Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Marcus Mengs Profile picture
@mame82
Jan 11, 2021 6 tweets 2 min read Read on X
Recently tweeted on a bypass for Snapchat's cert pinning. It required monitoring 'android_dlopen_ext' to instrument the native target library directly after load.

Absence of 'adroid_dlopen_ext' on older Android SDKs raised some questions, so I'll share a partial solution.

1/n
The appended screenshot shows an alternative approach to monitor loading of dynamic modules for JNI based on 'JavaVMExt::LoadNativeLibrary'.

Below it is showcased with @fridadotre frida-trace (upper terminal) and a modified script for the frida-trace hook (lower terminal)

2/n Image
As pointed out in the comments, you have to deal with C++ mangled function names and the std::string implementation of the respective C++ library, to do it in this way (less clean than the 'android_dlopen_ext' approach).

3/n
No matter which approach you use, once you are sure the native library is loaded, you could hook it as needed, before returning execution to the instrumented Thread (in case of Snapchat, the target would be 'libclient<.>so' for example).

4/n
Also, one might think monitoring 'dlopen' directly could do the trick, but this would miss a decent amount of hot-loaded JNI modules. Also I often faced crashes when using Frida's Interceptor.attach on 'dlopen', which could be partially mitigated by using ...

5/n
... Interceptor.replace with a proxy function instead (see screenshot for an example).

That's it ... happy hooking friends!

6/6 Image

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Marcus Mengs

Marcus Mengs Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @mame82

Marcus Mengs Profile picture
Jul 27, 2022
@RoganDawes:
just fixed some compilation errors for "community_nrf52_arduino" (wrong atomic declaration, missing 'utoa' definition).

Now that code compiles, I can't flash a pca10059 (nordic nrf52840 dongle) from Arduino IDE.

Further assumed this requires ...
... an Arduino bootloader on the board.

Overwriting the Nordic BL would have to be done with an external programmer.

When I try to find out if this is really necessary, I noticed that you, Rogan, was working on the topic (as most if the times)

github.com/adafruit/Adafr…
Questions:
Could I get around BL re-flash to make pca10059 work with Arduino sketches?
Read 9 tweets
Marcus Mengs Profile picture
Jul 25, 2022
Daughter asked for a toy pet.

Me started buying servos, turn computer on after months and printed parts.

@PetoiCamp stuff got me excited... should have kept away from this, feels like very long journey ahead
@PetoiCamp using arduino setup (currently only gyro, eeprom and pca9685 + 4x AAA battery) + current OpenCat with slight adjustments for MG90S servos.

Am I right, that some servos going to "0 position" in the middle of movement means lack of current or ...
... does this indicate I2C issues.

Also the stack running on the MCU (Arduino Nano clone in thus case) sometimes crashes - as shown in the video.
Read 6 tweets
Marcus Mengs Profile picture
Nov 2, 2021
You want to know what the Facebook app sends home?

Let's look into 1 out of many GraphQL requests ("LocationUpdateMutation" serves as example)

The excerpt of the full request is hard to read, so let's get into some details...

1/n
1) Top-level message object, contains device identifiers and stats.

Pay attention on the empty "scan_result" and "connected" array under "cell_info" ... this likely would be filled, if my test device would have a mobile connection (operator info is included, anyways)

2/n
And here are the scan results with proper BSSIDs and RSSI values for all WiFi networks in range.

Helps to determin your precise position, also great for creation of WiFi maps, if GPS data would be included

3/n
Read 6 tweets
Marcus Mengs Profile picture
Oct 27, 2021
Habe Gestern (schockiert) den Beitrag von @zerforschung zu der @scoolio_ app gelesen.

Hatte noch Fragen zu 3rd-party data sharing und deshalb nochmal drauf geschaut.

Vor der Registrierung werden scheinbar nur die "üblichen" Daten an 3rd party services gesendet, aber...
...das liegt daran, dass die mit AppsFlyer ausgetauschten Daten nochmals verschlüsselt sind. Öffnet man die, sieht das ganze schon wie folgt aus (2. Bild: exemplarische Daten EINES AppsFlyer events von Scoolio)

PS: die Facebook Attr ID gab's schon einmal letzten Tweet

...
Noch ohne Registrierung, lege ich einen Stundenplan an. Die Speicherung erfolgt nicht in einer eigenen Datenbank, sondern bei "Google Firebase"

...
Read 8 tweets
Marcus Mengs Profile picture
Oct 26, 2021
Thx @oleavr for the tip to run @fridadotre onetime Android system-level tasks inside 'system_server'.

Example: collect per-app AndroidIDs

1) Agent (TypeScript)
2) App excerpt (calls function of compiled agent in 'system_server' once device connects and detaches)
3) App output
For this use-case alone, it is a big time-saver.

Previous approach:
Monitor 'Binder' (native) or 'android.provider.Settings$Secure' (Java) for AndroidID retrieval **for each process of relevance** (lots of processing overhead).
Add up info on "Android IDs".

While the Android ID could be assumed to be persistent Identifier (unless a device is re-installed), it differs per Android user (usually only one) and package-signer.

For Android SDK <26 Android IDs do not differ on a single device.
Read 4 tweets
Marcus Mengs Profile picture
Aug 7, 2021
Um Klarheit zu schaffen ob/wie die #LucaApp Nutzer warnt, habe ich eine Abfrage eines Locationbesuches durch "Gesundheitsamt Saalfeld-Rudolstadt" gespooft:

1) Popup Notification
2) !!generische!! Abfragebenachrichtigung
3) Info welches GA welche Location abgefragt hat (gepixelt) ImageImageImage
Es gibt keine spezifische Warnung über Infektionsrelevanten Kontakten, noch eine ereignisspezifische Nachricht vom Gesundheitsamt INNERHALB der #LucaApp (da kein Rückkanal zum Nutzer existiert).

Alles weitere (so nötig) muss MANUELL durch Direktkommunikation mit GA erfolgen.
Wie es der @kreis_rostock geschafft hat über #LucaApp eine angepasste Warnmeldung zu versenden, um "Betroffene direkt anzusprechen" bleibt unklar.

Getestet wurde von mir die aktuellste Android Version der App v1.11.1

Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(