diff --git a/CHANGELOG.md b/CHANGELOG.md index 515ae5f..e598a01 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.1.0] - 2023-06-27 + +### Added + +- **Pinning**: Initial Release. + ## [1.0.3] - 2023-06-20 ### Added @@ -38,6 +44,7 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). - Initial Release. +[1.1.0]: https://github.com/hyugogirubato/Frida-CodeShare/releases/tag/v1.1.0 [1.0.3]: https://github.com/hyugogirubato/Frida-CodeShare/releases/tag/v1.0.3 [1.0.2]: https://github.com/hyugogirubato/Frida-CodeShare/releases/tag/v1.0.2 [1.0.1]: https://github.com/hyugogirubato/Frida-CodeShare/releases/tag/v1.0.1 diff --git a/scripts/android-pinning/README.md b/scripts/android-pinning/README.md new file mode 100644 index 0000000..c3d97f0 --- /dev/null +++ b/scripts/android-pinning/README.md 
@@ -0,0 +1,65 @@ +# Android SSL Pinning + +Android SSL Pinning is a Frida script designed to bypass SSL pinning in Android applications. It uses the Frida +framework to dynamically patch the SSL pinning methods in the target app and allow interception of SSL/TLS traffic. + +## Usage + +To use the script, follow these steps: + +1. Install Frida on your device or emulator. + +2. Connect your device or emulator to your computer. + +3. Run the following command to start the script: + +````shell +frida -D "DEVICE" -l "pinning.js" -f "PACKAGE" +```` + +Replace "DEVICE" with the device or emulator ID and "PACKAGE" with the package name of the target application. + +## Customization + +The script provides a `MODE` object that allows you to customize which SSL pinning methods to target. By setting the +corresponding property to `true`, you can enable or disable the patching for specific SSL pinning methods. + +```javascript +const MODE = { + SSLPeerUnverifiedException: true, + HttpsURLConnection: true, + SSLContext: true, + TrustManagerImpl: true, + OkHTTPv3: true, + // Add or remove other SSL pinning methods as needed +}; +``` + +You can modify the `MODE` object to fit your specific needs. + +## Output + +The script will print detailed information about the patched SSL pinning methods to the console. Each intercepted SSL +pinning method will be displayed with its corresponding class and method name. 
+ +Example output: + +``` +--> SSLPeerUnverifiedException [com.example.app.MainActivity.login] +--> HttpsURLConnection [DefaultHostnameVerifier] +--> HttpsURLConnection [SSLSocketFactory] +--> HttpsURLConnection [HostnameVerifier] +--> TrustManager [SSLContext] (Android < 7) +--> TrustManagerImpl [TrustedRecursive] (Android > 7): example.com +--> TrustManagerImpl [verifyChain] (Android > 7): example.com +--> OkHTTPv3 [List]: example.com +--> OkHTTPv3 [Certificate]: example.com +--> OkHTTPv3 [Array]: example.com +--> OkHTTPv3 [Function]: example.com +``` + +This output indicates the SSL pinning methods that have been successfully intercepted and patched. + +## License + +This project is licensed under the [GPL v3 License](https://github.com/hyugogirubato/Frida-CodeShare/blob/main/LICENSE). \ No newline at end of file diff --git a/scripts/android-pinning/pinning.js b/scripts/android-pinning/pinning.js index e66b7e8..c60dfaf 100644 --- a/scripts/android-pinning/pinning.js +++ b/scripts/android-pinning/pinning.js @@ -1,10 +1,10 @@ /**@@@+++@@@@****************************************************************** ** - ** Android SSL Pinning frida script vBETA hyugogirubato + ** Android SSL Pinning frida script v1.0 hyugogirubato ** ** frida -D "DEVICE" -l "pinning.js" -f "PACKAGE" ** - ** Update: Beta version preview. + ** Update: Dynamic error support. ** ***@@@---@@@@****************************************************************** */ @@ -67,6 +67,14 @@ const rudimentaryFix = (typeName) => { } } +const loadJava = (library) => { + try { + return Java.use(library); + } catch (e) { + return undefined; + } +} + setTimeout(function () { console.log("---"); 
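Review bot: `loadJava` discards the caught error and returns `undefined`, so a class that is simply absent from the app and an unexpected failure inside `Java.use` look identical to the caller. The call sites visible in this diff dereference the result inside their own `try`, so the `[ ]` status line is actually produced by the follow-on `TypeError` and the original reason is lost. A JSDoc line would make that contract explicit, for example `/** Returns the Java.use wrapper for library, or undefined when it cannot be resolved; dereference the result only inside try/catch. */`.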
@@ -82,6 +90,7 @@ setTimeout(function () { UnverifiedCertError.$init.implementation = function (str) { console.log(`${COLORS.red}[!] Unexpected SSLPeerUnverifiedException occurred, trying to patch it dynamically...${COLORS.reset}`); + let className, methodName, callingMethod, returnTypeName; try { const stackTrace = Java.use("java.lang.Thread").currentThread().getStackTrace(); const exceptionStackIndex = stackTrace.findIndex(stack => @@ -95,11 +104,10 @@ setTimeout(function () { // Retrieve the method raising the SSLPeerUnverifiedException const callingFunctionStack = stackTrace[exceptionStackIndex + 1]; - const className = callingFunctionStack.getClassName(); - const methodName = callingFunctionStack.getMethodName(); + className = callingFunctionStack.getClassName(); + methodName = callingFunctionStack.getMethodName(); const callingClass = Java.use(className); - const callingMethod = callingClass[methodName]; - console.log(`${COLORS.red}[!] Attempting to bypass uncommon SSL Pinning method on: ${className}.${methodName}${COLORS.reset}`); + callingMethod = callingClass[methodName]; // Skip it when already patched by Frida if (callingMethod.implementation) { @@ -107,10 +115,11 @@ setTimeout(function () { } // Trying to patch the uncommon SSL Pinning method via implementation - const returnTypeName = callingMethod.returnType.type; + returnTypeName = callingMethod.returnType.type; callingMethod.implementation = function () { rudimentaryFix(returnTypeName); }; + console.log(`${colorKey} --> SSLPeerUnverifiedException [${className}.${methodName}]${COLORS.reset}`); } catch (e) { // Dynamic patching via implementation does not works, then trying via function overloading console.log(`${COLORS.red}[!] The uncommon SSL Pinning method has more than one overload${COLORS.reset}`); 
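Review bot: Hoisting `className`, `methodName`, `callingMethod` and `returnTypeName` with `let` makes them visible to `catch (e)`, but they are only assigned partway through the `try` (in the next hunk). An exception raised earlier, for example by `getStackTrace()` or `Java.use(className)`, therefore reaches the handler with some of them still `undefined`. The handler body is only partly visible here, but it logs `${className}.${methodName}` and calls `callingMethod.overload(...)`, so it would either print `undefined.undefined` or throw a second `TypeError` from inside the hooked constructor. A guard at the top of the handler, `if (callingMethod === undefined) return this.$init(str);`, would let the original exception be constructed normally in that case.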
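Review bot: The added success line interpolates `colorKey`, but no `const colorKey = randomColor();` for the SSLPeerUnverifiedException block appears in any hunk of this diff, whereas the other `MODE` blocks show it as context. If it is not declared in the unchanged lines above, the template literal throws a `ReferenceError` inside the `try`, and the handler would presumably then report a patch that had already been applied as an overload failure. Worth confirming the declaration exists in this block; the same identifier is used by the success line added in the `-122` hunk.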
@@ -122,7 +131,6 @@ setTimeout(function () { if (extractedOverload.includes(",")) { // Go here if overloaded method has multiple arguments (NOTE: max 6 args are covered here) const argList = extractedOverload.split(", "); - console.log(`${COLORS.red}[!] Attempting overload of ${className}.${methodName} with arguments: ${extractedOverload}${COLORS.reset}`); // Overload the method based on the number of arguments callingMethod.overload(...argList).implementation = function (...args) { @@ -135,24 +143,24 @@ setTimeout(function () { }; } } + console.log(`${colorKey} --> SSLPeerUnverifiedException [${className}.${methodName}]${COLORS.reset}`); } else { - console.log(`${COLORS.yellow}[-] Failed to dynamically patch SSLPeerUnverifiedException ${e}${COLORS.reset}`); + console.log(`${COLORS.red}[!] Failed to dynamically patch SSLPeerUnverifiedException ${e}${COLORS.reset}`); } } return this.$init(str); } - console.log("[+] SSLPeerUnverifiedException"); } catch (e) { - console.log("[ ] SSLPeerUnverifiedException"); + console.log(`${COLORS.red}[!] Failed to dynamically patch SSLPeerUnverifiedException ${e}${COLORS.reset}`); } } if (MODE.HttpsURLConnection) { const colorKey = randomColor(); + const HttpsURLConnection = loadJava("javax.net.ssl.HttpsURLConnection"); try { - const HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection"); HttpsURLConnection.setDefaultHostnameVerifier.implementation = function (hostnameVerifier) { - console.log(" --> Bypassing HttpsURLConnection (setDefaultHostnameVerifier)"); + console.log(`${colorKey} --> HttpsURLConnection [DefaultHostnameVerifier]${COLORS.reset}`); }; console.log("[+] HttpsURLConnection [DefaultHostnameVerifier]"); } catch (e) { 
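Review bot: The outer `catch (e)` now prints the same text as the inner failure branch, `Failed to dynamically patch SSLPeerUnverifiedException`, so a failure to install the `$init` hook at start-up cannot be told apart from a failed runtime patch attempt. The install-time `[+] SSLPeerUnverifiedException` line was also removed, which leaves this as the only block without a `[+]`/`[ ]` status at load. I would keep `console.log("[+] SSLPeerUnverifiedException");` after the assignment and give the outer handler its own wording. Because the "Attempting to bypass…" line was dropped, the inner message should also carry `${className}.${methodName}` so the log still records which method was involved.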
@@ -160,22 +168,20 @@ setTimeout(function () { } try { - const HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection"); HttpsURLConnection.setSSLSocketFactory.implementation = function (SSLSocketFactory) { - console.log(" --> Bypassing HttpsURLConnection (setSSLSocketFactory)"); + console.log(`${colorKey} --> HttpsURLConnection [SSLSocketFactory]${COLORS.reset}`); }; console.log("[+] HttpsURLConnection [SSLSocketFactory]"); - } catch (err) { + } catch (e) { console.log("[ ] HttpsURLConnection [SSLSocketFactory]"); } try { - const HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection"); HttpsURLConnection.setHostnameVerifier.implementation = function (hostnameVerifier) { - console.log(" --> Bypassing HttpsURLConnection (setHostnameVerifier)"); + console.log(`${colorKey} --> HttpsURLConnection [HostnameVerifier]${COLORS.reset}`); }; console.log("[+] HttpsURLConnection [HostnameVerifier]"); - } catch (err) { + } catch (e) { console.log("[ ] HttpsURLConnection [HostnameVerifier]"); } @@ -209,7 +215,7 @@ setTimeout(function () { const SSLContext_init = SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom"); // Override the init method, specifying the custom TrustManager SSLContext_init.implementation = function (keyManager, trustManager, secureRandom) { - console.log("[+] Bypassing Trustmanager (Android < 7) pinner"); + console.log(`${colorKey} --> TrustManager [SSLContext] (Android < 7)${COLORS.reset}`); SSLContext_init.call(this, keyManager, TrustManagers, secureRandom); }; console.log("[+] TrustManager [SSLContext] (Android < 7)"); 
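Review bot: Each hook spells its label three times, in the `-->` runtime line and in the `[+]` and `[ ]` status lines, so the strings can drift apart again; this commit already had to realign the Conscrypt and TrustManagerImpl labels for that reason. Binding the label once per hook, e.g. `const label = "HttpsURLConnection [SSLSocketFactory]";`, and logging `[+] ${label}` and `[ ] ${label}` would keep them in step. The replacement callbacks also ignore their only parameter; a one-line comment saying the setter call is deliberately discarded would make that intent clear to the next reader.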
@@ -221,12 +227,12 @@ setTimeout(function () { if (MODE.TrustManagerImpl) { // TrustManagerImpl (Android > 7) const colorKey = randomColor(); - const TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl"); + const TrustManagerImpl = loadJava("com.android.org.conscrypt.TrustManagerImpl"); try { - const array_list = Java.use("java.util.ArrayList"); + const ArrayList = Java.use("java.util.ArrayList"); TrustManagerImpl.checkTrustedRecursive.implementation = function (certs, ocspData, tlsSctData, host, clientAuth, untrustedChain, trustAnchorChain, used) { - console.log(`[+] Bypassing TrustManagerImpl (Android > 7) checkTrustedRecursive check: ${host}`); - return array_list.$new(); + console.log(`${colorKey} --> TrustManagerImpl [TrustedRecursive] (Android > 7): ${host}${COLORS.reset}`); + return ArrayList.$new(); }; console.log("[+] TrustManagerImpl [TrustedRecursive] (Android > 7)"); } catch (e) { 
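Review bot: The runtime log line interpolates `host` directly into a string written to the operator's terminal alongside raw ANSI colour sequences, and that value is supplied by the instrumented app. When the app under analysis is itself untrusted, control characters in the value can rewrite or hide terminal output. Quoting it, e.g. `${JSON.stringify(String(host))}`, neutralises them. The same applies to the `${a}`, `${b}`, `${cert}` and `${hostName}` interpolations in the later hunks. The enclosing `setTimeout` callback starts and ends outside this hunk.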
@@ -235,22 +241,21 @@ setTimeout(function () { try { TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) { - console.log(`[+] Bypassing TrustManagerImpl (Android > 7) verifyChain check: ${host}`); + console.log(`${colorKey} --> TrustManagerImpl [verifyChain] (Android > 7): ${host}${COLORS.reset}`); return untrustedChain; }; - console.log("[+] TrustManagerImpl (Android > 7) [verifyChain]"); + console.log("[+] TrustManagerImpl [verifyChain] (Android > 7)"); } catch (e) { - console.log("[ ] TrustManagerImpl (Android > 7) [verifyChain]"); + console.log("[ ] TrustManagerImpl [verifyChain] (Android > 7)"); } } if (MODE.OkHTTPv3) { const colorKey = randomColor(); - const CertificatePinner = Java.use("okhttp3.CertificatePinner"); - + const CertificatePinner = loadJava("okhttp3.CertificatePinner"); try { CertificatePinner.check.overload("java.lang.String", "java.util.List").implementation = function (a, b) { - console.log("[+] Bypassing OkHTTPv3 {1}: " + a); + console.log(`${colorKey} --> OkHTTPv3 [List]: ${a}${COLORS.reset}`); }; console.log("[+] OkHTTPv3 [List]"); } catch (e) { @@ -259,7 +264,7 @@ setTimeout(function () { try { CertificatePinner.check.overload("java.lang.String", "java.security.cert.Certificate").implementation = function (a, b) { - console.log("[+] Bypassing OkHTTPv3 {2}: " + a); + console.log(`${colorKey} --> OkHTTPv3 [Certificate]: ${a}${COLORS.reset}`); }; console.log("[+] OkHTTPv3 [Certificate]"); } catch (e) { @@ -268,7 +273,7 @@ setTimeout(function () { try { CertificatePinner.check.overload("java.lang.String", "[Ljava.security.cert.Certificate;").implementation = function (a, b) { - console.log("[+] Bypassing OkHTTPv3 {3}: " + a); + console.log(`${colorKey} --> OkHTTPv3 [Array]: ${a}${COLORS.reset}`); }; console.log("[+] OkHTTPv3 [Array]"); } catch (e) { 
@@ -277,7 +282,7 @@ setTimeout(function () { try { CertificatePinner.check$okhttp.overload("java.lang.String", "kotlin.jvm.functions.Function0").implementation = function (a, b) { - console.log("[+] Bypassing OkHTTPv3 {4}: " + a); + console.log(`${colorKey} --> OkHTTPv3 [Function]: ${a}${COLORS.reset}`); }; console.log("[+] OkHTTPv3 [Function]"); } catch (e) { @@ -287,12 +292,11 @@ setTimeout(function () { if (MODE.Trustkit) { const colorKey = randomColor(); - const OkHostnameVerifier = Java.use("com.datatheorem.android.trustkit.pinning.OkHostnameVerifier"); - const PinningTrustManager = Java.use("com.datatheorem.android.trustkit.pinning.PinningTrustManager"); - + const OkHostnameVerifier = loadJava("com.datatheorem.android.trustkit.pinning.OkHostnameVerifier"); + const PinningTrustManager = loadJava("com.datatheorem.android.trustkit.pinning.PinningTrustManager"); try { OkHostnameVerifier.verify.overload("java.lang.String", "javax.net.ssl.SSLSession").implementation = function (a, b) { - console.log("[+] Bypassing Trustkit {1}: " + a); + console.log(`${colorKey} --> Trustkit OkHostnameVerifier [SSLSession]: ${a}${COLORS.reset}`); return true; }; console.log("[+] Trustkit OkHostnameVerifier [SSLSession]"); @@ -302,7 +306,7 @@ setTimeout(function () { try { OkHostnameVerifier.verify.overload("java.lang.String", "java.security.cert.X509Certificate").implementation = function (a, b) { - console.log("[+] Bypassing Trustkit {2}: " + a); + console.log(`${colorKey} --> Trustkit OkHostnameVerifier [X509Certificate]: ${a}${COLORS.reset}`); return true; }; console.log("[+] Trustkit OkHostnameVerifier [X509Certificate]"); 
@@ -312,7 +316,7 @@ setTimeout(function () { try { PinningTrustManager.checkServerTrusted.overload("[Ljava.security.cert.X509Certificate;", "java.lang.String").implementation = function (chain, authType) { - console.log("[+] Bypassing Trustkit {3}"); + console.log(`${colorKey} --> Trustkit PinningTrustManager${COLORS.reset}`); }; console.log("[+] Trustkit PinningTrustManager"); } catch (e) { @@ -322,10 +326,10 @@ setTimeout(function () { if (MODE.TitaniumPinningTrustManager) { const colorKey = randomColor(); + const PinningTrustManager = loadJava("appcelerator.https.PinningTrustManager"); try { - const PinningTrustManager = Java.use("appcelerator.https.PinningTrustManager"); PinningTrustManager.checkServerTrusted.implementation = function (chain, authType) { - console.log("[+] Bypassing Appcelerator PinningTrustManager"); + console.log(`${colorKey} --> Titanium [PinningTrustManager]${COLORS.reset}`); }; console.log("[+] Titanium [PinningTrustManager]"); } catch (e) { @@ -335,10 +339,10 @@ setTimeout(function () { if (MODE.FabricPinningTrustManager) { const colorKey = randomColor(); + const PinningTrustManager = loadJava("io.fabric.sdk.android.services.network.PinningTrustManager"); try { - const PinningTrustManager = Java.use("io.fabric.sdk.android.services.network.PinningTrustManager"); PinningTrustManager.checkServerTrusted.implementation = function (chain, authType) { - console.log("[+] Bypassing Fabric PinningTrustManager"); + console.log(`${colorKey} --> Fabric [PinningTrustManager]${COLORS.reset}`); }; console.log("[+] Fabric [PinningTrustManager]"); } catch (e) { 
@@ -348,32 +352,32 @@ setTimeout(function () { if (MODE.ConscryptOpenSSLSocketImpl) { const colorKey = randomColor(); - const OpenSSLSocketImpl = Java.use("com.android.org.conscrypt.OpenSSLSocketImpl"); + const OpenSSLSocketImpl = loadJava("com.android.org.conscrypt.OpenSSLSocketImpl"); try { OpenSSLSocketImpl.verifyCertificateChain.implementation = function (certRefs, JavaObject, authMethod) { - console.log("[+] Bypassing OpenSSLSocketImpl Conscrypt"); + console.log(`${colorKey} --> Conscrypt [OpenSSLSocketImpl] (Refs)${COLORS.reset}`); }; - console.log("[+] Conscrypt (Refs) [OpenSSLSocketImpl]"); + console.log("[+] Conscrypt [OpenSSLSocketImpl] (Refs)"); } catch (e) { - console.log("[ ] Conscrypt (Refs) [OpenSSLSocketImpl]"); + console.log("[ ] Conscrypt [OpenSSLSocketImpl] (Refs)"); } try { OpenSSLSocketImpl.verifyCertificateChain.implementation = function (certChain, authMethod) { - console.log("[+] Bypassing OpenSSLSocketImpl Conscrypt"); + console.log(`${colorKey} --> Conscrypt [OpenSSLSocketImpl] (Chain)${COLORS.reset}`); }; - console.log("[+] Conscrypt (Chain) [OpenSSLSocketImpl]"); + console.log("[+] Conscrypt [OpenSSLSocketImpl] (Chain)"); } catch (e) { - console.log("[ ] Conscrypt (Chain) [OpenSSLSocketImpl]"); + console.log("[ ] Conscrypt [OpenSSLSocketImpl] (Chain)"); } } if (MODE.ConscryptOpenSSLEngineSocketImpl) { const colorKey = randomColor(); + const OpenSSLEngineSocketImpl = loadJava("com.android.org.conscrypt.OpenSSLEngineSocketImpl"); try { - const OpenSSLEngineSocketImpl = Java.use("com.android.org.conscrypt.OpenSSLEngineSocketImpl"); OpenSSLEngineSocketImpl.verifyCertificateChain.overload("[Ljava.lang.Long;", "java.lang.String").implementation = function (a, b) { - console.log("[+] Bypassing OpenSSLEngineSocketImpl Conscrypt: " + b); + console.log(`${colorKey} --> Conscrypt [OpenSSLEngineSocketImpl]: ${b}${COLORS.reset}`); }; console.log("[+] Conscrypt [OpenSSLEngineSocketImpl]"); } catch (e) { 
@@ -383,10 +387,10 @@ setTimeout(function () { if (MODE.ApacheOpenSSLSocketImpl) { const colorKey = randomColor(); + const OpenSSLSocketImpl = loadJava("org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl"); try { - const OpenSSLSocketImpl = Java.use("org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl"); OpenSSLSocketImpl.verifyCertificateChain.implementation = function (asn1DerEncodedCertificateChain, authMethod) { - console.log("[+] Bypassing OpenSSLSocketImpl Apache Harmony"); + console.log(`${colorKey} --> Apache [OpenSSLSocketImpl]${COLORS.reset}`); }; console.log("[+] Apache [OpenSSLSocketImpl]"); } catch (e) { @@ -396,10 +400,10 @@ setTimeout(function () { if (MODE.PhoneGapsslCertificateChecker) { const colorKey = randomColor(); + const sslCertificateChecker = loadJava("nl.xservices.plugins.sslCertificateChecker"); try { - const sslCertificateChecker = Java.use("nl.xservices.plugins.sslCertificateChecker"); sslCertificateChecker.execute.overload("java.lang.String", "org.json.JSONArray", "org.apache.cordova.CallbackContext").implementation = function (a, b, c) { - console.log("[+] Bypassing PhoneGap sslCertificateChecker: " + a); + console.log(`${colorKey} --> PhoneGap [sslCertificateChecker]: ${a}${COLORS.reset}`); return true; }; console.log("[+] PhoneGap [sslCertificateChecker]"); @@ -410,10 +414,10 @@ setTimeout(function () { if (MODE.IBMMobileFirst) { const colorKey = randomColor(); - const MobileFirst = Java.use("com.worklight.wlclient.api.WLClient"); + const MobileFirst = loadJava("com.worklight.wlclient.api.WLClient"); try { MobileFirst.getInstance().pinTrustedCertificatePublicKey.overload("java.lang.String").implementation = function (cert) { - console.log("[+] Bypassing IBM MobileFirst pinTrustedCertificatePublicKey {1}: " + cert); + console.log(`${colorKey} --> IBM [MobileFirst] (String): ${cert}${COLORS.reset}`); }; console.log("[+] IBM [MobileFirst] (String)"); } catch (e) { 
@@ -422,7 +426,7 @@ setTimeout(function () { try { MobileFirst.getInstance().pinTrustedCertificatePublicKey.overload("[Ljava.lang.String;").implementation = function (cert) { - console.log("[+] Bypassing IBM MobileFirst pinTrustedCertificatePublicKey {2}: " + cert); + console.log(`${colorKey} --> IBM [MobileFirst] (Array): ${cert}${COLORS.reset}`); }; console.log("[+] IBM [MobileFirst] (Array)"); } catch (e) { @@ -432,10 +436,10 @@ setTimeout(function () { if (MODE.IBMWorkLight) { const colorKey = randomColor(); - const WorkLight = Java.use("com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning"); + const WorkLight = loadJava("com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning"); try { WorkLight.verify.overload("java.lang.String", "javax.net.ssl.SSLSocket").implementation = function (a, b) { - console.log("[+] Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning {1}: " + a); + console.log(`${colorKey} --> IBM [WorkLight] (SSLSocket): ${a}${COLORS.reset}`); }; console.log("[+] IBM [WorkLight] (SSLSocket)"); } catch (e) { @@ -444,7 +448,7 @@ setTimeout(function () { try { WorkLight.verify.overload("java.lang.String", "java.security.cert.X509Certificate").implementation = function (a, b) { - console.log("[+] Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning {2}: " + a); + console.log(`${colorKey} --> IBM [WorkLight] (X509Certificate): ${a}${COLORS.reset}`); }; console.log("[+] IBM [WorkLight] (X509Certificate)"); } catch (e) { @@ -453,7 +457,7 @@ setTimeout(function () { try { WorkLight.verify.overload("java.lang.String", "[Ljava.lang.String;", "[Ljava.lang.String;").implementation = function (a, b) { - console.log("[+] Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning {3}: " + a); + console.log(`${colorKey} --> IBM [WorkLight] (String): ${a}${COLORS.reset}`); }; console.log("[+] IBM [WorkLight] (String)"); } catch (e) { 
@@ -462,7 +466,7 @@ setTimeout(function () { try { WorkLight.verify.overload("java.lang.String", "javax.net.ssl.SSLSession").implementation = function (a, b) { - console.log("[+] Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning {4}: " + a); + console.log(`${colorKey} --> IBM [WorkLight] (SSLSession): ${a}${COLORS.reset}`); return true; }; console.log("[+] IBM [WorkLight] (SSLSession)"); @@ -473,10 +477,10 @@ setTimeout(function () { if (MODE.ConscryptCertPinManager) { const colorKey = randomColor(); - const CertPinManager = Java.use("com.android.org.conscrypt.CertPinManager"); + const CertPinManager = loadJava("com.android.org.conscrypt.CertPinManager"); try { CertPinManager.checkChainPinning.overload("java.lang.String", "java.util.List").implementation = function (a, b) { - console.log("[+] Bypassing Conscrypt CertPinManager: " + a); + console.log(`${colorKey} --> Conscrypt [CertPinManager] (List): ${a}${COLORS.reset}`); return true; }; console.log("[+] Conscrypt [CertPinManager] (List)"); @@ -486,7 +490,7 @@ setTimeout(function () { try { CertPinManager.isChainValid.overload("java.lang.String", "java.util.List").implementation = function (a, b) { - console.log("[+] Bypassing Conscrypt CertPinManager (Legacy): " + a); + console.log(`${colorKey} --> Conscrypt [CertPinManager] (Legacy): ${a}${COLORS.reset}`); return true; }; console.log("[+] Conscrypt [CertPinManager] (Legacy)"); 
@@ -497,10 +501,10 @@ setTimeout(function () { if (MODE.NetsecurityCertPinManager) { const colorKey = randomColor(); + const CertPinManager = loadJava("com.commonsware.cwac.netsecurity.conscrypt.CertPinManager"); try { - const CertPinManager = Java.use("com.commonsware.cwac.netsecurity.conscrypt.CertPinManager"); CertPinManager.isChainValid.overload("java.lang.String", "java.util.List").implementation = function (a, b) { - console.log("[+] Bypassing CWAC-Netsecurity CertPinManager: " + a); + console.log(`${colorKey} --> Netsecurity [CertPinManager]: ${a}${COLORS.reset}`); return true; }; console.log("[+] Netsecurity [CertPinManager]"); @@ -511,10 +515,10 @@ setTimeout(function () { if (MODE.AndroidgapWorkLight) { const colorKey = randomColor(); + const Worklight = loadJava("com.worklight.androidgap.plugin.WLCertificatePinningPlugin"); try { - const Worklight = Java.use("com.worklight.androidgap.plugin.WLCertificatePinningPlugin"); Worklight.execute.overload("java.lang.String", "org.json.JSONArray", "org.apache.cordova.CallbackContext").implementation = function (a, b, c) { - console.log("[+] Bypassing Worklight Androidgap WLCertificatePinningPlugin: " + a); + console.log(`${colorKey} --> Android [WorkLight]: ${a}${COLORS.reset}`); return true; }; console.log("[+] Android [WorkLight]"); @@ -525,10 +529,10 @@ setTimeout(function () { if (MODE.NettyFingerprintTrustManagerFactory) { const colorKey = randomColor(); + const FingerprintTrustManagerFactory = loadJava("io.netty.handler.ssl.util.FingerprintTrustManagerFactory"); try { - const FingerprintTrustManagerFactory = Java.use("io.netty.handler.ssl.util.FingerprintTrustManagerFactory"); FingerprintTrustManagerFactory.checkTrusted.implementation = function (type, chain) { - console.log("[+] Bypassing Netty FingerprintTrustManagerFactory"); + console.log(`${colorKey} --> Netty [FingerprintTrustManagerFactory]${COLORS.reset}`); }; console.log("[+] Netty [FingerprintTrustManagerFactory]"); } catch (e) { 
@@ -539,10 +543,10 @@ setTimeout(function () { if (MODE.SquareupCertificatePinner) { // OkHTTP < v3 const colorKey = randomColor(); - const CertificatePinner = Java.use("com.squareup.okhttp.CertificatePinner"); + const CertificatePinner = loadJava("com.squareup.okhttp.CertificatePinner"); try { CertificatePinner.check.overload("java.lang.String", "java.security.cert.Certificate").implementation = function (a, b) { - console.log("[+] Bypassing Squareup CertificatePinner {1}: " + a); + console.log(`${colorKey} --> Squareup [CertificatePinner] (Certificate): ${a}${COLORS.reset}`); }; console.log("[+] Squareup [CertificatePinner] (Certificate)"); } catch (e) { @@ -551,7 +555,7 @@ setTimeout(function () { try { CertificatePinner.check.overload("java.lang.String", "java.util.List").implementation = function (a, b) { - console.log(" --> Bypassing Squareup CertificatePinner (list): " + a); + console.log(`${colorKey} --> Squareup [CertificatePinner] (List): ${a}${COLORS.reset}`); }; console.log("[+] Squareup [CertificatePinner] (List)"); } catch (e) { @@ -562,10 +566,10 @@ setTimeout(function () { if (MODE.SquareupOkHostnameVerifier) { // OkHTTP v3 const colorKey = randomColor(); - const OkHostnameVerifier = Java.use("com.squareup.okhttp.internal.tls.OkHostnameVerifier"); + const OkHostnameVerifier = loadJava("com.squareup.okhttp.internal.tls.OkHostnameVerifier"); try { OkHostnameVerifier.verify.overload("java.lang.String", "java.security.cert.X509Certificate").implementation = function (a, b) { - console.log("[+] Bypassing Squareup OkHostnameVerifier {1}: " + a); + console.log(`${colorKey} --> Squareup [OkHostnameVerifier] (X509Certificate): ${a}${COLORS.reset}`); return true; }; console.log("[+] Squareup [OkHostnameVerifier] (X509Certificate)"); 
@@ -575,7 +579,7 @@ setTimeout(function () { try { OkHostnameVerifier.verify.overload("java.lang.String", "javax.net.ssl.SSLSession").implementation = function (a, b) { - console.log(" --> Bypassing Squareup OkHostnameVerifier (SSLSession): " + a); + console.log(`${colorKey} --> Squareup [OkHostnameVerifier] (SSLSession): ${a}${COLORS.reset}`); return true; }; console.log("[+] Squareup [OkHostnameVerifier] (SSLSession)"); @@ -586,11 +590,11 @@ setTimeout(function () { if (MODE.AndroidWebViewClient) { const colorKey = randomColor(); - const WebViewClient = Java.use("android.webkit.WebViewClient"); + const WebViewClient = loadJava("android.webkit.WebViewClient"); try { WebViewClient.onReceivedSslError.overload("android.webkit.WebView", "android.webkit.SslErrorHandler", "android.net.http.SslError").implementation = function (obj1, obj2, obj3) { - console.log("[+] Bypassing Android WebViewClient check {1}"); + console.log(`${colorKey} --> Android [WebViewClient] (SslErrorHandler)${COLORS.reset}`); }; console.log("[+] Android [WebViewClient] (SslErrorHandler)"); } catch (e) { @@ -599,7 +603,7 @@ setTimeout(function () { try { WebViewClient.onReceivedSslError.overload("android.webkit.WebView", "android.webkit.WebResourceRequest", "android.webkit.WebResourceError").implementation = function (obj1, obj2, obj3) { - console.log("[+] Bypassing Android WebViewClient check {2}"); + console.log(`${colorKey} --> Android [WebViewClient] (SSLWebResourceError)${COLORS.reset}`); }; console.log("[+] Android [WebViewClient] (SSLWebResourceError)"); } catch (e) { @@ -608,7 +612,7 @@ setTimeout(function () { try { WebViewClient.onReceivedError.overload("android.webkit.WebView", "int", "java.lang.String", "java.lang.String").implementation = function (obj1, obj2, obj3, obj4) { - console.log("[+] Bypassing Android WebViewClient check {3}"); + console.log(`${colorKey} --> Android [WebViewClient] (String)${COLORS.reset}`); }; console.log("[+] Android [WebViewClient] (String)"); } catch (e) { 
@@ -617,7 +621,7 @@ setTimeout(function () { try { WebViewClient.onReceivedError.overload("android.webkit.WebView", "android.webkit.WebResourceRequest", "android.webkit.WebResourceError").implementation = function (obj1, obj2, obj3) { - console.log("[+] Bypassing Android WebViewClient check {4}"); + console.log(`${colorKey} --> Android [WebViewClient] (WebResourceError)${COLORS.reset}`); }; console.log("[+] Android [WebViewClient] (WebResourceError)"); } catch (e) { @@ -627,10 +631,10 @@ setTimeout(function () { if (MODE.ApacheWebViewClient) { const colorKey = randomColor(); + const CordovaWebViewClient = loadJava("org.apache.cordova.CordovaWebViewClient"); try { - const CordovaWebViewClient = Java.use("org.apache.cordova.CordovaWebViewClient"); CordovaWebViewClient.onReceivedSslError.overload("android.webkit.WebView", "android.webkit.SslErrorHandler", "android.net.http.SslError").implementation = function (obj1, obj2, obj3) { - console.log("[+] Bypassing Apache Cordova WebViewClient check"); + console.log(`${colorKey} --> Apache [WebViewClient]${COLORS.reset}`); obj3.proceed(); }; console.log("[+] Apache [WebViewClient]"); @@ -641,10 +645,10 @@ setTimeout(function () { if (MODE.BoyeAbstractVerifier) { const colorKey = randomColor(); + const AbstractVerifier = loadJava("ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier"); try { - const AbstractVerifier = Java.use("ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier"); AbstractVerifier.verify.implementation = function (host, ssl) { - console.log("[+] Bypassing Boye AbstractVerifier check: " + host); + console.log(`${colorKey} --> Boye [AbstractVerifier]: ${host}${COLORS.reset}`); }; console.log("[+] Boye [AbstractVerifier]"); } catch (e) { 
@@ -654,10 +658,10 @@ setTimeout(function () { if (MODE.ApacheAbstractVerifier) { const colorKey = randomColor(); + const AbstractVerifier = loadJava("org.apache.http.conn.ssl.AbstractVerifier"); try { - const AbstractVerifier = Java.use("org.apache.http.conn.ssl.AbstractVerifier"); AbstractVerifier.verify.implementation = function (a, b, c, d) { - console.log("[+] Bypassing Apache AbstractVerifier check: " + a); + console.log(`${colorKey} --> Apache [AbstractVerifier]: ${a}${COLORS.reset}`); }; console.log("[+] Apache [AbstractVerifier]"); } catch (e) { @@ -667,10 +671,10 @@ setTimeout(function () { if (MODE.Appmattus) { const colorKey = randomColor(); + const Transparency = loadJava("com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor"); try { - const Transparency = Java.use("com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor"); Transparency.intercept.implementation = function (a) { - console.log(" --> Bypassing Appmattus (Transparency)"); + console.log(`${colorKey} --> Appmattus [Transparency]${COLORS.reset}`); return a.proceed(a.request()); }; console.log("[+] Appmattus [Transparency]"); @@ -681,10 +685,10 @@ setTimeout(function () { if (MODE.ChromiumCronet) { const colorKey = randomColor(); - const CronetEngineBuilderImpl = Java.use("org.chromium.net.impl.CronetEngineBuilderImpl"); + const CronetEngineBuilderImpl = loadJava("org.chromium.net.impl.CronetEngineBuilderImpl"); try { CronetEngineBuilderImpl.enablePublicKeyPinningBypassForLocalTrustAnchors.overload("boolean").implementation = function (a) { - console.log("[+] Disabling Public Key pinning for local trust anchors in Chromium Cronet"); + console.log(`${colorKey} --> Chromium [CronetEngineBuilderImpl] (LocalTrustAnchors)${COLORS.reset}`); return CronetEngineBuilderImpl.enablePublicKeyPinningBypassForLocalTrustAnchors.call(this, true); }; console.log("[+] Chromium [CronetEngineBuilderImpl] (LocalTrustAnchors)"); 
@@ -694,7 +698,7 @@ setTimeout(function () { try { CronetEngineBuilderImpl.addPublicKeyPins.overload("java.lang.String", "java.util.Set", "boolean", "java.util.Date").implementation = function (hostName, pinsSha256, includeSubdomains, expirationDate) { - console.log("[+] Bypassing Chromium Cronet pinner: " + hostName); + console.log(`${colorKey} --> Chromium [CronetEngineBuilderImpl] (PublicKey): ${hostName}${COLORS.reset}`); return CronetEngineBuilderImpl.addPublicKeyPins.call(this, hostName, pinsSha256, includeSubdomains, expirationDate); }; console.log("[+] Chromium [CronetEngineBuilderImpl] (PublicKey)"); @@ -705,10 +709,11 @@ setTimeout(function () { if (MODE.Flutter) { const colorKey = randomColor(); + const HttpCertificatePinning = loadJava("diefferson.http_certificate_pinning.HttpCertificatePinning"); + const SslPinningPlugin = loadJava("com.macif.plugin.sslpinningplugin.SslPinningPlugin"); try { - const HttpCertificatePinning = Java.use("diefferson.http_certificate_pinning.HttpCertificatePinning"); HttpCertificatePinning.checkConnexion.overload("java.lang.String", "java.util.List", "java.util.Map", "int", "java.lang.String").implementation = function (a, b, c, d, e) { - console.log("[+] Bypassing Flutter HttpCertificatePinning : " + a); + console.log(`${colorKey} --> Flutter [HttpCertificatePinning]: ${a}${COLORS.reset}`); return true; }; console.log("[+] Flutter [HttpCertificatePinning]"); @@ -717,9 +722,8 @@ setTimeout(function () { } try { - const SslPinningPlugin = Java.use("com.macif.plugin.sslpinningplugin.SslPinningPlugin"); SslPinningPlugin.checkConnexion.overload("java.lang.String", "java.util.List", "java.util.Map", "int", "java.lang.String").implementation = function (a, b, c, d, e) { - console.log("[+] Bypassing Flutter SslPinningPlugin: " + a); + console.log(`${colorKey} --> Flutter [SslPinningPlugin]: ${a}${COLORS.reset}`); return true; }; console.log("[+] Flutter [SslPinningPlugin]");