Tutorial: Bypassing Bike Race fake crash (old tutorial)

AndnixSH (PMT Elite Modder, Staff member, Modding-Team)
Jun 27, 2017
This tutorial is old. I'm no longer updating it.

A year ago a modder asked for help with Bike Race, so I decided to look into it. I had bypassed this fake crash a long time ago, but now I will finally write a tutorial to help you get smarter about fake-crash situations. The devs think they are smart enough to create a fake crash to troll cheaters, but not at all; I'm smarter than them, haha.

Decompiled, recompiled, signed and installed the APK. The game force-closed.

[screenshot: G5CZgtO.png]

I took a look at logcat and found this: "Call init() first". Hmm... why does it need to call init() first?

[screenshot: xt3dHqn.png]

This is the code I found in \smali\com\topfreegames\bikerace\AppRemoteConfig.smali, where the error occurred. I looked everywhere and couldn't figure out why this happens.

[screenshot: Rxn73gC.png]

I went to APK4Fun (Download APK for Fun Android Apps & Games), looked for earlier versions of the APK, and found something interesting: the native lib was added in 7.0.2, while 7.0.1 has no lib at all. The later version 7.7.0 had all strings stripped out, so I disassembled the lib from 7.0.2, the first version that included it, in IDA.

Wow, this looks interesting.

[screenshot: CBwU68C.png]

I didn't know where to start looking, so I looked through all of DexCheck. Interestingly, there is time-bomb code in wasCracked, but it doesn't exist in the smali and isn't used anyway.

[screenshot: xpHdK4d.png]

I analyzed them all, followed the xrefs, and found Java_com_topfreegames_bikerace_AppRemoteConfig_nativeInit and Java_com_topfreegames_bikerace_activities_CheatsActivity_nativeGetDexStrings. The first one looks very interesting because it might be related to the init crash in AppRemoteConfig. Thanks, logcat, for the useful information about AppRemoteConfig.

Sorry for my bad diagram XD


[screenshot: S0x32m9.png]

So let's look into Java_com_topfreegames_bikerace_AppRemoteConfig_nativeInit.
This is it! This is the reason why it needs to call init() first: if the dex was modified, it returns 0 and the game crashes; otherwise... I don't know what it returns.

[screenshot: t6NFWMj.png]

Stripped version

[screenshot: z6oozS3.png]

IDA View

[screenshot: iu66ESv.png]

In x86, to bypass it, change "test al, al" (84 C0) to "test al, 0" (A8 00) and the game will work. TEST ANDs its two operands and only updates the flags, so with an immediate of 0 the result is always zero, ZF is always set, and the conditional jump that follows behaves exactly as if wasCracked had returned false. You can also patch wasCracked itself to return false.

In armeabi, change "CMP R1, #0" (00 29) to "CMP R1, #1" (01 29). This flips the result of the comparison, so the branch that used to be taken for an unmodified dex is now taken for a modified one.

[screenshot: GPp3sDt.png]

In armeabi-v7a, go to the sub_xxxx of wasCracked and make it return false: "MOVS R0, #0; BX LR" (00 20 70 47). Those are 16-bit Thumb encodings; check in IDA that the function really is Thumb code, because an ARM-mode function needs different bytes for the same two instructions.

Other ABIs: figure them out yourself.
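To make the byte values above less magic, here is an added example (my own code, not the tutorial's and not anything from the game): small encoders for the instruction forms the three patches use, and a patcher that refuses to write unless the bytes it is about to overwrite are the ones it expects. It goes a little beyond the post by also encoding the ARM-mode form of the "return false" stub, for the case where sub_xxxx is not Thumb code. The function names, the patch table keys, the file offset and the sample "library" bytes are all constructed for the demo; the real offsets come from your own IDA session.

```python
# Added example (not from the tutorial or the game): encoders for the
# instruction forms the patches above use, plus a patcher that refuses to
# write unless the bytes it is about to overwrite are the ones it expects.
# Offsets and the sample "library" bytes below are constructed for the demo.
import struct
import sys

LR = 14  # ARM register number of the link register


def thumb_movs_imm8(rd: int, imm8: int) -> bytes:
    """MOVS Rd, #imm8 (16-bit Thumb): 0b00100 Rd(3) imm8, low registers only."""
    assert 0 <= rd < 8 and 0 <= imm8 < 256
    return struct.pack("<H", 0x2000 | (rd << 8) | imm8)


def thumb_cmp_imm8(rn: int, imm8: int) -> bytes:
    """CMP Rn, #imm8 (16-bit Thumb): 0b00101 Rn(3) imm8, low registers only."""
    assert 0 <= rn < 8 and 0 <= imm8 < 256
    return struct.pack("<H", 0x2800 | (rn << 8) | imm8)


def thumb_bx(rm: int) -> bytes:
    """BX Rm (16-bit Thumb): 0b010001110 Rm(4) 000; BX LR is 70 47."""
    assert 0 <= rm < 16
    return struct.pack("<H", 0x4700 | (rm << 3))


def arm_mov_imm8(rd: int, imm8: int) -> bytes:
    """MOV Rd, #imm8 (32-bit ARM, cond=AL, rotation 0): E3A0d0ii, little-endian."""
    assert 0 <= rd < 16 and 0 <= imm8 < 256
    return struct.pack("<I", 0xE3A00000 | (rd << 12) | imm8)


def arm_bx(rm: int) -> bytes:
    """BX Rm (32-bit ARM, cond=AL): E12FFF1r; BX LR is 1E FF 2F E1."""
    assert 0 <= rm < 16
    return struct.pack("<I", 0xE12FFF10 | rm)


def x86_test_al_al() -> bytes:
    """TEST r/m8, r8 (84 /r) with ModRM 11 000 000 -> 84 C0."""
    return bytes([0x84, 0xC0])


def x86_test_al_imm8(imm8: int) -> bytes:
    """TEST AL, imm8 (A8 ib). imm8 = 0 makes the AND always 0, so ZF is always 1."""
    assert 0 <= imm8 < 256
    return bytes([0xA8, imm8])


# (expected_bytes, replacement_bytes) for each edit in the post. The v7a stubs
# overwrite a function prologue whose original bytes we do not know, so
# expected is None there and only the bounds check guards the write.
PATCHES = {
    "x86": (x86_test_al_al(), x86_test_al_imm8(0)),                   # 84 C0 -> A8 00
    "armeabi": (thumb_cmp_imm8(1, 0), thumb_cmp_imm8(1, 1)),           # 00 29 -> 01 29
    "armeabi-v7a": (None, thumb_movs_imm8(0, 0) + thumb_bx(LR)),      # 00 20 70 47
    "armeabi-v7a-armmode": (None, arm_mov_imm8(0, 0) + arm_bx(LR)),   # if sub_xxxx is ARM code
}


def apply_patch(blob: bytes, file_offset: int, expected, replacement: bytes) -> bytes:
    """Return a patched copy of blob; raise ValueError instead of writing blindly."""
    end = file_offset + len(replacement)
    if file_offset < 0 or end > len(blob):
        raise ValueError("patch range is outside the file")
    if expected is not None:
        if len(expected) != len(replacement):
            raise ValueError("expected and replacement must be the same length")
        found = blob[file_offset:end]
        if found != expected:
            raise ValueError(f"bytes at {file_offset:#x} are {found.hex()}, "
                             f"expected {expected.hex()}: wrong offset or build?")
    return blob[:file_offset] + replacement + blob[end:]


def patch_library(blob: bytes, abi: str, file_offset: int) -> bytes:
    expected, replacement = PATCHES[abi]
    return apply_patch(blob, file_offset, expected, replacement)


def patch_applies(blob: bytes, abi: str, file_offset: int) -> bool:
    """True if the patch for abi can be applied at file_offset without complaint."""
    try:
        patch_library(blob, abi, file_offset)
        return True
    except ValueError:
        return False


# Constructed sample: four NOPs, "call rel32", "test al, al", "jz +5", "ret".
DEMO_X86 = b"\x90" * 4 + b"\xe8\x00\x00\x00\x00" + b"\x84\xc0" + b"\x74\x05" + b"\xc3"
DEMO_X86_OFFSET = 9  # where 84 C0 sits in DEMO_X86

if __name__ == "__main__":
    # usage: python patch.py <lib.so> <abi> <file-offset-hex> <out.so>
    path, abi, off, out = sys.argv[1:5]
    with open(path, "rb") as f:
        data = f.read()
    with open(out, "wb") as f:
        f.write(patch_library(data, abi, int(off, 16)))
```

Two things bite people here. The offset you pass must be the file offset (what IDA's hex view shows for the byte), not the virtual address of the instruction, which is why the expected-bytes check is worth keeping: a wrong offset fails loudly instead of corrupting some unrelated function. And the patched lib still has to go back into the APK and be re-signed, same as the smali edits.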

That's all. The smart (more like idiotic) fake crash is bypassed!
Months after I discovered it, they removed libnative-wrapper.so and the fake init crash is no longer present. I guess they already knew I had discovered the fake crash, hahahaha. Not sure whether they added other fake bugs or not.