
Infamous-Bluetooth

Android Tutorial
HOW TO HACK SOME ONLINE GAME USING CHARLES PROXY

63 posts in this topic

REQUIREMENTS:

1. CHARLES
2. SOME BRAIN

From their website:

About Charles

Charles is a web proxy (HTTP Proxy / HTTP Monitor) that runs on your own computer. Your web browser (or any other Internet application) is then configured to access the Internet through Charles, and Charles is then able to record and display for you all of the data that is sent and received.

In Web and Internet development you are unable to see what is being sent and received between your web browser / client and the server. Without this visibility it is difficult and time-consuming to determine exactly where the fault is. Charles makes it easy to see what is happening, so you can quickly diagnose and fix problems.

Simply translated, this program allows you to see the "hidden" communication between your browser and the target server.
"Big Deal I can get that information off Firefox/Chrome etc. already"
Well, the key difference is how the information is displayed and what you can do with it. Looking at a few of the key features:

  • SSL Proxying – view SSL requests and responses in plain text
  • AJAX debugging – view XML and JSON requests and responses as a tree or as text
  • Repeat requests to test back-end changes
  • Edit requests to test different inputs

(Only a partial list of key features, the ones that we will put to use)
As you can see, this will allow us to not only read and understand the server's response from an HTTPS game server (or most web pages using SSL); it's also able to easily modify requests sent to the server as a MITM application.

OK, let's get started. For this PoC hack I will be using a completely unedited game from the Play store, Prince Billy Bob (Playstore Link: Game). Lastly, the Android phone I have the game installed on normally, which will have to be run on wifi to connect to the proxy computer.

1st Step: Setup Charles

  • Install Charles following its standard directions; if you can't get that far without needing more detailed help, please exit stage right.
  • Start up the program and set up the SSL web proxy. Here's how (DISCLAIMER: I have seen a few different versions of the toolbars in Charles; here is my version, just find the same information if you have a diff version):
    1. Go to Proxy > Proxy Settings
    2. In the Proxies tab enter "8888" in the HTTP Proxy Port field
    3. In the same window, go to the SSL tab
    4. Check Enable SSL and ensure that under Locations it has an entry with * next to it and the checkbox is checked. Example:
    5. Check your computer's IPv4 address. If on the same LAN as your computer, use the internal IP address before the router; it should start with 192.168... or 10.0..., assuming a standard LAN setup. Save this number for later. If not on the LAN with the computer, get on it (or set up an external proxy, which is beyond the scope of this tutorial, as the LAN setup will allow SSL responses in plaintext; you'll have to figure out your proper configuration to use an external proxy).
    6. Lastly, prep your two SSL certificates. Go to Help > Install Charles CA SSL Certificate. You are going to install on both your PC and your Android. PC installation is easy: simply hit Install Certificate and let it select its certificate store, save and done. Next, for Android, after hitting the menu item Install Charles CA SSL Certificate, choose the Details tab, then Copy to File. Save as a DER encoded binary X.509 (CER file), name it whatever, and after choosing its destination, send it to your Android phone via USB, wifi, SD card, NFC, Bluetooth, aliens, IDGAF, just send it onto your phone, then use any decent file explorer to select and install it.
    7. Alright, leave Charles open and now set up the target phone.

2nd Step: Setup Android

  1. (If not already done) Install the game from the Play store link above (or Gapps/sideload, obviously fine; just stating the point that the game itself remains untouched with this method: no version conflict to worry about, achievements are available, etc.)
  2. Change your LAN wifi settings. I believe it's pretty universal among Android versions how to do this. Go to Settings > Wifi. Long press your network name and select Modify network. Check the advanced options. Change Proxy settings to Manual, scroll down the menu to Proxy hostname, and change it to the LAN IPv4 address you saved from your PC. Change Proxy port to 8888 to match your settings above. You can leave the rest of the settings alone. Scroll back up and enter the wifi password so you can save the settings.

Provided you did all that correctly, you should now be set. Test by going to Charles to verify that the button that looks like a white circle with a smaller red circle is depressed, then going to the browser on your phone and searching for something on Google, going to the homepage, etc. The second you tap any of those on your phone, Charles should come to life, populating its Structure/Sequence windows with all sorts of neat data.

All right, you're all set up. The next post I'll have up shortly to detail what kind of details you want to focus on, how to get the server to throw you a bone to work with and not just Facebook tracking data, etc. Lastly, I'll show the specific exploit I used for Billy Bob.

Now back to how to do the hack.

1. Start the Billy Bob game. It's going to load up a bunch of folders and info; if you try to figure out where anything useful is you may get lost, so sit tight and let the game start, load up Google Plus, etc. Once it's all done and it looks like Charles is done loading new folders constantly, we are going to
2. Stop the recording session (press the white/red button). This info is mostly useless unless you want to dig for app API keys, hashes, fun stuff for more complex hacks, but this is a beginners' tut to show the benefits of Charles at all levels. Personally, I saved this session before I cleared it, for study later, but you may either save it or just clear it; it's not needed for this hack.
3. Now that Charles is clear, restart the recording session. With all the junk out of the way, it's more likely to only call the server based on your input, thus easier to track what you want. So here is what I did. I started looking for things that you do that trigger a call to the game's main server. Things to try include checking daily rewards, in-app purchases, buying premium items in game using premium in-game currency (read: currency they expect you to pay real money to get any decent quantity of), or, as I found for my example, the cloud save sent to https://billybobglobal.mafrpgserver.net/google_game/save . This one was the jackpot, which gave me a completely clear (thanks to Charles' SSL credentials) JSON string the developer used in this save. Here's the string you can find by checking the request we sent to the server, easiest to read in Form view; it will look a lot like this:

Hidden Content

Doesn't look like much up front, but you'll notice a lot of numbers match your details. For simplicity's sake, here's an easy translation for most of the variables; I haven't played with all of them yet.

Hidden Content

So in conclusion, what I decided to do was alter the numbers, being VERY careful not to delete any delimiters like ,\": etc. (a file editor was easier for me to c/p into, but you can edit inline in Charles), and resend the save request with the altered numbers from Charles. You won't get a confirmation about your save from that, but it's OK; once you get a 200 response from the server, you can hit Load Game from the app directly, and it will load the numbers you put in.

Play around with it to see what you can do, and don't forget to go into your Android wifi settings to disable the proxy when done, or you won't be able to use the network properly unless your PC is on, etc. Charles stops when shut down, so no need to do anything there.
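Looked at from the server's side, the weakness this post relies on is that the save endpoint stores whatever state the client sends back. Below is an added Python example, not code from the post or from the game, of the check a defender would put behind such an endpoint: each upload is compared with the last save the server itself accepted, and fields the client has no legitimate way to raise are rejected. The field names and limits are constructed placeholders, since the real save fields are hidden on the page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class FieldRule:
    server_owned: bool = False       # client may never raise it (only a verified purchase can)
    max_gain: Optional[int] = None   # largest plausible increase between two saves
    monotone: bool = False           # may never go down

# Constructed placeholder fields; the real save schema is hidden on the page.
SAVE_RULES = {
    "level":        FieldRule(monotone=True, max_gain=1),
    "coins":        FieldRule(max_gain=5000),
    "premium_gems": FieldRule(server_owned=True),
}

def validate_save(previous: dict, upload: dict) -> tuple:
    """Check an uploaded save against the last save the server accepted.

    Returns (accepted, reason). The server keeps `previous` itself, so the
    client cannot supply a forged baseline or replay an older, richer save.
    """
    if set(upload) != set(SAVE_RULES):
        return False, "unexpected or missing fields"
    for name, rule in SAVE_RULES.items():
        old, new = previous[name], upload[name]
        if type(new) is not int or new < 0:          # bools and floats are rejected too
            return False, f"{name}: not a non-negative integer"
        delta = new - old
        if rule.server_owned and delta > 0:
            return False, f"{name}: client cannot raise a server-owned value"
        if rule.monotone and delta < 0:
            return False, f"{name}: must not decrease"
        if rule.max_gain is not None and delta > rule.max_gain:
            return False, f"{name}: implausible gain of {delta}"
    return True, "ok"

# Constructed sample: the server's last accepted save, an honest upload and an edited one.
LAST_ACCEPTED = {"level": 4, "coins": 1200, "premium_gems": 30}
HONEST_UPLOAD = {"level": 5, "coins": 3100, "premium_gems": 25}
EDITED_UPLOAD = {"level": 5, "coins": 3100, "premium_gems": 999999}

if __name__ == "__main__":
    print(validate_save(LAST_ACCEPTED, HONEST_UPLOAD))   # (True, 'ok')
    print(validate_save(LAST_ACCEPTED, EDITED_UPLOAD))   # rejected on premium_gems
```

A server that also tracks premium grants from verified store receipts can compute the allowed delta for the server-owned field instead of forbidding every increase.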


  • Similar Content

    • By TheArmQueen
      The following service lets you download an APK onto your PC/Mac through a web browser.
      All you need to do is enter the game/app's package name. Example -> com.kiloo.subwaysurf
      Or the Google Play Store ID -> https://play.google.com/store/apps/details?id=com.kiloo.subwaysurf&hl=en
      Info: it will take some time to generate the download link depending on file size & wifi connection.
      Website Link & Screenshots:

      Hidden Content

      Other Websites You Can Use:

      Hidden Content
    • By evildog1
      I have found a new way to decrypt .dll and other files using Termux. In this tutorial, I'll show you how to decrypt an encrypted .dll file.
      Requirements:
      - Rooted device or Emulator. ARM or x86.
      - A powerful Android device: 1 GB RAM, 4 cores, 1.5 - 2.x GHz. If you have a low-end device, your device may freeze during dumping.
      - Available free space of Internal storage or Sdcard: 2 GB
      - Requires Android 5.0 and up. Works on Marshmallow 6.0.1. Termux will not work on 4.4.4 and below.
      - Termux app. It is available on the Play Store.
      - Modified WinHex for Windows (the free version will not work for this purpose).

      Hidden Content

      Notes:
      There is no need for PIE patching. gdb 7.12 natively supports Android 5.0 and up.
      If your device is running Kitkat 4.4.4 and below, please read my old tutorial:
      Using Android Emulator?
      Sorry, gdb gcore doesn't work with x86.
      Finding the package name of the app:
      Find the package name of the app you're going to hack!
      This will be required to find the app in the Terminal app we're going to use soon.
      It's usually called "com.DEVELOPER_CODE.GAME_CODE".
      You can find it going (with your browser) to the Google Play website, looking for the game you have installed on your device and then copying what's next to "id=".
      See screenshot:

      Alternatively, you can Install Package Name Viewer 2.0 from play store and you'll find the package name of any app you have installed on your device.

      If your device is running Cyanogenmod/Lineage OS, you can go to Settings -> Apps and then you'll find the package name of any app you have installed on your device.

      Termux setup and decryption:
      Open Termux. It should be very similar to the following one:



      Type the following commands:
      apt update
      Update package information. apt-get update downloads the package lists from the repositories and "updates" them to get information on the newest versions of packages and their dependencies.

      apt install gdb tsu
      Install both gdb and tsu. gdb is a process debugger; tsu is a root mode for Termux.
      Press the home button and launch the game. Let the game fully load.
      Open multitask, and go back to Termux
      Type the following commands:
      su
      Enter superuser mode. Grant root access to enter superuser mode for your device when asked.
      dumpsys meminfo | grep com*
      Show process list. This command will search for all the running processes starting with "com." (the * is a wildcard which means any letter/number/symbol). The package name of the game is always at the top. Don't forget to write it down.


      exit
      Exit Superuser mode
      tsu
      Enter root mode for Termux
      gdb -pid <pid>
      attach a process with gdb

      Example:
      gdb -pid 12345
      Hit return to continue when asked.
      Do not worry about any warnings like these you may read in the Terminal app:


      gcore <path>
      save core file
      Example:
      gcore /sdcard/thegametodump
      Type Y when asked. This will take 3-5 minutes. Your device may freeze during dumping. Do not touch your device.
      quit
      quit gdb
      And detach the process when asked
      Or you can exit Termux session from notification


      Connect your device to your computer and copy your dumped file. If the file does not appear, just create a folder and move the file there; this way Windows should be able to see it.
      Recover decrypted files using WinHex:
      Open Winhex.exe
      File -> Open... and select a dumped file
      Tools -> Disk Tools -> File Recovery by Type

      Click the "+" next to "Programs" (1) and check "Windows exec." (2). Now, select the folder where you want the new file to be generated under "Output Folder" (3).
      Ensure "Complete byte-level search" is checked (4) and then click "OK" (5).

      The file recovery will now begin and, when it has finished, you'll get a message like this:

      Now, reach the location where you saved this file and delete all files with the ".com" extension. They're not needed and may only cause confusion.
      You can finally close WinHex.
      Happy modding!
      Credits:
      iAndroHacker
      x-ways devs (Winhex program)
      Fredrik (Termux app)
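As an added Python example (not part of evildog1's post, and not WinHex's code), here is the idea behind the "File Recovery by Type" step, which is the same carving a forensic analyst performs on any process or memory dump: scan for MZ stubs, follow e_lfanew to the PE signature, and take the image up to the end of whichever section lies furthest into the file. The sample dump is constructed inline from minimal PE-shaped blobs, so it runs offline.

```python
import struct

def carve_pe_images(dump: bytes) -> list:
    """Return (offset, image_bytes) for every PE image found in a raw dump.

    Size is taken as the end of the section lying furthest into the file,
    which is how type-based recovery tools delimit a carved executable.
    """
    images, pos = [], 0
    while (pos := dump.find(b"MZ", pos)) >= 0 and pos + 0x40 <= len(dump):
        e_lfanew = struct.unpack_from("<I", dump, pos + 0x3C)[0]
        pe = pos + e_lfanew
        if not 0x40 <= e_lfanew < 0x1000 or dump[pe:pe + 4] != b"PE\0\0" or pe + 24 > len(dump):
            pos += 2                        # stray "MZ" inside ordinary data
            continue
        nsec = struct.unpack_from("<H", dump, pe + 6)[0]        # NumberOfSections
        opt_size = struct.unpack_from("<H", dump, pe + 20)[0]   # SizeOfOptionalHeader
        first_hdr = pe + 24 + opt_size                           # first section header
        end = first_hdr + 40 * nsec                              # at least the headers
        for i in range(nsec):
            hdr = first_hdr + 40 * i
            if hdr + 40 > len(dump):
                break
            raw_size, raw_ptr = struct.unpack_from("<II", dump, hdr + 16)
            end = max(end, pos + raw_ptr + raw_size)
        end = min(end, len(dump))
        images.append((pos, dump[pos:end]))
        pos = end                           # resume after this image
    return images

def build_sample_pe(payload: bytes) -> bytes:
    """Constructed, minimal PE-shaped blob: DOS stub, COFF header, one section (not runnable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x1C4, 1, 0, 0, 0, 0, 0)   # ARM, 1 section, no optional header
    raw_off = 0x40 + 4 + 20 + 40                               # section data follows the headers
    section = b".text\0\0\0" + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_off) + b"\0" * 16
    return dos + b"PE\0\0" + coff + section + payload

# Constructed dump: filler, two images, then a stray "MZ" that is not a PE header.
SAMPLE_DUMP = (b"\xAB" * 300 + build_sample_pe(b"DECRYPTED-A") + b"\0" * 77
               + build_sample_pe(b"DECRYPTED-B") + b"MZ" + b"\0" * 8)

if __name__ == "__main__":
    for off, img in carve_pe_images(SAMPLE_DUMP):
        print(f"PE image at offset {off}, {len(img)} bytes")
```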
    • By Infamous-Bluetooth


      Well that's pretty easy, just search IsGenuine, GetSignature or InstalledFromRightLocation and return it to TRUE. They are all boolean.

      Use dnSpy, it's much easier to edit code. Right click inside method code, select "Edit Method (C#)..." and replace it with "return true;"



      Tip: Dump the source code from the dll and search keywords in the files using Notepad++ and analyze them. It's much easier for me because I can search for a string, URL string, exact code etc.

      Keywords to search: Integrity, Check, Genuine, Signature, Installed, Location etc.

      How I found IsGenuine?

      First, I was analyzing ShowInvalidBuildError() but I was unable to locate the check, so I just dumped the entire source code and searched "signature" in the files using Notepad++, because it's much easier for me to find the useful code. My former friend told me that trick.

      How I found InstalledFromRightLocation?

      I recorded a logcat using the Matlog app to find an error, and I found the interesting function ReceiveInstallFromWrongLocationError()



      so I took a look in dnSpy. I analyzed it, looked at InitOnStart() and there is this code:

      bool flag2 = AndroidUnityUtilWrapper.InstalledFromRightLocation();

      InstalledFromRightLocation() is also an interesting method. It was a boolean so I returned it true and it worked!

      Credits:
      iAndroHacker
    • By Joel Ohsteen
      Hey guys,
      I'd like to share my personal sniping method that I use to catch high IV pokemons for free. 
      Link: www.pokegoscout.com
      iDevices: PokeGo++ [Google it ;)]
      Android: https://github.com/pokesniperandroid/PokeSniper-Android/releases
      I recommend you to use www.pokegoscout.com to find a huge list of rare high IV pokemons and their co-ordinates.
      You can then use the above cited applications to fake your location and snipe your favorite pokemon. All the things I've linked to, are absolutely free!
      Happy sniping!  