Facebook iOS v345.0 Anti-Forensics Evasion
**Date:** 2025-12-30 **Objective:** Achieve 95% confidence on H3/H4 hypotheses **Current Blockers:** SSL pinning, audio encryption, tool detection
Part 1: Multi-Layer SSL Pinning Bypass
Layer 1: Exploit Their Own Logging (PREFERRED)
Facebook has built-in SSL key logging infrastructure:
Plain Text
FBSSLKeyMaterialLogger
kFBSSLKeyLoggingKey
sslkeymaterial**Strategy:** Enable their own key logging, then decrypt traffic passively.
JavaScript
// Frida script to enable SSL key logging
if (ObjC.available) {
// Find FBSSLKeyMaterialLogger
var FBSSLKeyMaterialLogger = ObjC.classes.FBSSLKeyMaterialLogger;
if (FBSSLKeyMaterialLogger) {
// Hook the logging method to capture keys
Interceptor.attach(FBSSLKeyMaterialLogger['- logKeyMaterial:'].implementation, {
onEnter: function(args) {
var keyMaterial = ObjC.Object(args[2]);
console.log('[SSL KEY] ' + keyMaterial.toString());
// Write to SSLKEYLOGFILE format for Wireshark
var f = new File('/tmp/facebook_ssl_keys.log', 'a');
f.write(keyMaterial.toString() + '\n');
f.close();
}
});
}
// Also try to find the logging key constant
var modules = Process.enumerateModules();
for (var m of modules) {
if (m.name.includes('FBShared')) {
var exports = Module.enumerateExports(m.name);
for (var e of exports) {
if (e.name.includes('SSLKey')) {
console.log('[FOUND] ' + e.name + ' @ ' + e.address);
}
}
}
}
}**Passive Capture Flow:**
Plain Text
1. Enable FBSSLKeyMaterialLogger via Frida
2. Capture encrypted traffic with tcpdump
3. Import keys into Wireshark (Edit → Preferences → TLS → Pre-Master-Secret log)
4. Decrypt and analyzeLayer 2: Patch Binary SSL Validation (Persistent)
Patch the binary before installation to disable pinning.
**Target Functions:**
| Function | Address | Patch |
|---|---|---|
| `_FBSSLPinningNSURLProtocolProvider` | (class) | Return nil from init |
| `GCDAsyncSocketManuallyEvaluateTrust` | (delegate) | Always return YES |
| `SecTrustEvaluate` wrapper | Multiple | Return errSecSuccess |
**Binary Patching Script (Python):**
Python
#!/usr/bin/env python3
"""
Patch FBSharedFramework to disable SSL pinning.
Run on decrypted binary before re-signing.
"""
import lief
import struct
BINARY_PATH = "./analysis/facebook/345.0/Facebook.app/Frameworks/FBSharedFramework.framework/FBSharedFramework"
MOV_W0_0 = bytes([0x00, 0x00, 0x80, 0x52])
MOV_W0_1 = bytes([0x20, 0x00, 0x80, 0x52])
RET = bytes([0xC0, 0x03, 0x5F, 0xD6])
def patch_function_to_return_zero(binary, func_addr):
"""Patch function to immediately return 0."""
# MOV W0, #0; RET
patch = MOV_W0_0 + RET
binary.patch_address(func_addr, list(patch))
def patch_function_to_return_one(binary, func_addr):
"""Patch function to immediately return 1/true."""
# MOV W0, #1; RET
patch = MOV_W0_1 + RET
binary.patch_address(func_addr, list(patch))
def main():
binary = lief.parse(BINARY_PATH)
# Addresses from binary analysis (relative to base)
SSL_PINNING_TARGETS = {
# These need to be found via Ghidra analysis
# "FBSSLPinningNSURLProtocolProvider_init": 0x...,
# "ssl_trust_evaluate_wrapper": 0x...,
}
for name, addr in SSL_PINNING_TARGETS.items():
print(f"[*] Patching {name} at {hex(addr)}")
if "trust" in name.lower() or "evaluate" in name.lower():
patch_function_to_return_one(binary, addr) # Return success
else:
patch_function_to_return_zero(binary, addr) # Return nil/false
output_path = BINARY_PATH + ".patched"
binary.write(output_path)
print(f"[+] Patched binary written to {output_path}")
if __name__ == "__main__":
main()Layer 3: Runtime Hooking with Detection Evasion
The key is to hide Frida while hooking SSL functions.
