BC MACHINE LEARNING
Saved by @Mollyycolllinss

Okay, doing my first baby steps with r2frida (which combines the power of @radareorg and @fridadotre).

Gonna share my progress in this thread (live, so keep calm).

The goal: Runtime inspection of data sent out by TikTok !!before!! it gets encrypted

1/many

 First of all, we do not start from zero. I got some prior knowledge from past reversing attempts and want to share some important facts.

TikTok's (log data) encryption is accomplished by a native library. The Android Java code just serves as proxy function to the native function
The decompiled code for the respective native JNI function of an older TikTok version looks something like this, but in this example I use the most current TT version (no statical analysis done, yet)
In case you never reversed native libraries which were build to interface with Android Java layer via JNI, I highly suggest the entry level introduction on the topic by @maddiestone

https://t.co/T63vo3N4fw
Before we start, I want to pinpoint some important aspects (which are also covered by Maddie's videos).

1) Unlike raw C-functions, JNI functions like the one showcased above, receive pointers to complex Java objects .

F.e. a function receiving a String on the Java layer...
... would receive a pointer to a 'jstring' on the native layer (not a zero-terminated C-String).

In order to retrieve a C-String, to go on working with it in the native code, some translation functionality is required. This functionality is provided by the ...
JNI (Java Native Interface). The JNI environment is passed in to JNI functions as first parameter.

If you look at the example screenshot again, you see exactly this. Functions provided by the 'env' pointer are used to parse the Java function arguments (f.e. jByteArrays) ...
Once the raw data is converted to a more C-ish form, it gets passed to a inner function 'ss_encrypt' in my example. The inner function, in this case, is a pure C function and thus receives only C-style parameters (also no 'env' parameter, so it would not be able to access JNI)
A 2nd important aspect on JNI libraries, covered by @maddiestone

2) There are two ways to expose JNI methods from a native library:

a) export them with proper naming convention, so that JNI could recognize same on library load
b) use the JNI functionality 'registerNatives'...
... to register the JNI functions once the library gets loaded.

The second method of registering methods is wel suited for obfuscated code, as the methods neither have to follow naming convention, nor do they have to be exported.
As you might expect, TikTok uses the 'registerNative' approach. The screenshot below shows log output from a custom tool, which monitors JNI methods registered by instrumented Android apps (TikTok's encryption method in the example)
If you would decompile the Java part of the TikTok apk, the encryption functionality (on an older version) would look something like this:
The Java method 'm18421a' receives a Java 'byte[]' and a Java 'int' as parameters and returns a 'byte[]', again.

Internally, this data is forwarded to the native JNI method 'ttEncrypt'.
The important aspect about this, is that the native 'ttEncrypt' JNI method has to accept those exact parameter types and thus has to "register" with a proper method signature.

We already saw this signature in a previous screenshot
The last line from the screenshot above, shows 3 things the native code has to provide for each method, when calling register natives:

1) the call address of the native function implementation (0x7d70d1d5 in example)
2) The function name (ttEncrypt)
...
3) The method signature, which is '([BI)[B' in this case and translates to:

'(' start of parameters
'[B' byte[]
'I' int
')' end of parameters
'[B' byte[] (return value)
So we keep this in mind: Even if the native library does not export the encryption method, it has to store the 1) funtion address, 2) name and 3) signature in a data structure, in order to provide it to 'registerNatives' once the library gets loaded by JNI
We now know almost everything we need, in order to head over to r2frida, except some important facts on my test setup:

- the app is inspected on a physical device, running Android 9
- the device uses a !!32bit!! ARM application core
As I am new to r2frida, chances are high that things could be achieved in an easier ways.

Now to get started, I already have the latest @fridadotre server running on my USB connected android device and 'frida-ls-device' shows it being ready-for-action
So let's spawn a fresh TikTok instance with r2frida, using the following command
The command 'launch'es the process, on the attached frida 'usb' device with the device id '4c197256' and the process's package name, of course is 'com.zhiliaoapp.musically'

Instead of 'launch', two other options could be used:
- 'attach' (would attach to an already running process, given by name or PID)
- 'spawn' (like 'launch', but the process would not be resumed automatically after attaching)
So for the warm up, let us use the Frida functionality, which alllows enumerating loaded Java classes. This nicely combines with the r2 syntax (concatenation of single-letter commands, '~' for grep)

Important: commands targeting the r2frida plugin have to be prefixed with '\'
The r2frida command to list classes is '\ic' (note the backslash prefix). The unfiltered result would be a bit overwhelming ...
... so we grep for classes including the term "crypt"
The '\ic ' command lists the !Java! methods of the respective class
The signature of the static method 'EncryptorUtil.a' should look familiar to us (if you read the first tweets). It represents the Java layer of the encryption method and is called 'a' in this version
Note: The information above would be enough, to Intercept the method from the Java layer (f.e. with @fridadotre or Xposed), in order to inspect the call arguments (the byte[] parameter represents the plain data before encryption)
... but we are here for the native layer and to inspect data at runtime, right?

So lets search the whole address space for our native method name 'ttEncrypt'

Note: If you'd use r2's ascii search nothing would happen, you have to use the '\' prefix to search with r2frida
The search ends with two hits:
The screenshot below shows, that the attempt to print a hexdump from the address of the first hit fails with r2, while r2frida (backslash prefix) works.

Reason: The memory region was not populated when r2 was started (encryption library was loaded after process launch)
I solved this issue like this:
1) Quit r2
2) Open r2 with r2frida, again, but this time **attach** to the already running process

et voila ... the memory offset is mapped and dumpable with 'px' (without backslash prefix)
Note: The last step is not necessary for a data hexdump, as you could still use '\px', but it turned out to be useful when it comes to printing the disassembly of "late loaded" code regions. This is because I sometimes struggled with '\pd', but 'pd' worked (+ various r2 views)
Having a closer look at the first hit of out string search for 'ttEncrypt', we notice that it is directly followed by a C-string with our method signature.

So chances are high, that this data is part of the structure which gets handed in to 'registerNatives'
Reminder: in order to register the 'ttEncrypt' method to JNI, the 'registerNatives' method requires a structure containing
- method name (C-string)
- method signature (C-string)
- method pointer (native pointer)
So the next step would be to search the process memory space for cross references to the address of this method name string (0x8448b74c). As I haven't applied any auto analysis, I use a simple hex search for this (in my case the byte order of the address has to be reversed ...
... to account for the architecture endianess).

The result is promising: Only one hit, for a search across the whole address space:
Printing the first 12 bytes from this XREF offset, reveals 3 pointers again (reversed endianess):

- 0x8448b74c (expected, method name pointer)
- 0x8448b756 (ptr to signature string, yay)
- 0x8448b1d5 (likely pointer to JNI method implementation)
So the layout of the 3 pointers from above speaks a clear language. Very likely this is the data struct passed in to 'registerNatives' and thud 0x8448b1d5 points to the native implementation of 'ttEncrypt'
Sorry, before going on I have to insert a small excurse on adressing/instruction sets on arm 32 (specific to my test setup). Anyways it is crucial:

Arm 32 supports two instruction sets "ARM mode" (32bit) and "Thumb mode" (16bit) which could be used interchangebly
In order to distinguish if a function call target (branch) should be interpreted as ARM or THUMB, the least significant bit (LSB) of the function address is taken into account

For ARM the LSB is 0 (even address)
For THUMB the LSB is 1 (odd address)
The actual instruction ALWAYS resides on an odd address.

This means the function address 0x8448b1d5 homes code in THUMB mode (16bit), while the first instruction resides at 0x8448b1d4

(sorry if it gets a bit complicated, will be clear in a second)
So if we print the disassembly at the (assumed) 'ttEncrypt' address, things look a bit weird
... this is because instructions are interpreted in ARM mode (32bit).

Lets fix this:
... looks much better, still the first instruction is off-by-one 🤣

No seriously, as explained, on arm32 we have to disassemble at [THUMB mode address - 1] = 0x8448b1d4
Nice, this looks like a proper function stub (note how the callee stores reg values on the stack, before moving on).

Now to get a feeling on how often this function is called, lets use 'r2frida' power to trace it.

Important: The thumb address has to be used here!!!
The resulting output of the '\dt' command, which places the trace hook also indicates that the function address maps to an offset in 'https://t.co/fxhDnQke2o' ... let us call this a "nice confirmation"

Some actions in the TikTok app ... trace logs for ttEncrypt-calls arrive
... cigarette break ... stay tuned (if the app crashes meanwhile, I'll start from scratch)
Let's remove the trace hook for now, with '\dt-*'
Remember my screenshot of a decompiled 'ttEncrypt' function from an older TT version. We traced the corresponding functions.

Trying to runtime-parse the function parameters, which represent Java object instances would be insane (maybe impossible)
... luckily, at least the old implementation, internally called a method 'ss_encrypt' which received a c-style byte array pointer and an integer representing the length as first two parameters.
It would be way easier to runtime-inspect these
Lets take a closer look on the disassembly of our assumed 'ttEncrypt' function, by seeking to its offset with 's 0x8448b1d5' and switching to a more suitable r2 view with uppercase 'V' command (press 'p' till the view changes to disassembly)
The view from above allows scrolling through the functions code with cursor keys. Most important: calls to other code parts (branches) are printed bold and suffixed with [1], [2] ...

Hitting [alt+1] moves us straight to the marked branch offset:
The code above looks not like a legit inner function (we do not care for alignment and inspect the next branch).

Hitting 'u' returns us to the parent function, followed by [alt+2] which brings us into the 2nd branch
The 2nd branch at 0x84483aa4 looks better (proper function stub). We could easily drift back to the static analysis world, to find further evidence for it being the inner 'ss_encrypt' function. But hey, we are working with instrumentation, so let us just inspect the calls
Remember: While we disassembled at 0x84483aa4, the code is THUMB mode. Thus the proper tracing address would be 0x84483aa5 (LSB set to 1), unlike you like crashes (restarting here would not be funny, 'cause thanks to ASLR all function offsets would differ)
In contrast to our first tracing attempt, we use the beautiful command for formatted tracing, which allows us to print out function parameters for each call in a predefined format.

Command syntax:
The screenshot below shows how I placed my trace hook. The 'pppp' means that the first 4 function parameters should be printed as hex values (pointers) for each call.

Ultimately 2 calls get logged

More from Machine learning

Pratham Prasoon
Pratham Prasoon
@PrasoonPratham
Which libraries do you really need to get started with Machine Learning and why?

🧵👇

First and foremost, make sure that you have nailed the fundamental concepts of Python because machine learning requires a lot of programming!

(2 / 19)

If you know these topics, then you are good to go with machine learning in Python

- Object-oriented programming in Python:Classes,Objects,Methods
- Lists & List functions
- List comprehension
- List slicing
- String formatting
- List,Dictionaries & Tuples

(3 / 19)

Now, let's understand what popular python machine learning libraries do.

We will talk about👇
- TensorFlow (+ Keras)
- PyTorch
- Pandas
- Numpy
- Matplotlib
- SciKit Learn
- Seaborn

(4 / 19)

Now let's cover the libraries that you have to learn (at least the basics) for machine learning

1. Pandas

Pandas is a python library that allows you to store and read data from spreadsheets ( .csv, .xlsv files ) in structures called Dataframes.

(5 / 19)
MACHINE LEARNING
Unknown \U0001f464
Unknown 👤
@console_404
10 PYTHON 🐍 libraries for machine learning.

Retweets are appreciated.
[ Thread ]


1. NumPy (Numerical Python)

- The most powerful feature of NumPy is the n-dimensional array.

- It contains basic linear algebra functions, Fourier transforms, and tools for integration with other low-level languages.

Ref: https://t.co/XY13ILXwSN


2. SciPy (Scientific Python)

- SciPy is built on NumPy.

- It is one of the most useful libraries for a variety of high-level science and engineering modules like discrete Fourier transform, Linear Algebra, Optimization, and Sparse matrices.

Ref: https://t.co/ALTFqM2VUo


3. Matplotlib

- Matplotlib is a comprehensive library for creating static, animated, and interactive visualizations in Python.

- You can also use Latex commands to add math to your plot.

- Matplotlib makes hard things possible.

Ref: https://t.co/zodOo2WzGx


4. Pandas

- Pandas is for structured data operations and manipulations.

- It is extensively used for data munging and preparation.

- Pandas were added relatively recently to Python and have been instrumental in boosting Python’s usage.

Ref: https://t.co/IFzikVHht4
MACHINE LEARNING
Advertisement
Ram Bhupatiraju
Ram Bhupatiraju
@RamBhupatiraju
Happy 2⃣0⃣2⃣1⃣ to all.🎇

For any Learning machines out there, here are a list of my fav online investing resources. Feel free to add yours.

Let's dive in.
⬇️⬇️⬇️

Investing Services

✔️ @themotleyfool - @TMFStockAdvisor & @TMFRuleBreakers services

✔️ @7investing

✔️ @investing_city
https://t.co/9aUK1Tclw4

✔️ @MorningstarInc Premium

✔️ @SeekingAlpha Marketplaces (Check your area of interest, Free trials, Quality, track record...)

General Finance/Investing

✔️ @morganhousel
https://t.co/f1joTRaG55

✔️ @dollarsanddata
https://t.co/Mj1owkzRc8

✔️ @awealthofcs
https://t.co/y81KHfh8cn

✔️ @iancassel
https://t.co/KEMTBHa8Qk

✔️ @InvestorAmnesia
https://t.co/zFL3H2dk6s

✔️

Tech focused

✔️ @stratechery
https://t.co/VsNwRStY9C

✔️ @bgurley
https://t.co/NKXGtaB6HQ

✔️ @CBinsights
https://t.co/H77hNp2X5R

✔️ @benedictevans
https://t.co/nyOlasCY1o

✔️

Tech Deep dives

✔️ @StackInvesting
https://t.co/WQ1yBYzT2m

✔️ @hhhypergrowth
https://t.co/kcLKITRLz1

✔️ @Beth_Kindig
https://t.co/CjhLRdP7Rh

✔️ @SeifelCapital
https://t.co/CXXG5PY0xX

✔️ @borrowed_ideas
MACHINE LEARNING , ALL
Pratham Prasoon
Pratham Prasoon
@PrasoonPratham
These are the tools you will need for machine learning in Python.

🧵👇

Anaconda

When you work in python, you'll be working with several frameworks and many of them work only on specific versions of python.

(2 / 13)

Now imagine downloading a new version of python and then installing it for every framework you want to work with 😬.

Meet Anaconda which allows you to run several versions of python. It comes pre-installed with several data science and machine learning frameworks.

(3 / 13)

Pip-env is also a way of maintaining several versions of Python and comes pre installed with Python.
You can use pip env or Anaconda, whichever works for you.

(4 / 13)

Jupyter Notebooks

Jupyter notebooks is an IDE just like VS code or Sublime. The special thing about jupyter is that you can parts of code in mini code editors called cells. This is great for prototyping and testing code.

(5 / 13)
MACHINE LEARNING
John Burn-Murdoch
John Burn-Murdoch
@jburnmurdoch
Really enjoyed digging into recent innovations in the football analytics industry.

>10 hours of interviews for this w/ a dozen or so of top firms in the game. Really grateful to everyone who gave up time & insights, even those that didnt make final cut 🙇‍♂️ https://t.co/9YOSrl8TdN


For avoidance of doubt, leading tracking analytics firms are now well beyond voronoi diagrams, using more granular measures to assess control and value of space.

This @JaviOnData & @LukeBornn paper from 2018 referenced in the piece demonstrates one method https://t.co/Hx8XTUMpJ5


Bit of this that I nerded out on the most is "ghosting" — technique used by @counterattack9 & co @stats_insights, among others.

Deep learning models predict how specific players — operating w/in specific setups — will move & execute actions. A paper here: https://t.co/9qrKvJ70EN


So many use-cases:
1/ Quickly & automatically spot situations where opponent's defence is abnormally vulnerable. Drill those to death in training.
2/ Swap target player B in for current player A, and simulate. How does target player strengthen/weaken team? In specific situations?
MACHINE LEARNING

You May Also Like

Anu Satheesh \U0001f1ee\U0001f1f3
Anu Satheesh 🇮🇳...
@AnuSatheesh5
Srikanteshwara Temple,
#Nanjangud  #Karnatakatemples 🚩

Srikanteshwara Temple or
Nanjundeshwara Temple is a famous Shiva Temple located in Karnataka at the bank of river  Kapila. Temple is also called Varanasi of South. Nanjunda means one who has consumed poison.


Story is  related to the Samudra Mathanam when Paramashiva had to consume halahala.

Parashurama worshipped Mahadeva here to relieve himself from the curse of Mathru Hatya. While clearing the place to do poojas Parashurama's  axe hit the Shivalingam and it began bleeding, that


mark is still visible even today. Thus
it is also believed that Parashurama did Shiva Prathishta here

Sthala Puranam says that, once there was a demon named Keshi who disturbed the people in the area, after  getting blessing from Brahma Deva  and Mahavishnu. Mahadeva appeared


here and killed demon Keshi and blessed this place as Papa Vinashini. Whoever praying to Srikanteshwara or Nanjundeshwara, after bathing in the  Kabini River will be relieved from all sins.

