Saturday, January 20, 2018
Assassins creed Revelations
So let's look at my setup here:
XT1045, locked up tight
SM-T230, fully rooted test device
Emulators TBD
Currently using two versions of sunshine.apk for testing.
So immediately I have a couple of ideas on how to RE this puppy. The conventional (and perhaps, hopefully, overly difficult) method is illustrated, in part, above.
1. The hard way
- I popped open Wireshark,
- started a SOCKS proxy on my computer,
- changed the network connection on the XT1045 to forward through my computer's local IP:port via the proxy,
- ran sunshine on the device and collected the network data it used.
Unfortunately(?), sunshine reported that I was using an outdated version and directed me to update.
Buuut... Now I've got a TCP stream contained within a pcap file on my computer, which hypothetically contains data hashed via the private key within sunshine.apk.
The next step here is to get past the TLS on that TCP stream, then disassemble sunshine with IDA Pro 6 to start finding the hash, then use that to decode the app stream and figure out exactly what it's sending up to the server (theroot.ninja, in fact). One caveat worth knowing up front: a SOCKS proxy only relays the encrypted bytes, so the capture alone can't be decrypted after the fact; to see plaintext, the device has to trust an interception CA (an intercepting proxy with its cert installed on the phone) or the session keys have to be pulled out of the app at runtime. What the capture does give you without any keys is the handshake: the SNI hostname, the ALPN protocols and the cipher suites the app offers.
> I almost posted my TCP stream here but thought better of it, considering I don't yet know what it contains...
However, I've never disassembled an APK like that, and it occurred to me there may be a far easier way to do this, courtesy of the environment within which theroot.ninja has been forced to code.
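As an added example (this is not code from the original post or from theroot.ninja), here is what can be pulled out of the raw TCP stream with no keys at all: a parser that walks the TLS records of a saved stream (the bytes Wireshark's "Follow TCP Stream" exports as raw) and reads the SNI hostname, ALPN list and cipher suites from the ClientHello. The capture itself is not on the page, so the sample stream is a constructed ClientHello; the only thing taken from the post is the hostname theroot.ninja used as its SNI.

```python
import struct

# Added example, not from the original post: parse the TLS ClientHello out of a
# raw TCP stream to learn SNI, ALPN and offered cipher suites without any keys.

TLS_HANDSHAKE = 22
HS_CLIENT_HELLO = 1
EXT_SERVER_NAME = 0
EXT_ALPN = 16


def tls_records(stream):
    """Yield (content_type, record_version, payload) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, ver, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:      # truncated capture: stop rather than misparse
            break
        yield ctype, ver, body
        off += 5 + length


def parse_client_hello(stream):
    """Return a dict describing the first ClientHello in the stream, or None."""
    for ctype, _ver, body in tls_records(stream):
        if ctype != TLS_HANDSHAKE or not body or body[0] != HS_CLIENT_HELLO:
            continue
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        version = struct.unpack("!H", hello[:2])[0]
        p = 2 + 32                                   # skip client random
        p += 1 + hello[p]                            # session id
        cs_len = struct.unpack("!H", hello[p:p + 2])[0]
        p += 2
        ciphers = [struct.unpack("!H", hello[p + i:p + i + 2])[0]
                   for i in range(0, cs_len, 2)]
        p += cs_len
        p += 1 + hello[p]                            # compression methods
        info = {"version": version, "sni": None, "alpn": [], "cipher_suites": ciphers}
        if p + 2 > len(hello):                       # no extensions block
            return info
        ext_len = struct.unpack("!H", hello[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[p:p + 4])
            p += 4
            edata = hello[p:p + elen]
            p += elen
            if etype == EXT_SERVER_NAME:
                q = 2                                # skip server_name_list length
                while q + 3 <= len(edata):
                    ntype = edata[q]
                    nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:                   # host_name entry
                        info["sni"] = edata[q:q + nlen].decode("ascii", "replace")
                    q += nlen
            elif etype == EXT_ALPN:
                q = 2                                # skip protocol_name_list length
                while q < len(edata):
                    n = edata[q]
                    info["alpn"].append(edata[q + 1:q + 1 + n].decode("ascii", "replace"))
                    q += 1 + n
        return info
    return None


def build_client_hello(host, alpn=("h2", "http/1.1"), ciphers=(0x1301, 0xC02F)):
    """Build a minimal TLS 1.2-style ClientHello (constructed test input, not a capture)."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = (struct.pack("!HH", EXT_SERVER_NAME, len(entry) + 2)
               + struct.pack("!H", len(entry)) + entry)
    protos = b"".join(bytes([len(a)]) + a.encode("ascii") for a in alpn)
    alpn_ext = (struct.pack("!HH", EXT_ALPN, len(protos) + 2)
                + struct.pack("!H", len(protos)) + protos)
    exts = sni_ext + alpn_ext
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
            + struct.pack("!H", len(ciphers) * 2)
            + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs


# Constructed stand-in for the captured stream; the hostname is the one named in the post.
SAMPLE_STREAM = build_client_hello("theroot.ninja")

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE_STREAM))
```

Feed it the raw client-to-server bytes of the real stream and the SNI tells you which host the app talks to and the ALPN whether it is HTTP/2 or HTTP/1.1 under the TLS; the cipher list is also a quick tell for whether the app uses the platform TLS stack or ships its own. Application-data records (type 23) and a stream cut off mid-record both return None instead of a misparse.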
2. The smart way(?)
Here's my current plan:
Run sunshine.apk inside an emulator/sandbox, determine exactly what it's pulling from the XT1045 data-wise, figure out what it's receiving, and determine what it's using for license verification (and whether we're lucky enough to only be dealing with Google Play LVL).
However, there are a BUTTLOAD of potential pitfalls here if the devs coded against this, which is very easy to do: an app can tell it is in an emulator from things like the build fingerprint or the ro.kernel.qemu property, and it can tell it is on a rooted device from an su binary, and then quietly behave differently. They could presumably brick my device after all my tests indicate that my cr*ck has succeeded completely. But hell, let's try it.
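Before dropping the APK into an emulator, a cheap first pass is to look at what the dex code references. As an added example (not code from the post or from theroot.ninja), the scanner below opens an APK as the zip it is, reads every classes*.dex, and checks for strings that indicate Google Play LVL use and for the emulator and root checks an app would need if it "coded against" analysis. The marker lists are my own assumptions, and the APK it runs on here is a constructed zip with a fake classes.dex, since the real sunshine.apk is not on the page.

```python
import io
import re
import zipfile

# Added example, not from the original post: triage an APK's dex files for
# Google Play LVL usage and for emulator/root detection strings. Raw byte search
# over classes*.dex, so no decompiler is needed. Marker lists are assumptions.

MARKERS = {
    "lvl": [
        b"com/android/vending/licensing",                     # LVL library class path
        b"com.android.vending.licensing.ILicensingService",   # bind intent, a string literal
        b"LicenseChecker",
    ],
    "emulator_checks": [b"ro.kernel.qemu", b"goldfish", b"ranchu", b"google_sdk", b"generic_x86"],
    "root_checks": [b"/system/xbin/su", b"/system/bin/su", b"test-keys", b"Superuser.apk"],
}


def scan_apk(apk_bytes):
    """Return {category: [markers found]} across every classes*.dex in the APK."""
    found = {k: [] for k in MARKERS}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        dex_names = [n for n in z.namelist() if re.fullmatch(r"classes\d*\.dex", n)]
        for name in dex_names:
            blob = z.read(name)
            for cat, markers in MARKERS.items():
                for m in markers:
                    s = m.decode("ascii")
                    if m in blob and s not in found[cat]:
                        found[cat].append(s)
    return found


def build_sample_apk():
    """Constructed stand-in APK: a zip whose fake classes.dex carries a few strings."""
    fake_dex = (b"dex\n035\x00" + bytes(24)
                + b"Lcom/android/vending/licensing/LicenseChecker;\x00"
                + b"ro.kernel.qemu\x00goldfish\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"")
        z.writestr("classes.dex", fake_dex)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_apk(build_sample_apk()))
```

On a real APK, expect ProGuard to have renamed the LVL classes, so the class-path markers may be missing; the ILicensingService intent action and the system property names are string literals the runtime looks up by value, so those survive obfuscation and are the more reliable tell. An empty result is not proof of absence (strings can be built at runtime or hidden in native libs), but a hit is a direct pointer to where to start in the decompiled code.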
Next post will elaborate on what exactly we need to unlock this damn bootloader.