httptoolkit / frida-interception-and-unpinning

Frida scripts to directly MitM all HTTPS traffic from a target mobile application
https://httptoolkit.com/android/
GNU Affero General Public License v3.0

Unity based applications pinning bypass? #19

Open shoaibjahejo opened 2 years ago

shoaibjahejo commented 2 years ago

Hello,

I have been looking for a Frida script to bypass SSL pinning in Unity-based applications which use the code below.

https://docs.unity3d.com/ScriptReference/Networking.CertificateHandler.ValidateCertificate.html

Any help?
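For readers who have not seen the Unity API referenced above, here is an added example (not code from this thread, from HTTP Toolkit, or from any of the apps mentioned) of what a `CertificateHandler`-based pin typically looks like on the application side. It subclasses `UnityEngine.Networking.CertificateHandler` and overrides `ValidateCertificate` to compare the SHA-256 hash of the server's public key against a short allow-list. The pin values are constructed placeholders, and the helper class `PinnedRequests` is an assumption of this example, not a Unity API.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using UnityEngine.Networking;

// Added example, not from the thread: a Unity CertificateHandler that pins the
// SHA-256 hash of the server's public key. The pin values are constructed
// placeholders; a real app would hold hashes of its own current and backup keys.
public class PinnedCertificateHandler : CertificateHandler
{
    // Hex-encoded SHA-256 over the DER-encoded public key bytes.
    // Keeping a backup pin lets the server rotate keys without locking clients out.
    private static readonly string[] PinnedPublicKeyHashes =
    {
        "0000000000000000000000000000000000000000000000000000000000000000", // placeholder: current key
        "1111111111111111111111111111111111111111111111111111111111111111", // placeholder: backup key
    };

    // Unity invokes this with the DER bytes of the certificate the server presented.
    // Returning true accepts the connection; anything not explicitly pinned is rejected.
    protected override bool ValidateCertificate(byte[] certificateData)
    {
        try
        {
            var cert = new X509Certificate2(certificateData);
            byte[] publicKey = cert.GetPublicKey();

            string hash;
            using (var sha256 = SHA256.Create())
            {
                hash = BitConverter.ToString(sha256.ComputeHash(publicKey))
                                   .Replace("-", "")
                                   .ToLowerInvariant();
            }

            foreach (var pin in PinnedPublicKeyHashes)
            {
                if (string.Equals(pin, hash, StringComparison.OrdinalIgnoreCase))
                    return true;
            }
            return false;
        }
        catch (CryptographicException)
        {
            // Unparseable certificate data: fail closed rather than open.
            return false;
        }
    }
}

// Assumed helper for this example: attach the handler to every request that must be pinned.
public static class PinnedRequests
{
    public static UnityWebRequest Get(string url)
    {
        var request = UnityWebRequest.Get(url);
        request.certificateHandler = new PinnedCertificateHandler();
        return request;
    }
}
```

This is the C# that ends up compiled into Assembly-CSharp (or, under IL2CPP, into native code), which is why the thread finds no Java-level pinning to patch: the decision is made inside `ValidateCertificate`, not in the Android TLS stack. Two points worth checking when reviewing such a handler: that it fails closed on any exception or hash mismatch, and that it pins the public key rather than the whole certificate so routine certificate renewals do not break the app.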

pimterry commented 2 years ago

Hi @shoaibjahejo, do you have an example app that can be quickly installed and run to see this pinning in action?

In theory it should be easy enough to remove this, but I'm not familiar with Unity and I've never investigated it myself. I've written a general reverse engineering guide here that might help you though: https://httptoolkit.tech/blog/android-reverse-engineering/

yoshimo commented 2 years ago

You could try apps from Activision Blizzard like WoW Companion or Hearthstone. Niantic games like Ingress also rely on Unity.

shoaibjahejo commented 2 years ago

Hi @shoaibjahejo, do you have an example app that can be quickly installed and run to see this pinning in action?

In theory it should be easy enough to remove this, but I'm not familiar with Unity and I've never investigated it myself. I've written a general reverse engineering guide here that might help you though: https://httptoolkit.tech/blog/android-reverse-engineering/

Hello Tim Perry,

Thank you for replying. I have tried each and everything, like reverse engineering the application; I did it, but couldn't find the code in Java, because the validation itself is implemented in its lib files in C# or C++ (not sure), so I started dumping those lib files. Then I got DLL files, then I opened Assembly-CSharp.dll in dnSpy, and then I found the classes which were implementing SSL pinning, but still it didn't reverse the same code, hence it is showing different code, and the implemented one is a little different.

Here is a Unity-based game example which is using the same SSL pinning validation; you can check it out. Link: https://play.google.com/store/apps/details?id=com.micropets.runner&showAllReviews=true

pimterry commented 2 years ago

I've done some more research, and it looks like, as you say, unpinning Unity with Frida is quite a bit more complicated due to the lib files involved. Somebody has created a Frida + Unity guide and tutorial video that you might find helpful here though: https://github.com/kylesmile1103/Learn-Frida

shoaibjahejo commented 2 years ago

I've done some more research, and it looks like, as you say, unpinning Unity with Frida is quite a bit more complicated due to the lib files involved. Somebody has created a Frida + Unity guide and tutorial video that you might find helpful here though: https://github.com/kylesmile1103/Learn-Frida

@pimterry I have followed that tutorial already, but still I couldn't get up to that. I have searched like the whole internet for the past 15 days but I'm not getting success yet. As I have sent you the sample game application above, it is using the same validations; if in any way you can try and get a solution for this, that would be really great. There is nothing I found like a Frida script or any working method for that, so it would be a great thing if you could find a solution for this as well.

pimterry commented 2 years ago

Ah, OK. Sorry, I don't have a lot of time for a major investigation into this myself right now so I can't help much. It definitely seems like it will be possible with Frida, it's just much more complicated than merely patching normal Java APIs.

If you make any progress though, or you find any other articles/video that are actually helpful then do share them here so that other people interested in unpinning Unity can use that!

Yehh22 commented 2 months ago

Another game with cert pinning: Marvel Contest of Champions. Link: https://apkcombo.com/marvel-contest-of-champions/com.kabam.marvelbattle/

It throws an error: "Failed to login".

image

Ah, OK. Sorry, I don't have a lot of time for a major investigation into this myself right now so I can't help much. It definitely seems like it will be possible with Frida, it's just much more complicated than merely patching normal Java APIs.

Maybe you can use Il2Cpp API script? https://github.com/vfsfitvnm/frida-il2cpp-bridge