Case Study: Reverse Engineering Facemoji

Case Study #1

The Code Journal Sidhartha Tirthankar

[REVERSE ENGINEERING FACEMOJI] This case study shows how to reverse engineer Google Chrome applications and how to tinker with the Facebook API.

Reverse Engineering facemoji 1

1 Case Study #1 | The Code Journal

http://www.thecodejournal.com/

PREFACE

This case study assumes that you have basic knowledge about Java Script (jQuery), HTTP

headers and Facebook API.

Topics included:

1. Reverse engineering Google Chrome applications

2. Sending HTTP header requests through Fiddler2

3. Tinkering with the Facebook API

Software used:

1. Google Chrome (for browsing)

2. Internet Explorer (for downloading Chrome application)

3. Fiddler2 (for sending HTTP header requests)

4. Sublime Text 2 (for analysing code)

5. 7-Zip (for extracting the app)




RESOURCES

Resource links:

1. Google Chrome

http://chrome.google.com/

2. Internet Explorer

Comes preinstalled with Windows OS. Any other browser, like Firefox can also

be used.

3. Fiddler2

http://www.fiddler2.com

4. Sublime Text 2

http://www.sublimetext.com/2

5. 7-Zip

https://www.7-zip.org

http://chrome.google.com/

http://www.fiddler2.com/

http://www.sublimetext.com/2




PART – 1

Facemoji chrome application allows users to send stickers in Facebook via PC. But this

feature is only provided to Facebook Messenger for Android and iOS. The application does

so by fooling Facebook’s API by providing an access token related to its Android Messenger.

First, we have to download the application from Chrome App Store. This cannot be done by

using Google Chrome browser, since it will start auto installing the app once the download

is finished. So, a secondary browser can be used to download the app to a desired location

in your computer. In this study I have used Internet Explorer, but any other browser (like

Firefox, Opera or Safari) will also do.

To download the app, we need its id from Chrome App Store.

First go to Chrome App Store. Then search for facemoji. On clicking the application’s name,

notice the URL in your browser’s omnibox. It shows:

https://chrome.google.com/webstore/detail/facemoji-stickers-for-fac/mehbdflnjkigggmglekojmmilmkhmale

The last part of the URL is the app’s id, i.e. mehbdflnjkigggmglekojmmilmkhmale

Now open your secondary browser and go to:

https://clients2.google.com/service/update2/crx?response=redirect&x=id%3Dmehbdflnjkigggmglekojmmilmkhmale

%26uc




Choose the save option and save the file to any location in your computer.

Now, go to that location. You will find a file named extension_1_2_6.crx

Rename the file to extension_1_2_6.zip, now the file can be opened with 7-Zip.

Extract all the contents of the archive.

Now you have all the files contained in the app.




PART – 2

Till now we have extracted facemoji app in our computer’s local directory.

Traverse to the extracted directory.

Our work is only related to the js directory. So, traverse there. Now, we see:




After looking through all the files, I concluded that only api.js, stickers.js and

options.js are useful for our purpose.

Open the three files in Sublime Text 2.

Since the files are minified, activate word wrap by pressing ALT+Q

api.js has two things of our interest.

First is this.CLIENT_ID="256002347743983", this indicates the id of the Facebook

App used by the application.

We are still unsure of the App’s name.

Next is

this.sendSticker=function(a,b){var d,c=new

FormData;c.append("access_token",a.accessToken);"recipient"==a.idTy

pe?(c.append("to",'[{"type":"id","id":"'+a.id+'"}]'),d="me/threads"

):(c.append("id",a.id),d="");c.append("client_tags",'{"trigger":"ch

athead"}');c.append("object_attachment",a.stickerId);c.append("loca

le","en_US");c.append("client_country_code","VN"); var e=new

XMLHttpRequest;e.open("POST","https://graph.facebook.com/"+d,!0);

This is the function which sends the stickers in Facebook.

We see that this function uses HTTP headers to send POST request to the Facebook API. We

can imitate the same by using Fiddler2.

Next is options.js, this file has

a="https://www.facebook.com/dialog/oauth?page=display&response_type

=token&client_id="+fbApi.CLIENT_ID+"&redirect_uri=https%3A//www.fac

ebook.com/connect/login_success.html%3Fclient_id%3D"+fbApi.CLIENT_I

D+"&scope=email%2C";

This URL is used to GET the Access Token for the usage of the application

(ID="256002347743983")




stickers.js has a bunch of codes like:

The numbers in blue colour indicate the id of the stickers.




PART – 3

Let the hacking begin.

First open Fiddler2.

