mangledbottles / Musically-API

TikTok Reverse Engineered Private API (Previously Musically App)
MIT License

Null response #1

Open ghost opened 6 years ago

ghost commented 6 years ago

Hello! (First, sorry for my bad English; it is not my native language.) I am making a simple "bot" to save Musical.ly videos. I tried using Charles Proxy to see how the Musical.ly API works, but there was no information about calls to the API in Charles (even with SSL pinning disabled by using Inspeckage + Emulator).

I do not use/like PHP. For me it is hard. (I really prefer C#; for me it is much easier to read.) I wanted to port your library to a C# DLL (and add it as a repo), but your lib does not work :(

When I run login.php from my local webserver it returns this:
Notice: Undefined offset: 7 in M:\MySQL\htdocs\Musically-API-master\src\musically.php on line 63

Notice: Undefined offset: 1 in M:\MySQL\htdocs\Musically-API-master\src\musically.php on line 64

Notice: Undefined offset: 3 in M:\MySQL\htdocs\Musically-API-master\src\musically.php on line 65

Notice: Undefined offset: 8 in M:\MySQL\htdocs\Musically-API-master\src\musically.php on line 67

Notice: Undefined offset: 3 in M:\MySQL\htdocs\Musically-API-master\src\musically.php on line 68

Notice: Undefined offset: 12 in M:\MySQL\htdocs\Musically-API-master\src\musically.php on line 71

Notice: Trying to get property of non-object in M:\MySQL\htdocs\Musically-API-master\src\musically.php on line 237
{"success":null,"full_response":null}

The last line says that the response from the Musically API is null. So what did I do wrong? I tried your test account Jessica and my two test accounts, and it still won't work - always response==null. After running login.php I tried searchuser.php, but at the end of the printed error message I could read that the response is null. Please fix it or explain to me what I did wrong... sorry - maybe it's a n00b question and my setup is bad. Thanks for your time.

Edit: I use Xampp, and M:\MySQL\htdocs is the root of my webserver.

mangledbottles commented 6 years ago

Hello! I haven't tested the API in a while so it may be outdated... I will check it tomorrow, it may also be a problem that the account you tested with doesn't work!

Regards ;)

ghost commented 6 years ago

Hello! Did you find what causes this error? If you want, I can give you the password to my test account.

Best regards!

mangledbottles commented 6 years ago

Hello, I just checked it there, they seem to have changed the way they are hashing requests now. The login still returns a hash, but it's in a different format and with fewer parameters (which is what gave you the offset errors). I am unsure if this will affect the rest of the code yet. I will look into it.

Regards

dfuse-dev commented 6 years ago

Try replacing these in src/musically.php file:

$dexplore = explode('=', $data[7]); with $dexplore = explode('=', $data[6]);

and

$dexplore1 = explode('"', $data[8]); with $dexplore1 = explode('"', $data[7]);

ghost commented 6 years ago

Still that:


Notice: Undefined offset: 6 in M:\MySQL\htdocs\Musically-API-master\src\musically.php on line 63

Notice: Undefined offset: 1 in M:\MySQL\htdocs\Musically-API-master\src\musically.php on line 64

Notice: Undefined offset: 3 in M:\MySQL\htdocs\Musically-API-master\src\musically.php on line 65

Notice: Undefined offset: 7 in M:\MySQL\htdocs\Musically-API-master\src\musically.php on line 67

Notice: Undefined offset: 3 in M:\MySQL\htdocs\Musically-API-master\src\musically.php on line 68

Notice: Undefined offset: 12 in M:\MySQL\htdocs\Musically-API-master\src\musically.php on line 71

Notice: Trying to get property of non-object in M:\MySQL\htdocs\Musically-API-master\src\musically.php on line 237
{"success":null,"full_response":null}


Maybe we could move to a more "debuggable" language such as C#? In .NET you can set breakpoints and see all variable values + run step by step ;) I'm a C# developer and PHP is for me like Chinese - I can't even read it :( Thanks for the help!

ghost commented 6 years ago

Tomorrow I will try to set up Genymotion and Inspeckage to remove SSL pinning, and then I will send the Charles session file.

scrapewww commented 6 years ago

5

mangledbottles commented 6 years ago

@Enter03 Did you check the API?

ghost commented 6 years ago

@mangledbottles Yes, it worked! They're using a REST API and JSON; I think that the API is very big and quite hard to debug. I used an iPad3,3 (iOS 9.3.5) with the SSLKillSwitch deb file installed and Charles Proxy.

I saw a big file (161KB), "GET: https://api.musical.ly/rest/discover/navigate", that contains some kind of list of endpoints; it could be useful, so I will send it. But I still don't know how login is performed.

Here is navigate.json - https://www.dropbox.com/s/kvjopob4wg95l2h/navigate.json?dl=1 and request that my device made: request.txt

charlie-niekirk commented 6 years ago

This may help, there is a login endpoint returned by the https://api.musical.ly/rest/discover/navigate : /rest/passport/v2/login?___d=eyJhYyI6IlBPU1QiLCJieiI6InVzZXJfbG9naW4iLCJkbSI6IlVTRVIiLCJ2ZXIiOiJkZWZhdWx0In0%3D
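The `___d` query parameter on that login endpoint is percent-encoded base64 wrapping a small JSON object. The decoder below is an added example, not part of the original comment or the project's code; the function name `decode_descriptor` is hypothetical, and the endpoint string is the one quoted above.

```python
import base64
import binascii
import json
from urllib.parse import parse_qs, urlsplit

# Endpoint string exactly as quoted in the comment above.
LOGIN_ENDPOINT = (
    "/rest/passport/v2/login?___d=eyJhYyI6IlBPU1QiLCJieiI6InVzZXJfbG9naW4i"
    "LCJkbSI6IlVTRVIiLCJ2ZXIiOiJkZWZhdWx0In0%3D"
)


def decode_descriptor(endpoint: str, param: str = "___d") -> dict:
    """Return the JSON object carried in the endpoint's descriptor parameter."""
    query = parse_qs(urlsplit(endpoint).query, keep_blank_values=True)
    values = query.get(param)
    if not values:
        raise ValueError(f"no {param} parameter in {endpoint!r}")
    # parse_qs has already turned %3D into '='; it also turns '+' into ' ',
    # which would corrupt standard base64, so undo that.
    raw = values[0].replace(" ", "+")
    raw += "=" * (-len(raw) % 4)  # tolerate stripped padding
    try:
        # altchars lets URL-safe ('-', '_') input decode as well.
        decoded = base64.b64decode(raw, altchars=b"-_", validate=True)
        obj = json.loads(decoded.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"{param} is not base64-encoded JSON: {exc}") from exc
    if not isinstance(obj, dict):
        raise ValueError(f"{param} decoded to {type(obj).__name__}, not an object")
    return obj


if __name__ == "__main__":
    for key, value in decode_descriptor(LOGIN_ENDPOINT).items():
        print(f"{key} = {value}")
```
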


mangledbottles commented 6 years ago

@Enter03 @charlieAndroidDev Thanks for your help! I'm reviewing it atm. I tried to jailbreak my iPhone 8 iOS 11 with Electra to install SSL Kill Switch 2; however, I'm experiencing difficulties. In another issue, someone stated that Musically does not SSL pin their Android app, so it might be worthwhile looking into that. I have loads of iPhones and no Androids!

charlie-niekirk commented 6 years ago

@mangledbottles Yep I can confirm that the latest Android app for both Musically and Lively are not SSL pinned. I can use this packet capture app: https://play.google.com/store/apps/details?id=app.greyshirts.sslcapture&hl=en to capture all requests and responses.

I am now stuck on a very tricky issue, however. The X-Request-Sign5 header used in most requests is an HMAC-SHA1 hash of what I think is the X-Request-Info5 header value. However, I am not sure how the hashing function works, as it is done in the native layer, and I believe the function has been dynamically registered and I cannot find it in any of the native shared object files. More info available here: https://reverseengineering.stackexchange.com/questions/17583/reversing-an-apk-to-replicate-api-x-request-sign5

I’ll try to use remote LLDB to set breakpoints in the native code. I have decompiled the APK and edited the manifest to allow debugging and have seen quite a few interesting logs when the app has been running, I’ll try a bit more and update you on that when I get something good.
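How a server would check a header pair of this kind, as an added example that is not part of the original comment or the app's real scheme. It assumes the signature is a hex-encoded HMAC-SHA1 over the raw X-Request-Info5 value (the comment only suspects this); the key, the sample header value and the function names are constructed for illustration.

```python
import hashlib
import hmac

INFO_HEADER = "X-Request-Info5"
SIGN_HEADER = "X-Request-Sign5"

# Constructed values for the demonstration; not the app's key or header format.
DEMO_KEY = b"constructed-demo-key"
SAMPLE_INFO = '{"os":"android","ts":"1500000000"}'


def sign_info(key: bytes, info: str) -> str:
    """Hex HMAC-SHA1 of the info header value (assumed scheme)."""
    return hmac.new(key, info.encode("utf-8"), hashlib.sha1).hexdigest()


def verify_request(headers: dict, key: bytes) -> bool:
    """Recompute the signature server-side and compare in constant time."""
    # HTTP header names are case-insensitive.
    lowered = {name.lower(): value for name, value in headers.items()}
    info = lowered.get(INFO_HEADER.lower())
    sign = lowered.get(SIGN_HEADER.lower())
    if not info or not sign:
        return False  # fail closed when either header is absent
    expected = sign_info(key, info).encode("ascii")
    presented = sign.strip().lower().encode("utf-8")
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    request = {INFO_HEADER: SAMPLE_INFO, SIGN_HEADER: sign_info(DEMO_KEY, SAMPLE_INFO)}
    print("untouched request:", verify_request(request, DEMO_KEY))
    request[INFO_HEADER] = SAMPLE_INFO.replace("android", "ios")
    print("modified info header:", verify_request(request, DEMO_KEY))
```

Because the signing key has to ship inside the client, a check like this detects modified requests but does not prove which client produced them.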

charlie-niekirk commented 6 years ago

OK, I now know how the X-Request-Sign5 header value is generated after quite a bit of trial and error and static analysis of the smali code from the Android APK. No more obstacles in the way anymore...

awebartisan commented 6 years ago

Hey guys, how is searchuser.php working? It only returns {"success":null,"full_response":null}. Has it changed? How should the username be provided for searching in the code?