Setting up the environment #935

Merged
merged 3 commits into from
Oct 17, 2019
77 changes: 77 additions & 0 deletions CONTRIBUTING.md
@@ -0,0 +1,77 @@
# Contributing

This is based on information seen [here](https://github.com/mgp25/Instagram-API/wiki/Technical-information).

#### Table of contents

1. [Capturing Endpoints](#capturing-endpoints)
2. [Reading the Signature Key](#reading-the-signature-key)
3. [Capturing MQTT (Notifications)](#capturing-tls-requests)

## Capturing Endpoints

In order to capture endpoints you have to monitor the requests using a proxy.
Instagram itself prevents that as anyone could monitor your requests, so you'll have to modify the app.
Currently, [this](https://github.com/itsMoji/Instagram_SSL_Pinning) project by [itsMoji](https://github.com/itsMoji)
allows you to disable the certificate-pinning which effectively makes the app accept every certificate.

**Only use it in _your_ network as anyone with the certificate can then monitor your requests!**

#### Step by step guide
The first steps are just for setting up the apk. You can also use [these](https://github.com/itsMoji/Instagram_SSL_Pinning#instagram-ssl-pinning) instructions.

1. **Install** either the patched apk provided by itsMoji [here](https://github.com/itsMoji/Instagram_SSL_Pinning/tree/master/non-root)
**or** manually patch the apk (requires root access)
by following [these](https://github.com/itsMoji/Instagram_SSL_Pinning#root-method) instructions.
2. **Install** a http proxy on your host machine.
- Currently, the only proxy able to decrypt **TLS 1.3** is [Burp 1.7.x](https://portswigger.net/burp/releasesarchive/community)
(use version 1.7 although it's outdated, 2.x **won't work**) with [Java 11 or above](https://www.oracle.com/technetwork/java/javase/downloads/index.html).
3. **Configure** your proxy to decrypt TLS 1.3 and **export** the *root certificate* to the phone/emulator.
4. **Capture** the requests.

#### General Infos

- A request looking like `signed_body={HEX}.{Request}&ig_sig_key_version=4` has to be signed.

## Reading the Signature Key

The signature key is used to sign requests.

#### Step by step guide

1. [Setup Instagram on your phone like this](#capturing-endpoints)
2. Install frida on your [device](https://www.frida.re/docs/android/) and [host machine](https://www.frida.re/docs/installation/).
3. Start the frida-server on your device
4. Connect to frida and the `com.instagram.android` process (using an emulator e.g. run `frida -U -n com.instagram.android`)
5. Run ```
fscrambler = Module.findExportByName("libstrings.so","_ZN9Scrambler9getStringESs");
Interceptor.attach(ptr(fscrambler), {
onLeave: function (retval) {
send(Memory.readCString(retval));
}
});```
6. Force a signed request inside the app by for example liking an image.
7. You should now see `message: {'type': 'send', 'payload': '{SIGNATURE_KEY}'} data: none`


## Capturing TLS Requests

MQTT and FBNS are currently not implemented in the main library as they're not ready.
You can see the current development [here](https://github.com/dilame/instagram-private-api/issues/845).
They are built using MQTT (v3 and for FBNS a custom implementation of v3) and [Thrift](https://thrift.apache.org/)
You'll probably have to use a Hex Editor for that.

Currently, the only way of capturing these packets is using another proxy.

#### Step by step guide

If you are using Burp, **only** enable the proxy on `127.0.0.1`.

1. [Setup Instagram on your phone like this](#capturing-endpoints)
2. **Install** [Charles](https://www.charlesproxy.com/download/) (the test version only supports 30min per session, so save your results in another editor).
3. **Configure** Charles as a **SOCKS** proxy (*Proxy* > *Proxy Settings...* > *Enable SOCKS Proxy*).
4. **Export and install** the certificate (*Help* > *SSL Proxying* > *Install certificate on a Mobile Device or Remote Browser*).
5. **Enable** SSL proxying for the domains `mqtt-mini.facebook.com:* and edge-mqtt.facebook.com:*` (*Proxy* > *SSL Proxying Settings...*).
6. (optional) forward HTTP Packets to Burp (Charles only decrypts TLS 1.2):
* Go to *Proxy* > *External proxy settings...*, enable it and forward HTTP and HTTPS to `127.0.0.1:{BURP_PORT}`.
* See your HTTP(S) requests in Burp.
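Review bot: the Frida snippet in step 5 of "Reading the Signature Key" will not render as a code block, because the opening fence sits on the same line as `5. Run` and the closing fence is glued to `});`; put each fence on its own line, indented under the list item, and tag it `js` so the steps read as intended. In the snippet itself, `Module.findExportByName` already returns a `NativePointer` (or `null` when the export is not found), so `ptr(fscrambler)` is redundant, and a null check before `Interceptor.attach` would give a readable message when `libstrings.so` is not loaded yet instead of a less descriptive type error. Separately, table-of-contents entry 3 reads "Capturing MQTT (Notifications)" but links to `#capturing-tls-requests`, while the section heading is "Capturing TLS Requests"; align the entry text and the heading so the link describes the section it points to. Minor: the `#### Step by step guide` heading under "Capturing Endpoints" has no blank line after it, unlike the other headings in the file.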
2 changes: 2 additions & 0 deletions README.md
@@ -146,6 +146,8 @@ If you need features that is not implemented - feel free to implement and create

Plus we need some documentation, so if you are good in it - you are welcome.

Setting up your environment is described [here](CONTRIBUTING.md).

# Useful links

[instagram-id-to-url-segment](https://www.npmjs.com/package/instagram-id-to-url-segment) - convert the image url fragment to the media ID
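Review bot: the added sentence links the word "here" rather than the file it points to; `Setting up your environment is described in [CONTRIBUTING.md](CONTRIBUTING.md).` tells readers where the link goes and still makes sense when read out of context. The surrounding context line "If you need features that is not implemented" has a subject-verb mismatch ("features that are not implemented"), which this commit could fix while it is already touching the paragraph.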