
Commit 140d712

Update Frida scripts for native TLS hook fix
1 parent 04632ef commit 140d712

3 files changed

+131
-131
lines changed


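--- a/overrides/frida/README.md
+++ b/overrides/frida/README.md
@@ -41,7 +41,6 @@ The scripts can automatically handle:
 -l ./android/android-certificate-unpinning.js \
 -l ./android/android-certificate-unpinning-fallback.js \
 -l ./android/android-disable-root-detection.js \
--l ./android/android-disable-flutter-certificate-pinning.js \
 -f $PACKAGE_ID
 ```
 7. Explore, examine & modify all the traffic you're interested in! If you have any problems, please [open an issue](https://github.com/httptoolkit/frida-interception-and-unpinning/issues/new) and help make these scripts even better.
@@ -143,7 +142,7 @@ Each script includes detailed documentation on what it does and how it works in
 
 * `android-disable-flutter-certificate-pinning.js`
 
-Ensures that Flutter-based applications (which generally ignore the system certificate configuration) trust your CA certificate, even in most cases of explicit certificate pinning.
+Ensures that Flutter-based applications (which generally ignore the system certificate configuration) trust your CA certificate, even in most cases of explicit certificate pinning. This script remains experimental for now.
 
 * `ios/`
 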

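--- a/overrides/frida/android/android-disable-flutter-certificate-pinning.js
+++ b/overrides/frida/android/android-disable-flutter-certificate-pinning.js
@@ -23,136 +23,137 @@
 
 (() => {
 const PATTERNS = {
-"android/x64": {
-"dart::bin::SSLCertContext::CertificateCallback": {
-"signatures": [
-"41 57 41 56 53 48 83 ec 10 b8 01 00 00 00 83 ff 01 0f 84 ?? ?? ?? ?? 48 89 f3",
-"41 57 41 56 41 54 53 48 83 ec 18 b8 01 00 00 00 83 ff 01 0f 84 ?? ?? ?? ?? 48 89 f3"
-]
-},
-"X509_STORE_CTX_get_current_cert": {
-"signatures": [
-"48 8b 47 50 c3",
-"48 8b 47 60 c3",
-"48 8b 87 a8 00 00 00 c3",
-"48 8b 87 b8 00 00 00 c3"
-],
-"anchor": "dart::bin::SSLCertContext::CertificateCallback"
-},
-"bssl::x509_to_buffer": {
-"signatures": [
-"41 56 53 50 48 89 f0 48 89 fb 48 89 e6 48 83 26 00 48 89 c7 e8 ?? ?? ?? ?? 85 c0 7e 1b",
-"53 48 83 ec 10 48 89 f0 48 89 fb 48 8d 74 24 08 48 83 26 00 48 89 c7 e8 ?? ?? ?? ?? 85 c0",
-"41 56 53 48 83 ec 18 48 89 f0 48 89 fb 48 8d 74 24 08 48 83 26 00 48 89 c7 e8",
-"41 56 53 48 83 ec 18 48 89 f0 49 89 fe 48 8d 74 24 08 48 83 26 00 48 89 c7 e8",
-"41 57 41 56 53 48 83 ec 10 48 89 f0 49 89 fe 48 89 e6 48 83 26 00 48 89 c7 e8"
-]
-},
-"i2d_X509": {
-"signatures": [
-"55 41 56 53 48 83 ec 70 48 85 ff 0f 84 ?? ?? ?? ?? 48 89 f3 49 89 fe 48 8d 7c 24 40 6a 40",
-"48 8d 15 ?? ?? ?? ?? e9"
-],
-"anchor": "bssl::x509_to_buffer"
-}
-},
-"android/x86": {
-"dart::bin::SSLCertContext::CertificateCallback": {
-"signatures": [
-"55 89 e5 53 57 56 83 e4 f0 83 ec 30 e8 ?? ?? ?? ?? 5b 81 c3 ?? ?? ?? ?? bf 01 00 00 00 83 7d 08 01 0f 84"
-]
-},
-"X509_STORE_CTX_get_current_cert": {
-"signatures": [
-"55 89 e5 83 e4 fc 8b 45 08 8b 40 2c 89 ec 5d c3",
-"55 89 e5 83 e4 fc 8b 45 08 8b 40 34 89 ec 5d c3",
-"55 89 e5 83 e4 fc 8b 45 08 8b 40 5c 89 ec 5d c3",
-"55 89 e5 83 e4 fc 8b 45 08 8b 40 64 89 ec 5d c3"
-],
-"anchor": "dart::bin::SSLCertContext::CertificateCallback"
-},
-"bssl::x509_to_buffer": {
-"signatures": [
-"55 89 e5 53 57 56 83 e4 f0 83 ec 10 89 ce e8 ?? ?? ?? ?? 5b 81 c3 ?? ?? ?? ?? 8d 44 24 08 83 20 00 83 ec 08 50 52",
-"55 89 e5 53 56 83 e4 f0 83 ec 10 89 ce e8 ?? ?? ?? ?? 5b 81 c3 ?? ?? ?? ?? 8d 44 24 0c 83 20 00 83 ec 08 50 52",
-"55 89 e5 53 57 56 83 e4 f0 83 ec 20 89 ce e8 ?? ?? ?? ?? 5b 81 c3 ?? ?? ?? ?? 8d 44 24 14 83 20 00 89 44 24 04 89 14 24"
-]
-},
-"i2d_X509": {
-"signatures": [
-"55 89 e5 53 57 56 83 e4 f0 83 ec 40 e8 ?? ?? ?? ?? 5b 81 c3 ?? ?? ?? ?? 8b 7d 08 85 ff 0f 84 ?? ?? ?? ?? 83 ec 08",
-"55 89 e5 53 83 e4 f0 83 ec 10 e8 ?? ?? ?? ?? 5b 81 c3 ?? ?? ?? ?? 83 ec 04 8d 83 ?? ?? ?? ?? 50 ff 75 0c ff 75 08"
-],
-"anchor": "bssl::x509_to_buffer"
-}
-},
-
-"android/arm64": {
-"dart::bin::SSLCertContext::CertificateCallback": {
-"signatures": [
-"ff c3 00 d1 fe 57 01 a9 f4 4f 02 a9 1f 04 00 71 c0 07 00 54 f3 03 01 aa ?? ?? ?? 94",
-"ff c3 00 d1 fe 57 01 a9 f4 4f 02 a9 1f 04 00 71 c0 02 00 54 f3 03 01 aa ?? ?? ?? 94"
-]
-},
-"X509_STORE_CTX_get_current_cert": {
-"signatures": [
-"00 ?? ?? f9 c0 03 5f d6"
-],
-"anchor": "dart::bin::SSLCertContext::CertificateCallback"
-},
-"bssl::x509_to_buffer": {
-"signatures": [
-"fe 0f 1e f8 f4 4f 01 a9 e1 ?? ?? 91 f3 03 08 aa ff 07 00 f9 ?? ?? ?? 97 1f 04 00 71",
-"fe 0f 1e f8 f4 4f 01 a9 e8 03 01 aa f3 03 00 aa e1 ?? ?? 91 e0 03 08 aa ff 07 00 f9",
-"ff 83 00 d1 fe 4f 01 a9 e1 ?? ?? 91 f3 03 08 aa ff 07 00 f9 ?? ?? ?? 97 1f 00 00 71",
-"ff c3 00 d1 fe 7f 01 a9 f4 4f 02 a9 e1 ?? ?? 91 f3 03 08 aa ?? ?? ?? 97 1f 00 00 71",
-"ff c3 00 d1 fe 7f 01 a9 f4 4f 02 a9 e1 ?? ?? 91 f3 03 08 aa ?? ?? ?? 97 1f 04 00 71"
-]
-},
-"i2d_X509": {
-"signatures": [
-"ff 43 02 d1 fe 57 07 a9 f4 4f 08 a9 a0 06 00 b4 f4 03 00 aa f3 03 01 aa e0 ?? ?? 91",
-"?2 ?? ?? ?? 42 ?? ?? 91 ?? ?? ?? 17"
-],
-"anchor": "bssl::x509_to_buffer"
-}
-},
-"android/arm": {
-"dart::bin::SSLCertContext::CertificateCallback": {
-"signatures": [
-"70 b5 84 b0 01 28 02 d1 01 20 04 b0 70 bd 0c 46 ?? f? ?? f? 00 28 4d d0 20 46 ?? f? ?? f? 05 46 ?? f? ?? f",
-"70 b5 84 b0 01 28 02 d1 01 20 04 b0 70 bd 0c 46 ?? f? ?? f? 00 28 52 d0 20 46 ?? f? ?? f? 06 46 ?? f? ?? f",
-"70 b5 84 b0 01 28 02 d1 01 20 04 b0 70 bd 0c 46 ?? f? ?? f? 00 28 50 d0 20 46 ?? f? ?? f? 06 46 ?? f? ?? f"
-]
+"android/x64": {
+"dart::bin::SSLCertContext::CertificateCallback": {
+"signatures": [
+"41 57 41 56 53 48 83 ec 10 b8 01 00 00 00 83 ff 01 0f 84 ?? ?? ?? ?? 48 89 f3",
+"41 57 41 56 41 54 53 48 83 ec 18 b8 01 00 00 00 83 ff 01 0f 84 ?? ?? ?? ?? 48 89 f3"
+]
+},
+"X509_STORE_CTX_get_current_cert": {
+"signatures": [
+"48 8b 47 50 c3",
+"48 8b 47 60 c3",
+"48 8b 87 a8 00 00 00 c3",
+"48 8b 87 b8 00 00 00 c3"
+],
+"anchor": "dart::bin::SSLCertContext::CertificateCallback"
+},
+"bssl::x509_to_buffer": {
+"signatures": [
+"41 56 53 50 48 89 f0 48 89 fb 48 89 e6 48 83 26 00 48 89 c7 e8 ?? ?? ?? ?? 85 c0 7e 1b",
+"53 48 83 ec 10 48 89 f0 48 89 fb 48 8d 74 24 08 48 83 26 00 48 89 c7 e8 ?? ?? ?? ?? 85 c0",
+"41 56 53 48 83 ec 18 48 89 f0 48 89 fb 48 8d 74 24 08 48 83 26 00 48 89 c7 e8",
+"41 56 53 48 83 ec 18 48 89 f0 49 89 fe 48 8d 74 24 08 48 83 26 00 48 89 c7 e8",
+"41 57 41 56 53 48 83 ec 10 48 89 f0 49 89 fe 48 89 e6 48 83 26 00 48 89 c7 e8"
+]
+},
+"i2d_X509": {
+"signatures": [
+"55 41 56 53 48 83 ec 70 48 85 ff 0f 84 ?? ?? ?? ?? 48 89 f3 49 89 fe 48 8d 7c 24 40 6a 40",
+"48 8d 15 ?? ?? ?? ?? e9"
+],
+"anchor": "bssl::x509_to_buffer"
+}
 },
-"X509_STORE_CTX_get_current_cert": {
-"signatures": [
-"c0 6a 70 47",
-"40 6b 70 47",
-"c0 6d 70 47",
-"40 6e 70 47"
-],
-"anchor": "dart::bin::SSLCertContext::CertificateCallback"
+"android/x86": {
+"dart::bin::SSLCertContext::CertificateCallback": {
+"signatures": [
+"55 89 e5 53 57 56 83 e4 f0 83 ec 30 e8 ?? ?? ?? ?? 5b 81 c3 ?? ?? ?? ?? bf 01 00 00 00 83 7d 08 01 0f 84"
+]
+},
+"X509_STORE_CTX_get_current_cert": {
+"signatures": [
+"55 89 e5 83 e4 fc 8b 45 08 8b 40 2c 89 ec 5d c3",
+"55 89 e5 83 e4 fc 8b 45 08 8b 40 34 89 ec 5d c3",
+"55 89 e5 83 e4 fc 8b 45 08 8b 40 5c 89 ec 5d c3",
+"55 89 e5 83 e4 fc 8b 45 08 8b 40 64 89 ec 5d c3"
+],
+"anchor": "dart::bin::SSLCertContext::CertificateCallback"
+},
+"bssl::x509_to_buffer": {
+"signatures": [
+"55 89 e5 53 57 56 83 e4 f0 83 ec 10 89 ce e8 ?? ?? ?? ?? 5b 81 c3 ?? ?? ?? ?? 8d 44 24 08 83 20 00 83 ec 08 50 52",
+"55 89 e5 53 56 83 e4 f0 83 ec 10 89 ce e8 ?? ?? ?? ?? 5b 81 c3 ?? ?? ?? ?? 8d 44 24 0c 83 20 00 83 ec 08 50 52",
+"55 89 e5 53 57 56 83 e4 f0 83 ec 20 89 ce e8 ?? ?? ?? ?? 5b 81 c3 ?? ?? ?? ?? 8d 44 24 14 83 20 00 89 44 24 04 89 14 24"
+]
+},
+"i2d_X509": {
+"signatures": [
+"55 89 e5 53 57 56 83 e4 f0 83 ec 40 e8 ?? ?? ?? ?? 5b 81 c3 ?? ?? ?? ?? 8b 7d 08 85 ff 0f 84 ?? ?? ?? ?? 83 ec 08",
+"55 89 e5 53 83 e4 f0 83 ec 10 e8 ?? ?? ?? ?? 5b 81 c3 ?? ?? ?? ?? 83 ec 04 8d 83 ?? ?? ?? ?? 50 ff 75 0c ff 75 08"
+],
+"anchor": "bssl::x509_to_buffer"
+}
 },
-"bssl::x509_to_buffer": {
-"signatures": [
-"bc b5 00 25 0a 46 01 95 01 a9 04 46 10 46 ?? f? ?? f? 01 28 08 db 01 46 01 98 00 22 ?? f? ?? f? 05 46 01 98",
-"bc b5 00 25 0a 46 01 95 01 a9 04 46 10 46 ?? f? ?? f? 00 28 09 dd 01 46 01 98 00 22 ?? f? ?? f? 20 60 01 98",
-"7c b5 00 26 0a 46 01 96 01 a9 04 46 10 46 ?? f? ?? f? 00 28 0e dd 01 46 01 98 00 22 ?? f? ?? f? 05 46 01 98",
-"7c b5 00 26 0a 46 01 96 01 a9 04 46 10 46 ?? f? ?? f? 01 28 0d db 01 46 01 98 00 22 ?? f? ?? f? 05 46 01 98",
-"7c b5 00 26 0a 46 01 96 01 a9 04 46 10 46 ?? f? ?? f? 01 28 0e db 01 46 01 98 00 22 ?? f? ?? f? 05 46 00 90"
-]
+"android/arm64": {
+"dart::bin::SSLCertContext::CertificateCallback": {
+"signatures": [
+"ff c3 00 d1 fe 57 01 a9 f4 4f 02 a9 1f 04 00 71 c0 07 00 54 f3 03 01 aa ?? ?? ?? 94 e0 07 00 b4 e0 03 13 aa",
+"ff c3 00 d1 fe 57 01 a9 f4 4f 02 a9 1f 04 00 71 c0 02 00 54 f3 03 01 aa ?? ?? ?? 94 00 0a 00 b4 e0 03 13 aa",
+"ff c3 00 d1 fe 57 01 a9 f4 4f 02 a9 1f 04 00 71 c0 02 00 54 f3 03 01 aa ?? ?? ?? 94 c0 09 00 b4 e0 03 13 aa"
+]
+},
+"X509_STORE_CTX_get_current_cert": {
+"signatures": [
+"00 ?? ?? f9 c0 03 5f d6"
+],
+"anchor": "dart::bin::SSLCertContext::CertificateCallback"
+},
+"bssl::x509_to_buffer": {
+"signatures": [
+"fe 0f 1e f8 f4 4f 01 a9 e1 ?? ?? 91 f3 03 08 aa ff 07 00 f9 ?? ?? ?? 97 1f 04 00 71 6b 01 00 54 e8 ?? ?? f9",
+"fe 0f 1e f8 f4 4f 01 a9 e8 03 01 aa f3 03 00 aa e1 ?? ?? 91 e0 03 08 aa ff 07 00 f9 ?? ?? ?? 97 1f 04 00 71",
+"fe 0f 1e f8 f4 4f 01 a9 e1 ?? ?? 91 f3 03 08 aa ff 07 00 f9 ?? ?? ?? 97 1f 04 00 71 4b 01 00 54 e8 ?? ?? f9",
+"ff 83 00 d1 fe 4f 01 a9 e1 ?? ?? 91 f3 03 08 aa ff 07 00 f9 ?? ?? ?? 97 1f 00 00 71 6d 01 00 54 e8 ?? ?? f9",
+"ff c3 00 d1 fe 7f 01 a9 f4 4f 02 a9 e1 ?? ?? 91 f3 03 08 aa ?? ?? ?? 97 1f 00 00 71 cd 01 00 54 e8 ?? ?? f9",
+"ff c3 00 d1 fe 7f 01 a9 f4 4f 02 a9 e1 ?? ?? 91 f3 03 08 aa ?? ?? ?? 97 1f 04 00 71 ab 01 00 54 e8 ?? ?? f9",
+"ff c3 00 d1 fe 7f 01 a9 f4 4f 02 a9 e1 ?? ?? 91 f3 03 08 aa ?? ?? ?? 97 1f 04 00 71 6b 01 00 54 e8 ?? ?? f9"
+]
+},
+"i2d_X509": {
+"signatures": [
+"ff 43 02 d1 fe 57 07 a9 f4 4f 08 a9 a0 06 00 b4 f4 03 00 aa f3 03 01 aa e0 ?? ?? 91 01 08 80 52 ?? ?? ?? 97",
+"?2 ?? ?? ?? 42 ?? ?? 91 ?? ?? ?? 17"
+],
+"anchor": "bssl::x509_to_buffer"
+}
 },
-"i2d_X509": {
-"signatures": [
-"70 b5 8e b0 00 28 4f d0 05 46 08 a8 0c 46 40 21 ?? f? ?? f? 00 28 43 d0 2a 4a 08 a8 02 a9 ?? f? ?? f? e8 b3",
-"01 4a 7a 44 ?? f? ?? b"
-],
-"anchor": "bssl::x509_to_buffer"
+"android/arm": {
+"dart::bin::SSLCertContext::CertificateCallback": {
+"signatures": [
+"70 b5 84 b0 01 28 02 d1 01 20 04 b0 70 bd 0c 46 ?? f? ?? f? 00 28 4d d0 20 46 ?? f? ?? f? 05 46 ?? f? ?? f",
+"70 b5 84 b0 01 28 02 d1 01 20 04 b0 70 bd 0c 46 ?? f? ?? f? 00 28 52 d0 20 46 ?? f? ?? f? 06 46 ?? f? ?? f",
+"70 b5 84 b0 01 28 02 d1 01 20 04 b0 70 bd 0c 46 ?? f? ?? f? 00 28 50 d0 20 46 ?? f? ?? f? 06 46 ?? f? ?? f"
+]
+},
+"X509_STORE_CTX_get_current_cert": {
+"signatures": [
+"c0 6a 70 47",
+"40 6b 70 47",
+"c0 6d 70 47",
+"40 6e 70 47"
+],
+"anchor": "dart::bin::SSLCertContext::CertificateCallback"
+},
+"bssl::x509_to_buffer": {
+"signatures": [
+"bc b5 00 25 0a 46 01 95 01 a9 04 46 10 46 ?? f? ?? f? 01 28 08 db 01 46 01 98 00 22 ?? f? ?? f? 05 46 01 98",
+"bc b5 00 25 0a 46 01 95 01 a9 04 46 10 46 ?? f? ?? f? 00 28 09 dd 01 46 01 98 00 22 ?? f? ?? f? 20 60 01 98",
+"7c b5 00 26 0a 46 01 96 01 a9 04 46 10 46 ?? f? ?? f? 00 28 0e dd 01 46 01 98 00 22 ?? f? ?? f? 05 46 01 98",
+"7c b5 00 26 0a 46 01 96 01 a9 04 46 10 46 ?? f? ?? f? 01 28 0d db 01 46 01 98 00 22 ?? f? ?? f? 05 46 01 98",
+"7c b5 00 26 0a 46 01 96 01 a9 04 46 10 46 ?? f? ?? f? 01 28 0e db 01 46 01 98 00 22 ?? f? ?? f? 05 46 00 90"
+]
+},
+"i2d_X509": {
+"signatures": [
+"70 b5 8e b0 00 28 4f d0 05 46 08 a8 0c 46 40 21 ?? f? ?? f? 00 28 43 d0 2a 4a 08 a8 02 a9 ?? f? ?? f? e8 b3",
+"01 4a 7a 44 ?? f? ?? b"
+],
+"anchor": "bssl::x509_to_buffer"
+}
 }
-}
-}
-
+};
 
 const MAX_ANCHOR_INSTRUCTIONS_TO_SCAN = 100;
 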
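Review bot: The arm64 byte patterns extended in this hunk (the `"dart::bin::SSLCertContext::CertificateCallback"`, `"bssl::x509_to_buffer"` and `"i2d_X509"` lists inside the new `"android/arm64"` block) carry no record of which Flutter engine builds each variant was captured from, so a maintainer cannot tell which of the now seven `x509_to_buffer` variants are still live, or why three `CertificateCallback` patterns that differ only in a few bytes are all needed. A short comment above each `"signatures"` list, e.g. `// TODO(owner): record the Flutter/Dart engine version each variant below was captured from`, would make a future matching failure triageable against a specific engine release. The added `};` closes the object literal explicitly where the old code relied on automatic semicolon insertion, which is a sound change; the IIFE opened at `(() => {` continues past the end of the hunk.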

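--- a/overrides/frida/native-tls-hook.js
+++ b/overrides/frida/native-tls-hook.js
@@ -99,9 +99,9 @@ function patchTargetLib(targetModule, targetName) {
 
 const buildVerificationCallback = (realCallbackAddr) => {
 if (!verificationCallbackCache[realCallbackAddr]) {
-const realCallback = (!realCallbackAddr || realCallbackAddr.isNull())
-? new NativeFunction(realCallbackAddr, 'int', ['pointer','pointer'])
-: () => SSL_VERIFY_INVALID; // Callback can be null - treat as invalid (=our validation only)
+const realCallback = (realCallbackAddr && !realCallbackAddr.isNull())
+? new NativeFunction(realCallbackAddr, 'int', ['pointer', 'pointer'])
+: () => SSL_VERIFY_INVALID;
 
 let pendingCheckThreads = new Set();
 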