Challenge - Donations to fight covid-19

Informatix

Informatix

Expert
Licensed User
Longtime User
I've just learned that my region is going to be the new epicenter in France of the Covid-19 outbreak. The hospital in my town (Aubagne) is calling for donations. To encourage donations, I propose to explain in this forum, on Saturday, April 11, how I do to protect an application against copying or modification (if you are a ProBundle donor, you already know how).

Pending my explanations and to prove my method, your challenge is to copy the Play Store version from one device to another, or to modify the application available on my server (for example, perform an addition instead of a multiplication when clicking on Test). In the end, the application must be fully functional.
You can use all the means at your disposal (decompiler, external debugger, rooted device, etc.). The source code is here.

To donate, just click on the button in my signature. You can see the current amount on my Paypal account:
paypal.jpg

On Saturday, April 11th, I will make a donation with the full contents of the account. Thank you in advance for your generosity.
 
Last edited:
MarcoRome

MarcoRome

Expert
Licensed User
Longtime User
Transaction Code: 80V557500N084921A **20€**
I know this ugly beast. In Italy he made a massacre.
I wish you luck and "everything will be fine"
👍👍
 
Informatix

Informatix

Expert
Licensed User
Longtime User
The Play Store version is available here: https://play.google.com/store/apps/details?id=b4a.protecthw.flm
The challenge is how to copy it to another device. Of course, it must still work.
To help you a bit, I attach the source code to this message. You will see that there is a condition that verifies that the installation source is the Play Store. The problem is how to neutralize this condition.
This source code will not work after compilation on your computer because some of the assets are protected. Only the creator of these resources (me) can compile a working version.
 

Attachments

  • Challenge.zip
    71.3 KB · Views: 229
Informatix

Informatix

Expert
Licensed User
Longtime User
I found that almost no one had downloaded the application for this challenge and, to date, I only have four donations (five with mine). This message probably lacked visibility.
Anyway, here is the promised explanation and you still have until tonight to make a donation.

If you look at the source code, you can see that the copy protection is quite simple since it is all in these three lines:
If PU.GetInstallerPackageName(PU.GetMyPackageName) = Null Or PU.GetInstallerPackageName(PU.GetMyPackageName) <> "com.android.vending" Then
ExitApplication
End If
Click to expand...
If the installation source is not the Play Store ("com.android.vending"), the program ends.
This protection would be very weak if a malicious person could remove these lines with a tool like apktool, so the APK must also be protected against modification. For this, I used the F5Steg library. It can encrypt data inside an image using the APK signature. No password is required from the user. The encryption password is automatically created by the library's C code from the signature (and I won't explain how, of course, because otherwise it would be a piece of cake to circumvent this protection). If someone modifies the program, he has to reassemble it and sign it with his own private key. This will change the signature and therefore F5Steg will not be able to decrypt the image correctly.

In the demo, the image containing the encrypted data is "logo.jpg". In this image, I encoded a list with two entries: a password (which is used to decompress the "value.zip" archive) and a Map which contains three data (an integer, a floating number and the name of the image with my picture). Without these data, the application cannot calculate anything correctly when the user clicks the Test button.
 
Last edited:
You must log in or register to reply here.
Top