BC MACHINE LEARNING
Saved by @Mollyycolllinss

Okay, doing my first baby steps with r2frida (which combines the power of @radareorg and @fridadotre).

Gonna share my progress in this thread (live, so keep calm).

The goal: Runtime inspection of data sent out by TikTok !!before!! it gets encrypted

1/many

 First of all, we do not start from zero. I got some prior knowledge from past reversing attempts and want to share some important facts.

TikTok's (log data) encryption is accomplished by a native library. The Android Java code just serves as proxy function to the native function
The decompiled code for the respective native JNI function of an older TikTok version looks something like this, but in this example I use the most current TT version (no statical analysis done, yet)
In case you never reversed native libraries which were build to interface with Android Java layer via JNI, I highly suggest the entry level introduction on the topic by @maddiestone

https://t.co/T63vo3N4fw
Before we start, I want to pinpoint some important aspects (which are also covered by Maddie's videos).

1) Unlike raw C-functions, JNI functions like the one showcased above, receive pointers to complex Java objects .

F.e. a function receiving a String on the Java layer...
... would receive a pointer to a 'jstring' on the native layer (not a zero-terminated C-String).

In order to retrieve a C-String, to go on working with it in the native code, some translation functionality is required. This functionality is provided by the ...
JNI (Java Native Interface). The JNI environment is passed in to JNI functions as first parameter.

If you look at the example screenshot again, you see exactly this. Functions provided by the 'env' pointer are used to parse the Java function arguments (f.e. jByteArrays) ...
Once the raw data is converted to a more C-ish form, it gets passed to a inner function 'ss_encrypt' in my example. The inner function, in this case, is a pure C function and thus receives only C-style parameters (also no 'env' parameter, so it would not be able to access JNI)
A 2nd important aspect on JNI libraries, covered by @maddiestone

2) There are two ways to expose JNI methods from a native library:

a) export them with proper naming convention, so that JNI could recognize same on library load
b) use the JNI functionality 'registerNatives'...
... to register the JNI functions once the library gets loaded.

The second method of registering methods is wel suited for obfuscated code, as the methods neither have to follow naming convention, nor do they have to be exported.
As you might expect, TikTok uses the 'registerNative' approach. The screenshot below shows log output from a custom tool, which monitors JNI methods registered by instrumented Android apps (TikTok's encryption method in the example)
If you would decompile the Java part of the TikTok apk, the encryption functionality (on an older version) would look something like this:
The Java method 'm18421a' receives a Java 'byte[]' and a Java 'int' as parameters and returns a 'byte[]', again.

Internally, this data is forwarded to the native JNI method 'ttEncrypt'.
The important aspect about this, is that the native 'ttEncrypt' JNI method has to accept those exact parameter types and thus has to "register" with a proper method signature.

We already saw this signature in a previous screenshot
The last line from the screenshot above, shows 3 things the native code has to provide for each method, when calling register natives:

1) the call address of the native function implementation (0x7d70d1d5 in example)
2) The function name (ttEncrypt)
...
3) The method signature, which is '([BI)[B' in this case and translates to:

'(' start of parameters
'[B' byte[]
'I' int
')' end of parameters
'[B' byte[] (return value)
So we keep this in mind: Even if the native library does not export the encryption method, it has to store the 1) funtion address, 2) name and 3) signature in a data structure, in order to provide it to 'registerNatives' once the library gets loaded by JNI
We now know almost everything we need, in order to head over to r2frida, except some important facts on my test setup:

- the app is inspected on a physical device, running Android 9
- the device uses a !!32bit!! ARM application core
As I am new to r2frida, chances are high that things could be achieved in an easier ways.

