forked from beau/relab
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
523 lines
26 KiB
523 lines
26 KiB
/*
|
|
* This script combines, fixes & extends a long list of other scripts, most notably including:
|
|
*
|
|
* - https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
|
|
* - https://codeshare.frida.re/@avltree9798/universal-android-ssl-pinning-bypass/
|
|
* - https://pastebin.com/TVJD63uM
|
|
*/
|
|
|
|
setTimeout(function () {
|
|
Java.perform(function () {
|
|
console.log("---");
|
|
console.log("Unpinning Android app...");
|
|
|
|
/// -- Generic hook to protect against SSLPeerUnverifiedException -- ///
|
|
|
|
// In some cases, with unusual cert pinning approaches, or heavy obfuscation, we can't
|
|
// match the real method & package names. This is a problem! Fortunately, we can still
|
|
// always match built-in types, so here we spot all failures that use the built-in cert
|
|
// error type (notably this includes OkHttp), and after the first failure, we dynamically
|
|
// generate & inject a patch to completely disable the method that threw the error.
|
|
try {
|
|
const UnverifiedCertError = Java.use('javax.net.ssl.SSLPeerUnverifiedException');
|
|
UnverifiedCertError.$init.implementation = function (str) {
|
|
console.log(' --> Unexpected SSL verification failure, adding dynamic patch...');
|
|
|
|
try {
|
|
const stackTrace = Java.use('java.lang.Thread').currentThread().getStackTrace();
|
|
const exceptionStackIndex = stackTrace.findIndex(stack =>
|
|
stack.getClassName() === "javax.net.ssl.SSLPeerUnverifiedException"
|
|
);
|
|
const callingFunctionStack = stackTrace[exceptionStackIndex + 1];
|
|
|
|
const className = callingFunctionStack.getClassName();
|
|
const methodName = callingFunctionStack.getMethodName();
|
|
|
|
console.log(` Thrown by ${className}->${methodName}`);
|
|
|
|
const callingClass = Java.use(className);
|
|
const callingMethod = callingClass[methodName];
|
|
|
|
if (callingMethod.implementation) return; // Already patched by Frida - skip it
|
|
|
|
console.log(' Attempting to patch automatically...');
|
|
const returnTypeName = callingMethod.returnType.type;
|
|
|
|
callingMethod.implementation = function () {
|
|
console.log(` --> Bypassing ${className}->${methodName} (automatic exception patch)`);
|
|
|
|
// This is not a perfect fix! Most unknown cases like this are really just
|
|
// checkCert(cert) methods though, so doing nothing is perfect, and if we
|
|
// do need an actual return value then this is probably the best we can do,
|
|
// and at least we're logging the method name so you can patch it manually:
|
|
|
|
if (returnTypeName === 'void') {
|
|
return;
|
|
} else {
|
|
return null;
|
|
}
|
|
};
|
|
|
|
console.log(` [+] ${className}->${methodName} (automatic exception patch)`);
|
|
} catch (e) {
|
|
console.log(' [ ] Failed to automatically patch failure');
|
|
}
|
|
|
|
return this.$init(str);
|
|
};
|
|
console.log('[+] SSLPeerUnverifiedException auto-patcher');
|
|
} catch (err) {
|
|
console.log('[ ] SSLPeerUnverifiedException auto-patcher');
|
|
}
|
|
|
|
/// -- Specific targeted hooks: -- ///
|
|
|
|
// HttpsURLConnection
|
|
try {
|
|
const HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection");
|
|
HttpsURLConnection.setDefaultHostnameVerifier.implementation = function (hostnameVerifier) {
|
|
console.log(' --> Bypassing HttpsURLConnection (setDefaultHostnameVerifier)');
|
|
return; // Do nothing, i.e. don't change the hostname verifier
|
|
};
|
|
console.log('[+] HttpsURLConnection (setDefaultHostnameVerifier)');
|
|
} catch (err) {
|
|
console.log('[ ] HttpsURLConnection (setDefaultHostnameVerifier)');
|
|
}
|
|
try {
|
|
const HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection");
|
|
HttpsURLConnection.setSSLSocketFactory.implementation = function (SSLSocketFactory) {
|
|
console.log(' --> Bypassing HttpsURLConnection (setSSLSocketFactory)');
|
|
return; // Do nothing, i.e. don't change the SSL socket factory
|
|
};
|
|
console.log('[+] HttpsURLConnection (setSSLSocketFactory)');
|
|
} catch (err) {
|
|
console.log('[ ] HttpsURLConnection (setSSLSocketFactory)');
|
|
}
|
|
try {
|
|
const HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection");
|
|
HttpsURLConnection.setHostnameVerifier.implementation = function (hostnameVerifier) {
|
|
console.log(' --> Bypassing HttpsURLConnection (setHostnameVerifier)');
|
|
return; // Do nothing, i.e. don't change the hostname verifier
|
|
};
|
|
console.log('[+] HttpsURLConnection (setHostnameVerifier)');
|
|
} catch (err) {
|
|
console.log('[ ] HttpsURLConnection (setHostnameVerifier)');
|
|
}
|
|
|
|
// SSLContext
|
|
try {
|
|
const X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
|
|
const SSLContext = Java.use('javax.net.ssl.SSLContext');
|
|
|
|
const TrustManager = Java.registerClass({
|
|
// Implement a custom TrustManager
|
|
name: 'dev.asd.test.TrustManager',
|
|
implements: [X509TrustManager],
|
|
methods: {
|
|
checkClientTrusted: function (chain, authType) { },
|
|
checkServerTrusted: function (chain, authType) { },
|
|
getAcceptedIssuers: function () { return []; }
|
|
}
|
|
});
|
|
|
|
// Prepare the TrustManager array to pass to SSLContext.init()
|
|
const TrustManagers = [TrustManager.$new()];
|
|
|
|
// Get a handle on the init() on the SSLContext class
|
|
const SSLContext_init = SSLContext.init.overload(
|
|
'[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom'
|
|
);
|
|
|
|
// Override the init method, specifying the custom TrustManager
|
|
SSLContext_init.implementation = function (keyManager, trustManager, secureRandom) {
|
|
console.log(' --> Bypassing Trustmanager (Android < 7) request');
|
|
SSLContext_init.call(this, keyManager, TrustManagers, secureRandom);
|
|
};
|
|
console.log('[+] SSLContext');
|
|
} catch (err) {
|
|
console.log('[ ] SSLContext');
|
|
}
|
|
|
|
// TrustManagerImpl (Android > 7)
|
|
try {
|
|
const array_list = Java.use("java.util.ArrayList");
|
|
const TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
|
|
|
|
// This step is notably what defeats the most common case: network security config
|
|
TrustManagerImpl.checkTrustedRecursive.implementation = function(a1, a2, a3, a4, a5, a6) {
|
|
console.log(' --> Bypassing TrustManagerImpl checkTrusted ');
|
|
return array_list.$new();
|
|
}
|
|
|
|
TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
|
|
console.log(' --> Bypassing TrustManagerImpl verifyChain: ' + host);
|
|
return untrustedChain;
|
|
};
|
|
console.log('[+] TrustManagerImpl');
|
|
} catch (err) {
|
|
