IDA Hacking Android Apps – Hero Defense
Here I will show you how to disassemble an Android game and modify its files to obtain an advantage such as god-mode using IDA Pro. For simplicity, I will refer to editing code with IDA in this article as ida hacking.
Tools used:
- APK Downloader
- IDA Pro or similar disassembler (our main tool, and thus the phrase ida hacking)
- Binary patcher
IDA Hacking Tutorial
The steps for this project are as follows:
- Download the Hero Defense APK.
- Extract its contents.
- Turn its dex file into a .jar file.
- Disassemble it.
- Disassemble the shared library containing the game's native code.
- Patch the library.
- Repackage the APK.
- Sign the APK.
The first thing you need to do before you start ida hacking is download the APK. You can do this from your Android device, or from your PC using the APK Downloader from evozi. An APK is just a zip archive, so once you have it downloaded you can rename it to .zip and extract its contents with any zip utility. You will see a classes.dex file at the root of the extracted directory; turn it into a jar with the dex2jar utility. After that you have a dex2jar.jar file containing all of the game's class files, which you can load into jd-gui and start reading.
If the entire game were written in Java there would be no need for any ida hacking. After reading the code for a few minutes, however, it becomes apparent that the Java classes are only a thin wrapper: the game itself is written in C++ and lives in a native shared library, libdawn.so. To modify the game's behavior in any meaningful way we have to patch that library, so we fire up IDA Pro and see what we can do.
On my computer, IDA Pro's auto-analysis of libdawn.so takes about 5 minutes. Once it finishes you can see that the library exports many functions under readable C++ names (IDA demangles them for you). One such name is Hero::underAttack(float), which, as the name suggests, handles what happens when our hero is attacked.
Going through the underAttack function we can see that a value is loaded into R3 and then compared against 0. If the comparison succeeds, the conditional branch into isAlive is taken; otherwise execution continues elsewhere.
With a bit of ida hacking we change the immediate that R3 is compared against, so the comparison never succeeds and the conditional branch is never taken; the code on that branch never runs. That turns out to be the branch where the damage is calculated and dealt to our hero, so the patched hero still takes hits (the visual effects play) but loses no health and never dies.
After modifying the bytes in IDA, we have IDA produce a diff file and apply it to libdawn.so with the binary patcher. Then we put the patched library back into the original APK in place of the old one and sign the APK with zipsign. Because the repackaged APK now carries your signature rather than the developer's, it will not install as an update over the Play Store copy: uninstall the original first, then load the patched APK onto the device.
Once signed and installed, we are ready to go.
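The patch and diff steps above, as a worked example added here (this is not code from the original post or from the game): it rewrites the immediate of an A32 `CMP Rn, #imm` so the compare can never succeed, writes the change out in the format of an IDA-generated .dif file (file offset, old byte, new byte), and applies that .dif with the old-byte check a careful binary patcher performs before touching the file. Assumptions, labelled in the code: the function is 32-bit ARM (A32) rather than Thumb, and the file bytes, offsets and the replacement immediate 0xFF are constructed for the demo rather than taken from libdawn.so.

```python
"""Patch a CMP immediate, express it as an IDA-style .dif, apply it safely.

Added example, not from the original post. Assumes A32 (32-bit ARM) encoding;
all bytes, offsets and the replacement immediate are constructed for the demo.
"""
import os
import re
import struct
import tempfile

# A32 data-processing, immediate form:
#   cond(4) 001 opcode(4) S(1) Rn(4) Rd(4) rot(4) imm8(8)
# CMP is opcode 1010 with S set; the operand is imm8 rotated right by 2*rot.
CMP_OPCODE = 0b1010


def is_cmp_imm(word: int) -> bool:
    """True if `word` encodes `CMP Rn, #imm` (immediate form)."""
    return ((word >> 25) & 0b111 == 0b001
            and (word >> 21) & 0xF == CMP_OPCODE
            and (word >> 20) & 1 == 1)


def cmp_rn(word: int) -> int:
    """Register number being compared (R3 in the post's underAttack)."""
    return (word >> 16) & 0xF


def cmp_imm(word: int) -> int:
    """Decoded immediate operand: imm8 rotated right by 2*rot."""
    rot, imm8 = (word >> 8) & 0xF, word & 0xFF
    r = 2 * rot
    return ((imm8 >> r) | (imm8 << (32 - r))) & 0xFFFFFFFF


def set_cmp_imm(word: int, new_imm8: int) -> int:
    """Return `word` with its immediate replaced by `new_imm8` (rotation 0)."""
    if not is_cmp_imm(word):
        raise ValueError("not a CMP Rn, #imm instruction: %08X" % word)
    if not 0 <= new_imm8 <= 0xFF:
        raise ValueError("immediate must fit in 8 bits")
    return (word & ~0xFFF) | new_imm8


# IDA's .dif format: a header line, a blank line, the file name, then one
# "FILEOFFSET: OLD NEW" line per changed byte. Offsets are file offsets.
DIF_LINE = re.compile(r"^([0-9A-Fa-f]+):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")


def make_dif(filename: str, file_off: int, old: bytes, new: bytes) -> str:
    """Build a .dif describing the byte changes between `old` and `new`."""
    lines = ["This difference file has been created by IDA Pro", "", filename]
    for i, (o, n) in enumerate(zip(old, new)):
        if o != n:
            lines.append("%08X: %02X %02X" % (file_off + i, o, n))
    return "\n".join(lines) + "\n"


def apply_dif(dif_text: str, path: str) -> int:
    """Apply a .dif to `path`. Every OLD byte is verified before anything is
    written, so a stale or wrong diff leaves the file untouched."""
    with open(path, "rb") as f:
        data = bytearray(f.read())
    edits = []
    for line in dif_text.splitlines():
        m = DIF_LINE.match(line)
        if not m:
            continue  # header, blank or file-name line
        off, old, new = (int(g, 16) for g in m.groups())
        if off >= len(data):
            raise ValueError("offset %X beyond end of file" % off)
        if data[off] != old:
            raise ValueError("offset %X: expected %02X, found %02X" % (off, old, data[off]))
        edits.append((off, new))
    for off, new in edits:
        data[off] = new
    with open(path, "wb") as f:
        f.write(bytes(data))
    return len(edits)


# Constructed stand-in for libdawn.so (not the real file): padding, then the
# `CMP R3, #0` / `BEQ` pair the post describes, then more padding.
CMP_R3_0 = 0xE3530000   # CMP R3, #0  (on disk, little-endian: 00 00 53 E3)
BEQ_NEXT = 0x0A000001   # BEQ forward, taken only when the compare set Z
FAKE_LIB = b"\x00" * 8 + struct.pack("<II", CMP_R3_0, BEQ_NEXT) + b"\x00" * 8
CMP_OFFSET = 8          # file offset of the CMP (assumed value for the demo)


def demo(new_imm8: int = 0xFF) -> tuple:
    """Patch the CMP in a temp copy of FAKE_LIB via a generated .dif and decode
    what is on disk. Returns (bytes patched, Rn, new imm, re-apply accepted)."""
    fd, path = tempfile.mkstemp(suffix=".so")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(FAKE_LIB)
        old_word = struct.unpack_from("<I", FAKE_LIB, CMP_OFFSET)[0]
        new_word = set_cmp_imm(old_word, new_imm8)
        dif = make_dif("libdawn.so", CMP_OFFSET,
                       struct.pack("<I", old_word), struct.pack("<I", new_word))
        patched = apply_dif(dif, path)
        with open(path, "rb") as f:
            word = struct.unpack_from("<I", f.read(), CMP_OFFSET)[0]
        try:                      # applying the same .dif twice must be refused
            apply_dif(dif, path)
            reapplied = True
        except ValueError:
            reapplied = False
        return patched, cmp_rn(word), cmp_imm(word), reapplied
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())  # (1, 3, 255, False)
```

Only one byte changes, because `CMP R3, #0` and `CMP R3, #0xFF` differ solely in the low byte of the instruction word; the .dif therefore contains a single `00000008: 00 FF` line. Refusing to apply a .dif whose OLD bytes do not match is what keeps you from corrupting a library that was already patched or that differs from the copy IDA analysed (a different APK version, for instance).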
I hope this wasn't too hard to follow. This is some of the most basic ida hacking you can do, but like everything it takes a bit of time to figure out. If you are having a hard time following this, drop a comment.