**Frida Hiding Techniques:**
JavaScript
/*
* frida-stealth.js
* Hide Frida from Facebook's detection
*/
// 1. Hide from dyld enumeration
var dyld_image_count = Module.findExportByName(null, '_dyld_image_count');
var original_count = new NativeFunction(dyld_image_count, 'int', []);
var hidden_count = 0; // Will be set after counting Frida libs
Interceptor.replace(dyld_image_count, new NativeCallback(function() {
return original_count() - hidden_count;
}, 'int', []));
// 2. Hide from dyld_get_image_name
var dyld_get_image_name = Module.findExportByName(null, '_dyld_get_image_name');
var original_get_name = new NativeFunction(dyld_get_image_name, 'pointer', ['int']);
Interceptor.replace(dyld_get_image_name, new NativeCallback(function(index) {
var name = original_get_name(index);
if (!name.isNull()) {
var str = name.readCString();
if (str && (str.includes('frida') || str.includes('FridaGadget'))) {
// Return next non-Frida library
return original_get_name(index + 1);
}
}
return name;
}, 'pointer', ['int']));
// 3. Bypass _FBIsDebuggerAttached
var FBIsDebuggerAttached = Module.findExportByName('FBSharedFramework', '_FBIsDebuggerAttached');
if (FBIsDebuggerAttached) {
Interceptor.replace(FBIsDebuggerAttached, new NativeCallback(function() {
return 0; // Never attached
}, 'bool', []));
}
// 4. Bypass sysctl P_TRACED check
var sysctl = Module.findExportByName(null, 'sysctl');
Interceptor.attach(sysctl, {
onEnter: function(args) {
this.mib = args[0];
this.oldp = args[2];
},
onLeave: function(retval) {
// Check if querying process info (CTL_KERN, KERN_PROC)
if (!this.mib.isNull()) {
var mib0 = this.mib.readInt();
var mib1 = this.mib.add(4).readInt();
if (mib0 === 1 && mib1 === 14) { // CTL_KERN, KERN_PROC
// Clear P_TRACED flag from kp_proc.p_flag
if (!this.oldp.isNull()) {
var p_flag_offset = 32; // Offset in struct kinfo_proc
var flags = this.oldp.add(p_flag_offset).readU32();
flags &= ~0x800; // Clear P_TRACED (0x800)
this.oldp.add(p_flag_offset).writeU32(flags);
}
}
}
}
});
// 5. Hide from dladdr
var dladdr = Module.findExportByName(null, 'dladdr');
Interceptor.attach(dladdr, {
onEnter: function(args) {
this.info = args[1];
},
onLeave: function(retval) {
if (!retval.isNull() && !this.info.isNull()) {
var dli_fname = this.info.readPointer();
if (!dli_fname.isNull()) {
var path = dli_fname.readCString();
if (path && path.includes('frida')) {
retval.replace(0); // Pretend lookup failed
}
}
}
}
});
console.log('[STEALTH] Frida hiding active');Layer 4: Kernel-Level Interception (Most Reliable)
On jailbroken device, use kernel hooks that don't appear in userspace.
**ktrw/checkra1n approach:**
Bash
kpatch apply /path/to/sectrust_bypass.kpatch
echo "rdr pass on lo0 inet proto tcp from any to any port 443 -> 127.0.0.1 port 8443" | pfctl -ef -Part 2: Audio Encryption Key Extraction
The `audioEncryptionKey` method blocks H3 steganography decoding.