console.log('[ ] TrustManagerImpl');
|
|
}
|
|
|
|
// OkHTTPv3 (quadruple bypass)
|
|
try {
|
|
// Bypass OkHTTPv3 {1}
|
|
const okhttp3_Activity_1 = Java.use('okhttp3.CertificatePinner');
|
|
okhttp3_Activity_1.check.overload('java.lang.String', 'java.util.List').implementation = function (a, b) {
|
|
console.log(' --> Bypassing OkHTTPv3 (list): ' + a);
|
|
return;
|
|
};
|
|
console.log('[+] OkHTTPv3 (list)');
|
|
} catch (err) {
|
|
console.log('[ ] OkHTTPv3 (list)');
|
|
}
|
|
try {
|
|
// Bypass OkHTTPv3 {2}
|
|
// This method of CertificatePinner.check could be found in some old Android app
|
|
const okhttp3_Activity_2 = Java.use('okhttp3.CertificatePinner');
|
|
okhttp3_Activity_2.check.overload('java.lang.String', 'java.security.cert.Certificate').implementation = function (a, b) {
|
|
console.log(' --> Bypassing OkHTTPv3 (cert): ' + a);
|
|
return;
|
|
};
|
|
console.log('[+] OkHTTPv3 (cert)');
|
|
} catch (err) {
|
|
console.log('[ ] OkHTTPv3 (cert)');
|
|
}
|
|
try {
|
|
// Bypass OkHTTPv3 {3}
|
|
const okhttp3_Activity_3 = Java.use('okhttp3.CertificatePinner');
|
|
okhttp3_Activity_3.check.overload('java.lang.String', '[Ljava.security.cert.Certificate;').implementation = function (a, b) {
|
|
console.log(' --> Bypassing OkHTTPv3 (cert array): ' + a);
|
|
return;
|
|
};
|
|
console.log('[+] OkHTTPv3 (cert array)');
|
|
} catch (err) {
|
|
console.log('[ ] OkHTTPv3 (cert array)');
|
|
}
|
|
try {
|
|
// Bypass OkHTTPv3 {4}
|
|
const okhttp3_Activity_4 = Java.use('okhttp3.CertificatePinner');
|
|
okhttp3_Activity_4['check$okhttp'].implementation = function (a, b) {
|
|
console.log(' --> Bypassing OkHTTPv3 ($okhttp): ' + a);
|
|
return;
|
|
};
|
|
console.log('[+] OkHTTPv3 ($okhttp)');
|
|
} catch (err) {
|
|
console.log('[ ] OkHTTPv3 ($okhttp)');
|
|
}
|
|
|
|
// Trustkit (triple bypass)
|
|
try {
|
|
// Bypass Trustkit {1}
|
|
const trustkit_Activity_1 = Java.use('com.datatheorem.android.trustkit.pinning.OkHostnameVerifier');
|
|
trustkit_Activity_1.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (a, b) {
|
|
console.log(' --> Bypassing Trustkit OkHostnameVerifier(SSLSession): ' + a);
|
|
return true;
|
|
};
|
|
console.log('[+] Trustkit OkHostnameVerifier(SSLSession)');
|
|
} catch (err) {
|
|
console.log('[ ] Trustkit OkHostnameVerifier(SSLSession)');
|
|
}
|
|
try {
|
|
// Bypass Trustkit {2}
|
|
const trustkit_Activity_2 = Java.use('com.datatheorem.android.trustkit.pinning.OkHostnameVerifier');
|
|
trustkit_Activity_2.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (a, b) {
|
|
console.log(' --> Bypassing Trustkit OkHostnameVerifier(cert): ' + a);
|
|
return true;
|
|
};
|
|
console.log('[+] Trustkit OkHostnameVerifier(cert)');
|
|
} catch (err) {
|
|
console.log('[ ] Trustkit OkHostnameVerifier(cert)');
|
|
}
|
|
try {
|
|
// Bypass Trustkit {3}
|
|
const trustkit_PinningTrustManager = Java.use('com.datatheorem.android.trustkit.pinning.PinningTrustManager');
|
|
trustkit_PinningTrustManager.checkServerTrusted.implementation = function () {
|
|
console.log(' --> Bypassing Trustkit PinningTrustManager');
|
|
};
|
|
console.log('[+] Trustkit PinningTrustManager');
|
|
} catch (err) {
|
|
console.log('[ ] Trustkit PinningTrustManager');
|
|
}
|
|
|
|
// Appcelerator Titanium
|
|
try {
|
|