Now to get started, I already have the latest @fridadotre server running on my USB connected android device and 'frida-ls-device' shows it being ready-for-action
So let's spawn a fresh TikTok instance with r2frida, using the following command
The command 'launch'es the process, on the attached frida 'usb' device with the device id '4c197256' and the process's package name, of course is 'com.zhiliaoapp.musically'

Instead of 'launch', two other options could be used:
- 'attach' (would attach to an already running process, given by name or PID)
- 'spawn' (like 'launch', but the process would not be resumed automatically after attaching)
So for the warm up, let us use the Frida functionality, which alllows enumerating loaded Java classes. This nicely combines with the r2 syntax (concatenation of single-letter commands, '~' for grep)

Important: commands targeting the r2frida plugin have to be prefixed with '\'
The r2frida command to list classes is '\ic' (note the backslash prefix). The unfiltered result would be a bit overwhelming ...
... so we grep for classes including the term "crypt"
The '\ic ' command lists the !Java! methods of the respective class
The signature of the static method 'EncryptorUtil.a' should look familiar to us (if you read the first tweets). It represents the Java layer of the encryption method and is called 'a' in this version
Note: The information above would be enough, to Intercept the method from the Java layer (f.e. with @fridadotre or Xposed), in order to inspect the call arguments (the byte[] parameter represents the plain data before encryption)
... but we are here for the native layer and to inspect data at runtime, right?

So lets search the whole address space for our native method name 'ttEncrypt'

Note: If you'd use r2's ascii search nothing would happen, you have to use the '\' prefix to search with r2frida
The search ends with two hits:
The screenshot below shows, that the attempt to print a hexdump from the address of the first hit fails with r2, while r2frida (backslash prefix) works.

Reason: The memory region was not populated when r2 was started (encryption library was loaded after process launch)
I solved this issue like this:
1) Quit r2
2) Open r2 with r2frida, again, but this time **attach** to the already running process

et voila ... the memory offset is mapped and dumpable with 'px' (without backslash prefix)
Note: The last step is not necessary for a data hexdump, as you could still use '\px', but it turned out to be useful when it comes to printing the disassembly of "late loaded" code regions. This is because I sometimes struggled with '\pd', but 'pd' worked (+ various r2 views)
Having a closer look at the first hit of out string search for 'ttEncrypt', we notice that it is directly followed by a C-string with our method signature.

So chances are high, that this data is part of the structure which gets handed in to 'registerNatives'
Reminder: in order to register the 'ttEncrypt' method to JNI, the 'registerNatives' method requires a structure containing
- method name (C-string)
- method signature (C-string)
- method pointer (native pointer)
So the next step would be to search the process memory space for cross references to the address of this method name string (0x8448b74c). As I haven't applied any auto analysis, I use a simple hex search for this (in my case the byte order of the address has to be reversed ...
... to account for the architecture endianess).

The result is promising: Only one hit, for a search across the whole address space:
Printing the first 12 bytes from this XREF offset, reveals 3 pointers again (reversed endianess):

- 0x8448b74c (expected, method name pointer)
- 0x8448b756 (ptr to signature string, yay)
- 0x8448b1d5 (likely pointer to JNI method implementation)
So the layout of the 3 pointers from above speaks a clear language. Very likely this is the data struct passed in to 'registerNatives' and thud 0x8448b1d5 points to the native implementation of 'ttEncrypt'
Sorry, before going on I have to insert a small excurse on adressing/instruction sets on arm 32 (specific to my test setup). Anyways it is crucial:

Arm 32 supports two instruction sets "ARM mode" (32bit) and "Thumb mode" (16bit) which could be used interchangebly
In order to distinguish if a function call target (branch) should be interpreted as ARM or THUMB, the least significant bit (LSB) of the function address is taken into account

For ARM the LSB is 0 (even address)
For THUMB the LSB is 1 (odd address)
The actual instruction ALWAYS resides on an odd address.

This means the function address 0x8448b1d5 homes code in THUMB mode (16bit), while the first instruction resides at 0x8448b1d4

(sorry if it gets a bit complicated, will be clear in a second)
So if we print the disassembly at the (assumed) 'ttEncrypt' address, things look a bit weird
... this is because instructions are interpreted in ARM mode (32bit).

Lets fix this:
... looks much better, still the first instruction is off-by-one 🤣

No seriously, as explained, on arm32 we have to disassemble at [THUMB mode address - 1] = 0x8448b1d4
Nice, this looks like a proper function stub (note how the callee stores reg values on the stack, before moving on).

