├── AI_Mate.py ├── LICENSE ├── README.md └── src ├── C5#1.mp4 └── C5#2.mp4 /AI_Mate.py: --------------------------------------------------------------------------------
"""mitmproxy addon that appears to accompany the "AI Mate" entry of the README.

Security context (defender's view): every token this script produces is signed
with a symmetric HMAC secret that sits in the script as a string literal. A
secret that ships inside a client, or can be lifted from one, is effectively
public, so a server that verifies HS256 tokens with that secret cannot tell
app-issued tokens from tokens minted anywhere else. The fixes are server-side:
do not embed signing secrets in clients, issue tokens from the server
(asymmetric signing with a server-held private key, or opaque server-side
sessions), rotate any secret that has leaked, and treat client-supplied
identity claims such as "deviceId" as untrusted input.

Note: `os` and `logging` are imported but never used in this file.
"""
import base64
import hashlib
import hmac
import json
import time
import re
import os
import logging
from mitmproxy import http, ctx


def JWT_Token():
    """Build a freshly signed HS256 JWT string ("header.payload.signature").

    The payload carries fixed device/app identity fields plus ``iat`` = now and
    ``exp`` = now + 30 s, so each call yields a token that is valid for roughly
    half a minute. The signature is HMAC-SHA256 over "<header>.<payload>" keyed
    with the literal secret below.

    Returns:
        str: the three dot-separated base64url segments.
    """
    payload = {
        "deviceId": "19kic05ge2j2aeai",
        "appVersion": "1.19",
        "platform": "android",
        "applicationBuildCode": "35",
        "originalDeviceId": None,
        "iat": int(time.time()),
        "exp": int(time.time()) + 30  # short lifetime: a new token per call
    }
    enc_payload = base64.urlsafe_b64encode(json.dumps(payload).encode("utf-8")).decode("utf-8")
    header = {"alg": "HS256", "typ": "JWT"}
    enc_header = base64.urlsafe_b64encode(json.dumps(header).encode("utf-8")).decode("utf-8")
    msg = f"{enc_header}.{enc_payload}"
    # The signing secret is a hard-coded literal -- see the module docstring for
    # why that is the root security problem this script illustrates.
    sign = hmac.new(b"site-secret#Nerd!01", msg.encode("utf-8"), hashlib.sha256).digest()
    # Only the signature segment strips base64 '=' padding; the header and
    # payload segments above keep theirs.
    enc_sign = base64.urlsafe_b64encode(sign).decode("utf-8").rstrip("=")
    token = f"{enc_header}.{enc_payload}.{enc_sign}"
    return token


class AI_mate:
    """mitmproxy addon that rewrites requests whose URL contains ``api``.

    Only the last path segment of the URL is inspected; three endpoints are
    handled and every other request passes through untouched.
    """
    # URL prefix that selects the requests this addon touches.
    api = "https://prod.aimate.online/v1/api/"

    def request(self, flow: http.HTTPFlow) -> None:
        """mitmproxy ``request`` hook.

        For a matching URL, dispatch on the final path segment:
        - "create-user": parse the JSON body, overwrite its "deviceId",
          re-serialize it and set the Authorization header to a new token.
          A body that is not valid JSON is logged and left unmodified.
        - "conversations" / "resume": only set the Authorization header.
        Anything else is passed through unchanged.
        """
        # `not self.api in ...` works but is conventionally spelled
        # `self.api not in ...`.
        if not self.api in flow.request.pretty_url:
            ...  # no-op: not a request for the selected API
        else:
            match flow.request.pretty_url.split("/")[-1]:
                case "create-user":
                    try:
                        data = json.loads(flow.request.text)
                        data["deviceId"] = "19kic05ge2j2aeai"
                        flow.request.text = json.dumps(data)
                        flow.request.headers["authorization"] = f"Bearer {JWT_Token()}"
                    except json.JSONDecodeError:
                        # Uninformative log message; the request is forwarded
                        # without any modification in this branch.
                        ctx.log.error("Zzz")
                case "conversations":
                    flow.request.headers["authorization"] = f"Bearer {JWT_Token()}"
                case "resume":
                    flow.request.headers["authorization"] = f"Bearer {JWT_Token()}"


# mitmproxy addon registration list.
addons = [AI_mate()]


def websocket_message(flow: http.HTTPFlow):
    """Module-level mitmproxy ``websocket_message`` hook.

