// Java layer: SSL pinning bypass.
//
// Takes effect only inside the process this script is loaded into. Two
// client-side certificate checks are overridden:
//   1. Conscrypt's TrustManagerImpl.verifyChain: the replacement returns the
//      presented chain as-is and never calls the original method.
//   2. OkHttp3's CertificatePinner.check(String, List): the replacement
//      returns without comparing any pins.
// Both controls run entirely on the client, so once the process is
// instrumented neither one tells the server anything about the peer it
// is actually talking to.
Java.perform(function () {
  console.log("[+] Start SSL Pinning Bypass (Java layer)");

  // NOTE(review): this lookup sits outside the try block further down, so an
  // exception from Java.use here aborts the callback before the OkHttp3 hook
  // is reached.
  const conscryptTrustManager = Java.use("com.android.org.conscrypt.TrustManagerImpl");
  conscryptTrustManager.verifyChain.implementation = function (chain, authType, host, clientAuth, ocspData, tlsSctData) {
    // Each handshake that reaches this method is logged with its host.
    console.log("[+] TrustManagerImpl.verifyChain bypassed for host: " + host);
    return chain;
  };

  try {
    const okHttpPinner = Java.use("okhttp3.CertificatePinner");
    const checkHostAgainstList = okHttpPinner.check.overload("java.lang.String", "java.util.List");
    checkHostAgainstList.implementation = function (hostname, peerCertificates) {
      // Falling off the end returns undefined, i.e. the void method completes
      // normally instead of throwing on a pin mismatch.
      console.log("[+] OkHttp3 CertificatePinner.check() bypassed for: " + hostname);
    };
  } catch (err) {
    // NOTE(review): every exception raised in the try block ends up here, not
    // only a missing class, and the caught error itself is never printed.
    console.log("[-] OkHttp3 not found.");
  }
});
// Native layer: libssl.so bypass.
//
// Two exports of libssl.so are instrumented when present:
//   - SSL_get_verify_result is replaced by a stub that always returns 0
//     (X509_V_OK in the OpenSSL/BoringSSL API), so callers that consult the
//     stored verification result always see success.
//   - SSL_CTX_set_custom_verify has its second argument overwritten with 0
//     before the real function runs (0 is SSL_VERIFY_NONE in BoringSSL). The
//     remaining arguments are passed through untouched.
// Nothing is logged when the module or either export is missing.
setImmediate(function () {
  const sslModule = Process.findModuleByName("libssl.so");
  if (!sslModule) {
    return;
  }

  console.log("[*] libssl.so base address: " + sslModule.base);

  const verifyResultAddr = sslModule.findExportByName("SSL_get_verify_result");
  if (verifyResultAddr) {
    // NOTE(review): the stub is declared as returning 'int'; the C prototype
    // of SSL_get_verify_result returns long. Confirm this is intended on
    // 64-bit targets.
    const alwaysOkStub = new NativeCallback(function (ssl) {
      console.log("[+] SSL_get_verify_result() bypassed");
      return 0;
    }, 'int', ['pointer']);
    Interceptor.replace(verifyResultAddr, alwaysOkStub);
  }

  const customVerifyAddr = sslModule.findExportByName("SSL_CTX_set_custom_verify");
  if (customVerifyAddr) {
    Interceptor.attach(customVerifyAddr, {
      onEnter(args) {
        console.log("[+] SSL_CTX_set_custom_verify() called - force mode to 0");
        // args[1] is the verify mode, per the log message above.
        args[1] = ptr('0');
      }
    });
  }
});