Using eCapture with telegram android app
Closed this issue · 9 comments
Hi, I am new here. I want to use eCapture to capture the Telegram Android app's TLS traffic. I tried to use the --libssl flag with the libssl.so path, but it seems like Telegram is using its own library, libtmessages.49.so.
What do I need to do to make it work with Telegram?
This appears when I try to use option -l-libssl for libtmessages.49.so.
2024-07-01T09:39:01Z INF AppName="eCapture(旁观者)"
2024-07-01T09:39:01Z INF HomePage=https://ecapture.cc
2024-07-01T09:39:01Z INF Repository=https://github.com/gojue/ecapture
2024-07-01T09:39:01Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-07-01T09:39:01Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-07-01T09:39:01Z INF Version=androidgki_amd64:0.8.3-20240619-5a66d6a:6.8.0-36-generic
2024-07-01T09:39:01Z WRN ========== module starting. ==========
2024-07-01T09:39:01Z INF Kernel Info=6.1.23 Pid=6029
2024-07-01T09:39:01Z WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use `-b 2` to specify non-CORE mode.
2024-07-01T09:39:01Z INF BTF bytecode mode: CORE. btfMode=0
2024-07-01T09:39:01Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2024-07-01T09:39:01Z INF listen=localhost:28256
2024-07-01T09:39:01Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-07-01T09:39:01Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-07-01T09:39:01Z INF Module.Run()
2024-07-01T09:39:01Z INF OpenSSL/BoringSSL version found BoringSSL Version=14
2024-07-01T09:39:01Z INF Hook masterKey function ElfType=2 Functions=["SSL_in_init"] binrayPath=/data/app/~~14TNtZlD7bokMWLeGsANhQ==/org.telegram.messenger.web-hmfXZNuv6vWZNHqR-CjJIQ==/lib/x86_64/libtmessages.49.so
2024-07-01T09:39:01Z INF target all process.
2024-07-01T09:39:01Z INF target all users.
2024-07-01T09:39:01Z INF setupManagers eBPFProgramType=Text
2024-07-01T09:39:01Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_14_kern_core.o
2024-07-01T09:39:02Z FTL module run failed, skip it. error="couldn't start bootstrap manager error:7 errors occurred:\n\t* error:opening uprobe: symbol SSL_write: not found , isRet:false, opts:&{0 0 0 0 0 }, {UID:, EbpfFuncName:probe_entry_SSL_write}\n\t* error:opening uprobe: symbol SSL_write: not found , isRet:true, opts:&{0 0 0 0 0 }, {UID:, EbpfFuncName:probe_ret_SSL_write}\n\t* error:opening uprobe: symbol SSL_read: not found , isRet:false, opts:&{0 0 0 0 0 }, {UID:, EbpfFuncName:probe_entry_SSL_read}\n\t* error:opening uprobe: symbol SSL_read: not found , isRet:true, opts:&{0 0 0 0 0 }, {UID:, EbpfFuncName:probe_ret_SSL_read}\n\t* error:opening uprobe: symbol SSL_set_fd: not found , isRet:false, opts:&{0 0 0 0 0 }, {UID:uprobe_ssl_set_fd, EbpfFuncName:probe_SSL_set_fd}\n\t* error:opening uprobe: symbol SSL_set_rfd: not found , isRet:false, opts:&{0 0 0 0 0 }, {UID:uprobe_ssl_set_rfd, EbpfFuncName:probe_SSL_set_fd}\n\t* error:opening uprobe: symbol SSL_set_wfd: not found , isRet:false, opts:&{0 0 0 0 0 }, {UID:uprobe_ssl_set_wfd, EbpfFuncName:probe_SSL_set_fd}\n\n, probes activation validation failed ." isReload=false
Is /lib/x86_64/libtmessages.49.so a communication library for SSL encryption?
You need to manually perform static analysis to determine if this library contains the SSL_write symbol.
Telegram has source code, and it has SSL_write and SSL_read
(https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/jni/boringssl/ssl/ssl_lib.cc)
Line 1100 SSL_write
Line 1001 SSL_read
And Ghidra analysis found these functions in libtmessages.49.so.
Please manually check whether SSL_write is in the symbol table of libtmessages.49.so. If not, you need to manually determine its offset and then recompile the project.
refer: #407
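As an added illustration of the advice above to check the symbol table before attaching uprobes (example code, not from this issue or from eCapture): a stdlib-only ELF64 symbol lookup run against a constructed stand-in library, showing that a stripped SSL_write/SSL_read yields no usable uprobe offset while an exported SSL_do_handshake does, and that an undefined (imported) entry must not be mistaken for a hookable one. The sample library bytes, the fake section index and the addresses are all constructed for the demonstration; the real libtmessages.49.so has to be pulled from the device and passed in as bytes.

```python
import struct

SHT_STRTAB, SHT_SYMTAB, SHT_DYNSYM, SHN_UNDEF = 3, 2, 11, 0  # ELF64 constants (pure stdlib parser)
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr
SYM = struct.Struct("<IBBHQQ")              # Elf64_Sym

def elf64_symbols(data):
    """Return {name: (st_value, is_defined)} from every .symtab/.dynsym section."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    hdr = EHDR.unpack_from(data, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    found = {}
    for sh in shdrs:
        if sh[1] not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        strtab = shdrs[sh[6]]                      # sh_link -> associated string table
        strs = data[strtab[4]:strtab[4] + strtab[5]]
        for off in range(sh[4], sh[4] + sh[5], SYM.size):
            st_name, _, _, st_shndx, st_value, _ = SYM.unpack_from(data, off)
            if st_name:                            # skip the null symbol / unnamed entries
                name = strs[st_name:strs.index(b"\0", st_name)].decode()
                found[name] = (st_value, st_shndx != SHN_UNDEF)
    return found

def uprobe_targets(data, names=("SSL_write", "SSL_read", "SSL_do_handshake")):
    """Map each hook name to a usable symbol value, or None when the library lacks it.
    An undefined (imported) entry is not a valid uprobe target either. Caveat: st_value is
    the link-time vaddr; translate via program headers if .text's file offset differs."""
    syms = elf64_symbols(data)
    return {n: syms[n][0] if n in syms and syms[n][1] else None for n in names}

def build_sample_lib():
    """Constructed ELF64 .so: exports SSL_do_handshake, imports SSL_write, has no SSL_read."""
    dynstr = b"\0SSL_do_handshake\0SSL_write\0"           # name offsets 1 and 18
    syms = SYM.pack(0, 0, 0, 0, 0, 0)                      # mandatory null symbol
    syms += SYM.pack(1, 0x12, 0, 5, 0x1234, 0x40)          # GLOBAL FUNC, defined (fake .text idx 5)
    syms += SYM.pack(18, 0x12, 0, SHN_UNDEF, 0, 0)         # GLOBAL FUNC, undefined import
    shstr = b"\0.dynstr\0.dynsym\0.shstrtab\0"             # name offsets 1, 9, 17
    dynstr_off, dynsym_off = EHDR.size, EHDR.size + len(dynstr)
    shstr_off, shoff = dynsym_off + len(syms), dynsym_off + len(syms) + len(shstr)
    shdrs = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                                     # SHT_NULL
    shdrs += SHDR.pack(1, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)        # .dynstr
    shdrs += SHDR.pack(9, SHT_DYNSYM, 0, 0, dynsym_off, len(syms), 1, 1, 8, SYM.size)   # .dynsym, link=1
    shdrs += SHDR.pack(17, SHT_STRTAB, 0, 0, shstr_off, len(shstr), 0, 0, 1, 0)         # .shstrtab
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + bytes(9), 3, 0xB7, 1, 0, 0, shoff, 0, EHDR.size, 0, 0, SHDR.size, 4, 3)  # ET_DYN, AArch64
    return ehdr + dynstr + syms + shstr + shdrs
```

For a real library, read the .so into bytes and call uprobe_targets on it; any name that maps to None has to be resolved by hand (disassembly, then an explicit offset) before eCapture can attach to it.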
You can use SSL_do_handshake instead of the SSL_init function.
I'll try it in the near future. Maybe I can also write a demonstration article.
You can use SSL_do_handshake instead of the SSL_init function.
@BanCock hello, is your issue resolved?
Closed due to no response.