Extracting instagram signature key II

on my previous post, i have covered on how to extract instagram’s signature key by hooking a function. but since the methods are a bit complex (setting up NDK etc.), i will show you another way of extracting the signature by using GikDbg (a.k.a. OllyDbg for mobile)

GikDbg

gikdbg is a mobile assembly-level debugger for windows platform. the debugger is based on 3 main software:

  • OllyDbg (32-bit assembler level analysing debugger)
  • GDB (GNU project debugger)
  • LLVM (collection of modular and reusable compiler and toolchain technologies)

Methodologies

in order to begin working with gikdbg, we will need an android system running on ART runtime (android debugging enabled). then, connect your device to your computer and open gikdbg. starting gikdbg, we will be greeted with the following screen

start

Next step is to connect the debugger to our android system. this can be performed from the menu ART Debug > Server > Device. then choose your android system from the list. Double click on it and a dialog will appear, asking wherever to install the appropriate libs to your android sytem. click “Yes”

connect

if everything went well, ADB Shell window will appear. now run the instagram app in your android system and attach the process to the debugger through the menu ART Debug > File > Attach. next, select com.instagram.android from the process list and click on the “Attach” button and wait for it to load

attach

now we need to view the memory of the binary file where the signature key get called. this can be accomplished from the menu ART Debug > View > Module. search for libstrings.so in the list and double click on the module

module

scroll down and find the strlen function which is called before crypto_auth_hmacsha256_init function and set a breakpoint with F2. then run the app with F9

breakpoint

now when you login to instagram in your android device, the breakpoint will be hit. the only thing to do now is extracting the key from the memory. we can accomplished that by right clicking on the register memory address that hold the key (in this case it would be r0) and choose “Follow in dump” from the menu

dump

with the signature key extracted. now we can inspect all the signed request from the instagram app by using a http proxy debugger (fiddler, burp, etc.). have fun!