# Alcove Script README

## Overview

This script is designed to bypass a verification function in an Alcove application by replacing it with a custom function that always returns `1` (true). The script uses Frida to hook into the application's main module and apply a "Total Replacement" patch to the verification function located at a specific offset. Additionally, for the script to work fully, the HTTP response from the `/trial` endpoint must be manually spoofed to return a specific JSON payload.

## Prerequisites

- **Frida**: Ensure Frida is installed and configured on your system.
- **Alcove Application**: The target application must be running and accessible.
- **HTTP Proxy Tool**: A tool like Burp Suite, Charles Proxy, or mitmproxy to intercept and modify HTTP requests/responses.

## Script Details

The script performs the following actions:

1. Identifies the main module of the Alcove application and its base address.
2. Locates the verification function at offset `0x197f0` from the base address.
3. Uses Frida's `Interceptor.replace` to hook the verification function and replace it with a custom `NativeCallback` that logs the call and returns `1` (true).

## Manual HTTP Response Spoofing

For the script to work fully, you must manually spoof the HTTP response from the `/trial` endpoint. The application sends an HTTP request to `/trial` and expects a specific JSON response.

### Expected HTTP Request

The application sends a request to:

```
POST /trial
```

### Expected HTTP Response

The response must be a JSON object with the following structure:

```json
{
  "uuid": "",
  "started_at": "9999-12-31T23:59:59+00:00",
  "active": true
}
```

### Steps to Spoof the HTTP Response

1. **Set Up an HTTP Proxy**:
   - Use a tool like Burp Suite, Charles Proxy, or mitmproxy to intercept HTTP traffic from the Alcove application.
   - Configure your device or emulator to route traffic through the proxy.
2. **Intercept the `/trial` Request**:
   - Identify the `POST /trial` request in your proxy tool.
3. **Modify the Response**:
   - Replace the server's response with the JSON payload shown above.
   - Ensure the HTTP status code is `200 OK` and the `Content-Type` header is `application/json`.
4. **Test the Application**:
   - Run the application with the Frida script injected and the HTTP response spoofed.
   - Verify that the verification function is bypassed and the application behaves as expected.

## Usage

1. Save the script as `frida.js`.
2. Run the script using Frida:

   ```bash
   frida -f -l frida.js
   ```

   Replace `` with the actual path of the Alcove application.
3. Set up your HTTP proxy tool to spoof the `/trial` endpoint response as described above.
4. Monitor the console output for logs indicating the patch status and verification function calls.

## Notes

- The offset `0x197f0` is specific to the target application version. If the application is updated, this offset may change, requiring you to update the script.
- Spoofing HTTP responses may require additional configuration depending on the application's network setup (e.g., SSL pinning bypass).
- Ensure you have legal permission to modify and analyze the application, as unauthorized tampering may violate terms of service or local laws.

## Troubleshooting

- **Function Replacement Fails**: Verify the offset `0x197f0` is correct for your application version. Use a disassembler like Ghidra or IDA to find the correct offset.
- **HTTP Spoofing Fails**: Ensure your proxy tool is correctly intercepting traffic and that the response matches the expected JSON format exactly.
- **Frida Errors**: Ensure Frida is properly installed and that the target application is running on a compatible device or emulator.