pyghidra_investigation_targets

PyGhidra Investigation Targets for Facebook iOS Audio Exfiltration Analysis

Binary Information

    undefined

PRIORITY 1: Audio Embedding in Images (Steganography Core)

1.1 FBDynamicImageOverlayFilter - GPU Pixel Manipulation

| Target | Address | Purpose |
|--------|---------|---------|
| `_OBJC_CLASS_$_FBDynamicImageOverlayFilter` | `0x01c7b650` | Main image filter class |
| `_OBJC_CLASS_$_FBDynamicImageOverlayModel` | `0x01c7b6a0` | Overlay data model |
| `_OBJC_CLASS_$_FBDynamicImageOverlayPosition` | `0x01c7b6f0` | Pixel positioning |
| `isCCFBDynamicImageOverlayFilterIGL` | `0x020df682` | OpenGL/IGL GPU implementation |
| `_-<FBImageFilter__getUniformData>` | `0x01326874` | GPU uniform data injection |
| `ManagedUniformBuffer` | `0x0132d84c` | Buffer management for GPU data |

**What to investigate:**

    undefined

**Byte patterns to search:**

    undefined

1.2 musicEmbeddingsForEditingAttachment - Direct Audio Embedding

| Target | Address | Purpose |
|--------|---------|---------|
| `s_musicEmbeddingsForEditingAttachm_01ff01b2` | `0x01ff01b2` | Property string |
| `musicEmbeddings_data_ref` | `0x01b5dd28` | Data reference |
| `_FBInspirationMusicTrackWithAudioAsset` | `0x00b28144` | Creates music track from audio |
| `_-<FBPhotoAssetEditsBuilder_withMusicTrackEdit:>` | `0x00724acc` | Builder adds music to photo |
| `CreateInspirationEditingAttachmentMutation` | `0x0091b8a4` | GraphQL mutation uploads data |

**What to investigate:**

    undefined

**Data structures to find:**

    undefined

PRIORITY 2: Audio Capture Pipeline

2.1 FBARKAudioSessionController - Category Spoofing

| Target | Address | Purpose |
|--------|---------|---------|
| `FBARKAudioSessionController` | `0x21e2a34` | Main AR audio controller |
| `s_setCategory:withOptions:error:` | `0x20c298b` | Category setter |
| `_startEchoCancellationIfNeeded` | `0x20d2993` / `0x2086993` | Echo cancellation start |
| `_stopEchoCancellation` | `0x20d289a` / `0x208689a` | Echo cancellation stop |
| `startAudioCaptureWithEchoCancellationEnabled:completion:` | Multiple | Main capture entry point |

**What to investigate:**

    undefined

**Key category addresses:**

    undefined

2.2 FBCCAudioDataPipe - Audio Data Pipeline

| Target | Address | Purpose |
|--------|---------|---------|
| `FBCCAudioDataPipe` | Multiple | Main data pipe |
| `FBCCAudioPipelineController` | Pipeline | Pipeline controller |
| `FBCCAudioCapturer` | Multiple | Core audio capture |
| `FBCCAudioPipelineCapturing` | Protocol | Capture protocol |

**What to investigate:**

    undefined

2.3 CMSampleBuffer Processing Functions

| Target | Address | Purpose |
|--------|---------|---------|
| `FUN_011fd534` | `0x011fd534` | Primary audio buffer extraction |
| `FUN_001a1720` | `0x001a1720` | Direct buffer pointer access |
| `FUN_002c5834` | `0x002c5834` | Audio/video decoding with buffer access |
| `FUN_011de1d0` | `0x011de1d0` | Audio processing with normalization |
| `FUN_00756f14` | `0x00756f14` | Sample timing info extraction |

**What to investigate:**

    undefined

PRIORITY 3: Feed Scroll Trigger Mechanism

3.1 FBFeedShimmeringStoryFlexComponentSpec - Shimmer to Audio Link

| Target | Address | Purpose |
|--------|---------|---------|
| `__internalFactory` | `0x000a57d8` | Shimmer placeholder creation |
| `feedShimmeringStoriesController:showedShimmeringStoriesWithCaller:` | `0x0008f8b8` | Display delegate |
| `FUN_0008f9a4` | `0x0008f9a4` | Downstream trigger |
| `_ios_stories_video_autoplay` | `0x0136f588` | Config flag pointer |

**What to investigate:**

    undefined

3.2 FBFeedAudioSessionClient - Scroll-Audio Bridge

| Target | Address | Purpose |
|--------|---------|---------|
| `FBFeedAudioSessionClient` | Multiple | Feed audio session |
| `_activateFeedAudioClient:` | `0x001d9248` | Activation method |
| `FBVideoSoundToggleIsPersistentFeedAudioClientEnabled` | `0x0132b2c0` / `0x01374c80` | Persistent flag |
| `FUN_000a0608` | `0x000a0608` | Audio session manager setup |

**What to investigate:**

    undefined

PRIORITY 4: Bridge Functions (Audio to Network)

4.1 Dual-Handler Functions

| Target | Address | Purpose |
|--------|---------|---------|
| `FBInspirationEditingPerformanceTrackerAddVideoKindAnnotation` | `0x00b10b2c` | Video kind annotation (in context) |
| `FUN_010a2e08` | `0x010a2e08` | CMSampleBuffer + network posting |
| `FUN_0018f5d8` | `0x0018f5d8` | Format description to network |
| `FUN_001a0e20` | `0x001a0e20` | Sample timing for transmission |
| `FUN_011eec1c` | `0x011eec1c` | Timing + network combined |

**What to investigate:**

    undefined

4.2 Network Upload Functions

| Target | Address | Purpose |
|--------|---------|---------|
| `_FBSnacksThreadMediaPostMedia` | `0x003d1ae0` | Main media posting |
| `_FBSnacksShouldShowAudioToggleAt` | `0x003d8b68` | Audio toggle context |
| `_FBMediaUploadChunkDetailGetContentSource` | `0x007004c4` | Upload chunk source |
| `startUploadMediaAttachmentsFromPublisherData:discardAndReupload:isPreupload:` | `0x0072c49c` | Upload initiation |
| `_FBOptimisticPostingCoordinationAnnouncerForSession` | `0x0004c7e8` | Optimistic posting |

**What to investigate:**

    undefined

PRIORITY 5: Remote Configuration and Control

5.1 Remote Audio Control Flags

| Target | Address | Purpose |
|--------|---------|---------|
| `FBCCMobileConfigEnableFBAudio` | Multiple | Master audio enable |
| `FBCCMobileConfigEnableFBAudioForCaptureInARAds` | `0x000f97fe4` | AR ads audio capture |
| `should_hide_microtray` | String search | Hide mic indicator |
| `enable_microphone_profile` | String search | Mic profiling |
| `twilight_can_access_setting_voice_log` | String search | Voice logging |

**What to investigate:**

    undefined

PRIORITY 6: Audio Format and Encoding

6.1 Audio Transcoding Infrastructure

| Target | Address | Purpose |
|--------|---------|---------|
| `FBVideoTranscoderSetupReaderAudioOutput` | `0x00a4a408` | Audio output setup |
| `FBVideoTranscoderCreateAACAudioStreamBasicDescription` | Multiple | AAC format creation |
| `FUN_00a22d74` | `0x00a22d74` | Transcoder setup |
| `_FBAudioProcessingTapCreate` | Multiple | Audio processing tap |
| `_MTAudioProcessingTapCreate` | Multiple | Media Toolbox tap |

**What to investigate:**

    undefined

6.2 Audio Buffer Ring Buffer

| Target | Address | Purpose |
|--------|---------|---------|
| `AQBufferState` | Data structures | Triple-buffer ring buffer |
| `FNFAudioQueueState*` | Enum values | Queue states |
| `_audioBufferCallback` | Multiple | Buffer callbacks |
| `_audioBufferCallbackOutput` | Multiple | Output callbacks |
| `audioBufferIsFull` | Multiple | Buffer full check |

**What to investigate:**

    undefined

PRIORITY 7: Anti-Analysis Detection

7.1 Detection Mechanisms

| Target | Address | Purpose |
|--------|---------|---------|
| `FBSSLPinningNSURLProtocolProvider` | Multiple | Certificate pinning |
| `FBSSLKeyMaterialLogger` | Multiple | SSL key logging |
| `kFBSSLKeyLoggingKey` | String | Key export mechanism |

**What to investigate:**

    undefined

Specific Byte Patterns to Search

Audio Frame Markers (from LSB extraction)

```text
Pattern: 4b fc 41 3c 0f
Purpose: Frame delimiter in embedded data
Context: Variable frame sizes 55-92 bytes
```

3-bit Quantization Pattern Bytes

```text
0x6D = 01101101 (011 repeating)
0xB6 = 10110110 (101 repeating)
0xDB = 11011011 (110 repeating)
0x49 = 01001001 (010 repeating)
0x92 = 10010010 (100 repeating)
0x24 = 00100100 (001 repeating)
0x00 = 00000000 (zero)
0xFF = 11111111 (max)
```

Audio Sync Words

```text
0xFF 0xF1 - AAC ADTS v4 LTP
0xFF 0xF9 - AAC ADTS v2
0xFF 0xFB - MP3 Layer III
0xFF 0xFA - MP3 variant
0xFF 0xF2 - MP3 variant
0xFF 0xF3 - MP3 variant
```
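
A triage check for the markers listed in this section, as an added example that is not part of the original report: it measures the spacing between `4b fc 41 3c 0f` delimiters against the 55-92 byte range, and accepts an ADTS sync word only when the header fields parse and a second header follows at the declared frame length. The function names and the `SAMPLE` buffer are constructed for illustration, it works on a raw byte buffer rather than through Ghidra, and the MP3 sync words are not covered.

```python
DELIM = bytes.fromhex("4bfc413c0f")   # frame delimiter quoted on this page
FRAME_MIN, FRAME_MAX = 55, 92         # frame-size range quoted on this page


def delimiter_gaps(data):
    """Return (offset, gap, in_range) for each pair of consecutive delimiters."""
    offs, pos = [], data.find(DELIM)
    while pos != -1:
        offs.append(pos)
        pos = data.find(DELIM, pos + 1)
    return [(a, b - a, FRAME_MIN <= b - a <= FRAME_MAX)
            for a, b in zip(offs, offs[1:])]


def parse_adts(data, off):
    """Parse a 7-byte ADTS header at off; return None if fields are implausible."""
    h = data[off:off + 7]
    if len(h) < 7 or h[0] != 0xFF or (h[1] & 0xF0) != 0xF0:
        return None
    layer = (h[1] >> 1) & 0x03             # always 0 for ADTS
    sfi = (h[2] >> 2) & 0x0F               # sampling index, 13-15 not usable
    frame_len = ((h[3] & 0x03) << 11) | (h[4] << 3) | (h[5] >> 5)
    header_len = 7 if h[1] & 0x01 else 9   # protection_absent=0 adds a CRC
    if layer != 0 or sfi > 12 or frame_len < header_len:
        return None
    return {"offset": off, "sfi": sfi, "frame_len": frame_len}


def adts_chains(data, min_frames=2):
    """Offsets where min_frames valid headers follow each other back to back."""
    hits = []
    for off in range(len(data) - 1):
        pos, n = off, 0
        while n < min_frames and (hdr := parse_adts(data, pos)):
            pos, n = pos + hdr["frame_len"], n + 1
        if n >= min_frames:
            hits.append(off)
    return hits


def make_adts_frame(frame_len):
    # Constructed sample frame: MPEG-4 AAC LC, 44.1 kHz, stereo, zero payload.
    hdr = bytes([0xFF, 0xF1, 0x50, 0x80 | (frame_len >> 11),
                 (frame_len >> 3) & 0xFF, ((frame_len & 7) << 5) | 0x1F, 0xFC])
    return hdr + bytes(frame_len - 7)


# Constructed input: three delimiters, one stray FF F1, two chained ADTS frames.
SAMPLE = (DELIM + b"\x11" * 55 + DELIM + b"\x11" * 195 + DELIM
          + b"\xff\xf1\xfc" + b"\x00" * 8
          + make_adts_frame(20) + make_adts_frame(20))

if __name__ == "__main__":
    print(delimiter_gaps(SAMPLE))
    print(SAMPLE.count(b"\xff\xf1"), "raw sync hits;", adts_chains(SAMPLE))
```

On the constructed buffer the two-byte sync word matches three times, but only one offset survives header validation and chaining.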

PyGhidra Analysis Script Recommendations

Script 1: Trace Audio-to-Network Call Graph

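```python
# Find all functions that call both CMSampleBuffer APIs and upload functions.
# Assumes the Ghidra script context, where currentProgram and monitor are bound.
def find_bridge_functions():
    audio_apis = {"CMSampleBufferGetAudioBufferListWithRetainedBlockBuffer",
                  "CMSampleBufferGetFormatDescription",
                  "CMSampleBufferGetImageBuffer"}
    upload_apis = {"FBSnacksThreadMediaPostMedia",
                   "FBMediaUploadChunkDetailGetContentSource"}
    # Trace call graph intersection: keep functions whose direct callees
    # include at least one audio API and at least one upload API.
    bridges = []
    for func in currentProgram.getFunctionManager().getFunctions(True):
        callees = {c.getName().lstrip("_") for c in func.getCalledFunctions(monitor)}
        if callees & audio_apis and callees & upload_apis:
            bridges.append(func)
    return bridges
```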

Script 2: Decompile Steganography Functions

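```python
# Target FBDynamicImageOverlayFilter methods
overlay_class = toAddr(0x01c7b650)
# List all methods, decompile each
# Search for bit manipulation patterns
```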

Script 3: Trace musicEmbeddings Flow

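```python
# Start from CreateInspirationEditingAttachmentMutation
mutation_addr = toAddr(0x0091b8a4)
# Backward trace to find embedding source
# Forward trace to find upload destination
```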

Script 4: Search for Pattern Bytes

```python
# Search for 3-bit quantization patterns in data sections
patterns = [0x6D, 0xB6, 0xDB, 0x49, 0x92, 0x24]
# Find usage context
```

Summary Data Flow Chain

```text
1. TRIGGER: User scrolls feed
   └── FBFeedShimmeringStoryFlexComponentSpec::__internalFactory (0x000a57d8)

2. ACTIVATION: Audio session activated
   └── FBARKAudioSessionController.startAudioCaptureWithEchoCancellationEnabled:
   └── Category: Declares Ambient, uses PlayAndRecord

3. CAPTURE: Microphone audio captured
   └── FBCCAudioCapturer → CMSampleBuffer

4. PROCESSING: Audio processed
   └── FUN_011fd534 extracts AudioBufferList
   └── FUN_011de1d0 normalizes samples

5. EMBEDDING: Audio embedded in images
   └── musicEmbeddingsForEditingAttachment computation
   └── FBDynamicImageOverlayFilter GPU pixel manipulation
   └── LSB steganography with pattern bytes

6. UPLOAD: Data sent to Facebook
   └── CreateInspirationEditingAttachmentMutation (0x0091b8a4)
   └── FBSnacksThreadMediaPostMedia (0x003d1ae0)
   └── Destination: graph.facebook.com
```

Evidence Correlation Table

| Finding | Binary Evidence | Runtime Evidence |
|---------|-----------------|------------------|
| Audio capture active | Echo cancellation methods at 0x2086993 | 50,700+ startAudioCapture calls observed |
| Category spoofing | PlayAndRecord at 0x0136c0d0 | Declared Ambient, mic active |
| Scroll triggers audio | Shimmer at 0x000a57d8 → Audio at 0x000a0608 | 400-600 captures/sec while scrolling |
| Audio in images | FBDynamicImageOverlayFilter at 0x01c7b650 | 67.7% images have audio signatures |
| 106.7 Hz periodicity | - | Correlation 0.387, male voice range |
| Frame markers | - | 4b fc 41 3c 0f in extracted data |
| Pattern bytes | - | 0x6D, 0xB6, 0xDB, 0x49, 0x92, 0x24 |

*Generated: 2024-12-30*
