@calvinbui
Forked from freyta/tutorial.md
Created April 13, 2019 03:13
Patching the 7Eleven 1.7.1 APK for mock location, root and "foreign APK" installation

Required files:

- jadx -> https://github.com/skylot/jadx/releases
- APK Easy Tool to easily decompile/recompile the APK -> https://forum.xda-developers.com/android/software-hacking/tool-apk-easy-tool-v1-02-windows-gui-t3333960
- 7 Eleven Fuel App APK ripped off your phone or downloaded from here -> https://apkpure.com/7-eleven-fuel/au.com.fuel7eleven
- A Google Maps API key -> https://developers.google.com/maps/documentation/android-sdk/signup

I'll be explaining how to remove the mock location check and allow root access for version 1.7.1 in this little guide.

Step 1 - Install the downloaded APK onto your phone and open it up. What happens? It closes straight away. Bugger! Let's take a look at our code and see what could be causing that.

Step 2 - Decompile the APK with APK Easy Tool, then drag and drop the APK you ripped or downloaded into jadx so it opens it up, and let it index the app.

Allowing "foreign" APKs to be installed

Step 3 - Inside of jadx search for the word "exit". Scroll down until you see the nodes starting with "au.com.seveneleven". You will see a line that says "System.exit(0);". Double click on that and it will lead you to a file called au.com.seveneleven.ui.activities.MainActivity, which is where the program is made to quit when it is started or resumed. If you look at the code, it initially sets the value of i to 1 (which is "true"), and then it searches through an array of 2 rows which says where the APK was installed from. On older phones the Google Play Store used the string "com.google.android.feedback", whereas new phones use "com.android.vending". If you just install the APK with a file browser or with ADB it simply returns a null value. Therefore, if you didn't install the APK from the Google Play Store it will set the value of i to 0 (false) and then quit the program. So what do we do? Simple, there are two options: we can make it so i is always 1, or we can just remove the code that quits the program.

Step 4 - I'll show you both methods. For the first one, open the file smali/au/com/seveneleven/ui/activities/MainActivity.smali in your editor and search for the words "onResume()". It should lead you to around line 4003, which says ".method protected onResume()V". If you look at the top it says const/4 v0, 0x1 and const/4 v5, 0x0. This means that the variable v0 equals 1 and that v5 equals zero. If we scroll down a few lines we find the words we were interested in, "com.google.android.feedback" and "com.android.vending". Here (lines 4012 onwards) is where it creates the array; eventually you will see the lines "if-eqz v2, :cond_8" and "if-eqz v1, :cond_8". This is where the check happens. So let's jump down to cond_8, which for me is line 4260, and there you will see that it moves v5 to v0. That means that we are setting v0 to equal 0 (or false), that's not good! Let's set v0 to equal 1 (true), so overwrite line 4261 with the following (no quotes) "const/4 v0, 0x1".

Step 4.2 - The second method is pretty simple too. On line 4263 it says "goto/16 :goto_0"; this means we need to scroll back up until we see the start of :goto_0, which is around line 4052. Simply delete the 3 lines following the :goto_0, and that's all you need to do! It should now read as follows:

    :goto_0
    :cond_0
    sget v0, Landroid/os/Build$VERSION;->SDK_INT:I

Now you can install the APK on your phone without it closing on boot.

Removing the mock location check

Step 5 - If you read my last tutorial you'll know we should now search for "mock locations" in jadx to find where the mock location check takes place. So open the file au.com.seveneleven.ar.c and you will see that we are again in an if statement. All that this statement does is check if we are using mock locations and, if we are, show the error, submit to the vmob tracker that we used a mock location and then eventually close the app. So we will pretty much just copy what we did in Step 4.2 by deleting the whole statement. After opening smali/au/com/seveneleven/ar/c.smali in your editor, again search for "Mock Locations" and it should lead you to the start of cond_6, which is around line 1240.

If you scroll up you will see that there are multiple if statements, and if any of them do not equal zero (i.e. they are true) then it will display the mock location error. So what we can do is delete all of these checks, starting from the first one, and delete cond_6 as well. From the start of cond_5 (where the checks start), which for me is line 1179, highlight until the start of cond_7 (for me it is line 1258 and reads "goto/16 :goto_1"), which is where the mock location error part ends, and simply delete them all. Note: You need to have a line that says ":cond_5" otherwise you will get compilation errors.

Boom! Mock location checks are passed. Now onto the root bypass.

Allow rooted phones to use the APK

Step 6 - Again we need to search in jadx for a keyword, this time we will search for "root". There is a match in the file au.com.seveneleven.ay.aa. So double click the line that says "a.a("Error", "Rooted", Build.MODEL);" and it will land us where we need to search.

Step 6.1 - Open the file smali/au/com/seveneleven/ay/aa.smali in your editor and then select all of :cond_2 and simply replace it with the words "return-void", meaning that the method returns without a value and does nothing. Bang! Root check is patched too. How super simple was that?
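Seen from the defender's side, each edit in Steps 4 to 6.1 leaves a trace in the smali of a repackaged build. The Python below is an added example, not part of the original gist or the app's own code: it audits decompiled smali for those traces. The `audit`, `method_body` and `after_label` names are hypothetical, the fragments in `CLEAN` are constructed from the tutorial's description of version 1.7.1 (registers and surrounding instructions are assumptions), and it assumes the "Rooted" report sits in the block that Step 6.1 replaces.

```python
import re

P = "smali/au/com/seveneleven/"  # file locations as named in the tutorial
MAIN, MOCK, ROOT = P + "ui/activities/MainActivity.smali", P + "ar/c.smali", P + "ay/aa.smali"
EXIT_CALL = "Ljava/lang/System;->exit(I)V"
INSTALLERS = ("com.google.android.feedback", "com.android.vending")

def method_body(smali, signature):
    """Text between '.method ... <signature>' and '.end method', or ''."""
    m = re.search(r"^\.method [^\n]*" + re.escape(signature) + r"\n(.*?)^\.end method",
                  smali, re.S | re.M)
    return m.group(1) if m else ""

def after_label(body, label):
    """Instruction on the line directly after a label, or None."""
    m = re.search(r"^\s*" + re.escape(label) + r"\s*\n\s*([^\n:.][^\n]*)", body, re.M)
    return m.group(1).strip() if m else None

def audit(files):
    """files maps smali path -> text; returns findings that suggest tampering."""
    resume = method_body(files.get(MAIN, ""), "onResume()V")
    checks = [  # (condition that holds in an untouched build, finding if it fails)
        (all(s in resume for s in INSTALLERS), "installer strings missing from onResume"),
        (EXIT_CALL in resume, "System.exit call missing from onResume"),
        (after_label(resume, ":cond_8") != "const/4 v0, 0x1", ":cond_8 sets v0 to 1"),
        ("mock locations" in files.get(MOCK, "").lower(), "mock-location string missing"),
        ('"Rooted"' in files.get(ROOT, ""), "root report string missing"),
    ]
    return [finding for ok, finding in checks if not ok]

# Constructed fragments modelled on the tutorial's description of 1.7.1;
# they are not extracted from the real APK.
CLEAN = {
    MAIN: """.method protected onResume()V
    const/4 v0, 0x1
    const/4 v5, 0x0
    const-string v3, "com.google.android.feedback"
    const-string v4, "com.android.vending"
    if-eqz v2, :cond_8
    :goto_0
    if-nez v0, :cond_0
    invoke-static {v5}, Ljava/lang/System;->exit(I)V
    :cond_0
    return-void
    :cond_8
    move v0, v5
    goto/16 :goto_0
.end method""",
    MOCK: 'const-string v1, "Mock Locations"', ROOT: 'const-string v2, "Rooted"'}
```

Label names such as `:cond_8` are regenerated on every decompile, so the label check only applies to the 1.7.1 layout the tutorial describes; the string and call checks are the ones that carry over between builds.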

Enabling Google Maps API

Step 7 - Go to https://developers.google.com/maps/documentation/android-sdk/signup and sign up for an API key with the Maps SDK for Android enabled. Or be a cheeky bugger and "borrow" someone else's who hasn't signed their APKs properly.

Step 7.1 - Open the file "strings.xml" located in the res/values/ folder and search for , replace the default value with your key.

Step 8 - Recompile your app again, transfer it to your phone and look at the results! Congratulations, you've successfully modified your 7 Eleven app! What next? Now you can just download the APK off the comments section because it looks like too much work to do it all manually ;o). But thanks for reading if you got this far anyway!

Step 9 - ???

Step 10 - Profit


I find it a good idea to have 2 copies of jadx open while modifying APKs to see if the changes I made are what I intended them to be. For instance, if you delete just 1 of the if statements from step 5, you can see where in the code you are.
