π How to Bypass Geo Restrictions in Android Apps and Games
Β π How to Bypass Geo Restrictions in Android Apps and Games
π Background:
In Android apps and games, geo-related information is commonly retrieved via TelephonyManager methods such as:
– getNetworkOperatorName() / getSimOperatorName() β Operator/Carrier Name (e.g., “AT&T”)
– getNetworkOperator() / getSimOperator() β PLMN (MCC+MNC, e.g., “310410”)
– getNetworkCountryIso() / getSimCountryIso() β Country ISO code (e.g., “US”)
π TelephonyManager API:
https://developer.android.com/reference/android/telephony/TelephonyManager
At the smali level we can patch the code right after the invoke-virtual call and the move-result-object so that the register that received the string result is overwritten with a fixed string (dummy/fake values). Below are example regex searches and the replacement snippets to inject constant strings.
π οΈ Smali Patching Instructions
1οΈβ£ Spoofing Carrier Name
π Search Pattern (Regex):
(invoke-virtuals{(?:[pv]d+)},sLandroid/telephony/TelephonyManager;->get(?:Network|Sim)OperatorName()Ljava/lang/String;n(?:s(?:[.#][^n])?n)smove-result-objects([pv]d+))(?:nnsconst-strings2,s".")?
βοΈ R
eplace With:
$1nn
tconst-string $2, "AT&T"
This
overrides the result of getNetworkOperatorName() or getSimOperatorName() with a hardcoded carrier name.
2οΈβ£ Spoofing PLMN (MCC+MNC)
π Search Pattern (Regex):
(invok
e-virtuals{(?:[pv]d+)},sLandroid/telephony/TelephonyManager;->get(?:Network|Sim)Operator()Ljava/lang/String;n(?:s(?:[.#][^n])?n)smove-result-objects([pv]d+))(?:nnsconst-strings2,s".")?
βοΈ Replace
With:
$1nntcons
t-string $2, "310410"
This sets
the MCC+MNC code to “310410″ (AT&T USA).
3οΈβ£ Spoofing Country ISO
π Search Pattern (Regex):
(invoke-virt
uals{(?:[pv]d+)},sLandroid/telephony/TelephonyManager;->get(?:Network|Sim)CountryIso()Ljava/lang/String;n(?:s(?:[.#][^n])?n)smove-result-objects([pv]d+))(?:nnsconst-strings2,s".")?
βοΈ Replace With:
$1nntconst-stri
ng $2, "US"
This forces the
app to believe the device is located in the United States.
π§ Why These Regex Patterns Are Powerful
These regexes are designed with advanced smali parsing in mind. Here’s what makes them robust and reliable:
1. β Comprehensive Matching: They capture all possible TelephonyManager calls, even if debug directives, annotations, or comments are present or absent.
2. π Multi-line Resilience: Whether debug info appears single line or across multiple lines, the regex still matches accurately without breaking.
3. π Safe Reapplication: You can apply these regexes repeatedly without stacking duplicate replacements or injecting dummy code fragments.
π Notes:
1. Because this modifies smali code (dex disassembly), it will not work if the app uses native code, runtime-decrypted strings, or has tamper-proofing/encryption/packing that prevents straightforward smali patching.
2. This technique changes only the returned string values at the smali level. It does not handle other checks the app may make (e.g., location APIs, server-side verification, or other device identifiers).
3. To obtain MCC+MNC codes, you can check out the following resources.
– π Website:
https://mcc-mnc.net β A comprehensive database of Mobile Country Codes (MCC) and Mobile Network Codes (MNC).
– π¦ GitHub Repository:
https://github.com/P1sec/MCCMNC β An open-source collection of MCC/MNC data maintained by the community.
βββββββββββββββββββ
π£ Main Channel: @TDOhex
π±Second Channel: @AndroidPatches
π¬ Discussion Group: @TDOhexDiscussion
βββββββββββββββββββ
