Reverse Engineering the Show Box app
October 23, 2018 | 02:42 PM
For a while now I have been wondering how the app of Show Box stays afloat and how everything comes together. This page is of my current efforts to reverse engineering the app. As reverse engineering this app is not super easy I am keeping everything I find publicly available. Someday maybe a open source version of the app might be possible. Imagen running a version of Show Box in a browser without an emulator!
One of the first things I did to try reverse engineering the SB app was to inspect the traffic coming out of it. Using a free play store app (Packet Capture) that makes a local vpn to sniff the packets coming out of the app*, I got a few interesting things.
So, here is what I have:
~Note: Most of the links require a user agent string of "Show Box"
In oreder to send the custom user agent, use the browser exstention found here.
This is where the app gets a token (I think): http://m10.sbfunapi.cc/api/serials/config/
This is what the app uses to get the movie/episode id: http://sbfunapi.cc/api/serials/episode_details_s/?h=110&u=1&y=1
This is where the app gets a hash (don't know what for yet): http://sbfunapi.cc/api/serials/mw_sign_s/?token=8fd195318eb916ec
This is where the app gets the video stream urls from, but, I haven't cracked this one yet: http://188.8.131.52/video/64c201b1c9db8bd5/manifest_mp4.json?sign=2d853598351265c9f0786ed092fc1854&expires_at=1540135799
I say this is a good start, but until I don't need the app anymore to get the url streams and moive/season id's, I have more work to do. I want to not have any reliance (except for their api and db) with the SB app. PLEASE, if you have any insight on this topic leave a comment below!
*I don't have a complete understanding of the packet app
Here is a noice site for the timestamp: http://timestamp.online/