Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Lucky patcher, how can I protect from it? [duplicate]

I know this topic has been opened multiple times and I learnt a lot but I stumbled across a problem I really need advice on.

I'm using LVL with Obfuscation. I changed the default LVL ALOT so that anti-LVL does not break it. However, Lucky Patcher with one click breaks it! I tried to see the new broken APK. Yes it simply called my "allow method".

My question is if someone can recommend a way to prevent Lucky Patcher from breaking it? I know I can't make it bullet-proof, but I want it at least to be not so easy for one-click software.

like image 426
Snake Avatar asked Nov 18 '12 23:11

Snake


People also ask

Can I get caught using Lucky patcher?

While it's unlikely that you'll get sued or put in jail for these actions, you can get banned from games that catch you using Lucky Patcher. Keep in mind that app and game developers depend on the money they earn from in-app purchases and ads.

How do I completely remove lucky patcher?

You need to go to the /data/app folder and delete a . odex file relating to that app. Once done just reboot your device.

Does lucky patcher harm your device?

Lucky Patcher is an unsafe application. These kinds of applications, due to their characteristics, offer no guarantee that they are respectful of your data or your device. Here are some of the reasons why we think so.


2 Answers

Code to check your certificate:

public void checkSignature(final Context context) {     try {         Signature[] signatures = context.getPackageManager().getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES).signatures;          if (signatures[0].toCharsString() != <YOUR CERTIFICATE STRING GOES HERE>) {             // Kill the process without warning. If someone changed the certificate             // is better not to give a hint about why the app stopped working             android.os.Process.killProcess(android.os.Process.myPid());         }     }      catch (NameNotFoundException ex) {         // Must never fail, so if it does, means someone played with the apk, so kill the process         android.os.Process.killProcess(android.os.Process.myPid());     } } 

Next how to find which one is your certificate. You must produce an APK, in release mode, as the debug certificate is different from the release one. Output your certificate into your Logcat:

signatures[0].toCharsString(); 

Remember that when you are back to debug mode, the certificate is different again. To avoid debug issues use next line to skip the verification:

if ((context.getApplicationContext().getApplicationInfo().flags &= ApplicationInfo.FLAG_DEBUGGABLE) != 0)     return; 

Next the lucky patcher checker. I decompiled all versions of Lucky Patcher, and I've found that its creator used 2 package names between all realeases. So you only need to keep track of new versions and keep adding future package names.

private boolean checkLuckyPatcher() {     if (packageExists("com.dimonvideo.luckypatcher"))         return true;      if (packageExists("com.chelpus.lackypatch"))         return true;      if (packageExists("com.android.vending.billing.InAppBillingService.LACK"))         return true;      return false; }  private boolean packageExists(final String packageName) {     try {          ApplicationInfo info = this.getPackageManager().getApplicationInfo(packageName, 0);          if (info == null) {             // No need really to test for null, if the package does not             // exist it will really rise an exception. but in case Google             // changes the API in the future lets be safe and test it             return false;         }          return true;     }     catch (Exception ex) {         // If we get here only means the Package does not exist     }      return false; } 
like image 197
PerracoLabs Avatar answered Sep 18 '22 04:09

PerracoLabs


As of current version (6.4.6), Lucky Patcher generates very short token. For example, real purchase token:

felihnbdiljiajicjhdpcgbb.AO-J1OyQgD6gEBTUHhduDpATg3hLkTYSWyVZUvFwe4KzT3r-O7o5kdt_PbG7sSUuoC1l6dtqsYZW0ZuoEkVUOq5TMi8LO1MvDwdx5Kr7vIHCVBDcjCl3CKP4UigtKmXotCUd6znJ0KfW 

And that is Lucky Token:

kvfmqjhewuojbsfiwqngqqmc 

Pretty straight forward solution is to check string length of token

@Override public void onIabPurchaseFinished(IabResult result, Purchase info) {     if (info.getToken().length < 25) {         Log.wtf("PIRATE", "PIRATE DETECTED");         return;     } } 
like image 20
Dima Rostopira Avatar answered Sep 17 '22 04:09

Dima Rostopira