
Alcove Script README

Overview

This script is designed to bypass a verification function in an Alcove application by replacing it with a custom function that always returns 1 (true). The script uses Frida to hook into the application's main module and apply a "Total Replacement" patch to the verification function located at a specific offset.

Additionally, for the script to work fully, the HTTP response from the /trial endpoint must be manually spoofed to return a specific JSON payload.

Prerequisites

  • Frida: Ensure Frida is installed and configured on your system.
  • Alcove Application: The target application must be running and accessible.
  • HTTP Proxy Tool: A tool like Burp Suite, Charles Proxy, or mitmproxy to intercept and modify HTTP requests/responses.

Script Details

The script performs the following actions:

  1. Identifies the main module of the Alcove application and its base address.
  2. Locates the verification function at offset 0x197f0 from the base address.
  3. Uses Frida's Interceptor.replace to hook the verification function and replace it with a custom NativeCallback that logs the call and returns 1 (true).

Manual HTTP Response Spoofing

For the script to work fully, you must manually spoof the HTTP response from the /trial endpoint. The application sends an HTTP request to /trial and expects a specific JSON response.

Expected HTTP Request

The application sends a request to:

POST /trial

Expected HTTP Response

The response must be a JSON object with the following structure:

{
    "uuid": "<your-uuid>",
    "started_at": "9999-12-31T23:59:59+00:00",
    "active": true
}

Steps to Spoof the HTTP Response

  1. Set Up an HTTP Proxy:

    • Use a tool like Burp Suite, Charles Proxy, or mitmproxy to intercept HTTP traffic from the Alcove application.
    • Configure your device or emulator to route traffic through the proxy.
  2. Intercept the /trial Request:

    • Identify the POST /trial request in your proxy tool.
  3. Modify the Response:

    • Replace the server's response with the JSON payload shown above.
    • Ensure the HTTP status code is 200 OK and the Content-Type header is application/json.
  4. Test the Application:

    • Run the application with the Frida script injected and the HTTP response spoofed.
    • Verify that the verification function is bypassed and the application behaves as expected.

Usage

  1. Save the script as frida.js.

  2. Run the script using Frida:

    frida -f <path-to-app> -l frida.js

    Replace <path-to-app> with the actual path of the Alcove application.

  3. Set up your HTTP proxy tool to spoof the /trial endpoint response as described above.

  4. Monitor the console output for logs indicating the patch status and verification function calls.

Notes

  • The offset 0x197f0 is specific to the target application version. If the application is updated, this offset may change, requiring you to update the script.
  • Spoofing HTTP responses may require additional configuration depending on the application's network setup (e.g., SSL pinning bypass).
  • Ensure you have legal permission to modify and analyze the application, as unauthorized tampering may violate terms of service or local laws.

Troubleshooting

  • Function Replacement Fails: Verify the offset 0x197f0 is correct for your application version. Use a disassembler like Ghidra or IDA to find the correct offset.
  • HTTP Spoofing Fails: Ensure your proxy tool is correctly intercepting traffic and that the response matches the expected JSON format exactly.
  • Frida Errors: Ensure Frida is properly installed and that the target application is running on a compatible device or emulator.