Skip to content

Instantly share code, notes, and snippets.

@will3942
Last active Sep 15, 2021
Embed
What would you like to do?
Reverse-Engineering Instagram
require 'openssl'
require 'base64'
require 'json'
require 'httpclient'
http = HTTPClient.new(:agent_name => useragent)
key = "" #The Private key
login_info = {:guid => "00000000-0000-0000-0000-000000000000",
:password => "PASSWORD",
:username => "USERNAME",
:device_id => "android-0000000000000000",
:_csrftoken => "missing"
}.to_json
signed_body = "#{Digest::HMAC.hexdigest(login_info, key, Digest::SHA256)}.#{login_info}"
post_data = {:signed_body => signed_body, :ig_sig_key_version => 4}
result = http.post("https://instagram.com/api/v1/accounts/login/", post_data, "Content-Type" => "application/json")
p result.body
const-string v5, "LOGGING"
invoke-static {v5, v0}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
@edmund5
Copy link

edmund5 commented Feb 8, 2014

got an error: undefined variable or method "useragent"

@netics
Copy link

netics commented Feb 18, 2014

Unfortunately the Instagram app is closing after I hit the login button. No logs with "LOGGING" are sent.

Also, I didn't find the .line 70 in 5.0.6

@milesoberstadt
Copy link

milesoberstadt commented Mar 8, 2014

Forgive my ignorance, but is there any chance you can post the private key? I can't seem to get the apk to recompile after making these changes...

@Lotogram
Copy link

Lotogram commented Sep 19, 2014

Please post the private key, thanks.

@ydaniels
Copy link

ydaniels commented Oct 5, 2014

yea please anyone with the private key that can help

@nemoryoliver
Copy link

nemoryoliver commented Jan 4, 2015

This is the PRIVATE KEY b4a23f5e39b5929e0666ac5de94c89d1618a2916

but I am not sure if it's the same key for Instagram 6+

@ydaniels
Copy link

ydaniels commented Jan 11, 2015

no they have changed it . the old one ain't working anymore

@mokhdzanifaeq
Copy link

mokhdzanifaeq commented Feb 28, 2015

KEY: 6d51fe001d37fae892bfd51b334cf2deaa66dc8822ff37e8d0f45e8883d56061
not sure the key is the same for everybody though. you can check it yourself : http://mokhdzanifaeq.github.io/extracting-instagram-signature-key/

@timigod
Copy link

timigod commented Jan 24, 2016

Can this be used to upload photos?

@endquote
Copy link

endquote commented Jun 12, 2016

Anyone figured this out on a more recent version? The above code returns "invalid domain". The instructions in the above article seem legit, but the APK has changed and I'm not sure where the relevant code is now. Also the ig_sig_key_version sent in requests now is 5, not 4.

@KiralyCraft
Copy link

KiralyCraft commented Aug 28, 2016

This is for instagram 9.2.0:

012a54f51c49aa8c5c322416ab1410909add32c966bbaa0fe3dc58ac43fd7ede

@lucassimao
Copy link

lucassimao commented Aug 29, 2016

@KiralyCarft I followed the article by @mokhdzanifaeq and I found this api key. After that, I intercepted the request body to https://i.instagram.com/api/v1/accounts/login/ . Basically, the request body is the following string URL encoded:

signed_body=6f0f090924943e8a25175dcf115d7ee7564a39510ac58e5569d8523c49ceeb22.{"phone_id":"5b5fe5f2-c491-435f-8a7c-a091edaa4a29","username":"lsimaocosta","guid":"6c55c4ed-2663-406e-bc5c-480dc0001507","device_id":"android-9e111627d07b847e","password":"<<mypassword>>","login_attempt_count":"0"}&ig_sig_key_version=4

After that, using the JSON content in the above string (starting with {"phone_id" ... and ending at "login_attempt_count":"0"} I tried to recover the hash using the following ruby code:

require 'openssl'
require 'base64'
require 'json'

key = "012a54f51c49aa8c5c322416ab1410909add32c966bbaa0fe3dc58ac43fd7ede" #The Private key
digest = OpenSSL::Digest::SHA256.new
puts OpenSSL::HMAC.hexdigest( digest, key, << JSON_CONTENT>>)

but the hexdigest is not equal to the value of the hash sent in the request ... any thoughts ??

@eliasbagley
Copy link

eliasbagley commented Dec 2, 2016

Key for Instagram 9.6.0:
19054fe6bacb4e68bb243d12a6879941be86aeb672b0a7f79f1db8573957035d

and this worked for me to get the correct hash for following users, in bash:
JSON={"_csrftoken":"xxx","user_id":"xxx","_uid":"xxx","_uuid":"xxx"}
Put in whatever values are yours, from sniffing the API

alias urlencode='python -c "import sys, urllib as ul; \
    print ul.quote_plus(sys.argv[1])"'

SIGNED_BODY=$(echo -n $JSON | openssl dgst -sha256 -hmac $KEY).$(urlencode $JSON)"&ig_sig_key_version=4"

@drawrowfly
Copy link

drawrowfly commented Dec 3, 2016

Was anyone able to extract key from 10.0.1 ?

@drawrowfly
Copy link

drawrowfly commented Dec 3, 2016

Never mind just did it my self

@Maarius
Copy link

Maarius commented Dec 9, 2016

@glazkoman can you post it? Also, do you have a working example to post images?

@Trewqa
Copy link

Trewqa commented Dec 25, 2016

@Maarius Did you get it?

@Coldz0
Copy link

Coldz0 commented Feb 9, 2017

Anyone got the key for instagram 10.x ? Thanks in advance

@TonyDaniels
Copy link

TonyDaniels commented Mar 22, 2017

Anyone have the key?

@wondersoftwares671
Copy link

wondersoftwares671 commented Jun 6, 2017

Anyone found key for 10.9 or later? If anyone has, Please give me i need it.

@alitoufighi
Copy link

alitoufighi commented Sep 17, 2017

This is what Instagram-API by mgp25 used (it works):
0443b39a54b05f064a4917a3d1da4d6524a3fb0878eacabf1424515051674daa

@remon
Copy link

remon commented Nov 29, 2017

not working anymore , does anyone still working with him this method ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment