charleywright / spotify-analyze-v2

5 stars 1 forks source link

Suddenly not seeing MercuryReq's in terminal with ADB, Bluestacks. #6

Open maximilianosinski opened 9 months ago

maximilianosinski commented 9 months ago

I saw the MercuryReq's before, suddenly i cant see them anymore, any idea?

charleywright commented 9 months ago

Which were you seeing? Nothing has changed recently, so unless Spotify changed a feature flag I don't see why they wouldn't be logged

maximilianosinski commented 9 months ago

The handshake, authentication, MercuryReq's for stream reporting, now i see none. Im using latest script and spotify apk

maximilianosinski commented 9 months ago

any idea? still not showing

charleywright commented 9 months ago

Could you upload/link the APK and show the output of the injector? If absolutely nothing is showing then the hooks probably failed

maximilianosinski commented 9 months ago

its the APK from the google play store.

Target: android
Executable: com.spotify.music
Binary: \\?\C:\Users\maxim\Documents\spoti\spotify-analyze-v2\needle\injector\target\release\liborbit-jni-spotify.so
Found ELF relocation 0x0000000000-0x00010641e0 -> 0x0000000000-0x00010641e0 (0x0000000000 - 0x0001065000)
Found ELF relocation 0x0001065000-0x000113b488 -> 0x0001065000-0x000113b488 (0x0001065000 - 0x000113c000)
Found ELF relocation 0x000113b488-0x0001168ab8 -> 0x000113c488-0x000119c7e0 (0x000113c000 - 0x000119d000)
Detected JNI for arm64-v8a
Found server public key at liborbit-jni-spotify.so:0x0000309138 Offset: 0x0000309138 Address: 0x0000309138
Found shannon constant at liborbit-jni-spotify.so:0x0000efa228 Offset: 0x0000efa228 Address: 0x0000efa228
Found shannon constant at liborbit-jni-spotify.so:0x0000efa898 Offset: 0x0000efa898 Address: 0x0000efa898
Found shannon constant at liborbit-jni-spotify.so:0x0000efc130 Offset: 0x0000efc130 Address: 0x0000efc130
Found function prologue at liborbit-jni-spotify.so:0x0000efa924 Offset: 0x0000efa924 Address: 0x0000efa924
Found function prologue at liborbit-jni-spotify.so:0x0000efb518 Offset: 0x0000efb518 Address: 0x0000efb518
Using offsets:
 - shannon_offset1:   0x0000efa924
 - shannon_offset2:   0x0000efb518
 - server_public_key: 0x0000309138
Found package.json at C:\Users\maxim\Documents\spoti\spotify-analyze-v2\needle\package.json
Using script dir C:\Users\maxim\Documents\spoti\spotify-analyze-v2\needle
v21.5.0
Der Befehl "yarn" ist entweder falsch geschrieben oder
konnte nicht gefunden werden.
10.2.4
Der Befehl "yarn" ist entweder falsch geschrieben oder
konnte nicht gefunden werden.
Running command `"node" "C:\\Users\\maxim\\Documents\\spoti\\spotify-analyze-v2\\needle\\bootstrap.js" "--platform" "android" "--exec" "com.spotify.music" "--" "serverKey=0x309138" "shnAddr1=0xefa924" "shnAddr2=0xefb518"`
Spawned process 5037
[STATUS] Injected into process. Got arguments:
{
  "serverKey": "0x309138",
  "shnAddr1": "0xefa924",
  "shnAddr2": "0xefb518"
}
[STATUS] Hooked dlopen

[INFO] android_dlopen_ext(/system/framework/oat/x86_64/org.apache.http.legacy.odex, 0 | RTLD_NOW, 0x7ffd6f347ed0)

[INFO] android_dlopen_ext(/data/app/~~i4dCf7Z54dkyZb3igcXAGg==/com.spotify.music-shjGOJ_OwFC4Htj-d9Py6A==/oat/x86_64/base.odex, 0 | RTLD_NOW, 0x7ffd6f348030)
[INFO] android_dlopen_ext(/data/app/~~i4dCf7Z54dkyZb3igcXAGg==/com.spotify.music-shjGOJ_OwFC4Htj-d9Py6A==/oat/x86_64/split_comscore_dynamic_wrapper.odex, 0 | RTLD_NOW, 0x7ffd6f348030)
[INFO] android_dlopen_ext(/system/framework/oat/x86_64/com.android.media.remotedisplay.odex, 0 | RTLD_NOW, 0x78c6bbe79a50)
[INFO] android_dlopen_ext(/system/lib64/arm64/nb/libtcb.so, 0 | RTLD_NOW, 0x7ffd6f3468f0)

