Sec-88
  • πŸ§‘Whoami
  • πŸ•ΈοΈWeb-AppSec
    • Features Abuse
      • 2FA
      • Ban Feature
      • CAPTCHA
      • Commenting
      • Contact us
      • File-Upload
      • Inviting Feature
      • Messaging Features
      • Money-Related Features
      • Newsletter
      • Profile - Settings
      • Registration
      • Reset Password
      • Review
      • Rich Editor/Text
      • Social Sharing
      • Billing-Shipping Address Management
      • Integrations - Webhooks
      • API Key Management
    • Reconnaissance
      • Attacking Organizations with big scopes
    • Subdomain Enumeration
    • Fingerprinting
    • Dorking
    • XSS-HTML Injection
    • Improper Authentication
      • JWT Security
    • OAUTH Misconfigurations
      • OAuth 2.0 Basics
      • OAUTH Misconfigurations
    • Auth0 Misconfigurations
    • Broken Access Control
      • Insecure Direct Object References (IDOR)
      • 403 Bypass
    • Broken Link Injection
    • Command Injection
    • CORS
    • CRLF
    • CSRF
    • Host Header Attacks
    • HTTP request smuggling
    • JSON Request Testing
    • LFI
      • LFI to RCE
    • No Rate Limit
    • Parameters Manual Testing
    • Open Redirect
    • Registration & Takeover Bugs
    • Remote Code Execution (RCE)
    • Session Fixation
    • SQL Injection
      • SQL To RCE
    • SSRF
    • SSTI
    • Subdomain Takeover
    • Web Caching Vulnerabilities
    • WebSockets
    • XXE
      • XXE to RCE
    • Cookie Based Attacks
    • CMS
      • AEM [Adobe CMS]
    • XSSI (Cross Site Script Inclusion)
    • NoSQL injection
    • Local VS Remote Session Fixation
    • Protection
      • Security Mechanisms for Websites
      • Cookie Flags
      • SameSite Cookie Restrictions
      • Same-origin policy (SOP)
      • CSP
    • Hacking IIS Applications
    • Dependency Confusion
    • Attacking Secondary Context
    • Hacking Web Sockets
    • IDN Homograph Attack
    • DNS Rebinding Attack
    • LLM Hacking Checklist
    • Bypass URL Filtration
    • Cross-Site Path Traversal (CSPT)
    • PostMessage Security
    • Prototype Pollution
      • Client-Side Prototype Pollution
      • Server-Side prototype pollution
    • Tools-Extensions-Bookmarks
    • WAF Bypassing Techniques
    • SSL/TLS Certificate Lifecycle
    • Serialization in .NET
    • Client-Side Attacks
      • JavaScript Analysis
    • Bug Bounty Platforms/Programs
    • DNS Dangling / NS Takeover
  • βœ‰οΈAPI-Sec
    • GraphQL API Security Testing
      • The Basics
      • GraphQL Communication
      • Setting Up a Vulnerable GraphQL Server
      • GraphQL Hacking Tools
      • GraphQL Attack Surface
      • RECONNAISSANCE
      • GraphQL DOS
      • Information Disclosure
      • AUTHENTICATION AND AUTHORIZATION BYPASSES
      • Injection Vulnerabilities in GraphQL
      • REQUEST FORGERY AND HIJACKING
      • VULNERABILITIES, REPORTS AND EXPLOITS
      • GraphQL Hacking Checklist
    • API Recon
    • API Token Attacks
    • Broken Object Level Authorization (BOLA)
    • Broken Authentication
    • Evasive Maneuvers
    • Improper Assets Management
    • Mass Assignment Attacks
    • SSRF
    • Injection Vulnerabilities
    • Excessive Data Exposure
    • OWASP API TOP 10 MindMap
    • Scanning APIs with OWASP ZAP
  • πŸ“±Android-AppSec
    • Setup Android App Pentesting environment on Arch
    • Setup Android App Pentesting environment on Mac M4
    • Setup Android Pentesting Environment on Debian Linux
    • Android App Fundamentals
      • Android Architecture
      • Android Security Model
      • Android App Components
        • Intents
        • Pending Intents
    • Android App Components Security Cheatsheet
    • Android App Pentesting Checklist
    • How To Get APK file for application
    • ADB Commands
    • APK structure
    • Android Permissions
    • Exported Activity Hacking
