Archive for January, 2009
Vending.odex dumped


Mmmmm... Market Data...



Well, it’s really late right now, and I’ve been working on a ton of things, though I thought I’d release this.

This is a decompiled version of Vending.odex (Vending.apk/Market.apk) for the G1. It was done using a slightly modified DeDexer by Gabor, mentioned in previous posts.

Enjoy — I’ll post more on it later!

Vending.rar

Using Dedexer by Gabor…


Was playing around with dedexer, mentioned in this previous post, and noticed it wasn’t working well on my Ubuntu dev machine. Turns out it just didn’t play well with the default Ubuntu Java, so switching it made all the difference. So if you’re getting the following error, or something like it, when running:

tstrazze@strazz-workstation:~/Desktop$ java -jar ddx.jar -d dump classes.dex
Processing com/android/im/util/QueryUtils
Exception in thread "main" java.lang.NoSuchMethodError: method java.io.PrintStream.<init> with signature (Ljava.io.File;)V was not found.
at hu.uw.pallergabor.dedexer.JasminStyleCodeGenerator.generate(JasminStyleCodeGenerator.java:29)
at hu.uw.pallergabor.dedexer.Dedexer.run(Dedexer.java:116)
at hu.uw.pallergabor.dedexer.Dedexer.main(Dedexer.java:12)

Then run the following command;

tstrazze@strazz-workstation:~/Desktop$ java -version
java version “1.5.0”
gij (GNU libgcj) version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)

Copyright (C) 2007 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
tstrazze@strazz-workstation:~/Desktop$ sudo update-java-alternatives -l
java-6-sun 63 /usr/lib/jvm/java-6-sun
java-gcj 1042 /usr/lib/jvm/java-gcj

We want to be using java-6-sun, not java-gcj, so we’ll do the following, passing java-6-sun as the name to select (the session captured below was run with java-gcj);

tstrazze@strazz-workstation:~/Desktop$ sudo update-java-alternatives -s java-gcj
No alternatives for apt.
No alternatives for extcheck.
No alternatives for firefox-3.0-javaplugin.so.
No alternatives for HtmlConverter.
No alternatives for idlj.
No alternatives for javap.
No alternatives for java-rmi.cgi.
No alternatives for jconsole.
No alternatives for jdb.
No alternatives for jhat.
No alternatives for jinfo.
No alternatives for jmap.
No alternatives for jps.
No alternatives for jrunscript.
No alternatives for jsadebugd.
No alternatives for jstack.
No alternatives for jstat.
No alternatives for jstatd.
No alternatives for jvisualvm.
No alternatives for schemagen.
No alternatives for wsgen.
No alternatives for wsimport.
No alternatives for xjc.
Using ‘/usr/lib/jvm/java-gcj/bin/appletviewer’ to provide ‘appletviewer’.
Using ‘/usr/lib/jvm/java-gcj/bin/jarsigner’ to provide ‘jarsigner’.
Using ‘/usr/lib/jvm/java-gcj/bin/javac’ to provide ‘javac’.
Using ‘/usr/lib/jvm/java-gcj/bin/javadoc’ to provide ‘javadoc’.
Using ‘/usr/lib/jvm/java-gcj/bin/javah’ to provide ‘javah’.
Using ‘/usr/lib/jvm/java-gcj/bin/native2ascii’ to provide ‘native2ascii’.
Using ‘/usr/lib/jvm/java-gcj/bin/rmic’ to provide ‘rmic’.
Using ‘/usr/lib/jvm/java-gcj/bin/tnameserv’ to provide ‘tnameserv’.
Using ‘/usr/lib/jvm/java-gcj/jre/bin/jar’ to provide ‘jar’.
Using ‘/usr/lib/jvm/java-gcj/jre/bin/java’ to provide ‘java’.
Using ‘/usr/lib/jvm/java-gcj/jre/bin/keytool’ to provide ‘keytool’.
Using ‘/usr/lib/jvm/java-gcj/jre/bin/orbd’ to provide ‘orbd’.
Using ‘/usr/lib/jvm/java-gcj/jre/bin/rmid’ to provide ‘rmid’.
Using ‘/usr/lib/jvm/java-gcj/jre/bin/rmiregistry’ to provide ‘rmiregistry’.
Using ‘/usr/lib/jvm/java-gcj/jre/bin/serialver’ to provide ‘serialver’.
update-java-alternatives: plugin alternative does not exist: /usr/lib/gcj-4.2/libgcjwebplugin.so
update-java-alternatives: plugin alternative does not exist: /usr/lib/gcj-4.2/libgcjwebplugin.so
update-java-alternatives: plugin alternative does not exist: /usr/lib/gcj-4.2/libgcjwebplugin.so
update-java-alternatives: plugin alternative does not exist: /usr/lib/gcj-4.2/libgcjwebplugin.so
update-java-alternatives: plugin alternative does not exist: /usr/lib/gcj-4.2/libgcjwebplugin.so
update-java-alternatives: plugin alternative does not exist: /usr/lib/gcj-4.2/libgcjwebplugin.so
update-java-alternatives: plugin alternative does not exist: /usr/lib/gcj-4.2/libgcjwebplugin.so

Ta-da! A simple (and probably obvious for most) workaround. Just figured I’d throw it up here to help anyone who might bump into the problem.

papihack?!

Oh no, papihack!



So haven’t been around for a while, due to the flu. It gave me plenty of time to play PapiJump and PapiRiver. I got kind of interested in the method of high scores, so I took a more in-depth look at it. I’ll post all the code to emulate a papi* score submit. I took out the little tidbit that actually sends the request, so this just prints to the screen. I’ve also removed the “secret keys”, which wouldn’t be too hard to find if you really wanted to use this.

Ah, also – kudos to anyone who figures out what I replaced the keys with. It’s sort of a little joke…

On a little afterthought, maybe it should be called papipwn? Eh, oh well. Either way it will be easily bannable/removable by the administrators. It’s not hard, as they are linked to your specific Android ID, so I wouldn’t recommend using this or, if you do, going overboard with it.

Dexdump alternatives…

Thanks to my friend Gabor, over at http://mylifewithandroid.blogspot.com/, who has created a really well done dex file disassembler. The direct link for the post is here and the source code is all free and located at dedexer.sourceforge.net.

It’s nice as it outputs the format in jasmin like the following;

Opposed to the normal;

Great work Gabor, and keep up the good work!

Careful with your code devs! Please!

Keep your code secure!



I was looking around at some applications on the Android Market today and was trying to look at how some of the applications, well, did what they did. I was also interested in looking at how they did their own licensing schemes. Anyway, hopefully all the developers know this, but maybe some of them, surprisingly, don’t. A .apk file is merely a .jar file, meaning it is *zipped* up. This means it can *easily be unzipped*. So before releasing things, you should *really* double check your .apk file and make sure it contains *only* what you want. This would normally include a /res folder, a /META folder and your main directory that has AndroidManifest.xml, classes.dex and resources.arsc.

Source code is usually NOT given to users, right?


You should definitely check if it contains extra files like “LicenseActivity.java.bak”;

Or more files… which might essentially give your “paid” application out for free, and its source code essentially open source. While it’s a “nice” thing that you’ve essentially open sourced your application, I’m sure it wasn’t your intent to do so and distribute it on the Android Market and your website.

Hopefully no one else other than the developer (who has been contacted) has to learn this lesson… Sheesh! There were also a few other (and large, fully working) .java.bak files that were included; above is just a “licensing snippet” I was looking over. Though I’ve only pasted a small portion that doesn’t include any indication of exactly which application it is.
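A pre-release check along the lines this post recommends, as an added example (not code from the original post): it lists an APK's entries and flags source or backup leftovers and anything outside the expected layout. The function names, the pattern lists and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import sys
import zipfile
from fnmatch import fnmatchcase

# Layout the post describes (its "/META" folder is META-INF/ inside the
# archive); assets/ and lib/ are added here as other standard APK folders.
EXPECTED = ("res/*", "META-INF/*", "assets/*", "lib/*",
            "AndroidManifest.xml", "classes.dex", "resources.arsc")
# Assumed patterns for source and editor/backup leftovers.
LEFTOVER = ("*.java", "*.bak", "*.orig", "*.swp", "*~")

def audit_apk(apk):
    """Return {'leftover': [...], 'unexpected': [...]} for an APK path or file object."""
    report = {"leftover": [], "unexpected": []}
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.endswith("/"):          # directory entry, nothing to check
                continue
            base = name.rsplit("/", 1)[-1].lower()
            # Leftovers are flagged even inside an expected folder such as res/.
            if any(fnmatchcase(base, p) for p in LEFTOVER):
                report["leftover"].append(name)
            elif not any(fnmatchcase(name, p) for p in EXPECTED):
                report["unexpected"].append(name)
    return report

def build_sample_apk():
    """Constructed sample: a minimal APK-shaped zip with stray files added."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in ("AndroidManifest.xml", "classes.dex", "resources.arsc",
                     "res/layout/main.xml", "META-INF/MANIFEST.MF",
                     "LicenseActivity.java.bak", "src/com/example/Main.java",
                     "notes.txt"):
            z.writestr(name, b"constructed sample content")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Pass a real .apk path, or run with no arguments to audit the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_apk()
    report = audit_apk(target)
    for kind, names in report.items():
        for name in names:
            print(f"{kind}: {name}")
    sys.exit(1 if report["leftover"] else 0)   # non-zero fails a build step
```

Run as a build step, the non-zero exit code stops a release that still carries files such as the .java.bak one mentioned above.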

Vending.apk reversing and getting live market data…


Mmmmm... Market Data...



So I’m not sure why I didn’t think to try to get live market data? For some reason I just *figured* it would be done with SSL or something so I just didn’t try it. Long story short, after building a market-cache parser – I realized, DOH! You can just get the market data live using certain requests! Luckily the parser I made worked fine with the data that I was getting sent back.

It took a little reversing of Vending.apk to see exactly what type of encoding was being used. I sort of guessed right just by looking at what the phone was sending via a Cain & Abel and Wireshark dump, though Google just happened to have some data in there that would throw errors if you tried decoding the data directly or in certain ways.

I’ll post up some of the reversing I did on Vending.apk, more specifically the .buildPostParameters routine, which is where everything was created for the post. It’s actually pretty interesting stuff, and it helped me find some routines online that Google has publicly available through Apache… though I didn’t find them in the Android libraries :) (nice of them, no? haha)

Anyway, tournament tomorrow followed by a snowboarding trip tomorrow, so I’ll probably post that data on Monday!
