From 5faf981da19b221bbf8e83ec19e9d26b44d0e3aa Mon Sep 17 00:00:00 2001
From: Luki
Date: Fri, 13 Jun 2025 01:06:53 +0000
Subject: [PATCH] Upload files to "/"
---
README.md | 94 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
frida.js | 18 +++++++++++
2 files changed, 112 insertions(+)
create mode 100644 README.md
create mode 100644 frida.js
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..2a33e1e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,94 @@
+# Alcove Script README
+
+## Overview
+
+This script is designed to bypass a verification function in an Alcove application by replacing it with a custom function that always returns `1` (true). The script uses Frida to hook into the application's main module and apply a "Total Replacement" patch to the verification function located at a specific offset.
+
+Additionally, for the script to work fully, the HTTP response from the `/trial` endpoint must be manually spoofed to return a specific JSON payload.
+
+## Prerequisites
+
+- **Frida**: Ensure Frida is installed and configured on your system.
+- **Alcove Application**: The target application must be running and accessible.
+- **HTTP Proxy Tool**: A tool like Burp Suite, Charles Proxy, or mitmproxy to intercept and modify HTTP requests/responses.
+
+## Script Details
+
+The script performs the following actions:
+
+1. Identifies the main module of the Alcove application and its base address.
+2. Locates the verification function at offset `0x197f0` from the base address.
+3. Uses Frida's `Interceptor.replace` to hook the verification function and replace it with a custom `NativeCallback` that logs the call and returns `1` (true).
+
+## Manual HTTP Response Spoofing
+
+For the script to work fully, you must manually spoof the HTTP response from the `/trial` endpoint. The application sends an HTTP request to `/trial` and expects a specific JSON response.
+
+### Expected HTTP Request
+
+The application sends a request to:
+
+```
+POST /trial
+```
+
+### Expected HTTP Response
+
+The response must be a JSON object with the following structure:
+
+```json
+{
+ "uuid": "",
+ "started_at": "9999-12-31T23:59:59+00:00",
+ "active": true
+}
+```
+
+### Steps to Spoof the HTTP Response
+
+1. **Set Up an HTTP Proxy**:
+
+ - Use a tool like Burp Suite, Charles Proxy, or mitmproxy to intercept HTTP traffic from the Alcove application.
+ - Configure your device or emulator to route traffic through the proxy.
+
+2. **Intercept the** `/trial` **Request**:
+
+ - Identify the `POST /trial` request in your proxy tool.
+
+3. **Modify the Response**:
+
+ - Replace the server's response with the JSON payload shown above.
+ - Ensure the HTTP status code is `200 OK` and the `Content-Type` header is `application/json`.
+
+4. **Test the Application**:
+
+ - Run the application with the Frida script injected and the HTTP response spoofed.
+ - Verify that the verification function is bypassed and the application behaves as expected.
+
+## Usage
+
+1. Save the script as `frida.js`.
+
+2. Run the script using Frida:
+
+ ```bash
+ frida -f -l frida.js
+ ```
+
+ Replace `` with the actual path of the Alcove application.
+
+3. Set up your HTTP proxy tool to spoof the `/trial` endpoint response as described above.
+
+4. Monitor the console output for logs indicating the patch status and verification function calls.
+
+## Notes
+
+- The offset `0x197f0` is specific to the target application version. If the application is updated, this offset may change, requiring you to update the script.
+- Spoofing HTTP responses may require additional configuration depending on the application's network setup (e.g., SSL pinning bypass).
+- Ensure you have legal permission to modify and analyze the application, as unauthorized tampering may violate terms of service or local laws.
+
+## Troubleshooting
+
+- **Function Replacement Fails**: Verify the offset `0x197f0` is correct for your application version. Use a disassembler like Ghidra or IDA to find the correct offset.
+- **HTTP Spoofing Fails**: Ensure your proxy tool is correctly intercepting traffic and that the response matches the expected JSON format exactly.
+- **Frida Errors**: Ensure Frida is properly installed and that the target application is running on a compatible device or emulator.
diff --git a/frida.js b/frida.js
new file mode 100644
index 0000000..b04c738
--- /dev/null
+++ b/frida.js
@@ -0,0 +1,18 @@
+function main() {
+ const mainModule = Process.mainModule;
+ const baseAddress = mainModule.base;
+ console.log(`[*] Found main module "${mainModule.name}" at base: ${baseAddress}`);
+ const verificationFuncAddr = baseAddress.add(0x197f0);
+ console.log(`[*] Applying 'Total Replacement' to function at: ${verificationFuncAddr}`);
+ try {
+ Interceptor.replace(verificationFuncAddr, new NativeCallback(function() {
+ console.log(`\n[+] Total Replacement: Verification function at ${verificationFuncAddr} called.`);
+ console.log('[*] Total Replacement: Bypassing and returning 1 (true).');
+ return 1;
+ }, 'int', []));
+ console.log('[+] Total Replacement: Patch is active.');
+ } catch (e) {
+ console.log(`[!] Total Replacement: Error replacing function: ${e.message}`);
+ }
+}
+main();
\ No newline at end of file
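Review bot: `Interceptor.replace` is applied to `baseAddress.add(0x197f0)` with no check that the running binary is the build the offset was taken from, and the README in this same commit says the offset changes between versions, so on any other build the script silently overwrites whatever now lives at that address rather than the verification routine, which can crash the target or "succeed" while bypassing nothing. Before the replace, at least keep the address inside the module, e.g. `if (verificationFuncAddr.compare(baseAddress.add(mainModule.size)) >= 0) { throw new Error('offset 0x197f0 lies outside the main module'); }`, and consider reading a few bytes at `verificationFuncAddr` and comparing them with the prologue seen in the disassembler the offset came from before patching. The `NativeCallback` signature `'int', []` is likewise an assumption — the real function's argument list and return width are not visible in this hunk — so a comment recording where that signature was confirmed would help whoever re-derives the offset. A header comment on `main` naming the target binary and version the offset was taken from, with a reminder to re-derive it after every update, would put the README's caveat where it is actually needed.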