// Java层 SSL Pinning绕过
Java.perform(function () {
    console.log("[+] Start SSL Pinning Bypass (Java layer)");

    var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl");
    TrustManagerImpl.verifyChain.implementation = function (chain, authType, host, clientAuth, ocspData, tlsSctData) {
        console.log("[+] TrustManagerImpl.verifyChain bypassed for host: " + host);
        return chain;
    };

    try {
        var CertificatePinner = Java.use("okhttp3.CertificatePinner");
        CertificatePinner.check.overload("java.lang.String", "java.util.List").implementation = function (str, list) {
            console.log("[+] OkHttp3 CertificatePinner.check() bypassed for: " + str);
            return;
        };
    } catch (e) {
        console.log("[-] OkHttp3 not found.");
    }
});

// Native层 libssl.so绕过
setImmediate(function() {
    var libssl = Process.findModuleByName("libssl.so");
    if (libssl) {
        console.log("[*] libssl.so base address: " + libssl.base);

        var SSL_get_verify_result = libssl.findExportByName("SSL_get_verify_result");
        if (SSL_get_verify_result) {
            Interceptor.replace(SSL_get_verify_result, new NativeCallback(function (ssl) {
                console.log("[+] SSL_get_verify_result() bypassed");
                return 0;
            }, 'int', ['pointer']));
        }

        var SSL_CTX_set_custom_verify = libssl.findExportByName("SSL_CTX_set_custom_verify");
        if (SSL_CTX_set_custom_verify) {
            Interceptor.attach(SSL_CTX_set_custom_verify, {
                onEnter: function (args) {
                    console.log("[+] SSL_CTX_set_custom_verify() called - force mode to 0");
                    args[1] = ptr('0');
                }
            });
        }
    }
});