$75 - Decrypt Unity mobile game ajax response

[GoTPhonE]

Hi, I'm looking for some help decrying server response data for a mobile game below. Let me know if you guys need any additional info. Thanks!


Game: https://apkpure.com/chain-strike%E2%84% ... oid.common
Sample APTI Responses:

User-Agent: ChainStrike/1.2.6.533 CFNetwork/897.15 Darwin/17.5.0
Connection: keep-alive
Accept: */*
Accept-Language: en-us
Content-Length: 162
Accept-Encoding: br, gzip, deflate
X-Unity-Version: 5.4.4p3

0 {"key":"a958306ec30b918a9cd02e82641354","seq":2}ÑÝ•e7šî4]ï7©<Hè›
olZãS„‡7£¿Q£€n<—Ý* uu$´4€2‹÷niØ&Ù°³Žû;3ªGÙŽMÕÆ|Ens€œõU;Øm
tMiVˆ{¨ãOˆø?¸6¸ë,'ðl^s…þ
HTTP/1.1 200 OK

Date: Mon, 10 Dec 2018 01:21:58 GMT
Connection: keep-alive

K {"key":"a958306ec30b918a9cd02e82641354","seq":"3","error":"200","type":"0"}ÑÝ•e7šî4]ï7©<Hè›
olZãS„‡7£¿Q£€n<—Ý* uu$´4€2‹G7–à…îÁ<˜vká‡W'¼¤Þ¨wÇŠ_¥•ˆB«C£ânû¹?õ×Wc_¼À3»Òé¹¥Rʇá·'žGî7ža:æ
õÇ» ‰Ç º"Õ
òÜÀÊ›-Ë{i7í¿‘A"¹mö¥AM“V#ÜïLµ-14îèE
€2ÎÏCšíÏ×\À•I«ø<œÑèÔ%Þtâ¤J9N~&3;Åù„tò’s„ ¾ßÔÚ¡GõPEäNM‚ì÷â°P.:÷ãÚ<õmÒ¨ÕƁ2ÛqdÖÃ~WUˆÆ‰ÝƒL.¤z ×}‹w¦Kz.;ýVÌeƒÝ¬è¶¦œ®º2š¼µ„ZãXžVJMôâ#Cm]ô÷M]©Ô5—BÚGïÆÒbœrÆŒ­¤OAÁl
M—EÇK¾;·›Ø¬¨Ìù«kÄ;jÏ)UF(_õgñë<¿# Gs+b
»`u•XTCí)Þý±…—‚X^ú/U· ý°ÖÉ8=냥–›vÔ Úº_ÿÜÙÐþêöø­©÷ae—÷¢én Ÿí
ƒH¯ŽíŠ—ä
­´(‹ªÁ3r•=‹7F†%ìŒ3Û
“ò CÓtÂ1'2ÙnLÊùî¹ùpY¹¾*Û_MÂC·¡2LÀ=Ax €jâRšqŒ#
d_ªxd°ÜßšEŸèæb%l…«6‘Ïù§M×$hÔn&å—KKðª€eáI›0ºÂäýPûéÓ Ð`o·%&CJè
jÈgÕ *P;#9Ÿ|­K1D3Œ±-4´¸…êU?uãQnPèŠv
B\Fæ4PË ËBrwš{ÛÞNÌLrÆd/´…“衾—"…Àò¿ÄD:l)¢“—´Á(Èαëq‹’Z’z­ø]bI€I+
ºA•+-R[.xÈA×ëýå{X‹züQhdË"¿ iö+.‡õy´XmP‡[!ÚÙ‚é @Êî'Q˜bDƒþQ=!Ûþ¤ ܉ßXÂӏÛÃÈý½õœ¬Ž†Ûþ32XÄ`)ʼ›äjhz†³;ñ.þ»Ì­
hA,\LÐ3»¤Ú ÜÿJÔƒó2áóq$㉑?ÿû³ûóßðŠJX:g>êÉPïÈôSÈžR+Þë Çš‘æüCóAîNfK7• ¶®4¸Tg¡n]ì.>Îˆ·[ŒçR$Ò¿™ÌäÕ€•'µ<G$sê\n·uø€¿¼=ŒÍdZpµ¡â”ë
°¿Óáùõs+Æ; £%B
^¤òÎœ‰3RÏÛóÄe3‡[Bל—«s_H'Á’.Z'YrU…
ªûbQ~2×}ß[I©jcJºÂ Û±ÿ^(Ã…@Žªx…8ë€uJ—9‰‘"Ø…Šª;ߧ!×R­…X…Ô¤ÕiÚÊÍ,äx´ ÞY™A¤C©¨¬d¨Ìè

[LokiReborn]

Hi, I'm looking for some help decrying server response data for a mobile game below. Let me know if you guys need any additional info. Thanks!