    Takes the most recent frame of the flow, decodes it as UTF-8 and, if the
    text contains "token", rewrites the value of every ``"token": "..."`` pair
    with a fresh JWT (``re.sub`` replaces all matches). Frames without "token"
    are left untouched.

    NOTE(review): a non-UTF-8 (binary) frame would raise UnicodeDecodeError
    here. Whether mitmproxy dispatches this function alongside the class-based
    addon in ``addons`` depends on how the script is loaded -- verify.
    """
    message = flow.websocket.messages[-1]
    dec = message.content.decode('utf-8')
    if "token" in dec:
        # re.DOTALL has no effect here: the pattern contains no '.'.
        mod_bytes = re.sub(r'"token":\s*"([^"]*)"', '"token": "%s"' % JWT_Token(), dec, flags=re.DOTALL).encode("utf-8")
        message.content = mod_bytes
-------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2022, dedshit 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | 1. Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | 2. Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | 3. Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 
19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Apk-Modding-challenge 2 | 30 small apks around 10-20Mb not >30 3 | 4 | no time to do this shit 5 | 6 | ## If your device architecture is old you might see this 7 | 8 | ![20220406_122147](https://user-images.githubusercontent.com/62318734/161913189-80b35701-f64b-4df2-b58b-8fdf8d716ce4.png) 9 | 10 | 11 | most annoying thing 32bit users knew it xd 12 | 13 | in order to remove that warning either build it from source or replace that string with empty space of same character length 14 | 15 | 1) extract apktool.jar using jar command 16 | 2) use xxd/hexdump to find offset of that string 17 | 3) use dd command for editing #note (exact offset needed otherwise consequences will be bad) 18 | 4) rebuild 19 | 20 | ![Screenshot_20220406-124018_Termux](https://user-images.githubusercontent.com/62318734/161916321-1b86b56a-1427-416b-8383-eec038991c15.png) 21 | 22 | ![Screenshot_20220406-124257_Termux](https://user-images.githubusercontent.com/62318734/161917304-090f4a08-951d-4130-a558-2baea86e7f4f.png) 23 
| 24 | ![Screenshot_20220406-125318_Termux](https://user-images.githubusercontent.com/62318734/161918697-c5fe0d82-12f1-4e73-9a31-d872057ffa5e.png) 25 | 26 | ![Screenshot_20220406-131404_Termux](https://user-images.githubusercontent.com/62318734/161922528-f28a10de-d030-4ab0-b335-aa4dbd09e05c.png) 27 | 28 | 29 | ![Screenshot_20220406-125547_Termux](https://user-images.githubusercontent.com/62318734/161919104-2d5f0df8-112b-4fa1-9a68-fc0a974be61e.png) 30 | 31 | ![Screenshot_20220406-130132_Termux](https://user-images.githubusercontent.com/62318734/161920253-8989c13f-3b17-4e39-aa5d-b16f3c858968.png) 32 | 33 | ![Screenshot_20220406-130341_Termux](https://user-images.githubusercontent.com/62318734/161920554-4f6dd72a-b8b2-43fb-844c-1bc5ac29af83.png) 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ 43 | 44 | ### Goal - knowledge is must 45 | - [x] *Remove Ads* 46 | - [x] *Bypass In-app purchase* 47 | 48 | 49 | ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ 50 | 51 | ### Requirements 52 | 53 | - [x] Apktool 54 | 55 | ### Inspired by Bin32, apkunpacker, euzada & many pro guys 🧠... 56 | ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ 57 | 58 | 59 | 60 | *Day 1* 61 | 62 | **Resistor Color Code Calculator** 63 | 64 | ![Screenshot_20220318-101945_Google Play Store](https://user-images.githubusercontent.com/62318734/158939543-ea2a7b37-3108-4456-9e93-79a7f63895e2.png) 65 | ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ 66 | 67 |

Solution

68 | 69 | - *Decompile the apk* 70 | - *Use grep for searching stuffs* 71 | - *Any text editor in my case i used **vim** coz its cool.* 72 | - *using sed & awk is optional* 73 | - *Modify the code* 74 | - *Recompile* 75 | 76 |

