NVISOsecurity / disable-flutter-tls-verification

A Frida script that disables Flutter's TLS verification

Doesn't work for https://play.google.com/store/apps/details?id=enterprises.dating.boo #3

Closed ardzz closed 1 year ago

ardzz commented 2 years ago

How do I find the offset manually? I've read your article, and it said:

> If we take a look at the [ssl_crypto_x509_session_verify_cert_chain](https://github.com/google/boringssl/blob/master/ssl/ssl_x509.cc#L362) function again, we can see that the OPENSSL_PUT_ERROR macro is called at line 390. Searching for the number 390 (or 0x186) gives us some results (Search > For Scalars…):

How did you know that OPENSSL_PUT_ERROR is called at line 390? There are so many OPENSSL_PUT_ERROR calls in the x509.cc script. Can you give me a screenshot of the code at line 390? Thank you.

Apologies for my bad English.

ardzz commented 2 years ago

[Screenshot attached: Screen Shot 2022-09-08 at 07 59 29]

ardzz commented 2 years ago

Here are the libraries: x86_64.zip, arm64-v8a.zip

TheDauntless commented 2 years ago

The md5sums for this app are:

arm64-v8a: 4e7bf42e24dac3b1ff9737ea7a8351b6
x86_64: 2d9092cd3a69f0f0da4a545607fbf3d2

These two hashes are covered by the script. However, for some reason Frida can't find any active ranges inside of the Flutter module. This is either a Frida bug, or the application is using some kind of RASP.

```
> frida --no-pause -U -f enterprises.dating.boo
     ____
    / _  |   Frida 15.2.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to SM G950F (id=ce02171255925c1b04)
Spawned `enterprises.dating.boo`. Resuming main thread!
[SM G950F::enterprises.dating.boo ]-> Process.findModuleByName("libflutter.so")
{
    "base": "0x6d0b4c1000",
    "name": "libflutter.so",
    "path": "/data/app/~~53aZ8vx7RLjO1eia_Vikyw==/enterprises.dating.boo-sovEFIjUrq2ioEiYCk-luA==/split_config.arm64_v8a.apk!/lib/arm64-v8a/libflutter.so",
    "size": 9625600
}
[SM G950F::enterprises.dating.boo ]-> Process.findModuleByName("libflutter.so").enumerateRanges("---")
[]
```

Both Frida bugs and RE'ing RASP are beyond the scope of this project, so I can't help you. I did update the error message in case this situation happens.

Feel free to reopen if you have further info / updates.
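The empty `enumerateRanges()` result above is the thing the updated error message is meant to catch. As an added illustration (not code from this thread or from the NVISO script), the snippet below turns that check into a small diagnostic: it measures how much of the module's `[base, base+size)` span the returned ranges actually cover and classifies the result as `none`, `partial` or `full`. The Frida calls (`Process.findModuleByName`, `Module.enumerateRanges`) are the ones shown in the session; the `'r--'` filter, the helper names and the sample range layouts are my own assumptions, and the sample module values are copied from the session output.

```javascript
// Added example, not code from the NVISO script or from this thread.
// Classifies what Module.enumerateRanges() returned for a loaded module by
// measuring how much of [base, base+size) the returned ranges cover.
// Pure helpers run under plain Node; the Frida entry point at the bottom
// only executes when Frida's `Process` global exists.

// Constructed sample values, copied from the session in the thread above.
const SAMPLE_MODULE = { name: 'libflutter.so', base: '0x6d0b4c1000', size: 9625600 };

// Constructed range listings (assumed layouts, not captured from a device).
const SAMPLE_EMPTY = [];
const SAMPLE_FULL = [
  { base: '0x6d0b4c1000', size: 4194304, protection: 'r-x' },
  { base: '0x6d0b8c1000', size: 5431296, protection: 'rw-' },
];
const SAMPLE_PARTIAL = [SAMPLE_FULL[0]];

// Sum the bytes of `ranges` that fall inside the module and classify coverage.
function checkRangeCoverage(module, ranges) {
  const base = BigInt(module.base);
  const size = BigInt(module.size);
  const end = base + size;
  let covered = 0n;
  for (const r of ranges) {
    const rb = BigInt(r.base);
    const re = rb + BigInt(r.size);
    // Clip each range to the module bounds before counting it.
    const lo = rb > base ? rb : base;
    const hi = re < end ? re : end;
    if (hi > lo) covered += hi - lo;
  }
  let status;
  if (ranges.length === 0) status = 'none';
  else if (covered >= size) status = 'full';
  else status = 'partial';
  return {
    status,
    rangeCount: ranges.length,
    coveredBytes: Number(covered),
    ratio: Number(covered) / module.size,
  };
}

// Human-readable diagnostic, the kind of message a script could print
// instead of silently failing its memory scan.
function describe(module, result) {
  const pct = (result.ratio * 100).toFixed(1);
  switch (result.status) {
    case 'none':
      return `${module.name}: no ranges returned for a ${module.size}-byte module; ` +
        'memory scanning for the patch offsets cannot proceed (Frida issue or RASP?).';
    case 'partial':
      return `${module.name}: ${result.rangeCount} range(s) cover ${pct}% of the module; ` +
        'scanning may miss the target function.';
    default:
      return `${module.name}: ${result.rangeCount} range(s) cover the whole module.`;
  }
}

// Frida entry point (only meaningful inside a Frida session; skipped under Node).
if (typeof Process !== 'undefined' && typeof Process.findModuleByName === 'function') {
  const m = Process.findModuleByName('libflutter.so');
  if (m === null) {
    console.log('libflutter.so is not loaded yet');
  } else {
    const mod = { name: m.name, base: m.base.toString(), size: m.size };
    // 'r--' asks for every readable range regardless of write/exec bits.
    const ranges = m.enumerateRanges('r--').map(r => ({
      base: r.base.toString(), size: r.size, protection: r.protection,
    }));
    console.log(describe(mod, checkRangeCoverage(mod, ranges)));
  }
}
```

Run under Node it only exercises the helpers on the constructed samples; loaded into a Frida session it reports, for the real `libflutter.so`, whether a later pattern scan has anything to scan. A `none` result with a non-zero module size is exactly the situation in the session above and is worth surfacing before attempting any patching.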

ardzz commented 2 years ago

Informatively, those addresses are verified, but it still doesn't work. Is it caused by a bug in Frida, or has the app I use implemented RASP? 😞

[Screenshots attached: Screen Shot 2022-09-13 at 23 29 48, Screen Shot 2022-09-13 at 23 30 23]

TheDauntless commented 2 years ago

Can you try using the Frida Gadget approach instead of frida-server? See https://github.com/frida/frida/issues/2266

ardzz commented 2 years ago

Not yet ...

[Screenshot attached: Screen Shot 2022-10-06 at 13 14 00]