From fea8b6d13248af5853ebc443d54e279299062fe9 Mon Sep 17 00:00:00 2001 From: Alex Rad Date: Mon, 11 Nov 2019 11:37:02 -0800 Subject: [PATCH] Frida script for ssl pinning --- unpin.js | 128 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 128 insertions(+) create mode 100644 unpin.js diff --git a/unpin.js b/unpin.js new file mode 100644 index 0000000..0d6c4f0 --- /dev/null +++ b/unpin.js @@ -0,0 +1,128 @@ +/* Frida script for SSL stripping */ + +Java.perform(function() { + var array_list = Java.use("java.util.ArrayList"); + var ApiClient = Java.use("com.android.org.conscrypt.TrustManagerImpl") + +try { + ApiClient.verifyChain.implementation = function(untrust, trustanchor, host, cauth, oscp, sctdata) { + console.log("intercepted trustmanager"); + return untrust; + } +} catch (err){ + +} + +try { + var CertPin = Java.use("okhttp3.CertificatePinner"); + CertPin.check.overload("java.lang.String", "java.util.List").implementation = function(str) { + console.log("intercept okhttp3 " + str); + return; + } + + CertPin.check.overload("java.lang.String", "[Ljava.security.cert.Certificate;").implementation = function(p0,p1) { + console.log("intercept okhttp3 cert"); + return; + } + + +} catch (err) { + +} + +try { + //fb pinning + var FBPin = Java.use("com.facebook.netlite.certificatepinning.internal.FbPinningTrustManager"); + FBPin.checkServerTrusted.implementation = function(a0, a1) { + console.log("FB pin"); + return; + } +} catch (err) { + +} + + //linked in libcurl + var sos=[]; + var libs = ["libdialogui.so", "libavatars.so", "libcurl.so", + "libovrplatform.so", "libovrplatform_64.so", "libovrplatformplugin.so", + "libhome.so"]; + + for(var x in libs) { + + var attach = Module.findExportByName(libs[x], "curl_easy_setopt"); + console.log(libs[x] + " -> " + attach); + if(!attach) continue; + console.log("found module for " + libs[x]); + sos[libs[x]] = Interceptor.attach(attach, { + onEnter: function(args) { + console.log("setopt called" + JSON.stringify(args)); + }, + + onLeave: function(retval) { + console.log("setopt over") + } + }); + + } + + + const System = Java.use('java.lang.System'); + const Runtime = Java.use('java.lang.Runtime'); + const VMStack = Java.use('dalvik.system.VMStack'); + System.loadLibrary.implementation = function(library) { + console.log("System.loadLibrary('" + library + "')"); + try { + const loaded = Runtime.getRuntime().loadLibrary0(VMStack.getCallingClassLoader(), library) + return loaded; + } catch(err) { + console.log(err); + } + } + + System.load.implementation = function(library) { + console.log("System.load('" + library + "')"); + try { + const loaded = Runtime.getRuntime().load0(VMStack.getCallingClassLoader(), library) + return loaded; + } catch(err) { + console.log(err); + } + + } + + function hookCurlSetOpt(address) { + Interceptor.attach(address, { + onEnter: function(args) { + if (args[1] == 81) { + console.log("CURLOPT_SSL_VERIFYHOST -> 0") + this.context.r2 = 0 + } + if (args[1] == 64) { + console.log("CURLOPT_SSL_VERIFYPEER -> 0") + this.context.r2 = 0 + } + if (args[1] == 10230) { + console.log("CURLOPT_PINNEDPUBLICKEY -> 0") + this.context.r2 = 0 + } + } + }); + + } + + + function hookModuleHelper(name, offset, handler) { + var base = Module.findBaseAddress(name) + console.log(name + " @ " + base); + if (base == null) return; + var target = base.add(offset); + handler(target); + } + + //Statically linked libcurl. Need to manually update the offsets for now + hookModuleHelper("libovrplatform.so", 0xea49c-0x10000 +1, hookCurlSetOpt) + hookModuleHelper("libhome.so", 0x57407c-0x10000 +1, hookCurlSetOpt) + hookModuleHelper("libavatars.so", 0x9e460-0x10000 , hookCurlSetOpt) + + +}, 0);