  1. #141  
    Quote Originally Posted by eblade View Post
    herrie, looks like you're pasting in a bunch of extra control codes or something there, i'd expect that that should run the code as given. i have the windows version of node installed on my pc, so i just use that, though, rather than pasting into it via touchpad. so.. umm.. not sure. i appreciate trying to help, though.
    OK tried with Node on Windows now...
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <code>
    <response status="fail-too-many"/>
    </code>
    Will try to see if I can switch to my neighbor's wifi with different IP to see if it works there
  2. #142  
    Yup, that is exactly what we seem to get no matter where we are. So, that pretty much guarantees that it's not my IP and not my phone numbers. That registration method seems to be closed down now.

    So we need someone with some more .. subversive.. skills than I have .. to figure out what requests the current versions of the app are making. I know what URL the iOS goes to, but I think they've changed the User-Agent format, or are expecting more data coming in than I know to give.

    Or to figure out how to decode the current S60 or S40 versions of the app into something readable. I can't seem to get the S60 into anything I can decode, and it won't give me the S40 unless I hit it with a Nokia browser, which I don't know the UA to fake.
    Author:
    Remove Messaging Beeps patch for webOS 3.0.5, Left/Right bezel gestures in LunaCE,
    Whazaa! Messenger and node-wa, SynerGV 1 and 2 - Google Voice integration, XO - Subsonic Commander media streamer, AB:S Launcher
    (1:39:33 PM) halfhalo: Android multitasking is like sticking your fingers into a blender
    GO OPEN WEBOS!
    People asked me for a donate link for my non-catalog work, so here you are:
  3. #143  
    OK found a JAR for S40 v2.0.7 used WinRAR to unzip and JAD to decompile the .class files

    Found the following in "PhoneRegBase.class":

    Encoded URL:
    Code:
      private static final byte BASE_URL[] = {
                123, 103, 103, 99, 96, 41, 60, 60, 97, 61, 
                100, 123, 114, 103, 96, 114, 99, 99, 61, 125, 
                118, 103, 60, 101, 34, 60
            };
    Decoder in Utilities.class:
    Code:
        public static String decodeString(byte data[])
        {
            byte newData[] = new byte[data.length];
            for(int i = data.length - 1; i >= 0; i--)
            {
                newData[i] = (byte)(data[i] ^ 0x13);
            }
    
            return new String(newData);
        }
    Build URL:
    Code:
                OutputStream out;
                InputStream in;
                out = null;
                in = null;
                int code;
                conn = (HttpsConnection)Connector.open(Utilities.decodeString(BASE_URL) + method + ".php", 3, true);
                opened = true;
                onProgress(10);
                conn.setRequestProperty(Constants.HTTP_REQUEST_PROPERTY_USER_AGENT, Syncer.getUserAgent());
                conn.setRequestMethod("POST");
                conn.setRequestProperty(Constants.HTTP_REQUEST_PROPERTY_CONTENT_TYPE, Constants.HTTP_REQUEST_PROPERTY_CONTENT_TYPE_VALUE_FORM_URL_ENCODED);
                out = conn.openOutputStream();
                out.write(postData.toByteArray());
                out.flush();
                onProgress(20);
                code = conn.getResponseCode();
                onProgress(30);
                code;
    Let me know by PM if you need something else or a link
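Added example (not part of the original post and not code from the app): the decoder quoted in #143 XORs every byte with the single constant 0x13, so the string falls out without the decoder, either by trying all 256 keys or by guessing a plaintext prefix. `BASE_URL` is the array from the post; the function names are illustrative.

```javascript
// Byte array exactly as quoted from PhoneRegBase.class in the post above.
const BASE_URL = [
  123, 103, 103, 99, 96, 41, 60, 60, 97, 61,
  100, 123, 114, 103, 96, 114, 99, 99, 61, 125,
  118, 103, 60, 101, 34, 60,
];

// Same transform as the quoted Utilities.decodeString(): one key for every byte.
function xorDecode(bytes, key) {
  return Buffer.from(bytes.map((b) => (b ^ key) & 0xff)).toString('latin1');
}

// Known-plaintext check: if the string starts with `prefix`, every position
// must yield the same key. Returns the key, or null when the guess is wrong.
function keyFromKnownPrefix(bytes, prefix) {
  if (prefix.length === 0 || prefix.length > bytes.length) return null;
  const key = bytes[0] ^ prefix.charCodeAt(0);
  for (let i = 1; i < prefix.length; i++) {
    if ((bytes[i] ^ prefix.charCodeAt(i)) !== key) return null;
  }
  return key;
}

// Score a candidate: fraction of printable ASCII, plus 1 if it looks like a URL.
function score(text) {
  if (text.length === 0) return 0;
  let printable = 0;
  for (const ch of text) {
    const c = ch.charCodeAt(0);
    if (c >= 0x20 && c <= 0x7e) printable++;
  }
  let s = printable / text.length;
  if (/^https?:\/\//.test(text)) s += 1;
  return s;
}

// Blind recovery: try all 256 keys, keep fully printable results, best first.
function recoverKey(bytes) {
  const candidates = [];
  for (let key = 0; key < 256; key++) {
    const text = xorDecode(bytes, key);
    const s = score(text);
    if (s >= 1) candidates.push({ key, text, score: s });
  }
  candidates.sort((a, b) => b.score - a.score);
  return candidates;
}

const best = recoverKey(BASE_URL)[0];
console.log('key 0x' + best.key.toString(16), '->', best.text);
```

A constant stored this way is hidden from a plain string search of the JAR and from nothing else, which is why it should be treated as public when reviewing a client.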
  4. #144  
    lol. that's some pretty weak "encryption", ROT 13 it.

    That goes to r.whatsapp.net .. so, it's looking like either that uses the method that doesn't work (is there a newer version? the other platforms are up to 2.8.1 and 2.8.2 now..)

    Otherwise would need the user-agent and content types as it posts them there.. and a list of available methods would be quite handy as well, in case there's things there we don't know about.
  5. #145  
    While I take some time away from this project to do actual paying work, and in my spare time figure out what can be done to make this actually useful..

    I've gone ahead and posted the majority of the node.js portion to my github, at https://github.com/ericblade/node-wa .. anyone who wants can have a look at it, and try to figure out the giant mess. It's rather loosely based on wazapp, with a bunch of info gleaned from WhatsAPI thrown in, and all in Javascript rather than php/c/python.

    It can be run on desktop node, but there's not really any interface to doing anything useful with it. But if anyone does do anything with it, I'd love to hear of it.
  6. #146  
    Are you sure we're pasting the correct headers, encoding etc?

    When I do the following:

    Code:
    var https = require('https');
    var options = {
        host: "r.whatsapp.net",
        port: 443,
        path: "/v1/code.php?cc=31&in=652044684&to=31652044684&lg=nl&lc=nl&mcc=204&mnc=004&method=sms&imsi=00000000000000",
        method: "GET",
        headers: {
            "User-Agent": "Mozilla/5.0 (Series40; NokiaX3-02/le6.32; Profile/MIDP-2.1 Configuration/CLDC-1.1) Gecko/20100401 S40OviBrowser/1.0.0.11.8",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "text/plain",
            "Accept-Language": "en-us",
            "Accept-Encoding": "gzip, deflate",
            "Connection": "keep-alive",
        }
    };
    var req = https.request(options, function(res) {
        res.on('data', function(d) {
            process.stdout.write(d);
        });
    });
    req.end();
    req.on('error', function(e) {
        console.error(e);
    });
    I get:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <code>
    <response status="success-sent" result="60"/>
    </code>
    So no longer this "too many" error....
  7. #147  
    yeah, if you pass it any User-Agent other than one it recognizes as its own from one of their apps, then it provides the success code, but doesn't actually send anything - as far as I've seen.
  8. #148  
    Guys, could be useful this for your work around ..... ?

    http://www.redmondpie.com/whatsapp-f...ow-to-install/


    Great !



    Last edited by wolfgart; 08/25/2012 at 06:39 PM.
    - HP Veer --
  9. #149  
    yeah, if you pass it any User-Agent other than one it recognizes as its own from one of their apps, then it provides the success code, but doesn't actually send anything - as far as I've seen.
    I just checked the current s40 version (2.3.39) and it's also heavily obfuscated (not as much as the Android version (the strings aren't obfuscated in the s40 version), but I think that it'll take me too much time to figure it out); The s60 version (2.8.13) is a compiled obfuscated C++ code and is of no use; The BlackBerry version (2.8.1914) could be of some help if only I could get Coddec to actually decompile it, but since it's Java, I'm assuming that it's also obfuscated as the s40 and Android versions which are written in Java.
    Surprisingly, the iPhone version (2.8.2) is not obfuscated (well, it's compiled, and it's ARM, but the functions names are pretty much straightforward, which indicates that it wasn't obfuscated (probably due to the lack of Objective-C obfuscation tools), and I might be able to get something out of it). I'll take a look at it and try to figure out the ARM Assembly when I'll have some time.
    Last edited by isagar2004; 08/25/2012 at 10:22 PM.
    TouchPad Virtual Keyboard Patches
    webOS Scrollbars

    Like my work? Want to support it? Want to thank me?
  10. #150  
    Yeah, I did a lot of analysis of the procedures as I found them in the 2.3.39 s40 version, and was able to determine that the S40 registration code appears to be identical to the older versions, so either the S40 is no longer able to register to the system, or they have a second authorization system written in, that I did not locate. (I did not continue analyzing it after locating that part of the code, so I guess it is entirely possible that they may have left the old one in, and added a new one)

    I am reasonably certain that the current iphone app accesses "/client/iphone/smsproxy.php" to register, but I'm not sure what the exact parameters or User-Agent or any other headers might be that are needed to make it work. When I access that, I do receive an SMS, but it merely tells me that my WA is out of date.

    now, if i can get my hands on a 2.8.1 or 2.8.2 or whatever iOS binary... hmm..

    ok, got one. not finding that string. wonder where the guy who found that url got it from. I think I'm beyond anything I'm capable of working with, at this point. unless it's ROT13'd then stuck in here.
    Last edited by eblade; 08/26/2012 at 01:39 AM.
  11. #151  
    My mom got a Nokia E71 which is s40. I could test it next time I'll be there but that's gonna be in 3 weeks or so only. Is there any way to monitor the URLs that get sent by the app on an E71 or should I trace it via router when using WiFi? Almost tempted to get a 2nd hand E71 somewhere to try....
    HP Veer (daily driver), HP Pre 3, HP Touchpad Proper 4G/LTE (Sierra MC7710), HP Touchpad 32GB WiFi, Palm Pre 2
  12. #152  
    How about trying to register with CM9 on Touchpad and monitor the request it sends somehow?
  13. #153  
    Apparently, the Windows Phone version is the easiest to decompile. There are plenty of IL decompilers out there and the code isn't obfuscated (yay!). Here's the User Agent code for the latest Windows Phone version (2.8.0.0):
    Code:
    string text = Environment.get_OSVersion().get_Version().ToString();
    string text2 = string.Format("{0}-{1}-H{2}", DeviceStatus.get_DeviceManufacturer(), DeviceStatus.get_DeviceName(), DeviceStatus.get_DeviceHardwareVersion()).Replace(' ', '_');
    return string.Format("WhatsApp/{0} WP7{1}/{2} Device/{3}", new object[]
    {
    	AppState.GetAppVersion(),
    	AppState.IsBackgroundAgent ? "B" : "",
    	text,
    	text2
    });
    I think that the User Agent string is the only difference between Symbian's and Windows Phone's APIs because it uses the same r.whatsapp.net requests.
    Last edited by isagar2004; 08/26/2012 at 01:19 PM.
  14. #154  
    even doing that, it's still sending it via secure http, so I think the only ways to get at it are pretty hacker-riffic, either decompiling stuff and attempting to reconstruct it into a readable form, or totally impersonating the servers.

    So, current solutions, are either request the code on another device, then we can register the device we're trying to use it on, or get the user to provide their IMEI from an already registered device, and impersonate it.

    Got some contacts work done, so that's pretty nice. Have a separate app that will make all your existing contacts into Whazaa contacts.

    isagar, that's basically what all the other ones have. Any chance you might see any other possible places it might be requesting to? s.whatsapp.net, sro.whatsapp.net, e.whatsapp.net, something like that? or search the source for "iphone" or "android" and see if there's any requests made to the other things?

    Otherwise, I have -no freakin clue- how they are blocking me.
  15. #155  
    Quote Originally Posted by eblade View Post
    isagar, that's basically what all the other ones have. Any chance you might see any other possible places it might be requesting to? s.whatsapp.net, sro.whatsapp.net, e.whatsapp.net, something like that? or search the source for "iphone" or "android" and see if there's any requests made to the other things?

    Otherwise, I have -no freakin clue- how they are blocking me.
    It does request to other domains, but it's not for the registration (i.e. https://mms.whatsapp.net/client/iphone/upload.php for media upload, mpns.whatsapp.net to initiate push notifications, https://sro.whatsapp.net/v2/sync/q to sync and https://sro.whatsapp.net/v2/sync/a to authenticate). However, in addition to the regular cc, in, to, method etc. parameters, this version has an additional token parameter in the registration process which is a lower case MD5 hashed result of the following string:
    Code:
    "k7Iy3bWARdNeSL8gYgY6WveX12A1g4uTNXrRzt1H" + buildHash + phoneNumber
    The phone number is without 0s at the beginning and the buildHash is some nasty string which is built using the GetBuildHash function.
    Last edited by isagar2004; 08/26/2012 at 01:19 PM.
  16. #156  
    Quote Originally Posted by isagar2004 View Post
    It does request to other domains, but it's not for the registration (i.e. https://mms.whatsapp.net/client/iphone/upload.php for media upload, mpns.whatsapp.net to initiate push notifications, https://sro.whatsapp.net/v2/sync/q to sync and https://sro.whatsapp.net/v2/sync/a to authenticate). However, in addition to the regular cc, in, to, method etc. parameters, this version has an additional token parameter in the registration process which is a lower case MD5 hashed result of the following string:
    Code:
    "k7Iy3bWARdNeSL8gYgY6WveX12A1g4uTNXrRzt1H" + buildHash + phoneNumber
    The phone number is without 0s at the beginning and the buildHash is some nasty string which is built using this function:
    Code:
    		private static string GetBuildHash()
    		{
    			string result = "";
    			try
    			{
    				string assemblyName = AppState.GetAssemblyName(Assembly.GetExecutingAssembly());
    				using (Stream stream = TitleContainer.OpenStream(string.Format("{0}.dll", assemblyName)))
    				{
    					result = BuildHash.Create(stream).ToHexString().ToLower();
    					if (Environment.get_OSVersion().get_Version().get_Major() > 7)
    					{
    						stream.Seek(0L, 0);
    						byte[] array = new byte[4096];
    						StringBuilder stringBuilder = new StringBuilder();
    						using (IEnumerator<BuildHash.SectionHeader> enumerator = BuildHash.ParsePeImage(stream).GetEnumerator())
    						{
    							while (enumerator.MoveNext())
    							{
    								BuildHash.SectionHeader current = enumerator.get_Current();
    								BuildHash.RawSha1 rawSha = new BuildHash.RawSha1();
    								stream.Seek(current.Start, 0);
    								int num2;
    								for (long num = current.Length; num != 0L; num -= (long)num2)
    								{
    									num2 = (int)Math.Min(num, (long)array.Length);
    									stream.Read(array, 0, num2);
    									rawSha.AddBytes(array, 0, num2);
    								}
    								stringBuilder.Append("Section: ");
    								stringBuilder.Append(current.Name);
    								stringBuilder.Append(" Hash: ");
    								stringBuilder.Append(rawSha.GetHash().ToHexString());
    								stringBuilder.Append('\n');
    							}
    						}
    						Log.WriteLineDebug(stringBuilder.ToString());
    						Log.SendCrashLog(stringBuilder.ToString());
    					}
    				}
    			}
    			catch (Exception e)
    			{
    				Log.SendCrashLog(e, "build hash");
    			}
    			return result;
    		}
    Interesting stuff... I hope you can post some more bits of code with the call it actually does to r.whatsapp.net ?
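Added example (not code from the app or from any poster): the debug branch of the quoted `GetBuildHash()` walks the PE section table and logs one SHA-1 per section. The sketch below does the same over a constructed image and compares the result with a recorded baseline; standard SHA-1 in place of `RawSha1`, and the mapping of `Start`/`Length` to `PointerToRawData`/`SizeOfRawData`, are assumptions, since the `BuildHash` class itself is not on the page.

```javascript
const crypto = require('crypto');

// Read the section table of a PE image held in a Buffer.
function parsePeSections(image) {
  if (image.length < 0x40 || image.toString('latin1', 0, 2) !== 'MZ') {
    throw new Error('not a PE image: missing MZ header');
  }
  const peOffset = image.readUInt32LE(0x3c); // e_lfanew
  if (peOffset + 24 > image.length ||
      image.toString('latin1', peOffset, peOffset + 4) !== 'PE\0\0') {
    throw new Error('not a PE image: missing PE signature');
  }
  const coff = peOffset + 4;
  const count = image.readUInt16LE(coff + 2);     // NumberOfSections
  const optSize = image.readUInt16LE(coff + 16);  // SizeOfOptionalHeader
  const table = coff + 20 + optSize;
  const sections = [];
  for (let i = 0; i < count; i++) {
    const h = table + i * 40;                      // 40-byte section header
    if (h + 40 > image.length) throw new Error('truncated section table');
    const name = image.toString('latin1', h, h + 8).replace(/\0+$/, '');
    const length = image.readUInt32LE(h + 16);     // SizeOfRawData (assumed Length)
    const start = image.readUInt32LE(h + 20);      // PointerToRawData (assumed Start)
    if (start + length > image.length) throw new Error('section exceeds file: ' + name);
    sections.push({ name, start, length });
  }
  return sections;
}

// One SHA-1 per section, like the "Section: ... Hash: ..." lines in the post.
function hashSections(image) {
  return parsePeSections(image).map(({ name, start, length }) => ({
    name,
    sha1: crypto.createHash('sha1')
      .update(image.subarray(start, start + length)).digest('hex'),
  }));
}

// Names of sections whose hash differs from a recorded baseline.
function changedSections(baseline, image) {
  const known = new Map(baseline.map((s) => [s.name, s.sha1]));
  return hashSections(image)
    .filter((s) => known.get(s.name) !== s.sha1)
    .map((s) => s.name);
}

// Constructed two-section image (no optional header), for the demo only.
function buildSampleImage(text, rsrc) {
  const img = Buffer.alloc(0x400);
  img.write('MZ', 0, 'latin1');
  img.writeUInt32LE(0x80, 0x3c);
  img.write('PE\0\0', 0x80, 'latin1');
  img.writeUInt16LE(2, 0x86); // NumberOfSections; SizeOfOptionalHeader stays 0
  [['.text', 0x200, text], ['.rsrc', 0x300, rsrc]].forEach(([name, off, body], i) => {
    const h = 0x98 + i * 40;
    img.write(name, h, 'latin1');
    img.writeUInt32LE(body.length, h + 16);
    img.writeUInt32LE(off, h + 20);
    img.write(body, off, 'latin1');
  });
  return img;
}

const released = buildSampleImage('original code', 'resources');
const baseline = hashSections(released);
console.log(changedSections(baseline, buildSampleImage('patched code!', 'resources')));
```

The hashes depend only on the bytes of the shipped file, so they are the same for every copy of a given build.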
  17. #157  
    Quote Originally Posted by Herrie View Post
    Interesting stuff... I hope you can post some more bits of code with the call it actually does to r.whatsapp.net ?
    Except for the additional token parameter it's the exact s40 call which eblade was using all along. Nothing really to post about it.
  18. #158  
    OK, and from this page, Mathy Vanhoef: WhatsApp Considered Insecure, where I learned some of the tricks of the system, he had mentioned that token, but also that it's not used for anything further in the process.

    SO, some quick analysis of this code, tells me that it's getting something at least resembling a SHA1 of whatever file Assembly.GetExecutingAssembly() refers to, which would give me a strong implication that they are checking that token against a known value on their end, basically checksumming the executable to make sure it hasn't been messed with.

    I also see on a string dump of the current iOS version:

    %s [Line %d] Token (%@ + %@ + %@) = [%@]
    &token=%@
    SO, my guess is that if we could get the exact output of that function (is there a log file that can be examined? do we have access to a device that runs it?), and the exact U-A string, we could combine those together to form Voltron .. er.. to make a request that might work.

    So, it looks like we need to do:

    md5("k7Iy3bWARdNeSL8gYgY6WveX12A1g4uTNXrRzt1H" + buildHash + phoneNumber).toLower()

    which according to the article i pointed to above, should get us something that at least somewhat resembles

    9fe2a4f90b4acff715d1daf84428bddd

    Now, also, if I'm not mistaken -- that's not only writing the string to the log, it's also apparently sending it in to WA via SendCrashLog() .. hmm.
  19. #159  
    Guys : you are a great Team !

    Hope of webOS .



  20. #160  
    Quote Originally Posted by eblade View Post
    OK, and from this page, Mathy Vanhoef: WhatsApp Considered Insecure, where I learned some of the tricks of the system, he had mentioned that token, but also that it's not used for anything further in the process.

    SO, some quick analysis of this code, tells me that it's getting something at least resembling a SHA1 of whatever file Assembly.GetExecutingAssembly() refers to, which would give me a strong implication that they are checking that token against a known value on their end, basically checksumming the executable to make sure it hasn't been messed with.

    I also see on a string dump of the current iOS version:



    SO, my guess is that if we could get the exact output of that function (is there a log file that can be examined? do we have access to a device that runs it?), and the exact U-A string, we could combine those together to form Voltron .. er.. to make a request that might work.

    So, it looks like we need to do:

    md5("k7Iy3bWARdNeSL8gYgY6WveX12A1g4uTNXrRzt1H" + buildHash + phoneNumber).toLower()

    which according to the article i pointed to above, should get us something that at least somewhat resembles

    9fe2a4f90b4acff715d1daf84428bddd

    Now, also, if I'm not mistaken -- that's not only writing the string to the log, it's also apparently sending it in to WA via SendCrashLog() .. hmm.
    Recovering the lost piece of information from an MD5 hash using brute-force is impossible. I just wrote a simple C# application that does the calculations. The buildHash value for the 2.8.0.0 version of WhatsApp on Windows Phone is:
    Code:
    c0d4db538579a3016902bf699c16d490acf91ff4
    Now all you need to do is to use some standard MD5 library to do something like that:
    Code:
    var token = MD5.getHashString("k7Iy3bWARdNeSL8gYgY6WveX12A1g4uTNXrRzt1H" + "c0d4db538579a3016902bf699c16d490acf91ff4" + phoneNumber).toLowerCase()
    Last edited by isagar2004; 08/26/2012 at 11:13 AM.