Reverse engineering CityBee’s API for fun and not profit

Žygimantas Magelinskas
3 min read · Jul 9, 2021


Why Citybee

As I recently got my driver’s license, CityBee became a mode of transportation that I use frequently. So I wanted to take a peek inside one of the only car-sharing apps in Lithuania.

Inspecting the decompiled sources

After unpacking CityBee’s Android XAPK (an APKPure bundle that wraps the APK together with its expansion files) and running it through an APK decompiler, we can rummage through the app’s code. A few cursory looks kept turning up the symbol monodroid, which a quick Google search revealed to be the Mono runtime for Android, i.e. the app is built with Xamarin. Since it runs on Mono, and most of the decompiled Java sources only contained what looked like the View part of an MVC split, I had a hunch that the logic the views reach out to for data lived in a compiled binary. The hunch was correct: there were DLL files under resources/assemblies.

Reverse engineering the DLL files

Knowing that these were Mono files, I assumed they would open as ordinary .NET assemblies. They did not: dnSpy failed to load them and ExeInfo PE reported that they were neither DLL nor EXE files. The first four bytes, 0x58 0x41 0x4c 0x5a (the magic bytes, which spell XALZ in ASCII), did not ring a bell either. Running strings on CityBee.API.dll, however, produced the familiar This program cannot be run in DOS mode message, which is the DOS stub that every normal DLL/EXE carries, plus other readable strings. That is a useful tell: an encrypted file would not leak plaintext runs, but a compressed one does, because compressors such as LZ4 store unmatched bytes as literals. Reading up on how to get these files into dnSpy, I found a decompressor that handles files with the XALZ magic bytes, which is the LZ4-compressed assembly format Xamarin.Android uses. [link]
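The decompressor the post links to does exactly one job, so as an added example (not the author’s script and not CityBee’s code) here is a minimal Python equivalent. It assumes the XALZ layout Xamarin.Android uses: a 12-byte little-endian header consisting of the magic XALZ, a uint32 descriptor index and a uint32 uncompressed length, followed by a raw LZ4 block (no LZ4 frame). It uses the lz4 package when installed and otherwise falls back to a small pure-Python LZ4 block decoder. The sample input is constructed inline by hand and is not taken from the app.

```python
import struct
import sys

XALZ_MAGIC = b"XALZ"
HEADER = struct.Struct("<4sII")  # magic, descriptor index, uncompressed length


def lz4_block_decompress(src: bytes, dst_size: int) -> bytes:
    """Pure-Python decoder for a raw LZ4 block (no frame header).

    Each sequence is: token | literal-length extension | literals |
    2-byte little-endian match offset | match-length extension.
    The final sequence carries literals only.
    """
    out = bytearray()
    i, n = 0, len(src)
    while i < n:
        token = src[i]
        i += 1
        lit_len = token >> 4
        if lit_len == 15:                    # extended literal length
            while True:
                b = src[i]
                i += 1
                lit_len += b
                if b != 255:
                    break
        out += src[i:i + lit_len]
        i += lit_len
        if i >= n:                           # last sequence: literals only
            break
        offset = src[i] | (src[i + 1] << 8)
        i += 2
        if offset == 0 or offset > len(out):
            raise ValueError("corrupt LZ4 block: bad match offset")
        match_len = (token & 0x0F) + 4       # minimum match is 4 bytes
        if token & 0x0F == 15:               # extended match length
            while True:
                b = src[i]
                i += 1
                match_len += b
                if b != 255:
                    break
        start = len(out) - offset
        for k in range(match_len):           # byte-wise so overlapping copies work
            out.append(out[start + k])
    if len(out) != dst_size:
        raise ValueError(f"size mismatch: got {len(out)}, header says {dst_size}")
    return bytes(out)


def decompress_xalz(blob: bytes) -> bytes:
    """Return the original .NET assembly from a Xamarin XALZ-wrapped file.

    Files that already start with the PE 'MZ' signature are returned unchanged.
    """
    if blob[:2] == b"MZ":
        return blob
    magic, _descriptor_index, size = HEADER.unpack_from(blob, 0)
    if magic != XALZ_MAGIC:
        raise ValueError(f"not an XALZ file (magic {magic!r})")
    payload = blob[HEADER.size:]
    try:
        import lz4.block  # optional: pip install lz4
        return lz4.block.decompress(payload, uncompressed_size=size)
    except ImportError:
        return lz4_block_decompress(payload, size)


# Constructed sample (not from CityBee): "Hello Hello Hello, world!" encoded by
# hand as one LZ4 sequence (6 literals + an 11-byte match at offset 6) followed
# by a literal-only tail, then wrapped in an XALZ header.
SAMPLE_PLAINTEXT = b"Hello Hello Hello, world!"
SAMPLE_LZ4 = bytes([0x67]) + b"Hello " + bytes([0x06, 0x00]) + bytes([0x80]) + b", world!"
SAMPLE_XALZ = HEADER.pack(XALZ_MAGIC, 0, len(SAMPLE_PLAINTEXT)) + SAMPLE_LZ4


def main(argv):
    # usage: python xalz.py <input.dll> <output.dll>; with no args, decode the sample
    if len(argv) == 3:
        with open(argv[1], "rb") as f:
            data = f.read()
        with open(argv[2], "wb") as f:
            f.write(decompress_xalz(data))
    else:
        print(decompress_xalz(SAMPLE_XALZ).decode())


if __name__ == "__main__":
    main(sys.argv)
```

The size check at the end of the pure-Python decoder matters: the header’s uncompressed length is the only integrity information in the format, so a truncated or tampered payload shows up as a length mismatch rather than as a silently shorter assembly.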

Finding the much needed URLs

Running this script on the CityBee files decompressed them and finally let me peek inside with dnSpy. Inside CityBee.Core.dll I found that the auth API URL of the app is https://gus.citybee.tech/. After toying with the auth API for a good hour I was not able to log in, either with my passcode/password or with any other combination of parameters. Along the way I managed to lock myself out of the CityBee app: my attempts made the API send me an overwhelming number of SMS verification codes, which is presumably its anti-abuse throttling kicking in, and a reminder that poking an authentication endpoint has side effects on your own account.
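The URL hunt in CityBee.Core.dll can be scripted instead of done by eye in dnSpy. The scanner below is an added example, not the author’s tooling: it assumes only that its input is the decompressed assembly and that .NET string literals are stored as UTF-16LE in the metadata #US heap, which is why a plain strings run (8-bit characters only by default) misses them while the ASCII DOS stub shows up. The sample blob is constructed here and merely reuses URLs mentioned in this post.

```python
import re
from typing import List

# ASCII URLs (e.g. in native stubs or embedded resources) and UTF-16LE URLs
# (the encoding .NET uses for string literals in the #US heap).
_ASCII_URL = re.compile(rb"https?://[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")
_TEXT_URL = re.compile(r"https?://[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")


def find_urls(blob: bytes) -> List[str]:
    """Return the sorted, de-duplicated URLs found in a decompressed assembly."""
    found = set()
    for m in _ASCII_URL.finditer(blob):
        found.add(m.group().decode("ascii"))
    # A UTF-16LE string can start at an even or an odd file offset, so decode
    # at both alignments. errors="ignore" drops the non-text bytes in between;
    # a URL only matches when it is read at the correct alignment.
    for off in (0, 1):
        text = blob[off:].decode("utf-16-le", errors="ignore")
        for m in _TEXT_URL.finditer(text):
            found.add(m.group())
    return sorted(found)


# Constructed sample blob (not a real assembly): a DOS stub, one UTF-16LE string
# placed at an odd offset, one ASCII URL, and one UTF-16LE string at an even
# offset. The padding lengths are chosen to produce those alignments.
SAMPLE_BLOB = (
    b"MZ\x90\x00This program cannot be run in DOS mode.\r\n$"  # 46 bytes
    + b"\x00" * 9                                                # -> odd offset 55
    + "https://selfservice.citybee.lt/".encode("utf-16-le") + b"\x00\x01"
    + b"https://gus.citybee.tech/" + b"\x00"
    + b"\x00" * 5                                                # -> even offset 150
    + "https://gus.citybee.tech/".encode("utf-16-le") + b"\x00"
)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) == 2 else SAMPLE_BLOB
    for url in find_urls(data):
        print(url)
```

Point it at the output of the XALZ decompressor. Because errors="ignore" turns surrounding binary into arbitrary characters, a match can occasionally pick up a byte or two of trailing noise; the same UTF-16 view is available from GNU strings with strings -el if you prefer to grep by hand.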

A change in strategy

After peeking at other people’s codebases on GitHub, I found the keyword self-service. Most of the codebases related to reverse engineering CityBee are deprecated and no longer work (a fun mention is this bot, which tweeted whenever a convertible popped up). Still, they gave me the biggest hint I had found so far: there is some kind of online self-service for CityBee.

The last step

The self-service lives at https://selfservice.citybee.lt/. After resetting my password (I assume this is the intended way to register for the web account), I was able to obtain a Bearer token. Playing around in Insomnia with that token and the URLs I had found in the app, I was able to access the CityBee API and retrieve a list of all the cars they have. Great success!

A successful and authenticated request to the CityBee API!
