Reverse Engineering Snapchat (Part II): Debofuscating the Undeobfuscatable (opens in new tab)

(hot3eed.github.io)

295 points3eed6y ago61 comments

61 comments

39 comments · 12 top-level

Hey OP, since you're here:

I find this pretty hard to follow. Would you be open to writing a longform version of this aimed at the tutorial level?

Reading between the lines, I would guess you're trying to demonstrate that you really know what you're doing. Maybe as a proof of concept for possible employment opportunities. If so, that's great! Good luck.

But if I were interested in reverse engineering some other app, I don't think I could understand what you've done well enough to use these techniques on that app. Except maybe the breakpointing within `fuck_debug`, that was pretty slick and easy to follow.

yasoob6y ago

If reading even the first part of this series doesn't help, read this beginner tutorial I recently wrote: https://yasoob.me/posts/reverse-engineering-android-apps-apk... It starts you off with the basics and uses smali.

After that you can explore this tutorial on frida: https://securitygrind.com/bypassing-android-ssl-pinning-with... These two techniques will give you some more basic knowledge of how app reversing is done. :)

3eedOP6y ago

It's true, these posts are for intermediate and upper reverse engineers. It would really take a book to explain it from the ground up it like someone here mentioned. I suggest getting some background in assembly, then reading the OWASP guide (link in my previous HN post), and persistence.

drudu6y ago

Obviously not the OP but I think that a longform version of this would be an entire book/college level course. I wish I could learn how to reverse state of the art obfuscation in a single, long post but that's just not how it works.

fingerlocks6y ago

I would pay for that book.

saagarjha6y ago

I found it fairly reasonable, although you'd have to have a general idea of the subject beforehand. I read it as a being aimed at reverse engineers who are looking for some general techniques to bypass common anti-debugging/obfuscation features rather than "how to reverse engineer apps 101".

reagent_finder6y ago

"Reasonable" is a stretch, "interesting" is the right word. Personally I'd put this in the "Oh, huh" box along with quantum crypto. It's interesting, it's complex and it's got way too many engineering hours behind it... but ultimately for 99% of people or even 99% of computer scientists or HN readers, it's just fascinating trivia.

I absolutely appreciate these posts, this guy spent WEEKS delving into the depths of SnapChat just for the joy of discovery.

Maybe a good classification would be that part 1 is detailing a number of obfuscation techniques and the key thing to take away is that all of them CAN be bypassed.

jonas216y ago

It's easier to follow if you read part I of the series first:

https://hot3eed.github.io/2020/06/18/snap_p1_obfuscations.ht...

masteruvpuppetz6y ago

+1. Need a simpler version if possible.

wayne6y ago· 7 in thread

This level of API obfuscation reminds me of forever ago when MSN Messenger figured out AOL's AIM API, so MSN Messenger could send AIM messages, which annoyed AOL. AOL would make API changes to break MSN, but MSN would update the client and stay ahead. Eventually to make the API uncloneable, AOL changed their payload to exploit a buffer overrun in their own AIM clients that wouldn't be in the MSN clients.

https://nplusonemag.com/issue-19/essays/chat-wars/

worewood6y ago

I think the most important, and this article left it out, is why exactly this makes the API uncloneable - why couldn't MSN just emulate the buffer overflow behavior like it was doing with everything so far?

As the article says, the client also responded with some code. What I think was happening: the client was responding with portions of its own executable memory, which could be checked by AOL servers.

That way for MSN to emulate that behavior, it would need to have the AIM client's executable code inside itself, which would be an easy win in a copyright lawsuit.

lliamander6y ago

Why not just send copy written code as part of the payload?

1 more reply

spideymans6y ago

Interesting time that was. I don't believe that any of these internet giants would ship a feature that is effectively a hack, in this day and age.

HTC and Palm also engaged in the back-and-forth, when Palm attempted to get their OS to sync with iTunes.

https://www.wired.com/2009/10/palm-pre-itunes/

Roritharr6y ago

You will be scared to find out that a lot of Fintech has webscraping as an accepted part of their stack...

1 more reply

saltedonion6y ago

Very interesting. I think this would likely lead to lawsuits today, under a complaint violating DMCA.

xmprt6y ago

Is there legal precedent for copyrighting APIs?

1 more reply

foobar_6y ago

Can't AOL use some kinda session token for this ? Super confused.

zimmerfrei6y ago· 4 in thread

Both iOS and recent Androids have by now a form of app attestation: the server can tell if the caller is the legitimate app or not (with good enough confidence - as everything, it's not unbreakable).

