Need help cracking exagear-desktop-rpi3

random_dude

Hello,

While trying to crack exagear I ran into an issue I cannot seem to solve, so I hope the community might help me.

Disclaimer: I legally bought a licence, but since the developer has shut down support and the ability to buy new licences, I have been left with no other option but to crack the application in order to use it.

To the problem:
Exagear upon activation will contact their activation server, send the activation key and the string from the file /sys/dev/block/179:0/device/cid and return a validation string.

I managed to intercept that communication, make a mock server, and redirect the activation process to mock server. Great, activation now always passes.

But upon starting exagear it will report that the licence key is not valid. It would seem that exagear upon starting takes the string from /sys/dev/block/179:0/device/cid, reconstructs the validation string and, if they do not match, refuses to start. You are unable to change that since it is a system file (at least as far as I know).

The string within /sys/dev/block/179:0/device/cid seems to be unique for every raspberry pi, so when the activation key is sent together with that string, a new string is generated based on these two parameters.

Based on the key and response, I can see that they are in base64, but I simply cannot figure out what operation results in the final string. Can somebody give me a hand?

The client request:

skVersion: 0
uname_arch: armv7l
hwinfo: {
"hwInfoFormatName" : "sysfile",
"filePath" : "/sys/dev/block/179:0/device/cid",
"fileContent" : "035344534236344780e3c634f90139d5"
}
pk: VUJUTAAAAAC/igAAAAAAAIaBvdRFEBpgFVhpJyhW250QkCijZnL/3YKARQreDRhYdyxRzjqqsy0qykT4U4mVXsHjl9j0HtyUnCPWnsR86Mvtk57z8WYY62nnLraCl2MFdySsro+ccPy8utXyRgtC0dauAS6ZVnlbcxwNqhkZ8LQ7Y0IA3eKI53r5Hecesz1t
: undefined


The server response:

{
"status": "ok",
"result": "VUJUbAAAAADdVtNu29NJMrhMzGcrqldFAM1Sv7oFY2BEXXZtVILPjI9D91x+4BIi5vqJcz+kVgd00o3h5DxDBwx29f+o0lNiubq9zOngfQaIf/hVGZ1lczb4aYzbNQJWd2kgZ1WTzIbZVg=="
}


ONLY the "fileContent" will ever change on other machines, all other parameters stay the same on the request.
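
From the vendor's side, the behaviour described in this post (activation accepts any server reply, while the start-up check still rejects the result) is what a device-bound, signed licence token produces. The sketch below is an added example, not part of the original post and not ExaGear's actual scheme, which the thread does not establish; the message layout, function names, key and CID values are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
)

// licenseMessage binds the activation key to the device ID (the CID string).
// The length prefix keeps ("ab","c") and ("a","bc") from producing the same bytes.
func licenseMessage(activationKey, cid string) []byte {
	return []byte(fmt.Sprintf("%d:%s|%s", len(activationKey), activationKey, cid))
}

// IssueToken is the server side: sign key+CID with the vendor's private key.
func IssueToken(priv ed25519.PrivateKey, activationKey, cid string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, licenseMessage(activationKey, cid)))
}

// VerifyToken is the client start-up check: rebuild the message from the CID
// read locally and verify it against the public key shipped with the client.
func VerifyToken(pub ed25519.PublicKey, activationKey, cid, token string) bool {
	sig, err := base64.StdEncoding.DecodeString(token)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, licenseMessage(activationKey, cid), sig)
}

// Demo checks three cases: a genuine token, a token from a server that does
// not hold the vendor key, and a genuine token moved to a different device.
func Demo() (genuine, otherSigner, otherDevice bool) {
	pub, priv, _ := ed25519.GenerateKey(nil)    // vendor key pair (constructed)
	_, otherPriv, _ := ed25519.GenerateKey(nil) // any signer other than the vendor
	key := "CONSTRUCTED-KEY-0001"               // constructed activation key
	cidA := "00112233445566778899aabbccddeeff" // constructed CID, device A
	cidB := "ffeeddccbbaa99887766554433221100" // constructed CID, device B
	genuine = VerifyToken(pub, key, cidA, IssueToken(priv, key, cidA))
	otherSigner = VerifyToken(pub, key, cidA, IssueToken(otherPriv, key, cidA))
	otherDevice = VerifyToken(pub, key, cidB, IssueToken(priv, key, cidA))
	return
}

func main() {
	fmt.Println(Demo()) // true false false
}
```

With this construction the client only needs the public key, so neither the transport nor the server's address has to be trusted for the start-up check to hold.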
 
Check the exagear apk, maybe it is similar? I found
ExaGear_v1.0.4-www.rexdlapk.com.apk
Unpack it;
classes.dex has a similar structure.
Is it possible to flash an activated and installed image from a Raspberry Pi 3?

