Upload files to "/"
94
README.md
Normal file
@ -0,0 +1,94 @@
# Alcove Script README

## Overview

This script is designed to bypass a verification function in an Alcove application by replacing it with a custom function that always returns `1` (true). The script uses Frida to hook into the application's main module and apply a "Total Replacement" patch to the verification function located at a specific offset.

Additionally, for the script to work fully, the HTTP response from the `/trial` endpoint must be manually spoofed to return a specific JSON payload.

## Prerequisites

- **Frida**: Ensure Frida is installed and configured on your system.
- **Alcove Application**: The target application must be running and accessible.
- **HTTP Proxy Tool**: A tool like Burp Suite, Charles Proxy, or mitmproxy to intercept and modify HTTP requests/responses.

## Script Details

The script performs the following actions:

1. Identifies the main module of the Alcove application and its base address.
2. Locates the verification function at offset `0x197f0` from the base address.
3. Uses Frida's `Interceptor.replace` to hook the verification function and replace it with a custom `NativeCallback` that logs the call and returns `1` (true).

## Manual HTTP Response Spoofing

For the script to work fully, you must manually spoof the HTTP response from the `/trial` endpoint. The application sends an HTTP request to `/trial` and expects a specific JSON response.

### Expected HTTP Request

The application sends a request to:

```
POST /trial
```

### Expected HTTP Response

The response must be a JSON object with the following structure:

```json
{
"uuid": "<your-uuid>",
"started_at": "9999-12-31T23:59:59+00:00",
"active": true
}
```

### Steps to Spoof the HTTP Response

1. **Set Up an HTTP Proxy**:

- Use a tool like Burp Suite, Charles Proxy, or mitmproxy to intercept HTTP traffic from the Alcove application.
- Configure your device or emulator to route traffic through the proxy.

2. **Intercept the** `/trial` **Request**:

- Identify the `POST /trial` request in your proxy tool.

3. **Modify the Response**:

- Replace the server's response with the JSON payload shown above.
- Ensure the HTTP status code is `200 OK` and the `Content-Type` header is `application/json`.

4. **Test the Application**:

- Run the application with the Frida script injected and the HTTP response spoofed.
- Verify that the verification function is bypassed and the application behaves as expected.

## Usage

1. Save the script as `frida.js`.

2. Run the script using Frida:

```bash
frida -f <path-to-app> -l frida.js
```

Replace `<path-to-app>` with the actual path of the Alcove application.

3. Set up your HTTP proxy tool to spoof the `/trial` endpoint response as described above.

4. Monitor the console output for logs indicating the patch status and verification function calls.

## Notes

- The offset `0x197f0` is specific to the target application version. If the application is updated, this offset may change, requiring you to update the script.
- Spoofing HTTP responses may require additional configuration depending on the application's network setup (e.g., SSL pinning bypass).
- Ensure you have legal permission to modify and analyze the application, as unauthorized tampering may violate terms of service or local laws.

## Troubleshooting

- **Function Replacement Fails**: Verify the offset `0x197f0` is correct for your application version. Use a disassembler like Ghidra or IDA to find the correct offset.
- **HTTP Spoofing Fails**: Ensure your proxy tool is correctly intercepting traffic and that the response matches the expected JSON format exactly.
- **Frida Errors**: Ensure Frida is properly installed and that the target application is running on a compatible device or emulator.
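Review bot: the Notes section says the `0x197f0` offset is specific to the target application version, but nowhere in this README is that version (or the build/hash of the binary it was resolved against) recorded, so the warning cannot be acted on; state it beside the offset in Script Details step 2. Style: the proxy tool list in Prerequisites is repeated word for word in step 1 of the spoofing steps; keep one and refer to it from the other.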
18
frida.js
Normal file
@ -0,0 +1,18 @@
function main() {
const mainModule = Process.mainModule;
const baseAddress = mainModule.base;
console.log(`[*] Found main module "${mainModule.name}" at base: ${baseAddress}`);
const verificationFuncAddr = baseAddress.add(0x197f0);
console.log(`[*] Applying 'Total Replacement' to function at: ${verificationFuncAddr}`);
try {
Interceptor.replace(verificationFuncAddr, new NativeCallback(function() {
console.log(`\n[+] Total Replacement: Verification function at ${verificationFuncAddr} called.`);
console.log('[*] Total Replacement: Bypassing and returning 1 (true).');
return 1;
}, 'int', []));
console.log('[+] Total Replacement: Patch is active.');
} catch (e) {
console.log(`[!] Total Replacement: Error replacing function: ${e.message}`);
}
}
main();
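Review bot: `0x197f0` in `const verificationFuncAddr = baseAddress.add(0x197f0);` is an undocumented magic number; the README says it is version-specific, so a comment at the constant naming the application version and module it was resolved against is needed. Style: the failure path in the `catch` block reports through `console.log` with only `e.message`; `console.error` is the conventional channel for an error report and keeps it separate from the status lines printed before it.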