Basics of Binary Patching (Hard Way)
In this blog, we are going to talk about how to patch an Android binary (APK) so that its root detection is bypassed. We are going to use tools such as Jadx, apktool and uber-apk-signer.jar. The blog walks through the process step by step and includes a binary you can practice on. Let’s get started
Challenge : root2.apk
Step 1 : Finding what are we going to patch (Jadx)
Firstly, before patching we definitely have to know what exactly we are going to patch. In this blog, we perform binary patching to bypass root detection. But how do we know where the detection lives?
The answer is to use Jadx to “decompile” the APK and obtain human-readable Java code
jadx-gui root1.apk
1. Click on the code panel and press “Ctrl + Shift + F” to open the text search panel
2. Search for keywords such as isRoot, “su”, RootBeer, etc.
3. Click on the code you are interested in
4. Read the code. In this case the root check is done by the RootBeer library, so we are going to make the following methods always return false
com.scottyab.rootbeer.RootBeer.isRooted
com.scottyab.rootbeer.RootBeer.isRootedWithBusyBoxCheck
Step 2 : Disassembling (apktool)
Unfortunately, we cannot patch directly from Jadx, because decompiled Java cannot be compiled back into the APK. Instead we use apktool to disassemble the APK into smali (Dalvik bytecode assembly), which can be modified and reassembled. In short:
Decompile to obtain human-readable code (Jadx)
Disassemble to get modifiable code (apktool)
apktool d root1.apk
Step 3 : Patching (Text Editor)
Open the smali file for the RootBeer class (com/scottyab/rootbeer/RootBeer.smali inside the apktool output directory) and modify the following methods. Both return a boolean (descriptor `Z`), so the simplest patch is to replace the whole method body with code that loads the constant 0 (false) into a register and returns that register, keeping the `.locals` directive (one register is enough):
com.scottyab.rootbeer.RootBeer.isRooted
com.scottyab.rootbeer.RootBeer.isRootedWithBusyBoxCheck
Step 4 : Rebuild Application (apktool)
Execute the command below to rebuild the application from the patched smali. apktool writes the result to the dist directory inside the project directory, i.e. ./root1/dist/root1.apk
apktool b root1
Step 5 : Re-sign and Install Application
Rebuilding invalidates the original signature, so the APK has to be re-signed before Android will install it. uber-apk-signer zipaligns and signs it with a debug key in one go. Because the signing key is now different from the original developer’s key, an existing installation of the original app must be uninstalled first (adb uninstall <package>), otherwise adb install fails with INSTALL_FAILED_UPDATE_INCOMPATIBLE.
java -jar uber-apk-signer-1.3.0.jar -a root1.apk
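The five steps above can be chained into one script. The following is an added example written for this post, not code from the original author or from the apktool/uber-apk-signer projects. It assumes apktool, java and adb are on PATH, that uber-apk-signer-1.3.0.jar sits in the current directory (as in the command above), that the signer keeps its default output naming (the `-aligned-debugSigned.apk` suffix), and that the methods to neutralise are the two RootBeer methods named in Step 1. The smali rewrite is done with awk so it can be re-applied after every fresh apktool d; the same function works for any boolean method you list.

```shell
#!/bin/sh
# Added example: automate Steps 2-5 (disassemble, patch, rebuild, sign, install).
# Assumptions: apktool/java/adb on PATH, uber-apk-signer-1.3.0.jar in the cwd.
set -eu

# Rewrite the body of each listed method (name+descriptor, space separated)
# so that it always returns false. Works for methods with descriptor "()Z".
# Usage: patch_return_false FILE.smali 'isRooted()Z isRootedWithBusyBoxCheck()Z'
patch_return_false() {
    smali="$1"
    targets="$2"
    awk -v targets="$targets" '
        BEGIN { n = split(targets, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        # A header looks like ".method public isRooted()Z"; the last field
        # is name+descriptor, so match it against the wanted set.
        /^\.method / && ($NF in want) {
            print                          # keep the original header
            print "    .locals 1"          # one register is enough
            print ""
            print "    const/4 v0, 0x0"    # 0 == false
            print ""
            print "    return v0"
            skip = 1                       # drop the original body
            next
        }
        skip && /^\.end method/ { skip = 0 }   # keep the closing directive
        !skip { print }
    ' "$smali" > "$smali.tmp" && mv "$smali.tmp" "$smali"
}

# Full pipeline for one APK: apktool d -> patch -> apktool b -> sign -> install.
patch_apk() {
    apk="$1"
    dir="${apk%.apk}"
    apktool d -f "$apk" -o "$dir"
    # Locate the RootBeer class found in Step 1 (path assumed from the class name).
    smali=$(find "$dir" -path '*/com/scottyab/rootbeer/RootBeer.smali' | head -n 1)
    [ -n "$smali" ] || { echo "RootBeer.smali not found in $dir" >&2; return 1; }
    patch_return_false "$smali" 'isRooted()Z isRootedWithBusyBoxCheck()Z'
    apktool b "$dir" -o "$dir-patched.apk"
    java -jar uber-apk-signer-1.3.0.jar -a "$dir-patched.apk"
    # Default uber-apk-signer output name (assumption: debug key, default suffix).
    # Uninstall the original app first if it is already installed (different key).
    adb install -r "$dir-patched-aligned-debugSigned.apk"
}

# Run the pipeline only when an APK is given, e.g.:  sh patch.sh root1.apk
if [ $# -gt 0 ]; then
    patch_apk "$1"
fi
```

After apktool b, it is worth confirming the patch landed before signing: grep the smali for `const/4 v0, 0x0` inside the two methods, or reopen the rebuilt APK in jadx-gui and check that both methods now read `return false`.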
References
jadx : https://github.com/skylot/jadx
apktool : https://apktool.org/docs/install/
sdk platform tools : https://developer.android.com/tools/releases/platform-tools
sumbit_me{20e048dd-c389-442a-9ad1-3bfe44aade57}