Hacking =/= Cracking

August 14, 2014 | No Comments


After my recent technical post titled “Hacking Tinder for Fun and Profit” went viral, I received multiple emails from people expressing their disapproval of hacking and the abuse of technology. And, I see where many were coming from. As it turns out, the misunderstanding boils down to simple semantics.

In mainstream media, the word “hacker” is often used to refer to a malicious security “cracker”. This is not synonymous with the definitions used by software developers. In fact, many software developers take offense to the sloppy use of the term “hacker”. A hacker, in the classic sense of the term, is someone with a strong interest in how things work, who likes to tinker and create and modify things for the enjoyment of doing so.

In fact, the RFC 1392: Internet Users’ Glossary defines “hacker” as “A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is often misused in a pejorative context, where “cracker” would be the correct term.”

A cracker, meanwhile, is someone whose purpose is to circumvent or break security measures. Some security crackers end up using their powers for good, providing penetration testing services. They are referred to as White Hat Hackers. Many others, however, use their skillset for evil. They are Black Hat Hackers.

I’m a proud hacker. I love technology and I love building stuff. It’s this very love for technology that brought me to Silicon Valley. One thing I like most about the Valley is its hacker culture. It fosters innovation and cultivates the entrepreneurial drive needed to improve this world. Hackathons are big here in the Valley and I’ve competed in nearly 30 of them in the last few years. They are organized by tech companies in the area for a variety of reasons – recruiting, marketing, fostering innovation, etc. A hackathon is a programming competition where software developers and designers get together and hack something cool and innovative – be it software or hardware, in a very short period of time. The term is derived from the words “hack” and “marathon” and most hackathons typically last between 24 to 48 hours. Competitors typically stay awake during the entire hackathon and the event usually concludes with prizes awarded for the best hacks.

It’s good to understand the distinction between hacking and cracking. This blog will feature some of my better hacks. So, check back once in a while. Also, be sure to connect with me on twitter @ydesouza to stay in touch!


Hacking Tinder for Fun and Profit

August 2, 2014 | 17 Comments


Tinder is the new cool kid in town that everyone is talking about. I heard about the dating app from a friend of mine a few months ago. The concept behind Tinder is pretty simple. It shows you people nearby and lets you anonymously like or pass on them. If someone you like happens to like you back, Tinder makes an introduction and lets you chat with them. What makes Tinder addictive is the instant gratification people get from swiping and judging prospects.

I played around with Tinder one lazy Sunday afternoon and recalled my friend telling me how he would spend hours swiping right on Tinder just to accumulate as many matches as possible. This had me thinking, why can’t I reverse engineer Tinder and automate the swipes? After all, I’m pretty darn good at taking things apart!

Tinder, like most internet-connected mobile apps, uses an HTTP-based API under the hood. To reverse engineer the network traffic, we need to capture it and understand it. My tool of preference for capturing HTTP traffic is Fiddler. One of Fiddler’s cooler features is its ability to decrypt secure traffic over HTTPS. It does this using a “man-in-the-middle” approach to intercept the secure packets. To the client (the mobile app), Fiddler impersonates the API web server. And, to the API web server, Fiddler impersonates the client (the mobile app).

[image: fiddler-tinder]

However, to impersonate the secure web server, Fiddler needs an SSL certificate. Fiddler dynamically generates an SSL certificate for this purpose. However, since this certificate is not signed by a Trusted Root Certification Authority, it won’t be trusted by the client (the mobile app). If the mobile app does not trust the web server, it will not talk to it. This can be easily fixed by installing Fiddler’s cert on the mobile device. Fiddler’s cert can be exported by pulling up Fiddler Options from the Tools menu.

[image: fiddler-optons1]

Now that we have installed Fiddler’s cert on the mobile device, we need to route all traffic from the mobile phone to Fiddler. There are multiple ways to do this. One easy way is to proxy the traffic to the computer running Fiddler. Fiddler’s proxy server listens on port 8888 by default.

[image: fiddler-optons2]

Let’s assume the local IP address of the computer is 192.168.1.2 (You can get your machine’s IP address by invoking ipconfig on Windows). On an Android device, proxy settings can be set along with the WiFi settings by checking “Show advanced options” as below.

[image: android-proxy]

Now that everything has been set up, it’s time to have some fun. Launch Tinder on your mobile device and watch the requests flow in real time!

[image: fiddler]

Looking at the requests, we see that Tinder assigns an authenticated user with a token which is passed back in the header of each web request. This custom HTTP header is “X-Auth-Token”. Using this token, we can execute any valid request against Tinder’s API server.

To automate Tinder likes, we care about two specific API requests: the request that returns a list of prospective matches and the request that triggers a like on a specific profile. Let’s look at these requests a little closer.

The RECS Request

The RECS POST request returns prospective matches and looks something like this.

POST https://api.gotinder.com/user/recs HTTP/1.1
app_version: 633
platform: android
User-Agent: Tinder Android Version 2.2.3
X-Auth-Token: b5b820ac-aede-4fe2-b6a3-92cc921c6a5c
os_version: 19
Content-Type: application/json; charset=utf-8
Host: api.gotinder.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 12

{"limit":40}

Its response is a JSON object with a collection of profiles.

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 63452
Connection: keep-alive

{
  "status": 200,
  "results": [
    {
      "distance_mi": 15,
      "common_like_count": 0,
      "common_friend_count": 0,
      "common_likes": [],
      "common_friends": [],
      "_id": "5366c93490d3e94c03006b25",
      "bio": "",
      "birth_date": "1991-10-13T00:00:00.000Z",
      "gender": 1,
      "name": "Sample Profile",
      "ping_time": "2014-08-04T23:11:48.133Z",
      "photos": [
        {
          "url": "http://images.gotinder.com/0001unknown/unknown.jpg",
          "processedFiles": [
            {
              "url": "http://images.gotinder.com/0001unknown/640x640_pct_0_0_100_100_unknown.jpg",
              "height": 640,
              "width": 640
            },
            {
              "url": "http://images.gotinder.com/0001unknown/320x320_pct_0_0_100_100_unknown.jpg",
              "height": 320,
              "width": 320
            },
            {
              "url": "http://images.gotinder.com/0001unknown/172x172_pct_0_0_100_100_unknown.jpg",
              "height": 172,
              "width": 172
            },
            {
              "url": "http://images.gotinder.com/0001unknown/84x84_pct_0_0_100_100_unknown.jpg",
              "height": 84,
              "width": 84
            }
          ],
          "extension": "jpg",
          "fileName": "unknown.jpg",
          "crop": "source",
          "main": true,
          "id": "unknown"
        }
      ],
      "birth_date_info": "fuzzy birthdate active, not displaying real birth_date"
    }
  ]
}

The LIKE Request

The LIKE request is a simple GET request invoked against the ID of the user’s Tinder profile.

GET https://api.gotinder.com/like/5351dca99307257152001ced HTTP/1.1
app_version: 633
platform: android
User-Agent: Tinder Android Version 2.2.3
X-Auth-Token: b5b820ac-aede-4fe2-b6a3-92cc921c6a5c
os_version: 19
Host: api.gotinder.com
Connection: Keep-Alive
Accept-Encoding: gzip

Its response is a JSON object with a boolean value indicating whether a two-way match exists between you and the liked user.

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
X-Auth-Token: b5b820ac-aede-4fe2-b6a3-92cc921c6a5c
Content-Length: 15
Connection: keep-alive

{"match":false}

Now that we know what the requests look like, let’s re-create them with some C# code. Since prospects are returned in batches, we need to invoke a single RECS request, parse out each individual Tinder ID and invoke LIKE requests against each ID.

using System.Collections.Generic;
using System.Linq;            // AsParallel() / ForAll() used further below
using System.Net;
using Newtonsoft.Json.Linq;   // Json.NET (NuGet package Newtonsoft.Json)

public static List<string> GetProspects()
{
    List<string> ids = new List<string>();
    string response;

    try
    {
        using (WebClient wc = new WebClient())
        {
            // Header names match the captured RECS request (underscores, not hyphens)
            wc.Headers[HttpRequestHeader.ContentType] = "application/json; charset=utf-8";
            wc.Headers[HttpRequestHeader.UserAgent] = "Tinder Android Version 3.2.0";
            wc.Headers.Add("X-Auth-Token", "b5b820ac-aede-4fe2-b6a3-92cc921c6a5c");
            wc.Headers.Add("os_version", "19");
            wc.Headers.Add("app_version", "757");
            // The inner quotes of the JSON body must be escaped inside a C# string literal
            response = wc.UploadString("https://api.gotinder.com/user/recs", "{\"limit\":40}");
        }
    }
    catch (WebException)
    {
        return ids; // network or HTTP error: hand back an empty list
    }

    if (!string.IsNullOrWhiteSpace(response))
    {
        dynamic dataObj = JObject.Parse(response);
        // "status" is a number in the response body, so compare it as one
        if ((int)dataObj.status == 200)
        {
            foreach (dynamic result in dataObj.results)
            {
                string str = result._id; // the profile ID used by the LIKE request

                ids.Add(str);
            }
        }
    }

    return ids;
}

The above method constructs a RECS request, invokes it and extracts the Tinder IDs. Json.NET is a popular JSON manipulation library for .NET and we use it above to parse the JSON response. We return a list of IDs when done.

Now that we have collected a handful of Tinder IDs, we can invoke a LIKE request against each of them.

public static void LikeUser(string userId)
{
    string uri = "https://api.gotinder.com/like/" + userId;
    using (WebClient wc = new WebClient())
    {
        // Same header names as the captured LIKE request
        wc.Headers[HttpRequestHeader.UserAgent] = "Tinder Android Version 3.2.0";
        wc.Headers.Add("X-Auth-Token", "b5b820ac-aede-4fe2-b6a3-92cc921c6a5c");
        wc.Headers.Add("os_version", "19");
        wc.Headers.Add("app_version", "757");
        wc.Headers.Add("platform", "android");
        try
        {
            wc.DownloadString(uri);
        }
        catch { } // Kids, don't try this in production code!
    }
}

Now that we have the code to request matches and like profiles, let’s put it all together with some nifty ol’ PLINQ for parallel execution.

GetProspects().AsParallel().ForAll(LikeUser);

Voila! Just invoke the above line as many times as you like in a loop and watch the matches pour in. That was pretty simple wasn’t it?
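Seen from the API server’s side, the loop above leaves a very recognisable footprint: one RECS call, then a burst of near-simultaneous LIKE calls that covers the whole batch, repeated. The following is an added, defender-side example that is not part of the original post and not Tinder’s code. It parses a constructed access log in a hypothetical format (timestamp, auth token, method, path, status), groups requests by token and flags tokens that trip either heuristic; the log format, the sample tokens and the thresholds are assumptions of this example.

```python
"""Detect scripted "like" bursts from a server-side access log.

Added example for illustration only; not part of the original post and not
Tinder's code.  The log format is a hypothetical one chosen for this example:
    <ISO-8601 timestamp> <auth token> <METHOD> <path> <status>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<token>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_log(lines):
    """Group requests by token: {token: [(timestamp, method, path), ...]}."""
    per_token = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:  # skip lines that do not match the expected format
            continue
        ts = datetime.fromisoformat(m["ts"])
        per_token[m["token"]].append((ts, m["method"], m["path"]))
    return per_token


def largest_burst(timestamps, window):
    """Largest number of events whose first and last both fall within `window`."""
    timestamps = sorted(timestamps)
    best = start = 0
    for end in range(len(timestamps)):
        while timestamps[end] - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse_token(events, window=timedelta(seconds=2), min_burst=20, min_likes_per_recs=30):
    """Return the reasons one token's traffic looks automated (empty list = clean)."""
    likes = [ts for ts, m, p in events if m == "GET" and p.startswith("/like/")]
    recs = [ts for ts, m, p in events if m == "POST" and p == "/user/recs"]
    reasons = []
    # A parallel ForAll fires a whole batch of likes within a second or two.
    burst = largest_burst(likes, window)
    if burst >= min_burst:
        reasons.append(f"{burst} likes within {window.total_seconds():g}s")
    # A person passes on some profiles; a bot likes (nearly) every one it was shown.
    if recs and len(likes) / len(recs) >= min_likes_per_recs:
        reasons.append(f"{len(likes) / len(recs):.0f} likes per recs call")
    return reasons


def find_bots(lines, **thresholds):
    """Map token -> reasons for every token that trips at least one heuristic."""
    flagged = {}
    for token, events in parse_log(lines).items():
        reasons = analyse_token(events, **thresholds)
        if reasons:
            flagged[token] = reasons
    return flagged


def build_sample_log():
    """Constructed sample: token BOT mimics the post's loop, token HUMAN swipes by hand."""
    t0 = datetime(2014, 8, 2, 14, 0, 0)
    fmt = "{} {} {} {} 200".format
    lines = []
    for batch in range(2):  # two iterations of the recs/like loop
        base = t0 + timedelta(seconds=30 * batch)
        lines.append(fmt(base.isoformat(), "BOT", "POST", "/user/recs"))
        for i in range(40):  # 40 likes fired in parallel, all within ~1 s
            ts = base + timedelta(milliseconds=300 + 20 * i)
            lines.append(fmt(ts.isoformat(), "BOT", "GET", f"/like/bot{batch:02d}{i:02d}"))
    lines.append(fmt(t0.isoformat(), "HUMAN", "POST", "/user/recs"))
    for i in range(6):  # a like every ~8 s, passing on the rest of the batch
        ts = t0 + timedelta(seconds=8 * (i + 1))
        lines.append(fmt(ts.isoformat(), "HUMAN", "GET", f"/like/human{i:02d}"))
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for token, reasons in find_bots(build_sample_log()).items():
        print(token, "->", "; ".join(reasons))
```

Run it directly and only the BOT token is reported, with both reasons. The per-token grouping is also where a server-side rate limit on the LIKE endpoint would naturally sit; the thresholds here are illustrative and would be tuned against real traffic.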

So, now what?

Well, that depends entirely upon you. You can use the knowledge you gained in this article for good or evil. If you are looking to meet new people on Tinder, check out CamMi Pham’s Tinder optimization hacks to make your profile look more appealing to prospective matches. If you are a software developer, you can use the techniques explained in this post to reverse engineer other apps. And lastly, if you are an evil spammer, you could write a Tinder bot to sell products to Tinder matches. The Tinderverse is your oyster 😉

Follow the discussion on Hacker News: https://news.ycombinator.com/item?id=8173197


How startups are valuated

June 28, 2013 | No Comments


Startup valuations have always intrigued me. Was Instagram really worth a cool billion? Some people sure as hell thought so and coughed up a crap ton (1 crap ton = 4 shit loads) of dough for it.

Honestly, there is no exact science to valuing startups. The biggest determinant of a startup’s value is the market forces of the industry & sector in which it plays, which include the balance (or imbalance) between demand and supply of money, the freshness and size of recent exits, the willingness of an investor to pay a premium to get into a deal, and the level of desperation of the entrepreneur looking for money.

These are some of the techniques commonly used to assess startups:

Asset Valuation

One of the more straightforward approaches to assessing the value of a startup is by placing a dollar value on all the assets of the company. These include physical assets (like hardware, furniture), intellectual property (like trademarks, patents) and even sweat equity – the theoretical salaries that would have been paid to founders.

Asset-Replacement-Cost Valuation

This approach attempts to measure the value of the startup by calculating how much it would cost to create or replace its key assets from scratch.

The Market Approach

The value of a startup can be derived from comparing it to its competitors who are in the same industry, have the same cost structure, similar revenue growth, etc. If the company is a fraction of the size of a comparable company, this fraction could be used to value the startup from the valuation of the larger company that recently raised money.

Income Valuation

This method involves projecting a company’s future cash flows and discounting them, at some rate, to arrive at their value in present dollars. The discount rate applied to start-ups is typically in the range of 30% to 60%. The younger the company, and the greater the uncertainty of its future earning power, the larger the discount rate should be. In the case of very young, pre-revenue companies, this technique may not be very effective.

Earnings-Multiple Valuation

This approach is usually applied to more mature start-ups that have already passed the break-even point. The technique involves tallying the company’s earnings before interest, taxes, depreciation and amortization (EBITDA) and multiplying it by some reasonable factor. Calculating typical EBITDA multiples for publicly traded companies in the same industry as the startup is as easy as taking the market cap of the company and dividing it by EBITDA.

While the techniques discussed above are used to value startups, there are multiple factors that also affect the valuation. Some of these include:

Timing – Like in real estate, the startup investment market has its cycles. For example, in 2003 startup valuations were higher in general than they were in 2009. Lately, there are more startups seeking financing. Hence the lower valuations.

Bidding War – When multiple parties are interested in acquiring or investing in a startup, the value of the company usually increases.

Desperation – If the startup is desperate to exit or raise funds, its value will go down.

Traction – Startups that have a large user base and a promising trajectory of user growth can command higher valuations.

Market Size – The size of the market is an important factor when considering the scalability of the startup. Larger markets drive higher valuations.

Uniqueness of the Product – Technologies that are unique are attractive to investors because uniqueness reduces the competition in the space. Additionally, these startups also benefit from first mover advantage.

The Team – Startups with great teams typically are more attractive to investors and hence have higher valuations. Serial entrepreneurs can command higher valuations.

Revenue – Gross margins and revenue projections play a significant role in driving up the valuation of a company. Startups with hockey-stick growth curves are promising in that they appear to have found a market-fit.

And, there you have it – some light shed on the mystery of startup valuation. Only time will tell if Instagram, Tumblr and Waze were worth all that green.


Crushing Candy Crush!

June 14, 2013 | No Comments

Candy Crush Saga has become all the craze lately – especially after its recent port to iOS and Android. It is addictive, engaging and fun. And, it has over 15 million daily active users. Due to the lucrative nature of its in-app purchases, its developer, King, has even decided to abandon its advertising revenue streams altogether. King has perfected the art of monetizing all its games. Candy Crush is free for the most part. However, just when you are hooked and fully invested in the game, it makes you cough up 99 cents for 5 additional moves that you absolutely need to complete the level and proceed to the next one. These cents quickly add up and before you know it, you are out a few hundred dollars. It’s absolutely brilliant!

[image: CandyCrush_1]

Flash games have been around forever and many popular mobile games have had humble beginnings with Adobe Flash. Candy Crush is no different and has a Flash offering too. Since Flash runs on your computer (as opposed to the cloud), it is relatively easy to cheat on these games by modifying their state in memory.

ArtMoney and Cheat Engine are popular memory hacking tools used to modify the state of running applications. They work by searching for values set by the user with a wide variety of options that allow the user to find and sort through the computer’s memory. Using these tools, users can view the disassembled memory of a process and make alterations to give themselves advantages such as infinite time, points, etc.

In this article, I’ll walk you through the process of using a memory hacking tool on a Flash game like Candy Crush. I don’t endorse robbing game developers of their well-earned revenue and this tutorial is written purely for educational purposes.

First and foremost, download and install Cheat Engine. Then, launch it. Once Cheat Engine is running, we need to attach it to the process which hosts the game. Click on the icon highlighted to do just that.

[image: CandyCrush_2]

Since Flash games run within a browser, we need to attach it to the web browser (in our case Chrome). Notice how there are multiple Chrome processes listed below? This is expected of Chrome. Just select any one of them and click “Open”.

[image: CandyCrush_3]

We now return to our Candy Crush game running on Chrome and notice that we have 15 moves available to us. Say we want to increase our moves to 50. Let’s switch back to Cheat Engine. We need to identify the memory block that stores the value 15. Let’s begin by finding all values in the game’s memory that are set to 15. Creating a “New Scan” resulted in 10,727 memory addresses being found. It’s a good start. But, we can’t change all ten thousand plus values in memory and expect Candy Crush to continue working properly. It may work, but, more likely than not, the game will crash. Now, it’s about finding the needle in the haystack. We need to filter these results further.

[image: CandyCrush_4]

Returning to Candy Crush, let’s play a move and decrement the “moves left” from 15 to 14.

[image: CandyCrush_5]

Switching back to Cheat Engine, we perform a “Next Scan” with the value 14. This scan does not search the entire memory of the process. It just looks for memory locations with the value 14 amongst the memory locations previously identified. And, voilà! We hit a home run. We have found two memory addresses that have changed from 15 to 14. It was all too easy. If you are curious, you could play another move on Candy Crush and verify that these values get decremented by one.

[image: CandyCrush_6]

Now, let’s add these two memory locations to our watch list so that we can keep an eye on them during the course of the game. We can do so by clicking the highlighted red arrow.

[image: CandyCrush_7]

It’s now time to modify these values and make them 50. Values can be modified by hitting “Enter” on the keyboard, double clicking on the value, or bringing up the context menu with a right click as shown below.

[image: CandyCrush_8]

A dialog box should pop up. Input 50 and hit OK. Easy Peasy.

[image: CandyCrush_9]

Switching back to Candy Crush, we see that “moves left” has been incremented to 50 to reflect our changes in memory. Mission accomplished!

[image: CandyCrush_10]

This technique works on most games and can be used to change all game parameters that are stored in memory. This technique will not work in instances where game developers store the state of the game on their server (like the player’s level) and compare this game state with the one on the player’s computer. Memory hacking is just one of the many ways to cheat your way through games. There are multiple other ways to achieve the same objective. Other popular ways of hacking web-based Flash games include modifying the game logic with a Flash decompiler or intercepting the communication between the game and the server and transmitting incorrect information to the game’s server. If this is something that interests you, leave a comment below and I’ll discuss them in future posts.
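To make the “New Scan” / “Next Scan” narrowing above concrete, and to show why the server-side comparison just mentioned defeats it, here is an added example; it is not part of the original post and is not code from Cheat Engine or King. A bytearray stands in for process memory, offsets stand in for addresses, the toy game keeps its move counter in two places (as the two hits in the post suggest), and the MoveServer class is this example’s own sketch of an authoritative server-side counter. All of those are assumptions of the example.

```python
"""Value-scan narrowing over a constructed memory image, and the server-side
state check that makes the edited value useless.

Added example; not part of the original post and not Cheat Engine or King code.
`memory` is a bytearray standing in for process memory, offsets for addresses.
"""
import random
import struct

INT32 = "<i"  # 4-byte little-endian integer, the width the scan looks for


def read_int(memory, off):
    return struct.unpack_from(INT32, memory, off)[0]


def write_int(memory, off, value):
    struct.pack_into(INT32, memory, off, value)


def scan_all(memory, value):
    """First scan: every 4-byte-aligned offset currently holding `value`."""
    return [off for off in range(0, len(memory) - 3, 4) if read_int(memory, off) == value]


def scan_next(memory, candidates, value):
    """Next scan: keep only the earlier candidates that now hold `value`."""
    return [off for off in candidates if read_int(memory, off) == value]


class ToyFlashGame:
    """Toy client that stores moves_left twice (UI copy and logic copy)."""

    SLOTS = (0x400, 0xA00)  # constructed 'addresses' of the two copies

    def __init__(self, memory, moves=15):
        self.memory = memory
        for off in self.SLOTS:
            write_int(memory, off, moves)

    def play_move(self):
        for off in self.SLOTS:
            write_int(self.memory, off, read_int(self.memory, off) - 1)

    def moves_left(self):
        return read_int(self.memory, self.SLOTS[0])


def build_memory(size=4096, seed=1):
    """Constructed image: random noise plus many decoy 15s, so the first scan is wide."""
    rng = random.Random(seed)
    mem = bytearray(size)
    for off in range(0, size, 4):
        write_int(mem, off, 15 if rng.random() < 0.1 else rng.randrange(0, 1000))
    return mem


def locate_counter(game, memory):
    """The post's procedure: scan for the shown value, play one move, rescan."""
    hits = scan_all(memory, game.moves_left())  # thousands of candidates
    game.play_move()                             # only the real counter changes
    return scan_next(memory, hits, game.moves_left())


class MoveServer:
    """Authoritative counter: the client reports its value, the server decides."""

    def __init__(self, moves=15):
        self.moves = moves

    def play(self, client_moves_left):
        """Accept a move only if the client's counter agrees with the server's."""
        if client_moves_left != self.moves:
            return False  # tampered or desynced client state
        if self.moves == 0:
            return False
        self.moves -= 1
        return True


def demo():
    """Returns (moves shown by the client, whether the server accepted the next move)."""
    memory = build_memory()
    game = ToyFlashGame(memory)
    server = MoveServer(15)
    found = locate_counter(game, memory)  # the client has now played one legitimate move
    server.play(15)                       # ...which the server recorded as well
    for off in found:                     # "Change value" to 50 on every located address
        write_int(memory, off, 50)
    return game.moves_left(), server.play(game.moves_left())


if __name__ == "__main__":
    print(demo())  # the client shows 50 moves, the server refuses the move
```

The narrowing works exactly as in the post: only the two real counter slots survive the second scan. The edit then sticks on the client, but a server that keeps its own copy of the counter rejects the next move because the reported value no longer matches its record.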

Happy candy crushing!


Life after PRISM

June 12, 2013 | No Comments
So, the internet has exploded again. We live in interesting times where policies constantly need to keep up with advancements in technology. Back in 2012, SOPA and PIPA challenged our constitutional right to free speech by providing law enforcement agencies the authority to block websites that hosted copyright infringing content – without the need for a court order. SOPA would bypass the ‘safe harbor’ protections from liability presently afforded to websites by DMCA. Now, in 2013, we have come to learn that the NSA has been invading our privacy all along by aggregating our personal data into a surveillance program codenamed PRISM. This data seems to be acquired directly from American companies like Facebook, Google, Microsoft and Dropbox. These companies however, don’t seem to have any knowledge of PRISM and are vehemently denying any participation in it. Perhaps that’s true. Perhaps they aren’t aware of the existence of such a program. All we do know for sure is:
  • PRISM is for real.
  • NSA has personal data on people of interest. This data might have been obtained by (A) a backdoor provided by American companies, (B) snooping network traffic on a large scale or (C) making companies hand over personal information of multiple users via court orders and subpoenas. The last option appears to be the most plausible one.
So, what now?

It is the NSA’s job to collect information that is not easily accessible. And, we can’t blame them for doing their job darn well. While the existence of PRISM should not really surprise us, things can never be the same after the recent turn of events.
  • PRISM has not changed anything but the public’s perception of personal privacy. Individuals all over the world are now convinced that their personal information is or can be compromised.
  • Even if the PRISM surveillance program is dismantled, nobody will ever know for sure if a new program is set up to pick up from where PRISM left off. We do not have this level of transparency into our government.
What will change?
  • The public will come to the realization that the privacy and anonymity they initially thought they enjoyed never really existed. They will discover that they are solely responsible for their privacy online.
  • More conscious about protecting their privacy, the public will seek out alternative technologies in an attempt to protect themselves. Usage patterns of existing services like Gmail, Outlook, Facebook, etc. will change. Anonymity protecting technologies like Tor will become more popular. Cloud storage and file synchronization services like Dropbox will get replaced by secure P2P technologies like BitTorrent Sync. There will be a greater push to move towards decentralized, secure and open source technologies like BitCoin. Even social networks like Facebook could eventually get replaced by open source P2P alternatives. A new market will emerge where the general population will be willing to pay top dollar to protect their privacy, security and anonymity.
  • Private companies will not trust other companies with their data. Companies that can afford it will switch to private clouds and insist on all external services (SaaS) being hosted in-house.
  • Foreign countries will start blocking access to American websites and American companies may be forced to operate solely outside the country – just to rebuild their credibility. Foreign countries will surely use this as an opportunity to promote their own services (like China does today). Sadly, this effectively reinstates the political boundaries that were previously torn down by the internet.
  • We should expect administration and policy reform very soon. Amendments may even be proposed to the Patriot Act.
  • Despite being declared a hero by the media, Edward Snowden will likely be extradited and prosecuted. He may be pardoned of some crimes but will likely spend the rest of his life on the run, serving time, or fighting legal battles against the state and his former employer.
[image: obama_prism]

Exposure of the PRISM surveillance program has been a colossal embarrassment to the United States and to the Obama administration, which previously denied its existence. While every government performs varying degrees of surveillance, the United States is in a unique position where it has access to very private information provided by foreign individuals to American companies. These individuals never truly understood the consequences of trusting these companies with their data. The hype generated by the media over the extent of NSA surveillance has placed the issue of privacy in the limelight. Nothing truly has changed other than the perception of individuals all over the world. The importance of perception cannot be overstated, as it is this very same perception that will spark far reaching changes like the ones highlighted above.
© 2016 Yuri de Souza | Official website of Yuri de Souza – software developer and entrepreneur based in San Francisco.