Reverse Engineering: API encryption

Hello everyone!

Everything stated and reported in this post is for study and demonstration purposes.
There is no violation or usage of copyrighted code, nor abuse of service. The code snippets that can be found in the post are reversed and made open source under the GPL license.

API communication: JSON
Security measure: body encrypted

Request from the original client:

Status Complete
Response Code 200 OK
Protocol HTTP/1.1
Method GET
Kept Alive No
Content-Type text/plain
Client Address /
Remote Address


GET /~~/app/07/home/soccer/1.0/ HTTP/1.1
user-agent LiveScore_Android_App/new_version
Connection Keep-Alive
Accept-Encoding gzip

What is very clear is that the response is encrypted, as you can see by making a simple GET request opening:

By digging into and debugging the code of the Android app (I’m really familiar with Java), I was able to reverse engineer the request structure and the decryption method to obtain styled JSON.

The reversed decryption method, which can be found here, takes 2 parameters: the byte array of the response body and an int32 that is a key obtained from the body. The key is obtained from another little function that takes the bytes from 16 to 35 of the response body (the first 15 bytes are discarded and used elsewhere, since they are the query expiration), and from 35 to the end is the encrypted JSON.

Here is a little example of how to use the code, which can easily be ported to other languages as well:

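// Requires: import java.util.Arrays;
byte[] body = response.body().bytes(); // The bytes of the response body
byte[] key = Arrays.copyOfRange(body, 16, 35); // Key material: bytes 16 to 35
body = Arrays.copyOfRange(body, 35, body.length); // Encrypted JSON: byte 35 to the end
String json = decrypt(body, key); // decrypt() is the reversed method mentioned above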

Big lacks:

  • SSL
  • Encryption/Decryption methods as well as magic bytes are too easy to spot.


  • Encryption/decryption takes time and resources. It’s not needed at all except to hide sensitive information.
  • Implement hashes on headers/request envelopes.
  • Track users to prevent API abuse.
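
One way to implement the "hashes on headers/request envelopes" suggestion, as an added example that is not code from the original post or from the app: an HMAC-SHA256 tag over method, path, expiry and body, verified in constant time on the server. The class and method names, the path and the key are constructed for illustration, and the key is assumed to be a per-session secret issued over TLS, since a secret shipped inside the app can be recovered the same way the decrypt method was.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example: all names here (EnvelopeAuth, sign, verify) are hypothetical.
public class EnvelopeAuth {
    // The tag covers every field the server acts on. Each field is length-prefixed
    // so that "ab"+"c" and "a"+"bc" cannot produce the same MAC input.
    static byte[] sign(byte[] sessionKey, String method, String path,
                       long expiresEpochSec, byte[] body) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(sessionKey, "HmacSHA256"));
        byte[][] fields = { method.getBytes(StandardCharsets.UTF_8), path.getBytes(StandardCharsets.UTF_8),
                            Long.toString(expiresEpochSec).getBytes(StandardCharsets.UTF_8), body };
        for (byte[] f : fields) {
            mac.update(ByteBuffer.allocate(4).putInt(f.length).array());
            mac.update(f);
        }
        return mac.doFinal();
    }

    // Server side: compare tags in constant time, then reject expired envelopes.
    static boolean verify(byte[] sessionKey, String method, String path, long expiresEpochSec,
                          byte[] body, byte[] tag, long nowEpochSec) throws GeneralSecurityException {
        byte[] expected = sign(sessionKey, method, path, expiresEpochSec, body);
        return MessageDigest.isEqual(expected, tag) && nowEpochSec <= expiresEpochSec;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-session-key".getBytes(StandardCharsets.UTF_8); // sample value
        String path = "/example/home/soccer/1.0/"; // constructed path, not the real endpoint
        byte[] body = "{\"stage\":\"demo\"}".getBytes(StandardCharsets.UTF_8); // constructed body
        long now = 1_700_000_000L, expires = now + 60;

        byte[] tag = sign(key, "POST", path, expires, body);
        System.out.println("valid:        " + verify(key, "POST", path, expires, body, tag, now));
        System.out.println("changed path: " + verify(key, "POST", path + "x", expires, body, tag, now));
        System.out.println("later expiry: " + verify(key, "POST", path, expires + 3600, body, tag, now));
        System.out.println("expired:      " + verify(key, "POST", path, expires, body, tag, expires + 1));
    }
}
```

Because the expiry is part of the MAC input, a client cannot extend the lifetime of a captured request without invalidating the tag.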




yaya September 16, 2017

Have you ported this code to PHP?


TheC April 4, 2018

If I understood your code properly, the encryption key is “the current date”.
How did you notice that? Or did you just try it and bingo!

James September 16, 2018

Doesn’t work for me 🙁

String url = "";

URL obj = new URL(url);
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

con.setRequestProperty("User-Agent", "LiveScore_Android_App/new_version");
con.setRequestProperty("Host", "");
con.setRequestProperty("Connection", "Keep-Alive");
con.setRequestProperty("Accept-Encoding", "gzip");

byte[] body = IOUtils.toByteArray(con.getInputStream());

body = Arrays.copyOfRange(body, 35, body.length);

String json = Decrypter.decrypt(body, Decrypter.generateKey(body));

Does anyone know where the problem is?

GiovanniRocca September 20, 2018

This post is quite old… they probably updated the stuff ^^
