iGO Navigation 9.35.2.250945 (2021.02.02) - "WORLD"

**lunapark** · 23rd February 2021, 05:17 PM

it seems possible to add additional UXs but not replace the existing ones in the obb archives,
however we can get around this restriction with a little trick

like for example to personalize the ux speedcam.zip with a similar name :

rename it as speedcams.zip and and also the internal path ux/speedcams/

add a dependency in info.ini

[INFO]
dependencies="+speedcam"

update the global.ui to load first a new lua file

import "~/common/ui/check_plugins.lua"

import "~/common/ui/speedcam_models.lua"
import "~/common/ui/speedcam.css"

import "~/common/ui/i_speedcam.lui"
import "~/common/ui/speedcam_base.lui"
import "~/common/ui/speedcam_flow.lui"

import "~/common/ui/i_speedcam.lua"
import "~/common/ui/speedcam_base.lua"
import "~/common/ui/speedcam_flow.lua"

import "~/common/ui/speedcam.ui"
import "~/common/ui/speedcam_mods.ui"
import "~/common/ui/speedcam.lua"
import "~/common/ui/speedcam_obs.ui"

this lua must unload previous speedcam.zip by containing this line

ui.Plugin:unload("speedcam")

that's all I found while waiting for a version of the apk to be available that does not require the two obb files

**alcdl0** · 8th March 2021, 01:55 PM

Hello I patch a long time ago igo in ARM for IOS. I think, like it's arm based too, it's a similar code. At one moment in the code, they check for and md5 checksum in additional file.
__text:003751B4 ADD R1, R6, #0x14 ; void *
__text:003751B8 MOV R2, #0x10 ; size_t
__text:003751BC BL _memcmp

To bypass just set R2 register with 0 instead 0x10 and it will accept all files (map and so on).
To open all option, there is a boolean check that return 1 to activate or 0 to deactivate

**roedi** · 8th March 2021, 02:39 PM

Yep that's 32 as for 64 is way different.
How did you get to the above code, via debugger or just disassembler?
If it was via ida/android remote then it didn't work out for me, but via disassembler what string did you trace? is it one with licensing? as i have over 100 of them..
i did reduce or improve the default license compatibility, hide unhide invalid content, no trial expiration anymore and some other non related to the real license.
'couse via debugger i can't debug it, even i made the ig apk debug enable and tried debugging with ida pro hex-rays 7.5 (deleted i don't have it or need it anymore), JEB Decompiler 3.19.1 Pro, some other chinese debugger old. NOTHING worked !

So i quit it for over a week ago since without debugging i have to spend a lot of time in disassembler and i do have other things to attend to beside that.
last time in ghidra i checked those
007e5e38 str x8=>s_licensing_01e09eca,[sp, #local_88] DATA
00812c14 str x8=>s_licensing_01e09eca,[sp, #local_278] DATA
0080f864 str x8=>s_licensing_01e09eca,[sp, #0x8] DATA

for ghidra use this it has Debugger !
[Only registered and activated users can see links. ]

then to save correctly ELF or PE (without importing as raw binary anymore) use this
[Only registered and activated users can see links. ]

Spoiler: pic

happy patching guys !

**alcdl0** · 8th March 2021, 06:01 PM

Just by IDA dessassembler
If you give me a link with the version you look I can search for a patern (FLIRT)

Roedi if a 32nits arm version of this igo version exists (look first into it). It will be more easy and after finding it You can extrapolate the place where is the code involved in the 64bits.
Because the source code is sutrly the same.

**roedi** · 8th March 2021, 06:39 PM

Ghidra iGO Navigation_v9.35.2.250945 (aarch64) = 949 MB (995,667,968 bytes)
It's a lot of analyzing..

Will be faster if grab the apkpure.com XAPK link from upper posts and analyze it.

btw i will ask again "what string" did you search/select/function for/in order to do the..
of course only if you are willing to share that!

**alcdl0** · 8th March 2021, 08:08 PM

It's a long time ago. I need to reopen the software. Sure I will do to help you in next days.

