
LuckyPatcher easily bypasses simple LVL implementation

Open franciscofranco opened this issue 7 years ago • 7 comments

Hi Javier. Thanks for your efforts. As much as we try to protect our apps other 3rd party tools keep finding new ways to fuck us up.

For example LuckyPatcher detects this string https://github.com/javiersantos/PiracyChecker/blob/master/library/src/main/java/com/google/android/vending/licensing/LicenseValidator.java#L105 and simply returns true.

My suggestion is simply to change the method names, move strings around, just to make it a tad harder for automated programs to understand what's going on. Seems simple, but it'll bypass some of the automated scripts. And yes, it'll work even if the app is properly obfuscated etc.

franciscofranco avatar Feb 16 '17 16:02 franciscofranco

@franciscofranco

Hi Francisco, what LuckyPatcher detects is the CHECK_LICENSE permission.

In one of my apps, I have been using this library for a long time. This library didn't have that permission on versions 0.0.1 or 0.0.2, but I added it and it was merged in 0.0.3.

This wasn't on purpose. I just didn't know about this then.

Anyways, I made a fork of the library removing it again, and I have tested it: Lucky Patcher says it isn't "patchable", and the library still checks the license properly...

I saw your other issue regarding checking if certain apps are installed. I have been working on a library, that does the same as PiracyChecker, (it even uses its code) but also checks those apps you mentioned in the other issue (the ones in the link to the xda thread).

It works fine for me.

I don't mind adding those extra checks I made, to the source code of my fork of PiracyChecker and creating a Pull Request.

I'm almost sure @javiersantos would merge it since we have known each other for some time already, and he might be quite busy with other projects.

Anyways, my code isn't the best. I tried making it "not easy to understand" by making the code harder to read, which is neither best practice nor an actual way to stop pirates, but still I did it.

So, knowing how good of a developer you are, and considering your interest in this library and maybe these things, I wanted to ask you if you would like to check my code and help me improve it a bit, so when I merge the changes it is clean and good enough.

Let me know what you think about this. Thanks in advance.

jahirfiquitiva avatar Mar 12 '17 00:03 jahirfiquitiva

https://github.com/javiersantos/PiracyChecker/commit/297f1802fd0938b87845402366fff5c7c606cf63 looks fine to me, and it's a good idea to remove some automatic patching capability.

https://github.com/javiersantos/PiracyChecker/commit/82ae6a48e2673e61196907486e7b07a1dda58ade this looks good to me too. Although the Lucky Patcher guys can easily just parse these new values as well, it breaks the automation part.

https://github.com/javiersantos/PiracyChecker/commit/e7d47565083b669883d7149fa911063921abd1af looks fine to me too!

All in all this will help a lot. As long as automated processes can't parse this lib I'm happy. I'm sure all the other users will be happy too.

Can you push 0.0.4? Would like to try these changes 👍

franciscofranco avatar Mar 12 '17 03:03 franciscofranco

I have just released the v1.0 update. Thank you @jahirfiquitiva for your PR and @franciscofranco for your suggestions and testing!

dependencies {
    compile 'com.github.javiersantos:PiracyChecker:1.0.1'
}

javiersantos avatar Mar 13 '17 20:03 javiersantos

@javiersantos

No problem. Always glad to help. 😀

jahirfiquitiva avatar Mar 13 '17 23:03 jahirfiquitiva

franciscofranco, no, changing names won't help you, to be honest. The tools don't even work on strings or, as the other guys are saying, on the CHECK_LICENSE permission; the permission is checked just to show that the app has the license library. You can still patch by removing the license verification. There are other ways, which you guys do not know, that can protect it properly from these tools and checks, but I am not in the mood to let you know. The library is good, but it is 5 steps back in security; still, it gives people a good idea.

Good Luck

Jasi2169 avatar Apr 03 '17 14:04 Jasi2169

@Jasi2169 Thank you for the very informative and detailed post. None of this would be possible without your infinite wisdom and profound knowledge. Please grace us with your presence and enlightenment in the near future. Luckily my mood was in good enough shape to even bother to reply.

franciscofranco avatar Apr 03 '17 14:04 franciscofranco

No offense to my master Jasi2169, he is the greatest guy I have ever seen. Lucky Patcher still works even if you guys randomize things, especially against Xposed-based emulation. You can slow down root-based users from emulating, though. To make it hard, do hard obfuscation on 2 things:

  1. android.content.Intent: its init method takes 1 string argument, which holds the intent action, such as "com.android.vending.billing.InAppBillingService.BIND" or the License intent. If Lucky Patcher finds it, it replaces it with its own intent action and then checks setPackage; if setPackage("...") is "com.android.vending", it replaces it with its own package name, and then the rest of all purchase/LVL handling is done by Lucky Patcher.
  2. So encrypt those 2 things: the intent action name and the setPackage name. Don't try to base64-encode them; base64 will be caught by Lucky Patcher.

apkunpacker avatar Oct 21 '20 06:10 apkunpacker
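The two concrete markers raised in this thread are the CHECK_LICENSE permission in the manifest (jahirfiquitiva's comment) and the plaintext bind action / "com.android.vending" package strings in the dex, including base64-encoded copies (apkunpacker's comment). The script below is an added example, not PiracyChecker code or anything from the people in this thread: a build-time check that scans every entry of an APK for those markers as UTF-8 (dex string pool), UTF-16LE (binary manifest string pool) and alignment-aware base64 fragments, which is exactly why "just base64 it" hides nothing. The marker list, the XOR key and the fake manifest/dex bytes in `build_sample_apk` are constructed for this example; the sample zip is not a real axml/dex, only the byte patterns a scanner sees.

```python
"""Static check: does a built APK still carry the plaintext markers that
automated LVL/IAB patchers key on?  Added example, not PiracyChecker code."""
import base64
import io
import zipfile

# Strings named in the thread: the CHECK_LICENSE permission (manifest), the
# licensing/billing bind actions and the Play package name (dex).  The list
# is assembled for this example; extend it for your own build.
MARKERS = (
    "com.android.vending.CHECK_LICENSE",
    "com.android.vending.licensing.ILicensingService",
    "com.android.vending.billing.InAppBillingService.BIND",
    "com.android.vending",
)


def base64_fragments(raw: bytes) -> list[str]:
    """Base64 substrings that occur in base64(X) for any X containing raw,
    one per possible 3-byte alignment.  Only the characters that mix bits of
    raw with neighbouring bytes are dropped, so the fragments are exact."""
    frags = []
    for k in range(3):                       # k = offset of raw inside its 3-byte group
        enc = base64.b64encode(b"\x00" * k + raw).rstrip(b"=").decode("ascii")
        head = (0, 2, 3)[k]                  # leading chars mixed with the k pad bytes
        tail = 0 if (k + len(raw)) % 3 == 0 else 1   # trailing char mixed with next byte
        frags.append(enc[head:len(enc) - tail])
    return frags


def found_in_base64(raw: bytes, prefix: bytes, suffix: bytes = b"") -> bool:
    """True if base64(prefix + raw + suffix) is matched by the fragments above."""
    enc = base64.b64encode(prefix + raw + suffix).decode("ascii")
    return any(f in enc for f in base64_fragments(raw))


def needles(marker: str) -> list[tuple[str, bytes]]:
    """(encoding label, byte pattern) pairs to search for one marker."""
    raw = marker.encode("utf-8")
    out = [("utf8", raw),                            # dex string pool (MUTF-8 == ASCII here)
           ("utf16le", marker.encode("utf-16-le"))]  # binary AndroidManifest.xml string pool
    out += [("base64", f.encode("ascii")) for f in base64_fragments(raw)]
    return out


def scan_apk(apk: bytes, markers=MARKERS) -> dict[str, set[tuple[str, str]]]:
    """Return {zip entry: {(marker, encoding), ...}} for every entry with a hit."""
    hits: dict[str, set[tuple[str, str]]] = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            found = {(m, label) for m in markers
                     for label, pat in needles(m) if pat in data}
            if found:
                hits[info.filename] = found
    return hits


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_apk(hardened: bool) -> bytes:
    """Constructed stand-in for a build output (not real axml/dex, just the
    byte patterns a scanner sees).  hardened=False reproduces the thread's
    mistakes: permission in the manifest, base64 'hidden' action, plaintext
    package name.  hardened=True drops the permission and stores the action
    XOR'ed; the key lives in the same dex, so this defeats string matching
    and nothing more."""
    bind = "com.android.vending.billing.InAppBillingService.BIND"
    manifest = b"\x03\x00\x08\x00" + b"\x00" * 6
    dex = b"dex\n035\x00" + b"\x00" * 8
    if hardened:
        dex += xor_bytes(bind.encode(), b"\x5a\xa5\x3c")   # example key, constructed
    else:
        manifest += "com.android.vending.CHECK_LICENSE".encode("utf-16-le")
        dex += b"xy" + base64.b64encode(b"xy" + bind.encode())   # misaligned base64
        dex += b"\x00com.android.vending\x00"                    # setPackage() argument
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", dex)
        zf.writestr("res/values.xml", b"<resources/>")
    return buf.getvalue()


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "naive", scan_apk(build_sample_apk(hardened)))
```

Run it against a real build with `scan_apk(open("app-release.apk", "rb").read())`; an empty result means none of the listed strings survive in any encoding a trivial scanner tries, which is the bar the thread sets for defeating automation, not a claim about hooking at runtime, which apkunpacker notes still works.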