Upload
zappergod
View
162
Download
1
Embed Size (px)
DESCRIPTION
Facemoji chrome application allows users to send stickers in Facebook via PC. But this feature is only provided to Facebook Messenger for Android and iOS. The application does so by fooling Facebook’s API by providing an access token related to its Android Messenger. This case study reveals all the tricks used by the app.
Citation preview
Case Study #1
The Code Journal Sidhartha Tirthankar
[REVERSE ENGINEERING FACEMOJI] This case study shows how to reverse engineer Google Chrome applications and how to tinker with the Facebook API.
Reverse Engineering facemoji 1
1 Case Study #1 | The Code Journal
http://www.thecodejournal.com/
PREFACE
This case study assumes that you have basic knowledge about Java Script (jQuery), HTTP
headers and Facebook API.
Topics included:
1. Reverse engineering Google Chrome applications
2. Sending HTTP header requests through Fiddler2
3. Tinkering with the Facebook API
Software used:
1. Google Chrome (for browsing)
2. Internet Explorer (for downloading Chrome application)
3. Fiddler2 (for sending HTTP header requests)
4. Sublime Text 2 (for analysing code)
5. 7-Zip (for extracting the app)
Reverse Engineering facemoji 2
2 Case Study #1 | The Code Journal
http://www.thecodejournal.com/
RESOURCES
Resource links:
1. Google Chrome
http://chrome.google.com/
2. Internet Explorer
Comes preinstalled with Windows OS. Any other browser, like Firefox can also
be used.
3. Fiddler2
http://www.fiddler2.com
4. Sublime Text 2
http://www.sublimetext.com/2
5. 7-Zip
https://www.7-zip.org
Reverse Engineering facemoji 3
3 Case Study #1 | The Code Journal
http://www.thecodejournal.com/
PART – 1
Facemoji chrome application allows users to send stickers in Facebook via PC. But this
feature is only provided to Facebook Messenger for Android and iOS. The application does
so by fooling Facebook’s API by providing an access token related to its Android Messenger.
First, we have to download the application from Chrome App Store. This cannot be done by
using Google Chrome browser, since it will start auto installing the app once the download
is finished. So, a secondary browser can be used to download the app to a desired location
in your computer. In this study I have used Internet Explorer, but any other browser (like
Firefox, Opera or Safari) will also do.
To download the app, we need its id from Chrome App Store.
First go to Chrome App Store. Then search for facemoji. On clicking the application’s name,
notice the URL in your browser’s omnibox. It shows:
https://chrome.google.com/webstore/detail/facemoji-stickers-for-fac/mehbdflnjkigggmglekojmmilmkhmale
The last part of the URL is the app’s id, i.e. mehbdflnjkigggmglekojmmilmkhmale
Now open your secondary browser and go to:
https://clients2.google.com/service/update2/crx?response=redirect&x=id%3Dmehbdflnjkigggmglekojmmilmkhmale
%26uc
Reverse Engineering facemoji 4
4 Case Study #1 | The Code Journal
http://www.thecodejournal.com/
Choose the save option and save the file to any location in your computer.
Now, go to that location. You will find a file named extension_1_2_6.crx
Rename the file to extension_1_2_6.zip, now the file can be opened with 7-Zip.
Extract all the contents of the archive.
Now you have all the files contained in the app.
Reverse Engineering facemoji 5
5 Case Study #1 | The Code Journal
http://www.thecodejournal.com/
PART – 2
Till now we have extracted facemoji app in our computer’s local directory.
Traverse to the extracted directory.
Our work is only related to the js directory. So, traverse there. Now, we see:
Reverse Engineering facemoji 6
6 Case Study #1 | The Code Journal
http://www.thecodejournal.com/
After looking through all the files, I concluded that only api.js, stickers.js and
options.js are useful for our purpose.
Open the three files in Sublime Text 2.
Since the files are minified, activate word wrap by pressing ALT+Q
api.js has two things of our interest.
First is this.CLIENT_ID="256002347743983", this indicates the id of the Facebook
App used by the application.
We are still unsure of the App’s name.
Next is
this.sendSticker=function(a,b){var d,c=new
FormData;c.append("access_token",a.accessToken);"recipient"==a.idTy
pe?(c.append("to",'[{"type":"id","id":"'+a.id+'"}]'),d="me/threads"
):(c.append("id",a.id),d="");c.append("client_tags",'{"trigger":"ch
athead"}');c.append("object_attachment",a.stickerId);c.append("loca
le","en_US");c.append("client_country_code","VN"); var e=new
XMLHttpRequest;e.open("POST","https://graph.facebook.com/"+d,!0);
This is the function which sends the stickers in Facebook.
We see that this function uses HTTP headers to send POST request to the Facebook API. We
can imitate the same by using Fiddler2.
Next is options.js, this file has
a="https://www.facebook.com/dialog/oauth?page=display&response_type
=token&client_id="+fbApi.CLIENT_ID+"&redirect_uri=https%3A//www.fac
ebook.com/connect/login_success.html%3Fclient_id%3D"+fbApi.CLIENT_I
D+"&scope=email%2C";
This URL is used to GET the Access Token for the usage of the application
(ID="256002347743983")
Reverse Engineering facemoji 7
7 Case Study #1 | The Code Journal
http://www.thecodejournal.com/
stickers.js has a bunch of codes like:
The numbers in blue colour indicate the id of the stickers.