Open Chrome and go to https://www.facebook.com/dialog/oauth?page=display&response_type=token&client_id=25600

2347743983&redirect_uri=https%3A//www.facebook.com/connect/login_success.html%3Fclient

_id%3D256002347743983&scope=email%2C

We got this URL from options.js

Quickly switch to Fiddler2 and capture the GET request.

Select the GET request from the left tab.

Navigate to the right tab.

In the right top tab select Inspectors and in the right bottom tab select Raw.




The Location shows the URL returned by the GET request.

Voila, we have an access token returned by Facebook.

The GET request will return different access tokens for multiple requests.

In this case, the access token returned by Facebook is

CAADo1TDZCuu8BABkOoKuGw1TLZArl0jhe7YksR35nohNjudwByZBW3hvVITcjQUdRm

qrRRpcHCVN3uKtFtns1UJZCDfPl2qWBYY1cNSgZAiBCFdIyjgt3dT65ObOASZBx0jTg

20Fc4sobnWJV5nqgz4OxIm9fHVkUZD

Only the last step remains, i.e. to send the sticker to any friend in Facebook.

First, send any message to your friend in Facebook message.

Here I have sent myself “lol”.

Next go to (make sure to alter the ?access_token= in the URL to the most recent access

token obtained by the GET request):

https://graph.facebook.com/me/threads/?access_token=CAADo1TDZCuu8BABkOoKuGw1TLZArl0jhe7YksR35nohNju

dwByZBW3hvVITcjQUdRmqrRRpcHCVN3uKtFtns1UJZCDfPl2qWBYY1cNSgZAiBCFdIyjgt3dT65ObOASZBx0jTg20Fc4sob

nWJV5nqgz4OxIm9fHVkUZD

You will see something like this at the beginning of the page:

Copy the id, in this case our message id is t_id.183832538440284




Now grab any random id from stickers.js.

I’m using 126361874215276

Let’s make our POST request using Fiddler2.

Click on Composer in the right top tab.

Under the Parsed tab, select POST from the drop down list.

Set the URL https://graph.facebook.com/

And select the type of request as HTTP/1.1

Paste the below content in the Requested Headers section:

Host: graph.facebook.com

Connection: keep-alive

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36

(KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36

Origin: http://www.facebook.com

Content-Type: multipart/form-data; boundary=----separator

Accept: */*

Accept-Encoding: gzip,deflate,sdch

Accept-Language: en-GB,en-US;q=0.8,en;q=0.6

Content-Length: 435




And in the Request Body section paste (remember to change all the values in the request

body as per your setup):

------separator

Content-Disposition: form-data; name="access_token"

CAADo1TDZCuu8BABkOoKuGw1TLZArl0jhe7YksR35nohNjudwByZBW3hvVITcjQUdRm

qrRRpcHCVN3uKtFtns1UJZCDfPl2qWBYY1cNSgZAiBCFdIyjgt3dT65ObOASZBx0jTg

20Fc4sobnWJV5nqgz4OxIm9fHVkUZD

------separator

Content-Disposition: form-data; name="id"

t_id.183832538440284

------separator

Content-Disposition: form-data; name="object_attachment"

126361874215276

------separator--

Hit the Execute button in the top right portion of the right tab.




Now head over to your Facebook messages to see a nice surprise.




POST MORTEM OF THE ACCESS TOKEN

We were successful in our attempt to message stickers in Facebook via PC.

But where exactly did we fool Facebook into thinking that we are sending the request from

its own Android Messenger app?

Let’s go to https://developers.facebook.com/tools/debug

Enter the access token in the input box and hit Debug.

Notice the App ID, it says Facebook Messenger for Android.

In short, we cheated Facebook's API by sending it an access token generated by its own

Messenger for Android app.

That is what facemoji is doing to post Stickers in Facebook via PC.




FEEDBACKS

“And now I own a Symbian powered phone, an Android powered

phone, and an iOS powered phone. Amazing work. ”

- Dibya Ranjan Bhoi (Admin, TheWackyHeads)

http://thewackyheads.com/




ABOUT THE AUTHOR

SIDHARTHA TIRTHANKAR

I'm a programmer and blogger.

Specialties: C, C++, Python, HTML/CSS, JavaScript (and jQuery), PHP, SQL, Facebook API

E-mail: [email protected]

Blog: http://www.thecodejournal.com

LinkedIn: http://in.linkedin.com/in/sidharthatirthankar

mailto:[email protected]


http://in.linkedin.com/in/sidharthatirthankar

Documents

Case Study: Reverse Engineering Facemoji