For this apk I got some interesting stuff from resource.arsc

77 | 78 | ![20220319_105716](https://user-images.githubusercontent.com/62318734/159108433-f258a81e-1489-4325-87dd-3f041b17929c.png) 79 | 80 | - ***res/values/strings.xml: Premium User*** its corresponding hex Id **0x7f0e009b** 81 | 82 | - `grep -ir 0x7f0e009b tmp --color` 83 | 84 | ![20220319_152200](https://user-images.githubusercontent.com/62318734/159116412-c76829bf-e8e9-457a-a9a0-430b867403e1.png) 85 | 86 | 87 |

two methods

88 | 89 | 90 | ![20220319_153423](https://user-images.githubusercontent.com/62318734/159116731-83b06779-c110-451d-9282-c554067aaf5a.png) 91 | 92 | - **Method 1** 93 | 94 | 95 | - *change boolean to **TRUE** by replacing move-result v3 to const/4 v3, 0x1* 96 | 97 | - **Method 2** 98 | 99 | 100 | - *goto com/jedemm/resistorcalculator/App$a* 101 | 102 | ![20220319_155924](https://user-images.githubusercontent.com/62318734/159117464-1b078ec4-3c93-4bb5-8692-aaf5883d4391.png) 103 | 104 | 105 | - *replace **sget-boolean** to **sput-boolean** and add const/4 v0, 0x1 below **.locals 1**** 106 | 107 | - *Recompile it using apktool* 108 | 109 | ![Screenshot_20220319-160846_RCC Calculator](https://user-images.githubusercontent.com/62318734/159117699-29e1d203-b0cb-4e63-9e13-da7e958a6faa.png) 110 | ![Screenshot_20220319-160852_RCC Calculator](https://user-images.githubusercontent.com/62318734/159117704-9d21a35d-43aa-49cb-9c8d-199ed3e59cf0.png) 111 | 112 | 113 | 114 | ## 2nd 115 | 116 | ![Screenshot_20220324-170306_Google Play Store](https://user-images.githubusercontent.com/62318734/159907680-c25ceada-a5ed-4708-9cda-89bb9977c186.png) 117 | 118 |

Solution

119 | 120 | 121 | [![000](https://user-images.githubusercontent.com/62318734/159939739-4284d286-f927-4b4a-9be3-b43575fe8b9d.png)](https://user-images.githubusercontent.com/62318734/159942517-bac17e27-40b1-4e03-8bab-c2c1e0c69283.mp4) 122 | 123 | ### Unlocking Gold theme 124 | 125 | ![20220324_224520](https://user-images.githubusercontent.com/62318734/159974165-bcfe54dc-b01b-4975-8e3c-1ea95cbbb0b9.png) 126 | 127 | 128 | - ***com/aefyr/sai/billing/DonationStatus.smali*** 129 | 130 | ![20220324_225551](https://user-images.githubusercontent.com/62318734/159975085-d8afcdae-4fb0-4b73-b1ca-e8a40f0a829f.png) 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | - ***change if-ne to if-eq or if-ne p0 to if-eqz*** 139 | 140 | ![20220324_232334](https://user-images.githubusercontent.com/62318734/159980184-ecad9cf5-e119-413c-8406-b7e6543fdb22.png) 141 | 142 | 143 | 144 | ### Hide ***Support Sai*** 145 | 146 | 147 | 148 | ![20220324_230812](https://user-images.githubusercontent.com/62318734/159977158-bbb2e0fa-a757-43ad-a045-2874e41f0ce1.png) 149 | 150 | - ***com/aefyr/sai/ui/fragments/PreferencesFragment.smali*** 151 | 152 | ![20220324_231658](https://user-images.githubusercontent.com/62318734/159978548-26c634f0-9cc4-46cf-8d1b-ee98a86d5748.png) 153 | 154 | 155 | - **change ***const/4 p2, 0x1 to const/4 p2, 0x0***** 156 | 157 | ![20220324_232356](https://user-images.githubusercontent.com/62318734/159979958-1c1c7b3a-bbfe-420a-a374-a5bab0fdc181.png) 158 | 159 | 160 | ### 3rd 161 | 162 | ![Screenshot_20220324-234704_Google Play Store](https://user-images.githubusercontent.com/62318734/159987415-19a7b044-8f62-4d27-b9ec-4948252c28e6.png) 163 | 164 | 165 | nothing in resource.arsc instead found ***donated3*** in smali* 166 | 167 | ![20220325_000444](https://user-images.githubusercontent.com/62318734/159987753-fc23fec5-95a1-40a0-8540-be08d28e0a16.png) 168 | 169 | - goto ***smali_classes2/com/silentlexx/ffmpeggui/config/Config.smali***
170 | 171 | ![20220325_001630](https://user-images.githubusercontent.com/62318734/159989232-3bdb4d80-0106-45d5-946e-6e0ce33abcec.png) 172 | 173 | - search for string ***donated3*** using vim regex 174 | - either change boolean false to true in ***getBool*** method or in ***getDonated*** method by changing **move-result** to **const/4** and set it to true* 175 | - recompile it 176 | 177 | 178 |

