Nerixyz / instagram_mqtt

Realtime and Push Notification (FBNS) support for the instagram-private-api
MIT License
244 stars, 49 forks

Decrypting tls requests #111

Closed. Lemmedie closed this 4 months ago.

Lemmedie commented 4 months ago

Hey, I've installed an Instagram build with SSL pinning removed; now I can capture all requests decrypted, but the TCP requests to mqtt-mini and edge-mqtt are still encrypted. I followed your instructions, but it didn't work.

[Screenshot 2024-02-06 092756]

Nerixyz commented 4 months ago

You're looking at a decrypted packet. The payload is just deflate-compressed. You need to inflate the payload (starting at the 0x78). You can use a tool like CyberChef. Also note that the connect payload is in the Thrift binary format.

Lemmedie commented 4 months ago

This is my mitm flow (flows.zip); can you please tell me how you convert it to a readable format?

Nerixyz commented 4 months ago

> This is my mitm flow (flows.zip); can you please tell me how you convert it to a readable format?

Start from the UTF-8 `x` and work from there (actually, the length is specified before that). Doing that in the first item of your flow, you'll end up with:

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

If you put that in https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')Zlib_Inflate(0,0,'Adaptive',false,false) you'll get something.

Lemmedie commented 4 months ago

> > This is my mitm flow (flows.zip); can you please tell me how you convert it to a readable format?
>
> Start from the UTF-8 `x` and work from there (actually, the length is specified before that). Doing that in the first item of your flow, you'll end up with:
>
> 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
>
> If you put that in https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')Zlib_Inflate(0,0,'Adaptive',false,false) you'll get something.

Yeah, I see now, thank you very much. I'm just wondering why valga's FBNS has not been receiving direct message pushes for a month (it receives other notifications like new post, new follower, ...), while it acts like what is in my flow.

Nerixyz commented 4 months ago

> Yeah, I see now, thank you very much. I'm just wondering why valga's FBNS has not been receiving direct message pushes for a month (it receives other notifications like new post, new follower, ...), while it acts like what is in my flow.

FBNS was always unreliable. At least for direct messages, Realtime is probably better.

Lemmedie commented 4 months ago

Actually, it was working great for me, especially for direct messages, for the last two years; I never missed a direct message. The thing is that I can see the packets for directs coming in when I'm capturing the emulator, but nothing arrives in valga's FBNS related to directs (only the direct pushes are missing). Also, I think FBNS is better because staying in the foreground for too long makes Instagram sensitive, whereas FBNS works in the background, and with Realtime you miss the messages sent while you were offline.