Reverse Engineering facemoji 8
8 Case Study #1 | The Code Journal
http://www.thecodejournal.com/
PART – 3
Let the hacking begin.
First open Fiddler2.
Open Chrome and go to https://www.facebook.com/dialog/oauth?page=display&response_type=token&client_id=25600
2347743983&redirect_uri=https%3A//www.facebook.com/connect/login_success.html%3Fclient
_id%3D256002347743983&scope=email%2C
We got this URL from options.js
Quickly switch to Fiddler2 and capture the GET request.
Select the GET request from the left tab.
Navigate to the right tab.
In the right top tab select Inspectors and in the right bottom tab select Raw.
Reverse Engineering facemoji 9
9 Case Study #1 | The Code Journal
http://www.thecodejournal.com/
The Location shows the URL returned by the GET request.
Voila, we have an access token returned by Facebook.
The GET request will return different access tokens for multiple requests.
In this case, the access token returned by Facebook is
CAADo1TDZCuu8BABkOoKuGw1TLZArl0jhe7YksR35nohNjudwByZBW3hvVITcjQUdRm
qrRRpcHCVN3uKtFtns1UJZCDfPl2qWBYY1cNSgZAiBCFdIyjgt3dT65ObOASZBx0jTg
20Fc4sobnWJV5nqgz4OxIm9fHVkUZD
Only the last step remains, i.e. to send the sticker to any friend in Facebook.
First, send any message to your friend in Facebook message.
Here I have sent myself “lol”.
Next go to (make sure to alter the ?access_token= in the URL to the most recent access
token obtained by the GET request):
https://graph.facebook.com/me/threads/?access_token=CAADo1TDZCuu8BABkOoKuGw1TLZArl0jhe7YksR35nohNju
dwByZBW3hvVITcjQUdRmqrRRpcHCVN3uKtFtns1UJZCDfPl2qWBYY1cNSgZAiBCFdIyjgt3dT65ObOASZBx0jTg20Fc4sob
nWJV5nqgz4OxIm9fHVkUZD
You will see something like this at the beginning of the page:
Copy the id, in this case our message id is t_id.183832538440284
Reverse Engineering facemoji 10
10 Case Study #1 | The Code Journal
http://www.thecodejournal.com/
Now grab any random id from stickers.js.
I’m using 126361874215276
Let’s make our POST request using Fiddler2.
Click on Composer in the right top tab.
Under the Parsed tab, select POST from the drop down list.
Set the URL https://graph.facebook.com/
And select the type of request as HTTP/1.1
Paste the below content in the Requested Headers section:
Host: graph.facebook.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36
Origin: http://www.facebook.com
Content-Type: multipart/form-data; boundary=----separator
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Content-Length: 435
Reverse Engineering facemoji 11
11 Case Study #1 | The Code Journal
http://www.thecodejournal.com/
And in the Request Body section paste (remember to change all the values in the request
body as per your setup):
------separator
Content-Disposition: form-data; name="access_token"
CAADo1TDZCuu8BABkOoKuGw1TLZArl0jhe7YksR35nohNjudwByZBW3hvVITcjQUdRm
qrRRpcHCVN3uKtFtns1UJZCDfPl2qWBYY1cNSgZAiBCFdIyjgt3dT65ObOASZBx0jTg
20Fc4sobnWJV5nqgz4OxIm9fHVkUZD
------separator
Content-Disposition: form-data; name="id"
t_id.183832538440284
------separator
Content-Disposition: form-data; name="object_attachment"
126361874215276
------separator--
Hit the Execute button in the top right portion of the right tab.
Reverse Engineering facemoji 12
12 Case Study #1 | The Code Journal
http://www.thecodejournal.com/
Now head over to your Facebook messages to see a nice surprise.
Reverse Engineering facemoji 13
13 Case Study #1 | The Code Journal
http://www.thecodejournal.com/
POST MORTEM OF THE ACCESS TOKEN
We were successful in our attempt to message stickers in Facebook via PC.
But where exactly did we fool Facebook into thinking that we are sending the request from
its own Android Messenger app?
Let’s go to https://developers.facebook.com/tools/debug
Enter the access token in the input box and hit Debug.
Notice the App ID, it says Facebook Messenger for Android.
In short, we cheated Facebook's API by sending it an access token generated by its own
Messenger for Android app.
That is what facemoji is doing to post Stickers in Facebook via PC.
Reverse Engineering facemoji 14
14 Case Study #1 | The Code Journal
http://www.thecodejournal.com/
FEEDBACKS
“And now I own a Symbian powered phone, an Android powered
phone, and an iOS powered phone. Amazing work. ”
- Dibya Ranjan Bhoi (Admin, TheWackyHeads)
Reverse Engineering facemoji 15
15 Case Study #1 | The Code Journal
http://www.thecodejournal.com/
ABOUT THE AUTHOR
SIDHARTHA TIRTHANKAR
I'm a programmer and blogger.
Specialties: C, C++, Python, HTML/CSS, JavaScript (and jQuery), PHP, SQL, Facebook API
E-mail: [email protected]
Blog: http://www.thecodejournal.com
LinkedIn: http://in.linkedin.com/in/sidharthatirthankar