NVISOsecurity / disable-flutter-tls-verification

A Frida script that disables Flutter's TLS verification

Pattern for x64 architecture matching wrong function #34

Open RafaelDiasCampos opened 1 week ago

RafaelDiasCampos commented 1 week ago

When trying to intercept requests in an x86_64 Android Studio emulator, the script found a pattern match, but patching the function broke TLS validation even when not using a proxy. Analyzing the libflutter library, it seems that the last pattern for x64 (55 41 57 41 56 41 55 41 54 53 48 83 EC 38 C6 02 50 48 8B AF A? 00 00 00 48 85 ED 74 7? 48 83 7D 00 00 74) is matching the function ssl_crypto_x509_session_verify_cert_chain instead of the desired ssl_verify_peer_cert, as can be seen from the following screenshots:

Decompilation of function found at pattern: [screenshots]

String literals in the decompiled function: [screenshots]

The ssl_verify_peer_cert was found at address 0x6a80c6 (007a80c6 in Ghidra), with the pattern "55 41 57 41 56 41 55 41 54 53 50 49 89 fe 48 8b 1f 48 8b 43 30 4c 8b b8 d0 01 00 00 4d 85 ff 74 12 4d 8b a7 90 00 00 00 4d 85 e4 74 4a 49 8b 04 24 eb 46". In my opinion, it would be best to improve the existing pattern to avoid incorrectly identifying and patching ssl_crypto_x509_session_verify_cert_chain, but it's not necessary, as even with both functions modified, TLS verification gets disabled:

Both functions were modified, but request interception still works: [screenshot]

As a last note, during my tests, I realized that replacing ssl_crypto_x509_session_verify_cert_chain to return 1 (true) can also be used to disable TLS verification, without changing ssl_verify_peer_cert.

TLDR: New pattern: "55 41 57 41 56 41 55 41 54 53 50 49 89 fe 48 8b 1f 48 8b 43 30 4c 8b b8 d0 01 00 00 4d 85 ff 74 12 4d 8b a7 90 00 00 00 4d 85 e4 74 4a 49 8b 04 24 eb 46".
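The root cause described in this report is a byte signature that is not unique: the shared x64 function prologue (`55 41 57 41 56 41 55 41 54 53 ...`) plus a few wildcarded bytes is satisfied by more than one function in libflutter.so. A useful sanity check before trusting any such signature is to scan the whole module and require exactly one hit. The following is an added example, not code from the repository or from the issue author: a small standalone matcher for hex patterns with nibble wildcards (`3?` matches `0x30`..`0x3F`, `??` matches any byte) and a uniqueness check. It runs on a constructed byte buffer that imitates two functions with the same prologue; the real libflutter.so bytes are not included, and the function names `parsePattern`, `findMatches` and `isUniqueSignature` are this example's own.

```javascript
// Added example (not from the disable-flutter-tls-verification project):
// check whether a hex byte signature with nibble wildcards is unique in a buffer.

// Parse "55 41 A? ?? 3f" into per-byte {value, mask} pairs.
// A '?' nibble clears the corresponding 4 mask bits so it matches anything.
function parsePattern(pattern) {
  return pattern.trim().split(/\s+/).map((tok) => {
    if (tok.length !== 2) throw new Error(`bad pattern token: ${tok}`);
    let value = 0;
    let mask = 0;
    for (const [i, ch] of [...tok].entries()) {
      const shift = i === 0 ? 4 : 0; // high nibble first
      if (ch === "?") continue;
      const nib = parseInt(ch, 16);
      if (Number.isNaN(nib)) throw new Error(`bad hex digit in token: ${tok}`);
      value |= nib << shift;
      mask |= 0xf << shift;
    }
    return { value, mask };
  });
}

// Return every offset in `bytes` where the masked pattern matches.
function findMatches(bytes, pattern) {
  const pat = parsePattern(pattern);
  const hits = [];
  outer: for (let i = 0; i + pat.length <= bytes.length; i++) {
    for (let j = 0; j < pat.length; j++) {
      if ((bytes[i + j] & pat[j].mask) !== pat[j].value) continue outer;
    }
    hits.push(i);
  }
  return hits;
}

// A signature is only safe to act on when it identifies exactly one location.
function isUniqueSignature(bytes, pattern) {
  return findMatches(bytes, pattern).length === 1;
}

// Constructed sample buffer (not real libflutter.so contents): two "functions"
// that share the common x64 prologue push rbp / push r15 / ... / push rbx,
// each terminated by a ret (0xC3) filler byte.
const SAMPLE = Uint8Array.from([
  // function A at offset 0: prologue, then sub rsp, 0x38
  0x55, 0x41, 0x57, 0x41, 0x56, 0x41, 0x55, 0x41, 0x54, 0x53, 0x48, 0x83, 0xec, 0x38,
  0xc3,
  // function B at offset 15: same prologue, then push rax; mov r14, rdi
  0x55, 0x41, 0x57, 0x41, 0x56, 0x41, 0x55, 0x41, 0x54, 0x53, 0x50, 0x49, 0x89, 0xfe,
  0xc3,
]);

const PROLOGUE_ONLY = "55 41 57 41 56 41 55 41 54 53";
const PROLOGUE_PLUS_BODY = "55 41 57 41 56 41 55 41 54 53 50 49 89 FE";

// Prologue alone hits both functions (offsets 0 and 15); adding body bytes
// narrows it to one hit. A nibble wildcard still pins down "sub rsp, 0x3?".
console.log("prologue only:", findMatches(SAMPLE, PROLOGUE_ONLY));          // [0, 15]
console.log("prologue+body:", findMatches(SAMPLE, PROLOGUE_PLUS_BODY));     // [15]
console.log("nibble wildcard:", findMatches(SAMPLE, "48 83 EC 3?"));        // [10]
console.log("unique?", isUniqueSignature(SAMPLE, PROLOGUE_ONLY));           // false
```

When the scan returns more than one offset, the signature needs more distinguishing bytes from the function body (as the longer pattern in this report does) rather than more wildcards; a hit count of zero on a new libflutter build is the other signal that the signature has drifted and should not be patched blindly.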

RafaelDiasCampos commented 1 week ago

Including the libflutter.so library (if it would be helpful, I can also upload the libraries for armeabi-v7a and arm64-v8a): libflutter.zip