···11++++
22+title = "Hilton Decompilation"
33+date = 2024-10-23
44+slug = "hilton-decompilation"
55+description = "Decompiling the Hilton Honors app to try and reverse engineer the digital keycard feature further"
66+draft = true
77+88+[taxonomies]
99+tags = ["reverse engineering", "hilton"]
1010+1111+[extra]
1212+has_toc = true
1313++++
1414+1515+Ello! I'm back again! I'll be staying at a Hotel again in two days so I decided to try to decompile the app ahead of time so I can test stuff while I'm there. I decided to target the android app first because it seemed easier to decompile (i've partly decompiled an apk before about 3 and half years ago to embed a payload in it and I don't remember it being horrible) and I knew getting the apk itself would be far easier than from the Apple App Store.
1616+1717+{{ img(id="https://cloud-glc3mgu9t-hack-club-bot.vercel.app/0image.png" alt="screenshot of the nix packages entry" caption="prepackaged for nix; always a good sign") }}
1818+1919+I was able to download the apk from the [apkcombo.com](https://apkcombo.com/downloader/#package=com.hilton.android.hhonors) website by simply inputing the play store URL so we were off to a good start. Apktool was already in [nix packages](https://search.nixos.org/packages?channel=unstable&from=0&size=50&sort=relevance&type=packages&query=apktool) so we didn't have to do anything fancy there. One `pkgs.unstable.apktool` and a `sudo nixos-rebuild switch` latter and we were ready to go. Then I waited another 2 days lol. Finally in the hotel room (again crunched on time; why do I never seem to learn?) I was able to decompile the apk and start looking around.
2020+2121+{{ img(id="https://cloud-qh7hbvivt-hack-club-bot.vercel.app/0image.png" alt="screenshot of the successful decompilation process" caption="all nicely decompiled") }}
2222+2323+I started uploading the decompiled app to github ([kcoderhtml/hilton-honors](https://github.com/kcoderhtml/hilton-honors)) which was incredibly slow and then started poking around the app. The first thing I noticed was quite a few files with firebase in the name as well as several play store properties files. All of them seemed to follow the same pattern of having a `version`, `client`, and then file specific client key.
2424+2525+```text
2626+$ ls unknown/firebase*
2727+2828+unknown/firebase-annotations.properties unknown/firebase-encoders.properties
2929+unknown/firebase-appindexing.properties unknown/firebase-encoders-proto.properties
3030+unknown/firebase-auth-interop.properties unknown/firebase-iid-interop.properties
3131+unknown/firebase-datatransport.properties unknown/firebase-measurement-connector.properties
3232+unknown/firebase-encoders-json.properties
3333+```
3434+3535+</br>
3636+3737+> firebase-auth-interop.properties
3838+```
3939+version=20.0.0
4040+client=firebase-auth-interop
4141+firebase-auth-interop_client=20.0.0
4242+```
4343+4444+4545+4646+As I did last article I will be taking any questions / comments about this article via email and then posting them here to my site! If you have a question or comment, feel free to email me at [me@dunkirk.sh](mailto://me@dunkirk.sh).