Now to get a feeling on how often this function is called, lets use 'r2frida' power to trace it.

Important: The thumb address has to be used here!!!
The resulting output of the '\dt' command, which places the trace hook also indicates that the function address maps to an offset in 'https://t.co/fxhDnQke2o' ... let us call this a "nice confirmation"

Some actions in the TikTok app ... trace logs for ttEncrypt-calls arrive
... cigarette break ... stay tuned (if the app crashes meanwhile, I'll start from scratch)
Let's remove the trace hook for now, with '\dt-*'
Remember my screenshot of a decompiled 'ttEncrypt' function from an older TT version. We traced the corresponding functions.

Trying to runtime-parse the function parameters, which represent Java object instances would be insane (maybe impossible)
... luckily, at least the old implementation, internally called a method 'ss_encrypt' which received a c-style byte array pointer and an integer representing the length as first two parameters.
It would be way easier to runtime-inspect these
Lets take a closer look on the disassembly of our assumed 'ttEncrypt' function, by seeking to its offset with 's 0x8448b1d5' and switching to a more suitable r2 view with uppercase 'V' command (press 'p' till the view changes to disassembly)
The view from above allows scrolling through the functions code with cursor keys. Most important: calls to other code parts (branches) are printed bold and suffixed with [1], [2] ...

Hitting [alt+1] moves us straight to the marked branch offset:
The code above looks not like a legit inner function (we do not care for alignment and inspect the next branch).

Hitting 'u' returns us to the parent function, followed by [alt+2] which brings us into the 2nd branch
The 2nd branch at 0x84483aa4 looks better (proper function stub). We could easily drift back to the static analysis world, to find further evidence for it being the inner 'ss_encrypt' function. But hey, we are working with instrumentation, so let us just inspect the calls
Remember: While we disassembled at 0x84483aa4, the code is THUMB mode. Thus the proper tracing address would be 0x84483aa5 (LSB set to 1), unlike you like crashes (restarting here would not be funny, 'cause thanks to ASLR all function offsets would differ)
In contrast to our first tracing attempt, we use the beautiful command for formatted tracing, which allows us to print out function parameters for each call in a predefined format.

Command syntax:
The screenshot below shows how I placed my trace hook. The 'pppp' means that the first 4 function parameters should be printed as hex values (pointers) for each call.

Ultimately 2 calls get logged

More from Machine learning

emmi
emmi
@emmibevensee
The "polarization is the problem" narrative to me is bad because it implies the status quo was a stable and acceptable set of trade-offs. It's the equivalent of a pollyanna "why can't we all get along" but the we in question is white supremacy and its targets.

like i understand that conflict mediation requires mutual concessions (i did my MA in conflict studies) and while it's important to meet people's deep needs across spectrums of difference, certain things are just not up for negotiation.

Also while peacebuilding work is good. It's not just "seeing each other as human" it's literally about transforming structural issues. (hence Galtung's distinction between positive and negative peace wherin negative peace is like a ceasefire and positive is a transformed society.

And I think that to whatever extent that kind of peacebuilding work is applicable, it's not between fascists and people who think fascists are bad. Fascists are not invited. They are only invited if they seize territories and can't be crushed. Then secret negotiations.

The US is always like "we don't negotiate with terrorists" but literally every president negotiates with who they consider to be terrorists. It's all just down low. But that's just because counter-insurgency failed.
MACHINE LEARNING
Caio Rolla
Caio Rolla
@caio_rolla
Starting a new project using #Angular? Here is a list of all the stuff i use to launch my projects the fastest i can.

A THREAD 👇

Have you heard about Monorepo? I created one with all my Angular (and Nest) projects using https://t.co/aY5llDtXg8.

I can share A LOT of code with it. Ex: Everytime i start a new project, i just need to import an Auth lib, that i created, and all Auth related stuff is set up.

Everyone in the Angular community knows about https://t.co/kDnunQZnxE. It's not the most beautiful component library out there, but it's good and easy to work with.

There's a bunch of state management solutions for Angular, but https://t.co/RJwpn74Qev is by far my favorite.

There's a lot of boilerplate, but you can solve this with the built-in schematics and/or with your own schematics

Are you not using custom schematics yet? Take a look at this:

https://t.co/iLrIaHVafm
https://t.co/3382Tn2k7C

You can automate all the boilerplate with hundreds of files associates with creating a new feature.
MACHINE LEARNING
Advertisement
Santiago
Santiago
@svpino
An introduction to one of the the most basic structures used in machine learning: a tensor.

🧵👇

Tensors are the data structure used by machine learning systems, and getting to know them is an essential skill you should build early on.

A tensor is a container for numerical data. It is the way we store the information that we'll use within our system.

(2 / 16)

Three primary attributes define a tensor:

▫️ Its rank
▫️ Its shape
▫️ Its data type

(3 / 16)

The rank of a tensor refers to the tensor's number of axes.

Examples:

▫️ The rank of a matrix is 2 because it has two axes.
▫️ The rank of a vector is 1 because it has a single axis.

(4 / 16)

The shape of a tensor describes the number of dimensions along each axis.

Example:

▫️ A square matrix may have (3, 3) dimensions.
▫️ A tensor of rank 3 may have (2, 5, 7) dimensions.

(5 / 16)
MACHINE LEARNING , TENSOR BASICS
Fionna O'Leary, \U0001f56f\U0001f1ea\U0001f1fa
Fionna O'Leary, 🕯🇪🇺...
@fascinatorfun
Thanks for this incredibly helpful analysis @dgurdasani1

Two questions. 1/ Does this summarise the AZ published data :
The plan is to extend the time interval for all age groups despite it being largely untested on the over 55yrs, although the full data is not yet published


Do we have the actual numbers of over 55yr olds given a 2nd dose at c12 weeks and the accompanying efficacy data?

Not to mention the efficacy data of the full first dose over that same period?

I’d quite like to know whether I am to be a guinea pig & the ongoing risks to manage

You attached photos of excerpts from a paper. Could you attach the link?

Re Pfizer. As I understand it the most efficacious interval for dosing was investigated at the start of the trial.


Here’s the link to the

I’ve got to say that this way of making and announcing decisions is not inspiring confidence in me and I am very pro vaccination as a matter of principle, not least because my brother caught polio before vaccinations available.
MACHINE LEARNING
Pratham Prasoon \U0001f680
Pratham Prasoon 🚀...
@PrasoonPratham
Here's how I got started with my first machine learning project and you can too.
Let's take a look.

(This thread will take from zero to being a hero in machine learning, trust me)

(1 / 22)
🧵👇


Getting started with your first machine learning project might actually much easier than it seems, if I can do it, certainly anyone can.

I did not use:
- Any Math
- An expensive computer
- Complex programming concepts

(2 / 22)

Here's what I did use:

- A free GPU on Google Colab
- Python
- TensorFlow
- Numpy
- Pandas
- Kaggle
- Scikit-Learn
- Google
- StackOverFlow

(3 / 22)

This project was actually a Kaggle challenge based on the MNIST dataset which is a collection images of 70,000 hand written digits.

You can find the dataset here👇
🔗//kaggle.com/c/digit-recognizer

(4 / 22)


Before we go over the code of this project, it is highly reccomended that you complete this free course on YouTube👇

Machine Learning foundations course
🔗//youtu.be/_Z9TRANg4c0

Code👇
🔗//colab.research.google.com/github/PrasoonPratham/Kaggle/blob/main/MNIST.ipynb

(5 / 22)
MACHINE LEARNING

You May Also Like

meilong
meilong
@meilong15
一个北大毕业的殡葬工自述武汉封城期间的经历,凄惨。这应该才是武汉的真实情景,跟很多人的叙述是吻合的。


https://t.co/QYTO1SYedG
WUHAN FUNERAL WORKERS REPORT
KENYAN\U0001f1f0\U0001f1ea HISTORY\U0001f1f0\U0001f1ea
KENYAN🇰🇪 HISTORY🇰🇪...
@historykenya101
Have you ever wondered why the sons and daughters of the colonial chiefs and guards who were collaborators live a good life while those of the MAU MAU fighters live in abject poverty?