const appcelerator_PinningTrustManager = Java.use('appcelerator.https.PinningTrustManager');
|
|
appcelerator_PinningTrustManager.checkServerTrusted.implementation = function () {
|
|
console.log(' --> Bypassing Appcelerator PinningTrustManager');
|
|
};
|
|
console.log('[+] Appcelerator PinningTrustManager');
|
|
} catch (err) {
|
|
console.log('[ ] Appcelerator PinningTrustManager');
|
|
}
|
|
|
|
// OpenSSLSocketImpl Conscrypt
|
|
try {
|
|
const OpenSSLSocketImpl = Java.use('com.android.org.conscrypt.OpenSSLSocketImpl');
|
|
OpenSSLSocketImpl.verifyCertificateChain.implementation = function (certRefs, JavaObject, authMethod) {
|
|
console.log(' --> Bypassing OpenSSLSocketImpl Conscrypt');
|
|
};
|
|
console.log('[+] OpenSSLSocketImpl Conscrypt');
|
|
} catch (err) {
|
|
console.log('[ ] OpenSSLSocketImpl Conscrypt');
|
|
}
|
|
|
|
// OpenSSLEngineSocketImpl Conscrypt
|
|
try {
|
|
const OpenSSLEngineSocketImpl_Activity = Java.use('com.android.org.conscrypt.OpenSSLEngineSocketImpl');
|
|
OpenSSLEngineSocketImpl_Activity.verifyCertificateChain.overload('[Ljava.lang.Long;', 'java.lang.String').implementation = function (a, b) {
|
|
console.log(' --> Bypassing OpenSSLEngineSocketImpl Conscrypt: ' + b);
|
|
};
|
|
console.log('[+] OpenSSLEngineSocketImpl Conscrypt');
|
|
} catch (err) {
|
|
console.log('[ ] OpenSSLEngineSocketImpl Conscrypt');
|
|
}
|
|
|
|
// OpenSSLSocketImpl Apache Harmony
|
|
try {
|
|
const OpenSSLSocketImpl_Harmony = Java.use('org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl');
|
|
OpenSSLSocketImpl_Harmony.verifyCertificateChain.implementation = function (asn1DerEncodedCertificateChain, authMethod) {
|
|
console.log(' --> Bypassing OpenSSLSocketImpl Apache Harmony');
|
|
};
|
|
console.log('[+] OpenSSLSocketImpl Apache Harmony');
|
|
} catch (err) {
|
|
console.log('[ ] OpenSSLSocketImpl Apache Harmony');
|
|
}
|
|
|
|
// PhoneGap sslCertificateChecker (https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin)
|
|
try {
|
|
const phonegap_Activity = Java.use('nl.xservices.plugins.sslCertificateChecker');
|
|
phonegap_Activity.execute.overload('java.lang.String', 'org.json.JSONArray', 'org.apache.cordova.CallbackContext').implementation = function (a, b, c) {
|
|
console.log(' --> Bypassing PhoneGap sslCertificateChecker: ' + a);
|
|
return true;
|
|
};
|
|
console.log('[+] PhoneGap sslCertificateChecker');
|
|
} catch (err) {
|
|
console.log('[ ] PhoneGap sslCertificateChecker');
|
|
}
|
|
|
|
// IBM MobileFirst pinTrustedCertificatePublicKey (double bypass)
|
|
try {
|
|
// Bypass IBM MobileFirst {1}
|
|
const WLClient_Activity_1 = Java.use('com.worklight.wlclient.api.WLClient');
|
|
WLClient_Activity_1.getInstance().pinTrustedCertificatePublicKey.overload('java.lang.String').implementation = function (cert) {
|
|
console.log(' --> Bypassing IBM MobileFirst pinTrustedCertificatePublicKey (string): ' + cert);
|
|
return;
|
|
};
|
|
console.log('[+] IBM MobileFirst pinTrustedCertificatePublicKey (string)');
|
|
} catch (err) {
|
|
console.log('[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)');
|
|
}
|
|
try {
|
|
// Bypass IBM MobileFirst {2}
|
|
const WLClient_Activity_2 = Java.use('com.worklight.wlclient.api.WLClient');
|
|
