Tutorial: How to bypass a fake crash (Process exited due to signal (6))

AndnixSH

Jun 27, 2017
This is about bypassing a fake crash from an old, deleted game, Fetty Wap Nitro Nation Stories, which I did 5 years ago. I normally wouldn't teach how to bypass security, but this game is old and deleted and the security is too simple, so it's safe to teach at this point.

You need to have knowledge of ARM and x86 assembly and know how to use IDA Pro, but you will learn a bit more here.

If you installed it with a re-signed APK file, the game crashes if you click RACE after the game has loaded.

Sometimes the game would show an error message:

[screenshot]

Or this:

[screenshot]

It was smart… (not really), but it's pretty easy to bypass.

How do I know what caused the crash? It's not always easy to know, but try looking in the logcat. You can use the Android Studio app or ADB in cmd for non-rooted devices, or use Matlog Libre for rooted devices/emulators. I will use Matlog on an emulator.

So basically, I'm looking for:

Code:
Process [packagename] [pid] has died
and read the lines below and above it. I see more:

Code:
10-21 16:12:45.762 D/houdini (8014): [8035] Added shared library /data/app/com.creativemobile.nns-2/lib/arm/libNativeCarX.so for ClassLoader by Native Bridge.
…
10-21 16:12:45.809 I/ActivityManager(487): Process com.creativemobile.nns (pid 8014) has died
…
10-21 16:12:45.850 I/Zygote (100): Process 8014 exited due to signal (6)
I see the lib libNativeCarX.so has been loaded, and the process crashed afterwards in just a few ms.

Sometimes it may print DEBUG to logcat, depending on the device firmware I think:

Code:
12-27 19:30:21.421 D/dalvikvm(14637): Trying to load lib /data/app-lib/com.creativemobile.nns-1/libNativeCarX.so 0xa4fb34e0
12-27 19:30:21.453 D/dalvikvm(14637): Added shared lib /data/app-lib/com.creativemobile.nns-1/libNativeCarX.so 0xa4fb34e0
12-27 19:30:21.453 F/libc    (14637): Fatal signal 6 (SIGABRT) at 0x0000392d (code=-6), thread 14651 (UnityMain)
12-27 19:30:21.557 I/DEBUG   (  130): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
12-27 19:30:21.557 I/DEBUG   (  130): Build fingerprint: 'SAMSUNG/hlteatt/hlteuc:4.4.4/tt/eng.jenkins.20161121.163001:userdebug/test-keys'
12-27 19:30:21.557 I/DEBUG   (  130): Revision: '0'
12-27 19:30:21.557 I/DEBUG   (  130): pid: 14637, tid: 14651, name: UnityMain  >>> com.creativemobile.nns <<<
12-27 19:30:21.557 I/DEBUG   (  130): signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
12-27 19:30:21.693 I/DEBUG   (  130):     eax 00000000  ebx 0000392d  ecx 0000393b  edx 00000006
12-27 19:30:21.697 I/DEBUG   (  130):     esi 0000393b  edi 00000014
12-27 19:30:21.697 I/DEBUG   (  130):     xcs 00000073  xds 0000007b  xes 0000007b  xfs 00000000  xss 0000007b
12-27 19:30:21.697 I/DEBUG   (  130):     eip b76bdd76  ebp b7722ce0  esp 9452fa90  flags 00200203
12-27 19:30:21.697 I/DEBUG   (  130):
12-27 19:30:21.697 I/DEBUG   (  130): backtrace:
12-27 19:30:21.697 I/DEBUG   (  130):     #00  pc 0003bd76  /system/lib/libc.so (tgkill+22)
12-27 19:30:21.697 I/DEBUG   (  130):     #01  pc 00000005  <unknown>
12-27 19:30:21.697 I/DEBUG   (  130):
12-27 19:30:21.697 I/DEBUG   (  130): stack:
12-27 19:30:21.697 I/DEBUG   (  130):          9452fa50  00000000
12-27 19:30:21.697 I/DEBUG   (  130):          9452fa54  00000000
12-27 19:30:21.697 I/DEBUG   (  130):          9452fa58  00000000
12-27 19:30:21.697 I/DEBUG   (  130):          9452fa5c  00000000
12-27 19:30:21.697 I/DEBUG   (  130):          9452fa60  00000000
12-27 19:30:21.697 I/DEBUG   (  130):          9452fa64  00000000
12-27 19:30:21.697 I/DEBUG   (  130):          9452fa68  00000000
12-27 19:30:21.697 I/DEBUG   (  130):          9452fa6c  00000000
12-27 19:30:21.697 I/DEBUG   (  130):          9452fa70  00000000
12-27 19:30:21.697 I/DEBUG   (  130):          9452fa74  00000000
12-27 19:30:21.697 I/DEBUG   (  130):          9452fa78  00000000
12-27 19:30:21.697 I/DEBUG   (  130):          9452fa7c  00000000
12-27 19:30:21.697 I/DEBUG   (  130):          9452fa80  00000000
12-27 19:30:21.697 I/DEBUG   (  130):          9452fa84  00000000
12-27 19:30:21.697 I/DEBUG   (  130):          9452fa88  00000000
12-27 19:30:21.697 I/DEBUG   (  130):          9452fa8c  00000000
12-27 19:30:21.697 I/DEBUG   (  130):     #00  9452fa90  00000006
12-27 19:30:21.697 I/DEBUG   (  130):          9452fa94  89a14f34  /data/app-lib/com.creativemobile.nns-1/libNativeCarX.so
12-27 19:30:21.697 I/DEBUG   (  130):          9452fa98  b771dfcc  /system/lib/libc.so
12-27 19:30:21.697 I/DEBUG   (  130):          9452fa9c  b769a516  /system/lib/libc.so (pthread_kill+102)
12-27 19:30:21.697 I/DEBUG   (  130):          9452faa0  0000392d
12-27 19:30:21.697 I/DEBUG   (  130):          9452faa4  0000393b
12-27 19:30:21.697 I/DEBUG   (  130):          9452faa8  00000006
12-27 19:30:21.697 I/DEBUG   (  130):          9452faac  00000000
12-27 19:30:21.697 I/DEBUG   (  130):          9452fab0  b93bb620  [heap]
12-27 19:30:21.697 I/DEBUG   (  130):          9452fab4  1fb00045
12-27 19:30:21.697 I/DEBUG   (  130):          9452fab8  b769a4b9  /system/lib/libc.so (pthread_kill+9)
12-27 19:30:21.697 I/DEBUG   (  130):          9452fabc  b771dfcc  /system/lib/libc.so
12-27 19:30:21.697 I/DEBUG   (  130):          9452fac0  9452fb0c  [stack:14651]
12-27 19:30:21.697 I/DEBUG   (  130):          9452fac4  22c0003d
12-27 19:30:21.697 I/DEBUG   (  130):          9452fac8  bb393870  [heap]
12-27 19:30:21.697 I/DEBUG   (  130):          9452facc  b769a8dc  /system/lib/libc.so (raise+44)
12-27 19:30:21.801 I/BootReceiver(  658): Copying /data/tombstones/tombstone_04 to DropBox (SYSTEM_TOMBSTONE)
12-27 19:30:21.801 W/ActivityManager(  658):   Force finishing activity com.creativemobile.nns/com.prime31.UnityPlayerNativeActivity
12-27 19:30:21.805 D/        (  658): HostConnection::get() New Host Connection pid 658, tid 14945, stream_port_num=22468
12-27 19:30:21.805 D/        (  658): useHgsmi for host connection!!!
12-27 19:30:21.805 D/        (  658): HostConnection::get() New Host Connection established 0xb94d13a8, tid 14945
12-27 19:30:21.829 D/dalvikvm(  658): GC_FOR_ALLOC freed 661K, 27% free 10097K/13708K, paused 20ms, total 20ms
12-27 19:30:21.833 D/dalvikvm(  658): GC_FOR_ALLOC freed 628K, 30% free 9671K/13708K, paused 8ms, total 8ms
12-27 19:30:21.849 W/InputDispatcher(  658): channel '529388c8 com.creativemobile.nns/com.prime31.UnityPlayerNativeActivity (server)' ~ Consumer closed input channel or an error occurred.  events=0x9
12-27 19:30:21.849 E/InputDispatcher(  658): channel '529388c8 com.creativemobile.nns/com.prime31.UnityPlayerNativeActivity (server)' ~ Channel is unrecoverably broken and will be disposed!
12-27 19:30:21.849 W/MediaFocusControl(  658):   AudioFocus   audio focus client died
12-27 19:30:21.849 I/MediaFocusControl(  658): AudioFocus  removeFocusStackEntry(): removing entry for android.os.BinderProxy@528b37e4
12-27 19:30:21.849 W/InputDispatcher(  658): Attempted to unregister already unregistered input channel '529388c8 com.creativemobile.nns/com.prime31.UnityPlayerNativeActivity (server)'
12-27 19:30:21.849 I/ActivityManager(  658): Process com.creativemobile.nns (pid 14637) has died.
What do Process 8014 exited due to signal (6) and Fatal signal 6 (SIGABRT) mean?

If you are familiar with Linux system calls, SIGABRT indicates that abort() was called. abort() is usually called by library functions which detect an internal error or some seriously broken constraint. But this dev is taking advantage of it and using abort() as a fake crash.

So how do I bypass it?

It's easy, but you need some ARM or x86 assembly knowledge. Open the APK using 7-Zip or WinRAR, extract the lib folder and disassemble the file libNativeCarX.so (armv7 or x86) in IDA Pro.

We need to search for abort(). You can also look for JNI_OnLoad, because it is the function called by the JVM (Dalvik/ART) when a native library is loaded.

In the Functions window, press CTRL+F and search for abort. Double-click on _abort:

[screenshot]

Click on _abort to highlight it:

[screenshot]

Press X to show the xrefs:

[screenshot]

Click OK. You will arrive at JNI_OnLoad. Press space to switch to the graph overview, like this.

This is the x86 build of libNativeCarX.so:

[screenshot]

This is the ARM build of libNativeCarX.so. It's the same code:

[screenshot]

This function looks like a signature check: it computes some hash, compares it to a predefined value (strcmp) and branches to abort() if they do not match.

To bypass it, we need to NOP the branch jnz short loc_xxxxx (x86) or BNE loc_xxxxx (ARM) so that abort() does not get called.

We need the offsets to search for and edit in a hex editor. To get them, click on jnz short loc_xxxxx (x86) or BNE loc_xxxxx (ARM) and look below:

[screenshot]

Or press space to switch to the generic view and look at the offset beside the instruction:

[screenshot]

Note: offsets are not always the same.

Open libNativeCarX.so in your favorite hex editor. I'm using 010 Editor. Go to the offset you found.

For x86, go to the offset you found (2F666) and replace 75 41 with 90 90 (90 is the hex of NOP. Yes, I did a double NOP because x86 instructions have a variable length, unlike ARM).
For ARM, go to the offset you found (24E54) and replace 10 00 00 1A with 00 F0 20 E3 (NOP).
NOP means no operation = do nothing.

[screenshot]

Save the file, put the .so file back inside the APK using 7-Zip or WinRAR, then sign and install it.

The game should let you race without crashing :)

[screenshot]

Enjoy!

Thanks to Riu from Libre for the help back then.
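The logcat search the post does by hand (find the "has died" / "exited due to signal" lines, then look up for the last library the process loaded and how long before the death it was loaded) can be scripted. This is an added crash-triage example, not code from the post; the regexes are mine, and the sample lines are taken from the post's own logcat output.

```python
import re
from datetime import datetime
# Sample input: lines quoted from the post's own logcat (abridged), not a new capture.
SAMPLE_LOG = """\
10-21 16:12:45.762 D/houdini (8014): [8035] Added shared library /data/app/com.creativemobile.nns-2/lib/arm/libNativeCarX.so for ClassLoader by Native Bridge.
10-21 16:12:45.809 I/ActivityManager(487): Process com.creativemobile.nns (pid 8014) has died
10-21 16:12:45.850 I/Zygote (100): Process 8014 exited due to signal (6)
12-27 19:30:21.453 D/dalvikvm(14637): Added shared lib /data/app-lib/com.creativemobile.nns-1/libNativeCarX.so 0xa4fb34e0
12-27 19:30:21.453 F/libc    (14637): Fatal signal 6 (SIGABRT) at 0x0000392d (code=-6), thread 14651 (UnityMain)
12-27 19:30:21.849 I/ActivityManager(  658): Process com.creativemobile.nns (pid 14637) has died.
"""
# "MM-DD HH:MM:SS.mmm L/tag(pid): message"; the tag may be space-padded and the year is absent
LINE_RE = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) ([VDIWEF])/(.*?)\(\s*(\d+)\):\s?(.*)$")
LOAD_RE = re.compile(r"Added shared lib(?:rary)? (\S+)")               # dalvikvm / houdini
FATAL_RE = re.compile(r"Fatal signal (\d+) \((\w+)\)")                   # libc
DIED_RE = re.compile(r"Process (\S+) \(pid (\d+)\) has died")            # ActivityManager
EXIT_RE = re.compile(r"Process (\d+) exited due to signal \((\d+)\)")    # Zygote
SIGNAMES = {6: "SIGABRT", 9: "SIGKILL", 11: "SIGSEGV"}  # standard Linux signal numbers

def _ts(s):
    return datetime.strptime("2000 " + s, "%Y %m-%d %H:%M:%S.%f")  # any fixed year will do

def triage(log_text):
    """One record per process death: last library that pid loaded, ms between that
    load and the death, and the fatal signal (from libc or, failing that, Zygote)."""
    last_load, fatal, deaths = {}, {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, _lvl, _tag, pid, msg = m.groups()
        pid = int(pid)
        if l := LOAD_RE.search(msg):
            last_load[pid] = (_ts(ts), l.group(1))
        elif f := FATAL_RE.search(msg):
            fatal[pid] = (int(f.group(1)), f.group(2))
        elif d := DIED_RE.search(msg):
            dpid = int(d.group(2))
            load = last_load.get(dpid)
            delta = _ts(ts) - load[0] if load else None
            deaths.append({"pid": dpid, "package": d.group(1), "signal": fatal.get(dpid),
                           "last_lib": load[1] if load else None,
                           "ms_since_load": None if delta is None else delta.seconds * 1000 + delta.microseconds // 1000})
        elif e := EXIT_RE.search(msg):
            # Zygote logs the signal after the death line; use it when libc logged nothing
            num = int(e.group(2))
            for dth in deaths:
                if dth["pid"] == int(e.group(1)) and dth["signal"] is None:
                    dth["signal"] = (num, SIGNAMES.get(num))
    return deaths
```

Run `triage(open("logcat.txt").read())` on a full capture; a library loaded only a few dozen ms before a SIGABRT death, as in both samples, is the pattern the post describes.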

WHITE DRAGON

Jul 11, 2020
You gave me a great idea for searching the errors, but the problem is I didn't face any game crash after modding until now lol. I don't know why you guys always get all the fun.