GoSecure / frida-xamarin-unpin

A Frida script to bypass Xamarin certificate pinning implementations
https://www.gosecure.net/blog/2020/04/06/bypassing-xamarin-certificate-pinning-on-android/

ServerCertificateValidationCallback hook not working #6

Open achmstein opened 4 years ago

achmstein commented 4 years ago

Hello, I tried to test ServicePointManager hooking but it never worked.

I'm trying to set ServerCertificateValidationCallback to NULL but I cannot do that. How can I achieve that?

    _fridaMonoApi.MonoApiHelper.RuntimeInvoke(
        setter,
        /*instance=*/ NULL,
        /*pArgs=*/ _fridaMonoApi.MonoApiHelper.ObjectNew(kCb)); // TODO: pArgs?

It always fails.

alxbl commented 4 years ago

Do you have a Mono app that uses ServicePoint.ServerCertificateValidationCallback? AFAIK this class is no longer exposed or used in more recent Mono versions (since the switch to .NET Core).

I also had trouble finding a working APK to debug/test this use case, so it's likely that the code has some bugs. If you have an APK that you know uses ServicePoint and are willing to share, I might be able to troubleshoot this once I have access to my lab again.

achmstein commented 4 years ago

Hi, thank you for your response. Please download the APK from the following link:

Download APK

Here is a screenshot of the class responsible for certificate pinning. It uses ServicePoint.ServerCertificateValidationCallback. (Screenshot 2020-09-15 014855)

Here is a screenshot of the CertificatePinner's Pin invocation. (Screenshot 2020-09-15 015415)

achmstein commented 3 years ago

Any news?