Easy Hack: How to find potential vulnerabilities and hardcoded data in an Android application. WhatsApp Sniffer: description of the program and how to protect yourself Free hack how to use the program


Disclaimer: everything written below is written solely for educational and research purposes, and to understand the mechanisms of protection against hacking. Under no circumstances does the author recommend using this information to hack programs.

In this article I want to talk about three and a half main ways of hacking .NET programs. My goal is to help developers better understand the security mechanisms of their programs, i.e. to identify the most obvious threats and take appropriate action (or not).

I won't go into details or use complex hacking tools. Everything is described “for dummies”, i.e. all the tools are simple, easily accessible and free, including the main decompiler for .NET programs, Reflector.

As a guinea pig I chose a regular expression analyzer. The program is free and its license does not seem to say anything about hacking, but without registration it only works for 60 days. In other words, the harm from hacking this program is minimal, and its internal structure is very well suited for training. I hope the author of the program will not be offended by me.

MSIL is something like an assembler, only very smart and with very powerful instructions. In principle it is a language on an equal footing with C#, only with worse syntax (and more possibilities). In addition, a .NET program actively uses metadata, i.e. all information about classes, methods, properties, attributes and everything else is saved in the executable file.
That is, “decompiling” a program is not quite the right term here. Everything is already in the open, and tools like Reflector merely map MSIL constructs onto the corresponding constructs of C# or another language to improve the readability of the code.

Let's move on to the actual hacking.

0. Trial reset

Strictly speaking, this is not even a hack, but a semi-legal way to extend the life of an unactivated program. It consists of finding the place where the date of first launch is stored and changing or deleting it. After that the program can be used again until the next deadline.

Let's look at our test subject in Reflector:
After walking through the code a little, we find an interesting line in the MainForm constructor:

Open the registry editor, go to HKEY_CURRENT_USER\Software\Ultrapico\Expresso and see the following keys:

We delete them and get another 60 days of work.

This variant is of course simple and obvious, but even if it were more complicated, it would only take a little more time in Reflector to find all the places where the information is written and clear them.

Advice to developers who will try to write data to a hidden place: write carefully, otherwise everything can turn into problems for ordinary users who for some reason do not have this place, or do not have sufficient rights to it.

1. Writing keygen

The most terrible option for the developer, and the most pleasant for the malicious end user. The program considers itself licensed, and no scary gestures are needed.

We open Reflector and look for classes whose names contain License or Registration, and we see:

When a name and code are entered, a hash is calculated from the name and compared with the code.

This hash uses DES and all sorts of prefixes:

The bytes are converted into a string using this method:

Now everything is clear: open the IDE and copy all the necessary pieces of code (or implement them yourself). All that remains is to find out the values of Prefix and Suffix and the parameters of the MyDES implementation. I won't give them here; these are technical details.

As a result, we generate a key for any name and see:

Bingo!

Protection against keygens is simple and obvious: use some form of asymmetric cryptography. That is, make it impossible to generate a valid code without knowing the private key, and keep that key in only one place: with the author of the program.
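A minimal illustration of that advice, added here as an example and not code from the article or from Expresso: the vendor signs the licensee name with an RSA private key, the application ships only the public key and verifies the signature, so the decompiled check contains nothing a keygen could reuse. The class and method names are my own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Signature-based licence scheme (example, not Expresso's code).
// The private key never leaves the vendor; the application embeds only the public key.
public static class LicenseDemo
{
    // Canonicalise the name so "Alice " and "alice" get the same licence code.
    private static byte[] NameBytes(string name) =>
        Encoding.UTF8.GetBytes(name.Trim().ToLowerInvariant());

    // Vendor side: issue a licence code for a name. This runs only at the vendor.
    public static string IssueCode(RSA privateKey, string name)
    {
        byte[] sig = privateKey.SignData(NameBytes(name),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return Convert.ToBase64String(sig);
    }

    // Application side: the code is valid only if it is the vendor's signature over the name.
    public static bool IsValid(RSA publicKey, string name, string code)
    {
        byte[] sig;
        try { sig = Convert.FromBase64String(code); }
        catch (FormatException) { return false; }   // malformed code, not a crash
        return publicKey.VerifyData(NameBytes(name), sig,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    public static void Main()
    {
        using RSA vendorKey = RSA.Create(2048);        // private key stays with the author
        using RSA appKey = RSA.Create();
        // In a shipped application the public key would be a hardcoded constant
        // (e.g. loaded with RSA.ImportFromPem); here we copy only the public half.
        appKey.ImportParameters(vendorKey.ExportParameters(false));

        string code = IssueCode(vendorKey, "Alice");
        Console.WriteLine(IsValid(appKey, "Alice", code));    // True
        Console.WriteLine(IsValid(appKey, "Mallory", code));  // False: code bound to another name
        Console.WriteLine(IsValid(appKey, "Alice", "AAAA"));  // False: forged code
    }
}
```

This stops keygens only; the wrapper and IL-patching approaches described below still apply, because the result of IsValid is just a boolean that the attacker can overwrite.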

2. Using a wrapper

Checking the correctness of a license is quite a troublesome and slow task. Therefore, program developers usually check the license once and then use the resulting flag: valid/invalid (or, optionally, how valid it is, if several types of license with different capabilities are allowed). This can be exploited using the following algorithm:

  1. Indicate to the program that the license has already been verified
  2. Indicate to the program that the license is correct
How to do it? I already mentioned at the beginning that executable files carry metadata; we will use this. Let's see how the program is launched and how the license is checked:

There is nothing interesting in the launch, but the check shows that if the program is already registered, it considers that everything is fine and does no further work to determine whether the license is correct.

Let's use this:
Let's create a new project, add a reference to Expresso.exe and drive it from our own code:

Let's see what happened:

Well, who would have doubted it.

In this case everything turned out to be simple, but if the author of the program had made the public properties private, one would only have had to use Reflection to access them, and everything would have come down to the original problem.

I think it is clear how one can try to protect against this: check the license periodically, look at the environment from which the program is being run, make it impossible to set the required variable.

But all these protections will only lead the attacker to use

3. Physical hacking of the program

Here everything gets serious. The entire program is disassembled into MSIL and then assembled back from it (remember, I wrote that MSIL is a language on a par with C#?). To disassemble we need the ildasm utility from the SDK, and to compile, the ilasm compiler from the .NET Framework.

Launch ildasm, open Expresso.exe and save the dump to an .il file. We find the already discussed IsRegistered method and add a little code of our own (labels omitted):

Then we take ilasm and put everything back together (not forgetting to attach the resources).

What this code does: it sets the required registration name (optional) and returns the status that everything is fine.
To make it clearer, this is how it looks in Reflector, in C#:

That is, it is quite obvious that now everything will be fine:

A little about the MSIL code: it is a stack machine without registers; every operation has the form “push the required number of parameters onto the stack, execute a function that takes that many parameters and pushes the result”. And vice versa: set the value of a variable to what is on the stack. To better understand how this works, I recommend a simple technique: write a small program in a familiar language, compile it, look at what comes out in MSIL and work out the language constructs.
At the same time, some things can be done very elegantly in MSIL; for example, swapping two variables takes 4 nice lines (fewer in C#, but ugly).

What the attacker sacrifices: the program's signature, which is now no longer the author's but his own. In some cases this is a problem, if the program uses many libraries: then the evil hacker will have to disassemble and reassemble all of them, but if he copes with this, he will have “his own” version of the program signed with his own key.

There is actually little protection against all this disgrace: obfuscate, or move part of the logic and security checks into native code.

Conclusion

I think I have shown how easily everything can be broken on .NET if the creator has not made an effort to protect the program. Whether it is worth building protection and spending time and resources on it is for you to decide. Or maybe just make a web-based system, or a free limited version. It's up to the developers.

Sometimes there is a need to find out which bugs have been found in a popular Android application. There can be many reasons for this: from trying to develop the vector further and search for similar vulnerabilities to simple checks for hardcoded data. Let's try to do it; the HackApp + Vulners combination will help us.

HackApp is a shareware toolkit and service for finding bugs in mobile applications. HackApp maintains its own database of discovered vulnerabilities, with detailed descriptions of attack vectors and vulnerable versions. Vulners is a free and open-source search engine for vulnerabilities in various products. In addition to the bugs themselves, Vulners finds and displays related exploits, patches and even news from open sources.

With Vulners and HackApp you can search for vulnerabilities in more than 22,025 top Android apps from the Google Play Store. To search, specify the type type:hackapp in the query. The search results display the title, the number of vulnerabilities by severity level (red circle: critical, yellow circle: moderate, gray circle: note) and information about the application (icon, current version, developer and release date).

The link to an application's vulnerability bulletin looks like https://vulners.com/hackapp/HACKAPP:RU.SBERBANK_SBBOL.APK. The bulletin lists all vulnerabilities with a brief description and indicates which versions of the application are considered vulnerable. A full description of the vulnerabilities is available via the link to the HackApp website.


But the real killer feature is the ability to find applications whose careless developers have hardcoded Amazon AWS credentials inside. The simplest query https://vulners.com/search?query=type:hackapp%20AWS%20credentials will return a whole bunch of such “gems”.


Great, we have the AWS_KEY. Now we also need the AWS_SECRET_KEY. Let's not stop here and take a look at the developers' “home”? 🙂


The vulnerable APK can be conveniently downloaded directly from the HackApp website. Then we unpack it in the well-known way:

java -jar apktool_2.1.1.jar d <app>.apk

Run grep and... voilà! It seems we really found something:

MacBook-Pro:pwner$ grep -R "AKIAI5AWXTYSXJGU55QA" ./
.//smali/com/adobe/air/AdobeAIR.smali:.field private static final TEST_ACCESS_KEY:Ljava/lang/String; = "AKIAI5AWXTYSXJGU55QA"
.//smali/com/adobe/air/AdobeAIR.smali:    const-string v1, "AKIAI5AWXTYSXJGU55QA"

What can I say: pwned in less than 1 minute!

By combining these two tools with a simple full-text search, you can unearth many more shameful secrets of mobile apps :).

Good luck and successful learning!

  1. Remember that when you install a third-party application, you are responsible for the consequences!
  2. By reading someone else's correspondence you are violating their rights, and there is criminal liability for this!
  3. This instruction only describes how attackers read other people's correspondence and in no way calls on you to do so.

What is a “sniffer”? In thieves' jargon this word means a person who can open any safe, even with the rustiest pin. Let's figure out why you would need an application like WhatsApp Sniffer for your computer and phone, which, by the way, can be downloaded from our website.

Why is it necessary?

This utility was created in secret laboratories in America, or at least that's what the developers say. Using the sniffer, you can easily hack any WhatsApp account and gain access to all the secrets of the desired person's correspondence. Of course, you download the program at your own risk; no one is responsible for its bugs and other possible unpleasant moments.

So, according to the developers, the sniffer allows:

  • completely take over the “victim's” account, as if it were your own WhatsApp account;
  • read all user messages;
  • send messages to the user's friends on his behalf;
  • change the photo on your avatar;
  • change status;
  • send and receive files.

How does it work

The utility only works on Android. The developers also assure us that the application is completely safe for the phone.

So, the essence of the sniffer's operation is as follows: every phone has its own unique MAC address, which the utility copies, so the program thinks the login came from a familiar smartphone or other gadget. The sniffer can copy the MAC address in three ways:

  • SMS. A special SMS with a link is sent to the victim. When the victim opens the link, the sniffer penetrates the user's phone and the WhatsApp program, opening access for you.
  • Call. The application calls the victim's phone, and when they answer it penetrates the phone and the application.
  • Wi-Fi. If you are close to the victim and share a Wi-Fi network with them, you just need to launch the sniffer on your phone and enter the victim's number: in a second you will have access to their WhatsApp.

To use the sniffer, just launch the utility, select the method and press “spoof”, a button that lets you detect the phone number of the person you are interested in.

Where to download and how to install

To download WhatsApp Sniffer for Android, you need to type “whatsapp sniffer apk download” into Google, or use the installation file, which you can find on our website. Unfortunately, you won't be able to download WhatsApp Sniffer for iPhone, because it simply doesn't exist for this operating system.

To install the utility on your phone, follow these steps:

  1. Transfer the installation file to your smartphone.
  2. Run it, and it will install normally.
  3. When opening the file, it will ask for permission to access some functions; select “Allow”. That's all: the sniffer is installed on your gadget.

If you can't install the Sniffer, it is recommended to hack it, for which you need to download WhatsApp Hack Sniffer for free in Russian.

How to protect yourself from WhatsApp Sniffer

What to do if you are not a spy but a victim? At the slightest suspicion that your phone is being used by attackers for personal gain, you should delete the WhatsApp application and install it again. In addition, it is recommended:

  • clean your phone using any antivirus;
  • contact the WhatsApp developers so that they can add more serious protection against the penetration of third-party programs into the utility;
  • always check whether the Wi-Fi network you are using is trustworthy. If you have any suspicion that hackers may be connected to it, it is better not to connect to it.
06 February 2013, 09:57

Console boot time is anywhere from 5 seconds to two minutes
(this is a peculiarity of absolutely all Reset Glitch Hack chips)
As for the speed of launching games, games launch quickly and quietly both from an external drive and from the internal one.

File manager for freeboot

XexMenu is a simple shell for launching games from any media; it has a built-in file manager and allows you to launch games and applications with the *.xex extension.
Control buttons: RB or X selects the source (DVD, USB, HDD); Y opens the menu of file operations (copy, paste, cut). The easiest way to launch games and applications for beginners.
How to use it? Very simple.
On the console, go to the “game library” section and launch it (if it is not displayed in the game library, select the demo version).

XexMenu can also be written to a memory card, flash drive or the internal HDD. To do this, launch XexMenu from the disc, press X, select DVD and copy the C0DE9999 folder with all its contents into the content\0000000000000000 (16 zeros) folder of your HDD. That's it; now you can forget about the disc with XexMenu.

HOW TO RUN AN ISO FROM USB?
The file system of the hard drive must be FAT32 only (use Acronis Disk Director for formatting).
Download the Xbox Image Browser program (link below).
Create a folder named GAMES (ALL CAPITAL LETTERS) on your hard drive (or flash drive).
Open the ISO file with the game in Xbox Image Browser.
In the GAMES folder, create a folder with the name of your game.
Now right-click, choose “EXTRACT” and extract all the files into the newly created folder with the name of the game on the USB drive.

After extracting the game, be sure to go to the game folder on the external hard drive and delete the $systemupdate folder.

Now we insert the USB drive into the Xbox 360. Go to the game library. Launch XexMenu. If you copied everything correctly, the games will automatically appear in XexMenu.
Select a game and press A. Enjoy the game!

XexMenu shows the list of games from a hard drive connected via USB.

How to unlock arcades?

Download an arcade game from the Internet. Download the YarisSwap program (link below).
Launch the program. Select the game file (a long string of numbers and letters). Press the red button and wait. That's it, the file is patched. Then take the patched file and put it back into the folder where it was. Then copy this folder to the internal hard drive (read below for how to do this), into the content\0000000000000000\ section.
That's it, we have the full version.

How to copy games over the network:

XexMenu shows the IP address for copying games over the network (it is an FTP server).

XexMenu shows the temperature of the processor and memory and lets you choose a cover to your liking.

(Games are best uploaded using Total Commander or FlashFXP.)

We connect the Xbox 360 to the computer via a local network using the FTP protocol.

There are two ways to copy games over the network:

1) connect directly to the PC (you need to enter IP addresses manually)

2) connect via a router (the router will do everything automatically, provided DHCP is configured on it)

Let's look at the first method in more detail:

connect directly to the PC (you need to enter IP addresses manually)

Connect the network ports of the computer and the Xbox 360 with a patch cord. If one was not included in the kit, it is sold at any computer store.

Turn on the Xbox 360
- go to System Settings
- Network Settings
- Configure Network
- Basic Settings tab
- select manual mode for the IP address settings
- set the IP address to 192.168.0.2
- subnet mask 255.255.255.0
- we don't need a gateway, set it to 0.0.0.0
- save the settings by clicking Done
- run XexMenu and leave it running
- on the PC go to Network Connections
- Local Area Connection properties

Go to the properties of “Internet Protocol TCP/IP”

Enter the IP address and network mask

Click OK
- reboot the PC
- launch Total Commander (you can use any other FTP client)
- press Ctrl+F
- select New Connection
- enter the IP address of the Xbox 360 FTP server and the port number separated by a colon: 192.168.0.2
- login xbox and password xbox

Click OK and connect using the created connection
- now we have access to all storage devices connected to the Xbox 360

Copy games to the section HDD1\content\0000000000000000\

Using Iso2God, you can upload games over the local network we have just created.

How to install games on Freeboot from an ISO image to the ORIGINAL hard drive over the network

Launch the Iso2God program (link below)

If the program starts with an error, disable your antivirus.
When unpacking the archive, the antivirus complained about the xextool.exe program, but there was nothing dangerous in it.
- click Add ISO

In Image Location specify the path to the ISO image
- in Output Location, the path where the converted freeboot result is saved

There are 3 items in the lower drop-down list:
- None: select if we do not need to reduce the image size
- Partial: the image is cut off at the end of the last used sector. Saves 800-1500 MB of hard drive space
- Full: complete rebuild of the image with removal of all empty sectors. You can save the modified image for later use. Gives the best result in size. Takes an additional 5-10 minutes.
- select the settings we need and click Add ISO
- now Convert

For example, the image of the game Saboteur was reduced from 7.29 GB to 5.64 GB with the Full image rebuild mode selected.
- now the result is in Output Location; in my case it is the folder 4541088F (the name is unique for each game). Copy it to the hard drive, in partition3, into the folder HDD1/Content/0000000000000000/ over the local network using FTP.
Don't forget that to copy a game over the network XexMenu must be running on the Xbox 360
(it acts as the FTP server)

Video codecs for watching movies - download

DLC (add-ons for games) and installing patches for games

As for various DLCs and title updates, everything is simple.
We downloaded a DLC, for example for Batman; usually the DLC has a folder 000002. This folder needs to be put into the folder hdd\Content\0000000000000000\4500052, where 4500052 is the folder with the game's unique number. Moreover, the game itself can be stored on a USB HDD, but the DLC for it must be on the console's HDD!

Now about title updates, also known as TU, also known as patches. Everything is also simple: put the unique file into hdd\Cache (4L145C441000.000256 is an example file); no further manipulation is required.
Usually we download the latest update.
Website with the latest title updates -

Programs for PC:

YarisSwap
What for: unlocking arcades and avatar DLC (avatar clothes).
Additionally: can upload content directly to the box via FTP, can change the XUID.

Iso2God
What for: converts games from ISO into a GOD container (Games on Demand).
Additionally: can upload content directly to the box via FTP, can change the icon that will be visible in the dashboard, as well as the game name and description.

Xbox Image Browser
If the program starts with an error, disable your antivirus.
What for: unpacks ISOs.
Additionally: after unpacking, the game needs to be put into x:\Games\game name\ (suitable both for the box's hard drive and for USB flash drives and hard drives). Launch the game via the default.xex file from XexMenu, or from a shortcut in the dashboard if you previously created one in the Quickboot program.

Programs for Xbox 360:

XexMenu
What for: the main program for xbr consoles. Launching games, emulators and other programs, plus a file manager; shows hardware temperatures. FTP server.
Additionally: to connect to the Xbox via FTP, this program must be running on the console. It comes in two forms: an NXE container (drop into content\0000000000000000\C0DE9999\00080000\), whose shortcut appears in the game library\game demos section, and unpacked (launch via default.xex).

NXE2GOD
What it does: converts games installed from a disc into GOD games (the disc is no longer needed to launch).
Additionally: also comes as an NXE container (drop into content\0000000000000000\C0DE9999\00080000\), whose shortcut appears in the game library\game demos section, and unpacked (launch via default.xex).

Updating Reset Glitch Hack (new freeboot) to the new dashboard 16197

INTERNET EXPLORER appeared in the new freeboot update 16197

Now you can surf the Internet and view the latest posts on your VKontakte wall right on your Xbox 360 game console

2024 gtavrl.ru.