├── AI_Mate.py
├── LICENSE
├── README.md
└── src
├── C5#1.mp4
└── C5#2.mp4
/AI_Mate.py:
--------------------------------------------------------------------------------
1 | import base64
2 | import hashlib
3 | import hmac
4 | import json
5 | import time
6 | import re
7 | import os
8 | import logging
9 | from mitmproxy import http, ctx
10 |
11 | def JWT_Token():
12 | payload = {
13 | "deviceId": "19kic05ge2j2aeai",
14 | "appVersion": "1.19",
15 | "platform": "android",
16 | "applicationBuildCode": "35",
17 | "originalDeviceId": None,
18 | "iat": int(time.time()),
19 | "exp": int(time.time()) + 30
20 | }
21 | enc_payload = base64.urlsafe_b64encode(json.dumps(payload).encode("utf-8")).decode("utf-8")
22 | header = {"alg": "HS256", "typ": "JWT"}
23 | enc_header = base64.urlsafe_b64encode(json.dumps(header).encode("utf-8")).decode("utf-8")
24 | msg = f"{enc_header}.{enc_payload}"
25 | sign = hmac.new(b"site-secret#Nerd!01", msg.encode("utf-8"), hashlib.sha256).digest()
26 | enc_sign = base64.urlsafe_b64encode(sign).decode("utf-8").rstrip("=")
27 | token = f"{enc_header}.{enc_payload}.{enc_sign}"
28 | return token
29 |
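class AI_mate:
    """mitmproxy addon that re-authenticates AI Mate API traffic with a locally minted JWT.

    For any request under ``api`` whose last path segment is one of
    ``_token_endpoints``, the ``Authorization`` header is replaced with a fresh
    ``Bearer`` token from ``JWT_Token()``. ``create-user`` additionally has the
    ``deviceId`` in its JSON body pinned to ``device_id`` so the body and the
    token name the same device. Everything else passes through untouched.

    Security note: this works only because the backend accepts HS256 tokens
    signed with a shared secret embedded in this script (presumably recovered
    from the Android client); the server-side fix is to stop trusting a
    client-held signing key.
    """

    api = "https://prod.aimate.online/v1/api/"
    # deviceId written into the create-user body; keep it equal to the JWT's claim
    device_id = "19kic05ge2j2aeai"
    # endpoints whose Authorization header is replaced
    _token_endpoints = frozenset({"create-user", "conversations", "resume"})

    def request(self, flow: http.HTTPFlow) -> None:
        """mitmproxy ``request`` hook: rewrite a client request before it is forwarded.

        Args:
            flow: the in-flight HTTP flow; only ``flow.request`` is modified.
        """
        url = flow.request.pretty_url
        if self.api not in url:
            return  # not AI Mate traffic; leave it alone
        # Last path segment with the query string and any trailing slash removed,
        # so ``.../conversations?page=2`` still dispatches.
        endpoint = url.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
        if endpoint not in self._token_endpoints:
            return
        if endpoint == "create-user":
            try:
                body = json.loads(flow.request.text)
            except (TypeError, json.JSONDecodeError):
                body = None  # no body at all (None) or not JSON
            if not isinstance(body, dict):
                # Leave the request untouched rather than attach a token to a body
                # the backend will reject anyway. Stdlib logging rather than the
                # deprecated ``ctx.log``; mitmproxy (>= 10) forwards it to its
                # event log -- on older versions use ``ctx.log.error`` instead.
                logging.getLogger(__name__).error(
                    "create-user body is not a JSON object; request left unmodified (%s)", url
                )
                return
            body["deviceId"] = self.device_id
            flow.request.text = json.dumps(body)
        flow.request.headers["authorization"] = f"Bearer {JWT_Token()}"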
49 |
# mitmproxy's script loader registers every object in this module-level
# ``addons`` list, which is how the class above receives the ``request`` hook.
addons = [AI_mate()]
51 |
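# Matches a JSON ``"token": "..."`` field; compiled once rather than per frame.
_TOKEN_FIELD = re.compile(r'"token":\s*"([^"]*)"')


def _resign_token_field(text: str, token: str) -> str:
    """Return *text* with every ``"token": "..."`` field's value replaced by *token*.

    The replacement is a callable so *token* is inserted literally; a string
    replacement would have ``re.sub`` interpret backslashes and ``\\g<...>``.
    """
    return _TOKEN_FIELD.sub(lambda _m: f'"token": "{token}"', text)


def websocket_message(flow: http.HTTPFlow) -> None:
    """mitmproxy ``websocket_message`` hook: swap the ``token`` field of a text frame for a fresh JWT.

    Runs for frames in both directions. Only the most recent frame on the flow is
    examined, which (per mitmproxy's hook contract) is the frame just received.
    Frames that are not valid UTF-8 -- i.e. binary payloads -- are skipped instead
    of crashing the hook, as are text frames that never mention ``token``.

    Args:
        flow: the HTTP flow carrying the upgraded WebSocket connection.
    """
    message = flow.websocket.messages[-1]
    try:
        text = message.content.decode("utf-8")
    except UnicodeDecodeError:
        return  # binary frame; nothing to rewrite
    if "token" not in text:
        return
    message.content = _resign_token_field(text, JWT_Token()).encode("utf-8")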
58 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | BSD 3-Clause License
2 |
3 | Copyright (c) 2022, dedshit
4 | All rights reserved.
5 |
6 | Redistribution and use in source and binary forms, with or without
7 | modification, are permitted provided that the following conditions are met:
8 |
9 | 1. Redistributions of source code must retain the above copyright notice, this
10 | list of conditions and the following disclaimer.
11 |
12 | 2. Redistributions in binary form must reproduce the above copyright notice,
13 | this list of conditions and the following disclaimer in the documentation
14 | and/or other materials provided with the distribution.
15 |
16 | 3. Neither the name of the copyright holder nor the names of its
17 | contributors may be used to endorse or promote products derived from
18 | this software without specific prior written permission.
19 |
20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Apk-Modding-challenge
2 | 30 small APKs, each around 10–20 MB (none larger than 30 MB).
3 |
4 | no time to do this shit
5 |
6 | ## If your device architecture is old you might see this
7 |
8 | 
9 |
10 |
11 | This is a well-known annoyance for 32-bit users.
12 |
13 | To remove that warning, either build apktool from source or patch the string inside the jar, overwriting it with spaces of exactly the same byte length so that no offsets shift.
14 |
15 | 1) extract `apktool.jar` using the `jar` command
16 | 2) use `xxd`/`hexdump` to find the byte offset of that string
17 | 3) overwrite the bytes at that offset with `dd` (use `conv=notrunc` and the exact offset — a wrong offset, or a truncated output file, corrupts the jar)
18 | 4) rebuild
19 |
20 | 
21 |
22 | 
23 |
24 | 
25 |
26 | 
27 |
28 |
29 | 
30 |
31 | 
32 |
33 | 
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 | ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ
43 |
44 | ### Goal -
Knowledge is a must.
45 | - [x] *Remove Ads*
46 | - [x] *Bypass In-app purchase*
47 |
48 |
49 | ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ
50 |
51 | ### Requirements
52 |
53 | - [x] Apktool
54 |
55 | ### Inspired by Bin32, apkunpacker, euzada & many pro guys 🧠...
56 | ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ
57 |
58 |
59 |
60 | *Day 1*
61 |
62 | **Resistor Color Code Calculator**
63 |
64 | 
65 | ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ
66 |
67 |
Solution
68 |
69 | - *Decompile the APK*
70 | - *Use grep to search for the relevant strings and resource IDs*
71 | - *Any text editor works; I used **vim**.*
72 | - *sed & awk are optional helpers*
73 | - *Modify the code*
74 | - *Recompile*
75 |
76 | For this APK, `resources.arsc` yields some interesting strings:
77 |
78 | 
79 |
80 | - ***res/values/strings.xml: Premium User*** — its resource ID is **0x7f0e009b**
81 |
82 | - `grep -ir 0x7f0e009b tmp --color`
83 |
84 | 
85 |
86 |
87 | two methods
88 |
89 |
90 | 
91 |
92 | - **Method 1**
93 |
94 |
95 | - *force the boolean to **true** by replacing `move-result v3` with `const/4 v3, 0x1`*
96 |
97 | - **Method 2**
98 |
99 |
100 | - *goto com/jedemm/resistorcalculator/App$a*
101 |
102 | 
103 |
104 |
105 | - *replace **sget-boolean** with **sput-boolean** and add `const/4 v0, 0x1` directly below **.locals 1**, so the flag is written as true instead of being read*
106 |
107 | - *Recompile it using apktool*
108 |
109 | 
110 | 
111 |
112 |
113 |
114 | ## 2nd
115 |
116 | 
117 |
118 | Solution
119 |
120 |
121 | [](https://user-images.githubusercontent.com/62318734/159942517-bac17e27-40b1-4e03-8bab-c2c1e0c69283.mp4)
122 |
123 | ### Unlocking Gold theme
124 |
125 | 
126 |
127 |
128 | - ***com/aefyr/sai/billing/DonationStatus.smali***
129 |
130 | 
131 |
132 |
133 |
134 |
135 |
136 |
137 |
138 | - ***change `if-ne` to `if-eq`, or the `if-ne p0` branch to `if-eqz p0`***
139 |
140 | 
141 |
142 |
143 |
144 | ### Hide ***Support Sai***
145 |
146 |
147 |
148 | 
149 |
150 | - ***com/aefyr/sai/ui/fragments/PreferencesFragment.smali***
151 |
152 | 
153 |
154 |
155 | - **change `const/4 p2, 0x1` to `const/4 p2, 0x0`**
156 |
157 | 
158 |
159 |
160 | ### 3rd
161 |
162 | 
163 |
164 |
165 | Nothing useful in `resources.arsc`; instead, ***donated3*** turned up in the smali.
166 |
167 | 
168 |
169 | - goto ***smali_classes2/com/silentlexx/ffmpeggui/config/Config.smali***
170 |
171 | 
172 |
173 | - search for the string ***donated3*** using vim's regex search
174 | - either flip the boolean from false to true in the ***getBool*** method, or in ***getDonated*** replace `move-result` with a `const/4` that sets the register to 1 (true)
175 | - recompile it
176 |
177 |
178 | For signing, use uber-apk-signer; be aware that Google Play Protect will warn about the re-signed APK.
179 |
180 |
181 |
182 | Alternatively, you may sign with my keystore to avoid the Play Protect warnings. Be aware that a keystore published in a repository is not a secret: anyone who holds it can sign an APK that installs as an update over yours, so use it only on throwaway test devices.
183 |
184 | 
185 |
186 | 
187 |
188 |
189 | 
190 |
191 |
192 |
193 | ### 4th
194 |
195 | 
196 |
197 |
198 | #### solution
199 |
200 |
201 | 
202 |
203 |
204 | - ***smali/com/smokyink/smokyinklibrary/pro/licence/DefaultFeatureManager.smali***
205 |
206 | 
207 |
208 |
209 | - change *if-nez* to *if-eqz*. **The same thing can be achieved by removing the condition entirely**
210 | - recompile
211 |
212 | # Before
213 | 
214 | # After
215 | 
216 | 
217 |
218 |
219 | # 5
220 |
221 | 
222 |
223 | 
224 |
225 | ### solution
226 |
227 |
228 | - Decompile the APK
229 | - search for the text of this toast message
230 | - find its resource ID
231 | - grep for that ID in the smali and patch the code that uses it
232 |
233 |
234 | [](https://player.vimeo.com/video/692934120?h=16dfe012f9&badge=0&autopause=0&player_id=0&app_id=58479)
235 |
236 | [](https://player.vimeo.com/video/692946381?h=ae557748b7&badge=0&autopause=0&player_id=0&app_id=58479)
237 |
238 |
239 |
240 |
241 | - `grep -r 0x7f1200fc --color`
242 |
243 | 
244 |
245 |
246 | [](https://player.vimeo.com/video/692984086?h=6618b4cce9&badge=0&autopause=0&player_id=0&app_id=58479)
247 |
248 |
249 |
250 |
251 |
252 | https://user-images.githubusercontent.com/62318734/160352852-c7507200-1cc0-4022-b347-927c5863ce6d.mp4
253 |
254 |
255 |
256 |
257 |
258 | https://user-images.githubusercontent.com/62318734/160353280-dff1427f-0c2b-413f-ade6-9f6553f76078.mp4
259 |
260 |
261 |
262 | ### If the rebuilt APK will not install, delete the `unknown` and `META-INF` folders before building — `META-INF` holds the original signature, which no longer matches the modified contents — and re-sign the result.
263 |
264 | # 6
265 |
266 | 
267 |
268 | ### solution
269 |
270 | - before decompiling, remove apktool's cached framework APK to avoid problems caused by a stale framework
271 |
272 | 
273 | 
274 |
275 |
276 |
277 |
278 | https://user-images.githubusercontent.com/62318734/161417057-71ce779c-5c98-434a-81eb-30eaed67e33e.mp4
279 |
280 |
281 | https://user-images.githubusercontent.com/62318734/161417127-ad03b382-0c3e-41e2-a7d4-0e7b4c588020.mp4
282 |
283 |
284 | # AstroTalk
285 |
286 | ## Bypassed via response manipulation — the premium state is decided client-side from the server's reply, so rewriting that reply in the proxy unlocks it
287 |
288 |
289 | 
290 |
291 |
292 | # For demo
293 |
294 |
295 |
296 | https://github.com/dedshit/AstroTalk-PoC.git
297 |
298 | # PrepLadder
299 |
300 | 
301 |
302 |
303 | ## SecretKey: 6120e6224d4127aee7d0b1f6a2d77d6e
304 | ## Mode: CBC
305 | ## KeySize: 256
306 | ## IV: 750e579bbdec194f
307 |
308 |
309 |
310 | https://user-images.githubusercontent.com/62318734/225829000-2e060b1c-1cb7-48db-bd97-8fc3e17cd4e5.mp4
311 |
312 | # Business Standard
313 |
314 | 
315 |
316 | # **OTP bypass — the OTP is returned to the client, so anyone who can read the response can complete login for that account (account takeover)**
317 |
318 | 
319 | 
320 |
321 | ## Api : `https://bsnodeapinew.business-standard.com/auth/signup-login-with-otp`
322 |
323 |
324 | # AI Mate
325 |
326 |
327 | 
328 |
329 |
330 |
331 | https://github.com/dedshit/Apk-Modding-challenge/assets/62318734/f8444510-59e6-47d7-ae3a-812bf359eb27
332 |
333 |
334 |
--------------------------------------------------------------------------------
/src/C5#1.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dedshit/Apk-Modding-challenge/979d112f36d22afc45058e6dacd5fc88e1afcfdf/src/C5#1.mp4
--------------------------------------------------------------------------------
/src/C5#2.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dedshit/Apk-Modding-challenge/979d112f36d22afc45058e6dacd5fc88e1afcfdf/src/C5#2.mp4
--------------------------------------------------------------------------------