For signing, use Uber-apk-signer, but Google Play Protect warns.
179 | 180 | 181 | 182 | instead you may use my keystore to sign apk to stop Google play protect warnings 183 | 184 | ![20220325_005820](https://user-images.githubusercontent.com/62318734/159995288-1ae4ead1-c97b-4133-a268-b33a6285174b.png) 185 | 186 | ![20220325_005803](https://user-images.githubusercontent.com/62318734/159995403-1c4fca87-3485-4528-97a7-f89136dd35d6.png) 187 | 188 | 189 | ![Screenshot_20220325-010208_FFmpeg Media Encoder](https://user-images.githubusercontent.com/62318734/159995820-9ee06bb3-a3c6-41ef-92c8-b3fd40d9954a.png) 190 | 191 | 192 | 193 | ### 4th 194 | 195 | ![Screenshot_20220326-225540_Google Play Store](https://user-images.githubusercontent.com/62318734/160250653-10478016-6570-4e98-a847-00bbf3078e94.png) 196 | 197 | 198 | #### solution 199 | 200 | 201 | ![20220326_233829](https://user-images.githubusercontent.com/62318734/160251946-c83f0290-21da-418c-b72d-28c29a23dcc2.png) 202 | 203 | 204 | - ***smali/com/smokyink/smokyinklibrary/pro/licence/DefaultFeatureManager.smali*** 205 | 206 | ![20220326_234751](https://user-images.githubusercontent.com/62318734/160252246-aac22194-48c0-45e9-91d4-0c0a7cbfe375.png)
207 | 208 | 209 | - change *nez* to *eqz*. **Samething can be achieved by removing condition** 210 | - recompile 211 | 212 | # Before 213 | ![20220327_001449](https://user-images.githubusercontent.com/62318734/160252995-9a44168e-c6aa-4bf7-90d7-9315b4c67b6e.png) 214 | # After 215 | ![Screenshot_20220327-001547_Timeshift](https://user-images.githubusercontent.com/62318734/160253031-2bd89cc3-ac1e-4665-91e8-16ebeb2cae2c.png) 216 | ![Screenshot_20220327-001554_Timeshift](https://user-images.githubusercontent.com/62318734/160253039-e4f71025-2e5f-403e-b5b1-dfe49cde57e4.png) 217 | 218 | 219 | # 5 220 | 221 | ![Screenshot_20220327-173523_Google Play Store](https://user-images.githubusercontent.com/62318734/160280662-f75678b2-c1d6-4c19-9e0b-94193c99f188.png) 222 | 223 | ![Screenshot_20220327-201000_WhatsApp](https://user-images.githubusercontent.com/62318734/160286773-dc671165-fb7f-4042-a2ac-8aa9eb41f894.png) 224 | 225 | ### solution 226 | 227 | 228 | - Decompile the apk 229 | - search for this toast msg 230 | - find its id 231 | - search and change it 232 | 233 | 234 | [![](https://i.imgur.com/a2yXU0C_d.webp?maxwidth=760&fidelity=grand)](https://player.vimeo.com/video/692934120?h=16dfe012f9&badge=0&autopause=0&player_id=0&app_id=58479) 235 | 236 | [![](https://i.imgur.com/R9vBLST_d.webp?maxwidth=760&fidelity=grand)](https://player.vimeo.com/video/692946381?h=ae557748b7&badge=0&autopause=0&player_id=0&app_id=58479) 237 | 238 | 239 | 240 | 241 | - `grep -r 0x7f1200fc --color` 242 | 243 | ![20220328_111427](https://user-images.githubusercontent.com/62318734/160334393-c20bdaf2-337c-4b56-b64b-184292948dd0.png) 244 | 245 | 246 | [![](https://i.imgur.com/BVFHitC.png)](https://player.vimeo.com/video/692984086?h=6618b4cce9&badge=0&autopause=0&player_id=0&app_id=58479) 247 | 248 | 249 | 250 | 251 | 252 | https://user-images.githubusercontent.com/62318734/160352852-c7507200-1cc0-4022-b347-927c5863ce6d.mp4 253 | 254 | 255 | 256 | 257 | 258 | 
