ReverseEngineering
Jul 2, 2020
Snapchat Reverse Engineering - Part 1 - Snapchat Account Creator Bot - API based


This is part 1 of a few planned Snapchat journey threads.

Part 1 covers the creation of a standalone Snapchat account creator bot. Part 2 will cover a different topic.


Goal:

- Develop a standalone Snapchat account creator bot for the mass creation of Snapchat accounts, based on the secret Snapchat API.


Progress:

- around 70 % (progress bar: 0 to 100)


Duration so far:

- more than 6 months of daily work


Specials:

- High throughput, mass creation, up to 2000 1000 Snapchat account creations per day (!).
- No requirement of connected phones or tablets.
- No requirement of emulators (Google Android, Apple iOS).
- No requirement of browser emulations.
- No usage of the web interfaces at accounts.snapchat.com or web.snapchat.com.
- Based on the reverse engineered secret Snapchat API. [1]
- No requirement of SMS account verifications.
- Account verifications by email API (internal, external by provider). [2]
- No requirement of own hardware (PC, Apple Mac) at home/at the office.
- No headaches about local bandwidth, local power consumption, local air condition, local outages.
- Complete remote server solution (Linux).
- Upscaling by adding more server hardware.
- Management console via browser (setup, monitoring, speed adjustments etc.).


Current situation:

- The automated creation or "mass creation" of Snapchat accounts is the most complicated part at Snapchat since November 2023.

- Most important fact: The source code is NOT for sale. Not even for US$ 1 M. ;-)
- The video shows an SSH "terminal" window under macOS. It's connected via SSH to a remote dedicated Linux server running at a data center. The Snapchat account creator will be started at the Linux console by hand using several command line switches. As you can see, there is no fancy GUI, since everything will be controlled by a browser interface (once set up, everything will run 24/7 in the background).
- 3 different people asked me to realize the Snapchat account creator based on Snapchat for Android, because they need the original Snapchat "access tokens" to be imported into their own small Snapchat bots.
- The Snapchat account creator based on Snapchat for iOS still works as of today (June 4th, 2024), but it needs some speed improvements and new workflows (e. g. randomize usernames etc.).


Steps:

[x] Inspect Snapchat 12.8x.x.x in detail. [3] - success
[x] Reverse engineer the secret Snapchat API for Apple iOS. [1] - success
[x] Reverse engineer the secret Snapchat API for Google Android. [1] - success
[x] Bypass the "hard coded" SSL encryption (so called "SSL pinning", therefore now "SSL unpinning"). [4] - success
[x] Inspect all relevant HTTP/2.0 requests. [5] - success
[x] Inspect all "encoded" gRPC Protobuf requests (to the Snapchat servers). [6] [7] - success
[x] Inspect all "encoded" gRPC Protobuf responses (from the Snapchat servers). - success
[-] Research possible hidden HTTP/3.0 requests. [8] - TODO
[-] Research possible hidden WebSockets requests. [9] - TODO
[?] Increase the lifetime of automatically created Snapchat accounts (no early locks or permanent bans). - pending
[?] Lock/ban impact: Connection quality research (data center, residential, rotating residential, 4G/5G). - pending
[?] Lock/ban impact: Email provider quality research (free mailer, Gmail, own domains, disposable email provider). - pending
[?] Lock/ban impact: Device data (readable by Google Android only). - pending
... to be continued

(as of June 4th, 2024)


What doesn't work anymore as of June 2024:

- Currently all Snapchat accounts that you create sort of automated with Android phones by using known automation solutions won't live very long.
- Once you create more than 50 or 100 accounts per day (!) by using proxy servers, data center IP addresses etc. Snapchat will ban them permanently. Sometimes the accounts are just 2 hours alive.
- Before November 2023 Snap Inc. just locked the accounts temporarily, to be unlocked by visiting accounts.snapchat.com.
- Starting end of 2024 Snap Inc. started a sort of new security campaign and became very strict.
- Unfortunately Google allows owners of Android apps to transfer very sensitive device data to them (e. g. device ID, IMEI, WiFi network names, WiFi networks in your area, location data, battery status etc.). That makes it easy for companies like Snap Inc. to detect patterns, since you leave a lot of footprints.
- Apple iOS doesn't allow the transfer of device data, so accounts created with Snapchat for iOS have a longer lifetime.
- So the main goal is to detect all possible loop holes at the Snapchat server structure to increase the lifetime of mass created Snapchat accounts.


My toolset:

- IDA Pro for macOS
- Ghidra for macOS
- WireShark for macOS
- 5 different proxy server types by 4 different suppliers (e. g. custom coded C/C++ extensions for Squid)
- my own Protobuf "cracker" (custom coded in C++) for Linux
- vim editor for Linux (I love to code live at the Linux console)
- several Linux servers at the Intranet
- several dedicated Linux servers at different colocation data centers
- special managed Intranet 1 GBit switches (with custom extensions)
- redundant high speed DSL
- several Apple Mac computers at the Intranet (2 iMacs, 2 MacBook Pro, ...)
- 5 Apple iPhones (15 Pro Max, 14 Pro Max, 13 Pro Max, ...)
- 2 Apple iPad Pro
- 12 Samsung Android devices
- ...