WLClient_Activity_2.getInstance().pinTrustedCertificatePublicKey.overload('[Ljava.lang.String;').implementation = function (cert) {
|
|
console.log(' --> Bypassing IBM MobileFirst pinTrustedCertificatePublicKey (string array): ' + cert);
|
|
return;
|
|
};
|
|
console.log('[+] IBM MobileFirst pinTrustedCertificatePublicKey (string array)');
|
|
} catch (err) {
|
|
console.log('[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)');
|
|
}
|
|
|
|
// IBM WorkLight (ancestor of MobileFirst) HostNameVerifierWithCertificatePinning (quadruple bypass)
|
|
try {
|
|
// Bypass IBM WorkLight {1}
|
|
const worklight_Activity_1 = Java.use('com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning');
|
|
worklight_Activity_1.verify.overload('java.lang.String', 'javax.net.ssl.SSLSocket').implementation = function (a, b) {
|
|
console.log(' --> Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket): ' + a);
|
|
return;
|
|
};
|
|
console.log('[+] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)');
|
|
} catch (err) {
|
|
console.log('[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)');
|
|
}
|
|
try {
|
|
// Bypass IBM WorkLight {2}
|
|
const worklight_Activity_2 = Java.use('com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning');
|
|
worklight_Activity_2.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (a, b) {
|
|
console.log(' --> Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning (cert): ' + a);
|
|
return;
|
|
};
|
|
console.log('[+] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)');
|
|
} catch (err) {
|
|
console.log('[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)');
|
|
}
|
|
try {
|
|
// Bypass IBM WorkLight {3}
|
|
const worklight_Activity_3 = Java.use('com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning');
|
|
worklight_Activity_3.verify.overload('java.lang.String', '[Ljava.lang.String;', '[Ljava.lang.String;').implementation = function (a, b) {
|
|
console.log(' --> Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning (string string): ' + a);
|
|
return;
|
|
};
|
|
console.log('[+] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)');
|
|
} catch (err) {
|
|
console.log('[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)');
|
|
}
|
|
try {
|
|
// Bypass IBM WorkLight {4}
|
|
const worklight_Activity_4 = Java.use('com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning');
|
|
worklight_Activity_4.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (a, b) {
|
|
console.log(' --> Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession): ' + a);
|
|
return true;
|
|
};
|
|
console.log('[+] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)');
|
|
} catch (err) {
|
|
console.log('[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)');
|
|
}
|
|
|
|
// Conscrypt CertPinManager
|
|
try {
|
|
const conscrypt_CertPinManager_Activity = Java.use('com.android.org.conscrypt.CertPinManager');
|
|
conscrypt_CertPinManager_Activity.isChainValid.overload('java.lang.String', 'java.util.List').implementation = function (a, b) {
|
|
console.log(' --> Bypassing Conscrypt CertPinManager: ' + a);
|
|
return true;
|
|
};
|
|
console.log('[+] Conscrypt CertPinManager');
|
|
} catch (err) {
|
|
console.log('[ ] Conscrypt CertPinManager');
|
|
}
|
|
|
|
// CWAC-Netsecurity (unofficial back-port pinner for Android<4.2) CertPinManager