    • BroadcastReceiver Hacking
    • Content Provider Hacking
    • Signing the APK
    • Reverse Engineering APK
    • Deep Links Hacking
    • Drozer Cheat Sheet
    • SMALI
      • SMALI Cheat Sheet
      • Smali Code Patching Guide
    • Intent Redirection Vulnerability
    • Janus Vulnerability (CVE-2017-13156)
    • Task Hijacking
    • Hacking Labs
      • Injured Android
      • Hacking the VulnWebView Lab
      • Hacking InsecureBankv2 App
    • Frida Cheat Sheet
  • πŸ“ΆNetwork-Sec
    • Networking Fundamentals
    • Open Ports Security Testing
    • Vulnerability Scanning
    • Client Side Attacks
    • Port Redirection and Tunneling
    • Password Attacks
    • Privilege Escalation [PrevEsc]
      • Linux Privilege Escalation
    • Buffer Overflow (BOF)
      • VulnServer
      • Sync Breez Enterprize
      • Crashed CTF
      • BOF for Linux
    • AV Evasion
    • Post Exploitation
      • File Transfer
      • Maintaining Access
      • Pivoting
      • Clean Up
    • Active Directory
      • Basic AD Pentesting
  • πŸ’»Desktop AppSec
    • Thin Client vs. Thick Client
  • ☁️Cloud Sec
    • Salesforce Hacking
      • Basics
      • Salesforce SAAS Apps Hacking
    • Firebase
    • S3 Buckets Misconfigurations
    • Amazon Cognito Misconfiguraitons
  • πŸ‘¨β€πŸ’»Programming
    • HTML
    • JavaScript (JS)
      • window.location object
    • Python
      • Python Tips
      • Set
        • SetMethods
    • JAVA
      • Java Essentials
      • Java Essentials Code Notes
      • Java OOP1
      • JAVA OOP Principles
        • Inheritance
        • Method Overriding
        • Abstract Class
        • Interface
        • polymorphism
        • Encapsulation
        • Composition
      • Java OOP Challenges
      • Exception Handling
    • Go
      • Go Syntax Tutorial in one file
      • Methods and Interfaces
      • Go Slices
      • Go Maps
      • Go Functions
      • Concurrency
      • Read Files
      • Write Files
      • Package
        • How to make personal Package
        • regexp Packages
        • Json
        • bufio
        • Time
      • Signals-Exit
      • Unit Testing
  • πŸ–₯️Operating Systems
    • Linux
      • Linux Commands
      • Tools
      • Linux File System
      • Bash Scripting guide
      • tmux
      • Git
      • Install Go tools from private repositories using GitHub PAT
    • VPS
    • Burp Suite
  • ✍️Write-Ups
    • Hunting Methodology
    • API BAC leads to PII Data Disclosure
    • Misconfigured OATUH leads to Pre-Account Takeover
    • Automating Bug Bounty with GitHub Actions
    • From Recon to Reward: My Bug Bounty Methodology when Hunting on Public Bug Bounty Programs
    • Exploring Subdomains: From Enumeration to Takeover Victory
    • 0-Click Account Takeover via Insecure Password Reset Feature
    • How a Simple Click Can Lead to Account Takeover: An OAuth Insecure Implementation Vulnerability
    • The Power Of IDOR even if it is unpredictable IDs
    • Unlocking the Weak Spot: Exploiting Insecure Password Reset Tokens
    • AI Under Siege: Discovering and Exploiting Vulnerabilities
    • Inside the Classroom: How We Hacked Our Way Past Authorization on a Leading EdTech Platform
    • How We Secured Our Client’s Platform Against Interaction-Free Account Thefts
    • Unchecked Privileges: The Hidden Risk of Role Escalation in Collaborative Platforms
    • Decoding Server Behavior: The Key to Mass Account Takeover
    • Exploiting JSON-Based CSRF: The Hidden Threat in Profile Management
    • How We Turned a Medium XSS into a High Bounty by Bypassing HttpOnly Cookie
  • IOS-AppSec
Powered by GitBook
On this page
  • Changing the Return Value in Methods
  • Flipping the Logic in Conditionals (IF-ELSE-GOTO Patching)
  • Deleting Code to Alter Game Logic
  • Changing Jump Instructions
  • Additional Method: Manipulating Currency in a Game

