How to bypass fake crash (Process exited due to signal (6))
This is about bypassing a fake crash in Fetty Wap Nitro Nation Stories, an old, since-deleted game; I did this 5 years ago. I normally wouldn't teach how to bypass security, but this game is old and deleted and the security is too simple, so it's safe to teach at this point.
You need to have some knowledge of ARM and x86 assembly and know how to use IDA Pro, but you will learn a bit more here.
If you installed the game from a re-signed APK, it crashes when you tap RACE after the game has loaded.
Sometimes the game shows an error message instead. Or this:
It was smart... (not really), but it's pretty easy to bypass.
How do I know what caused the crash? It's not always easy to tell, but start by looking at logcat. You can use Android Studio or ADB from the command line on non-rooted devices, or Matlog Libre on rooted devices and emulators. I'll use Matlog on an emulator.
So basically, I'm looking for
Process [packagename] [pid] has died
and reading the lines below and above it. I see more:
10-21 16:12:45.762 D/houdini (8014): [8035] Added shared library /data/app/com.creativemobile.nns-2/lib/arm/libNativeCarX.so for ClassLoader by Native Bridge.
…
10-21 16:12:45.809 I/ActivityManager(487): Process com.creativemobile.nns (pid 8014) has died
…
10-21 16:12:45.850 I/Zygote (100): Process 8014 exited due to signal (6)
I see the library libNativeCarX.so get loaded and the process crash only a few ms later. Sometimes the log also prints DEBUG (tombstone) output, depending on the device firmware, I think:
12-27 19:30:21.421 D/dalvikvm(14637): Trying to load lib /data/app-lib/com.creativemobile.nns-1/libNativeCarX.so 0xa4fb34e0
12-27 19:30:21.453 D/dalvikvm(14637): Added shared lib /data/app-lib/com.creativemobile.nns-1/libNativeCarX.so 0xa4fb34e0
12-27 19:30:21.453 F/libc (14637): Fatal signal 6 (SIGABRT) at 0x0000392d (code=-6), thread 14651 (UnityMain)
12-27 19:30:21.557 I/DEBUG ( 130): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
12-27 19:30:21.557 I/DEBUG ( 130): Build fingerprint: 'SAMSUNG/hlteatt/hlteuc:4.4.4/tt/eng.jenkins.20161121.163001:userdebug/test-keys'
12-27 19:30:21.557 I/DEBUG ( 130): Revision: '0'
12-27 19:30:21.557 I/DEBUG ( 130): pid: 14637, tid: 14651, name: UnityMain >>> com.creativemobile.nns <<<
12-27 19:30:21.557 I/DEBUG ( 130): signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
12-27 19:30:21.693 I/DEBUG ( 130):     eax 00000000  ebx 0000392d  ecx 0000393b  edx 00000006
12-27 19:30:21.697 I/DEBUG ( 130):     esi 0000393b  edi 00000014
12-27 19:30:21.697 I/DEBUG ( 130):     xcs 00000073  xds 0000007b  xes 0000007b  xfs 00000000  xss 0000007b
12-27 19:30:21.697 I/DEBUG ( 130):     eip b76bdd76  ebp b7722ce0  esp 9452fa90  flags 00200203
12-27 19:30:21.697 I/DEBUG ( 130):
12-27 19:30:21.697 I/DEBUG ( 130): backtrace:
12-27 19:30:21.697 I/DEBUG ( 130):     #00  pc 0003bd76  /system/lib/libc.so (tgkill+22)
12-27 19:30:21.697 I/DEBUG ( 130):     #01  pc 00000005  <unknown>
12-27 19:30:21.697 I/DEBUG ( 130):
12-27 19:30:21.697 I/DEBUG ( 130): stack:
12-27 19:30:21.697 I/DEBUG ( 130):          9452fa50  00000000
12-27 19:30:21.697 I/DEBUG ( 130):          9452fa54  00000000
12-27 19:30:21.697 I/DEBUG ( 130):          9452fa58  00000000
12-27 19:30:21.697 I/DEBUG ( 130):          9452fa5c  00000000
12-27 19:30:21.697 I/DEBUG ( 130):          9452fa60  00000000
12-27 19:30:21.697 I/DEBUG ( 130):          9452fa64  00000000
12-27 19:30:21.697 I/DEBUG ( 130):          9452fa68  00000000
12-27 19:30:21.697 I/DEBUG ( 130):          9452fa6c  00000000
12-27 19:30:21.697 I/DEBUG ( 130):          9452fa70  00000000
12-27 19:30:21.697 I/DEBUG ( 130):          9452fa74  00000000
12-27 19:30:21.697 I/DEBUG ( 130):          9452fa78  00000000
12-27 19:30:21.697 I/DEBUG ( 130):          9452fa7c  00000000
12-27 19:30:21.697 I/DEBUG ( 130):          9452fa80  00000000
12-27 19:30:21.697 I/DEBUG ( 130):          9452fa84  00000000
12-27 19:30:21.697 I/DEBUG ( 130):          9452fa88  00000000
12-27 19:30:21.697 I/DEBUG ( 130):          9452fa8c  00000000
12-27 19:30:21.697 I/DEBUG ( 130):     #00  9452fa90  00000006
12-27 19:30:21.697 I/DEBUG ( 130):          9452fa94  89a14f34  /data/app-lib/com.creativemobile.nns-1/libNativeCarX.so
12-27 19:30:21.697 I/DEBUG ( 130):          9452fa98  b771dfcc  /system/lib/libc.so
12-27 19:30:21.697 I/DEBUG ( 130):          9452fa9c  b769a516  /system/lib/libc.so (pthread_kill+102)
12-27 19:30:21.697 I/DEBUG ( 130):          9452faa0  0000392d
12-27 19:30:21.697 I/DEBUG ( 130):          9452faa4  0000393b
12-27 19:30:21.697 I/DEBUG ( 130):          9452faa8  00000006
12-27 19:30:21.697 I/DEBUG ( 130):          9452faac  00000000
12-27 19:30:21.697 I/DEBUG ( 130):          9452fab0  b93bb620  [heap]
12-27 19:30:21.697 I/DEBUG ( 130):          9452fab4  1fb00045
12-27 19:30:21.697 I/DEBUG ( 130):          9452fab8  b769a4b9  /system/lib/libc.so (pthread_kill+9)
12-27 19:30:21.697 I/DEBUG ( 130):          9452fabc  b771dfcc  /system/lib/libc.so
12-27 19:30:21.697 I/DEBUG ( 130):          9452fac0  9452fb0c  [stack:14651]
12-27 19:30:21.697 I/DEBUG ( 130):          9452fac4  22c0003d
12-27 19:30:21.697 I/DEBUG ( 130):          9452fac8  bb393870  [heap]
12-27 19:30:21.697 I/DEBUG ( 130):          9452facc  b769a8dc  /system/lib/libc.so (raise+44)
12-27 19:30:21.801 I/BootReceiver( 658): Copying /data/tombstones/tombstone_04 to DropBox (SYSTEM_TOMBSTONE)
12-27 19:30:21.801 W/ActivityManager( 658): Force finishing activity com.creativemobile.nns/com.prime31.UnityPlayerNativeActivity
12-27 19:30:21.805 D/ ( 658): HostConnection::get() New Host Connection pid 658, tid 14945, stream_port_num=22468
12-27 19:30:21.805 D/ ( 658): useHgsmi for host connection!!!
12-27 19:30:21.805 D/ ( 658): HostConnection::get() New Host Connection established 0xb94d13a8, tid 14945
12-27 19:30:21.829 D/dalvikvm( 658): GC_FOR_ALLOC freed 661K, 27% free 10097K/13708K, paused 20ms, total 20ms
12-27 19:30:21.833 D/dalvikvm( 658): GC_FOR_ALLOC freed 628K, 30% free 9671K/13708K, paused 8ms, total 8ms
12-27 19:30:21.849 W/InputDispatcher( 658): channel '529388c8 com.creativemobile.nns/com.prime31.UnityPlayerNativeActivity (server)' ~ Consumer closed input channel or an error occurred. events=0x9
12-27 19:30:21.849 E/InputDispatcher( 658): channel '529388c8 com.creativemobile.nns/com.prime31.UnityPlayerNativeActivity (server)' ~ Channel is unrecoverably broken and will be disposed!
12-27 19:30:21.849 W/MediaFocusControl( 658): AudioFocus audio focus client died
12-27 19:30:21.849 I/MediaFocusControl( 658): AudioFocus removeFocusStackEntry(): removing entry for android.os.BinderProxy@528b37e4
12-27 19:30:21.849 W/InputDispatcher( 658): Attempted to unregister already unregistered input channel '529388c8 com.creativemobile.nns/com.prime31.UnityPlayerNativeActivity (server)'
12-27 19:30:21.849 I/ActivityManager( 658): Process com.creativemobile.nns (pid 14637) has died.
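The "library loaded, process dead a few ms later" pattern is easy to spot by eye in a short excerpt, but harder in a full logcat capture. This added example (my code, not from the post) correlates native-library loads with fatal-signal or Zygote exit lines for the same pid and reports how many ms apart they were; the sample log is constructed from the lines quoted above plus one extra library load (libunity.so) that I made up to show the time window doing its job.

```python
import re
from datetime import datetime

# Constructed sample: the post's own logcat lines plus one made-up earlier load.
SAMPLE_LOG = """\
10-21 16:12:40.100 D/houdini (8014): [8035] Added shared library /data/app/com.creativemobile.nns-2/lib/arm/libunity.so for ClassLoader by Native Bridge.
10-21 16:12:45.762 D/houdini (8014): [8035] Added shared library /data/app/com.creativemobile.nns-2/lib/arm/libNativeCarX.so for ClassLoader by Native Bridge.
10-21 16:12:45.809 I/ActivityManager(487): Process com.creativemobile.nns (pid 8014) has died
10-21 16:12:45.850 I/Zygote (100): Process 8014 exited due to signal (6)
12-27 19:30:21.453 D/dalvikvm(14637): Added shared lib /data/app-lib/com.creativemobile.nns-1/libNativeCarX.so 0xa4fb34e0
12-27 19:30:21.453 F/libc (14637): Fatal signal 6 (SIGABRT) at 0x0000392d (code=-6), thread 14651 (UnityMain)
12-27 19:30:21.849 I/ActivityManager( 658): Process com.creativemobile.nns (pid 14637) has died.
"""

# "MM-DD HH:MM:SS.mmm L/Tag( pid): message"; the tag may be empty.
LINE_RE = re.compile(r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (?P<lvl>[VDIWEF])/"
                     r"(?P<tag>\S*)\s*\(\s*(?P<pid>\d+)\): (?P<msg>.*)$")
LOAD_RE = re.compile(r"Added shared lib(?:rary)? (?P<path>\S+)")   # dalvikvm and houdini wording
FATAL_RE = re.compile(r"Fatal signal (?P<sig>\d+) \((?P<name>SIG\w+)\)")
EXIT_RE = re.compile(r"Process (?P<pid>\d+) exited due to signal \((?P<sig>\d+)\)")

def _ms(ts):
    """Logcat timestamp -> milliseconds since the start of the (unnamed) year."""
    t = datetime.strptime(ts, "%m-%d %H:%M:%S.%f")
    secs = t.timetuple().tm_yday * 86400 + t.hour * 3600 + t.minute * 60 + t.second
    return secs * 1000 + t.microsecond // 1000

def find_fast_aborts(log_text, window_ms=500):
    """Return (pid, library, signal, ms_since_load) for each process that died of
    a signal within window_ms of loading a native library; the most recent load is blamed."""
    loads, hits = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        now, pid, msg = _ms(m["ts"]), int(m["pid"]), m["msg"]
        load = LOAD_RE.search(msg)
        if load:
            loads.setdefault(pid, []).append((now, load["path"]))
            continue
        fatal, exited = FATAL_RE.search(msg), EXIT_RE.search(msg)
        if fatal:                       # libc logs this with the dying process's own pid
            victim, sig = pid, fatal["name"]
        elif exited:                    # Zygote logs it; the pid is inside the message
            victim, sig = int(exited["pid"]), "signal " + exited["sig"]
        else:
            continue
        recent = [(now - t, p) for t, p in loads.get(victim, []) if 0 <= now - t <= window_ms]
        if recent:
            delta, path = min(recent)
            hits.append((victim, path.rsplit("/", 1)[-1], sig, delta))
    return hits
```

Run against the sample it blames libNativeCarX.so for both crashes (88 ms and 0 ms after load) and ignores libunity.so, which was loaded over five seconds earlier.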
What do "Process 8014 exited due to signal (6)" and "Fatal signal 6 (SIGABRT)" mean? If you are familiar with Linux signals, SIGABRT indicates that abort() was called. abort() is usually called by library functions that detect an internal error or some seriously broken constraint. The backtrace agrees: raise, pthread_kill and tgkill (with code SI_TKILL) are exactly the path abort() takes in Bionic to deliver SIGABRT to its own thread. But this dev is taking advantage of that and using abort() as a fake crash.
So how do I bypass it? It's easy, but you need some ARM or x86 assembly knowledge. Open the APK with 7-Zip or WinRAR, extract the lib folder and load libNativeCarX.so (the armv7 or the x86 build) into IDA Pro.
We need to search for abort(). You can also look for JNI_OnLoad, because it is the function the JVM (Dalvik/ART) calls when a native library is loaded.
In the Functions window, press Ctrl+F and search for abort. Double-click _abort.
Click _abort to highlight it.
Press X to show its xrefs.
Click OK. You will arrive in JNI_OnLoad. Press Space to switch to the graph view, like this:
This is the x86 build of libNativeCarX.so.
This is the ARM build of libNativeCarX.so. It's the same code.
This function looks like a signature check: it computes some hash, compares it to a predefined value (strcmp) and branches to abort() if they do not match.
To bypass it, we need to NOP the branch jnz short loc_xxxxx (x86) or BNE loc_xxxxx (ARM) so abort() is never called.
We need the file offsets to find and edit in a hex editor. To get them, click on jnz short loc_xxxxx (x86) or BNE loc_xxxxx (ARM) and look at the status bar below.
Or press Space to switch to the text view and read the offset shown beside the instruction.
Note that the offsets are not always the same.
Open libNativeCarX.so in your favorite hex editor; I'm using 010 Editor. Go to the offset you found.
For x86, go to the offset you found (2F666) and replace 75 41 with 90 90 (90 is the opcode of NOP. Yes, I used two NOPs: x86 instructions have variable length, and jnz short is a two-byte instruction, unlike ARM where every instruction is four bytes).
For ARM, go to the offset you found (24E54) and replace 10 00 00 1A with 00 F0 20 E3 (NOP).
NOP means no operation: do nothing.
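To make the "two NOPs on x86, one word on ARM" point concrete, here is an added example (mine, not from the post) that decodes the byte sequences quoted above: it shows that 75 41 is a two-byte JNE with an 8-bit displacement, that 10 00 00 1A is a four-byte BNE (condition field 0001 = NE, 24-bit word offset), that 00 F0 20 E3 is the ARM NOP hint, and it checks that a replacement is exactly as long as the instruction it overwrites so no neighbouring bytes get clobbered. The byte values are the ones the post gives; everything else is my own.

```python
import struct

ARM_COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
            "HI", "LS", "GE", "LT", "GT", "LE", "AL", "NV"]
X86_JCC = ["JO", "JNO", "JB", "JAE", "JE", "JNE", "JBE", "JA",
           "JS", "JNS", "JP", "JNP", "JL", "JGE", "JLE", "JG"]

def decode_arm(word):
    """Decode one little-endian A32 word: 'B<cond> pc+0x..' for a branch,
    'NOP' for the E320F000 hint, 'other' for anything else."""
    w = struct.unpack("<I", word)[0]           # bytes on disk are little-endian
    cond = ARM_COND[w >> 28]                   # bits 31..28: condition code
    if (w >> 25) & 0x7 == 0b101:               # bits 27..25 = 101: B / BL
        imm24 = w & 0xFFFFFF
        off = imm24 - (1 << 24) if imm24 & 0x800000 else imm24   # sign-extend
        link = "L" if (w >> 24) & 1 else ""
        suffix = "" if cond == "AL" else cond
        return f"B{link}{suffix} pc{(off << 2) + 8:+#x}"          # target = PC+8+imm*4
    return "NOP" if w == 0xE320F000 else "other"

def x86_short_jcc(code):
    """Decode a short conditional jump (opcode 70..7F followed by rel8).
    Returns (mnemonic, length, target offset from instruction start) or None."""
    if len(code) >= 2 and 0x70 <= code[0] <= 0x7F:
        rel = code[1] - 256 if code[1] & 0x80 else code[1]
        return X86_JCC[code[0] - 0x70], 2, rel + 2
    return None

def nop_replacement_ok(arch, original, replacement):
    """True when replacement is the same size as the branch it overwrites and
    decodes to nothing but NOPs, so the following instruction stays intact."""
    if arch == "x86":
        jcc = x86_short_jcc(original)
        return (jcc is not None and len(replacement) == jcc[1]
                and all(x == 0x90 for x in replacement))
    if arch == "arm":
        return len(original) == len(replacement) == 4 and decode_arm(replacement) == "NOP"
    raise ValueError(f"unsupported arch {arch!r}")
```
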
Save the file, put the .so back inside the APK with 7-Zip or WinRAR, then sign and install it.
The game should let you race without crashing :)
Enjoy!
Thanks to Riu from libre.io for the help back then.