I found my new hobby in the weirdest place — my dad's obsession with cricket.
We still pay for cable; it's the only way my dad can watch streams from our hometown in India, on the other side of the world. The problem was, my mom also watches, and we only have one TV with access. And her favorite shows are on during the cricket matches.
It was truly a dilemma.
Realizing My True Power
When I walked in on them arguing over the TV again at 7 AM, I saw that my dad had signed out of his account. The display showed two things:
MAC address: 00:1A:2B:3C:4D:5E (censored for safety)
Device Key: A624 (Also not the real device key)
And it asked to put those into an authentication app on his phone to activate the TV.
Hmm...
If this is all the app took for authentication (no JWT or cookies), couldn't I just spoof the MAC address and device key, and hardcode the requests?
I guess there was only one way to find out.
Reversing Our Binary with Jadx
My TV was an Android TV, so I definitely knew that this was possible. Android's loose OS restrictions allow me to run pretty much anything as long as I resign it. I can also easily extract data with Android Debug Bridge (ADB), and Java is a very easy language to decompile. It's like the stars aligned for this exact use case.
So I booted up ADB on my Fire Stick and pulled the binary, and then I used an open source tool called Jadx to look at our APK.
We're in!
That's pretty readable code to me, but the strings are obfuscated. Luckily Jadx provides a deobfuscation tool in Tools → Deobfuscation. After spending a few hours clicking through classes, I realized I could've just Ctrl+F'd for device_key and mac_address, because they're everywhere in plain sight.
@InterfaceC0596b("device_key")
private String device_key;
Later in our class AppInfoModel, we find this convenient getter:
public String getMac_address() {
return this.mac_address;
}
Cool! Let's just edit our code and call it a day.
Unfortunately it's not that easy. Jadx only supports viewing source code, not editing it. We have to actually dump the APK using another tool called apktool. And the output isn't Java; it's a different language called smali, a human-readable form of the bytecode your APK compiles down to when you ship it to a device.
smali looks like this:
.field private mac_address:Ljava/lang/String;
.annotation runtime Lb7/b;
value = "mac_address"
.end annotation
.end field
Definitely not user friendly.
With no autocomplete or syntax highlighting, I got to work (copy-pasting it to ChatGPT and asking it TO HELP MEEEE).
And I changed our helpful getter to this:
.method public getMac_address()Ljava/lang/String;
.locals 1
const-string v0, "<Enter YOUR mac address here!!>"
return-object v0
.end method
After doing the same for our getDevice_Key function, we can resign and repush our APK, and lo and behold, it works! Our TV provider trusts their clients way too much. If we wanted to, we could now watch on multiple devices. We also now have the added benefit of being able to watch on our Android phones!
Now at 6 AM, I have the utmost pleasure of listening to my dad when India hits a six, AND the privilege of listening to 7 woosh sounds happening per second during my mom's serials.
Responsible Disclosure
If you happen to figure out the provider, don't bother trying this. Once I confirmed the vulnerability, I immediately disclosed it to their team. They've since patched the backend to properly validate concurrent sessions and limit streams, so trying to spoof devices will now just log you out on concurrent streaming. They had a pretty quick turnaround as well (3 days!), and I'm glad we were able to get this issue sorted together.
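The backend fix described above, modelled as an added example (this is not the provider's code): a server-side stream registry in which the MAC address and device key a client presents are just labels, access is granted only by a server-issued token, and a cap on live streams per account means a second client, spoofed or not, logs the first one out. The account names, the cap of one stream, and the reuse of the post's placeholder MAC/device key are assumptions.

```python
import secrets
from collections import OrderedDict


class StreamBroker:
    """Server-side session registry. The client's MAC/device key is treated as a
    label only; access is granted by a server-issued token, and the account's
    number of live streams is capped regardless of what identity clients claim."""

    def __init__(self, max_streams=1):
        self.max_streams = max_streams
        # account -> OrderedDict(token -> device_label), oldest session first
        self._sessions = {}

    def start_stream(self, account, device_label):
        """Open a stream and return (token, evicted_labels).
        When the account is at its limit, the oldest session is dropped, so a
        second client (spoofed identity or not) logs the first one out."""
        active = self._sessions.setdefault(account, OrderedDict())
        evicted = []
        while len(active) >= self.max_streams:
            _, old_label = active.popitem(last=False)
            evicted.append(old_label)
        token = secrets.token_urlsafe(32)  # unguessable, server-generated
        active[token] = device_label
        return token, evicted

    def is_live(self, account, token):
        """Heartbeat check the player should make before fetching each segment."""
        return token in self._sessions.get(account, ())

    def stop_stream(self, account, token):
        self._sessions.get(account, {}).pop(token, None)


def demo():
    """Two clients presenting the same (constructed) MAC address and device key."""
    broker = StreamBroker(max_streams=1)
    spoofed = ("00:1A:2B:3C:4D:5E", "A624")  # the post's placeholder values
    tv_token, _ = broker.start_stream("dad", spoofed)
    phone_token, evicted = broker.start_stream("dad", spoofed)
    return {
        "tv_still_live": broker.is_live("dad", tv_token),  # False: kicked off
        "phone_live": broker.is_live("dad", phone_token),  # True
        "evicted": evicted,
    }


if __name__ == "__main__":
    print(demo())
```

Because sessions are keyed by the server token rather than by the claimed device identity, two clients that present identical MAC/device-key values still count as two streams against the account's cap.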
That's it guys, thank you for reading my entire blog post. This project took me around 6 hours the first time because I was learning everything as I went and had no experience with any of the tools I used here.
— anishalle