Strategy 1: Hook Key Derivation
JavaScript
/*
* extract_audio_key.js
* Capture the audio encryption key at runtime
*/
if (ObjC.available) {
// Search for audioEncryptionKey selector
var resolver = new ApiResolver('objc');
resolver.enumerateMatches('*[* *audioEncryptionKey*]', {
onMatch: function(match) {
console.log('[KEY] Found: ' + match.name + ' @ ' + match.address);
Interceptor.attach(match.address, {
onLeave: function(retval) {
if (!retval.isNull()) {
var key = ObjC.Object(retval);
console.log('[KEY] audioEncryptionKey returned: ' + key.toString());
// If it's NSData, dump bytes
if (key.$className === 'NSData' || key.$className === '__NSCFData') {
var bytes = key.bytes();
var length = key.length();
console.log('[KEY] Key bytes (' + length + '): ' +
hexdump(bytes, {length: length}));
// Save to file
var f = new File('/tmp/audio_encryption_key.bin', 'wb');
f.write(bytes.readByteArray(length));
f.close();
}
}
}
});
},
onComplete: function() {}
});
// Also search for key derivation functions
var keyDerivationPatterns = [
'*[* deriveKey*]',
'*[* generateKey*]',
'*[* *KeyFromPassword*]',
'*[* *PBKDF*]',
'*[* *HKDF*]'
];
for (var pattern of keyDerivationPatterns) {
resolver.enumerateMatches(pattern, {
onMatch: function(match) {
if (match.name.toLowerCase().includes('audio')) {
console.log('[DERIVE] Found: ' + match.name);
Interceptor.attach(match.address, {
onEnter: function(args) {
console.log('[DERIVE] Called with:');
for (var i = 2; i < 6; i++) {
try {
var arg = ObjC.Object(args[i]);
console.log(' arg' + i + ': ' + arg.toString());
} catch(e) {}
}
},
onLeave: function(retval) {
console.log('[DERIVE] Returned: ' + ObjC.Object(retval).toString());
}
});
}
},
onComplete: function() {}
});
}
}Strategy 2: Decompile GPU Shader
The `FBDynamicImageOverlayFilter` uses GPU shaders for embedding.
Python
#!/usr/bin/env python3
"""
Extract and analyze GPU shaders from FBSharedFramework.
Metal shaders may contain the encoding algorithm.
"""
import subprocess
import re
from pathlib import Path
FRAMEWORK_PATH = Path("./analysis/facebook/345.0/Facebook.app/Frameworks/FBSharedFramework.framework")
def find_metal_shaders():
"""Find compiled Metal shader libraries."""
shaders = []
# Metal shaders are typically in .metallib files
for metallib in FRAMEWORK_PATH.rglob("*.metallib"):
shaders.append(metallib)
# Also check for embedded shader bytecode
binary = FRAMEWORK_PATH / "FBSharedFramework"
# Search for Metal shader signatures in binary
with open(binary, 'rb') as f:
data = f.read()
# Metal shader magic bytes
mtlp_offsets = [m.start() for m in re.finditer(b'MTLP', data)]
air_offsets = [m.start() for m in re.finditer(b'AIR\x00', data)]
print(f"[*] Found {len(mtlp_offsets)} MTLP headers")
print(f"[*] Found {len(air_offsets)} AIR (Apple IR) sections")
return mtlp_offsets, air_offsets
def extract_shader_at_offset(binary_path, offset, size=4096):
"""Extract shader bytecode from binary."""
with open(binary_path, 'rb') as f:
f.seek(offset)
return f.read(size)
def decompile_metal_shader(shader_bytes):
"""
Attempt to decompile Metal shader.
Note: Requires metal-tools or third-party decompiler.
"""
# Write to temp file
with open('/tmp/shader.metallib', 'wb') as f:
f.write(shader_bytes)
# Try using metal-objdump if available
try:
result = subprocess.run(
['xcrun', 'metal-objdump', '-d', '/tmp/shader.metallib'],
capture_output=True, text=True
)
return result.stdout
except:
return "Metal tools not available"
if __name__ == "__main__":
mtlp, air = find_metal_shaders()
# Look for overlay filter shader
# The FBDynamicImageOverlayFilter likely has a specific shaderStrategy 3: Reverse the Encoding Algorithm
Based on the byte patterns found:
Plain Text
XOR Keys: 0x6D, 0xB6, 0xDB, 0x49, 0x92, 0x24
Frame delimiter: 4B FC 41 3C 0F
Python
#!/usr/bin/env python3
"""
Attempt to decode audio from LSB-extracted data using known patterns.
