Created
November 30, 2018 18:19
-
-
Save richyk1/4909d6c16a44894c82fa2ba3faf44432 to your computer and use it in GitHub Desktop.
Decompiling and reversing SL.apk
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This gist is assuming that the user who reads this has knowledge of aligning & signing their modified APK's whilst also the ability of writing & reading .smali code. | |
To succesfully modify price & duration of bought tickets you have to complete two essential steps. | |
Upon analysing this apk I found out that it does not have any anti tamper, which made decompiling in .smali much easier. | |
After decompiling the apk file into .smali you will be presented with the smali folder | |
Upon starting, the application requests all the dynamic information from their server. | |
Using jadx-gui and opening classes.dex com.sl.SlBilijetter.Backend.ServerCommunication class makes calls to: | |
* /sl-appserver/services/appversion/getappversion | |
* /sl-appserver/services/generateUserToken | |
* /sl-appserver/services/userdata | |
* /sl-appserver/services/ticketofferings | |
* /sl-appserver/services/swish/generateticket | |
* etc.. | |
The interesting one is com.sl.SLBilijetter.Backend.ServerCommunication.getTicketOfferings(), because it makes call to their server for ticket offerings and then later down the method, the response is returned in Log.d, which can be read through "adb logcat -s getTicketOfferings". This response basically returns the whole JSON of the ticket information. Replacing that JSON file with your own custom one is very easy and can be done through swapping that request url with the url that requests the custom JSON file. | |
The fetched values are then given to Swish which makes it possible to pay a lower/higher price. After the transaction is done Swish will return a "good" response which tells the application to make a request to the servers to get the ticket. | |
The second obstacle occurs when the application sends the request for the ticket. The price you paid is compared to the original price so to combat that you have to modify the JSONObject that then is used as a request for the ticket. Method com.sl.SLBilijetter.Backend.ServerCommunication.buyTicket() has to be edited. Just before the ticket is requested jsonTicket.put("orderAmount", X) has to be added with X being the original price of the modified value. | |
This will basically make the request look legit, but the only problem arises when you want to have multiple modified values. Then you would probably need to add some extre .smali code so that it compares and then modifies the jsonTicket["orderAmount"] accordingly. | |
How to fix this problem: | |
* acquire a new Swish api key and put it into the updated SL app, so that the old versions do not work anymore. | |
* on release build exclude Log.d's | |
* add extra encryption on the information received | |
The tools used for reversing: | |
- dex2jar | |
- apksigner | |
- apktool | |
- jad | |
- jadx-gui | |
- zipalign | |
- text editor | |
- adb |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is the ticket_offering.json is originally sent from the server
[{
"zone": "P",
"price": 12000,
"tariff": "a",
"orderCode": "VP",
"validityTimeInMinutes": 90
}, {
"zone": "S,UL1,UL5,UL2",
"price": 11600,
"tariff": "a",
"orderCode": "VSLUL125",
"validityTimeInMinutes": 150
}, {
"zone": "S,UL5,UL2",
"price": 9200,
"tariff": "a",
"orderCode": "VSLUL25",
"validityTimeInMinutes": 150
}, {
"zone": "S,UL5,UL2",
"price": 6000,
"tariff": "r",
"orderCode": "USLUL25",
"validityTimeInMinutes": 150
}, {
"zone": "S,P",
"price": 14100,
"tariff": "r",
"orderCode": "RABP",
"validityTimeInMinutes": 120
}, {
"zone": "S",
"price": 3000,
"tariff": "r",
"orderCode": "RAB",
"validityTimeInMinutes": 75
}, {
"zone": "S,UL1,UL5,UL2",
"price": 7600,
"tariff": "r",
"orderCode": "USLUL125",
"validityTimeInMinutes": 150
}, {
"zone": "UL5,UL2",
"price": 6000,
"tariff": "a",
"orderCode": "VUL25",
"validityTimeInMinutes": 90
}, {
"zone": "S,P",
"price": 15100,
"tariff": "a",
"orderCode": "VUXP",
"validityTimeInMinutes": 120
}, {
"zone": "UL1,UL5,UL2",
"price": 9000,
"tariff": "a",
"orderCode": "VUL125",
"validityTimeInMinutes": 120
}, {
"zone": "UL5,UL2",
"price": 3800,
"tariff": "r",
"orderCode": "UUL25",
"validityTimeInMinutes": 90
}, {
"zone": "S",
"price": 4400,
"tariff": "a",
"orderCode": "VUX",
"validityTimeInMinutes": 75
}, {
"zone": "UL1,UL5,UL2",
"price": 5700,
"tariff": "r",
"orderCode": "UUL125",
"validityTimeInMinutes": 120
}]