How to bypass root detection on cocos2d games

By

How to bypass root detection on cocos2d games from Andnix on Vimeo.

Devs don’t know how to secure their game and just blocked rooted device, but the game can be easly hacked which will work on non-rooted devices so it’s pointless to block rooted device. Having a rooted device doesn’t mean you can just hack games, you can do a lot of customization on Android OS. That’s the reason why many peoples root their device and reason why we have XDA community. Devs just don’t understand that.

So let’s get started.

First of all you need:
- IDA Pro (To disassemble .so file)
- Any hex editor (To edit .so file)

- Winrar or 7-zip (Extract files from APK file)

Note: You need to have basic knowledge of IDA and ARM assembly

Root detection usally come from smali but cocos2d have ability to communicate with smali to get root detection data from it.

Disassemble libcocos2dcpp.so file

Here is what I found, a Root detection scene that appear a warning screen that root is detected and can’t play. After I analized for a while, RootDetectScene::createScene(void)  is only interesting


Hightlight the function, press X to xref and select the first address RootDetectScene::createScene


Xref again


IDA showed me this code.


Press SPACEBAR and look at Graph overview. We can see it placed right down at the bottom with a visible red line. We can easly see there is an if-else-statement in the middle of graph


Click on the middle of Graph where the red line come from


Press F5 to view Pseudocode to understand the code easier. See, there is an if-statement


If you want to look deeper, hightlight on isGlowingRed(v42) and press ENTER. You do it 5 times

isGlowingRed(v42) -> isGlowingRed(this); -> j_j_isGlowingRedJni(this); -> j_isGlowingRedJni((int)this); isGlowingRedJni();

and you will reach this code. Here it gets boolean data from isGlowingRed from smali location “jp/aktsk/cocos2dx/extension/RootDetect”


Go back to AppDelegate::applicationDidFinishLaunching.

We want to replace CMP R0, #1 to NOP

 

Open any hex editor, go to the offset of CMP R0, #1 you found and replace it with 00 BF (NOP)

That’s all. You have bypassed the root warning message


Credit:
AndnixSH#

Popular Posts

[TOOL] Unity Assets Bundle Extractor

By
Image
Unity .assets and AssetBundle editor UABE is an editor for Unity 3.4+/4/5/2017/2018 .assets and AssetBundle files. It can create standalone mod installers from changes to .assets and/or bundles. Type information extracted from Unity is used in order to generate text representations of various asset types. Custom MonoBehaviour types also are supported. There are multiple plugins to convert Unity assets from/to common file formats : The Texture plugin can export and import .png and .tga files and decode&encode most texture formats used by Unity. The TextAsset plugin can export and import .txt files. The AudioClip plugin can export uncompressed .wav files from U5's AudioClip assets using FMOD, .m4a files from WebGL builds and Unity 4 sound files. The Mesh plugin can export .obj and .dae (Collada) files, also supporting rigged SkinnedMeshRenderers. The MovieTexture plugin can export and import .ogv (Ogg Theora) files.
Read more

Il2CppDumper GUI Android App

By
Image
This is @Perfare’s Modified version of il2cppDumper (GUI) for Android Supported Versions Android 5 - Android 13 API Level 21 - API Level 33 Tested Tested in Android 6, 10, 11, 12L physical device Download Download: Releases · Poko-Apps/Il2cppDumpDroidGUI Before Downloading the apk file , you should know this app may have one or multiple bugs maybe your device not compatible for this app Installation While installation process , play protect might warn you . Like this : If so then click ‘Install Anyway’. If installation failed for any reason, uninstall the previous version and try again !! Notes Protected Target’s can’t be dump by this dumper (same as @Perfare’s one) If you find any bug or problem then please kindly report it with proper information, I’ll try my best to resolve it. In low-end devices it take a while to dump . Output files directory is under ‘DumpDroid’ folder App is on active devlopment Often Asked Question Does it supports dumping w
Read more