Doesn't that make obfuscation kind of pointless? Even if your knock-off app knows everything about the API of the original service, it won't be able to use it because it is not the genuine app or maybe it is but it is not running in a real iOS/Android device.

Or maybe this is only meant to include non-Android certified phones (= China)?

3eedOP6y ago

DeviceCheck on iOS support iOS 11 and up. Which would cut off 7% of users[1], a bit extreme. But when the time comes when you don't have to cut off anyone, it'll be very interesting to see what'll happen on iOS. Someone will bypass it? Death of reverse engineering? Who knows. On Android, an HN user mentioned in the previous post that it's a solved problem[2].

[1]: https://developer.apple.com/support/app-store/ [2]: https://magiskmanager.com/

zemnmez6y ago

seems like something having a rooted os would fix pretty quickly

power786y ago

Seems like the creator of Magisk Manager could not get around Android's implementation: https://twitter.com/topjohnwu/status/1245956080779198464?s=1...

whs6y ago

I tried adding safetynet attestation on launch for all Android clients and ran into rate limit pretty fast. (iirc it's about 10k/hr)

Devicecheck have no such problem though, but it doesn't really feel designed for the use case - you need to implement an anti replay system yourself.

underdeserver6y ago· 4 in thread

For fuckup_debugging, can't you use hardware breakpoints instead?

Also, why not patch the binary? I think iteratively patching out protections (in a repeatable, versioned way) would be my approach. It is then applicable to other binaries as well.

saagarjha6y ago

Hardware breakpoints are a little complicated on iOS. And patching the binary would of course only work if no other code verified the validity of the page you touched.

3eedOP6y ago

Are hardware breakpoints even possible on iOS? And correct, you can't patch the binary because there many anti-tampering measures, you could probably bypass those, but that's going a different route.

bluesign6y ago

Not the OP, but I can answer I guess. Hardware breakpoints are very limited (number of breakpoints you can put). Usually when you are debugging a decent target, number of breakpoints you use easily reach 50-60.

underdeserver6y ago

No doubt, but it's better than pausing every time. I guess with scripting it isn't really different.

coolspot6y ago· 2 in thread

Shouldn’t you be able to find any code that scans for breakpoints easily and patch it to be blind?

bluesign6y ago

Normally it is more like calculating hash from code piece, then xor result with constant and jump. (In general cases, never reversed snap)

So usually there is nothing to patch.

posedge6y ago

Can you calculate that hash (of the original binary) yourself and patch THAT in the function?

sintax6y ago· 1 in thread

For MBA, there's also Arybo[1] from Quarkslab. Never used it and seeing the reference to SSPAM, I assume the author is aware of the tool.

[1] https://github.com/quarkslab/arybo

3eedOP6y ago

I came across Arybo while working on the binary but I can't remember why I didn't use it, this is vague memory now. Anyway it does the job in one go, I added an edit.

saagarjha6y ago· 1 in thread

I’m surprised that Snapchat doesn’t check for the mere presence of a debugger and instead tries to look for breakpoints. Or perhaps you’ve already found and patched those checks out?

3eedOP6y ago

It does check for a debugger. But that would be through sysctl, or the csops sys call, which would be trivial to patch and a single point of failure.

stephc_int136y ago

As someone who wrote similar obfuscators (manually) back in 2003-2006 to protect a few indie games distributed on PocketPC (ARM7/WinCE) I found it quite conforting to see that the techniques are still similar.

I wonder about something, how long did it take?

dang6y ago

The related previous thread: https://news.ycombinator.com/item?id=23557998

Method54406y ago

Anyone else picture Deebo from “Friday” (Zeus from “No Holds Barred”) smashing apart source code after reading the title?

Prediction: Just me.

By the way, love both articles. Thanks for taking the time to share.

raverbashing6y ago

I wonder if the Android version uses the same technique and if not, if it would be harder/easier to break

sarabande6y ago

The title is misspelled (s/Debofusc/Deobfusc/).

j / k navigate · click thread line to collapse

61 comments

39 comments · 12 top-level

hackernewsn00b6y ago· 8 in thread

Hey OP, since you're here:

I find this pretty hard to follow. Would you be open to writing a longform version of this aimed at the tutorial level?

yasoob6y ago

3eedOP6y ago

drudu6y ago

fingerlocks6y ago

I would pay for that book.

saagarjha6y ago

reagent_finder6y ago

I absolutely appreciate these posts, this guy spent WEEKS delving into the depths of SnapChat just for the joy of discovery.

