zhuowei / ClubhouseAPI

https://petstore.swagger.io/?url=https://raw.githubusercontent.com/zhuowei/ClubhouseAPI/main/doc/openapi.yaml

Nice work, question about key #3

Open makertech81 opened 3 years ago

makertech81 commented 3 years ago

Awesome repo, I also reverse engineered the api but not the app over the weekend and didn't realize someone else did the same. Curious how you found the Agora app key because that's what was killing me, granted I'm a noob when it comes to reading decompiled app code.

zhuowei commented 3 years ago

It's in the Info.plist...

makertech81 commented 3 years ago

Welp now I feel stupid. Thanks anyways!

zhuowei commented 3 years ago

No worries!

The Info.plist also contains the API endpoint (ROOT_URL): it seems that if you change the endpoint to your own, the app disables certificate pinning, so that might be helpful for dynamic reversing.

I've mostly been using Ghidra, class-dump, and strings to reverse the API: if you have any tips I'd love to hear them.
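Added example, not part of the original thread and not code from this repo: a pre-release check an app team could run on the Info.plist of its own built bundle to list backend endpoints and credential-like values that ship in clear text, as the comment above describes. The sample plist is constructed; only `ROOT_URL` is a key name from the thread, and the other key names, the regexes and the prefix list are assumptions.

```python
import plistlib
import re

# Constructed sample; only ROOT_URL is a key name taken from the thread.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
  <key>ROOT_URL</key><string>https://api.example.com/api</string>
  <key>EXAMPLE_SDK_KEY</key><string>0123456789abcdef0123456789abcdef</string>
  <key>Nested</key>
  <dict><key>PushToken</key><string>placeholder-value</string></dict>
</dict>
</plist>"""

NAME_RE = re.compile(r"key|token|secret|password", re.I)
URL_RE = re.compile(r"^https?://", re.I)
HEX_RE = re.compile(r"^[0-9a-f]{32,}$", re.I)
APPLE_PREFIXES = ("CF", "NS", "UI", "LS", "DT")  # platform keys, skipped by name


def walk(node, path=""):
    """Yield (path, value) for every string leaf in the parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def audit_plist(data):
    """Return (path, kind) findings; values are deliberately not echoed."""
    findings = []
    for path, value in walk(plistlib.loads(data)):
        name = path.rsplit("/", 1)[-1]
        if URL_RE.match(value):
            findings.append((path, "endpoint"))
        elif name.startswith(APPLE_PREFIXES):
            continue
        elif NAME_RE.search(name) or HEX_RE.match(value):
            findings.append((path, "credential-like"))
    return findings


if __name__ == "__main__":
    for path, kind in audit_plist(SAMPLE_PLIST):
        print(f"{kind:16} {path}")
```

Anything it reports is readable by anyone who has the app bundle, so treat those values as public and keep authorization decisions and pinning behaviour from depending on them.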

makertech81 commented 3 years ago

No way, I used that too. I am new to reverse engineering anything, I used Ghidra 'cause it was free :D. I barely understand the assembly, but I have been using strings and searching too. That's a useful tip for the certificate pinning, I jailbroke an iPad to use mitmproxy for this and turn off pinning. Wish I realized you did this too before me, but it was fun learning this stuff nonetheless.

makertech81 commented 3 years ago

Have you figured out where the actual audio stream goes? I'm lost with PubNub cause that's the only stream of requests I see when I join rooms.

zhuowei commented 3 years ago

> where the actual audio stream goes

It's supposed to be powered by Agora's SDK, according to reports online; there's an Agora token in /join_channel but I didn't have an invite (I begged for an invite and got banned on the first login lol) and they no longer allow uninvited users to call that endpoint, so I can't test whether it works.

I do know wongmjane on Twitter got audio streaming working but did not release any details.

makertech81 commented 3 years ago

By the way, I tried logging in on your platform but it says I'm waitlist, when I am not. Not sure why.

makertech81 commented 3 years ago

I'm going to do some testing myself... I found a PubNub and Agora integration example from Agora themselves!

zhuowei commented 3 years ago

> but it says I'm waitlist

fixed.

makertech81 commented 3 years ago

Tried to invite you through the hipster.house but it gave me success false error: ""

makertech81 commented 3 years ago

I think your attempt was clever, but I'm sure that's on the back end and random inside the actual Clubhouse database.

zhuowei commented 3 years ago

@makertech81 Thanks. I guess I don't know how the invite_from_waitlist API works. Maybe I need to do something to my account to get is_onboarding changed from true to false in check_waitlist_status.

makertech81 commented 3 years ago

FYI I figured out how to join the channels with Agora (which opens up some privacy problems) + I found some potential problems with its setup and the API's rate-limiting system (for them protecting from DDoS not the user). It seems Clubhouse is shut down, I wonder if others found the same and abused it.

zhuowei commented 3 years ago

@makertech81 zerforschung has documented how the Agora integration works (https://zerforschung.org/posts/gespraeche-aus-dem-clubhouse/), although I haven't had a chance to replicate this for myself (I started but wanted to look into invites first).

makertech81 commented 3 years ago

Oh cool, I didn't see that post, thanks for sharing. I think their POST requests might have gotten abused. Integrating with Agora and nothing else allowed me to be invisible and listen in with no signs of my presence. Weird and interesting stuff, I did the integration a little bit differently. The invite system is quite weird, I thought maybe invite distribution is purely backend? Definitely worth checking out though -- thanks a lot for the info and responses.

makertech81 commented 3 years ago

There were a lot of quirks with when the microphone worked for me in rooms.