Patching the apk
The original 3.12 clients are designed to serve only as an EOS notice. However, the functionality is still (mostly) there, so we can patch them to work.
This document outlines the necessary steps and how to do them, should you need to make your own clients. It assumes we start with stock clients. You can get these by dumping the app from the Google Play Store or from other apk distribution sites.
Patching android binary¶
Note that some of these steps will not be necessary depending on what you started with and what you want to do.
Also note that some commands might become outdated after the tools are updated. If this is the case, try getting the specific version used or try to adapt the command yourself.
Unpacking the apk¶
The first step is to unpack the apk so we can modify it.
We will do this with apktool, version 2.9.3 to be exact.
We can either use the wrapper or the .jar directly. Of course, Java will be necessary.
Open up a terminal (command prompt) in the same directory (folder) as the .apk and run the following:
apktool d LLAS_GL_3.12.0.apk
After unpacking, you should have a folder that has the same name as the .apk except for the extension, so LLAS_GL_3.12.0 in our case.
The LLAS_GL_3.12.0.apk is just the file name; here it refers to LLAS, GL, version 3.12.0, but you can rename the apk to pretty much anything.
After that, you can make the relevant modifications, then finally repack it.
Patching the binary to unlock the game features¶
By default, the game only shows the EOS screen. Helpfully for us, the developers left everything in, and the EOS screen is triggered by a check function. To make the game work, we need to patch away this check. Furthermore, some features are also time-sensitive, so they require or will require other checks later on.
Easy way out¶
You can use these clients that have the binary patch in them, and do the later modification steps if necessary.
Directly edit the binaries¶
The file we need to patch is libil2cpp.so. We can find it in LLAS_GL_3.12.0/lib/arm64-v8a/ (64 bit), or LLAS_GL_3.12.0/lib/armeabi-v7a/ (32 bit).
We will need to change some specific bytes in the libil2cpp.so file to make the client work.
The tool and the relevant patch for editing are here. Either build the tool and run it with the relevant patch, or make the edit manually using any binary editor.
Doing things properly¶
If we want to make other binary modifications, then we have to understand things properly. This is a very in-depth topic, so here is a summary and some resources to get started:
- SIFAS uses il2cpp with Unity. This means that their higher-level code eventually gets compiled to C/C++ code, and then machine code (.so).
- This is done for better performance, but it also allows us to use the various reverse engineering tools that are developed for il2cpp.
- More precisely, Il2CppInspector and Il2CppDumper can read the project and provide more information.
- So we can set up libil2cpp.so inside Ghidra, and see what the code is doing more easily.
- After that, we can analyse the code and see what the game is actually doing, and then perform the relevant modification.
- The prepared patch explains what we need to do; you can look at the same address in Ghidra to see the difference.
- If you want to do modifications, it might be better to directly patch the binary rather than doing the modification in Ghidra then exporting it.
Patching the RSA key and the server address¶
The RSA key and server address are stored in the global-metadata.dat of the apk. So in our case, we can find it at LLAS_GL_3.12.0/assets/bin/Data/Managed/Metadata/global-metadata.dat.
In short, this is just the way the game stores string literals, and we need to edit the relevant strings:
- The server address is the URL or the IP of the server; it's just the address that the client connects to.
- The RSA key is used in communication between the client and the server.
  - The client has the public key, and the server has the private key.
  - Because we don't have the private key for the public key that comes with the client, we have to generate our own private-public key pair.
  - And then we have to change the public key for the client.
Using the MetaData String Editor GUI¶
First download MetaData String Editor.
It is written in C#, and the .exe needs Windows to run.
To change the address string, open the tool, then press the top left button and open up the global-metadata.dat file. You can find it in:
You will see many strings. Search for the current values using the textbox at the top. Double click on the string, click on the popup thing, and you will see another window pop up. You can edit that data to any other data. You will need to change:
- The server address:
  - For gl client, the original address is "https://gl-real-prod-8f2jln5l4evlw5l1.llas.bushimo.jp/ep3120"
  - For jp client, the original address is "https://jp-real-prod-v4tadlicuqeeumke.llas.bushimo.jp/ep3120"
  - For elichika's clients, the original address is "http://127.0.0.1:8080" or "http://localhost:8080".
  - You can change the address to anything you want, but keep in mind the following:
    - Do not have / at the end of the address.
    - For https, you might run into problems with trust certificates if you don't set things up properly.
- The RSA key:
  - Both gl and jp clients use the same original RSA key, the prefix is: "v2VElqvCwrhdiXJ"
  - Elichika's RSA key is:
    <RSAKeyValue><Modulus>1r6QjkBr1hIGrgq95ZEEDnXqCYa+81hvhejsGoUcfCZ/kkngBuUbq8/rqRfoFVEZOmDRG8DKrhtfFoWQyftqycCrQj8ELQeGCQJFtdXg+eljb3HDP8Zzzh+9YXJHNIswCYfMFYXlBHP90QniFfZqfERVSqK9V1uJU8EyxHMismU=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>
  - The key is in XML format, so if you want to use your own RSA keys then you have to convert them.
After editing the data, click the bottom right button to change it. After that, click the middle button on the top left of the program. Save the metadata as some other file, as you can't overwrite the current file. After that you can close the tool, remove the original global-metadata.dat and rename the new file to global-metadata.dat.
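For the XML conversion mentioned in the RSA key notes above, here is an added example (not part of the original docs or of any of the tools named here) that converts a standard PEM "BEGIN PUBLIC KEY" RSA key into the RSAKeyValue XML form using only the Python standard library. The function names are hypothetical; the reverse direction is included so the converter can be checked against the XML key quoted on this page.

```python
import base64
import re

RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # DER AlgorithmIdentifier: rsaEncryption, NULL
# Sample input: the XML public key quoted on this page
ELICHIKA_XML = "<RSAKeyValue><Modulus>1r6QjkBr1hIGrgq95ZEEDnXqCYa+81hvhejsGoUcfCZ/kkngBuUbq8/rqRfoFVEZOmDRG8DKrhtfFoWQyftqycCrQj8ELQeGCQJFtdXg+eljb3HDP8Zzzh+9YXJHNIswCYfMFYXlBHP90QniFfZqfERVSqK9V1uJU8EyxHMismU=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"

def _tlv(tag, body):
    """DER-encode one tag/length/value element."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def _read(buf, pos, tag):
    """Read the DER element at pos, check its tag, return (value, next_pos)."""
    if buf[pos] != tag:
        raise ValueError(f"expected DER tag {tag:#x} at offset {pos}")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return buf[pos:pos + n], pos + n

def _b64(raw):
    """Base64 of a DER INTEGER value with its leading sign byte (0x00) dropped."""
    return base64.b64encode(raw.lstrip(b"\x00")).decode()

def pem_to_xml(pem):
    """Convert a 'BEGIN PUBLIC KEY' (SubjectPublicKeyInfo) RSA key to RSAKeyValue XML."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    spki, _ = _read(der, 0, 0x30)
    if not spki.startswith(RSA_ALG_ID):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    bits, _ = _read(spki, len(RSA_ALG_ID), 0x03)
    rsa, _ = _read(bits, 1, 0x30)  # bits[0] is the BIT STRING unused-bits count
    n_raw, pos = _read(rsa, 0, 0x02)
    e_raw, _ = _read(rsa, pos, 0x02)
    return (f"<RSAKeyValue><Modulus>{_b64(n_raw)}</Modulus>"
            f"<Exponent>{_b64(e_raw)}</Exponent></RSAKeyValue>")

def xml_to_pem(xml):
    """Inverse direction, used to check the converter against the key on this page."""
    n, e = (int.from_bytes(base64.b64decode(re.search(f"<{t}>(.*?)</{t}>", xml).group(1)), "big")
            for t in ("Modulus", "Exponent"))
    ints = b"".join(_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (n, e))
    b64 = base64.b64encode(_tlv(0x30, RSA_ALG_ID + _tlv(0x03, b"\x00" + _tlv(0x30, ints)))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"
```

Only the public key goes into the client; the matching private key stays with your server.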
Using the MetaData String Editor CLI¶
Instead of the GUI, you can use the Metadata String Editor CLI, which can replace strings or edit strings by id.
It also comes with the relevant patches for SIFAS.
Changing the package name, app name, and icon¶
Aside from changing metadata and binary, we can also change a few things about the app itself.
Changing the package name¶
If you want to keep multiple clients, either for testing or for playing on multiple servers, you will have to change the package name, as Android systems don't allow multiple apps with the same package name.
To do this, you need to change the manifest file at LLAS_GL_3.12.0/AndroidManifest.xml.
Assume the package name is com.klab.lovelive.allstars.global, and we want to change it to com.klab.lovelive.allstars.global.mod. Then we have to change every instance of com.klab.lovelive.allstars.global to com.klab.lovelive.allstars.global.mod, except for the instance that says com.klab.lovelive.allstars.global.GlobalUnsafeMainActivity.
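A plain find-and-replace would also rewrite the activity class name, so the rule above needs a guarded substitution. The following is an added example (not from the original docs); the function name and the manifest fragment are constructed for illustration, and the guard that skips already-renamed occurrences goes beyond what the text describes so that running it twice is harmless.

```python
import re

OLD = "com.klab.lovelive.allstars.global"
NEW = "com.klab.lovelive.allstars.global.mod"
KEEP = ["com.klab.lovelive.allstars.global.GlobalUnsafeMainActivity"]

# Constructed manifest fragment (not copied from the real apk); the provider
# entry stands in for any other attribute that embeds the package name.
SAMPLE = '''<manifest package="com.klab.lovelive.allstars.global">
  <application>
    <activity android:name="com.klab.lovelive.allstars.global.GlobalUnsafeMainActivity"/>
    <provider android:authorities="com.klab.lovelive.allstars.global.fileprovider"/>
  </application>
</manifest>
'''

def rename_package(text, old=OLD, new=NEW, keep=KEEP):
    """Replace old with new everywhere except inside the names listed in keep.

    Returns (new_text, number_of_replacements).
    """
    # Suffixes that, when they directly follow the old name, mean "leave this one alone".
    skip = [re.escape(k[len(old):]) + r"\b" for k in keep if k.startswith(old)]
    if new.startswith(old) and new != old:
        skip.append(re.escape(new[len(old):]) + r"\b")  # already renamed
    guard = "(?!" + "|".join(skip) + ")" if skip else ""
    # The lookbehind stops matches that start in the middle of a longer dotted name.
    pattern = r"(?<![\w.])" + re.escape(old) + guard
    return re.subn(pattern, lambda m: new, text)
```

Apply it to the text of LLAS_GL_3.12.0/AndroidManifest.xml before repacking, and check that the returned count matches the number of occurrences you expected to change.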
Changing the app name¶
To change the app name, you will have to change the field "app_name" to what you want in LLAS_GL_3.12.0/res/values/strings.xml.
Changing the app icon¶
You can also modify the icon in LLAS_GL_3.12.0/res/mipmap... Note that this depends on your DPI, so you might have to edit them all.
Repacking the apk¶
First, use apktool to build the .apk:
apktool b LLAS_GL_3.12.0
After apktool is done, you can find the output .apk at LLAS_GL_3.12.0/dist/LLAS_GL_3.12.0.apk
However, this .apk is not complete; we need to sign it before it can be installed on standard devices.
The easiest way to do this is to use uber-apk-signer. If you know how to do it in other ways (e.g. with apksigner), feel free to do so.
Download uber-apk-signer-
java -jar uber-apk-signer-<version>.jar -a LLAS_GL_3.12.0/dist/LLAS_GL_3.12.0.apk
You can find the output apk in the same folder as the input one:
LLAS_GL_3.12.0/dist/LLAS_GL_3.12.0-aligned-debugSigned.apk
After this, you can install that .apk. If you already have a version of SIFAS, you might get an error saying that the signature doesn't match. You can uninstall the old version or change the client package name to have a different app entirely.
Patching Android client to new address with frida¶
It's possible to use frida to change the address and avoid having to patch the .apk, as demonstrated by sarah in the LL Hax discord. If you don't want to use the above patching process, you might want to try that.