**Boki** · 8th March 2021, 09:43 PM

Guys, you are trying, but I get the impression that you are not familiar with the concept of iGO functioning.
Simply patching software, in this case, is not simple. iGO does not have a retail edition. It is dependent on licenses in every possible way and at every level.
Read [Only registered and activated users can see links. ].
Meanwhile, with the advent of the Luna release, the situation has gotten even worse.

I mean - whatever you do with the software, if you don't have the proper licenses and interact with them - nothing.
...try to read between the lines...

**alcdl0** · 9th March 2021, 12:48 PM

@Boki, I think tamper with the check that accept the license file.
@Roedi perhaps, it's not to this thread
The serach made is from 1D04F24 licennse/d_fingerprint.txt
1E94A96 license/
In IOS the string was license/%s. The more similar in the apk saw is license/%d. It is a "l" 00 00 00 "i" 00 00 00 "c" 00 00 00 and so on string. The size on IOS version tampered was 15mb and armv7.

__text:004EAE90 ADD R5, SP, #0x28+var_20
__text:004EAE94 MOV R4, R1
__text:004EAE98 MOV R1, #0xCB066C <= ref "l" 00 00 00 "i" 00 00 00 "c" 00 00 00 "e" 00 00 00 "n" 00 00 00 "s" 00 00 00 "e"
__text:004EAEA0 MOV R0, R5
__text:004EAEA4 BFC R2, #0, #1
__text:004EAEA8 ADD R10, SP, #0x28+var_18
__text:004EAEAC BL sub_3A200
__text:004EAEB0 MOV R0, #0x8140

mine license/%s

the check is some several bytes after in

_text:004F3A80 loc_4F3A80 ; CODE XREF: sub_4F3590+4A4↑j
__text:004F3A80 MOV R0, R8 ; void *
__text:004F3A84 LDR R1, [SP,#0x80+var_6C] ; void *
__text:004F3A88 MOV R2, #0 ; size_t size word #10 before patching it
__text:004F3A8C BL _memcmp
__text:004F3A90 MOV R2, #0
__text:004F3A94 MOV R11, R0
__text:004F3A98 LDR R0, [SP,#0x80+var_54]

Send me a private mes
sage and we can get in contact. The main idea will be to have the armv7 version and armv8 but start with the v7

**roedi** · 9th March 2021, 03:01 PM

@alcdl0 Thanks
I will fire up the ghidra..a bit later..

Still this one has 36mb..and as you saw is full with license/licensing/licence. That's why when i saw the quantity of them..

I checked earlier version as armv7, but on my Android 11 is slow, very slow compared with the latest one armv8 aarch64 that is flying !
alcdl0 i tried to debugg it as is the fastest way to score, but for me it seems that nothing worked at least a breakpoint or even a trace.
whatever what i noticed that the team behind iGO managed to hide some info regarding errors, and that put further break(s) on the matter..

btw the code is changed form armv7 to armv8 32bit and 64bit, i checked. the code has been changed since last one available here on gpspower iGO_World_9.18.27.736653.

so for you the "license/" is the culprit?!
i think that without functional debugger, the iGO is possible to have another check(s) that i cant trace, and the apk will soon exit after patch.

i will reply if any news. and yes is better private.
merci beaucoup

**lunapark** · 9th March 2021, 03:08 PM

the version currently available for armv7 is as follows iGO Navigation v9.35.2.252289

[Only registered and activated users can see links. ]

the version for armv8 should logically be in the first post

What interests me now is not cracking the software to use it with other licenses, but only to be able to either not depend on the two obb files, or to be able to hope for message # 22 from alcdl0 from consider bypassing somehow the checksum test of these two files in order to modify them to reintegrate them into the system, the question will be to know if it is possible to reconstitute a fully functional obb, or if it will be necessary to 're-sign' this file type as with an apk

Thread: iGO Navigation 9.35.2.250945 (2021.02.02) - "WORLD"

Thread Tools

Display

Advertissements

Tags for this Thread

Bookmarks

Bookmarks

Posting Permissions