My skills:

- Reverse engineering in full-time since 2016
- Full-time bot creator since 2016
- Internet marketing since 20xx
- C/C++ developer in full-time since 20xx
- Apple Swift developer (iOS apps, macOS tools)
- Full stack developer
- Located at West Europe UTC+2


FAQ:

Q: Is this your first Snapchat bot solution?

A: No, I created a little Snapchat bot for daily tasks back in 2021 already. So for logins, sending story posts, sending Snaps (text, images, links), responding to Snaps (text, images, links), adding friends etc. But Snapchat changed their internal API a lot, so the old Snapchat bot didn't work anymore mid of 2023. End of 2023 I started again by reverse engineering the massively changed Snapchat API based on version 12.x.x.x.


Q: Why don't you use Android emulators?

A: The Snapchat servers detect the usage of Android emulators since 2019 or so. The detection part of the Android app is not written in Java (to be decompiled for Android), they use external libraries written in C/C++. So the lifetime of your Snapchat accounts will be reduced, you also may receive temporary locks earlier.


Q: Why don't you use the web interfaces at accounts.snapchat.com and web.snapchat.com?

A: The mass account creation at accounts.snapchat.com or web.snapchat.com didn't work for me. They always asked for additional SMS verifications. This doesn't matter you create only 10 or 20 Snapchat accounts. But what about the costs for 2000 Snapchat accounts created every single day? It's very easy to run browser emulations, but how would you scale up your business to run 2000 Snapchat accounts daily, each with 500+ friends, and handle incoming Snaps to be immediately answered? Besides the fact that every message you will send will be marked with "Web". And - let's be honest - that's a real conversion killer for whatever leads you want to generate.


Q: How long would it take me to learn all basics (SSL unpinning, GRPC, Protobuf, disassembling external libraries, rebuilding HTTP/2.0 GRPC requests)?

A: Even if you are an experienced full-time developer it would take you months. Snapchat implemented some nice "traps" to make it as complicated as possible for starters. So it could happen that you fail for 2 or 3 weeks calling a certain API endpoint and one day you will find the permanent solution.


Q: Many people write about SSL unpinning, decompilers and such at the net. It doesn't seem that complicated to me.

A: Besides the fact that Snap Inc. reads/watches such tutorials also, they love to take them down. This happened many times at GitHub starting with "Casper". Afterwards they patched their servers immediately. So you should be aware that most still existing tutorials are outdated or kept short intentionally.



Again I have to say: The source codes are NOT for sale. Not even for US$ 1 M. ;-)


And now it's up to you:

- Which of the above topics you would like to be covered in detail?
- Do you need screenshots for certain things (e. g. a typical GRPC Protobuf request in binary/hex/real, a typical Ghidra session)?
- What's your personal experience regarding the lifetime of mass created Snapchat accounts?
- Please let me know your thoughts, ideas, worries, experience.


Anyways, this journey thread will be updated to inform you about success and fails, my progress, results of my test cases and to answer your questions.

Short updates (random daily work) will be posted at my BHW profile: https://www.blackhatworld.com/members/reverseengineering.1413206/

So maybe you should follow me here at BHW to keep you up-to-date? https://www.blackhatworld.com/members/reverseengineering.1413206/follow



Some easy terms have been used to make it easier for non-professionals to read and understand the concept. For example: I wrote "access tokens", "hard coded" or "encoded" although there is much more behind.


(I am not native English/American, so please excuse any spelling or grammar mistakes.)


Thank you to @reaaski for his inspiration to create this journey thread finally. ;-)


Side notes (linked from above):

[1] The secret, hidden, internal Snapchat API has nothing to do with the official Snapchat Marketing API: https://developers.snap.com There is no documentation of the internal Snapchat API, so reverse engineering is required to discover the background.

[2] The email verification by real, permanently available email addresses is important. Because once you switch your connection type or your device (if you do real life logins), or Snapchat detects another change, you will be forced to re-verify your account with a code sent by email. So the usage of disposable email providers makes no sense.

[3] Snap Inc. reads StackOverflow, GitHub and also scans for new "how to" tutorials regarding their secret Snapchat API. They took down many repositories at GitHub already, starting with "Casper". So I don't want to reveal the real Snapchat app version I target at the moment. Otherwise they could patch some loop holes I found. For the same reason I didn't release code snippets at GitHub or StackExchange.

[4] SSL pinning: (follows, I didn't find a noob-friendly explanation so far)

[5] HTTP/2.0 aka SPDY: https://en.wikipedia.org/wiki/HTTP/2

[6] gRPC (Google Remote Procedure Calls): https://en.wikipedia.org/wiki/GRPC

[7] Protobuf (Protocol Buffers): https://en.wikipedia.org/wiki/Protocol_Buffers

[8] HTTP/3.0 aka QUIC: https://en.wikipedia.org/wiki/HTTP/3

[9] WebSockets: https://en.wikipedia.org/wiki/WebSocket

 
Please can you suggest where I can learn reverse engineering? I'm already a backend dev and I do minor reverse engineering (Burp + Frida) but I would love to learn how to reverse native libraries. Would appreciate if you could recommend a tutorial. Thanks in advance
 
It would be easier for me to answer this complicated question, if you tell me the OS (Google Android or Apple iOS) and the first app you would like to start with.
 
Would love to begin with Android.

Still complicated, because you didn't tell me the name of the app. But I will try:

- You should forget Frida, Xposed & Co. Large social media apps detect the usage and ghost your content, lock you temporarily, ban you.
- I would start with a simple unzip of the ".apk" file, there you will find a subdirectory "lib" with all libraries named ".so"
- If you don't find many ".so" files you can be happy, because the largest part can be decompiled only (JADX etc.).
- If there are many ".so" files, you should research about Ghidra. Some people don't like it because the USA NSA created it. So you can never know...
- Of course you should check if this app uses SSL pinning, so import the Burp certificate at your Android device. I am personally a bigger fan of Charles.
- If you can see the real unencoded traffic you can be happy again. If not, you should read as much as possible about SSL unpinning. Again, please be aware that Frida could be detected easily (same for Magisk modules).

Good luck!
 
If it is done through API, why only 2,000/daily?

I knew exactly this question would pop up. Haha. ;-)

2,000 freshly created accounts that have a lifetime of a few weeks are the first goal. Let's see what happens next week. ;-)

Somebody told me that he would be totally glad to have accounts for just 24 to 48 hours. But he used to have a supplier who created 5,000 per day for him.

Anyways, it will be a long road and a huge test case.
 
Good luck, I hope it turns out worth it for you!
 
Snapchat Reverse Engineering - Part 1 - Snapchat Account Creator Bot - API based


Update 1 (June 4th, 2024)


Progress:

- around 70 % (progress bar: 0 to 100)


Some great news today:

1. As explained earlier [1] I set up several different test cases to increase the lifetime of freshly mass created Snapchat accounts.
2. Goal: Accounts that will be created with the Snapchat account creator bot should have a lifetime of a few weeks. Although Snapchat may lock them earlier due to "aggressive" messaging with affiliate links etc. (but that's totally normal and therefore okay).
3. Today I checked accounts that have been created during last weekend (June 1st, June 2nd): They are still alive, working, not ghosted. Perfect!


What did I change for this test case?

1. Last week I found another 2 glitches at the HTTP/2.0 communication between a small Snapchat bot of mine and the Snapchat servers.
2. So I created a quick and dirty prototype implementation to use also these 2 glitches. Let's see what will happen in a few days with the weekend accounts.
3. Additionally I switched my proxy network a few times to test different "IP quality" levels.


Screenshots:

Yesterday somebody asked me to provide some screenshots of a typical HTTP/2.0 gRPC Protobuf Snapchat request:

[Screenshot hex-dump-20240604.png: HTTP/2.0 gRPC Protobuf snippet as hex dump under Linux]

[Screenshot protobuf-20240604.png: HTTP/2.0 gRPC Protobuf snippet "decoded" with my own custom Protobuf "cracker" under Linux [1]]


So, you may notice that it's not that easy anymore as with Snapchat 10.x (HTTP/1.1 with simple HTTPS POST and GET requests). ;-)

(To all Snapchat professionals: Yes, I removed sensitive data like the user ID.)



Side notes (linked from above):

[1] https://www.blackhatworld.com/seo/s...-creator-bot-api-based.1604235/#post-17756786

 
Wow this is impressive!

What has been the most challenging problem to solve in all of this?

From an outsider's perspective, it looks to me like fiddling around with the HTTP requests and creating custom crackers must be most difficult.

Is this your career? Or do you have a developer job as a main income?
 
The biggest challenge? To understand how Snapchat detects most of the spam, for me to bypass it.

Some may say: SSL unpinning, but this is just always the same challenge for every new app and mostly every new app release version.

I am a full-time reverse engineer and developer. So if a project is about to get finished soon I sometimes work 18 and more hours per day to make customers happy. ;-)
 
This is a good job, Snapchat is one of the platforms which is hard to deal with if you are not on Mobile.

Thank you.

Yes, but even with a mobile farm of 50 iPhones you can't scale up to 2000 or more parallel Snapchat accounts responding immediately to incoming Snaps (2000 accounts x 500 friends each = headache).

I did not understand what I would benefit from this article

What exactly don't you understand, how can I help you?

I guess some previous Snapchat bot users may have found some nice tricks how to proceed with Snapchat's new API. I know that a lot of affiliates or OMF agencies had to stop with Snapchat during 2023. And further hints will follow.
 
Honestly, my team is creating over 500 accounts manually every day :D
 