007a.m17a(this)) {
            this.f6g.putBoolean("a", true);
            this.f6g.commit();
            m7c();  // call bad boy!
        }
    }

classType = Lacm/jasi2169/acm2/Aa;

Method Size: 3
Method Code Offset: 37516
Method: a(Landroid/content/Context;)Z
{
const-string v0 "playstore is not installed means chinese user ?"
const-string v0 "playstore is required to check license :)"
invoke-virtual {v2} Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;
move-result-object v0
invoke-virtual {v2} Landroid/content/Context;->getPackageName()Ljava/lang/String;
move-result-object v1
invoke-virtual {v0,v1} Landroid/content/pm/PackageManager;->getInstallerPackageName(Ljava/lang/String;)Ljava/lang/String;
move-result-object v0
if-eqz v0 :label_28
const-string v1 "com.android.vending"
invoke-virtual {v0,v1} Ljava/lang/String;->startsWith(Ljava/lang/String;)Z
move-result v0
if-eqz v0 :label_28
const/4 v0 1
label_27:
return v0
label_28:
const/4 v0 0 ; to replace 1200 with 1210 - to always return true
goto :label_27

}

929C is the body address!

android.support.a.a
method a

classType = Landroid/support/a/a/a;
Method Code Offset: 39764
Real body start: 9B64

Same change as before: replace 1200 with 1210 to always return true.

ApkEditor, to be able to install the APK:
select an APK file, choose the "Common Edit" option,
and as "Internal Location" choose "Internal Only".
The APK is stored at:
/storage/sdcard/ApkEditor/tmp/gen_signed.apk

Download link for the solved crackme:
http://www33.zippyshare.com/v/BUSak2ZA/file.html
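CodeCracker's patch above turns "const/4 v0, 0" (bytes 12 00) into "const/4 v0, 1" (bytes 12 10) at a known offset, and then lets ApkEditor rebuild and sign the APK. What ApkEditor does behind the scenes is the part worth knowing if you patch classes.dex by hand: the DEX header carries a SHA-1 signature (offset 12, over everything from offset 32 to the end of the file) and an Adler-32 checksum (offset 8, over everything from offset 12 to the end), and the runtime rejects a file where they no longer match. The first instruction of a method lives 16 bytes after its code_item (the post's 37516 = 0x928C gives a body at 0x929C for the same reason). The Python script below is an added example, not code from this thread or from the crackme: it patches one 16-bit code unit of a code_item after checking that the expected old bytes are really there, then re-seals both header fields. The sample DEX it builds is constructed inline (a header plus one code_item with the tail of a(Context) from the listing, no string or method tables) and is only a stand-in for a real classes.dex.

```python
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70        # dex header_item is always 0x70 bytes
CODE_ITEM_HEADER = 0x10   # registers/ins/outs/tries sizes (u2 each), debug_info_off, insns_size (u4 each)
CONST4_V0_0 = bytes([0x12, 0x00])   # const/4 v0, #0  ("1200" in the post)
CONST4_V0_1 = bytes([0x12, 0x10])   # const/4 v0, #1  ("1210" in the post)


def fix_header(dex: bytearray) -> None:
    """Re-seal the header after a byte patch.

    signature (offset 12, 20 bytes) = SHA-1 over bytes 32..EOF
    checksum  (offset 8, 4 bytes)   = Adler-32 over bytes 12..EOF
    The checksum covers the signature, so the signature is written first.
    """
    dex[12:32] = hashlib.sha1(bytes(dex[32:])).digest()
    struct.pack_into("<I", dex, 8, zlib.adler32(bytes(dex[12:])) & 0xFFFFFFFF)


def header_is_consistent(dex: bytes) -> bool:
    """True when both integrity fields match the file contents."""
    sig_ok = bytes(dex[12:32]) == hashlib.sha1(bytes(dex[32:])).digest()
    sum_ok = struct.unpack_from("<I", dex, 8)[0] == (zlib.adler32(bytes(dex[12:])) & 0xFFFFFFFF)
    return sig_ok and sum_ok


def const4_literal(code_unit: bytes) -> int:
    """Signed 4-bit literal of a const/4 (opcode 0x12): high nibble of the second byte."""
    if code_unit[0] != 0x12:
        raise ValueError("not a const/4 instruction")
    lit = code_unit[1] >> 4
    return lit - 16 if lit & 0x8 else lit


def insns_offset(code_item_off: int) -> int:
    """First instruction of a code_item (0x928C + 0x10 = 0x929C in the post)."""
    return code_item_off + CODE_ITEM_HEADER


def patch_code_unit(dex: bytes, code_item_off: int, unit_index: int,
                    expect: bytes, new: bytes) -> bytes:
    """Replace one 16-bit code unit of a method body, then re-seal the header.

    The expected old bytes are checked first so a wrong offset cannot silently
    corrupt an operand word that happens to look like an opcode.
    """
    insns_size = struct.unpack_from("<I", dex, code_item_off + 12)[0]   # in 16-bit units
    if unit_index >= insns_size:
        raise ValueError("code unit index is outside the method body")
    at = insns_offset(code_item_off) + 2 * unit_index
    if bytes(dex[at:at + 2]) != expect:
        raise ValueError(f"expected {expect.hex()} at {at:#x}, found {bytes(dex[at:at + 2]).hex()}")
    out = bytearray(dex)
    out[at:at + 2] = new
    fix_header(out)
    return bytes(out)


def build_sample_dex() -> bytes:
    """Constructed stand-in for classes.dex: a header and one code_item, no tables.

    The body is the tail of a(Context) from the listing above:
        const/4 v0, 1 ; return v0 ; const/4 v0, 0 ; goto -2 (back to the return)
    """
    insns = CONST4_V0_1 + bytes([0x0F, 0x00]) + CONST4_V0_0 + bytes([0x28, 0xFE])
    code_item = struct.pack("<HHHHII", 3, 1, 2, 0, 0, len(insns) // 2) + insns
    dex = bytearray(HEADER_SIZE) + code_item
    dex[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", dex, 32, len(dex))       # file_size
    struct.pack_into("<I", dex, 36, HEADER_SIZE)    # header_size
    struct.pack_into("<I", dex, 40, 0x12345678)     # endian_tag (little-endian)
    fix_header(dex)
    return bytes(dex)


if __name__ == "__main__":
    dex = build_sample_dex()
    # code unit 2 of the body is the "const/4 v0, 0" that makes the check fail
    patched = patch_code_unit(dex, HEADER_SIZE, 2, CONST4_V0_0, CONST4_V0_1)
    at = insns_offset(HEADER_SIZE) + 4
    print("patched literal:", const4_literal(patched[at:at + 2]))
    print("header consistent:", header_is_consistent(patched))
```

Against a real classes.dex you would pass the code_item offset ApkAnalyser reports (37516 for Aa.a, 39764 for android.support.a.a.a.a) and the index of the const/4 word inside that body; the script refuses to write if the bytes at that spot are not 12 00. Note that re-sealing the DEX is not enough on its own: the APK still has to be re-signed afterwards, which is the step ApkEditor's gen_signed.apk covers.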
 


@CodeCracker

Great work on the second one: changed at the right place, rather than modifying the string as some users who tried before did.

Looking forward to the official keygenme, that's the real challenge :)

CodeExplorer

@Jasi2169: I've noticed that your crackmes are very small (great job); how did you do it?
Which Android development environment do you use? (If I may know.)
As for me solving the keygenme, that for sure requires (Android) coding skills, which currently I don't possess;
I am a beginner with Android development.
 


Hi, I used old SDK build tools; I do not remember exactly, maybe they are the Jelly Bean SDKs, API 16 or 17 I guess. They were also built in the Eclipse IDE.

Now the SDK tools are v25 (Nougat); even if you use the v21 (Lollipop) build tools your size will be bigger.

Why? Because the AppCompat support library is automatically added by Android Studio, which takes 1.5-1.9 MB of space.

This is the reason the URET patcher is 2.5 MB: the patcher itself is only 1 MB, and 1.5 MB is taken by this support and design library added by the SDK tools when compiling the debug or release build.

I would suggest you keep using Android Studio as it's easy and simple; Eclipse was good, but nothing compares to Android Studio, built on modules of IntelliJ IDEA.

Or try changing your "extends AppCompatActivity" to "Activity" in all the activities, and try removing the extra libraries in the dependencies of your build.gradle module.


CodeExplorer

Old Android Studio hangs, freezes and crashes a lot :) I use v2.1.2; I did not update to the latest as it works great for me.

So use the latest Android Studio, but download the old Android SDK and push it to

C:\Users\JASI\AppData\Local\Android\sdk (this is the default location); make an Android folder in Local and put the sdk folder there under your username,

and then go to Android Studio, in Settings locate the Android Studio folder, click Apply and restart.

We just need the old Android build tools and the old support library; for example, in the Android SDK downloader download the Jelly Bean API 16 stuff and use that to compile the APK.

I would suggest compatibility is more important than size.


App :- URET Android Official KeygenMe 01 , Difficulty :- 5/10: it includes a mistake in the coding ... did you update this version, or is it the last one? @Jasi2169

I will post key generators for the two keygenmes (5/10 & 2/10) under the Android platform,

and explain what is wrong in this official version!

Thanks for this challenge.

 


Please explain the mistake, @zAWS!: those extra digits need brute forcing, is that what you are talking about?

PS: I don't have the source code left any more; by mistake I deleted the wrong folders and my source code was gone as well, but I remember the idea, not fully, but yes, how the key was generated :)

I will check out your results soon at home!

Good work; also, could you share your views here on how to make it better, and your feedback?

EDIT: the first keygen works, the second does not work for me.

PS: it creates only one serial; if you know, it does not accept the same one again, but anyway the serial is not working.

Also, nowadays root can cause a problem, which adds a boolean in the serial; sometimes the phone is rooted systemless but the binaries are not present in /system <- you mean this mistake?

You could do it like this: add a boolean for the user to say if the phone is rooted (add 1) or not rooted (add 2) and generate the serial. Sometimes on a new Android OS the keygenme won't detect root, systemless root for example, and the boolean stays false in this case, so asking the user is a good option.


Hi Jasi2169

Quote

"PS: I don't have the source code left any more; by mistake I deleted the wrong folders and my source code was gone as well, but I remember the idea, not fully, but yes, how the key was generated"

Please read the PDF file; it is a quick guide with charts to remember what is going on inside your keygen.

Quote

"Please explain the mistake: those extra digits need brute forcing, is that what you are talking about?"

1. Yes, that's the point. I wrote external code to brute force those two digits and I generated the digits for values from 350 to 1500, and I found a strange thing:

Every hundred, there are 8 to 9 values for which those digits can't be generated! :-(

Example: if the SUM of the ASCII values (without the two digits) is from 589 to 596, or from 688 to 695, etc., we CAN'T get these digits.

And in some cases I generated the five keys (MD5, SHA-1, SHA-256, SHA-384, SHA-512) for the same username and got the SUM between those magic numbers (BAD LUCK) and I couldn't generate the two digits, so for that reason I generated only one key, based on the MD5 hash, and didn't care about the other keys. So we can easily generate the other hash values and add them to the keygen.

Quote

"Sometimes on a new Android OS the keygenme won't detect root, systemless root for example, and the boolean stays false in this case, so asking the user is a good option"

No, I do not agree with you; it's a weak point for a keygenner to ask the customer to input a special expression, maybe he or she does not know what root means. I think the developer must get it by code, and not let anyone know what's going on inside the keygen.

Quote

"PS: it creates only one serial; if you know, it does not accept the same one again, but anyway the serial is not working"

As I explained, I generated only one key (based on the MD5 hash) and that key only works with the first check, or you must click the multi-check button to rewrite the MD5 value again in the (億.xml) file (億 is "billion" in English) and get the good boy message again.

So if the serial is not working, maybe there is a problem detecting device rooting; I did not test on new devices.

I tested my root detection code on the emulator, Lollipop and KitKat, and it works great.

Now, in my case:

Root value : 2

BRAND : Samsung

Serial : dbe26236

If we apply the routine we get the result shown in the screenshot!

[Screenshot: Screenshot_2018-05-12-15-12-28.png]

 

 

Attachment: Uert offical keygen me charts analysis.pdf


Hi, I can see that you got the idea, but the two guys at

https://www.uret.in/topic/2910-uret-android-official-keygenme-01/

brute forced it with every single hash properly.

When I coded the keygen I also made a keygen that brute forced properly; I do not remember the trick I used, but I brute forced the 2 characters within a freeze of 5 seconds max with any serial. I also liked the way niko and djmen brute forced it, but I don't have their keygenme solutions any more either, my bad :(

But yes, you analysed the algo, and I see you used B4A to develop the application :)


Thanks.

The link above needs special access permission; I think the website needs an invitation code to register! 😀


Replying to zAWS! (12 minutes earlier, post quoted above):

I will send you an invitation; send me a PM with the email and username you want to register with :)
