Everything stated and reported in this post is for study and demonstration purposes.
There is no violation or usage of copyrighted code nor abuse of service. The code snippets found in this post are reversed and made open source under the GPL license.
API communication: JSON
Security measure: body encrypted
Request from the original client:
Response Code 200 OK
Kept Alive No
Client Address /192.168.1.133
Remote Address api.livescore.com/18.104.22.168
GET /~~/app/07/home/soccer/1.0/ HTTP/1.1
What is very clear is that the response is encrypted, as you can see by making a simple GET request to: http://api.livescore.com/~~/app/07/home/soccer/1.0/
By digging through and debugging the code of the Android app (I'm quite familiar with Java) I was able to reverse engineer the request structure and the decryption method to obtain formatted JSON.
The reversed decryption method, which can be found here, takes two parameters: the byte array of the response body and an int32 key derived from the body. The key is obtained from another small function that takes bytes 16 to 35 of the response body (the first 15 bytes are discarded and used elsewhere, since they hold the query expiration), and from byte 35 to the end is the encrypted JSON.
Here is a small example of how to use the code, which can easily be ported to other languages:
import java.util.Arrays;

byte[] body = response.body().bytes(); // The bytes of the response body
byte[] keyBytes = Arrays.copyOfRange(body, 16, 35); // Input to the key-derivation function linked above, which yields the int32 key
int key = keyFromBytes(keyBytes); // Name of the linked key-derivation function is a placeholder
body = Arrays.copyOfRange(body, 35, body.length); // The remaining bytes are the encrypted JSON
String json = decrypt(body, key);
- Encryption/decryption methods as well as magic bytes are too easy to spot.
- Encryption/decryption takes time and resources. It is not needed at all except to hide sensitive information.
- Implement hashes on headers/request envelopes.
- Track users to prevent API abuse.
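A sketch of the third recommendation, an HMAC over the request envelope that the server verifies before serving the response. This is an added example, not code from the app or from the author; the header names, the per-client secret, the canonical string layout and the clock-skew window are assumptions.

```python
import hashlib
import hmac
import time

# Constructed sample values: a per-client secret shared with the API server
# and the tolerated clock skew (both are assumptions for this example).
CLIENT_SECRET = b"example-client-secret-not-real"
MAX_SKEW_SECONDS = 60


def canonical_envelope(method, path, body, client_id, timestamp):
    # Canonical string covering everything the server must be able to trust:
    # method, path, client id, timestamp and a digest of the body.
    body_digest = hashlib.sha256(body).hexdigest()
    parts = [method.upper(), path, client_id, str(timestamp), body_digest]
    return "\n".join(parts).encode()


def sign_request(secret, method, path, body, client_id, timestamp):
    # Client side: HMAC-SHA256 over the canonical envelope, sent as a header.
    msg = canonical_envelope(method, path, body, client_id, timestamp)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(secret, method, path, body, headers, now=None):
    # Server side: returns (ok, reason). Rejects stale timestamps (replay)
    # and any change to method, path, client id or body.
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    client_id = headers.get("X-Client-Id", "")
    expected = sign_request(secret, method, path, body, client_id, ts)
    # Constant-time comparison avoids leaking the signature byte by byte.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    ts = 1_700_000_000
    path = "/~~/app/07/home/soccer/1.0/"
    sig = sign_request(CLIENT_SECRET, "GET", path, b"", "client-1", ts)
    hdrs = {"X-Client-Id": "client-1", "X-Timestamp": str(ts), "X-Signature": sig}
    print(verify_request(CLIENT_SECRET, "GET", path, b"", hdrs, now=ts + 5))
```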