美文网首页
frida ssl unpining 脚本

frida ssl unpining 脚本

作者: 大发明家达文西 | 来源:发表于2019-09-29 09:37 被阅读0次

    修改于 https://gist.github.com/cubehouse/56797147b5cb22768b500f25d3888a22
    主要增加了Android 6的 TrustManagerImpl 的适配


    // start with:
    //   frida -U -l pinning.js -f [APP_ID] --no-pause
    Java.perform(function () {
        console.log('');
        console.log('===');
        console.log('* Injecting hooks into common certificate pinning methods *');
        console.log('===');
    
        var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
        var SSLContext = Java.use('javax.net.ssl.SSLContext');
    
        // build fake trust manager
        var TrustManager = Java.registerClass({
            name: 'com.sensepost.test.TrustManager',
            implements: [X509TrustManager],
            methods: {
                checkClientTrusted: function (chain, authType) {
                },
                checkServerTrusted: function (chain, authType) {
                },
                getAcceptedIssuers: function () {
                    return [];
                }
            }
        });
    
        // pass our own custom trust manager through when requested
        var TrustManagers = [TrustManager.$new()];
        var SSLContext_init = SSLContext.init.overload(
            '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom'
        );
        try {
        SSLContext_init.implementation = function (keyManager, trustManager, secureRandom) {
            console.log('! Intercepted trustmanager request');
            SSLContext_init.call(this, keyManager, TrustManagers, secureRandom);
        }} catch (e) {
            console.log('* Unable to hook into SSLContext_init')
        }
    
        console.log('* Setup custom trust manager');
    
        // okhttp3
        try {
            var CertificatePinner = Java.use('okhttp3.CertificatePinner');
            CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function (str) {
                console.log('! Intercepted okhttp3: ' + str);
            };
    
            console.log('* Setup okhttp3 pinning')
        } catch(err) {
            console.log('* Unable to hook into okhttp3 pinner')
        }
    
        // trustkit
        try {
            var Activity = Java.use("com.datatheorem.android.trustkit.pinning.OkHostnameVerifier");
            Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (str) {
                console.log('! Intercepted trustkit{1}: ' + str);
                return true;
            };
    
            Activity.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (str) {
                console.log('! Intercepted trustkit{2}: ' + str);
                return true;
            };
    
            console.log('* Setup trustkit pinning')
        } catch(err) {
            console.log('* Unable to hook into trustkit pinner')
        }
    
        // TrustManagerImpl
        try {
            const ArrayList = Java.use("java.util.ArrayList");
            var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
            TrustManagerImpl.checkServerTrusted.overload('[Ljava.security.cert.X509Certificate;', 'java.lang.String').implementation =
                function (chain, authType) {
                    console.log('! Intercepted TrustManagerImpl');
                };
    
            TrustManagerImpl.checkServerTrusted.overload('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String').implementation =
                function (chain, authType, host) {
                    console.log('! Intercepted TrustManagerImpl');
                    return ArrayList.$new();
                };
    
            TrustManagerImpl.checkServerTrusted.overload('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'javax.net.ssl.SSLSession').implementation =
                function (chain, authType, session) {
                    console.log('! Intercepted TrustManagerImpl');
                    return ArrayList.$new();
                };
    
            if (Java.androidVersion > "6.0.1") {
                TrustManagerImpl.checkServerTrusted.overload('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.net.Socket').implementation =
                function (chain, authType, socket) {
                    console.log('! Intercepted TrustManagerImpl');
                };
                TrustManagerImpl.checkServerTrusted.overload('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'javax.net.ssl.SSLEngine').implementation =
                function (chain, authType, engine) {
                    console.log('! Intercepted TrustManagerImpl');
                };
            }
            console.log('* Setup TrustManagerImpl pinning');
        } catch (err) {
            console.log('* Unable to hook into TrustManagerImpl : ' + err.message);
        }
    
        // Appcelerator
        try {
            var PinningTrustManager = Java.use('appcelerator.https.PinningTrustManager');
            PinningTrustManager.checkServerTrusted.implementation = function () {
                console.log('! Intercepted Appcelerator');
            };
    
            console.log('* Setup Appcelerator pinning')
        } catch (err) {
            console.log('* Unable to hook into Appcelerator pinning')
        }
    
         // HttpsUrlConnection
        try {
            var HttpsURLConnection = Java.use('javax.net.ssl.HttpsURLConnection');
            HttpsURLConnection.setDefaultHostnameVerifier.implementation = function (verifier) {
                console.log('* Setup setDefaultHostnameVerifier');
            };
            HttpsURLConnection.setHostnameVerifier.implementation = function (verifier) {
                console.log('* Setup setHostnameVerifier');
            };
            HttpsURLConnection.setSSLSocketFactory.implementation = function (socketFactory) {
                console.log('* Setup setSSLSocketFactory')
            };
        } catch (err) {
            console.log('* Unable to hook into HttpsUrlConnection')
        }
    });
    

    相关文章

      网友评论

          本文标题:frida ssl unpining 脚本

          本文链接:https://www.haomeiwen.com/subject/gbisyctx.html