[INFO] android_dlopen_ext(/system/framework/oat/x86_64/com.android.location.provider.odex, 0 | RTLD_NOW, 0x78c6bbe79a50)
[INFO] android_dlopen_ext(/data/dalvik-cache/x86_64/data@downloads@com.android.chrome@base.apk@classes.dex, 0 | RTLD_NOW, 0x78c6a59cd890)RTLD_NOW, 0x78c6bbe79bb0)
[INFO] android_dlopen_ext(libmonochrome.so, 0 | RTLD_NOW, 0x78c6a59cf330)
[INFO] android_dlopen_ext(/data/downloads/com.android.chrome/base.apk!/lib/x86_64/libmonochrome.so, 0 | RTLD_NOW, 0x78c6a59ce550)
[INFO] android_dlopen_ext(/system/lib64/libwebviewchromium_plat_support.so, 0 | RTLD_NOW, 0x78c6a59ce750)
[INFO] android_dlopen_ext(/data/app/~~TFHicueX9tBl_XAP92_T-Q==/com.google.android.gms-0P5Nq3xtrU0AvwBCOdG18w==/oat/x86_64/split_DynamiteModulesC.odex, 0 | RTLD_NOW, 0x7ffd6f346220)
charleywright commented 9 months ago

Do you see the following lines after the ones you posted?

[STATUS] Spotify JNI loaded at 0x742361c000                                                                                             
[STATUS] Hooking shannon functions                                                                                                      
[STATUS] Determined {0x7424516924 liborbit-jni-spotify.so!0xefa924} is shn_encrypt                                                      
[STATUS] Determined {0x7424517518 liborbit-jni-spotify.so!0xefb518} is shn_decrypt                                                      
[STATUS] Hooked shannon functions

If not then the script is failing to detect the library or it isn't being loaded. To check, you can run the following to spawn the app using frida:

frida -U -f com.spotify.music

Then once it finishes loading you can run this:

Process.enumerateModulesSync().filter(mod => mod.name.toLowerCase().includes("spotify"))

That should output the library, if it outputs an empty array then run the following and upload the output to hastebin then I'll take a look:

Process.enumerateModulesSync()
maximilianosinski commented 9 months ago

it says frida not found, but the frida-server is running,

charleywright commented 9 months ago

You will need to install frida-tools, you can use pip or follow the installation guide:

pip install frida-tools
maximilianosinski commented 9 months ago

on the emulator or on my machine?

charleywright commented 9 months ago

on your machine

maximilianosinski commented 9 months ago

when i execute your commands for e.g: Process.enumerateModulesSync() i get a massive array.

maximilianosinski commented 9 months ago

and this one empty: Process.enumerateModulesSync().filter(mod => mod.name.toLowerCase().includes("spotify"))

charleywright commented 9 months ago

Could you copy the result of Process.enumerateModulesSync() and upload it to hastebin?

maximilianosinski commented 9 months ago

https://hastebin.skyra.pw/igidodizix.json

charleywright commented 9 months ago

I've never seen that before, very interesting. Since the play store moved to split APKs there is no way to (easily) send one file that I can debug with, however if you want you could pull then upload all of the parts. Alternatively uninstall spotify and use an APK from e.g. uptodown.

If you want to pull and upload the play store parts, first find where they are:

adb shell pm path com.spotify.music

Which should give something like this:

package:/data/app/~~k5OtHVfrK7Xr-x_xRMaIDA==/com.spotify.music-rTKPV6IL4OiIDZtJjnwRmQ==/base.apk
package:/data/app/~~k5OtHVfrK7Xr-x_xRMaIDA==/com.spotify.music-rTKPV6IL4OiIDZtJjnwRmQ==/split_comscore_dynamic_wrapper.apk
package:/data/app/~~k5OtHVfrK7Xr-x_xRMaIDA==/com.spotify.music-rTKPV6IL4OiIDZtJjnwRmQ==/split_config.arm64_v8a.apk
package:/data/app/~~k5OtHVfrK7Xr-x_xRMaIDA==/com.spotify.music-rTKPV6IL4OiIDZtJjnwRmQ==/split_config.en.apk
package:/data/app/~~k5OtHVfrK7Xr-x_xRMaIDA==/com.spotify.music-rTKPV6IL4OiIDZtJjnwRmQ==/split_config.xxhdpi.apk

You can then pull each of the parts:

adb pull /data/app/~~k5OtHVfrK7Xr-x_xRMaIDA==/com.spotify.music-rTKPV6IL4OiIDZtJjnwRmQ==/base.apk
# Repeat for all parts

Finally upload them somewhere and share the link as an archive or folder

maximilianosinski commented 9 months ago

i tried it with both, still the same results.