
I'm editing some smali code in which I need to change the value of a certain currency parcel awarded as an achievement entity in a game.

.method public writeToParcel(Landroid/os/Parcel;I)V
.locals 0

invoke-static {p0, p1, p2}, Lcom/google/android/gms/games/achievement/AchievementEntityCreator;->a(Lcom/google/android/gms/games/achievement/AchievementEntity;Landroid/os/Parcel;I)V

return-void
.end method

The class Landroid/os/Parcel is set as an integer. I want to set a solid numerical value of 1 billion to this class. This would award me an in-game currency parcel of that size when an achievement is completed, every time - the code is rather self-explanatory. Is that possible? If so, how can it be done?

Note: I am NOT a blackhat hacker using this knowledge to violate anyone's property. It is simply to reverse engineer a test application as a temporary, innocuous learning experience, not for commercial circulation or any malicious intents.

GoldenAge153
  • Yes, this is possible. No, I won't tell you how. You're trying to learn, right? :) Hint: take a look at the `const` opcode. – JesusFreke Oct 02 '16 at 03:56

1 Answer


Well let's see, here's what I came up with. The hint was very satisfactory man, so thanks! Here's my updated code:

.method public writeToParcel(Landroid/os/Parcel;I)V
.locals 0

const p2, 0x3b9aca00 

invoke-static {p0, p1, p2}, Lcom/google/android/gms/games/achievement/AchievementEntityCreator;->a(Lcom/google/android/gms/games/achievement/AchievementEntity;Landroid/os/Parcel;I)V

move-result-object p2

return-void
.end method

I used the IEEE 754 converter to find a dalvik byte code equivalent to 1 billion (resulting in 0x4e6e6b28) - would that work? It's here: https://www.h-schmidt.net/FloatConverter/IEEE754.html. I visited your page here: https://github.com/JesusFreke/smali/wiki/Registers and where it said how method parameters are passed, I picked up some guidance :) I saw there were 3 argument registers (Lcom/google/android/gms/games/achievement/AchievementEntityCreator;, Lcom/google/android/gms/games/achievement/AchievementEntity; and Landroid/os/Parcel;) being the p0, p1 and p2. So this is my best attempt at this... If I'm wrong about anything, constructive help would be great!

GoldenAge153
  • @JesusFreke I've tried changing the value above, however I'm not too confident in it... I don't know what the /4 after the const does or if it's correct to add it there or if the numerical value is in correct binary format and is properly set as a value of the Landroid/os/Parcel parameter. As I said before, your constructive feedback would be greatly appreciated! – GoldenAge153 Oct 02 '16 at 18:50
  • A few points. 1. a move-result instruction must immediately follow the invoke instruction that it is getting the result for. It's not valid to insert an instruction between the invoke and move-result instructions. 2. IEEE 754 is for floating point numbers. You want an integer, so that is wrong :) 3. the method's return value is V (void), but you're trying to return a value. 4. I suspect you want to change the value of p2 before invoking the `...AchievementEntityCreator;->a` method – JesusFreke Oct 02 '16 at 20:05
  • @JesusFreke WOW! It worked bro! I just earned an achievement for like 40 kills or something after building, signing and moving the apk over to my phone and after a little loading my in-game currency of credits was 1,000,000,043!! I was able to use the credits without any limits, but I think it will probably be reset as the game has a very strong anti-hack system, and even though I deleted the ban event from the game they'll probably have a moderator do it lol. Anyway, this was a GREAT learning experience and I feel a lot more comfortable with smali and reverse engineering in general! – GoldenAge153 Oct 03 '16 at 01:41
  • Your pointers were very helpful, and I think you forgot to mention but the const/4 could not fit an int value of 1 billion in it, const alone is fine. I can actually call myself a reverse engineer in my profile description. All thanks to you! Your blogs/articles were amazing and so was your advice... I needed that in my journey and you gave it, so bless you man! – GoldenAge153 Oct 03 '16 at 01:49
  • I never said anything about const/4. I suggested const for simplicity :) – JesusFreke Oct 03 '16 at 17:43
  • "reverse engineer a test application".. hmm. That doesn't sound like a "test application" to me ;) – JesusFreke Oct 03 '16 at 17:45
  • Jesus remember not to have extended discussion in the comments? Allow my sly self to leave it at that ;) – GoldenAge153 Oct 03 '16 at 19:20
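An added example, my own code rather than anything the poster or JesusFreke wrote, covering the two points the comments settle: why const/4 cannot hold 1 billion (the literal ranges are those of the Dalvik 32-bit const variants) and why the IEEE 754 converter's 0x4e6e6b28 is the wrong value (it is the float bit pattern, a different integer when the register is read as an int). The helper names are mine.

```python
import struct

# Added example, not code from the question or answer. Signed literal
# range of each Dalvik 32-bit const variant (per the Dalvik bytecode
# format): const/4 = 4 bits, const/16 = 16 bits, const/high16 = only the
# high 16 bits of a 32-bit value, const = full 32 bits.
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def choose_const_opcode(value: int) -> str:
    """Return the narrowest const opcode whose literal range holds value."""
    if not INT32_MIN <= value <= INT32_MAX:
        raise ValueError("literal does not fit in 32 bits; use const-wide")
    if -8 <= value <= 7:
        return "const/4"        # 4-bit literal; register must also be v0..v15
    if -2**15 <= value <= 2**15 - 1:
        return "const/16"
    if value & 0xFFFF == 0:
        return "const/high16"   # low 16 bits are zero, only the high half is stored
    return "const"


def smali_const(reg: str, value: int) -> str:
    """Format a smali const instruction, printing the literal the way baksmali does."""
    return f"{choose_const_opcode(value)} {reg}, {value:#x}"


def float_bits(value: float) -> int:
    """IEEE 754 single-precision bit pattern, i.e. what the converter site gives."""
    return struct.unpack(">I", struct.pack(">f", value))[0]


if __name__ == "__main__":
    # 1 billion needs the full-width const; const/4 tops out at 7.
    print(smali_const("p2", 1_000_000_000))        # const p2, 0x3b9aca00
    # The float pattern read back as an int is a different number entirely.
    print(hex(float_bits(1e9)), float_bits(1e9))  # 0x4e6e6b28 1315859240
```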