"""
import numpy as np
from scipy.io import wavfile
from pathlib import Path
XOR_KEYS = [0x6D, 0xB6, 0xDB, 0x49, 0x92, 0x24, 0x00, 0xFF]
FRAME_DELIMITER = bytes([0x4B, 0xFC, 0x41, 0x3C, 0x0F])
def load_lsb_data(filepath):
"""Load raw LSB-extracted data."""
with open(filepath, 'rb') as f:
return f.read()
def find_frames(data):
"""Split data by frame delimiters."""
frames = []
parts = data.split(FRAME_DELIMITER)
for part in parts:
if 55 <= len(part) <= 92: # Expected frame sizes
frames.append(part)
return frames
def try_xor_decode(data, key_pattern):
"""Try XOR decoding with pattern."""
key = bytes([key_pattern] * len(data))[:len(data)]
return bytes(a ^ b for a, b in zip(data, key))
def extract_signal_bytes(data):
"""Separate signal bytes from pattern bytes."""
signal = bytearray()
for b in data:
if b not in XOR_KEYS:
signal.append(b)
return bytes(signal)
def try_mulaw_decode(data):
"""Decode as mu-law (telephony codec)."""
import audioop
try:
return audioop.ulaw2lin(data, 2)
except:
return None
def try_alaw_decode(data):
"""Decode as A-law (telephony codec)."""
import audioop
try:
return audioop.alaw2lin(data, 2)
except:
return None
def decode_with_encryption_key(data, key):
"""
Decode using extracted encryption key.
Key format TBD based on runtime extraction.
"""
# Placeholder for key-based decryption
# Will be implemented once key is captured
pass
def main():
lsb_files = Path(".").glob("*.raw")
for lsb_file in lsb_files:
print(f"\n[*] Processing {lsb_file.name}")
data = load_lsb_data(lsb_file)
# Extract signal bytes
signal = extract_signal_bytes(data)
print(f" Total: {len(data)} bytes, Signal: {len(signal)} bytes")
# Try each XOR key
for key in XOR_KEYS:
decoded = try_xor_decode(signal, key)
# Try mu-law
pcm = try_mulaw_decode(decoded)
if pcm:
output = f"/tmp/decoded_{lsb_file.stem}_xor{key:02x}_mulaw.wav"
wavfile.write(output, 8000, np.frombuffer(pcm, dtype=np.int16))
print(f" [+] Wrote {output}")
# Try A-law
pcm = try_alaw_decode(decoded)
if pcm:
output = f"/tmp/decoded_{lsb_file.stem}_xor{key:02x}_alaw.wav"
wavfile.write(output, 8000, np.frombuffer(pcm, dtype=np.int16))
print(f" [+] Wrote {output}")
if __name__ == "__main__":
main()Part 3: Comprehensive Proxy Architecture
Architecture Diagram
Plain Text
┌─────────────────────────────────────────────────────────────────────────────┐
│ ANALYSIS HOST (macOS/Linux) │
│ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Frida Server │ │ mitmproxy │ │ Wireshark │ │
│ │ (stealth mode) │ │ (SSL intercept) │ │ (key-based) │ │
│ └────────┬────────┘ └────────┬────────┘ └────────┬────────┘ │
│ │ │ │ │
│ │ ┌───────────────┴───────────────┐ │ │
│ │ │ SSL Key Logger │ │ │
│ │ │ /tmp/facebook_ssl_keys.log │───┘ │
│ │ └───────────────────────────────┘ │
│ │ │
└───────────┼────────────────────────────────────────────────────────────────┘
│
USB │
│
┌───────────┼────────────────────────────────────────────────────────────────┐
│ │ JAILBROKEN iPHONE (iOS 15.1) │
│ ▼ │
│ ┌─────────────────┐ │
│ │ frida-server │──────────────────────────────────────┐ │
│ │ (hidden) │ │ │
│ └─────────────────┘ │ │
│ │ │
│ ┌────────────────────────────────────────────────────────▼─────────────┐ │
│ │ FACEBOOK APP │ │
│ │ │ │
│ │ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │ │
│ │ │ HOOKED │ │ HOOKED │ │ HOOKED │ │ │
│ │ │ _FBIsDebugger │ │ FBSSLKeyMaterial│ │ audioEncryption │ │ │
│ │ │ Attached │ │ Logger │ │ Key │ │ │
│ │ │ → returns NO │ │ → dumps keys │ │ → dumps key │ │ │
│ │ └─────────────────┘ └─────────────────┘ └─────────────────┘ │ │
│ │ │ │
│ │ ┌─────────────────────────────────────────────────────────────────┐ │ │
│ │ │ AUDIO CAPTURE PIPELINE │ │ │
│ │ │ FBCCAudioCapturer → CMSampleBuffer → embedding → upload │ │ │
│ │ │ ▼ │ │ │
│ │ │ [DA-004 dumps audio buffers here] │ │ │
│ │ └─────────────────────────────────────────────────────────────────┘ │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────┐ │
│ │ tcpdump │── Captures encrypted traffic ──→ analysis.pcap │
│ └─────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
DECRYPTION FLOW:
1. SSL keys logged via hooked FBSSLKeyMaterialLogger
2. Encrypted traffic captured via tcpdump
3. Keys imported to Wireshark
4. Traffic decrypted and analyzed
5. Audio payloads identified in uploadsPart 4: Gap-Closing Execution Plan
Phase 1: Environment Setup (Day 1)
Bash
pip install frida-tools mitmproxy pyshark --break-system-packages
ssh root@$IPHONE_IP "apt install frida tcpdump"
frida-ps -U | grep -i facebookPhase 2: Deploy Stealth Hooks (Day 1)
Bash
frida -U -f com.facebook.Facebook \
-l frida-stealth.js \
-l extract_ssl_keys.js \
-l extract_audio_key.js \
--no-pausePhase 3: Traffic Capture (Day 1-2)
Bash
ssh root@$IPHONE_IP "tcpdump -i any -w /tmp/fb_traffic.pcap port 443"
scp root@$IPHONE_IP:/tmp/fb_traffic.pcap .
scp root@$IPHONE_IP:/tmp/facebook_ssl_keys.log .
wireshark -o "tls.keylog_file:facebook_ssl_keys.log" fb_traffic.pcapPhase 4: Audio Key Extraction (Day 2)
Bash
frida -U com.facebook.Facebook -l extract_audio_key.js
python3 decode_with_key.py --key /tmp/audio_encryption_key.binPhase 5: Evidence Collection (Day 2-3)
| Evidence | Method | H3/H4 Impact |
|---|---|---|
| Captured SSL keys | FBSSLKeyMaterialLogger hook | +10% H4 |
| Decrypted packets | Wireshark + keys | +15% H4 |
| Audio in uploads | Packet analysis | +5% H4 |
| Audio encryption key | Runtime hook | +15% H3 |
| Intelligible audio | Decode with key | +9% H3 |
Part 5: Confidence Projections
After Successful Execution
| Hypothesis | Current | Projected | Method |
|---|---|---|---|
| H1 | 82% | 85% | Additional runtime evidence |
| H2 | 70% | 78% | Trace suppression flags |
| **H3** | **71%** | **95%** | Decode intelligible audio |
| **H4** | **65%** | **95%** | Capture packet with audio |
| H5 | 72% | 80% | Capture MobileConfig flag |
Evidence Required for 95%
**H3 (Steganography):**
- undefined
**H4 (Network Exfiltration):**
- undefined
Files to Create
- undefined
*SSL Bypass Strategy v1.0* *Target: Facebook iOS v345.0* *Classification: Investigation Internal*