WEBVTT

00:00.590 --> 00:06.830
Now, I don't know if you noticed it, but each time that I've successfully logged in, the new activity

00:06.830 --> 00:09.740
contains a message saying that the device is rooted.

00:10.810 --> 00:15.940
So we can also bypass root detection mechanisms just by changing the source code.

00:17.010 --> 00:18.270
I'll show you how you can do it.

00:21.380 --> 00:26.240
This time, we're going to use the APKLab extension for source code modification and signing.

00:27.430 --> 00:30.360
So go to Visual Studio Code.

00:31.740 --> 00:38.190
And to open the command palette, press Command Shift P or, for Windows, Control P.

00:39.910 --> 00:41.620
Click on APKLab.

00:43.920 --> 00:46.950
And choose the APK file of InsecureBank.

00:48.700 --> 00:52.120
Select decompile Java as your option.

00:53.850 --> 00:56.250
And look at that, it's decompiled now.

01:01.760 --> 01:03.280
So it opens in a new window.

01:05.370 --> 01:07.650
And here is the Java source code.

01:08.650 --> 01:11.740
Open the com and android folders.

01:14.380 --> 01:17.880
So there's also smali code under the smali folder.

01:19.540 --> 01:26.110
After the signing process, we'll need to change the smali code to see the modifications in the APK

01:26.110 --> 01:26.500
file.

01:28.380 --> 01:30.990
And we'll change the PostLogin activity.

01:34.130 --> 01:39.380
So first off, let's have a look at the Java source code to understand exactly what this method does.

01:41.460 --> 01:48.840
So there's a method that's called showRootStatus, and that returns a message based on whether the device

01:48.840 --> 01:50.040
is rooted or not.

01:51.390 --> 01:53.190
And then looking at this method.

01:54.190 --> 02:03.070
Two methods called doesSuperuserApkExist and doesSUexist, and these are used to determine if

02:03.070 --> 02:07.060
the device has been rooted. To bypass root detection,

02:08.050 --> 02:15.130
we can force a jump to always land at device not rooted just by changing the conditional jump.

02:16.700 --> 02:19.190
So let's open the smali code and make the changes.

02:20.990 --> 02:22.790
Search for cond_2.

02:27.990 --> 02:32.100
On line 450, there's a conditional jump.

02:34.350 --> 02:41.760
So it means that if not equal, jump to the device not rooted tag.

02:42.820 --> 02:47.690
If you map this to the previously decompiled Java files,

02:48.130 --> 02:56.650
this is a branch where if the two methods are true, then jump to rooted device, or else jump to device not

02:56.650 --> 02:57.100
rooted.

02:59.120 --> 03:06.830
So to force a jump to always land at device not rooted, we can change the conditional jump into a goto

03:06.830 --> 03:07.220
instruction.

03:09.270 --> 03:11.910
So first, we just need to disable this line.

03:13.670 --> 03:16.850
So to comment this line out, just add a hash (#) character.

03:18.590 --> 03:22.310
Then add a goto instruction to jump to cond_2 directly.

03:23.290 --> 03:25.960
And don't forget to add a space after goto.

03:27.530 --> 03:29.120
Now, save the changes.

03:30.600 --> 03:38.530
All right, so we're ready to rebuild and re-sign the APK file, so just right-click on the apktool.yml

03:38.580 --> 03:44.490
file and rebuild the APK file; select the --force-all option.

03:47.390 --> 03:50.480
OK, so APKLab is rebuilding

03:52.140 --> 03:53.520
using apktool.

03:55.400 --> 03:59.240
I'm going to merge the emulator and VS Code screens so that you can see it better.

04:02.680 --> 04:10.810
And what you're looking at is APKLab has signed, aligned and verified the APK file all in one step.

04:12.140 --> 04:20.320
The new APK file is under the dist folder, so now we're ready to install the APK file to the device,

04:20.930 --> 04:25.260
just make sure that you uninstall the old one before installing this new one.

04:25.810 --> 04:27.640
So we'll go to the dist folder and

04:27.640 --> 04:27.940
right-

04:27.940 --> 04:31.210
click on the new APK file and install the APK.

04:33.420 --> 04:36.240
OK, so the installation is successful.

04:37.230 --> 04:38.250
Let's open the app.

04:39.700 --> 04:41.340
Continue and OK.

04:42.900 --> 04:45.450
Now log into the app with the default credentials.

04:46.510 --> 04:49.630
And make sure that you configure the server IP.

04:51.830 --> 04:53.210
All right, click on Log in.

04:54.690 --> 05:01.660
And yep, just like that, you can see that we get the device not rooted message on the screen.

05:02.040 --> 05:02.750
What does that mean?

05:03.270 --> 05:06.360
We have bypassed root detection mechanisms successfully.
