Reverse Engineering Snapchat (Part II): Debofuscating the Undeobfuscatable

295 points by 3eed, almost 5 years ago

12 comments

wayne, almost 5 years ago
This level of API obfuscation reminds me of forever ago when MSN Messenger figured out AOL's AIM API, so MSN Messenger could send AIM messages, which annoyed AOL. AOL would make API changes to break MSN, but MSN would update the client and stay ahead. Eventually to make the API uncloneable, AOL changed their payload to exploit a buffer overrun in their own AIM clients that wouldn't be in the MSN clients.

https://nplusonemag.com/issue-19/essays/chat-wars/
hackernewsn00b, almost 5 years ago
Hey OP, since you're here:

I find this pretty hard to follow. Would you be open to writing a longform version of this aimed at the tutorial level?

Reading between the lines, I would guess you're trying to demonstrate that you really know what you're doing. Maybe as a proof of concept for possible employment opportunities. If so, that's great! Good luck.

But if I were interested in reverse engineering some other app, I don't think I could understand what you've done well enough to use these techniques on that app. Except maybe the breakpointing within `fuck_debug`, that was pretty slick and easy to follow.
zimmerfrei, almost 5 years ago
Both iOS and recent Androids have by now a form of app attestation: the server can tell if the caller is the legitimate app or not (with good enough confidence - as everything, it's not unbreakable).

Doesn't that make obfuscation kind of pointless? Even if your knock-off app knows everything about the API of the original service, it won't be able to use it because it is not the genuine app or maybe it is but it is not running in a real iOS/Android device.

Or maybe this is only meant to include non-Android certified phones (= China)?
stephc_int13, almost 5 years ago
As someone who wrote similar obfuscators (manually) back in 2003-2006 to protect a few indie games distributed on PocketPC (ARM7/WinCE) I found it quite comforting to see that the techniques are still similar.

I wonder about something, how long did it take?
underdeserver, almost 5 years ago
For fuckup_debugging, can't you use hardware breakpoints instead?

Also, why not patch the binary? I think iteratively patching out protections (in a repeatable, versioned way) would be my approach. It is then applicable to other binaries as well.
dang, almost 5 years ago
The related previous thread: https://news.ycombinator.com/item?id=23557998
sintax, almost 5 years ago
For MBA, there's also Arybo[1] from Quarkslab. Never used it and seeing the reference to SSPAM, I assume the author is aware of the tool.

[1] https://github.com/quarkslab/arybo
coolspot, almost 5 years ago
Shouldn’t you be able to find any code that scans for breakpoints easily and patch it to be blind?
saagarjha, almost 5 years ago
I’m surprised that Snapchat doesn’t check for the mere presence of a debugger and instead tries to look for breakpoints. Or perhaps you’ve already found and patched those checks out?
Method5440, almost 5 years ago
Anyone else picture Deebo from “Friday” (Zeus from “No Holds Barred”) smashing apart source code after reading the title?

Prediction: Just me.

By the way, love both articles. Thanks for taking the time to share.
raverbashing, almost 5 years ago
I wonder if the Android version uses the same technique and if not, if it would be harder/easier to break
sarabande, almost 5 years ago
The title is misspelled (s/Debofusc/Deobfusc/).