Eltion / Instagram-SSL-Pinning-Bypass

Bypass Instagram SSL pinning on Android devices.
GNU General Public License v3.0

[BUG] ZAProxy shows no requests logs using Frida SSL bypass script on Instagram v320 #59

Open RigDillinger opened 9 months ago

RigDillinger commented 9 months ago

Describe the bug
Bypass script does not work on the new Instagram release 320-0-0-42-101. No logs come from the Instagram app to ZAProxy. Logging in to Instagram is not successful either. See screenshots.

Method: Frida

App info:

Device info:

Proxy tool: ZAProxy 2.14.0

Logs: (screenshots attached)

Additional context: I attempted a simple debug (screenshot attached).

I can see these logs just fine on Instagram v319 as well as requests in ZAProxy and able to log in to Instagram successfully. Please, have a look.

trxyazilimedu commented 8 months ago

(screenshots attached) I use a Samsung Galaxy A50 and Burp Suite, and I have the same error.

evgen-dev commented 8 months ago

For me, https://github.com/httptoolkit/frida-interception-and-unpinning/ works. But first you need to add proxygen SSL verification interception (method _ZN8proxygen15SSLVerification17v... in libliger.so) to native-tls-hook.js. And add the mitm (or the proxy you use) cert to the config.js file.

MaksZ25 commented 8 months ago

@evgen-dev Can you please provide or help with this? Tried to add it to native-tls-hook.js but haven't made progress.

ultrafragile commented 8 months ago

@RigDillinger @MaksZ25 @evgen-dev did you find a solution?

evgen-dev commented 8 months ago

Hi @MaksZ25 Created a fork and made the necessary changes. And created a pull request. https://github.com/evgen-dev/frida-interception-and-unpinning

MaksZ25 commented 8 months ago

> Hi @MaksZ25 Created a fork and made the necessary changes. And created a pull request. https://github.com/evgen-dev/frida-interception-and-unpinning

Oh. I just tried the same code too but without progress. Will check tonight again. Can you please provide your tg username?

evgen-dev commented 8 months ago

> Hi @MaksZ25 Created a fork and made the necessary changes. And created a pull request. https://github.com/evgen-dev/frida-interception-and-unpinning

> Oh. I just tried the same code too but without progress. Will check tonight again. Can you please provide your tg username?

This code still works for me. But it works only on a cold start (clear all app data and then launch the app).

ultrafragile commented 8 months ago

> Hi @MaksZ25 Created a fork and made the necessary changes. And created a pull request. https://github.com/evgen-dev/frida-interception-and-unpinning

> Oh. I just tried the same code too but without progress. Will check tonight again. Can you please provide your tg username?

What is your Telegram username? Maybe we can troubleshoot together too @MaksZ25

evgen-dev commented 8 months ago

@ultrafragile Have you replaced these values with yours? (screenshot of config.js attached)

MaksZ25 commented 8 months ago

@evgen-dev It doesn't work anymore. In debug I see unix:stream connections being ignored. All config.js settings are correct because it works for the httptoolkit demo app.

    Manually intercepting connection to [2a:3:28:80:f0:45:0:10:fa:ce:b0:c:0:0:0:3]:443
    Ignoring unix:stream connection
    Ignoring unix:stream connection
    Connected tcp6 fd 161 to {"ip":"::ffff:192.168.88.252","port":9999} (-1)
    Manually intercepting connection to [2a:3:28:80:f0:45:0:10:fa:ce:b0:c:0:0:0:3]:443
    Ignoring unix:stream connection
    Ignoring unix:stream connection
    Connected tcp6 fd 162 to null (-1)
    OnEnter: args: /data/data/com.instagram.android/lib-compressed/libcryptopub.so

MaksZ25 commented 7 months ago

@evgen-dev @ultrafragile

teo724 commented 7 months ago

Unpinning works without any problem for me.

shadowc0de commented 7 months ago

> @ultrafragile Have you replaced these values with yours? (screenshot of config.js attached)

(screenshot attached) May I know what command you used? It still doesn't capture any request, anyone?

mdc-git commented 7 months ago

@evgen-dev

Thank you for your efforts. It works a bit for me. I can scroll through my profile page fine, but the search doesn't work and clicking on other profiles doesn't work either. I'm getting messages like this in frida shell:

 !!! --- Unexpected TLS failure --- !!!
      SSLPeerUnverifiedException: java.security.cert.CertificateException: Didn't find a trust anchor in chain cleanup!
      Thrown by X.176->A00
      [ ] Unrecognized TLS error - this must be patched manually

 !!! --- Unexpected TLS failure --- !!!
      CertificateException: Didn't find a trust anchor in chain cleanup!
      Thrown by X.0Mg->A00
      [ ] Unrecognized TLS error - this must be patched manually

Every time I use the non-working parts, mitmproxy tells me: the client doesn't trust the proxy's certificate for gateway.instagram.com and edge-mqtt.facebook.com. It catches the requests from i.instagram.com, though.

Command I used:

frida -U \
    -l ./config.js \
    -l ./native-connect-hook.js \
    -l ./native-tls-hook.js \
    -l ./android/android-proxy-override.js \
    -l ./android/android-system-certificate-injection.js \
    -l ./android/android-certificate-unpinning.js \
    -l ./android/android-certificate-unpinning-fallback.js \
    -f com.instagram.android

It also doesn't seem to refresh my profile page with new content.