2023-01-04, 21:30
@matthuisman
I've done a lot more digging on this.
Within the apk for android there's main.bundle.js that is a webpack file, so I unpacked it. For it's signature hashing it's actually included js-sha256 from https://github.com/emn178/js-sha256
Within that source I noted 2 functions of interest.
So I loaded it up into chrome on my computer and performed an client side injection with a modified version to output the keys to the console when called however those functions were never called in chrome.
Further investigation the site itself using a similar method of packing (which I couldn't unpack) in https://www.peacocktv.com/webwatch/relea...30/main.js and within this file it uses HMAC.init(e,n)
Investigation on this function leads me here https://stackoverflow.com/questions/2000...-of-string which shows the call to the function is initializing the key which could then be trapped.
I believe you could make a modified main.js which echos the key to the console and inject it into the browser to use your copy instead.
If trapped and the Android app is using an open source hashing mechanism then that same mechanism can be used with the key, at least during a testing phase.
Other modification could reveal exact information being hashed. Tracing callbacks could reveal if the key is generated client side (which I think it is because as yet I haven't trapped any requests providing it) or pulled from a server.
I think you're the only one who can make use of this information which is why I directed it to you specifically.
** EDIT:
You can see a somewhat more readable version of main.js if you run it through https://lelinhtinh.github.io/de4js/
A more readable version of the function containing HMAC.init I posted up here https://paste.kodi.tv/dowavejuxe
I've done a lot more digging on this.
Within the apk for android there's main.bundle.js that is a webpack file, so I unpacked it. For it's signature hashing it's actually included js-sha256 from https://github.com/emn178/js-sha256
Within that source I noted 2 functions of interest.
javascript:
method.create = function (key) {
return new HmacSha256(key, is224);
};
method.update = function (key, message) {
return method.create(key).update(message);
};
So I loaded it up into chrome on my computer and performed an client side injection with a modified version to output the keys to the console when called however those functions were never called in chrome.
Further investigation the site itself using a similar method of packing (which I couldn't unpack) in https://www.peacocktv.com/webwatch/relea...30/main.js and within this file it uses HMAC.init(e,n)
Investigation on this function leads me here https://stackoverflow.com/questions/2000...-of-string which shows the call to the function is initializing the key which could then be trapped.
I believe you could make a modified main.js which echos the key to the console and inject it into the browser to use your copy instead.
If trapped and the Android app is using an open source hashing mechanism then that same mechanism can be used with the key, at least during a testing phase.
Other modification could reveal exact information being hashed. Tracing callbacks could reveal if the key is generated client side (which I think it is because as yet I haven't trapped any requests providing it) or pulled from a server.
I think you're the only one who can make use of this information which is why I directed it to you specifically.
** EDIT:
You can see a somewhat more readable version of main.js if you run it through https://lelinhtinh.github.io/de4js/
A more readable version of the function containing HMAC.init I posted up here https://paste.kodi.tv/dowavejuxe