|
|
try {
|
|
const cwac_CertPinManager_Activity = Java.use('com.commonsware.cwac.netsecurity.conscrypt.CertPinManager');
|
|
cwac_CertPinManager_Activity.isChainValid.overload('java.lang.String', 'java.util.List').implementation = function (a, b) {
|
|
console.log(' --> Bypassing CWAC-Netsecurity CertPinManager: ' + a);
|
|
return true;
|
|
};
|
|
console.log('[+] CWAC-Netsecurity CertPinManager');
|
|
} catch (err) {
|
|
console.log('[ ] CWAC-Netsecurity CertPinManager');
|
|
}
|
|
|
|
// Worklight Androidgap WLCertificatePinningPlugin
|
|
try {
|
|
const androidgap_WLCertificatePinningPlugin_Activity = Java.use('com.worklight.androidgap.plugin.WLCertificatePinningPlugin');
|
|
androidgap_WLCertificatePinningPlugin_Activity.execute.overload('java.lang.String', 'org.json.JSONArray', 'org.apache.cordova.CallbackContext').implementation = function (a, b, c) {
|
|
console.log(' --> Bypassing Worklight Androidgap WLCertificatePinningPlugin: ' + a);
|
|
return true;
|
|
};
|
|
console.log('[+] Worklight Androidgap WLCertificatePinningPlugin');
|
|
} catch (err) {
|
|
console.log('[ ] Worklight Androidgap WLCertificatePinningPlugin');
|
|
}
|
|
|
|
// Netty FingerprintTrustManagerFactory
|
|
try {
|
|
const netty_FingerprintTrustManagerFactory = Java.use('io.netty.handler.ssl.util.FingerprintTrustManagerFactory');
|
|
netty_FingerprintTrustManagerFactory.checkTrusted.implementation = function (type, chain) {
|
|
console.log(' --> Bypassing Netty FingerprintTrustManagerFactory');
|
|
};
|
|
console.log('[+] Netty FingerprintTrustManagerFactory');
|
|
} catch (err) {
|
|
console.log('[ ] Netty FingerprintTrustManagerFactory');
|
|
}
|
|
|
|
// Squareup CertificatePinner [OkHTTP<v3] (double bypass)
|
|
try {
|
|
// Bypass Squareup CertificatePinner {1}
|
|
const Squareup_CertificatePinner_Activity_1 = Java.use('com.squareup.okhttp.CertificatePinner');
|
|
Squareup_CertificatePinner_Activity_1.check.overload('java.lang.String', 'java.security.cert.Certificate').implementation = function (a, b) {
|
|
console.log(' --> Bypassing Squareup CertificatePinner (cert): ' + a);
|
|
return;
|
|
};
|
|
console.log('[+] Squareup CertificatePinner (cert)');
|
|
} catch (err) {
|
|
console.log('[ ] Squareup CertificatePinner (cert)');
|
|
}
|
|
try {
|
|
// Bypass Squareup CertificatePinner {2}
|
|
const Squareup_CertificatePinner_Activity_2 = Java.use('com.squareup.okhttp.CertificatePinner');
|
|
Squareup_CertificatePinner_Activity_2.check.overload('java.lang.String', 'java.util.List').implementation = function (a, b) {
|
|
console.log(' --> Bypassing Squareup CertificatePinner (list): ' + a);
|
|
return;
|
|
};
|
|
console.log('[+] Squareup CertificatePinner (list)');
|
|
} catch (err) {
|
|
console.log('[ ] Squareup CertificatePinner (list)');
|
|
}
|
|
|
|
// Squareup OkHostnameVerifier [OkHTTP v3] (double bypass)
|
|
try {
|
|
// Bypass Squareup OkHostnameVerifier {1}
|
|
const Squareup_OkHostnameVerifier_Activity_1 = Java.use('com.squareup.okhttp.internal.tls.OkHostnameVerifier');
|
|
Squareup_OkHostnameVerifier_Activity_1.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (a, b) {
|
|
console.log(' --> Bypassing Squareup OkHostnameVerifier (cert): ' + a);
|
|
return true;
|
|
};
|
|
console.log('[+] Squareup OkHostnameVerifier (cert)');
