Tutorial: How to defeat RevenueCat subscription management

ArsonMods
May 25, 2023
Recently it has come to my attention, thanks to a few reverse engineering groups, that it is really easy to find the parts of an app that call RevenueCat to verify premium status, so I decided to post it here along with the general procedure I used to almost perfectly crack a very expensive app.

RevenueCat works by having the app fetch an entitlement object and check it for an active subscription, as shown in the following pseudocode I got from Telegram (you can also see it in different languages on RevenueCat's website):
Code:
// Check if the specified entitlement is active
if (customerInfo.getEntitlements().get(<my_entitlement_identifier>).isActive()) {

    // Grant user "pro" access

    // We can reach the actual location through the code flow here, where we can apply our patch.
}
To find the classes/methods where this check is done, search in MT Manager with the following regex, which I also got from Telegram:
Code:
invoke-virtual \{([pv]\d+)\}, Lcom/revenuecat/purchases/(CustomerInfo|PurchaserInfo);->getEntitlements\(\)Lcom/revenuecat/purchases/EntitlementInfos;([\w\W])*?move-result-object ([pv]\d+)
Now for some tips of my own for attacking the caller methods:

- Most higher-budget app devs will not simply take the output of RevenueCat and use that as the only verification; they are aware of those show-off videos on Telegram where a bunch of low-budget developers who were too lazy to use better protection got their app cracked in seconds. Be patient and carefully analyze any extra security in the caller methods, but do not get overly hung up on any weird obfuscated methods it may call that aren't a standard part of the process. You need to focus on making it act as if the app was purchased and not go down a bottomless rabbit hole.
- The extra security in the caller methods (yes, some apps will use multiple, so you have to patch them all) is often a confusing mess of additional obfuscated checks and other operations. Take every conditional that hops to either 0x1 or 0x0 const/4 declarations and change the 0x0 option to 0x1, including the ones at the beginning for the RevenueCat check.
- This will not always yield a perfect crack; there might be a feature or two broken in the app, but most of the paid features should work. At least that's the case with the expensive app I just cracked.
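The tips above boil down to one observation from the defender's side: an `isActive()` check that runs on the device is a decision made on hardware the patcher controls, so any number of extra client-side conditionals only raise the cost of the patch, never remove it. The following is an added example, not code from the post or from RevenueCat, of the pattern that higher-budget apps actually rely on: the backend asks RevenueCat for the subscriber record, makes the entitlement decision itself with its own clock, and releases premium content (or a short-lived signed token) only when it agrees. The JSON shape is assumed from RevenueCat's public REST API docs (`GET /v1/subscribers/{app_user_id}`, `subscriber.entitlements.<id>.expires_date`), the sample record is constructed, and the helper names are mine.

```python
"""Server-side entitlement gate for a RevenueCat-backed app (added example)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample of a RevenueCat subscriber record, trimmed to the fields
# used here. Assumed shape: subscriber.entitlements.<id>.expires_date is an
# ISO 8601 timestamp, or null for a non-expiring (lifetime) purchase.
SAMPLE_SUBSCRIBER_JSON = json.dumps({
    "subscriber": {
        "entitlements": {
            "pro": {
                "expires_date": "2023-06-24T00:00:00Z",
                "product_identifier": "pro_monthly",
                "purchase_date": "2023-05-24T00:00:00Z",
            },
            "lifetime": {
                "expires_date": None,
                "product_identifier": "lifetime_unlock",
                "purchase_date": "2022-01-01T00:00:00Z",
            },
        }
    }
})


def _parse_iso(ts: str) -> datetime:
    # RevenueCat timestamps end in "Z"; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def entitlement_active(subscriber_json: str, entitlement_id: str, now: datetime) -> bool:
    """Decide on the server, from RevenueCat's record and the server's clock.

    Nothing the client sends is consulted; the only inputs are the record the
    backend fetched itself and the backend's notion of the current time.
    """
    data = json.loads(subscriber_json)
    ent = data.get("subscriber", {}).get("entitlements", {}).get(entitlement_id)
    if ent is None:
        return False                      # entitlement never granted
    expires = ent.get("expires_date")
    if expires is None:
        return True                       # lifetime / non-expiring purchase
    return _parse_iso(expires) > now      # expired subscriptions stay in the record


def issue_access_token(app_user_id: str, entitlement_id: str, secret: bytes,
                       now: datetime, ttl_s: int = 300) -> str:
    """Short-lived HMAC-signed capability that a content server can verify offline."""
    if "|" in app_user_id or "|" in entitlement_id:
        raise ValueError("identifiers must not contain the field separator")
    exp = int(now.timestamp()) + ttl_s
    payload = f"{app_user_id}|{entitlement_id}|{exp}"
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_access_token(token: str, secret: bytes, now: datetime) -> bool:
    """Constant-time signature check plus expiry; a flipped bit or stale token fails."""
    try:
        user, ent, exp, sig = token.split("|")
        exp_int = int(exp)
    except ValueError:
        return False
    payload = f"{user}|{ent}|{exp}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig) and exp_int > int(now.timestamp())


def gate_premium(subscriber_json: str, app_user_id: str, entitlement_id: str,
                 secret: bytes, now: datetime):
    """Backend endpoint logic: hand out a token only when the server itself agrees."""
    if not entitlement_active(subscriber_json, entitlement_id, now):
        return None
    return issue_access_token(app_user_id, entitlement_id, secret, now)


if __name__ == "__main__":
    now = datetime(2023, 6, 1, tzinfo=timezone.utc)
    token = gate_premium(SAMPLE_SUBSCRIBER_JSON, "user_123", "pro", b"server-secret", now)
    print("pro active:", token is not None)
    print("token verifies:", verify_access_token(token, b"server-secret", now))
```

The design choice worth noting is what this does and does not protect. Content and features that the server delivers (synced data, API-backed features, downloadable assets) are only released against a token the server issued, so editing a `const/4` in the APK changes nothing the backend sees. Features that live entirely on the device can still be unlocked by patching the client; the mitigation for those is to move their valuable part behind the same server gate, not to add more client-side conditionals.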