In this little Tutorial I'm going to run through some basics of how people currently Null and Panel the Official XCIPTV Apps and Rebrands.
Step one; Prepare your working Environment
There are a few different apps that people like to use when modifying APK's but for this tutorial we will be using the OG - MT Manager.
You can download MT Manager from the Resources section, However you can follow along if you know how to use other tools like APK Tool or APK Easy.
Now I feel its a lot easier to use and make simple modifications when using MT Manager on your Desktop so for this tutorial we will be using BlueStacks Android Emulator, but again
you are welcome to use any other Emulator or the Windows Subsystem for Android providing you know how to use them in the same ways we will be following along with BlueStacks.
Once you have MT Manager APK and BlueStacks Installer, go ahead and install BlueStacks and then drag-and-drop MT Manager APK onto it to install quickly and be able to login.
Step two; Deciding on the app to modify
I personally prefer to work on the Official branded XCIPTV application but this is usually the last to be updated to the latest revision so are usually an update behind when it comes to the rat-race. However there are simple ways to be able to find the latest versions in the form of their Rebrands which they tend to update first. I have posted a simple script which can scrape through and find Rebranded APKs from the OTTRun S3 Storage previously so if you want to go check that out, leave a like.
OTTRun store their data by 'customerid' - the Official app's (Playstore version) 'customerid' is 521064 so we can navigate to download.ottrun.com/downloads/521064/ and check out what's there to download and start work on.
If you want to follow along - grab the version of the app you would like too work on and I will attempt to make this tutorial cover as much as possible for editing official and rebrands.
Simply drag-and-drop this into your emulator.
Step three; Extracting and preparing the APK
In your emulator, open MT Manager.
From here follow this quick video on Extracting the APK from the installed XCIPTV app and locating the APK using MT Manager.
*** Hidden text: cannot be quoted. ***
Now that you have located the extracted APK you are now able to start working on it and prepare it for modification. The next steps are optional but I feel as though they should be apart of most workflows when working on this type of modification - Kill Signature Verification and DEX Redividing.
Now although XCIPTV don't rely on Signature Verification - some apps do and this is the first step you must take to prevent the application crashing because as soon as you make a change to the Application, the application needs to be re-signed using the tool your working with, some offer the ability to use your own signature or some just do it for you, MT Manager can do both. For this tutorial we will be using MT Managers default Signature.
DEX Redividing is also a good tool to use as some apps are packed so tight that the slightest change may cause the DEX to become over filled with methods and this tool does what it says, redivides the methods from a DEX into separate DEX archives equally, allowing you to add/edit/remove methods and variables without worrying.
So from here follow this quick video on Killing the Signature Verification and Redividing the DEX and creating a Clone of the app.
*** Hidden text: cannot be quoted. ***
Now that we have a nice Clone of the original application to work with you can now install to see that it will break as soon as you open.
This is due to the way the XCIPTV app verifies the application, but we will fix this in the next step.
Step four; Removing Native Calls
This part of the tutorial is going to allow us to prevent the app from locating key information in its Shared Object (.so) Library files enabling us to be able to change the information such as Appname, Package name and more importantly the Primary and Secondary API URLs which you need to be able to connect to your own Web Panel API. Please note though that this if only needed since XCIPTV 5.0.1-705 and anything beyond will need to have the Native calls replaced, anything lower will be able to jump straight to the next Step of the tutorial.
I will attempt to simplify this by first explaining what is happening and why and then secondly providing the replacement Smali code.
There are multiple places which have been replaced with Native calls and up-to-now these are what I have documented when nulling various versions.
*** Hidden text: cannot be quoted. ***
Please note that at some point they stopped using the A(), V() and VC() methods. In this tutorial we are using 5.0.1-724 and wont include them but you are able to simply add them and make the necessary changes if needs be to make the version you are working with work. It is worth saying that the Version and Version Code are not really worth changing either so wont affect you if you decide to not use them at all.
You will need to search for these one-by-one in the application to be able to replace them with non-native functions. When you look at the Clone we have and search for AN()Ljava/lang/String; we will come across the native function which will look like this in Smali:
*** Hidden text: cannot be quoted. ***
This function is returning a String it has called from the Shared Object Library loaded on run-time of the app. What we can do instead of editing the Lib using tools like BinaryNinja is to simply replace the method with a normal Java method (in Smali of course) which does the exact same but we are able to control from MT Manager, here is a look at the code we are going replace this App Name function with (in this tutorial):
*** Hidden text: cannot be quoted. ***
Note: this replacement method is for use with the rest of this tutorial as we will be adding the appname()Ljava/lang/String; function too the Config.smali class later down the line.
Moving on we would need to simply replace the remaining Native methods with the respective functions we have made to be able to stop the XCIPTV app from reading from the Shared Object Library and just... do as we say.
For this tutorial complete this list of Search and Replace with:
*** Hidden text: cannot be quoted. ***
Of course there are other methods you can find in older versions of the XCIPTV applications such as VC()Ljava/lang/String; which you would just return the value for, for example in older 705 verisons where we know the Native call for Version Code exists you would replace the native method with a function similar to this:
*** Hidden text: cannot be quoted. ***
And this would allow you to then change the Version Code of the app yourself - but why? Regardless this is how you would achieve this, see the list above for example data that would be used in the return statement for these functions.
The last major changes to the app should be to remove any force-closing of the application you can do this by searching for:
Landroid/app/Activity;->finishAffinity()V
and removing all 9 instances of this from the app, Just select and delete.
In case you got confused with the explanations of how to do this here is a quick Video explaining it:
*** Hidden text: cannot be quoted. ***
