Tutorial: Bypass SafetyNet Signature & Root Detection on some games

Yaskashije
Hello everyone,


Magia Record Madoka Magica got shut down some days ago (or got demoted into "Gallery Mode", whatever that means).
In August, I managed to bypass their signature and root check thanks to some tutorials @AndnixSH has scattered over the internet.

Disclaimer:
SafetyNet is a test to check tampering/root on devices, and there's a chance game devs might not have implemented it properly.
In this case, the game shutting down means they could've downgraded their security versions before I ever downloaded it; or security was barely functional, since low revenue doesn't allow for proper measures.


Without further ado:

Tools required:
>Apktool or any apk decompiler
>Notepad++

Procedure:
>If we break the game's signature by recompiling the apk, the following message will appear:
(screenshot: Verification.jpg)

>We open Notepad++, and search for that same string in the smali folder ("Only applications downloaded from the Google Play Store can be used").
>One of the results will be the following file (found in \smali\jp\f4samurai\bridge): CheatHandler.smali
>We open it, and will find the following:
(screenshot: 1605309420963.png)

>I think I tried editing line 57, but issues still persisted (I don't recall, and I didn't take notes about this back then, since why jot down a failure?); so we go to the function "fromGooglePlay()"
>We know it will return a boolean, so we make it return a 1, replacing everything inside.
>We will also see the func "checkDevice()". We wipe it clean to avoid possible issues with rooted or whatever. We also delete the array that this function requires (array_0) found just afterwards.
(I got surprised the func hasIntegrity, which looked like a "problematic" one, didn't cause any issue)
>Save changes and compile the apk.
>This popup will no longer appear, and you are free to start modding its lib.


Already modified CheatHandler.smali:

Hope this helps you realize that just because some test is present, it doesn't mean the game's thoroughly protected.

AndnixSH
SafetyNet is a test to check tampering/root on devices, and it's not a proper security implementation.
SafetyNet is not easy to bypass because SafetyNet relies on Google Play Services, and is bigger than you think (see "SafetyNet: Google's tamper detection for Android", John Kozyrakis' blog). Take Pokemon Go as an example. It does a lot of server-side checks with the help of Google Play Services.

This is just a very, very poor implementation of SafetyNet in Java.
As I checked the smali in Jadx, this is just a package check:

Java:
private boolean fromGooglePlay() {
    String installerPackageName = this.mActivity.getPackageManager().getInstallerPackageName(this.mActivity.getPackageName());
    if (installerPackageName != null) {
        return TextUtils.equals("com.android.vending", installerPackageName);
    }
    return false;
}
And checkDevice() just looks bad.

Wow, what noob game developers.

It can be done way better but we will not give any tips to them haha
 
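For contrast with the package-name check above, here is an added example (not code from the thread, the game, or Google) of what the server side of a real SafetyNet Attestation flow has to verify about the decoded claims before trusting them: nonce, freshness, package, signing-certificate digest and the device verdicts. The field names are those of the documented attestation payload; the sample claims, package name and digest are constructed, and verification of the JWS signature and of the certificate chain to attest.android.com is assumed to have happened before these claims are read.

```python
import base64
import binascii
from typing import Tuple

# Constructed sample values (not from the game or the thread).
NONCE = b"server-challenge-0001"  # one challenge per session, issued by the server
EXPECTED_PACKAGE = "com.example.game"
EXPECTED_CERT_DIGESTS = ["cONSTRUCTEDreleaseSigningCertSha256Base64="]
NOW_MS = 1_600_000_000_000

SAMPLE_CLAIMS = {  # shape of a decoded SafetyNet attestation payload
    "nonce": base64.b64encode(NONCE).decode(),
    "timestampMs": NOW_MS - 1_500,
    "apkPackageName": EXPECTED_PACKAGE,
    "apkCertificateDigestSha256": EXPECTED_CERT_DIGESTS,
    "ctsProfileMatch": True,
    "basicIntegrity": True,
}

def tampered(claims: dict, **changes) -> dict:
    """Copy of claims with some fields altered (drives the demo cases)."""
    return {**claims, **changes}

def validate_attestation_claims(claims: dict, expected_nonce: bytes,
                                expected_package: str, expected_cert_digests,
                                now_ms: int, max_age_ms: int = 120_000) -> Tuple[bool, str]:
    """Check a decoded attestation payload against what the server already knows.
    Assumes the JWS signature and the chain to attest.android.com were verified
    first; an unverified payload must never reach this function."""
    try:  # nonce binds the statement to one server-issued challenge (anti-replay)
        nonce_ok = base64.b64decode(claims.get("nonce", ""), validate=True) == expected_nonce
    except (binascii.Error, ValueError):
        nonce_ok = False
    if not nonce_ok:
        return False, "nonce mismatch"
    # Freshness: the statement must have been produced moments ago, not replayed.
    if not 0 <= now_ms - int(claims.get("timestampMs", 0)) <= max_age_ms:
        return False, "stale or future timestamp"
    # Package binding: the attested app must be ours, not a lookalike.
    if claims.get("apkPackageName") != expected_package:
        return False, "package name mismatch"
    # Signing-certificate binding: a recompiled, re-signed APK carries a different digest.
    digests = set(claims.get("apkCertificateDigestSha256") or [])
    if not digests or not digests <= set(expected_cert_digests):
        return False, "signing certificate mismatch"
    # Device verdicts: both must hold for a fully attested, unmodified device.
    if not (claims.get("basicIntegrity") is True and claims.get("ctsProfileMatch") is True):
        return False, "device integrity verdict failed"
    return True, "ok"
```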

Yaskashije
This is just very very poor implementation to SafetyNet in Java
As i checked the smali in Jadx, this is just a package check


It can be done way better but we will not give any tips to them haha
Let's just pray that it doesn't get properly implemented in more cases then??
Let me edit the OP so that people who skip comments don't get misled, and thanks for your knowledge.

AndnixSH
Let's just pray that it doesn't get properly implemented in more cases then??
Let me edit the OP so that people who skip comments don't get misled, and thanks for your knowledge.
Alright haha
Even worse, some devs who have no knowledge of security will invest in services like appg****, but a bypass is possibly coming later. We just beat another big protection.