/*
 * This script combines, fixes & extends a long list of other scripts, most notably including:
 *
 * - https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
 * - https://codeshare.frida.re/@avltree9798/universal-android-ssl-pinning-bypass/
 * - https://pastebin.com/TVJD63uM
 *
 * Usage note: several hooks below neutralise *setup* calls (HttpsURLConnection.set*, SSLContext.init,
 * the pinTrustedCertificatePublicKey registrations). Those can only help if the script is already in
 * place when the app builds its HTTP client, so load it at spawn (e.g. frida -U -f <package> -l <script>)
 * rather than attaching to an app that has finished initialising. Hooks that run per connection
 * (TrustManagerImpl, CertificatePinner.check, the SSLPeerUnverifiedException auto-patcher) work either way.
 */
  8.  
  9. setTimeout(function () {
  10.     Java.perform(function () {
  11.         console.log("---");
  12.         console.log("Unpinning Android app...");
  13.  
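        /// -- Generic hook to protect against SSLPeerUnverifiedException -- ///

        // In some cases, with unusual cert pinning approaches, or heavy obfuscation, we can't
        // match the real method & package names. This is a problem! Fortunately, we can still
        // always match built-in types, so here we spot all failures that use the built-in cert
        // error type (notably this includes OkHttp), and after the first failure, we dynamically
        // generate & inject a patch to completely disable the method that threw the error.
        //
        // Caveats: the patch is only installed after the first failure, so the first connection
        // that hits an unknown pinner still fails and the app has to retry it; and only the
        // frame directly above the exception constructor is patched, so a pinner that wraps the
        // check in a helper gets the helper patched, not the check itself.
        try {
            const UnverifiedCertError = Java.use('javax.net.ssl.SSLPeerUnverifiedException');
            UnverifiedCertError.$init.implementation = function (str) {
                console.log('  --> Unexpected SSL verification failure, adding dynamic patch...');

                try {
                    const stackTrace = Java.use('java.lang.Thread').currentThread().getStackTrace();
                    const exceptionStackIndex = stackTrace.findIndex(stack =>
                        stack.getClassName() === "javax.net.ssl.SSLPeerUnverifiedException"
                    );
                    // The frame just above the exception's own constructor is the method that threw.
                    // Guard the lookup: without a constructor frame the old code indexed stackTrace[0]
                    // (whatever frame happens to be on top) and would have tried to patch that.
                    const callingFunctionStack = exceptionStackIndex >= 0
                        ? stackTrace[exceptionStackIndex + 1]
                        : undefined;
                    if (callingFunctionStack === undefined) {
                        console.log('      [ ] Could not find the frame that threw; nothing patched');
                        return this.$init(str);
                    }

                    const className = callingFunctionStack.getClassName();
                    const methodName = callingFunctionStack.getMethodName();

                    console.log(`      Thrown by ${className}->${methodName}`);

                    const callingClass = Java.use(className);
                    const callingMethod = callingClass[methodName];
                    if (callingMethod === undefined) {
                        // e.g. a constructor (<init>) or a synthetic/lambda frame that the class
                        // wrapper does not expose as a plain property.
                        console.log(`      [ ] ${className}->${methodName} is not exposed by Frida; patch it manually`);
                        return this.$init(str);
                    }

                    // An overloaded name is a dispatcher: reading or assigning .implementation on it
                    // throws ("has more than one overload"), which previously landed in the catch
                    // below and silently left the method unpatched. Patch each overload instead.
                    // A single-overload wrapper reports itself via .overloads; the fallback covers a
                    // bridge version without that property.
                    const overloads = callingMethod.overloads || [callingMethod];
                    let patchedCount = 0;
                    for (const overload of overloads) {
                        if (overload.implementation) continue; // Already patched by Frida - skip it

                        console.log('      Attempting to patch automatically...');
                        const returnTypeName = overload.returnType.type;

                        overload.implementation = function () {
                            console.log(`  --> Bypassing ${className}->${methodName} (automatic exception patch)`);

                            // This is not a perfect fix! Most unknown cases like this are really just
                            // checkCert(cert) methods though, so doing nothing is perfect, and if we
                            // do need an actual return value then this is probably the best we can do,
                            // and at least we're logging the method name so you can patch it manually:

                            if (returnTypeName === 'void') {
                                return;
                            }
                            if (returnTypeName === 'boolean') {
                                // A boolean method that raised a cert error is a verify()-style
                                // predicate: null is not a boolean the bridge can marshal back, and
                                // false would just re-fail the check, so answer "verified".
                                return true;
                            }
                            return null;
                        };
                        patchedCount += 1;
                    }

                    if (patchedCount > 0) {
                        console.log(`      [+] ${className}->${methodName} (automatic exception patch)`);
                    }
                } catch (e) {
                    // Surface the reason instead of a bare failure line, so a manual patch can follow.
                    console.log('      [ ] Failed to automatically patch failure: ' + e);
                }

                // Always run the real constructor (the old "already patched" path skipped it and
                // handed the app an exception with no message).
                return this.$init(str);
            };
            console.log('[+] SSLPeerUnverifiedException auto-patcher');
        } catch (err) {
            console.log('[ ] SSLPeerUnverifiedException auto-patcher');
        }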
  72.  
  73.         /// -- Specific targeted hooks: -- ///
  74.  
        // HttpsURLConnection
        // An app that pins through this API does so by installing its own HostnameVerifier or
        // SSLSocketFactory. Each of those setters becomes a logging no-op, so the app-supplied
        // verifier/factory is never installed and the platform defaults stay in effect.
        for (const setterName of ['setDefaultHostnameVerifier', 'setSSLSocketFactory', 'setHostnameVerifier']) {
            try {
                const HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection");
                HttpsURLConnection[setterName].implementation = function () {
                    console.log('  --> Bypassing HttpsURLConnection (' + setterName + ')');
                    // Deliberately not calling the original setter.
                };
                console.log('[+] HttpsURLConnection (' + setterName + ')');
            } catch (err) {
                console.log('[ ] HttpsURLConnection (' + setterName + ')');
            }
        }
  106.  
        // SSLContext
        // Whatever TrustManager[] the app hands to SSLContext.init() is swapped for one that
        // accepts every chain, so a custom pinning TrustManager never takes part in the handshake.
        // The original author scopes this to Android < 7 (later releases are covered by the
        // TrustManagerImpl hook below).
        try {
            const X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
            const SSLContext = Java.use('javax.net.ssl.SSLContext');

            // A permissive X509TrustManager: neither check*Trusted method ever throws.
            const PermissiveTrustManager = Java.registerClass({
                name: 'dev.asd.test.TrustManager',
                implements: [X509TrustManager],
                methods: {
                    checkClientTrusted(chain, authType) { },
                    checkServerTrusted(chain, authType) { },
                    getAcceptedIssuers() { return []; }
                }
            });
            const permissiveManagers = [PermissiveTrustManager.$new()];

            const initOverload = SSLContext.init.overload(
                '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom'
            );
            initOverload.implementation = function (keyManager, trustManager, secureRandom) {
                console.log('  --> Bypassing Trustmanager (Android < 7) request');
                // Key managers and the RNG pass through untouched; only the trust managers change.
                initOverload.call(this, keyManager, permissiveManagers, secureRandom);
            };
            console.log('[+] SSLContext');
        } catch (err) {
            console.log('[ ] SSLContext');
        }
  140.  
        // TrustManagerImpl (Android > 7)
        // Conscrypt's platform trust manager. Per the original author this is the hook that
        // defeats the most common case, network-security-config pinning: checkTrustedRecursive
        // is made to return an empty list and verifyChain hands the presented chain straight
        // back, as if it had validated.
        try {
            const ArrayList = Java.use("java.util.ArrayList");
            const TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');

            TrustManagerImpl.checkTrustedRecursive.implementation = function () {
                console.log('  --> Bypassing TrustManagerImpl checkTrusted ');
                return ArrayList.$new();
            };

            TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
                console.log('  --> Bypassing TrustManagerImpl verifyChain: ' + host);
                return untrustedChain;
            };
            console.log('[+] TrustManagerImpl');
        } catch (err) {
            console.log('[ ] TrustManagerImpl');
        }
  160.  
        // OkHTTPv3 (quadruple bypass)
        // okhttp3.CertificatePinner.check() is where a pin mismatch is raised; every known
        // overload is replaced with a logging no-op so the connection proceeds regardless.
        const okhttp3CheckOverloads = [
            { args: ['java.lang.String', 'java.util.List'], label: 'list' },
            // Some older apps ship an OkHttp build with this single-certificate variant.
            { args: ['java.lang.String', 'java.security.cert.Certificate'], label: 'cert' },
            { args: ['java.lang.String', '[Ljava.security.cert.Certificate;'], label: 'cert array' }
        ];
        for (const { args, label } of okhttp3CheckOverloads) {
            try {
                const CertificatePinner = Java.use('okhttp3.CertificatePinner');
                CertificatePinner.check.overload(...args).implementation = function (hostname) {
                    console.log('  --> Bypassing OkHTTPv3 (' + label + '): ' + hostname);
                };
                console.log('[+] OkHTTPv3 (' + label + ')');
            } catch (err) {
                console.log('[ ] OkHTTPv3 (' + label + ')');
            }
        }
        try {
            // check$okhttp (presumably the Kotlin-mangled internal entry point of newer OkHttp
            // builds) is addressed by its literal property name; no overload selection needed.
            const CertificatePinner = Java.use('okhttp3.CertificatePinner');
            CertificatePinner['check$okhttp'].implementation = function (hostname) {
                console.log('  --> Bypassing OkHTTPv3 ($okhttp): ' + hostname);
            };
            console.log('[+] OkHTTPv3 ($okhttp)');
        } catch (err) {
            console.log('[ ] OkHTTPv3 ($okhttp)');
        }
  207.  
        // Trustkit (triple bypass)
        // Both OkHostnameVerifier.verify overloads are forced to report a match, and the
        // PinningTrustManager's server check returns without throwing.
        const trustkitVerifyOverloads = [
            { args: ['java.lang.String', 'javax.net.ssl.SSLSession'], label: 'SSLSession' },
            { args: ['java.lang.String', 'java.security.cert.X509Certificate'], label: 'cert' }
        ];
        for (const { args, label } of trustkitVerifyOverloads) {
            try {
                const OkHostnameVerifier = Java.use('com.datatheorem.android.trustkit.pinning.OkHostnameVerifier');
                OkHostnameVerifier.verify.overload(...args).implementation = function (hostname) {
                    console.log('  --> Bypassing Trustkit OkHostnameVerifier(' + label + '): ' + hostname);
                    return true;
                };
                console.log('[+] Trustkit OkHostnameVerifier(' + label + ')');
            } catch (err) {
                console.log('[ ] Trustkit OkHostnameVerifier(' + label + ')');
            }
        }
        try {
            const TrustkitPinningTrustManager = Java.use('com.datatheorem.android.trustkit.pinning.PinningTrustManager');
            TrustkitPinningTrustManager.checkServerTrusted.implementation = function () {
                console.log('  --> Bypassing Trustkit PinningTrustManager');
            };
            console.log('[+] Trustkit PinningTrustManager');
        } catch (err) {
            console.log('[ ] Trustkit PinningTrustManager');
        }

        // Appcelerator Titanium
        // Same shape as the Trustkit trust manager: checkServerTrusted simply stops throwing.
        try {
            const AppceleratorPinningTrustManager = Java.use('appcelerator.https.PinningTrustManager');
            AppceleratorPinningTrustManager.checkServerTrusted.implementation = function () {
                console.log('  --> Bypassing Appcelerator PinningTrustManager');
            };
            console.log('[+] Appcelerator PinningTrustManager');
        } catch (err) {
            console.log('[ ] Appcelerator PinningTrustManager');
        }
  252.  
        // OpenSSLSocketImpl Conscrypt
        // Socket-layer chain checks: verifyCertificateChain() in each socket implementation
        // is turned into a logging no-op so the handshake completes with any chain.
        try {
            const ConscryptSocketImpl = Java.use('com.android.org.conscrypt.OpenSSLSocketImpl');
            ConscryptSocketImpl.verifyCertificateChain.implementation = function () {
                console.log('  --> Bypassing OpenSSLSocketImpl Conscrypt');
            };
            console.log('[+] OpenSSLSocketImpl Conscrypt');
        } catch (err) {
            console.log('[ ] OpenSSLSocketImpl Conscrypt');
        }

        // OpenSSLEngineSocketImpl Conscrypt
        try {
            const ConscryptEngineSocketImpl = Java.use('com.android.org.conscrypt.OpenSSLEngineSocketImpl');
            const verifyOverload = ConscryptEngineSocketImpl.verifyCertificateChain.overload('[Ljava.lang.Long;', 'java.lang.String');
            verifyOverload.implementation = function (certRefs, authMethod) {
                console.log('  --> Bypassing OpenSSLEngineSocketImpl Conscrypt: ' + authMethod);
            };
            console.log('[+] OpenSSLEngineSocketImpl Conscrypt');
        } catch (err) {
            console.log('[ ] OpenSSLEngineSocketImpl Conscrypt');
        }

        // OpenSSLSocketImpl Apache Harmony
        try {
            const HarmonySocketImpl = Java.use('org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl');
            HarmonySocketImpl.verifyCertificateChain.implementation = function () {
                console.log('  --> Bypassing OpenSSLSocketImpl Apache Harmony');
            };
            console.log('[+] OpenSSLSocketImpl Apache Harmony');
        } catch (err) {
            console.log('[ ] OpenSSLSocketImpl Apache Harmony');
        }
  285.  
        // PhoneGap sslCertificateChecker (https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin)
        // execute() is the Cordova plugin entry point. Returning true claims the action was
        // handled without ever running the plugin's own check (the JS-side callback is then
        // never invoked — verify the app tolerates that before relying on this hook).
        try {
            const SslCertificateChecker = Java.use('nl.xservices.plugins.sslCertificateChecker');
            const executeOverload = SslCertificateChecker.execute.overload(
                'java.lang.String', 'org.json.JSONArray', 'org.apache.cordova.CallbackContext'
            );
            executeOverload.implementation = function (action) {
                console.log('  --> Bypassing PhoneGap sslCertificateChecker: ' + action);
                return true;
            };
            console.log('[+] PhoneGap sslCertificateChecker');
        } catch (err) {
            console.log('[ ] PhoneGap sslCertificateChecker');
        }
  297.  
        // IBM MobileFirst pinTrustedCertificatePublicKey (double bypass)
        // Both pin-registration overloads are dropped, so the client never records a pin
        // to enforce. The method is reached through the WLClient singleton, as in the
        // original (so this only works once the app has created that instance).
        const mobileFirstPinOverloads = [
            { arg: 'java.lang.String', label: 'string' },
            { arg: '[Ljava.lang.String;', label: 'string array' }
        ];
        for (const { arg, label } of mobileFirstPinOverloads) {
            try {
                const WLClient = Java.use('com.worklight.wlclient.api.WLClient');
                WLClient.getInstance().pinTrustedCertificatePublicKey.overload(arg).implementation = function (cert) {
                    console.log('  --> Bypassing IBM MobileFirst pinTrustedCertificatePublicKey (' + label + '): ' + cert);
                };
                console.log('[+] IBM MobileFirst pinTrustedCertificatePublicKey (' + label + ')');
            } catch (err) {
                console.log('[ ] IBM MobileFirst pinTrustedCertificatePublicKey (' + label + ')');
            }
        }
  321.  
        // IBM WorkLight (ancestor of MobileFirst) HostNameVerifierWithCertificatePinning (quadruple bypass)
        // The void verify() forms are emptied so they stop throwing; the SSLSession form (the
        // javax HostnameVerifier contract, which returns boolean) reports a match.
        const worklightVerifyOverloads = [
            { args: ['java.lang.String', 'javax.net.ssl.SSLSocket'], label: 'SSLSocket', result: undefined },
            { args: ['java.lang.String', 'java.security.cert.X509Certificate'], label: 'cert', result: undefined },
            { args: ['java.lang.String', '[Ljava.lang.String;', '[Ljava.lang.String;'], label: 'string string', result: undefined },
            { args: ['java.lang.String', 'javax.net.ssl.SSLSession'], label: 'SSLSession', result: true }
        ];
        for (const { args, label, result } of worklightVerifyOverloads) {
            try {
                const PinningHostNameVerifier = Java.use('com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning');
                PinningHostNameVerifier.verify.overload(...args).implementation = function (hostname) {
                    console.log('  --> Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning (' + label + '): ' + hostname);
                    return result;
                };
                console.log('[+] IBM WorkLight HostNameVerifierWithCertificatePinning (' + label + ')');
            } catch (err) {
                console.log('[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (' + label + ')');
            }
        }
  367.  
        // Conscrypt CertPinManager
        // Two packagings of the same pin manager; isChainValid() is made to answer true for
        // any host/chain pair.
        const certPinManagerVariants = [
            { className: 'com.android.org.conscrypt.CertPinManager', label: 'Conscrypt CertPinManager' },
            // CWAC-Netsecurity (unofficial back-port pinner for Android<4.2) CertPinManager
            { className: 'com.commonsware.cwac.netsecurity.conscrypt.CertPinManager', label: 'CWAC-Netsecurity CertPinManager' }
        ];
        for (const { className, label } of certPinManagerVariants) {
            try {
                const CertPinManager = Java.use(className);
                CertPinManager.isChainValid.overload('java.lang.String', 'java.util.List').implementation = function (hostname) {
                    console.log('  --> Bypassing ' + label + ': ' + hostname);
                    return true;
                };
                console.log('[+] ' + label);
            } catch (err) {
                console.log('[ ] ' + label);
            }
        }
  391.  
        // Worklight Androidgap WLCertificatePinningPlugin
        // Cordova plugin entry point; answering true claims the action was handled without
        // running the plugin's own pin check.
        try {
            const WLCertificatePinningPlugin = Java.use('com.worklight.androidgap.plugin.WLCertificatePinningPlugin');
            const executeOverload = WLCertificatePinningPlugin.execute.overload(
                'java.lang.String', 'org.json.JSONArray', 'org.apache.cordova.CallbackContext'
            );
            executeOverload.implementation = function (action) {
                console.log('  --> Bypassing Worklight Androidgap WLCertificatePinningPlugin: ' + action);
                return true;
            };
            console.log('[+] Worklight Androidgap WLCertificatePinningPlugin');
        } catch (err) {
            console.log('[ ] Worklight Androidgap WLCertificatePinningPlugin');
        }
  403.  
        // Netty FingerprintTrustManagerFactory
        // checkTrusted() (presumably where the fingerprint comparison happens) is emptied so
        // any chain passes.
        try {
            const FingerprintTrustManagerFactory = Java.use('io.netty.handler.ssl.util.FingerprintTrustManagerFactory');
            FingerprintTrustManagerFactory.checkTrusted.implementation = function (type, chain) {
                console.log('  --> Bypassing Netty FingerprintTrustManagerFactory');
            };
            console.log('[+] Netty FingerprintTrustManagerFactory');
        } catch (err) {
            console.log('[ ] Netty FingerprintTrustManagerFactory');
        }
  414.  
        // Squareup CertificatePinner [OkHTTP<v3] (double bypass)
        // com.squareup.okhttp is the pre-okhttp3 package; check() gets the same no-op treatment.
        const squareupCheckOverloads = [
            { args: ['java.lang.String', 'java.security.cert.Certificate'], label: 'cert' },
            { args: ['java.lang.String', 'java.util.List'], label: 'list' }
        ];
        for (const { args, label } of squareupCheckOverloads) {
            try {
                const SquareupCertificatePinner = Java.use('com.squareup.okhttp.CertificatePinner');
                SquareupCertificatePinner.check.overload(...args).implementation = function (hostname) {
                    console.log('  --> Bypassing Squareup CertificatePinner (' + label + '): ' + hostname);
                };
                console.log('[+] Squareup CertificatePinner (' + label + ')');
            } catch (err) {
                console.log('[ ] Squareup CertificatePinner (' + label + ')');
            }
        }

        // Squareup OkHostnameVerifier [OkHTTP<v3] (double bypass)
        // Both verify() overloads report a hostname match.
        const squareupVerifyOverloads = [
            { args: ['java.lang.String', 'java.security.cert.X509Certificate'], label: 'cert' },
            { args: ['java.lang.String', 'javax.net.ssl.SSLSession'], label: 'SSLSession' }
        ];
        for (const { args, label } of squareupVerifyOverloads) {
            try {
                const SquareupOkHostnameVerifier = Java.use('com.squareup.okhttp.internal.tls.OkHostnameVerifier');
                SquareupOkHostnameVerifier.verify.overload(...args).implementation = function (hostname) {
                    console.log('  --> Bypassing Squareup OkHostnameVerifier (' + label + '): ' + hostname);
                    return true;
                };
                console.log('[+] Squareup OkHostnameVerifier (' + label + ')');
            } catch (err) {
                console.log('[ ] Squareup OkHostnameVerifier (' + label + ')');
            }
        }
  462.  
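        // Android WebViewClient (double bypass)
        // onReceivedSslError must answer its SslErrorHandler: proceed() accepts the connection,
        // cancel() (the framework default) aborts it, and answering neither leaves the page load
        // hanging. The previous no-op hook therefore stalled WebView loads rather than bypassing
        // the error; calling proceed() is what actually lets the intercepted page through.
        //
        // NOTE(review): this patches android.webkit.WebViewClient itself. An app subclass that
        // overrides onReceivedSslError is not affected by a base-class hook and needs its own
        // hook (the exception auto-patcher above does not help here either, as WebView reports
        // the error through this callback rather than by throwing).
        try {
            // Bypass WebViewClient {1}
            const WebViewClient = Java.use('android.webkit.WebViewClient');
            WebViewClient.onReceivedSslError.overload('android.webkit.WebView', 'android.webkit.SslErrorHandler', 'android.net.http.SslError').implementation = function (view, handler, error) {
                console.log('  --> Bypassing Android WebViewClient (SslErrorHandler)');
                handler.proceed();
            };
            console.log('[+] Android WebViewClient (SslErrorHandler)');
        } catch (err) {
            console.log('[ ] Android WebViewClient (SslErrorHandler)');
        }
        try {
            // Bypass WebViewClient {2}
            // NOTE(review): (WebView, WebResourceRequest, WebResourceError) is the signature of
            // onReceivedError, not onReceivedSslError, so on a stock WebViewClient this overload
            // lookup is expected to fail and log "[ ]". Kept so the startup log stays comparable;
            // drop it if the target never resolves it.
            const WebViewClient = Java.use('android.webkit.WebViewClient');
            WebViewClient.onReceivedSslError.overload('android.webkit.WebView', 'android.webkit.WebResourceRequest', 'android.webkit.WebResourceError').implementation = function () {
                console.log('  --> Bypassing Android WebViewClient (WebResourceError)');
            };
            console.log('[+] Android WebViewClient (WebResourceError)');
        } catch (err) {
            console.log('[ ] Android WebViewClient (WebResourceError)');
        }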
  484.  
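        // Apache Cordova WebViewClient
        // Same contract as the stock WebViewClient: the SslErrorHandler (2nd argument of the
        // overload hooked below) must be told to proceed(). The previous code called proceed()
        // on the 3rd argument, the SslError, which has no such method, so the hook threw on
        // every SSL error instead of bypassing it.
        try {
            const CordovaWebViewClient = Java.use('org.apache.cordova.CordovaWebViewClient');
            CordovaWebViewClient.onReceivedSslError.overload('android.webkit.WebView', 'android.webkit.SslErrorHandler', 'android.net.http.SslError').implementation = function (view, handler, error) {
                console.log('  --> Bypassing Apache Cordova WebViewClient');
                handler.proceed();
            };
            // Report success like every other hook so the startup log is complete.
            console.log('[+] Apache Cordova WebViewClient');
        } catch (err) {
            console.log('[ ] Apache Cordova WebViewClient');
        }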
  495.  
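        // Boye AbstractVerifier (ch.boye.httpclientandroidlib is a repackaged Apache HttpClient)
        // If verify() has several overloads on this class — as it does on upstream HttpClient's
        // AbstractVerifier — Frida refuses to assign .implementation on the overloaded name
        // without choosing one, so the previous single assignment would throw and the hook was
        // never installed. Patch every overload instead: the boolean-returning HostnameVerifier
        // form answers "match", the void forms simply stop throwing.
        try {
            const AbstractVerifier = Java.use('ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier');
            const verifyOverloads = AbstractVerifier.verify.overloads || [AbstractVerifier.verify];
            let hookedCount = 0;
            for (const overload of verifyOverloads) {
                try {
                    const returnsBoolean = overload.returnType.type === 'boolean';
                    overload.implementation = function (host) {
                        console.log('  --> Bypassing Boye AbstractVerifier: ' + host);
                        if (returnsBoolean) {
                            return true;
                        }
                    };
                    hookedCount += 1;
                } catch (overloadErr) {
                    // e.g. an abstract overload with no body to patch; carry on with the rest.
                    console.log('    [ ] Boye AbstractVerifier: skipped one verify() overload: ' + overloadErr);
                }
            }
            // Report like every other hook so the startup log is complete.
            console.log((hookedCount > 0 ? '[+] ' : '[ ] ') + 'Boye AbstractVerifier');
        } catch (err) {
            console.log('[ ] Boye AbstractVerifier');
        }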
  505.  
        // Appmattus
        // Certificate-transparency OkHttp interceptor: replaced by a pass-through that forwards
        // the request down the chain, so the SCT check never runs.
        try {
            const CertificateTransparencyInterceptor = Java.use('com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor');
            CertificateTransparencyInterceptor.intercept.implementation = function (chain) {
                console.log('  --> Bypassing Appmattus (Transparency)');
                return chain.proceed(chain.request());
            };
            console.log('[+] Appmattus (Transparency)');
        } catch (err) {
            console.log('[ ] Appmattus (Transparency)');
        }
  517.  
  518.         console.log("Unpinning setup completed");
  519.         console.log("---");
  520.     });
  521.  
  522. }, 0);
  523.  
  524. /*
  525. Java.perform(function () {
  526.         var foy = Java.use('f8');
  527.         foy.invoke.overload('java.lang.Object', 'java.lang.Object').implementation = function(a) {
  528.         console.log(a);
  529.     return this.invoke(a);
  530.     }
  531.     })
  532. */
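// Cipher mode constants. The values match javax.crypto.Cipher.ENCRYPT_MODE (1) and
// DECRYPT_MODE (2); nothing on this page reads them — presumably a Cipher hook that lives
// elsewhere does. Declared as const (they were `var`s without semicolons).
const N_ENCRYPT_MODE = 1;
const N_DECRYPT_MODE = 2;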
  535.  
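/**
 * Print the current Java stack (as seen from the calling thread) to the console.
 *
 * Captures the trace by constructing a throwaway java.lang.Exception, then prints one
 * line per frame, skipping frames whose text contains 'Native' (JNI trampolines that only
 * add noise). The frame loop was previously commented out, which left the function printing
 * an empty banner; it is restored here. Must be called from inside Java.perform().
 */
function showStacks() {
    const Exception = Java.use("java.lang.Exception");
    const probe = Exception.$new("Exception");
    const frames = probe.getStackTrace();

    // `== null` deliberately matches both null and undefined.
    if (frames == null) {
        return;
    }

    console.log("============================= Stack start=======================");
    console.log("");

    for (const frame of frames) {
        const line = "   " + frame.toString();
        if (!line.includes('Native')) {
            console.log(line);
        }
    }

    console.log("");
    console.log("============================= Stack end=======================\r\n");
    Exception.$dispose();
}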
  559.  