Android

Links

Detecting which pinning library an app uses: https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/

Universal unpinning script: https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/

Script collections: https://github.com/m0bilesecurity/Frida-Mobile-Scripts https://github.com/LizhangHuang/FridaScript

Extracting Bluetooth information: https://github.com/k3170makan/FridaAndroidScripts/tree/master/bluecrawl

Scripts

Common

Listing a class's methods and fields

// Get the class wrapper ($ separates an inner class from its outer class)
const java_class = Java.use('com.example.j$R')

// Cast an existing Java object handle to that class
const java_class_obj = Java.cast(data, java_class)

// Alternatively, create a new object via the constructor (or java_class.$init())
const java_class_obj_new = java_class.$new()

// Methods. Query format is class!method/modifiers:
//   s = include method signatures, u = user-defined classes only (ignore system classes), i = case-insensitive
Java.enumerateMethods(`com.example.j$R!*/isu`)

// All field and method names, on the class wrapper and on an instance
Object.getOwnPropertyNames(java_class)
Object.getOwnPropertyNames(java_class_obj)

Accessing private fields

// To access a private field, use the field wrapper's value property.
// Java side:
class A {
	private int b;
}
// Frida side:
const classA = Java.use("A");
let objClassA = Java.cast(pointer, classA);
// See which methods and fields the class exposes
console.log(Object.getOwnPropertyNames(objClassA.__proto__).join(' '));
// And this is our field. Frida prefixes the field name with '_' when a method
// of the same name exists; otherwise the field is simply objClassA.b.value
const field_b = objClassA._b.value;

Accessing any field or method of an object by name

const klass = Java.use('com.example.a$b')
const klass_obj = klass.$new()

const somePropertyOrMethodObj = klass_obj['some_prop']

Field value

const klass = Java.use('com.example.a$b')
const klass_obj = klass.$new()

const somePropertyOrMethodObj = klass_obj['some_prop']
const value = somePropertyOrMethodObj.value

Working with arrays

Print a byte array (shown by Frida as e.g. byte[3412341241]) as a hex string:

// Inside a hook implementation: this.fn() returns a byte[]
const ret = this.fn();
const buffer = Java.array('byte', ret);
console.log(buffer.length);
let result = "";
for (let i = 0; i < buffer.length; ++i) {
    // Java bytes are signed; & 0xff maps them to 0..255, the '0' prefix pads to two hex digits
    result += ('0' + (buffer[i] & 0xff).toString(16)).slice(-2);
}
console.log(result);

Print an array as a string:

function Array2String(arr) {
    let buffer = Java.array('byte', arr)
    let result = ""
    for (let i = 0; i < buffer.length; ++i) {
        // & 0xff turns the signed Java byte into a 0..255 char code
        result += String.fromCharCode(buffer[i] & 0xff)
    }

    return result
}
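The two snippets above both rely on the `& 0xff` mask because Java bytes are signed. The following added example (not from the original page) pulls that into reusable helpers and adds the reverse direction, hex to signed bytes, which is what you need when building a byte[] to hand back to a hooked method. The helper names are this example's own; the helpers need only an indexable object with .length, so they work on a plain JS array and on the array-like value Frida gives you for a byte[] (or from Java.array('byte', x)).

```javascript
// Added example: helpers for Java byte[] values (not code from the original page).
// Java bytes are signed (-128..127); `& 0xff` maps each to 0..255 before formatting.

// byte[] -> lowercase hex string, always two digits per byte
function bytesToHex(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; ++i) {
    // OR-ing 0x100 then dropping the leading '1' guarantees two hex digits
    out += ((bytes[i] & 0xff) | 0x100).toString(16).slice(1);
  }
  return out;
}

// byte[] -> string, one char per byte (Latin-1). Fine for ASCII payloads such as
// headers or JSON; multi-byte UTF-8 would need a real decoder.
function bytesToLatin1(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; ++i) {
    out += String.fromCharCode(bytes[i] & 0xff);
  }
  return out;
}

// hex string -> array of *signed* bytes, the range Java.array('byte', ...) expects
// when you construct a byte[] to pass into a method. Rejects odd length / non-hex input.
function hexToSignedBytes(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) {
    throw new Error('invalid hex string: ' + hex);
  }
  const out = [];
  for (let i = 0; i < hex.length; i += 2) {
    const v = parseInt(hex.slice(i, i + 2), 16);
    out.push((v << 24) >> 24); // sign-extend: 0..255 -> -128..127
  }
  return out;
}

// In a Frida hook the page's snippet becomes:
//   const buffer = Java.array('byte', this.fn());
//   console.log(bytesToHex(buffer));
// Constructed sample, as such a byte[] would arrive from a hooked method:
const sample = [72, 105, 0, 127, -128, -1];
console.log(bytesToHex(sample));     // "4869007f80ff"
console.log(bytesToLatin1(sample.slice(0, 2))); // "Hi"
```

To send bytes back into the app, wrap the helper's result with Frida: Java.array('byte', hexToSignedBytes('ff7f80')).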

Print an object

console.log(`${JSON.stringify(someObject, null, 2)}`)

Wrapper

console.log("[+] Start");
Java.perform(() => {
    try {
        // Hook
        const someClass = Java.use('some.class.Class')
        const someClassObject = someClass.$new(/* constructor args */)
        const retval = someClassObject.some_method()

        console.log(`${JSON.stringify(retval, null, 2)}`)
    } catch (err) {
        // Log the reason, not just the fact of failure
        console.log("[-] Fail: " + err);
    }
})

PhoneGap & OutSystems SSL pinning bypass

src: https://github.com/clviper/android/blob/master/pinning.js

OkHttp3 SSL Pinning bypass

Java.perform(() => {
    try {
        console.log("[+] Start 2");
        const OkHttpClient_Builder = Java.use('okhttp3.OkHttpClient$Builder');
        console.log("[+] OkHTTP 3.x Found");

        // Disable adding CertificatePinner objects: return the builder unchanged
        OkHttpClient_Builder.certificatePinner.overload('okhttp3.CertificatePinner').implementation = function (certificatePinner) {
            console.log("[+] OkHTTP 3.x certificatePinner() called. Not throwing an exception.");
            return this;
        };

        // Same for a custom HostnameVerifier
        OkHttpClient_Builder.hostnameVerifier.overload('javax.net.ssl.HostnameVerifier').implementation = function (hostnameVerifier) {
            console.log("[+] OkHTTP 3.x hostnameVerifier() called. Not throwing an exception.");
            return this;
        };

        // Disable CertificatePinner checks (check() is void; simply not throwing means "pin matched")
        const CertificatePinner = Java.use('okhttp3.CertificatePinner');
        CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function (s, l) {
            console.log("[+] Unpinning Type 1: " + s);
            return true;
        };

        CertificatePinner.check.overload('java.lang.String', 'java.security.cert.Certificate').implementation = function (s, cert) {
            console.log("[+] Unpinning Type 2: " + s);
            return true;
        };

        CertificatePinner.check.overload('java.lang.String', 'javax.security.cert.Certificate').implementation = function (s, cert) {
            console.log("[+] Unpinning Type 3: " + s);
            return true;
        };
    } catch (err) {
        // Any missing class or overload lands here and skips the remaining hooks
        console.log("[-] OkHTTP 3.x Not Found: " + err);
    }
})
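The block above wraps every hook in a single try/catch, so one class or overload that does not exist in the app's OkHttp build aborts all the hooks that follow it and the script just reports "Not Found". The added example below (not from the original page) installs each hook independently and returns a report of which ones were found, which is the first thing to check when a script "does nothing". The specs are observation-only: they log when OkHttp3's CertificatePinner.check fires and call through to the original, so you can confirm that pinning is really enforced for a hostname without changing the outcome. The `bridge` parameter is Frida's global `Java` in a real session; `installHooks`, the spec object shape and `okhttp3ObserveSpecs` are this example's own names, not a Frida API.

```javascript
// Added example (not code from the original page): install Java hooks one by one
// and report which targets exist. `bridge` is Frida's `Java` object in a session;
// a stub with the same use()/overload()/implementation shape works outside Frida.
function installHooks(bridge, specs) {
  const report = { installed: [], failed: [] };
  for (const spec of specs) {
    const label = spec.className + '.' + spec.method +
      (spec.overload ? '(' + spec.overload.join(', ') + ')' : '');
    try {
      const klass = bridge.use(spec.className);          // throws if the class is absent
      let target = klass[spec.method];
      if (target === undefined) throw new Error('no such method');
      if (spec.overload) target = target.overload(...spec.overload); // throws if absent
      target.implementation = spec.impl;
      report.installed.push(label);
    } catch (err) {
      report.failed.push({ hook: label, reason: String(err && err.message ? err.message : err) });
    }
  }
  return report;
}

// Observation-only hooks: log the call, then run the original so behaviour is unchanged.
// The overload signatures are the ones the page's script hooks.
const okhttp3ObserveSpecs = [
  {
    className: 'okhttp3.CertificatePinner', method: 'check',
    overload: ['java.lang.String', 'java.util.List'],
    impl: function (hostname, certs) {
      console.log('[*] CertificatePinner.check(' + hostname + ', ' + certs.size() + ' certs)');
      // Explicit overload selection avoids ambiguity when several check() variants exist
      return this.check.overload('java.lang.String', 'java.util.List').call(this, hostname, certs);
    },
  },
  {
    className: 'okhttp3.OkHttpClient$Builder', method: 'certificatePinner',
    overload: ['okhttp3.CertificatePinner'],
    impl: function (pinner) {
      console.log('[*] OkHttpClient.Builder.certificatePinner() configured');
      return this.certificatePinner(pinner);
    },
  },
];

// Only run under Frida; in plain Node the functions above can still be exercised
// with a stub bridge.
if (typeof Java !== 'undefined') {
  Java.perform(() => {
    console.log(JSON.stringify(installHooks(Java, okhttp3ObserveSpecs), null, 2));
  });
}
```

A report with an entry under failed whose reason mentions ClassNotFoundException tells you the app does not bundle that OkHttp class at all (or has it renamed by an obfuscator), while a failed overload with the class found points at a version whose method signature differs from the one you hooked.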
