Android App Hacking – Hero Defense
Here I will show you how to disassemble an Android game and modify its files to obtain an advantage such as god mode.
The steps for this project are as follows:
- Download the Hero Defense APK.
- Extract its contents.
- Turn its dex file into a .jar file.
- Disassemble it.
- Disassemble the native shared library that contains the actual game logic.
- Patch the library.
- Repackage the APK.
- Sign the APK.
The first thing you need to do is download the APK. This can be done from your Android device, or from your PC using the APK Downloader from evozi. An APK is just a zip file, so once you have it you can rename it to .zip and use any zip utility to extract its contents. You will see a classes.dex file at the root of the extracted directory; the dex2jar utility turns it into a jar (dex2jar.jar) containing all the game's class files. Load that jar into jd-gui, which decompiles the classes back to Java, and begin reading the code.
After reading the code for a few minutes it becomes apparent that the game is not really written in Java: the Java side is a thin wrapper and the game itself is written in C++ and shipped as a native shared library, libdawn.so, which the Java code loads. In order to modify the game's behavior in any meaningful way we have to patch that library. So we crank up IDA Pro and see what we can do.
Loading libdawn.so in IDA Pro takes about 5 minutes on my computer for the auto-analysis to go through all the exports. Once it finishes, you can see that the C++ symbols were not stripped, so IDA demangles many interesting names. One such name is Hero::underAttack(float), which as the name suggests handles what is supposed to happen when our hero is under attack.
Going through the underAttack function we can see that a value is loaded into R3 and then compared against 0. If the comparison succeeds we take the conditional branch towards isAlive; if not, we go somewhere else.
By changing the value that R3 is compared against, we can ensure that the conditional branch is never taken, and so we skip everything on that path. In this case that turns out to be the path where the damage is calculated and dealt to our hero, so by modifying it we end up with a hero that still takes hits (the visual effects play) but takes no damage and cannot die. One thing to keep in mind when patching ARM code: instructions are fixed-size (4 bytes in ARM mode, 2 or 4 in Thumb), so the replacement has to be exactly as long as the original so that nothing after it shifts, and you should confirm the bytes at the offset are the instruction you think they are before writing anything.
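Here is what the patch step looks like when done by hand on the bytes rather than through IDA's patch menu. This is an added example and not the post's own code or anything taken from libdawn.so: it assumes the compare-and-branch is the common 16-bit Thumb pair CMP R3, #0 (0x2B00) followed by BEQ (0xD0xx), and all offsets and bytes, including the fake library SAMPLE_LIB, are constructed for the demonstration. The helper refuses to write unless the bytes at the offset really are the expected conditional branch, which is the check that keeps a wrong offset from corrupting an unrelated instruction, and every rewrite is the same 2-byte length as the original.

```python
# Added example (not the post's own code or IDA output). It assumes the
# compare-and-branch seen in Hero::underAttack is the common 16-bit Thumb pair
#   CMP R3, #0    -> 0x2B00
#   BEQ <label>   -> 0xD0xx (cond 0 = EQ, imm8 = signed offset in halfwords)
# The real libdawn.so offsets are not reproduced; SAMPLE_LIB below is a
# constructed stand-in with a fake 16-byte header in front of that pair.
import struct

ELF_MAGIC = b"\x7fELF"
CMP_R3_0 = 0x2B00   # Thumb T1: CMP R3, #0
NOP_T1 = 0xBF00     # Thumb T1: NOP (same 2-byte length as B<c>)

SAMPLE_LIB = (
    ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9   # constructed header, 16 bytes
    + b"\x00\x2b"                               # offset 16: CMP R3, #0
    + b"\x05\xd0"                               # offset 18: BEQ +10 bytes (imm8 = 5)
    + b"\x00\xbf" * 5                           # padding NOPs standing in for the damage code
)

def read_hw(data, off):
    """Little-endian 16-bit halfword at off."""
    return struct.unpack_from("<H", data, off)[0]

def decode_cond_branch(hw):
    """Return (cond, imm8) for a Thumb T1 B<c>, or None. imm8 is signed, in halfwords."""
    if (hw & 0xF000) != 0xD000:
        return None
    cond = (hw >> 8) & 0xF
    if cond >= 0xE:                  # 0xE undefined, 0xF is SVC: not branches
        return None
    imm8 = hw & 0xFF
    if imm8 >= 0x80:
        imm8 -= 0x100
    return cond, imm8

def make_unconditional(hw):
    """B<c> imm8 (T1) -> B imm11 (T2) to the same target; imm11 covers the imm8 range."""
    _, imm8 = decode_cond_branch(hw)
    return 0xE000 | (imm8 & 0x7FF)

def invert_condition(hw):
    """Flip the low condition bit: EQ<->NE, CS<->CC, MI<->PL, ..."""
    return hw ^ 0x0100

def find_cmp_r3_beq(data):
    """Offsets of every CMP R3,#0 immediately followed by BEQ (halfword-aligned scan).
    Use this to cross-check the offset IDA gave you, not to pick one blindly:
    the pattern is common and more than one hit is expected in a real library."""
    sites = []
    for off in range(0, len(data) - 3, 2):
        if read_hw(data, off) == CMP_R3_0:
            br = decode_cond_branch(read_hw(data, off + 2))
            if br is not None and br[0] == 0:
                sites.append(off)
    return sites

def patch_branch(data, branch_off, mode, expect_cond=0):
    """Return a patched copy of data.
    mode 'always': branch is always taken (B instead of B<c>);
    mode 'never' : branch is replaced with NOP so the code falls through;
    mode 'invert': the condition is flipped.
    Refuses to patch unless the bytes at branch_off are the branch we expect,
    so a wrong offset cannot silently corrupt an unrelated instruction."""
    if not data.startswith(ELF_MAGIC):
        raise ValueError("not an ELF file")
    if branch_off % 2 or branch_off + 2 > len(data):
        raise ValueError("offset out of range or not halfword aligned")
    hw = read_hw(data, branch_off)
    br = decode_cond_branch(hw)
    if br is None or br[0] != expect_cond:
        raise ValueError("unexpected bytes at %#x: %04x" % (branch_off, hw))
    if mode == "always":
        new = make_unconditional(hw)
    elif mode == "never":
        new = NOP_T1
    elif mode == "invert":
        new = invert_condition(hw)
    else:
        raise ValueError("unknown mode %r" % mode)
    out = bytearray(data)
    struct.pack_into("<H", out, branch_off, new)   # same length: nothing shifts
    return bytes(out)

if __name__ == "__main__":
    sites = find_cmp_r3_beq(SAMPLE_LIB)
    print("candidate sites:", [hex(s) for s in sites])
    patched = patch_branch(SAMPLE_LIB, sites[0] + 2, "always")
    print("before:", SAMPLE_LIB[16:20].hex(), " after:", patched[16:20].hex())
```

Which mode you want depends on which side of the compare the damage code sits on, which you read off the disassembly; the point of the three modes is that each of them is a single halfword rewrite, so the rest of the function is untouched.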
So after we modify the bytes, we use IDA Pro to generate a diff and apply it to the libdawn.so binary. After successfully patching we put the library back into the original game APK in place of the old one, sign the APK with zipsign, and install it on our device. Replacing any file in the APK invalidates the original signature, so re-signing is not optional, and because the patched APK is now signed with a different key than the store copy, the original game has to be uninstalled before the patched one will install.
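The repackaging step itself, as an added example and not the post's tooling: swap the patched library into the APK and drop the old v1 signature files so the result can be re-signed. The entry paths (lib/armeabi-v7a/libdawn.so) and the miniature APK built by build_sample_apk() are assumptions and constructed data; the post does not list the real game's APK layout. Signing is left to the tool of your choice (zipsign as in the post, or zipalign plus apksigner from the SDK build tools).

```python
# Added example (not the post's tooling). It swaps a patched library into an
# APK and removes the old signature so the result can be re-signed. Entry
# names like lib/armeabi-v7a/libdawn.so are assumptions: the post does not
# list the game's APK layout. build_sample_apk() is a constructed stand-in.
import io
import zipfile

SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", ".MF")

def is_stale_signature(name):
    """v1 (JAR) signature files live under META-INF/ and describe the old contents."""
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)

def repack_apk(apk_bytes, replacements):
    """Return a new, unsigned APK with every path in `replacements` {path: data}
    swapped in. All other entries are copied with their original compression
    (newer Android versions require resources.arsc to stay uncompressed, so do
    not recompress), and the stale signature files are dropped. Raises KeyError
    if a path is not in the APK, so a typo in the library path cannot produce
    an APK that silently still carries the original code."""
    out_buf = io.BytesIO()
    missing = set(replacements)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, \
         zipfile.ZipFile(out_buf, "w") as dst:
        for info in src.infolist():
            if is_stale_signature(info.filename):
                continue
            if info.filename in replacements:
                dst.writestr(info, replacements[info.filename])  # keeps compress_type
                missing.discard(info.filename)
            else:
                dst.writestr(info, src.read(info))
    if missing:
        raise KeyError("not in APK: %s" % sorted(missing))
    return out_buf.getvalue()

def list_entries(apk_bytes):
    """Sorted entry names of an APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return sorted(z.namelist())

def read_entry(apk_bytes, name):
    """Raw bytes of one entry."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return z.read(name)

def build_sample_apk():
    """Constructed miniature APK: manifest, dex, one native lib, v1 signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("lib/armeabi-v7a/libdawn.so", b"\x7fELF\x00\x2b\x05\xd0")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")
    return buf.getvalue()

if __name__ == "__main__":
    original = build_sample_apk()
    patched_lib = b"\x7fELF\x00\x2b\x05\xe0"   # BEQ rewritten to B in the patch step
    new_apk = repack_apk(original, {"lib/armeabi-v7a/libdawn.so": patched_lib})
    print(list_entries(new_apk))
    # Then, outside Python:  zipalign -p 4 new.apk aligned.apk
    #                        apksigner sign --ks my.jks aligned.apk
```

If you sign with apksigner, run zipalign first: apksigner's v2 signature covers the whole file, so aligning afterwards would break it.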
Once signed we are ready to go.
I hope this wasn't too hard to follow. If you are having a hard time following this, drop a comment.
The hack in action can be seen here: