
Reverse Engineering Snapchat (Part II): Debofuscating the Undeobfuscatable - 3eed
https://hot3eed.github.io/2020/06/22/snap_p2_deobfuscation.html
======
wayne
This level of API obfuscation reminds me of forever ago when MSN Messenger
figured out AOL's AIM API, so MSN Messenger could send AIM messages, which
annoyed AOL. AOL would make API changes to break MSN, but MSN would update the
client and stay ahead. Eventually to make the API uncloneable, AOL changed
their payload to exploit a buffer overrun in their own AIM clients that
wouldn't be in the MSN clients.

https://nplusonemag.com/issue-19/essays/chat-wars/

~~~
worewood
I think the most important point, which this article left out, is why exactly
this makes the API uncloneable: why couldn't MSN just emulate the buffer
overflow behavior like it was doing with everything so far?

As the article says, the client also responded with some code. What I think
was happening: the client was responding with portions of its own executable
memory, which could be checked by AOL servers.

That way for MSN to emulate that behavior, it would need to have the AIM
client's executable code inside itself, which would be an easy win in a
copyright lawsuit.

~~~
lliamander
Why not just send copyrighted code as part of the payload?

~~~
ATsch
Trademark violations in particular are very effective for this. For example, the
original GameBoy used it as DRM. The cartridge had to contain a Nintendo(R)
logo, which was displayed on boot, in order to work: a legal deterrent for
publishing unlicensed games that still works to this day.

~~~
sanqui
Except that the use of copyrighted and trademarked data for means of enabling
interoperability has been ruled fair use in the Sega v. Accolade[1] case. So I
believe Nintendo's use of the logo in this way is not much more than snake
oil.

[1]
[https://en.wikipedia.org/wiki/Sega_v._Accolade](https://en.wikipedia.org/wiki/Sega_v._Accolade)

~~~
timClicks
Gentle reminder that the USA isn't the only jurisdiction. In countries without
fair use, for example, this wouldn't even apply.

------
hackernewsn00b
Hey OP, since you're here:

I find this pretty hard to follow. Would you be open to writing a longform
version of this aimed at the tutorial level?

Reading between the lines, I would guess you're trying to demonstrate that you
really know what you're doing. Maybe as a proof of concept for possible
employment opportunities. If so, that's great! Good luck.

But if I were interested in reverse engineering some other app, I don't think
I could understand what you've done well enough to use these techniques on
that app. Except maybe the breakpointing within `fuck_debug`, that was pretty
slick and easy to follow.

~~~
drudu
Obviously not the OP, but I think that a longform version of this would be an
entire book/college-level course. I wish I could learn how to reverse
state-of-the-art obfuscation in a single, long post, but that's just not how it
works.

~~~
fingerlocks
I would pay for that book.

------
zimmerfrei
Both iOS and recent Android versions now have a form of app attestation: the
server can tell if the caller is the legitimate app or not (with good enough
confidence; as with everything, it's not unbreakable).

Doesn't that make obfuscation kind of pointless? Even if your knock-off app
knows everything about the API of the original service, it won't be able to
use it because it is not the genuine app, or maybe it is but it is not running
on a real iOS/Android device.

Or maybe this is only meant to include non-Android-certified phones (= China)?

~~~
zemnmez
Seems like something having a rooted OS would fix pretty quickly.

~~~
power78
Seems like the creator of Magisk Manager could not get around Android's
implementation:
https://twitter.com/topjohnwu/status/1245956080779198464?s=19

------
stephc_int13
As someone who wrote similar obfuscators (manually) back in 2003-2006 to
protect a few indie games distributed on PocketPC (ARM7/WinCE), I found it
quite comforting to see that the techniques are still similar.

I wonder about something: how long did it take?

------
underdeserver
For fuckup_debugging, can't you use hardware breakpoints instead?

Also, why not patch the binary? I think iteratively patching out protections
(in a repeatable, versioned way) would be my approach. It is then applicable
to other binaries as well.

~~~
saagarjha
Hardware breakpoints are a little complicated on iOS. And patching the binary
would of course only work if no other code verified the validity of the page
you touched.

~~~
3eed
Are hardware breakpoints even possible on iOS? And correct, you can't patch
the binary because there are many anti-tampering measures; you could probably
bypass those, but that's going a different route.

------
dang
The related previous thread:
[https://news.ycombinator.com/item?id=23557998](https://news.ycombinator.com/item?id=23557998)

------
sintax
For MBA, there's also Arybo[1] from Quarkslab. Never used it and seeing the
reference to SSPAM, I assume the author is aware of the tool.

[1] [https://github.com/quarkslab/arybo](https://github.com/quarkslab/arybo)

~~~
3eed
I came across Arybo while working on the binary, but I can't remember why I
didn't use it; this is a vague memory now. Anyway, it does the job in one go, I
added an edit.

------
coolspot
Shouldn't you be able to find any code that scans for breakpoints easily and
patch it to be blind?

~~~
bluesign
Normally it is more like calculating a hash from a code piece, then XORing the
result with a constant and jumping. (In general cases; I never reversed Snap.)

So usually there is nothing to patch.
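
A minimal model of the check bluesign describes, as an added example (not code from the article or from Snapchat): hash a code region, XOR with a constant baked in from the pristine image, and consume the result rather than comparing it, so there is no branch to patch. The code bytes, the REQUEST_KEY constant and all function names are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a protected code region: made-up bytes, not from
 * any real binary. A real protector hashes the function's own machine code. */
static const uint8_t PRISTINE_CODE[16] = {
    0xf0, 0x0f, 0x1c, 0xf8, 0x08, 0x4c, 0x00, 0x91,
    0xe0, 0x03, 0x08, 0xaa, 0xc0, 0x03, 0x5f, 0xd6
};
#define REQUEST_KEY 0x5eed1234c0ffee00ULL /* value the program needs later (constructed) */

/* FNV-1a over the region: the "hash from code piece". */
static uint64_t hash_region(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}
/* Baked in at build time from the pristine image; recomputed here to model it. */
static uint64_t build_time_constant(void) {
    return hash_region(PRISTINE_CODE, sizeof PRISTINE_CODE);
}
/* hash XOR constant: 0 for untouched code, an arbitrary value otherwise. */
static uint64_t integrity_selector(const uint8_t *code, size_t n) {
    return hash_region(code, n) ^ build_time_constant();
}
/* No `if (sel != 0) abort();` here. The selector is folded into a value the
 * program needs, so there is no compare-and-branch to flip: patched code just
 * derives the wrong key and fails somewhere downstream. */
static uint64_t derive_request_key(const uint8_t *code, size_t n) {
    return REQUEST_KEY ^ integrity_selector(code, n);
}

/* Model a software breakpoint or patch: any such edit rewrites >= 1 byte. */
static void plant_patch(uint8_t *code) { code[0] ^= 0xff; }

int main(void) {
    uint8_t patched[sizeof PRISTINE_CODE];
    memcpy(patched, PRISTINE_CODE, sizeof patched);
    plant_patch(patched);
    printf("pristine 0x%016llx patched 0x%016llx\n",
           (unsigned long long)derive_request_key(PRISTINE_CODE, 16),
           (unsigned long long)derive_request_key(patched, 16));
    return 0;
}
```

Because FNV-1a's per-byte step is a bijection on the running state, changing any single byte is guaranteed to change the hash, and hence the derived key.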

~~~
posedge
Can you calculate that hash (of the original binary) yourself and patch THAT
in the function?

------
saagarjha
I'm surprised that Snapchat doesn't check for the mere presence of a debugger
and instead tries to look for breakpoints. Or perhaps you've already found and
patched those checks out?

~~~
3eed
It does check for a debugger. But that would be through sysctl or the csops
syscall, which would be trivial to patch and a single point of failure.

------
Method5440
Anyone else picture Deebo from “Friday” (Zeus from “No Holds Barred”) smashing
apart source code after reading the title?

Prediction: Just me.

By the way, love both articles. Thanks for taking the time to share.

------
raverbashing
I wonder if the Android version uses the same technique and, if not, whether it
would be harder/easier to break.

------
sarabande
The title is misspelled (s/Debofusc/Deobfusc/).

