1

First of all, sorry for my english. This is not my native language. This is the first time I do something like that so i learn on the go.

Context: I try to understand how the game I installed from the Play store communicates with the server. More precisely, how a specific parameter is set on a every POST request to the server.
This HTTP parameter called 'secret' cannot be reversed engineer easily as it is a kind of hash of the others parameters to check the integrity of the request.

What i've done:

  1. I extracted the .dex files from the .apk
  2. I used d2j-dex2jar to extract the .class files.
  3. I used jd-gui tool to analyse the source code

What i've found: This is the source code that generates the value for the 'secret' parameter:

.method public static native secretForString(Ljava/lang/String;)Ljava/lang/String;
.end method

From what I learnt, java allows you to use native libraries thanks to the native keyword. These native libraries are loaded through the System.loadLibrary(...) command. In the Main.java file, I have a call to this command System.loadLibrary("Main");. If I understood correctly how it works, there is a corresponding .so file called libMain.so somewhere installed on my android phone.

I rooted my OnePlus6 and dig into the files looking for this library.

Issue: I can't find this library on my phone. There is no associated .so file in the /data/data//

Questions:

  1. Can you explain what i'm doing wrong / i'm missing.
  2. Let's say I find the library, will I be able to read the code in it or do i need a specific tool ?
  3. If the answer is no for question 2, is it possible to create a small app that loads this specific library and use it ?

Thank you for the time you will spend trying to help me :D

Megaxr
  • 241
  • 1
  • 9

1 Answers1

3

Answer to question 1:

I found that multiple .apk were installed for the game. My error was to trust the app Apk Extractor that gave me only the base .apk

I connect through SSH to my phone and list all the .apk installed. Several .apk were installed in the /data/app/ folder of my game !

  • One was dedicated to the base source code (the one i got from Apk Extractor)
  • One .apk that store only the native libraries (libMain.so)

Answer to question 2:

I used the command readelf -s libMain.so | grep '<Name of the function> to retrieve the function address. The output was something like that 00000000003c69b4

readelf -h libMain.so : gave me the architecture in which the library has been built aka AArch64.

I downloaded the same toolchain that has been used to compile the binary:
$> sudo apt-get install binutils-aarch64-linux-gnu

And then used it with this command:
$> aarch64-linux-gnu-objdump -d libMain.so --start-address=0x3c69b4
The start-adress value is set with the return value of the first command

And now i have assembly code that i need to reverse engineer !

Megaxr
  • 241
  • 1
  • 9