Maybe a good classification would be that part 1 is detailing a number of obfuscation techniques and the key thing to take away is that all of them CAN be bypassed.

jonas216y ago

It's easier to follow if you read part I of the series first:

https://hot3eed.github.io/2020/06/18/snap_p1_obfuscations.ht...

masteruvpuppetz6y ago

+1. Need a simpler version if possible.

wayne6y ago· 7 in thread

https://nplusonemag.com/issue-19/essays/chat-wars/

worewood6y ago

As the article says, the client also responded with some code. What I think was happening: the client was responding with portions of its own executable memory, which could be checked by AOL servers.

That way for MSN to emulate that behavior, it would need to have the AIM client's executable code inside itself, which would be an easy win in a copyright lawsuit.

lliamander6y ago

Why not just send copy written code as part of the payload?

1 more reply

spideymans6y ago

Interesting time that was. I don't believe that any of these internet giants would ship a feature that is effectively a hack, in this day and age.

HTC and Palm also engaged in the back-and-forth, when Palm attempted to get their OS to sync with iTunes.

https://www.wired.com/2009/10/palm-pre-itunes/

Roritharr6y ago

You will be scared to find out that a lot of Fintech has webscraping as an accepted part of their stack...

1 more reply

saltedonion6y ago

Very interesting. I think this would likely lead to lawsuits today, under a complaint violating DMCA.

xmprt6y ago

Is there legal precedent for copyrighting APIs?

1 more reply

foobar_6y ago

Can't AOL use some kinda session token for this ? Super confused.

zimmerfrei6y ago· 4 in thread

Both iOS and recent Androids have by now a form of app attestation: the server can tell if the caller is the legitimate app or not (with good enough confidence - as everything, it's not unbreakable).

Or maybe this is only meant to include non-Android certified phones (= China)?

3eedOP6y ago

[1]: https://developer.apple.com/support/app-store/ [2]: https://magiskmanager.com/

zemnmez6y ago

seems like something having a rooted os would fix pretty quickly

power786y ago

Seems like the creator of Magisk Manager could not get around Android's implementation: https://twitter.com/topjohnwu/status/1245956080779198464?s=1...

whs6y ago

I tried adding safetynet attestation on launch for all Android clients and ran into rate limit pretty fast. (iirc it's about 10k/hr)

Devicecheck have no such problem though, but it doesn't really feel designed for the use case - you need to implement an anti replay system yourself.

underdeserver6y ago· 4 in thread

For fuckup_debugging, can't you use hardware breakpoints instead?

Also, why not patch the binary? I think iteratively patching out protections (in a repeatable, versioned way) would be my approach. It is then applicable to other binaries as well.

saagarjha6y ago

Hardware breakpoints are a little complicated on iOS. And patching the binary would of course only work if no other code verified the validity of the page you touched.

3eedOP6y ago

Are hardware breakpoints even possible on iOS? And correct, you can't patch the binary because there many anti-tampering measures, you could probably bypass those, but that's going a different route.

bluesign6y ago

underdeserver6y ago

No doubt, but it's better than pausing every time. I guess with scripting it isn't really different.

coolspot6y ago· 2 in thread

Shouldn’t you be able to find any code that scans for breakpoints easily and patch it to be blind?

bluesign6y ago

Normally it is more like calculating hash from code piece, then xor result with constant and jump. (In general cases, never reversed snap)

So usually there is nothing to patch.

posedge6y ago

Can you calculate that hash (of the original binary) yourself and patch THAT in the function?

sintax6y ago· 1 in thread

For MBA, there's also Arybo[1] from Quarkslab. Never used it and seeing the reference to SSPAM, I assume the author is aware of the tool.

[1] https://github.com/quarkslab/arybo

3eedOP6y ago

I came across Arybo while working on the binary but I can't remember why I didn't use it, this is vague memory now. Anyway it does the job in one go, I added an edit.

saagarjha6y ago· 1 in thread

I’m surprised that Snapchat doesn’t check for the mere presence of a debugger and instead tries to look for breakpoints. Or perhaps you’ve already found and patched those checks out?

3eedOP6y ago

It does check for a debugger. But that would be through sysctl, or the csops sys call, which would be trivial to patch and a single point of failure.

stephc_int136y ago

I wonder about something, how long did it take?

dang6y ago

The related previous thread: https://news.ycombinator.com/item?id=23557998

Method54406y ago

Anyone else picture Deebo from “Friday” (Zeus from “No Holds Barred”) smashing apart source code after reading the title?

Prediction: Just me.

By the way, love both articles. Thanks for taking the time to share.

raverbashing6y ago

I wonder if the Android version uses the same technique and if not, if it would be harder/easier to break

sarabande6y ago

The title is misspelled (s/Debofusc/Deobfusc/).

j / k navigate · click thread line to collapse