NVISOsecurity / disable-flutter-tls-verification

A Frida script that disables Flutter's TLS verification

AVD x86_64: Automated script doesn't work, but old `Memory.scanSync` does #4

Closed rikroe closed 1 year ago

rikroe commented 2 years ago

Hi,

first of all, thanks for all your work and especially for sharing it! Was a huge help!

After using the "manual" way from your blog posts for a while, I discovered your automated script and wanted to try it. Unfortunately, it does not work on an Android AVD (x86_64) with frida 15.2.2 on Windows:

(venv) PS C:\Users\rikro\Downloads\apktool> frida -Uf de.bmw.connected.mobile20.row -l .\disable-flutter-tls-verification\disable-flutter-tls.js --no-pause
     ____
    / _  |   Frida 15.2.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawning `de.bmw.connected.mobile20.row`...
[+] Java environment detected
Spawned `de.bmw.connected.mobile20.row`. Resuming main thread!
[Android Emulator 5554::de.bmw.connected.mobile20.row ]-> [+] Flutter library found
[!] No memory ranges found in Flutter library. This is either a Frida bug, or the application is using some kind of RASP.
[+] libflutter.so loaded
[+] Flutter library found
[!] ssl_verify_peer_cert not found. Trying again...

However, if I use the "old" way of getting the memory pattern, it does find it (and setting ssl_verify_result to true does work):

(venv) PS C:\Users\rikro\Downloads\apktool> frida -Uf de.bmw.connected.mobile20.row --no-pause
     ____
    / _  |   Frida 15.2.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawned `de.bmw.connected.mobile20.row`. Resuming main thread!
[Android Emulator 5554::de.bmw.connected.mobile20.row ]-> var m = Process.findModuleByName("libflutter.so")
[Android Emulator 5554::de.bmw.connected.mobile20.row ]-> var pattern = "55 41 57 41 56 41 55 41 54 53 50 49 89 f? 4c 8b 37 49 8b 46 30 4c 8b a? ?? 0? 00 00 4d 85 e? 74 1? 4d 8b"
[Android Emulator 5554::de.bmw.connected.mobile20.row ]-> Memory.scanSync(m.base, m.size, pattern)
[
    {
        "address": "0x7b8141c1bfe6",
        "size": 35
    }
]

I am not sure if this is a frida issue or something with your script, but I am kind of at a loss as this goes way into the details and possibilities of frida. Maybe it gives you an idea what needs to be changed. Happy to test things!

Could also be related to #3.

Working code for `de.bmw.connected.mobile20.row` 2.9.2 on x86_64 AVD:

```js
function hook_ssl_verify_result(address) {
    Interceptor.attach(address, {
        onEnter: function (args) {
            console.log("Disabling SSL validation");
        },
        onLeave: function (retval) {
            console.log("Retval: " + retval);
            // Force the verification result to "success"
            retval.replace(0x1);
        }
    });
}

function disablePinning() {
    var m = Process.findModuleByName("libflutter.so");
    // x86_64 prologue pattern of ssl_verify_peer_cert; '?' nibbles are wildcards
    var pattern = "55 41 57 41 56 41 55 41 54 53 50 49 89 f? 4c 8b 37 49 8b 46 30 4c 8b a? ?? 0? 00 00 4d 85 e? 74 1? 4d 8b";
    // Scan the whole module (base, size) instead of enumerated ranges
    var res = Memory.scan(m.base, m.size, pattern, {
        onMatch: function (address, size) {
            console.log('[+] ssl_verify_result found at: ' + address.toString());
            // On ARM the original script adds 0x01 because it's a THUMB function;
            // otherwise, we would get 'Error: unable to intercept function at 0x9906f8ac; please file a bug'
            // hook_ssl_verify_result(address.add(0x01));
            // x86_64 has no THUMB bit, so hook the matched address directly
            hook_ssl_verify_result(address);
        },
        onError: function (reason) {
            console.log('[!] There was an error scanning memory');
        },
        onComplete: function () {
            console.log("All done");
        }
    });
}

setTimeout(disablePinning, 1000);
```
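Added example (not code from the issue or from the NVISO project): a stand-alone Node re-implementation of the hex-pattern matching that `Memory.scan` / `Memory.scanSync` perform, so the meaning of the nibble wildcards in the pattern above (`f?`, `??`, `0?`) can be checked offline without a device, plus a small helper showing the "scan the whole module when no ranges come back" fallback that the manual `Memory.scanSync(m.base, m.size, pattern)` call amounts to. The sample module image is constructed, not a dump of `libflutter.so`; `rangesToScan` and its input shape are assumptions for illustration, not Frida's API.

```javascript
// Added example: pure-JS model of Frida-style hex pattern scanning.
// This is NOT Frida's own implementation; it only mirrors the semantics.

// Parse "55 41 f? ?? 0?" into parallel value/mask byte arrays.
// Each token is two hex digits; '?' in a digit position means "don't care"
// for that nibble, so "f?" matches 0xf0..0xff and "??" matches any byte.
function parsePattern(pattern) {
  const tokens = pattern.trim().split(/\s+/);
  const value = new Uint8Array(tokens.length);
  const mask = new Uint8Array(tokens.length);
  tokens.forEach((tok, i) => {
    if (!/^[0-9a-fA-F?]{2}$/.test(tok)) {
      throw new Error(`bad pattern token "${tok}" at index ${i}`);
    }
    let v = 0, m = 0;
    for (const ch of tok) {
      v <<= 4; m <<= 4;
      if (ch !== '?') { v |= parseInt(ch, 16); m |= 0xf; }
    }
    value[i] = v; mask[i] = m;
  });
  return { value, mask };
}

// Scan a byte buffer for every match. Returns [{address, size}] in the same
// shape as Memory.scanSync, with `address` expressed relative to `base`.
function scanBuffer(buf, pattern, base = 0) {
  const { value, mask } = parsePattern(pattern);
  const matches = [];
  outer: for (let off = 0; off + value.length <= buf.length; off++) {
    for (let i = 0; i < value.length; i++) {
      if ((buf[off + i] & mask[i]) !== value[i]) continue outer;
    }
    matches.push({ address: base + off, size: value.length });
  }
  return matches;
}

// The x86_64 ssl_verify_peer_cert prologue pattern from the issue above.
const X64_PATTERN = '55 41 57 41 56 41 55 41 54 53 50 49 89 f? 4c 8b 37 49 8b 46 30 4c 8b a? ?? 0? 00 00 4d 85 e? 74 1? 4d 8b';

// Constructed sample "module" image (not a real libflutter.so): some junk,
// then one concrete instantiation of the pattern with the wildcard nibbles
// filled in, then more junk.
function sampleModule() {
  const junk = [0x90, 0x90, 0xc3, 0x00];
  const fill = { 'f?': 0xf6, 'a?': 0xa6, '??': 0x10, '0?': 0x03, 'e?': 0xe4, '1?': 0x1a };
  const body = X64_PATTERN.split(' ').map(tok => (tok in fill ? fill[tok] : parseInt(tok, 16)));
  return Uint8Array.from([...junk, ...body, ...junk]);
}

// Assumed workaround shape: prefer executable ranges when the module reports
// any, otherwise fall back to the whole module (base, size), which is what the
// manual Memory.scanSync(m.base, m.size, pattern) call in the issue does.
// `mod` is a plain object {base, size, ranges: [{base, size, protection}]},
// an assumed stand-in for a Frida Module, not the real API.
function rangesToScan(mod) {
  const rx = (mod.ranges || []).filter(r => typeof r.protection === 'string' && r.protection.startsWith('r-x'));
  if (rx.length > 0) return rx.map(r => ({ base: r.base, size: r.size }));
  return [{ base: mod.base, size: mod.size }];
}

// Stand-alone run: scan the constructed image as if it were mapped at 0x1000.
console.log(JSON.stringify(scanBuffer(sampleModule(), X64_PATTERN, 0x1000)));
```

Running it prints a single match at offset 4 past the base with size 35, the same `size` Frida reported in the `Memory.scanSync` output above, which is one way to sanity-check a hand-edited pattern before trying it on a device.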
TheDauntless commented 2 years ago

Seems to be a Frida issue (https://github.com/frida/frida/issues/2266) .

Can you try to use the Frida gadget approach? I tried it here and it did work. The easiest way to do that is to use `objection patchapk -s bmw.apk` and then connect using `frida -U gadget -l script.js`.

rikroe commented 2 years ago

Hi, it's been a while, sorry.

I can confirm that using the gadget as described works with your `disable-flutter-tls.js` script. Although only on a real armv8 Android device, not using the AVD (not sure if I did anything wrong or the app just doesn't support x86 AVDs)...

Thanks for the hint and again many thanks for your work!