Game: https://apkpure.com/chain-strike%E2%84% ... oid.common
Sample APTI Responses:

User-Agent: ChainStrike/1.2.6.533 CFNetwork/897.15 Darwin/17.5.0
Connection: keep-alive
Accept: */*
Accept-Language: en-us
Content-Length: 162
Accept-Encoding: br, gzip, deflate
X-Unity-Version: 5.4.4p3

0 {"key":"a958306ec30b918a9cd02e82641354","seq":2}ÑÝ•e7šî4]ï7©<Hè›
olZãS„‡7£¿Q£€n<—Ý* uu$´4€2‹÷niØ&Ù°³Žû;3ªGÙŽMÕÆ|Ens€œõU;Øm
tMiVˆ{¨ãOˆø?¸6¸ë,'ðl^s…þ
HTTP/1.1 200 OK

Date: Mon, 10 Dec 2018 01:21:58 GMT
Connection: keep-alive

K {"key":"a958306ec30b918a9cd02e82641354","seq":"3","error":"200","type":"0"}ÑÝ•e7šî4]ï7©<Hè›
olZãS„‡7£¿Q£€n<—Ý* uu$´4€2‹G7–à…îÁ<˜vká‡W'¼¤Þ¨wÇŠ_¥•ˆB«C£ânû¹?õ×Wc_¼À3»Òé¹¥Rʇá·'žGî7ža:æ
õÇ» ‰Ç º"Õ
òÜÀÊ›-Ë{i7í¿‘A"¹mö¥AM“V#ÜïLµ-14îèE
€2ÎÏCšíÏ×\À•I«ø<œÑèÔ%Þtâ¤J9N~&3;Åù„tò’s„ ¾ßÔÚ¡GõPEäNM‚ì÷â°P.:÷ãÚ<õmÒ¨ÕƁ2ÛqdÖÃ~WUˆÆ‰ÝƒL.¤z ×}‹w¦Kz.;ýVÌeƒÝ¬è¶¦œ®º2š¼µ„ZãXžVJMôâ#Cm]ô÷M]©Ô5—BÚGïÆÒbœrÆŒ­¤OAÁl
M—EÇK¾;·›Ø¬¨Ìù«kÄ;jÏ)UF(_õgñë<¿# Gs+b
»`u•XTCí)Þý±…—‚X^ú/U· ý°ÖÉ8=냥–›vÔ Úº_ÿÜÙÐþêöø­©÷ae—÷¢én Ÿí
ƒH¯ŽíŠ—ä
­´(‹ªÁ3r•=‹7F†%ìŒ3Û
“ò CÓtÂ1'2ÙnLÊùî¹ùpY¹¾*Û_MÂC·¡2LÀ=Ax €jâRšqŒ#
d_ªxd°ÜßšEŸèæb%l…«6‘Ïù§M×$hÔn&å—KKðª€eáI›0ºÂäýPûéÓ Ð`o·%&CJè
jÈgÕ *P;#9Ÿ|­K1D3Œ±-4´¸…êU?uãQnPèŠv
B\Fæ4PË ËBrwš{ÛÞNÌLrÆd/´…“衾—"…Àò¿ÄD:l)¢“—´Á(Èαëq‹’Z’z­ø]bI€I+
ºA•+-R[.xÈA×ëýå{X‹züQhdË"¿ iö+.‡õy´XmP‡[!ÚÙ‚é @Êî'Q˜bDƒþQ=!Ûþ¤ ܉ßXÂӏÛÃÈý½õœ¬Ž†Ûþ32XÄ`)ʼ›äjhz†³;ñ.þ»Ì­
hA,\LÐ3»¤Ú ÜÿJÔƒó2áóq$㉑?ÿû³ûóßðŠJX:g>êÉPïÈôSÈžR+Þë Çš‘æüCóAîNfK7• ¶®4¸Tg¡n]ì.>Îˆ·[ŒçR$Ò¿™ÌäÕ€•'µ<G$sê\n·uø€¿¼=ŒÍdZpµ¡â”ë
°¿Óáùõs+Æ; £%B
^¤òÎœ‰3RÏÛóÄe3‡[Bל—«s_H'Á’.Z'YrU…
ªûbQ~2×}ß[I©jcJºÂ Û±ÿ^(Ã…@Žªx…8ë€uJ—9‰‘"Ø…Šª;ߧ!×R­…X…Ô¤ÕiÚÊÍ,äx´ ÞY™A¤C©¨¬d¨Ìè

How did you retrieve that? Are you sure the information isn't just truncated and not encrypted?

[GoTPhonE]

I'm using Fiddler( https://www.telerik.com/fiddler ) proxy server to read in and out traffic of the game. Doesn't seem like the response is truncated because the first one is really short, the 2nd one is longer but not big enough where it needed to be truncated.

there are bigger responses that it is obviously truncated that i could post that we can verify. lmk

[LokiReborn]

I'm using Fiddler( https://www.telerik.com/fiddler ) proxy server to read in and out traffic of the game. Doesn't seem like the response is truncated because the first one is really short, the 2nd one is longer but not big enough where it needed to be truncated.

there are bigger responses that it is obviously truncated that i could post that we can verify. lmk

Can you attach your saz file from fiddler.

[GoTPhonE]

youre are right, they are truncated. whats the best way to combine them and decode?

saz file: https://easyupload.io/2a8n8m

[GoTPhonE]

here are the game's SO files. i have no luck decompiling it. hopefully someone smarter can figure it out.

https://easyupload.io/bpz7sr

[LokiReborn]

youre are right, they are truncated. whats the best way to combine them and decode?

saz file: https://easyupload.io/2a8n8m

Thanks. You can right click on the pane to disable auto truncating, in this case not usually useful however what does help when trying to view it all is the raw export feature. Looking at it in a hex editor it appears the first 2 bytes are a short to specify the length for the json response at the start then all of the additional data follows it afterwards, I did take a quick look at the APK file and it appears the game has been protected with NProtect AppGuard. Sadly mobile debugging isn't really my strong suite but hopefully it will give more context to anyone that might be able to help.

[GoTPhonE]

bump to $75 if anyone can help solving this