| title | tags |
|---|---|
| LDPlayer AIO (Debloat, AdBlock, Magisk Root, Custom Rom, Burp Suite, Mitmproxy) | ldplayer, android |
- Brain 🧠 [NOT OPTIONAL]
- LDPlayer
- ADB (optional, included in LDPlayer Root Folder)
- Apk Files
- Launcher3.apk / Rootless Pixel Launcher
- Root Explorer [mirror] [4pda mirror]
- X-Plore File Manager
- Kitsune Mask / Magisk Apk
- Aurora Store (optional)
- AdAway (root) (optional)
- Burp Suite
- MitmProxy or Install MitmProxy Using VirtualEnv
- Certs Folder Location
  - `/system/etc/security/cacerts` (older than Android 14)
  - `/apex/com.android.conscrypt/cacerts/` (Android 14+)
- File Explorer on Windows (of course)
- Powershell / CMD Terminal
Open LDPlayer Settings and Enable Root and System Read Write
To debloat LDPlayer we need to first uninstall the App Store and the Launcher. We will require adb, root access and read write access to system for this.
To do this we need to locate the launcher apk file and remove it.
Type adb shell whoami to check that we have adb working properly.
Note: If adb returns that there are no devices, open the LDPlayer settings and change ADB to Local Connection once. If it is still not working, try setting it to Remote and then Local once again.
Once we have adb working we will require root shell
Getting a Root Shell in LD Player is Easy. Enable Root from LD Player Settings and then use adb.exe from LD Player.
Open Task Manager and look for LD Player process, and right click Open File... then in the address bar type cmd to open a prompt.
Let's use adb to connect to the device:

```
adb shell
# it should show a shell
# if not try changing between the adb "local" and "remote" in LD Player settings
```

then type

```
su
# super user will ask for perms, choose yes, let's check
whoami
# root
```

Now let's run adb as root

```
adb root
# adb will restart as root, let's check
adb shell whoami
# root
```

Let's remount the system as read-write so we have a writable /system path.
Fact❕ If you're new to android / linux filesystems, this is the root of the android rom, this is where the android rom is stored.
```
adb root
# restarting adb as root
adb remount
# remounting system read write
```

LD Player comes with a lot of ads and bloatware, i.e. store apps etc. We need to remove it to increase performance and also remove any apps that might use the network.
Let's find the apk files that belong to LD Store and the Launcher, because these are the only apps that have advertisements.
Let's check /system --> /app, /priv-app for the apk.

```
adb shell ls /system/app
# ...
# Launcher3
```

We have found the launcher, i.e. Launcher3, so now we need to find the store app. Let's use the pm command for this one:
```
adb shell pm list packages
# ...
# package:com.android.ld.appstore
# ...
# package:com.ldmnq.launcher3
```

You will notice instantly that we have a launcher package com.ldmnq.launcher3 and com.android.ld.appstore that have ld in them.
Or we can just ls /system --> /priv-app

```
adb shell ls /system/priv-app
# ...
# LDAppStore
```

We can see LDAppStore, which we need to remove.
Let's remove the app store first

```
# be sure you're root
adb root && adb remount
# remove the app
adb shell rm -fr /system/priv-app/LDAppStore
adb shell pm uninstall com.android.ld.appstore
```

Now let's replace the launcher3 apk. First get one of the above mentioned launchers (or get your own preferred launcher, idk) and copy the apk to a folder (like C:\Tools\Emu\launcher.apk)
Then we remove the old apk and place the apk of that launcher in the system instead.
Push the app to the device

```
adb push "C:\Tools\Emu\launcher.apk" /sdcard/launcher.apk
```

We will now remove the original Launcher3.apk and replace it with this apk.
Warning
⚠️ DO NOT NAME IT SAME AS OLD APK! NAME IT launcher.apk or launcher2.apk but not the same as the old apk, i.e. Launcher3.apk
```
adb shell ls /system/app/Launcher3/
# Launcher3.apk
# ⚠️ HIGHLY IMPORTANT !!
# we stat the apk first
adb shell stat /system/app/Launcher3/Launcher3.apk
# File: `/system/app/Launcher3/Launcher3.apk'
# Size: 10349775 Blocks: 20216 IO Blocks: 512 regular file
# Device: 802h/2050d Inode: 3945 Links: 1
# Access: (666/-rw-rw-rw-) Uid: ( 2000/ shell) Gid: ( 2000/ shell)
# Access: 2024-12-20 08:10:05.011859333
# Modify: 2024-12-20 08:10:05.025192666
# Change: 2024-12-20 08:10:05.025192666
# so it has perms 666 and owner 2000 and gid 2000
# copy the app
adb shell cp /sdcard/launcher.apk /system/app/Launcher3/launcher.apk
# remove old apk
adb shell rm /system/app/Launcher3/Launcher3.apk
# ⚠️ HIGHLY IMPORTANT OR WONT WORK !!
# set perms we got from stat
adb shell chmod 666 /system/app/Launcher3/launcher.apk
# for older android versions try (just in case)
adb shell pm uninstall com.ldmnq.launcher3
```
⚠️ WARNING If Your Emulator shows "Starting" and keeps looping follow the permission setting chmod steps correctly.
Restart LD Player, and now you have a new clean launcher!
Now you've cleaned the LD Player and might want this as the default clean rom for all your LD Player devices. Let's make this the LD Player Rom for all devices!
First Open LD Player installation folder, then Terminate LD Player.
Once done, check the vms folder for your vm name. Usually it's leidianA where A is the number.
Open the folder and copy the system.vmdk file.
Next Go to the LD Player root folder and rename system.vmdk to system.vmdk.old, and paste the copied system.vmdk file.
This is what it will look like. Now run the dnmultiplayer exe, or open the LDMultiPlayer app from Start, then create an instance.
Your new android vm is completely ad-free!
Oftentimes we want to use LD Player with Burp Suite and other tools for intercepting HTTPS requests from apps.
Android apps often use SSL pinning to protect against third party certificates and interception.
But sometimes injecting frida into an app isn't as easy as copying over frida-gadget and calling a script. (like [1], [2], [3]), Crap it's lot of work for me!
Instead, injecting into system certs allows us to intercept all requests, regardless of the app!
First and foremost let's export the CA certificate of the proxy.
- For Burp Suite choose
  - Proxy --> Settings --> Certificates --> Import / Export CA Certificate --> Export Certificate in DER format --> `burp.der`
- For MitmProxy
  - look for `mitmproxy-ca.pem` under `~/.mitmproxy` of your OS once after you run it.

Converting it to our desired format, i.e. DER, requires the openssl command-line tools (for Windows users check here). Then follow these instructions.
Note:
- We require a `DER` version and a `PEM` version of the certs
- `DER` are in cert binary form
- `PEM` are in cert base64 encoded form with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` headers
- `CER` is just a file extension used by Windows for certificates, can be a der or a pem (mostly der).
Burp Suite exports its public certificate as burp.der. Converting it to CER is required for Burp.

```
# convert to CER first
openssl x509 -inform DER -in burp.der -out burp_ca.cer
```

Next we need to get the cert hash
- Burp

  For Burp we need to use the public key cer to get the subject hash

  ```
  # generate hash
  openssl x509 -inform PEM -subject_hash_old -in burp_ca.cer | head -1
  # c8750f0d
  ```

- Mitmproxy

  ```
  # generate hash
  openssl x509 -inform PEM -subject_hash_old -in mitmproxy-ca.cer | head -1
  # c8750f0d
  ```
Then copy the certs over to Android after renaming them to the `hash.0` filename.
For mitmproxy we copy the .cer file

```
cp mitmproxy-ca.cer c8750f0d.0
# Remount
adb shell whoami && adb root && adb remount
# Copy Cert
adb push c8750f0d.0 /system/etc/security/cacerts/
# Set cert permissions
adb shell chmod 644 /system/etc/security/cacerts/c8750f0d.0
```

Then reboot the device, and try to find the host gateway.
and proxy should work!
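
What `-subject_hash_old` computes, and why the file is named `<hash>.0`, shown as an added example that is not part of the original tutorial: the old-style hash is the first four bytes of the MD5 of the certificate's DER-encoded subject, read little-endian. The function names are hypothetical, and `sample_cert` builds a constructed, unsigned certificate skeleton so the script runs without a real CA.

```python
import base64, hashlib, re

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def to_der(data):
    """Accept PEM or DER input (a .cer file can be either) and return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def subject_der(cert_der):
    """Return the DER bytes of the subject Name, header included."""
    _, pos, _ = _tlv(cert_der, 0)      # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)    # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                    # optional [0] version field
        pos = end
    for _field in range(4):            # serial, signature alg, issuer, validity
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)
    return cert_der[pos:end]

def cacert_filename(data):
    """File name used in the cacerts folder: old-style subject hash plus '.0'."""
    digest = hashlib.md5(subject_der(to_der(data))).digest()
    return "%08x.0" % int.from_bytes(digest[:4], "little")

def _enc(tag, body):                   # DER TLV builder for the constructed sample
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def sample_cert(cn, serial=1):
    """Constructed, unsigned certificate skeleton (not a real CA)."""
    name = _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn))))
    alg = _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")
    validity = _enc(0x30, _enc(0x17, b"250101000000Z") * 2)
    tbs = _enc(0x30, _enc(0xA0, b"\x02\x01\x02") + _enc(0x02, bytes([serial]))
               + alg + name + validity + name)
    return _enc(0x30, tbs + alg + _enc(0x03, b"\x00"))

if __name__ == "__main__":
    print(cacert_filename(sample_cert(b"Constructed Demo CA")))
```

Because only the subject is hashed, the file name stays the same across serial numbers, validity dates and key material, so any certificate with the same subject maps to the same name.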
Magisk is an alternative root manager for android with extra features like modules, systemless root etc. For this tutorial we will install a basic version of it.
We will require Magisk apk (use above provided links)
Once Magisk is installed, run it, for root prompt "remember choice"
Go to Install --> Next and then close the app.
Open "App Info" for the app --> "Force Close"
Re-Open the app, Install --> Next now you'll see new options.
Click on "Direct Install /system"
Then click next to Install. Don't reboot.
Open an ADB terminal in the LD Player root folder and type the command to remount system read write

```
adb shell whoami && adb root && adb remount
```

Open Cyanogen File Manager or Root Explorer or X-Plorer or adb and delete the following files:
- `/system/xbin/su`
- `/system/bin/su`
I'll just use adb

```
adb shell whoami && adb root && adb remount
adb shell rm -f /system/xbin/su
adb shell rm -f /system/bin/su
```

and then reboot the vm, check magisk logs
If you find logs from magisk, we have successfully installed it!
First Enable Zygisk, Bootloop Protection, Magisk Hide and Enforce SuList from Magisk
Get latest LSPosed-zygisk from here and install from Magisk Modules and Reboot!
That's complete tutorial on LD Player. Follow CypherpunkSamurai for more.