-
Notifications
You must be signed in to change notification settings - Fork 19
/
unpin.js
128 lines (102 loc) · 3.52 KB
/
unpin.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
/* Frida script for SSL stripping */
Java.perform(function() {
var array_list = Java.use("java.util.ArrayList");
var ApiClient = Java.use("com.android.org.conscrypt.TrustManagerImpl")
try {
ApiClient.verifyChain.implementation = function(untrust, trustanchor, host, cauth, oscp, sctdata) {
console.log("intercepted trustmanager");
return untrust;
}
} catch (err){
}
try {
var CertPin = Java.use("okhttp3.CertificatePinner");
CertPin.check.overload("java.lang.String", "java.util.List").implementation = function(str) {
console.log("intercept okhttp3 " + str);
return;
}
CertPin.check.overload("java.lang.String", "[Ljava.security.cert.Certificate;").implementation = function(p0,p1) {
console.log("intercept okhttp3 cert");
return;
}
} catch (err) {
}
try {
//fb pinning
var FBPin = Java.use("com.facebook.netlite.certificatepinning.internal.FbPinningTrustManager");
FBPin.checkServerTrusted.implementation = function(a0, a1) {
console.log("FB pin");
return;
}
} catch (err) {
}
//linked in libcurl
var sos=[];
var libs = ["libdialogui.so", "libavatars.so", "libcurl.so",
"libovrplatform.so", "libovrplatform_64.so", "libovrplatformplugin.so",
"libhome.so"];
for(var x in libs) {
var attach = Module.findExportByName(libs[x], "curl_easy_setopt");
console.log(libs[x] + " -> " + attach);
if(!attach) continue;
console.log("found module for " + libs[x]);
sos[libs[x]] = Interceptor.attach(attach, {
onEnter: function(args) {
console.log("setopt called" + JSON.stringify(args));
},
onLeave: function(retval) {
console.log("setopt over")
}
});
}
const System = Java.use('java.lang.System');
const Runtime = Java.use('java.lang.Runtime');
const VMStack = Java.use('dalvik.system.VMStack');
System.loadLibrary.implementation = function(library) {
console.log("System.loadLibrary('" + library + "')");
try {
const loaded = Runtime.getRuntime().loadLibrary0(VMStack.getCallingClassLoader(), library)
return loaded;
} catch(err) {
console.log(err);
}
}
System.load.implementation = function(library) {
console.log("System.load('" + library + "')");
try {
const loaded = Runtime.getRuntime().load0(VMStack.getCallingClassLoader(), library)
return loaded;
} catch(err) {
console.log(err);
}
}
function hookCurlSetOpt(address) {
Interceptor.attach(address, {
onEnter: function(args) {
if (args[1] == 81) {
console.log("CURLOPT_SSL_VERIFYHOST -> 0")
this.context.r2 = 0
}
if (args[1] == 64) {
console.log("CURLOPT_SSL_VERIFYPEER -> 0")
this.context.r2 = 0
}
if (args[1] == 10230) {
console.log("CURLOPT_PINNEDPUBLICKEY -> 0")
this.context.r2 = 0
}
}
});
}
function hookModuleHelper(name, offset, handler) {
var base = Module.findBaseAddress(name)
console.log(name + " @ " + base);
if (base == null) return;
var target = base.add(offset);
handler(target);
}
//Statically linked libcurl. Need to manually update the offsets for now
hookModuleHelper("libovrplatform.so", 0xea49c-0x10000 +1, hookCurlSetOpt)
hookModuleHelper("libhome.so", 0x57407c-0x10000 +1, hookCurlSetOpt)
hookModuleHelper("libavatars.so", 0x9e460-0x10000 , hookCurlSetOpt)
}, 0);