***THREAD***


It should be known that the colonialists reached a point that they knew they had 2 leave Kenya since they couldn't handle the Mau Mau war & the world was moving toward accepting independent Africa.However,the colonialists devised an evil scheme that still eats Kenya upto this day

Under this scheme, the colonial state came up with a plan that saw the first crop of chiefly “big men” being empowered financially to take their children to schools and eventually have those children go to England for further studies...

...and eventually providing a ready-made socio-economic & political class whom state power could be entrusted in the post-colonial era.This explains why their children & grandchildren still hold majority of important positions in govt or in the private sector supported by state.

This also explains why children and grandchildren of these homeguards are always given preferential treatment when it comes to government appointments. Wewe na masomo yako you are always asking why you can never get a job in government...yet you're qualified..now you know.
HISTORY
Advertisement
Brian Cates
Brian Cates
@drawandstrike
A lot of people don't understand that Trump & his incoming team didn't face a normal transition period, like it was over a in a matter of a few weeks or months.

The DOJ transition period JUST ENDED when Sessions left. Almost 2 exact years to get it there.

Pompeo at the CIA took over a year before he was done and ready to shift over to the State Department.

All kinds of stuff has been going on behind the scenes nobody leaks or talks about.

We only had the barest mention of the fact the Clinton Email investigation restarted

Nobody leaked in a year that Huber was deep diving into the Clinton Foundation.
Keep that in mind as all the usual suspects continue to INSIST nothing is happening/going to happen.
POLITICS
\u0100yudhika
Āyudhika
@Satyamev1310
Ashta Siddhi

Ashta Siddhi is mentioned in Patanjali Yog sutra and can be obtained by very few through countless years of practice and devotion to all eight limbs of Ashtanga Yoga.

Siddhi can loosely be translated as accomplishment or a special power or unusual skill.


The eight Siddhis are:

1. Anima: Reducing one’s physical self to the size of an atom.

2. Mahima: Expanding one’s physical self to infinite level

3. Garima: Making one’s physical self so heavy as immovable by others

4. Laghima: Becoming almost weightless


5. Prapti: Being able travel anywhere in the Universe

6. Prakamya: Can know & understand what is going on in one’s mind. Can understand other person’s min.

7. Ishitva: Possessing title of Bhagwan

8. Vashitva: A seeker can subdue any person/thing

(Hanuman Jayanti is coming)


Hanumanji not only possessed all eight siddhis, but was also blessed by Sita mata as “Ashta Siddhi Nau Nidhi Ke Daata”.

When Hanumanji first reaches to Lanka on his mission to find Sita, he makes use of anima so as to be discrete in enemy territory.


He uses it again when he approaches Sita mata for the first time – reducing his size to that of a schoolboy, to avoid scaring her. He uses mahima to outwit & overpowers
the demons.
ALL
Vibhu Vashisth
Vibhu Vashisth
@VIBHU_Tweet
THE UNTOLD TALE OF THE LESSER KNOWN WARRIORS:JOGRAJ GURJAR & RAMPYARI GURJAR AND HOW DID THEY DEFEAT THE CRUELEST ISLAMIC INVADER, TIMUR LANG.

Timur Lang, was the founder of Timurid Empire. He was born in April 1336 CE, somewhere in central asia.


During his reign, he conquered Persia, Egypt, Central Asia and emerged as the most powerful and heinous ruler. He was a religious fanatic like the rest of the Islamic invaders who tried to invade India.

Timur Lang decided to invade India in 1398 as he heard about India's splendid wealth and had a desire to conquer India which his ancestor Genghis Khan couldn't do.


After Firoz Shah's demise in1388, Delhi Sultanate was in a state of political turmoil.During this time, Timur sent his grandson Pir Mohammad to attack Indian front. He invaded Multan&was able to defeat Iqbal Khan's brother but when he met with resistance,he asked help from Timur.


Iqbal Khan secured his hold on Delhi under Muhammad Tughluq after Firoz Shah died.
Timur provided the required back-up to his grandson with 100000 men approx. Timur sacked and plundered all the cities coming in his way &later in October 1398 reunited with his grandson.
ALL