Hello reddit. Today, I'm going to be reverse engineering the Blackmart app. In case you don't know, Blackmart is an alternative Android app store which allows you to download paid apps for free.
### Redirecting and capturing the traffic

First of all, I will need to redirect the traffic of my tablet to my computer so I can use Wireshark to look at the data. To do this, I use LANS.py. It is a small Python script which allows you to do MITM attacks.
LANS.py also shows you the URLs of the pages used by an app. It really helps with reverse-engineering APIs.
After redirecting the traffic to my computer and starting Wireshark, I run the Blackmart app, look at the recent apps section, do 2 searches for terraria and chronometer and download a chronometer app.
After doing this, I stop the capture, save it and start looking at the data.
### Finding The API

Let's start with the recent apps section. The first app on the list is called Wireless Power Chief. Now we will try to find that in Wireshark.
If we press CTRL+F in Wireshark, it opens a Search dialog. To search in the data, we need to choose String and Packet Bytes. After doing this, we search for Wireless Power.
It should find a TCP stream. Just right-click it and select Follow TCP Stream. That shows us the GET request to "http://svc.blmrt.org/blackmart/category/new/0/date_desc/0".
OH YEAH! WE GOT JSON!
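Following one TCP stream at a time works for a handful of requests, but the same host-and-endpoint map can be pulled out of the request heads mechanically. The script below is an added example and is not part of the original post: it takes request lines and Host headers in the form you get from Wireshark's Follow TCP Stream view (the sample dump is constructed to mirror the requests discussed in this post; the header set and order are made up), groups endpoint prefixes by host, and lists every package name that appears in a request path, which is also a quick way to see what the per-app info requests actually send.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample dump: request heads as copied from Wireshark's
# "Follow TCP Stream" view. Hosts and paths mirror the ones discussed
# in the post; the header set and ordering are made up.
CAPTURED_REQUESTS = """\
GET /blackmart/category/new/0/date_desc/0 HTTP/1.1
Host: svc.blmrt.org
User-Agent: Dalvik/1.6.0

GET /blackmart/search/chronometer/0/downloads_desc/0 HTTP/1.1
Host: svc.blmrt.org

GET /blackmart/icons/com.karlstein.chrono.5.png HTTP/1.1
Host: 144.76.98.177

GET /blackmart/downloads/com.karlstein.chrono.6.apk HTTP/1.1
Host: 144.76.98.177

GET /blackmart/info/com.karlstein.chrono HTTP/1.1
Host: svc.blmrt.org

GET /blackmart/info/com.example.someapp HTTP/1.1
Host: svc.blmrt.org
"""

REQUEST_LINE = re.compile(r"^(GET|POST|PUT|HEAD)\s+(\S+)\s+HTTP/1\.[01]\s*$", re.M)
HOST_HEADER = re.compile(r"^Host:\s*(\S+)", re.M | re.I)
# Dotted Java-style package name, e.g. com.karlstein.chrono (stops before ".5.png")
PACKAGE_NAME = re.compile(r"(?:[a-z][a-z0-9_]*\.)+[a-z][a-z0-9_]*")


def extract_requests(dump):
    """Return (method, host, path) for every request head in the dump."""
    found = []
    # Request heads are separated by a blank line in the copied stream.
    for chunk in re.split(r"\n\s*\n", dump.strip()):
        line = REQUEST_LINE.search(chunk)
        host = HOST_HEADER.search(chunk)
        if line and host:
            found.append((line.group(1), host.group(1), line.group(2)))
    return found


def endpoint_prefix(path, depth=2):
    """Keep only the first `depth` path segments: the static part of the route."""
    segments = [s for s in urlsplit(path).path.split("/") if s]
    return "/" + "/".join(segments[:depth])


def endpoints_by_host(dump, depth=2):
    """Map each host to the sorted list of endpoint prefixes it serves."""
    by_host = defaultdict(set)
    for _method, host, path in extract_requests(dump):
        by_host[host].add(endpoint_prefix(path, depth))
    return {host: sorted(prefixes) for host, prefixes in by_host.items()}


def app_ids_seen(dump):
    """Package names that appear anywhere in a request path."""
    ids = set()
    for _method, _host, path in extract_requests(dump):
        ids.update(PACKAGE_NAME.findall(urlsplit(path).path))
    return sorted(ids)


if __name__ == "__main__":
    for host, prefixes in endpoints_by_host(CAPTURED_REQUESTS).items():
        print(host, prefixes)
    print("app ids reported:", app_ids_seen(CAPTURED_REQUESTS))
```

On the constructed dump this separates the metadata host (category, search, info) from the file host (icons, downloads), which is the same split the post arrives at by hand; raising `depth` shows the variable segments (page number, sort order, app id) if you want to template a full route.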
### The Recent Apps API

The JSON we get from "http://svc.blmrt.org/blackmart/category/new/0/date_desc/0" has a list of the recent apps, and it includes information such as:
- App name
- App developer
- Date added
- Size and MD5 hash of the APK
- Full app id (com.example.app)
- App description
- App permissions
### The Search API
Remember the searches we made. Let's find the chronometer one with CTRL+F like we did before.
This time, we find a GET request to "http://svc.blmrt.org/blackmart/search/**chronometer**/0/downloads_desc/0". This returns the data in JSON, in the same format as the recent apps one.
### Getting the icons

The app also displays icons next to their names, but we didn't see an icon URL in the JSON response. So we do the most logical thing: press CTRL+F and search for icon.
This shows us a GET request to "http://144.76.98.177/blackmart/icons/com.karlstein.chrono.5.png". Instead of getting the icons from svc.blackmart.org, it uses another server. I already tried getting the icons from svc.blackmart.org; it didn't work.
To generate the icon URL from the app id, you can use this Python function.

```python
def getImageURL(app_id):
    # Icons are served by the second host, named after the package id plus ".5.png"
    return "http://144.76.98.177/blackmart/icons/{}.5.png".format(app_id)
```

So basically it is http://144.76.98.177/blackmart/icons/ + app_id + .5.png.
### Downloading the APKs

We've gotten app info and the app icons. Now all we need is the actual APK file.
I downloaded a chronometer app, so let's search for its full app id (com.karlstein.chrono).
This time we find a GET request to "http://144.76.98.177/blackmart/downloads/com.karlstein.chrono.6.apk".
So it seems that Blackmart gets the app info from svc.blmrt.org and gets the icon and apk data from 144.76.98.177.
The Python code to get the APK URL is

```python
def getApkURL(app_id):
    # APKs come from the same host as the icons, named after the package id plus ".6.apk"
    return "http://144.76.98.177/blackmart/downloads/{}.6.apk".format(app_id)
```

That is http://144.76.98.177/blackmart/downloads/ + app_id + .6.apk.
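Whatever you pull from the download host, the size and MD5 that the listing JSON carries (see the recent apps fields above) let you at least check that what arrived is what the listing described. The example below is added here and is not part of the original post: the post does not name the JSON keys, so `size` and `md5` are assumptions, and the APK bytes are constructed. The check reads the stream in chunks and stops as soon as it exceeds the declared size, so an over-long response is never buffered in full. Be clear about what it gives you: an MD5 served by the same server, over plain HTTP, catches truncation and corruption, not substitution, because whoever controls that server or the network path controls both the file and the digest. Authenticity of an APK comes from its signature, which this check does not look at.

```python
import hashlib
import io

# Constructed sample: not a real APK, just bytes with a ZIP-like magic prefix.
SAMPLE_APK = b"PK\x03\x04" + b"constructed sample payload, not a real APK\n" * 50

# Constructed listing record. The post says the listing carries the APK size
# and MD5 but not the key names, so "size" and "md5" are assumed here.
SAMPLE_LISTING = {
    "app_id": "com.karlstein.chrono",
    "size": len(SAMPLE_APK),
    "md5": hashlib.md5(SAMPLE_APK).hexdigest(),
}


def verify_download(stream, listing, chunk_size=64 * 1024):
    """Read `stream` in chunks and check it against the listing's size and MD5.

    Returns a list of problems; an empty list means size and digest matched.
    Reading stops as soon as more than the declared size has arrived, so an
    over-long response is rejected without being held in memory.
    """
    expected_size = int(listing["size"])
    expected_md5 = listing["md5"].lower()
    digest = hashlib.md5()
    received = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        received += len(chunk)
        if received > expected_size:
            return ["response longer than declared size %d" % expected_size]
        digest.update(chunk)
    problems = []
    if received != expected_size:
        problems.append("size mismatch: got %d, listing says %d" % (received, expected_size))
    if digest.hexdigest() != expected_md5:
        problems.append("md5 mismatch: got %s, listing says %s" % (digest.hexdigest(), expected_md5))
    return problems


def verify_bytes(data, listing):
    """Convenience wrapper for data that is already in memory."""
    return verify_download(io.BytesIO(data), listing)


if __name__ == "__main__":
    print("intact:", verify_bytes(SAMPLE_APK, SAMPLE_LISTING))
    print("truncated:", verify_bytes(SAMPLE_APK[:-1], SAMPLE_LISTING))
    print("padded:", verify_bytes(SAMPLE_APK + b"x", SAMPLE_LISTING))
```

In practice you would pass the response body object from your HTTP client as `stream`; the size bound is the part worth keeping even if you drop MD5, since it is the only thing stopping a misbehaving server from handing you an arbitrarily large body.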
### Getting info on an app id

If you just want to get information on an app id, just get "http://svc.blmrt.org/blackmart/info/**com.example.app**". It returns a JSON response just like the other APIs.
The Blackmart app also sends the info request for all your installed apps when you first install Blackmart, and sends another info request each time you install a new application. This might be for checking updates or for informing Blackmart that there is a new version of the application.