Extract Instagram hash key


#1

Hello,

I’m looking for somebody with reverse engineering skills who could teach me how to get the signature key hash from the iOS version of Instagram.
I have a jailbroken iPhone 6 with iOS 9.0 which I could use.

You would need to tell me the exact steps needed to extract the key from the App and answer possible questions.

I have basic reverse engineering skills on Android but none on iOS so I want to get this going asap.

Of course I will pay for your time and service, please tell me your offers.


#2

Why do you want to do this?


#3

I want to automate my account


#4

What exactly do you mean by “automate my account”?


#5

I want to use the Instagram API with my account to perform actions like uploading pictures etc.


#6

Then you don’t have to get the signature or anything like that; just reversing the API that uploads pictures will do the job.


#7

Instagram signs every request with an HMAC-SHA hash.

As an example, a request looks like this:

```
signed_body=nc8e1774526bf84b58bb4ffebb357bddb822a5183e0355db1effc2dad47107a29.{"_uuid":"00000000-0000-0000-0000-000000000000","password":"password","username":"will","device_id":"00000000-0000-0000-0000-000000000000","_csrftoken":"missing"}
```

`nc8e1774526bf84b58bb4ffebb357bddb822a5183e0355db1effc2dad47107a29` is generated by an HMAC function with a key.
Without this key I cannot generate the signature and requests won’t get accepted.

EDIT:
Basically, I checked the app with IDA and followed your iOSAppReverseEngineering.pdf.
I think I know where the key gets generated and I’m trying to get it with LLDB and a breakpoint, but I’m running into many issues on which I could use help.

For example, I used the ASLR offset + the pointer from IDA to get the address.
Then I set a breakpoint, which worked, but as soon as the breakpoint hits I get

```
(lldb) Process 21538 stopped
  thread #13: tid = 0x6538, 0xff76545e, stop reason = EXC_BAD_ACCESS (code=1, address=0xff76545e)
    frame #0: 0xff76545e
    error: memory read failed for 0xff765400
```

and the app continues to run, but not fully. I can see the loading circle spinning but nothing else works.

For such issues, which are very time consuming to resolve on my own, I’d like to have somebody in chat/Skype to talk to and help me resolve them.
I’d pay for the time this takes.
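The signing scheme the post describes (hex HMAC, a dot, then the JSON body) as an added example in Python; this is not code from the thread or from Instagram. The key is a made-up placeholder, the body values are dummies copied from the quoted request, and the exact JSON serialization (key order, no whitespace) is an assumption; the real client may serialize differently, and HMAC over different bytes gives a different tag.

```python
import hmac
import hashlib
import json

# Placeholder key: an assumption for this example, NOT a key extracted from any app.
EXAMPLE_SIGNATURE_KEY = b"0123456789abcdef0123456789abcdef"

# Constructed sample body shaped like the request quoted in the thread (all values dummies).
SAMPLE_BODY = {
    "_uuid": "00000000-0000-0000-0000-000000000000",
    "password": "password",
    "username": "will",
    "device_id": "00000000-0000-0000-0000-000000000000",
    "_csrftoken": "missing",
}


def serialize(body: dict) -> str:
    """Canonical JSON (assumed: insertion order, no whitespace).

    The MAC is computed over these exact bytes, so the same string must be sent
    on the wire; re-serializing with different spacing or key order breaks the tag.
    """
    return json.dumps(body, separators=(",", ":"))


def sign_body(key: bytes, body: dict) -> str:
    """Client side: signed_body = hex(HMAC-SHA256(key, json)) + "." + json."""
    payload = serialize(body)
    tag = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{tag}.{payload}"


def verify_signed_body(key: bytes, signed_body: str) -> bool:
    """Server side: split on the first '.', recompute the tag, compare in constant time."""
    tag, sep, payload = signed_body.partition(".")
    if not sep or len(tag) != 64:          # SHA-256 hex digest is 64 chars
        return False
    expected = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def tamper_username(signed_body: str, new_username: str) -> str:
    """Change the username in the payload without re-signing (what a client
    that lacks the key can do, and what the server's check must reject)."""
    tag, _, payload = signed_body.partition(".")
    body = json.loads(payload)
    body["username"] = new_username
    return f"{tag}.{serialize(body)}"


if __name__ == "__main__":
    sb = sign_body(EXAMPLE_SIGNATURE_KEY, SAMPLE_BODY)
    print("signed_body=" + sb)
    print("verifies with key:  ", verify_signed_body(EXAMPLE_SIGNATURE_KEY, sb))
    print("verifies, wrong key:", verify_signed_body(b"some-other-key", sb))
    print("verifies, tampered: ", verify_signed_body(EXAMPLE_SIGNATURE_KEY, tamper_username(sb, "mallory")))
```

Without the key you can neither produce a fresh tag nor modify a captured body, which is why the thread's question reduces to recovering the key from the binary; with it, signing any body is the one-liner in `sign_body`.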


#8

Okay, it is possible to extract the key, but there’s a catch.
It seems the key gets altered by the app if you try to extract it, so it will return a valid hash key, but it seems this key is rate limited.

Unmodified/unjailbroken devices use a different key to generate the hash, so it seems to change dynamically when you try to mess with the app.

I already had a reverse engineer look at this without success.

This seems like a very difficult task and I’d need an experienced pro to look at this and verify it for me.