Android
Π‘ΡΡΠ»ΠΊΠΈ
ΠΠ΅ΡΠ΅ΠΊΡ Π±ΠΈΠ±Π»ΠΈΠΎΡΠ΅ΠΊΠΈ Π΄Π»Ρ ΠΏΠΈΠ½Π½ΠΈΠ½Π³Π°: https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
universal script unpinning: https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/
ΠΠ°Π±ΠΎΡ ΡΠΊΡΠΈΠΏΡΠΎΠ²: https://github.com/m0bilesecurity/Frida-Mobile-Scripts https://github.com/LizhangHuang/FridaScript
ΠΠ·Π²Π»Π΅ΡΠ΅Π½ΠΈΠ΅ ΠΈΠ½ΡΠΎΡΠΌΠ°ΡΠΈΠΈ ΠΎ Bluetooth: https://github.com/k3170makan/FridaAndroidScripts/tree/master/bluecrawl
Π‘ΠΊΡΠΈΠΏΡΡ
Common
Π‘ΠΏΠΈΡΠΎΠΊ ΠΌΠ΅ΡΠΎΠ΄ΠΎΠ² ΠΈ ΠΏΠΎΠ»Π΅ΠΉ ΠΊΠ»Π°ΡΡΠ°
// Get class
const java_class = Java.use('com.example.j$R')
// Object cast
const java_class_obj = Java.cast(data, java_class)
// Get object via constructor
const java_class_obj = java_class.$new() // ΠΈΠ»ΠΈ java_class.$init()
// Methods
Java.enumerateMethods(`com.example.j$R!*/isu`) // Include method signatures (s) and User-defined classes only, ignoring system classes. (u) and case sensitive (i)
// All Fields and Methods names
Object.getOwnPropertyNames(java_class)
Object.getOwnPropertyNames(java_class_obj)ΠΠ±ΡΠ°ΡΠ΅Π½ΠΈΠ΅ ΠΊ ΠΏΡΠΈΠ²Π°ΡΠ½ΡΠΌ ΠΏΠΎΠ»ΡΠΌ
// Π§ΡΠΎ Π± ΠΏΠΎΠ»ΡΡΠΈΡΡ Π΄ΠΎΡΡΡΠΏ ΠΊ ΠΏΡΠΈΠ²Π°ΡΠ½ΠΎΠΌΡ ΠΏΠΎΠ»Ρ, ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΠΌ ΡΠ²ΠΎΠΉΡΡΠ²ΠΎ value:
class A {
private int b;
}
const classA = Java.use("A");
let objClassA = Java.cast(pointer, classA);
java_msg(Object.getOwnPropertyNames(objClassA.__proto__).join(' ')); -> ΠΏΠΎΡΠΌΠΎΡΡΠ΅Π»ΠΈ ΠΊΠ°ΠΊΠΈΠ΅ ΠΌΠ΅ΡΠΎΠ΄Ρ ΠΈ ΠΏΠΎΠ»Ρ Ρ ΠΊΠ»Π°ΡΡΠ°
const field_b = objClassA._b.value; -> Π° ΡΡΠΎ ΡΠΆΠ΅ Π½Π°ΡΠ΅ ΠΏΠΎΠ»Π΅ΠΠ±ΡΠ°ΡΠ΅Π½ΠΈΠ΅ ΠΊ Π»ΡΠ±ΡΠΌ ΠΏΠΎΠ»ΡΠΌ ΠΎΠ±ΡΠ΅ΠΊΡΠ° ΠΏΠΎ ΠΈΠΌΠ΅Π½ΠΈ
const klass = Java.use('com.example.a$b')
const klass_obj = klass.$new()
const somePropertyOrMethodObj = klass_obj['some_prop']ΠΠ½Π°ΡΠ΅Π½ΠΈΠ΅ ΠΏΠΎΠ»Ρ
const klass = Java.use('com.example.a$b')
const klass_obj = klass.$new()
const somePropertyOrMethodObj = klass_obj['some_prop']
const value = somePropertyOrMethodObj.valueΠ Π°Π±ΠΎΡΠ° Ρ ΠΌΠ°ΡΡΠΈΠ²Π°ΠΌΠΈ
ΠΡΠ²Π΅ΡΡΠΈ ΠΌΠ°ΡΡΠΈΠ² ΠΊΠ°ΠΊ hex-ΡΡΡΠΎΠΊΡ:
ΠΡΠ²Π΅ΡΡΠΈ array ΠΊΠ°ΠΊ hex-ΡΡΡΠΎΠΊΡ: byte[3412341241]:
const ret = this.fn();
const buffer = Java.array('byte', ret);
console.log(buffer.length);
const result = "";
for(let i = 0; i < buffer.length; ++i){
result += ('0' + (buffer[i] & 0xff).toString(16)).slice(-2);
}
console.log(result);ΠΡΠ²Π΅ΡΡΠΈ ΠΌΠ°ΡΡΠΈΠ² ΠΊΠ°ΠΊ ΡΡΡΠΎΠΊΡ:
function Array2String(arr) {
let buffer = Java.array('byte', arr)
let result = ""
for(let i = 0; i < buffer.length; ++i){
result += (String.fromCharCode(buffer[i] & 0xff)); // here!!
}
return result
}ΠΡΠ²Π΅ΡΡΠΈ ΠΎΠ±ΡΠ΅ΠΊΡ
console.log(`${JSON.stringify(someObject, null, 2)}`)Wrapper
console.log("[+] Start");
Java.perform(() => {
try {
// Hook
const someClass = Java.use('some.class.Class')
const someClassObject = someClass.$new(arg1, arg2, ..)
const retval = someClassObject.some_method()
console.log(`${JSON.stringify(retval, null, 2)}`)
} catch(err) {
console.log("[-] Fail");
}
}PhoneGap & Outsystem ssl pinning bypass
src: https://github.com/clviper/android/blob/master/pinning.js
OkHttp3 SSL Pinning bypass
Java.perform(() => {
try {
console.log("[+] Start 2");
const OkHttpClient_Builder = Java.use('okhttp3.OkHttpClient$Builder');
console.log("[+] OkHTTP 3.x Found");
// Disable adding CertificatePinner Objects
OkHttpClient_Builder.certificatePinner.overload('okhttp3.CertificatePinner').implementation = function(certificatePinner) {
console.log("[+] OkHTTP 3.x certificatePinner() called. Not throwing an exception.");
return this;
};
OkHttpClient_Builder.hostnameVerifier.overload('javax.net.ssl.HostnameVerifier').implementation = function(hostnameVerifier) {
console.log("[+] OkHTTP 3.x hostnameVerifier() called. Not throwing an exception.");
return this;
};
// Disable CertificatePinner checks
OkHttpClient_Builder.certificatePinner.overload('okhttp3.CertificatePinner').implementation = function(certificatePinner) {
console.log("[+] OkHTTP 3.x certificatePinner() called. Not throwing an exception.");
return this;
};
const CertificatePinner = Java.use('okhttp3.CertificatePinner');
CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function(s, l) {
console.log("[+] Unpinning Type 1: " + s);
return true;
};
CertificatePinner.check.overload('java.lang.String', 'java.security.cert.Certificate').implementation = function(s, cert) {
console.log("[+] Unpinning Type 2: " + s);
return true;
}
CertificatePinner.check.overload('java.lang.String', 'javax.security.cert.Certificate').implementation = function(s, cert) {
console.log("[+] Unpinning Type 3: " + s);
return true;
}
} catch (err) {
console.log("[-] OkHTTP 3.x Not Found")
}
})Last updated
Was this helpful?