Account verification #31

Closed
gaurav-stepin opened this issue Jun 15, 2017 · 36 comments

Comments

@gaurav-stepin

Hello There,

Issue

I cloned the latest package and tested it, but when I use the verify account call I get the following error

(500, {u'metadata': None, u'error': u'Invalid Version: 4.47'})
...

Environment

As mentioned, I cloned the latest package, which is 4.47. That version is also mentioned in the error, so I'm not sure why it is giving this error.

Output of commands 
pip show jodel_api

Name: jodel-api
Version: 1.1.6
Summary: Unoffical Python Interface to the Jodel API
Home-page: https://github.com/nborrmann/jodel_api
Author: Nils Borrmann
Author-email: [email protected]
License: MIT
Location: /usr/local/lib/python2.7/dist-packages/jodel_api-1.1.6-py2.7.egg
Requires: requests, future, mock

pip -V
pip 9.0.1 from /home/jaldip/.local/lib/python2.7/site-packages (python 2.7)

python -V
Python 2.7.12

python -c "import jodel_api; print(jodel_api.JodelAccount.version); print(jodel_api.JodelAccount.secret)"
4.46.3
NtvKysLpomvFvDcZJMEhJrCDhaLRtcPFvspSMwZD

Thanks

@nborrmann
Owner

The captcha verification method has been removed in version 4.48. (see also #22)

Now you can only verify an account using Google Cloud Messaging. This should be reversible as well, but I didn't have the time to look at that yet.

@donmahallem

I currently don't see how this can be "easily" reversed, as you will have to get a valid InstanceID from Google's servers and you will (probably) need the server secret from Jodel.

@nborrmann
Owner

Worst case is we need a dummy android app that runs on a phone and talks to the gcm-servers to verify the account. But I believe it should be possible to do that without an actual device.

We need the gcm ApiKey and an InstanceId (probably the deprecated push_token would still work as well). We can pull the apiKey from the apk. InstanceId, I don't know yet, I haven't looked at the gcm libs yet.

What worries me more at the moment is that they changed the hmac request signing method. Look at the pull request for 4.48, registering an account works, but posting doesn't. Maybe they have different keys for different api methods now. I don't have any experience reverse engineering C code, so any help here is appreciated.

@nborrmann nborrmann changed the title 500, {u'metadata': None, u'error': u'Invalid Version: 4.47'} Account verification Jun 15, 2017
@donmahallem

I can give it a try but yeah, looks like it is now shuffling based on path too somehow.

@nborrmann
Owner

FYI

Here's some discussion on reverse engineering libhmac.so:
https://bitbucket.org/cfib90/ojoc/issues/14/keep-up-with-hmac-key-changes

And an archive of all apks since 4.40:
https://github.com/nborrmann/jodeldecompile/tree/master/apks

Looking at the diff of libhmac between 4.47 and 4.48 might be interesting.

@donmahallem

donmahallem commented Jun 15, 2017

My assembly is quite rusty but I am making progress.

Got it disassembled and I believe I got a/the secret at least: swbBCdBLdtvSqgflkjyrvVwiVHMZSQDQzQWsPiMg (not tested yet)

The sign function is giving me headaches, but for the other one at least I know the parameters.

saltHash = SHA1 hash of the signed APK's signature
paramRequest = UpperCase(HttpMethod) + "@" + HttpPath => POST@/api/user
paramString = looks like the old hmac content, but with the Authorization header content added if present

def sign(saltHash, paramRequest, paramString)

@ioncodes
Contributor

I will reverse it as soon as I get some time for it. @donmahallem Can you tell us your steps?

@nborrmann
Owner

I just figured this out a bit. The problem isn't with the key, or the native signing function. The key from PR #33 is correct and working.

But as soon as we log into a verified account with v4.48 it becomes unverified again (and also can't be downgraded to 4.47).
So the solution is: Hopefully you have a few old verified accounts lying around, if you never use them with 4.48 they will continue to work.
As for verifying new accounts we need to work on the GCM verification. (I have done some progress there but it is harder than expected).

@ioncodes
Contributor

@nborrmann Thanks for the information! Can you open a new repo for the GCM reversing, so I could contribute to it?

@nborrmann
Owner

I haven't really coded anything, just looked at mitm traffic, decompiled source and documentation. But I'll open a repo and document the stuff in the readme.

@nborrmann
Owner

Here's what I have so far:

https://github.com/nborrmann/gcmreverse

Please feel free to send pull requests.

@nborrmann
Owner

Boom!

>>> j.version
4.48
>>> j.get_user_config()[1]['verified']
True

@nborrmann
Owner

Update: I've got everything working pretty stable. Gonna post it to a branch on this repo soon.

@ioncodes
Contributor

nice!

@nborrmann
Owner

Tested, merged and published.

Kinda ironic that it's now easier than before to verify accounts ˙ ͜ʟ˙

@donmahallem

Nice. Well done and thank you for the work

@guitar9

guitar9 commented Jan 2, 2018

@nborrmann
Do you use a mitm proxy? When I am listening on port 443 through the mitm proxy I just see HTTP traffic. But when I open the Jodel app I can't connect and don't see the traffic.

@nborrmann
Owner

I mostly use Fiddler. But the GCM connection isn't an HTTP request, that's just a TCP socket (an encrypted one). It won't show up in HTTP proxies. You can try Wireshark or Message Analyzer, but setting up SSL/TLS decryption is kinda hard for these programs.

@guitar9

guitar9 commented Jan 17, 2018

@nborrmann
Do you know how I can solve this problem? I can't see the traffic from Jodel.


@ioncodes
Contributor

ioncodes commented Jan 17, 2018

@gitarre94 You have to activate HTTPS decryption.

@guitar9

guitar9 commented Jan 17, 2018

yes

@guitar9

guitar9 commented Jan 17, 2018

Should I use a transparent proxy?

@guitar9

guitar9 commented Jan 17, 2018

It does not work with most Android applications...

@ioncodes
Contributor

@gitarre94 What do you mean? Fiddler generally works for all applications. It won't work if they implemented some sort of certificate pinning.
However, I don't see why a transparent proxy would help. If they implemented cert pinning, then you gotta remove that part from the app itself.

@guitar9

guitar9 commented Jan 17, 2018

Ok. I think that they use cert pinning. How can I remove that part from the app?

@ioncodes
Contributor

@gitarre94 Reverse Engineering

@guitar9

guitar9 commented Jan 18, 2018

Ok. Should I root my Android device and remove the cert pinning?

http://fiddler.wikidot.com/certpinning

@ioncodes
Contributor

ioncodes commented Jan 18, 2018

@gitarre94 You don't have to root your phone if it's Android. You have to jailbreak iOS if you want to load patched binaries without a developer certificate, unless you sideload the apps, but then you have to re-sign them every week.
Just get the APK, reverse it, patch it and install the patched version on your device. Android doesn't perform any signature checks if "allow 3rd party applications" is activated.
Though there are low-level cert-pinning methods for Android which force you to root the phone, I highly doubt that Jodel is using one of those methods.
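The first step of "get the APK, reverse it, patch it" is finding where the pinning actually lives. The following is an added example, not code from this thread, from jodel_api or from Jodel's app: it walks an apktool-style output tree (smali plus decoded resources) and reports files that contain the usual Android pinning mechanisms (OkHttp's CertificatePinner, a custom X509TrustManager / checkServerTrusted, a network_security_config pin-set, and literal sha256/ pin hashes). The sample tree it scans is constructed in a temporary directory inside the script; none of the class names or hosts are Jodel's.

```python
"""Added example: locate certificate-pinning code in an apktool-decoded APK.

Constructed sample tree, generic Android pinning indicators; not Jodel's code."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Where pinning usually shows up after `apktool d`. These are well-known Android/OkHttp
# identifiers, not anything observed in a specific app.
INDICATORS: dict[str, re.Pattern[str]] = {
    "okhttp_pinner": re.compile(r"Lokhttp3/CertificatePinner"),
    "custom_trustmanager": re.compile(r"Ljavax/net/ssl/X509TrustManager;|checkServerTrusted"),
    "network_security_config_pins": re.compile(r"<pin-set|<pin\s+digest="),
    "pin_hash_literal": re.compile(r"sha256/[A-Za-z0-9+/=]{43,44}"),
}

SCAN_SUFFIXES = {".smali", ".xml"}


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Return, per indicator, the files (relative to root) that match it."""
    hits: dict[str, list[str]] = {name: [] for name in INDICATORS}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in SCAN_SUFFIXES:
            continue
        text = path.read_text(errors="replace")  # smali is ASCII, resources may not be
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits[name].append(path.relative_to(root).as_posix())
    return hits


def build_sample_tree(root: Path) -> None:
    """Constructed stand-in for apktool output: one OkHttp-pinned client, one
    network_security_config with a pin-set, and one unrelated activity."""
    fake_pin = "A" * 43 + "="  # shape of a base64 SHA-256 pin; constructed, not real
    net = root / "smali" / "com" / "example" / "net"
    net.mkdir(parents=True)
    (net / "HttpClientFactory.smali").write_text(
        ".class public Lcom/example/net/HttpClientFactory;\n"
        ".method public static build()Lokhttp3/OkHttpClient;\n"
        "    new-instance v0, Lokhttp3/CertificatePinner$Builder;\n"
        '    const-string v1, "api.example.invalid"\n'
        f'    const-string v2, "sha256/{fake_pin}"\n'
        ".end method\n"
    )
    xml = root / "res" / "xml"
    xml.mkdir(parents=True)
    (xml / "network_security_config.xml").write_text(
        "<network-security-config>\n"
        "  <domain-config>\n"
        "    <domain>api.example.invalid</domain>\n"
        "    <pin-set>\n"
        f'      <pin digest="SHA-256">{fake_pin}</pin>\n'
        "    </pin-set>\n"
        "  </domain-config>\n"
        "</network-security-config>\n"
    )
    ui = root / "smali" / "com" / "example" / "ui"
    ui.mkdir(parents=True)
    (ui / "MainActivity.smali").write_text(".class public Lcom/example/ui/MainActivity;\n")


def demo() -> dict[str, list[str]]:
    """Build the constructed tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for indicator, files in demo().items():
        print(f"{indicator}: {files or '-'}")
```

Against a real decode, call `scan_tree(Path("path/to/apktool-output"))`. An empty result does not prove the absence of pinning: the check may sit in native code, behind obfuscated class names, or in a library the regexes do not know about, so treat hits as the starting point for reading the smali, not as a complete answer.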

@guitar9

guitar9 commented Jan 18, 2018

I have tried to decode the APK with apktool and build it again; after this I re-signed the app.
After installing I get the following screen. Do you know what to do or what I did wrong?

@nborrmann
Owner

nborrmann commented Jan 18, 2018

The key that is used to sign every request (basically the thing we need to change with every release) depends on the app's signature. When you rebuild the app you need to sign it with your own keys and that changes the signature.

You can work around that by hardcoding the original signature into the signing-routine before rebuilding.

You can also use this tool: https://github.com/JesusFreke/smali
It allows debugging any app and live watching and manipulating any variables.
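To make the two halves of this thread concrete, here is an added illustration of how the three-parameter `sign(saltHash, paramRequest, paramString)` donmahallem described and the dependence on the APK signature nborrmann describes above fit together. This is not jodel_api's code and not the native libhmac routine (which the thread never publishes): the secret, the certificate bytes, the field order inside paramString and the `%` join inside sign are all my assumptions, chosen only so the example runs offline. What it does show is why the MAC "shuffles based on path" and why a rebuilt APK signed with your own keystore produces signatures the server rejects until the original signature hash is hardcoded.

```python
"""Added example of an HMAC-SHA1 request-signing scheme shaped like the one discussed
in this thread. All constants are constructed; join format and field order are assumed."""
from __future__ import annotations

import hashlib
import hmac

# Constructed stand-ins. Neither is the real per-release secret nor the real APK
# signing certificate; they exist only so the example runs offline.
SECRET = b"constructed-per-release-secret"
ORIGINAL_APK_CERT = b"constructed DER bytes of the vendor's signing certificate"
RESIGNED_APK_CERT = b"constructed DER bytes of a rebuild signed with your own keystore"


def salt_hash(apk_cert_der: bytes) -> str:
    """saltHash: SHA-1 of the APK signing certificate (as described in the thread)."""
    return hashlib.sha1(apk_cert_der).hexdigest().upper()


def param_request(method: str, path: str) -> str:
    """paramRequest: UpperCase(HttpMethod) + '@' + HttpPath, e.g. 'POST@/api/user'."""
    return f"{method.upper()}@{path}"


def param_string(access_token: str, timestamp: str, query: dict[str, str], body: str) -> str:
    """paramString: the request content covered by the MAC.

    Field set, ordering and the '%' separator are assumptions for this example; the
    thread only says it resembles the old HMAC content plus the Authorization header."""
    sorted_query = "%".join(f"{k}%{v}" for k, v in sorted(query.items()))
    return "%".join([access_token, timestamp, sorted_query, body])


def sign(salt: str, request: str, content: str, secret: bytes = SECRET) -> str:
    """HMAC-SHA1 over the three inputs joined with '%' (assumed join), upper-case hex.

    Because `request` carries method and path, the same body signed for another
    endpoint yields an unrelated MAC ("shuffling based on path")."""
    message = "%".join([salt, request, content]).encode("utf-8")
    return hmac.new(secret, message, hashlib.sha1).hexdigest().upper()


def verify(salt: str, request: str, content: str, signature: str, secret: bytes = SECRET) -> bool:
    """Server-side check; compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(sign(salt, request, content, secret), signature)


def demo() -> dict[str, bool]:
    """Sign one constructed registration request from the original and from a
    rebuilt, re-signed APK, and check it the way the server would."""
    content = param_string(
        access_token="",                   # registration: no token yet
        timestamp="2017-06-15T12:00:00Z",  # constructed
        query={},
        body='{"client_id":"constructed","device_uid":"constructed"}',
    )
    original_salt = salt_hash(ORIGINAL_APK_CERT)   # what the server expects
    resigned_salt = salt_hash(RESIGNED_APK_CERT)   # what a rebuilt app computes
    post_user = param_request("post", "/api/user")

    sig_original = sign(original_salt, post_user, content)
    sig_resigned = sign(resigned_salt, post_user, content)
    sig_other_path = sign(original_salt, param_request("post", "/api/v3/posts/"), content)
    # "hardcode the original signature into the signing routine": the rebuilt app
    # ignores its own certificate and uses the vendor's hash instead
    sig_resigned_hardcoded = sign(original_salt, post_user, content)

    return {
        "original_accepted": verify(original_salt, post_user, content, sig_original),
        "resigned_accepted": verify(original_salt, post_user, content, sig_resigned),
        "resigned_with_hardcoded_salt_accepted": verify(original_salt, post_user, content, sig_resigned_hardcoded),
        "same_body_other_path_differs": sig_original != sig_other_path,
        "signature_is_40_hex": len(sig_original) == 40 and set(sig_original) <= set("0123456789ABCDEF"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The practical consequence is the one stated in the comment: re-signing after `apktool b` changes the salt, every request MAC changes with it, and the server answers as if the key were wrong. Either keep the original signature hash in the patched signing routine, or avoid rebuilding altogether and hook the routine at runtime.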

@guitar9

guitar9 commented Jan 18, 2018

I don't really know what you mean... I only have .smali files. This code is really new to me. Where can I get the original signature? And how can I hardcode the original signature?

@ioncodes
Contributor

@gitarre94 as @nborrmann said, you have to modify the signing routine to use the secret for your apk version. Basically, you have to extract the secret for each update and implement it in your modded function. Either use smali or patch the VM opcodes manually, it's actually not too hard for this situation, since everything is located and bootstrapped at the same location.

@guitar9

guitar9 commented Jan 20, 2018

@ioncodes Which modded function? Where can I find the secret? I just want to see the traffic. I think I have too little knowledge in reverse engineering.

@ioncodes
Contributor

@gitarre94 You have to mod the sign function, you have to teach yourself RE.

@guitar9

guitar9 commented Jan 20, 2018

Can I go this way?

  1. Converting dex file to jar
  2. get the classes
  3. copy and paste it into android studio
  4. debug application on device

@ioncodes
Contributor

@gitarre94 No, you gotta inform yourself first.
