“Receive” invite for Hound voice assistant

  • Tutorial

Many have seen a demo video of the Hound personal assistant, who is as powerful as possible and even ahead of such well-known applications as Google Now and Siri. Hound is also available for free download on Google Play (in the US), but, unfortunately, it is under development and requires an invite at startup.

Immediately my hands were combed over urgently to test this miracle, and, tired of waiting for an invite by mail (about a minute later), I took up the debugger ... which I never needed, because everything turned out to be simpler, but about it in order.

Note: I am not a professional Android developer, cracker, etc., everything is done to satisfy my own curiosity and at my own risk. Report any inaccuracies in the comments or in private messages.

First of all, you need to get the apk file with the application. You can search the Internet, but we are not looking for easy ways. I downloaded the latest version from Google Play and pulled out the application from the /data/app/com.hound.android.app-1 folder (requires administrator rights, i.e. root).

Any application for Andoid is an apk file, which is actually a renamed zip archive. If you open it with any archiver, we will see the following picture:

Consider the contents in more detail:
  • assets - stores a variety of files that the application can use at its discretion, for example, in our case there are fonts
  • lib - third-party libraries are stored here in the form of .so files.
  • META-INF - this contains metadata about the apk file, such as the SHA1 hash of each file and the signature of the developer. Therefore, you cannot change the application without breaking the signature. You can sign it again with your signature, but Android will not allow it to be installed on top of the original version, so it must be removed before installation.
  • res - here are some application resources, such as images and xml files containing information about the appearance of the application.
  • AndroidManifest.xml - all service information about the application, version, permissions and much more.
  • classes.dex - but what we need is that all the application executable files (classes) written in the Java language are packed into this file.
  • resources.arsc are also application resources, only in compiled form, but I don’t know how they differ from those in the res folder.

We are fortunate that almost the entire application, with the exception of third-party libraries, is written in Java, which means we do not need to sit in the debugger and disassemble the low-level code.

Now you need to unpack classes.dex and try to get the code out of it. For this we use Apktool . From the “Install” page, download the executable jar file, as well as a wrapper for using it from the command line. It is enough to copy both files to the application folder (or add to the environment variable) and run the following command:

apktool -r decode имя_файла.apk

The -r option is necessary so as not to waste time unpacking resources that we will not edit.

Now in the folder of the same name with the application name, we already see a little more than in the archiver. The classes.dex file is now missing, and instead the smali folder appears, in which the classes are stored as text files. But hey, where's Java? Around there are some files with the extension .smali, which store something remotely similar to assembler.

This is the Dalvik opcode language into which Java code is compiled. There are applications that can try to restore the source code from these files, but then you need to change this code later, and rebuilding from Java code is a thankless task. Therefore, we will understand the smali code, since it is quite understandable, and also the function names remained intact in it. Which we will use.

Find the code that is responsible for accessing the application. Knowing the name of the application and the English language, it becomes clear that the main classes of the application are in the smali / com / hound / android / appcommon folder . The problem is to find the place where the invite is checked. File search will help us, for example, in Windows you can use the command:

findstr /s /i /m искомая_строка *.*

The code can contain either “invite” or “invitation”, so we will remove the last letter from the word and look for “invit”. Bingo, here it is, the isInvitationComplete () method in the smali / com / hound / android / appcommon / app / Config.smali file :

.method public isInvitationComplete()Z
    .locals 2
    .line 578
    const v0, 0x7f080174
    const v1, 0x7f0b001f
    invoke-direct {p0, v0, v1}, Lcom/hound/android/appcommon/app/Config;->getBoolean(II)Z
    move-result v0
    return v0
.end method

It requests a Boolean variable from the application parameters and returns its value. But why do we need such difficulties! Let's always return true . Replace “move-result v0” with “const / 4 v0, 0x1” and save the file. Let's hope that the whole application relies on this little function, which from now on will consider us full beta testers.

It remains only to assemble the application back. We use the wonderful Apktool utility again:

apktool -r build имя_папки

Do not forget that we need the entire folder unpacked before that, and not just smali . After apktool finishes work, go to this folder, then to dist , where the assembled apk file is located.

And it will not work, or rather, it will not be installed. We changed the contents of the application, which means the signature is now invalid. You must re-sign the application. If you are an Android developer, you can use your own signature and Android SDK. But many do not have either one, they can use a test signature, and separately taken from the SDK utility signapk.jar. There is also a sign.jar utility that already has a signature built in. It is enough to run the following command:

java -jar sign.jar имя_файла.apk

Next appears the file file_name.s.apk , which will be the signed application. We upload it to the device, install it, and enjoy the fully working application!

And you can just find on the Internet a patched version that someone recently posted.

Also popular now: