
Spark AR Effects From Instagram

This document provides instructions for reverse engineering the Instagram app to extract Spark AR effect files (.arfx) from it. It explains how to decompile and modify the app's bytecode to log effect links to the logcat when viewing effects. This allows downloading the arfx files, extracting various assets like textures, scripts and materials that can be reused to aid in creating new effects.

Uploaded by

Ikbar F. A.

Download Spark AR Effects from Instagram — Reverse Engineering

Have you ever wished you could copy some parts of an Instagram effect? Well, it’s possible

Michele Renzullo

1 day ago·6 min read

I know it’s not ethical, but if everyone has the same advantage, it won’t be an advantage anymore. I’ve reported this technique to grab, improperly read arfx files and extract many parts of them to the WhiteHat Facebook Program two times; they don’t consider it relevant and I’ve been authorized to publish this article.

If you’re a Spark AR Creator you know that ideas are very important. Sometimes you stare at other creators’ effects for hours, thinking about how damn good they are or what you could have changed. If you’ve read the subtitle, let me tell you that copying even a few parts of them is useless: it’s not productive and it won’t get you anywhere. But taking a cue as a starting point to do better is a great thing, IMHO.

It’s already happened before, but Spark AR denied everything.


Technical Part

On Android, every time we “open” the Instagram camera, or “see” or “save” a new effect (on save we’ll do the magic), the file “ig_mq_asset_prefs.xml” gets updated. This is a JSON list of all the effects with their links. We can grab the links when they’re written, download the arfx files and extract them, because they aren’t encrypted. How do we grab the links? In summary, we need to reverse engineer the Instagram app and insert a logcat call at a precise point. Let’s do this!

NOTE: Inside an arfx file we won’t find the patches used, because they are integrated into main.json. We will find png textures, scripts, 3D gltf files, font files and also compressed textures (ktx files, which we can convert back to png). We can also take a look into main.json and copy opacity and roughness values, the type of material, etc.

Requirements: App version: any version of Instagram >v156 (in this example I’ll use v169.0.0.17.135 build 261690888; I’ve tested since v156.0.0.18.109b); a Windows or Linux PC with Java; adb, zipalign and apksigner from the Android Studio SDK (or installed with apt-get install …); the smali 2.4.0 jar by JesusFreke; the apktool 2.5.0 jar by iBotPeaches; brotli 1.0.9 by Google.

Extra: on Windows, as an alternative to brotli you can use PeaZip (to extract or compress .tar.br archives); PVRTexTool (to decompress ktx into png files); baksmali-2.4.0.jar and binwalk (or searchbin) to find the hex offset.
1. Download the Instagram apk file from any mirror, or pull it from your device through adb:
adb shell
pm list packages -f | grep "instagram"
exit
adb pull "/data/data/data/app/com.instagram.android-…/" "C:\Users\…"

2. Decompile only the source code of the dex files:
java -jar apktool.jar d -ro output\instagram\ instagram.apk

3. Search for this string, on Windows with findstr or on Linux with grep:
findstr /s "p1".*."Lcom/instagram/camera/effect/models/CameraAREffect;->A0M:Ljava/lang/String;" output\instagram\*.smali
grep -r "iget-object v1, p1, Lcom/instagram/camera/effect/models/CameraAREffect;->A0M:Ljava/lang/String;" --include=\*.smali output/instagram
IMPORTANT: The string could change in future versions, and so could the bytecode hex pattern, but the pattern should survive for more versions than the exact string. To find the exact offset, search for this pattern in each classes.dex; I suggest a simple Python script like “searchbin”, or “binwalk” on Linux.
This is the hex pattern since v168:
54 ?? ?? ?? 38 ?? ?? ?? 1A ?? ?? ?? 6E ?? ?? ?? ?? ??
54 ?? ?? ?? 38 ?? ?? ?? 1A ?? ?? ?? 6E ?? ?? ?? ?? ??
53 ?? ?? ?? 1A ?? ?? ?? 6E ?? ?? ?? ?? ?? 53 ?? ?? ??
13 ?? ?? ?? 71 ?? ?? ?? ?? ?? 0C
This is the hex pattern before v168:
54 ?? ?? ?? 38 ?? ?? ?? 1A ?? ?? ?? 6E ?? ?? ?? ?? ??
54 ?? ?? ?? 38 ?? ?? ?? 1A ?? ?? ?? 6E ?? ?? ?? ?? ??
53 ?? ?? ?? 1A ?? ?? ?? 6E ?? ?? ?? ?? ?? 53 ?? ?? ??
1A ?? ?? ?? 6E ?? ?? ?? ?? ?? 54
When you have found the offset, you need baksmali.jar to search for the exact string corresponding to the offset inside “classes?.hex.txt”:
java -jar baksmali.jar du classes3.dex > classes3.hex.txt
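
The wildcard search described in this step, written out as an added example (it is not code from the original article or from searchbin). It reuses the "since v168" pattern quoted above; the `align=2` filter and the sample bytes are additions constructed for the demonstration.

```python
import re

# Pattern quoted in the article for v168 and later. The fixed bytes are Dalvik
# opcodes (0x54 iget-object, 0x38 if-eqz, 0x1A const-string, 0x6E invoke-virtual);
# each "??" stands for one operand byte (registers, field/string/method indexes).
PATTERN_SINCE_V168 = (
    "54 ?? ?? ?? 38 ?? ?? ?? 1A ?? ?? ?? 6E ?? ?? ?? ?? ?? "
    "54 ?? ?? ?? 38 ?? ?? ?? 1A ?? ?? ?? 6E ?? ?? ?? ?? ?? "
    "53 ?? ?? ?? 1A ?? ?? ?? 6E ?? ?? ?? ?? ?? 53 ?? ?? ?? "
    "13 ?? ?? ?? 71 ?? ?? ?? ?? ?? 0C"
)

def compile_pattern(pattern):
    """Turn 'AA ?? BB' into a bytes regex in which '??' matches any one byte."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes.fromhex(tok)))
        else:
            raise ValueError(f"bad token in hex pattern: {tok!r}")
    # Lookahead reports overlapping candidates; DOTALL lets '.' match 0x0A too.
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)

def find_offsets(data, pattern, align=1):
    """Offsets where the pattern matches. align=2 drops odd offsets, because
    Dalvik instructions are sequences of 16-bit code units."""
    rx = compile_pattern(pattern)
    return [m.start() for m in rx.finditer(data) if m.start() % align == 0]

def sample_from(pattern, fill=0x00):
    """Constructed test bytes: the pattern with every wildcard set to `fill`."""
    return bytes(fill if t == "??" else int(t, 16) for t in pattern.split())

def build_sample():
    """Constructed buffer: one misaligned copy (offset 3), one aligned (72)."""
    hit = sample_from(PATTERN_SINCE_V168)
    return b"\xff" * 3 + hit + b"\xff" * 4 + hit

if __name__ == "__main__":
    for off in find_offsets(build_sample(), PATTERN_SINCE_V168, align=2):
        print(f"match at 0x{off:08x}")
```

A pattern made only of opcodes and wildcards can also match inside string or data sections, so each reported offset still has to be confirmed against the baksmali dump.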

4. With a text editor, open the file containing the exact string (for this version):
iget-object v1, p1, Lcom/instagram/camera/effect/models/CameraAREffect;->A0M:Ljava/lang/String;

5. Inside the method (“public static A00”) containing the string found in step 4, one row below there is “.locals ?”. Increase the number by 2; for example, if it’s 4, change it to 6. Remember it.
.method public static A00( ... ; ... ;)V
.locals 4 --> replace with .locals 6

6. If you changed it to 6, we will use 4 and 5 (registers v4 and v5) in steps six and seven. This will be the logcat tag, “grab - title effect”. On a new line below the string found in step 4, paste this code:
# v4 = tag prefix, v5 = tag prefix + effect title (v1)
const-string v4, "grab - "
new-instance v5, Ljava/lang/StringBuilder;
invoke-direct {v5, v4}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
invoke-virtual {v5, v1}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v5
invoke-virtual {v5}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
move-result-object v5

7. This will be the link. Some rows below, search for the string
iget-object v1, p1, Lcom/instagram/camera/effect/models/CameraAREffect;->A09:Ljava/lang/String;
and under it, on a new line, paste:
invoke-static {v5, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

[Image: summary of changes]

8. Save the file and, to compile the edited source code with smali.jar, run:
java -Xmx3000m -jar smali.jar ass output\instagram\"smali folder where the edited file is located" -o output\instagram\"classes number".dex
For example, if it’s smali_classes3 you will write:
java -Xmx3000m -jar smali.jar ass output\instagram\smali_classes3 -o output\instagram\classes3.dex

9. To sign our apk, generate a keystore with the Java keytool:
keytool -genkeypair -dname "CN=test, OU=Android, O=Google Inc.,L=Mountain View, ST=California, C=US" -keystore "your testkey".jks -validity 9125 -keyalg RSA -keysize 2048 -storepass "your keystore pass" -alias "your alias"

10. Update the instagram.apk zip archive, replacing the old file with the new classes3.dex (in a Linux terminal with the cp and zip commands; on Windows do it manually), then zipalign it and sign it with apksigner.jar:
cp instagram.apk toalign_instagram.apk && zip toalign_instagram.apk classes3.dex
zipalign -f 4 toalign_instagram.apk zipaligned_instagram.apk && rm toalign_instagram.apk
java -jar apksigner.jar sign --ks "your testkey".jks --ks-pass pass:"your keystore pass" --in zipaligned_instagram.apk --out signed_Instagram.apk

11. Uninstall the original Instagram app and install the apk manually or through
adb install -r signed_Instagram.apk
and in cmd run:
adb shell
logcat -v tag | grep -e "grab - "
12. Now the fun part: open the Instagram camera, search for an effect and save it. You will find in the log the list of all the effects saved in your Instagram camera:
D/grab - "name of effect": link of arfx file effect

[Image: list of effects grabbed with logcat]

13. Download an effect from its link with your browser or
curl "link" -o effect.arfx
extract it with brotli and then extract the tar archive
brotli -jdo effect.tar effect.arfx && tar -xf effect.tar --one-top-level && rm effect.tar
or with PeaZip: rename the “.arfx” extension to “.tar.br”, then extract.
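
An archive fetched from a URL is untrusted input, so it is worth listing its members before running tar -xf on it. The following added example (not part of the original article) inspects the decompressed effect.tar, counts the asset kinds named in the NOTE above, and flags members that would land outside the extraction directory; the .js/.ttf/.otf extensions and the sample member names are assumptions.

```python
import io
import tarfile
from collections import Counter
from pathlib import PurePosixPath

# Asset kinds the article says an effect archive contains.
# The script and font extensions are assumptions, not taken from the article.
KINDS = {".png": "texture", ".ktx": "compressed texture", ".gltf": "3D model",
         ".js": "script", ".ttf": "font", ".otf": "font", ".json": "json"}

def audit_tar(fileobj):
    """Return (Counter of asset kinds, names of members that must not be extracted)."""
    kinds, rejected = Counter(), []
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        for member in tar:
            path = PurePosixPath(member.name)
            escapes = path.is_absolute() or ".." in path.parts
            # Links and device nodes can redirect later writes, so refuse them too.
            if escapes or not (member.isfile() or member.isdir()):
                rejected.append(member.name)
                continue
            if member.isfile():
                kinds[KINDS.get(path.suffix.lower(), "other")] += 1
    return kinds, rejected

def build_sample_tar():
    """Constructed archive: four ordinary assets, one traversal path, one symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("main.json", "textures/face.png", "textures/mask.ktx",
                     "scripts/script.js", "../outside.png"):
            info = tarfile.TarInfo(name)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
        link = tarfile.TarInfo("textures/link.png")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/hostname"
        tar.addfile(link)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    kinds, rejected = audit_tar(build_sample_tar())
    print(dict(kinds))
    print("do not extract:", rejected)
```

To use it on a real download, open effect.tar in binary mode and pass the file object to `audit_tar` after the brotli step and before `tar -xf`.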

14. If you find some ktx files (Khronos Textures, i.e. compressed textures), you can use this online tool to decompress them:
https://comparecommander.com/convert-ktx-to-png/
or open them with PVRTexTool and “Save Image” as a png file, or from the command line use:
PVRTexToolCLI -i "texture_compressed".ktx -noout -ics sRGB -d "texture_decompressed".png

EXTRA: It’s not easy to read and understand main.json, but a JSON formatter can make it easier. If you want to grab the links directly on the smartphone, you can use the “Logcat reader” app (it also works without root) instead of “adb shell logcat” from the PC.
