Eltion / Facebook-SSL-Pinning-Bypass

Bypass Facebook SSL pinning on Android devices.
GNU General Public License v3.0

Failed tp hook function: X509_verify_cert #2

Closed sydo26 closed 2 years ago

sydo26 commented 2 years ago

Bug description

sydo26 in ~
❯ frida -U -l .\OneDrive\Documentos\bypass.js -f com.facebook.katana --no-pause
     ____
    / _  |   Frida 15.1.27 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawning `com.facebook.katana`...
[*][*] Waiting for library...
Spawned `com.facebook.katana`. Resuming main thread!
[Android Emulator 5554::com.facebook.katana ]-> [*][*] Found libcoldstart.so at: 0xb4a8e000
[*][*] Hooked function: _ZN8proxygen15SSLVerification17verifyWithMetricsEbP17x509_store_ctx_stRKNSt6__ndk212basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEPNS0_31SSLFailureVerificationCallbacksEPNS0_31SSLSuccessVerificationCallbacksERKNS_15TimeUtilGenericINS3_6chrono12steady_clockEEERNS_10TraceEventE
[*][*] Failed tp hook function: X509_verify_cert
Error: libcoldstart.so: unable to find export 'X509_verify_cert'

How to reproduce

Create virtual device with Android Studio with these settings:

image

Start emulator in terminal:

> emulator -avd Pixel_4_XL_API_30 -writable-system

Root with adb:

> adb root
> adb shell avbctl disable-verification
> adb disable-verity
> adb reboot
> adb root
> adb remount

Start frida server in device:

> adb push ./frida-server /data/local/tmp
> adb shell "chmod 755 /data/local/tmp/frida-server"
> adb shell "/data/local/tmp/frida-server &"
> adb forward tcp:27042 tcp:27042
> adb forward tcp:27043 tcp:27043
> frida-ps -R

Install patched facebook:

> adb install .\facebook-v373.0.0.31.112-x86.apk

Start facebook for the first time.

And finally, start the bypass:

> frida -U -l ./bypass.js -f com.facebook.katana --no-pause

Environment & setup

sydo26 commented 2 years ago

image

Eltion commented 2 years ago

Interesting. For me the function is getting hooked.

 frida -U -l .\facebook-ssl-pinning-bypass.js -f com.facebook.katana --no-pause
     ____
    / _  |   Frida 15.1.22 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to SM-G973N (id=127.0.0.1:62001)
Spawning `com.facebook.katana`...
[*][*] Waiting for library...
Spawned `com.facebook.katana`. Resuming main thread!
[SM-G973N::com.facebook.katana ]->
[SM-G973N::com.facebook.katana ]-> [*][*] Found libcoldstart.so at: 0xb2061000
[*][*] Hooked function: _ZN8proxygen15SSLVerification17verifyWithMetricsEbP17x509_store_ctx_stRKNSt6__ndk212basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEPNS0_31SSLFailureVerificationCallbacksEPNS0_31SSLSuccessVerificationCallbacksERKNS_15TimeUtilGenericINS3_6chrono12steady_clockEEERNS_10TraceEventE
[*][*] Hooked function: X509_verify_cert

Also you don't need to use frida if you have installed the patched APK. You should be able to inspect the traffic without frida.

sydo26 commented 2 years ago

Interesting. For me the function is getting hooked.

 frida -U -l .\facebook-ssl-pinning-bypass.js -f com.facebook.katana --no-pause
     ____
    / _  |   Frida 15.1.22 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to SM-G973N (id=127.0.0.1:62001)
Spawning `com.facebook.katana`...
[*][*] Waiting for library...
Spawned `com.facebook.katana`. Resuming main thread!
[SM-G973N::com.facebook.katana ]->
[SM-G973N::com.facebook.katana ]-> [*][*] Found libcoldstart.so at: 0xb2061000
[*][*] Hooked function: _ZN8proxygen15SSLVerification17verifyWithMetricsEbP17x509_store_ctx_stRKNSt6__ndk212basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEPNS0_31SSLFailureVerificationCallbacksEPNS0_31SSLSuccessVerificationCallbacksERKNS_15TimeUtilGenericINS3_6chrono12steady_clockEEERNS_10TraceEventE
[*][*] Hooked function: X509_verify_cert

Also you don't need to use frida if you have installed the patched APK. You should be able to inspect the traffic without frida.

Can you tell me the exact version of the facebook apk that you used in this test only with frida?

sydo26 commented 2 years ago

And I'm sorry for the question, but can you tell me if it's possible to read this information?

image

LPeng111 commented 2 years ago

Have you ever encountered this problem? image

DerLomo commented 1 year ago

And I'm sorry for the question, but can you tell me if it's possible to read this information?

image

Did you find any solution for this?