Background#
This matter cannot be summed up in just a few words, so I wrote a long title because I really don't know how to summarize it briefly.
To put it simply, I created a modified cheat version of a game and released it for free on the internet. However, someone plagiarized my game installation package and added a restriction that requires entering their password to play the game. This password can only be obtained by completing certain tasks, such as forwarding an advertisement QR code to more than 500 people in 3 different group chats (a typical requirement). I was quite annoyed when I saw this. I stayed up late to crack it, and yet he easily took it for himself?
So, I downloaded his installation package to study it:
Wow, this is the interface that appears as soon as the game starts. Looks like I got it right.
He didn't even remove the watermark I added for the game version. I wonder what he was thinking.
Start Research, Attempt to Unpack#
First, let's compare my original installation package with the one he modified:
Newly added files:
==============================
classes2.dex
Modified files:
==============================
AndroidManifest.xml
META-INF/ANDROID.RSA
META-INF/ANDROID.SF
META-INF/MANIFEST.MF
I thought the secret was in these "classes", so I quickly searched for the keyword "password" inside them, but found nothing.
Even after going through all the modified files, I still had no clue. I hadn't even found the real answer when evening self-study started.
While daydreaming during self-study, I suddenly thought: Every time the game is opened, the images inside need to be reloaded. If the images are stored locally, they don't need to be reloaded at all. It's possible that the images are hosted on some image hosting site.
Since the images are displayed using a website, could it be that he also embedded the website into the APK for this password input interface? So, I couldn't find it inside the installation package because it's not actually in the package!
Now the case is solved. The next step is to find this website. I originally wanted to use a bug in the Android app (Disclaimer: I'm not very knowledgeable about whether this can be considered a bug in the app or more accurately an HTML bug. If any experts see this, please correct me in the comments. Thank you) - if the network is suddenly disconnected while running, it will display "xxx" (the specific website URL) cannot be connected. This way, I can obtain the URL and uncover the password. However, when I entered this app without an internet connection, it displayed "Failed to retrieve data". It seems that he didn't rely on this method to obtain it.
Attempt Packet Capture, Discover Password#
I don't know if you guys have heard of a tool called "黄鸟抓包" (Yellow Bird Packet Capture), which was quite popular a few years ago. I tested it and found two websites using "黄鸟抓包", as follows:
http://imgurl.xiaok1.com/imgs/2022/04/13/b36c1b16e3de9b6d.jpg
↑ As mentioned earlier, this website is used to display images.
http://acgzlm.xyz/acg/config.json
↑ This is the main part where the password is entered.
Among them, I found the following code in the second website:
It seems that this 6952 is the final password. It's surprising how simple it is.
Subsequent Thoughts | I am the separator~
I didn't expect that obtaining the password for this game would be so easy... I overestimated it.
This article was supposed to be written on September 27th, but unfortunately, my computer broke down at that time.
He modified my game on September 25th, and on the second day of his modification, I managed to uncover the password. I guess I slapped him in the face.
I release my games for free, and the game collection is currently available at https://huaji.xlog.app/youxi. I will not and cannot participate in any reselling. If you bought the game, please report the seller.
Say no to reselling. Everyone has a responsibility, and those who engage in reselling will meet their doom.