Was this helpful?

Edit on GitHub
  1. Android-AppSec
  2. SMALI

Smali Code Patching Guide

Changing the Return Value in Methods

Example: checkDebugger() Function

The original checkDebugger() function in smali checks whether a debugger is connected. By modifying this function, we can change its behavior to always return a specific result.

Original Code

.method public checkDebugger()Z
    .locals 1

    .line 30
    invoke-static {}, Landroid/os/Debug;->isDebuggerConnected()Z

    move-result v0

    return v0
.end method

In this case, the method returns the actual result of isDebuggerConnected(). To modify it, we can overwrite the value of v0 before returning it.

Modified Code

.method public checkDebugger()Z
    .locals 1

    .line 30
    invoke-static {}, Landroid/os/Debug;->isDebuggerConnected()Z

    move-result v0

    const v0, 0x0  # Overwrite the result to always be false

    return v0
.end method

Now, the method always returns false (represented by 0x0), no matter the actual result of the isDebuggerConnected() function.


Flipping the Logic in Conditionals (IF-ELSE-GOTO Patching)

Example: Processing getHit() Method in a Game

Here, we modify a method that processes a player getting hit, depending on whether the player has a shield. By flipping the conditional logic, we can change how the game behaves.

Original Code

.method public getHit()V
    .locals 3

    .line 37
    iget-boolean v0, p0, Lcom/apphacking/smalitwo/Player;->shield:Z

    const/4 v1, 0x0
    const/4 v2, 0x1

    if-ne v0, v2, :cond_0  # If shield is not active, go to cond_0

    .line 39
    iput-boolean v1, p0, Lcom/apphacking/smalitwo/Player;->shield:Z
    goto :goto_0

    .line 42
    :cond_0
    iget v0, p0, Lcom/apphacking/smalitwo/Player;->lives:I
    sub-int/2addr v0, v2
    iput v0, p0, Lcom/apphacking/smalitwo/Player;->lives:I

    .line 44
    if-lez v0, :cond_1

    .line 46
    iput-boolean v2, p0, Lcom/apphacking/smalitwo/Player;->state:Z
    goto :goto_0

    .line 49
    :cond_1
    iput-boolean v1, p0, Lcom/apphacking/smalitwo/Player;->state:Z

    .line 52
    :goto_0
    return-void
.end method

In this code, when the player has a shield (if-ne v0, v2), they don't lose lives. To flip this logic, we can change the if-ne to if-eq so that now the player will lose lives when they have a shield.

Modified Code

.method public getHit()V
    .locals 3

    .line 37
    iget-boolean v0, p0, Lcom/apphacking/smalitwo/Player;->shield:Z

    const/4 v1, 0x0
    const/4 v2, 0x1

    if-eq v0, v2, :cond_0  # If shield is active, go to cond_0 (Flipped Logic)

    .line 39
    iput-boolean v1, p0, Lcom/apphacking/smalitwo/Player;->shield:Z
    goto :goto_0

    .line 42
    :cond_0
    iget v0, p0, Lcom/apphacking/smalitwo/Player;->lives:I
    sub-int/2addr v0, v2
    iput v0, p0, Lcom/apphacking/smalitwo/Player;->lives:I

    .line 44
    if-lez v0, :cond_1

    .line 46
    iput-boolean v2, p0, Lcom/apphacking/smalitwo/Player;->state:Z
    goto :goto_0

    .line 49
    :cond_1
    iput-boolean v1, p0, Lcom/apphacking/smalitwo/Player;->state:Z

    .line 52
    :goto_0
    return-void
.end method

Now, the game logic is reversed, and the player loses lives when they have a shield.


Deleting Code to Alter Game Logic

In some cases, you can remove certain instructions to alter the game behavior entirely.

Example: processGame() Method in Java

public void processGame() {
    // Create new Player Object
    Player player = new Player();
    if (player.hasItem(MasterCap)) {
        player.power += 100;
    } else {
        player.power += 10;
    }
}

In smali, this code translates into conditional logic that adds power based on whether the player has the MasterCap.

Original Smali Code

.method public hasItem(Lcom/apphacking/smalitwo/Player;)V
    .locals 1
    .param p1, "player"    # Lcom/apphacking/smalitwo/Player;

    .line 15
    iget-boolean v0, p1, Lcom/apphacking/smalitwo/Player;->masterCap:Z

    if-eqz v0, :cond_0  # Check if the player does not have the MasterCap

    .line 17
    iget v0, p1, Lcom/apphacking/smalitwo/Player;->power:I
    add-int/lit8 v0, v0, 0x64  # Add 100 power
    iput v0, p1, Lcom/apphacking/smalitwo/Player;->power:I

    goto :goto_0

    .line 20
    :cond_0
    iget v0, p1, Lcom/apphacking/smalitwo/Player;->power:I
    add-int/lit8 v0, v0, 0xA   # Add 10 power
    iput v0, p1, Lcom/apphacking/smalitwo/Player;->power:I

    .line 23
    :goto_0
    return-void
.end method

By removing the if-eqz line, the game will always give the player 100 power, regardless of whether they have the MasterCap.

Modified Code

.method public hasItem(Lcom/apphacking/smalitwo/Player;)V
    .locals 1
    .param p1, "player"    # Lcom/apphacking/smalitwo/Player;

    .line 17
    iget v0, p1, Lcom/apphacking/smalitwo/Player;->power:I
    add-int/lit8 v0, v0, 0x64  # Always add 100 power
    iput v0, p1, Lcom/apphacking/smalitwo/Player;->power:I

    .line 23
    return-void
.end method

By eliminating the condition, the player now gets a 100 power boost unconditionally.


Changing Jump Instructions

Jump instructions (goto, if-*) can be modified to change how the program flow behaves.

Example: Modifying GOTO

In the same method, we can alter the jump instruction to make the player gain 110 power instead of choosing between 100 or 10.

Original Code

goto :goto_0

Modified Code

goto :cond_0  # Redirect to give both 10 and 100 power

Now the program first adds 10 power and then immediately adds 100 power, giving a total of 110.


Additional Method: Manipulating Currency in a Game

New Method: increaseCurrency()

This method will increase the player's in-game currency.

.method public increaseCurrency()V
    .locals 2

    .line 25
    iget v0, p0, Lcom/apphacking/smalitwo/Player;->currency:I
    const/16 v1, 0x3E8  # Add 1000 currency
    add-int/2addr v0, v1
    iput v0, p0, Lcom/apphacking/smalitwo/Player;->currency:I

    .line 

28
    return-void
.end method

Now the player will receive 1000 in-game currency every time this method is called.

PreviousSMALI Cheat SheetNextIntent Redirection Vulnerability

Last updated 7 months ago

Was this helpful?

πŸ“±