|
|
} catch (err) {
|
|
console.log('[ ] Squareup OkHostnameVerifier (cert)');
|
|
}
|
|
try {
|
|
// Bypass Squareup OkHostnameVerifier {2}
|
|
const Squareup_OkHostnameVerifier_Activity_2 = Java.use('com.squareup.okhttp.internal.tls.OkHostnameVerifier');
|
|
Squareup_OkHostnameVerifier_Activity_2.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (a, b) {
|
|
console.log(' --> Bypassing Squareup OkHostnameVerifier (SSLSession): ' + a);
|
|
return true;
|
|
};
|
|
console.log('[+] Squareup OkHostnameVerifier (SSLSession)');
|
|
} catch (err) {
|
|
console.log('[ ] Squareup OkHostnameVerifier (SSLSession)');
|
|
}
|
|
|
|
// Android WebViewClient (double bypass)
|
|
try {
|
|
// Bypass WebViewClient {1} (deprecated from Android 6)
|
|
const AndroidWebViewClient_Activity_1 = Java.use('android.webkit.WebViewClient');
|
|
AndroidWebViewClient_Activity_1.onReceivedSslError.overload('android.webkit.WebView', 'android.webkit.SslErrorHandler', 'android.net.http.SslError').implementation = function (obj1, obj2, obj3) {
|
|
console.log(' --> Bypassing Android WebViewClient (SslErrorHandler)');
|
|
};
|
|
console.log('[+] Android WebViewClient (SslErrorHandler)');
|
|
} catch (err) {
|
|
console.log('[ ] Android WebViewClient (SslErrorHandler)');
|
|
}
|
|
try {
|
|
// Bypass WebViewClient {2}
|
|
const AndroidWebViewClient_Activity_2 = Java.use('android.webkit.WebViewClient');
|
|
AndroidWebViewClient_Activity_2.onReceivedSslError.overload('android.webkit.WebView', 'android.webkit.WebResourceRequest', 'android.webkit.WebResourceError').implementation = function (obj1, obj2, obj3) {
|
|
console.log(' --> Bypassing Android WebViewClient (WebResourceError)');
|
|
};
|
|
console.log('[+] Android WebViewClient (WebResourceError)');
|
|
} catch (err) {
|
|
console.log('[ ] Android WebViewClient (WebResourceError)');
|
|
}
|
|
|
|
// Apache Cordova WebViewClient
|
|
try {
|
|
const CordovaWebViewClient_Activity = Java.use('org.apache.cordova.CordovaWebViewClient');
|
|
CordovaWebViewClient_Activity.onReceivedSslError.overload('android.webkit.WebView', 'android.webkit.SslErrorHandler', 'android.net.http.SslError').implementation = function (obj1, obj2, obj3) {
|
|
console.log(' --> Bypassing Apache Cordova WebViewClient');
|
|
obj3.proceed();
|
|
};
|
|
} catch (err) {
|
|
console.log('[ ] Apache Cordova WebViewClient');
|
|
}
|
|
|
|
// Boye AbstractVerifier
|
|
try {
|
|
const boye_AbstractVerifier = Java.use('ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier');
|
|
boye_AbstractVerifier.verify.implementation = function (host, ssl) {
|
|
console.log(' --> Bypassing Boye AbstractVerifier: ' + host);
|
|
};
|
|
} catch (err) {
|
|
console.log('[ ] Boye AbstractVerifier');
|
|
}
|
|
|
|
// Appmattus
|
|
try {
|
|
const appmatus_Activity = Java.use('com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor');
|
|
appmatus_Activity['intercept'].implementation = function (a) {
|
|
console.log(' --> Bypassing Appmattus (Transparency)');
|
|
return a.proceed(a.request());
|
|
};
|
|
console.log('[+] Appmattus (Transparency)');
|
|
} catch (err) {
|
|
console.log('[ ] Appmattus (Transparency)');
|
|
}
|
|
|
|
console.log("Unpinning setup completed");
|
|
console.log("---");
|
|
});
|
|
|
|
}, 0);
|
|
|