TikTok's (log data) encryption is accomplished by a native library. The Android Java code just serves as proxy function to the native function
Okay, doing my first baby steps with r2frida (which combines the power of @radareorg and @fridadotre).
Gonna share my progress in this thread (live, so keep calm).
The goal: Runtime inspection of data sent out by TikTok !!before!! it gets encrypted
1/many
TikTok's (log data) encryption is accomplished by a native library. The Android Java code just serves as proxy function to the native function
https://t.co/T63vo3N4fw
1) Unlike raw C-functions, JNI functions like the one showcased above, receive pointers to complex Java objects .
F.e. a function receiving a String on the Java layer...
In order to retrieve a C-String, to go on working with it in the native code, some translation functionality is required. This functionality is provided by the ...
If you look at the example screenshot again, you see exactly this. Functions provided by the 'env' pointer are used to parse the Java function arguments (f.e. jByteArrays) ...
2) There are two ways to expose JNI methods from a native library:
a) export them with proper naming convention, so that JNI could recognize same on library load
b) use the JNI functionality 'registerNatives'...
The second method of registering methods is wel suited for obfuscated code, as the methods neither have to follow naming convention, nor do they have to be exported.
Internally, this data is forwarded to the native JNI method 'ttEncrypt'.
We already saw this signature in a previous screenshot
1) the call address of the native function implementation (0x7d70d1d5 in example)
2) The function name (ttEncrypt)
...
'(' start of parameters
'[B' byte[]
'I' int
')' end of parameters
'[B' byte[] (return value)
- the app is inspected on a physical device, running Android 9
- the device uses a !!32bit!! ARM application core
Now to get started, I already have the latest @fridadotre server running on my USB connected android device and 'frida-ls-device' shows it being ready-for-action
Instead of 'launch', two other options could be used:
- 'spawn' (like 'launch', but the process would not be resumed automatically after attaching)
Important: commands targeting the r2frida plugin have to be prefixed with '\'
The signature of the static method 'EncryptorUtil.a' should look familiar to us (if you read the first tweets). It represents the Java layer of the encryption method and is called 'a' in this version
So lets search the whole address space for our native method name 'ttEncrypt'
Note: If you'd use r2's ascii search nothing would happen, you have to use the '\' prefix to search with r2frida
Reason: The memory region was not populated when r2 was started (encryption library was loaded after process launch)
1) Quit r2
2) Open r2 with r2frida, again, but this time **attach** to the already running process
et voila ... the memory offset is mapped and dumpable with 'px' (without backslash prefix)
So chances are high, that this data is part of the structure which gets handed in to 'registerNatives'
- method name (C-string)
- method signature (C-string)
- method pointer (native pointer)
The result is promising: Only one hit, for a search across the whole address space:
- 0x8448b74c (expected, method name pointer)
- 0x8448b756 (ptr to signature string, yay)
- 0x8448b1d5 (likely pointer to JNI method implementation)
Arm 32 supports two instruction sets "ARM mode" (32bit) and "Thumb mode" (16bit) which could be used interchangebly
For ARM the LSB is 0 (even address)
For THUMB the LSB is 1 (odd address)
This means the function address 0x8448b1d5 homes code in THUMB mode (16bit), while the first instruction resides at 0x8448b1d4
(sorry if it gets a bit complicated, will be clear in a second)
No seriously, as explained, on arm32 we have to disassemble at [THUMB mode address - 1] = 0x8448b1d4
Now to get a feeling on how often this function is called, lets use 'r2frida' power to trace it.
Important: The thumb address has to be used here!!!
Some actions in the TikTok app ... trace logs for ttEncrypt-calls arrive
Trying to runtime-parse the function parameters, which represent Java object instances would be insane (maybe impossible)
It would be way easier to runtime-inspect these
Hitting [alt+1] moves us straight to the marked branch offset:
Hitting 'u' returns us to the parent function, followed by [alt+2] which brings us into the 2nd branch
More from Machine learning
With hard work and determination, anyone can learn to code.
Here’s a list of my favorites resources if you’re learning to code in 2021.
👇
1. freeCodeCamp.