Nanjundeshwaraya Namah
🙏🕉🙏
ALL
Jaya_Upadhyaya
Jaya_Upadhyaya
@Jayalko1
ARULMIGU SRI PARTHASARATHY SWAMY KSHETRAM, CHENNAI (TN)

Divya Desha where Perumal appears with moustache of a Sarathi (charioteer) to conduct Arjun’s Rath in Kurukshetra war.
Here, Venkatkrishna-Parthasarthy is present with his entire family.


He is flanked by Sri Rukmini, Sri Balarama, Satyaki, son Pradyumn and grandson Anirudha.
It is said that on the request of Raja Sumathirajan, Sri Perumal appeared and stayed here as Arjun’s charioteer (Partha-sarathi).


He is without chakra as he had promised not to wield weapons in Mahabharata war.
The face has scars caused by Bhishma’s arrows on Arjun. Prabhu took the arrows on himself to protect Arjun.


The Naivedyam offered here does not have spices. Ghee is used in it to cure Prabhu’s wounds. Sarkarai Pongal is famous here.

It is said that Rishi Bhrigu found Devi Lakshmi (as Vedvalli) in Alli flower in the mandir pushkarini. Later, Sri Ranganatha came here to marry her.
ALL
Advertisement
\u0936\u094d\u0930\u0940\u092e\u093e\u0932\u0940 \u0939\u093f\u0924\u0947\u0936 \u0905\u0935\u0938\u094d\u0925\u0940 \U0001f1ee\U0001f1f3
श्रीमाली हितेश अवस्थी ...
@HiteshAwasthi89
#Thread
An interesting story of Kamala Devi hazarika for all Sanatanis...🙏

A Xtian missionary was sent to Assam for the promotion of religion. His name was Cruz. He came across to one the boys from an influential family in Assam to teach him English.
@noconversion

Cont 👇


The p@stor slowly began to study the house and he learned that the boy's grandmother was the most influential person in the house. So he thought 'Corrupting the grandmother's mind can make the whole family Xtian as well as the whole village.

Cont 👇


The p@stor began to tell Grandma the stories of how J€$u$ cured leprosy of lepers, how He gave sight to the blind, etc..But after listening to him, the strong Sanatani grandmother said. A stone turned into a living woman (Ahalya) for our Rama when he touched the stone.

Cont 👇


She spoke of Rama setu where stones floated in sea just by writing his name on the stones and that they are still floating today.
The p@stor continued his efforts but all his tricks went in vain.

Cont 👇


One day he had brought a cake from the church and he thought of offering it to grandmother but he was doubtful that she would eat it. But contrary to his expectation, she took the cake and ate it.

Cont 👇
ALL
The '60s at 60
The '60s at 60
@the_60s_at_60
"The MAD Primer of Bigots, Extremists and Other Loose Ends," from September 1969.

Seen a couple of these panels make the rounds from time to time, so here's the complete set of 10 (something to amuse and/or offend almost everyone).


Chapter 1: The Super Patriot


Chapter 2: The Ku Klux Klansman


Chapter 3: The American Student


Chapter 4: The Right-Wing Extremist
FUN
Aneesh Philomina Antony
Aneesh Philomina Anton...
@ProdigalTrader
If u are looking to enter a scrip just before the breakout
what would u look for?
How would u identify scrips just before breakout?

Here are a few pointers
Carefully understand the them and use at ur own discretion
(All comments r compiled from a question i posed)

1/23

Price is testing the same resistance repeatedly since long.
But now in recent times it's forming multiple candles near the same resistance with low volume.
Observe it and see for opposite move.
As soon as u get a positive candle, get in to it.

2/23

1. Volume buildup (vol > when resistance point created) along with, increase in OI, increase in delivery % on HTF
2. On LTF, price stalling around breakout area for at least 1-2hr.
3. No major events.

3/23

Stock reaching breakout LVL with HL-HH
Contraction of price and volume near it especially near 20 days ma.
If there is any breach of the latest HL it should be followed by a bullish candle with good volume.
Left side of the chart has a rally with a very steep slope of ma.

4/23

Number of wide range green bars with high volumes.
If stock is at its ATH then it adds more conviction bcz there wont b supply after that point

Consolidation below the resistance, volume of the candles & strong bullish candle closing at near highs just below the resistance

5/23
TRADING , ALL