Thursday, November 19, 2020

Frida: Hooking (MT Manager)

Hi guys, welcome to the blog.
Warning: do not re-upload this blog in any form, modified or not.
Without wasting time, let's get to reversing MT Manager.

Requirements
1. MT Manager 2.9.2 Beta (20082400) (2.8.3 stable will probably also work, as it has no anti-Frida check)
2. A free account and, for a few minutes, a VIP lifetime account (maybe ask a friend for one)
3. Frida, of course
4. A brain (not enough? borrow from friends)

Brief thinking:
MT Manager has 3 license types: Free, Trial (1 month etc.) and Lifetime.
So the app has to set a time according to the license value stored in the app, so that some offline features can work.
So we need the methods that are time related.
A quick Google search gives
java.util.Calendar
java.util.Date etc.
Let's look at the methods of java.util.Calendar: there is a method named setTimeInMillis(long millis), which is probably what the app uses to set up the time.

Let's search for this method in MT Manager:
Ljava/util/Calendar;->setTimeInMillis(J)V
We are only interested in results in class l., as everything is in it.
Most of the time these methods are used like this:
a method returns a time,
the result is moved into a register,
the result is used in some method.

If we follow this pattern, the 3rd result in the l. class matches it:

invoke-virtual {p2}, Ll/۫ۘ۠;->ۨ()J
move-result-wide v5
invoke-virtual {v4, v5, v6}, Ljava/util/Calendar;->setTimeInMillis(J)V

So let's get the value of this method
invoke-virtual {p2}, Ll/۫ۘ۠;->ۨ()J
by hooking it:

Java.perform(function () {
    var SetTimeMethod = Java.use("l.۫ۘ۠");
    // Log every value this method returns, then hand it back unchanged
    SetTimeMethod["ۨ"].overload().implementation = function () {
        var RetVal = this["ۨ"]();
        console.log(RetVal);
        return RetVal;
    };
});

Now just log in to the free account and go to the profile, then run the script with
./frida -n bin.mt.plus.canary -s setTime.js
and click refresh there.
Now look in the console; we get values like:

1596886892000 
0
-6118033762249222980

Now log out of the free account, log in with the lifetime account and repeat the same process
(of course it is not edited, it is just injected data)
and look at the values; they are like:

1601710056000
2145888000000
7614169450411739893

The other values vary, but the 2nd value is always 2145888000000 for every lifetime account, while for the free account it was 0. So this is probably the real license time, and we only need to replace the value when the output is 0.

Let's do it:

Java.perform(function () {
    var BA = Java.use("l.۫ۘ۠");
    BA["ۨ"].overload().implementation = function () {
        var output = this["ۨ"]();
        console.warn(output);
        // A free account returns 0; a lifetime account returns 2145888000000
        if (output == 0) {
            console.log("[*] Feature Unlocked");
            return 2145888000000;
        } else {
            return output;
        }
    };
});

Run it and boom:
1. Dex Compare
2. Text Compare
3. Plugins
4. Resource Confuse with custom name
5. Batch Delete
6. Dex Repair
unlocked 
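Added illustration, not part of the original post and not MT Manager's code: the reason the hook above works is that the license time is produced and checked inside the same process, so whoever controls the process controls the outcome. The Python model below uses the post's observed values (0 for free, 2145888000000 for lifetime), a constructed "now", constructed account ids and a constructed server key, and contrasts the client-side gate with a hypothetical server-issued entitlement that the server signs and re-verifies before serving a gated request.

```python
import hashlib
import hmac
import json

# Constructed values mirroring the post: a free account's time reads 0,
# a lifetime account's reads 2145888000000 (late 2037 UTC, effectively never).
FREE_EXPIRY_MS = 0
LIFETIME_EXPIRY_MS = 2_145_888_000_000
NOW_MS = 1_605_744_000_000  # constructed "now": 2020-11-19 00:00 UTC


def client_gate(expiry_ms: int, now_ms: int = NOW_MS) -> bool:
    """Client-side gate as modelled from the post: unlock iff the value a
    local method returns lies in the future. Producer and consumer live in
    the same process, so a hook that rewrites the value decides the result."""
    return expiry_ms > now_ms


# Hypothetical server-side entitlement (an assumption of this example, not
# anything MT Manager does): the server signs (account, expiry) with a key the
# client never holds and re-checks the tag before serving gated requests.
def _canonical(body: dict) -> str:
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


def issue_entitlement(server_key: bytes, account_id: str, expiry_ms: int) -> dict:
    body = _canonical({"account": account_id, "expiry_ms": expiry_ms})
    tag = hmac.new(server_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def server_gate(server_key: bytes, entitlement: dict, now_ms: int = NOW_MS) -> bool:
    expected = hmac.new(server_key, entitlement["body"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, entitlement["tag"]):
        return False  # body was edited by someone without the server key
    return json.loads(entitlement["body"])["expiry_ms"] > now_ms


def tamper(entitlement: dict, new_expiry_ms: int) -> dict:
    """What a client-side rewrite of the expiry looks like to the server:
    the body changes, but the tag cannot be recomputed without the key."""
    body = json.loads(entitlement["body"])
    body["expiry_ms"] = new_expiry_ms
    return {"body": _canonical(body), "tag": entitlement["tag"]}


def demo() -> dict:
    key = b"constructed-server-key-for-this-example-only"
    free = issue_entitlement(key, "free-user", FREE_EXPIRY_MS)
    vip = issue_entitlement(key, "vip-user", LIFETIME_EXPIRY_MS)
    return {
        "client_free": client_gate(FREE_EXPIRY_MS),
        "client_rewritten": client_gate(LIFETIME_EXPIRY_MS),  # the hook's effect
        "server_free": server_gate(key, free),
        "server_tampered": server_gate(key, tamper(free, LIFETIME_EXPIRY_MS)),
        "server_lifetime": server_gate(key, vip),
    }


if __name__ == "__main__":
    for name, unlocked in demo().items():
        print(f"{name}: {'unlocked' if unlocked else 'locked'}")
```

Rewriting the time inside the client flips the naive gate but leaves the server-verified one closed, because the tag cannot be recomputed without the server key. The caveat is that this only protects features that have to talk to the server; for purely offline features such as the Dex and Text Compare listed above, whatever check exists runs on the device, and a hook can replace the verifier's result just as easily as it replaces the time, so client-side checks there only raise the cost of tampering rather than prevent it.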
We got some success; now let's focus on unlocking the other features by injecting VIP account data into a free account.
To be clear, we only got halfway there: after injecting the data the account gets logged out, so we will update the post as soon as we have a fix.

This part will be updated soon.

Thanks to
A.D.Singh, BiN32, K.M, Boss and everyone involved.