I’d suggest picking one of the projects in the curriculum to tackle and then completing the lessons on syntax when you get stuck. This way you know *why* you’re learning what you’re learning, and you're building things
2. https://t.co/7XC50GlIaa is a hidden gem. Things I love about it:
1) You can see the most upvoted solutions so you can read really good code
2) You can ask questions in the discussion section if you're stuck, and people often answer. Free
3. https://t.co/V9gcXqqLN6 and https://t.co/KbEYGL21iE
On stackoverflow you can find answers to almost every problem you encounter. On GitHub you can read so much great code. You can build so much just from using these two resources and a blank text editor.
4. https://t.co/xX2J00fSrT @eggheadio specifically for frontend dev.
Their tutorials are designed to maximize your time, so you never feel overwhelmed by a 14-hour course. Also, the amount of prep they put into making great courses is unlike any other online course I've seen.
Here’s a list of my favorites resources if you’re learning to code in 2021.
👇
1. freeCodeCamp.
I’d suggest picking one of the projects in the curriculum to tackle and then completing the lessons on syntax when you get stuck. This way you know *why* you’re learning what you’re learning, and you're building things
2. https://t.co/7XC50GlIaa is a hidden gem. Things I love about it:
1) You can see the most upvoted solutions so you can read really good code
2) You can ask questions in the discussion section if you're stuck, and people often answer. Free
3. https://t.co/V9gcXqqLN6 and https://t.co/KbEYGL21iE
On stackoverflow you can find answers to almost every problem you encounter. On GitHub you can read so much great code. You can build so much just from using these two resources and a blank text editor.
4. https://t.co/xX2J00fSrT @eggheadio specifically for frontend dev.
Their tutorials are designed to maximize your time, so you never feel overwhelmed by a 14-hour course. Also, the amount of prep they put into making great courses is unlike any other online course I've seen.
You May Also Like
I hate when I learn something new (to me) & stunning about the Jeff Epstein network (h/t MoodyKnowsNada.)
Where to begin?
So our new Secretary of State Anthony Blinken's stepfather, Samuel Pisar, was "longtime lawyer and confidant of...Robert Maxwell," Ghislaine Maxwell's Dad.
"Pisar was one of the last people to speak to Maxwell, by phone, probably an hour before the chairman of Mirror Group Newspapers fell off his luxury yacht the Lady Ghislaine on 5 November, 1991." https://t.co/DAEgchNyTP
OK, so that's just a coincidence. Moving on, Anthony Blinken "attended the prestigious Dalton School in New York City"...wait, what? https://t.co/DnE6AvHmJg
Dalton School...Dalton School...rings a
Oh that's right.
The dad of the U.S. Attorney General under both George W. Bush & Donald Trump, William Barr, was headmaster of the Dalton School.
Donald Barr was also quite a
I'm not going to even mention that Blinken's stepdad Sam Pisar's name was in Epstein's "black book."
Lots of names in that book. I mean, for example, Cuomo, Trump, Clinton, Prince Andrew, Bill Cosby, Woody Allen - all in that book, and their reputations are spotless.
Where to begin?
So our new Secretary of State Anthony Blinken's stepfather, Samuel Pisar, was "longtime lawyer and confidant of...Robert Maxwell," Ghislaine Maxwell's Dad.
"Pisar was one of the last people to speak to Maxwell, by phone, probably an hour before the chairman of Mirror Group Newspapers fell off his luxury yacht the Lady Ghislaine on 5 November, 1991." https://t.co/DAEgchNyTP
OK, so that's just a coincidence. Moving on, Anthony Blinken "attended the prestigious Dalton School in New York City"...wait, what? https://t.co/DnE6AvHmJg
Dalton School...Dalton School...rings a
Oh that's right.
The dad of the U.S. Attorney General under both George W. Bush & Donald Trump, William Barr, was headmaster of the Dalton School.
Donald Barr was also quite a
Donald Barr had a way with words. pic.twitter.com/JdRBwXPhJn
— Rudy Havenstein, listening to Nas all day. (@RudyHavenstein) September 17, 2020
I'm not going to even mention that Blinken's stepdad Sam Pisar's name was in Epstein's "black book."
Lots of names in that book. I mean, for example, Cuomo, Trump, Clinton, Prince Andrew, Bill Cosby, Woody Allen - all in that book, and their reputations are spotless.