Some stupid app i pwned on a sunday morning

My bored Sunday morning PWN

Sarodj

Some of my IRC buddies were playing something called Mypetgirlfriend (I know, right..). They were bragging about how high their level was and how many videos they unlocked.

So I thought, hey, let's check out what all the fuss is about. And so my little adventure started...

I jumped to my Blackmart app and downloaded and installed the APK. Of course I set some restrictions with XPrivacy just to be sure ;)

So I ran the app. And OH MY GOD what the fuck is this... how pathetic...

I hope these guys were doing this for fun.

So I wanted to check out the vid thingy they were talking about, anddd dammit. You need to do some kind of leveling. I'm not into this shit, I'm an IT guy and I want a quick profit so.....

So I went to the folder where appdata is commonly stored and found some config files. I tweaked some game values like the user points, energy, fullness, hygiene, love and comfort.

I also set my user level to 1337 :)

I unlocked all the videos and can watch anything I want within a few minutes of poking around. What I did notice is that it downloaded the videos from an external source.

But the story did not end here :)

PROFITTTT

So I tried the changing clothes option. It turned out that only the casual was free. By this time I had told my IRC buddies about my pwn and they said I should hack the app in such a way that the bikini clothes are activated.

So I had this idea that the data is not stored locally but on an external server. I know this because all the movies in the movie shop are being downloaded. It is time for some tcpdump magic >:)

So I installed tcpdump on my phone and started a capture through an ADB shell. Simultaneously I downloaded a video from the video store to see where the app is downloading its videos from.

I copied the PCAP capture to my desktop for further analysis.

Wireshark did give back a URL so I decided it was time to download the bikini clothes video. The only problem was that I did not know the filename of the video, so I was hoping for a directory listing.

But no directory listing was given that day... FUCK

So now I have to pull the APK from my phone and reverse engineer it in order to find the video IDs.

After I poked around a bit I found a file with a lot of video names in it. I decided to filter the list with some commands and write a script to download them all.

Did exactly that...

Executing and downloading

And I found the bikini videos :). The only thing I have to do is push them to my phone and change the config.

PROFITTTT

But what ID to put in the config?

I messed around a bit with grep and found out that the current video has the video name v004111.mp4. The USER_DRESS int is 14111. Now let's change that to the bikini video ID of v00(4411).mp4.

Changed it and p00f. I have absolutely no life. But it was fun :)

+ I can brag about it @ my IRC buddies

PROFITTTT