https://user-images.githubusercontent.com/62318734/160353280-dff1427f-0c2b-413f-ade6-9f6553f76078.mp4 259 | 260 | 261 | 262 | ### if apk not installed remove ***unknown*** and ***META-INF*** folder before build 263 | 264 | # 6 265 | 266 | ![Screenshot_20220330-102459_Google Play Store](https://user-images.githubusercontent.com/62318734/160754203-dd9f8341-0b42-451e-9dbb-d527a4f00751.png) 267 | 268 | ### solution 269 | 270 | - before decompile, remove framework apk to avoid unnecessary problems 271 | 272 | ![Screenshot_20220403-124446_Termux](https://user-images.githubusercontent.com/62318734/161416301-7588272a-fdb8-4061-ae51-6d0a40a7b063.png) 273 | ![Screenshot_20220403-124500_Termux](https://user-images.githubusercontent.com/62318734/161416305-78576e6a-2020-46af-af66-ab89eb5b8d63.png) 274 | 275 | 276 | 277 | 278 | https://user-images.githubusercontent.com/62318734/161417057-71ce779c-5c98-434a-81eb-30eaed67e33e.mp4 279 | 280 | 281 | https://user-images.githubusercontent.com/62318734/161417127-ad03b382-0c3e-41e2-a7d4-0e7b4c588020.mp4 282 | 283 | 284 | # AstroTalk 285 | 286 | ## bypassed via response manipulation 287 | 288 | 289 | ![8vUxI0l](https://user-images.githubusercontent.com/62318734/195670639-9a6a370c-33eb-48ed-a6c5-1d64baeb6522.png) 290 | 291 | 292 | # For demo 293 | 294 | 295 | 296 | https://github.com/dedshit/AstroTalk-PoC.git 297 | 298 | # PrepLadder 299 | 300 | ![Screenshot_20230317-115630_Google Play Store](https://user-images.githubusercontent.com/62318734/225833061-3e79cc64-84e7-4319-96a9-882ae9cb5351.png) 301 | 302 | 303 | ## SecretKey: 6120e6224d4127aee7d0b1f6a2d77d6e 304 | ## Mode: CBC 305 | ## KeySize: 256 306 | ## IV: 750e579bbdec194f 307 | 308 | 309 | 310 | https://user-images.githubusercontent.com/62318734/225829000-2e060b1c-1cb7-48db-bd97-8fc3e17cd4e5.mp4 311 | 312 | # Business Standard 313 | 314 | ![Screenshot_20230331-221102_Chrome](https://user-images.githubusercontent.com/62318734/229180159-4b146a24-1820-4368-bcb5-5e11758ae87f.png) 315 | 
316 | # **OTP bypass - Unintended disclosure of OTP to client leads to account takeover** 317 | 318 | ![20230331_224559](https://user-images.githubusercontent.com/62318734/229187322-6470a288-e138-4294-8975-600398b3e710.png) 319 | ![20230331_224411](https://user-images.githubusercontent.com/62318734/229187369-81e49e19-e1d4-4668-92c0-3097aec14acd.png) 320 | 321 | ## Api : `https://bsnodeapinew.business-standard.com/auth/signup-login-with-otp` 322 | 323 | 324 | # AI Mate 325 | 326 | 327 | ![Screenshot_20240227_223104](https://github.com/dedshit/Apk-Modding-challenge/assets/62318734/d7f44b49-8f5e-4119-9cd0-2da35117101a) 328 | 329 | 330 | 331 | https://github.com/dedshit/Apk-Modding-challenge/assets/62318734/f8444510-59e6-47d7-ae3a-812bf359eb27 332 | 333 | 334 | -------------------------------------------------------------------------------- /src/C5#1.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dedshit/Apk-Modding-challenge/979d112f36d22afc45058e6dacd5fc88e1afcfdf/src/C5#1.mp4 -------------------------------------------------------------------------------- /src/C5#2.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dedshit/Apk-Modding-challenge/979d112f36d22afc45058e6dacd5fc88e1afcfdf/src/C5#2.mp4 --------------------------------------------------------------------------------