Comments (7)
config.js needs to come first on the command line, although I don't think that would cause this. It defines various variables that are used in the other scripts.
Can you try setting DEBUG_MODE in config.js to true, and share the output afterwards? That should tell us exactly which hook is failing.
from frida-interception-and-unpinning.
OK this command:
> frida -U `
-f com.nbcuni.nbc `
-l config.js `
-l android/android-certificate-unpinning.js
result:
____
/ _ | Frida 16.1.4 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Android Emulator 5554 (id=emulator-5554)
Spawning `com.nbcuni.nbc`...
*** Starting scripts ***
Spawned `com.nbcuni.nbc`. Resuming main thread!
[Android Emulator 5554::com.nbcuni.nbc ]->
=== Disabling all recognized unpinning libraries ===
[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[+] com.android.org.conscrypt.CertPinManager isChainValid
[ ] com.android.org.conscrypt.CertPinManager checkChainPinning
[ ] android.security.net.config.NetworkSecurityConfig *
[+] com.android.okhttp.Address $init
[ ] okhttp3.CertificatePinner *
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
*** Scripts completed ***
=> com.android.okhttp.Address $init
Error: Address(): argument types do not match any of:
.overload('java.lang.String', 'int', 'javax.net.SocketFactory', 'javax.net.ssl.SSLSocketFactory', 'javax.net.ssl.HostnameVerifier', 'com.android.okhttp.CertificatePinner', 'com.android.okhttp.Authenticator', 'java.net.Proxy', 'java.util.List', 'java.util.List', 'java.net.ProxySelector')
at X (frida/node_modules/frida-java-bridge/lib/class-factory.js:622)
at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:1141)
at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:606)
at <anonymous> (D:\Desktop\frida-interception-and-unpinning-main\android\android-certificate-unpinning.js:170)
at apply (native)
at <anonymous> (D:\Desktop\frida-interception-and-unpinning-main\android\android-certificate-unpinning.js:435)
at apply (native)
at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:673)
at <anonymous> (frida/node_modules/frida-java-bridge/lib/class-factory.js:651)
=> com.android.okhttp.Address $init
from frida-interception-and-unpinning.
Thanks! So that's definitely happening in this hook of the built-in Android Address constructor.
I think this must be within the call to the real $init with replaced arguments, here:
frida-interception-and-unpinning/android/android-certificate-unpinning.js
Lines 163 to 170 in 05d9b8a
This assumes arguments 5 & 6 (zero-indexed) are the hostname verifier and cert pinner. If they're not, the call to $init at the end will fail, because the argument types will be wrong.
Confusingly though, that does seem to be true in the Android source, and there's only one constructor there: https://android.googlesource.com/platform/external/okhttp/+/refs/heads/main/okhttp/src/main/java/com/squareup/okhttp/Address.java#51
What Android version are you running here?
It's possible that in older OS versions, this was different. If so that's not a big problem, we'll just need to work out what differences need handling, and then update this hook to detect that.
from frida-interception-and-unpinning.
This assumes arguments 5 & 6 (zero-indexed) are the hostname verifier and cert pinner. If they're not, the call to $init at the end will fail, because the argument types will be wrong.
OK yes, with Oreo and later, that is the case:
public Address(String uriHost, int uriPort, Dns dns, SocketFactory socketFactory,
SSLSocketFactory sslSocketFactory, HostnameVerifier hostnameVerifier,
CertificatePinner certificatePinner, Authenticator authenticator, Proxy proxy,
List<Protocol> protocols, List<ConnectionSpec> connectionSpecs, ProxySelector proxySelector) {
but with Nougat and before, the signature is different:
public Address(String uriHost, int uriPort, SocketFactory socketFactory,
SSLSocketFactory sslSocketFactory, HostnameVerifier hostnameVerifier,
CertificatePinner certificatePinner, Authenticator authenticator, Proxy proxy,
List<Protocol> protocols, List<ConnectionSpec> connectionSpecs, ProxySelector proxySelector) {
however, even if I use Oreo it still doesn't work. I no longer get the Error, but it seems some pinning is still happening, because the app gets stuck on the initial load screen, and works as expected if I disable the proxy.
from frida-interception-and-unpinning.
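An added example, not part of the thread or of the project's code: it checks the hook's assumed argument positions (5 and 6) against the two constructor signatures quoted above, and shows the alternative of locating the arguments by type name. The helper names `findPositionMismatches` and `locateByType` are hypothetical, and the code is plain JavaScript that runs under Node without Frida.

```javascript
// Added example: plain JavaScript, runs under Node without Frida or a device.
// The two parameter lists are the constructor signatures quoted in the thread.
const ADDRESS_OREO_AND_LATER = [
  'String', 'int', 'Dns', 'SocketFactory', 'SSLSocketFactory', 'HostnameVerifier',
  'CertificatePinner', 'Authenticator', 'Proxy', 'List', 'List', 'ProxySelector',
];
const ADDRESS_NOUGAT_AND_OLDER = ADDRESS_OREO_AND_LATER.filter((t) => t !== 'Dns');

// The positions the original hook assumed (zero-indexed), per the thread.
const ASSUMED_POSITIONS = { HostnameVerifier: 5, CertificatePinner: 6 };

// Hypothetical helper: list every assumed position whose declared type differs.
function findPositionMismatches(paramTypes, assumed) {
  return Object.entries(assumed)
    .filter(([type, index]) => paramTypes[index] !== type)
    .map(([type, index]) => ({ index, expected: type, actual: paramTypes[index] }));
}

// Hypothetical helper: resolve each argument by type name instead of by position.
// Throws when a type is missing or appears more than once, so a hook built on
// it can be skipped for an unknown signature rather than failing at call time.
function locateByType(paramTypes, wantedTypes) {
  const positions = {};
  for (const type of wantedTypes) {
    const first = paramTypes.indexOf(type);
    if (first === -1 || first !== paramTypes.lastIndexOf(type)) {
      throw new Error(`cannot uniquely locate ${type} in (${paramTypes.join(', ')})`);
    }
    positions[type] = first;
  }
  return positions;
}
```

On the Nougat-and-older signature, position 5 holds the `CertificatePinner` and position 6 the `Authenticator`, which is why passing a hostname verifier and pinner at those positions produced the "argument types do not match" error in the log above.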
Thanks, that's useful confirmation.
I've just pushed a patch for unpinning for Nougat and older - can you check that the address patch now doesn't fail in that case for you? With debug mode enabled it should now show two lines about patching com.android.okhttp.Address, with slightly different signatures, and at least one should be applied (i.e. should show [+]) in all cases.
however, even if I use Oreo it still doesn't work. I no longer get the Error, but it seems some pinning is still happening, because the app gets stuck on the initial load screen, and works as expected if I disable the proxy.
This sounds like a separate problem, unrelated to this address issue. If you can share more info on that (any logs from that case, traces of any errors detected by the fallback script, any other clues as to what's failing) in a new issue that would be helpful.
from frida-interception-and-unpinning.
I've just pushed a patch for unpinning for Nougat and older - can you check that the address patch now doesn't fail in that case for you? With debug mode enabled it should now show two lines about patching com.android.okhttp.Address, with slightly different signatures, and at least one should be applied (i.e. should show [+]) in all cases.
____
/ _ | Frida 16.1.4 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Android Emulator 5554 (id=emulator-5554)
Spawning `com.nbcuni.nbc`...
*** Starting scripts ***
Spawned `com.nbcuni.nbc`. Resuming main thread!
[Android Emulator 5554::com.nbcuni.nbc ]->
=== Disabling all recognized unpinning libraries ===
[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[+] com.android.org.conscrypt.CertPinManager isChainValid
[ ] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init(*) (0)
[+] android.security.net.config.NetworkSecurityConfig $init(*) (1)
[ ] com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[+] com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] okhttp3.CertificatePinner *
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
*** Scripts completed ***
=> android.security.net.config.NetworkSecurityConfig $init(*) (1)
=> android.security.net.config.NetworkSecurityConfig $init(*) (0)
=> com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
=> com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
=> com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
=> com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
=> com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
=> com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
=> javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
=> javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
=> com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
=> com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
=> com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
=> javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
=> com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
=> javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
=> com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
=> com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
=> com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
=> javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
=> com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
=> com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
=> com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
=> com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
=> com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
=> com.android.org.conscrypt.CertPinManager isChainValid
This sounds like a separate problem, unrelated to this address issue. If you can share more info on that (any logs from that case, traces of any errors detected by the fallback script, any other clues as to what's failing) in a new issue that would be helpful.
will do
from frida-interception-and-unpinning.
This address issue is now resolved, so I'll close this, we can handle the rest in the other issues.
from frida-interception-and-unpinning.