Open fftry12 opened 4 months ago
Hmm, this is very interesting! Thanks for the detailed error report.
> Adding this to "android-certificate-unpinning.js" fixed that issue
This is a good fix given the obfuscation here, but it's probably not actually necessary. OkHTTP failures are caught by the 'fallback' script, even if they're obfuscated (by checking for thrown TLS errors matching built-in types, and pattern matching against the class structure). That's not happening here (it prints a large warning) so this shouldn't matter much.
> Error: access violation accessing 0x5d8
This is definitely more concerning & interesting. Unfortunately I can't reproduce the exact error here though. With a quick test I see:
Very occasionally it fails with:
Cmdline: kr.co.kork7app
pid: 11603, tid: 11787, name: DefaultDispatch >>> kr.co.kork7app <<<
uid: 10173
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0000000000000010
Cause: null pointer dereference
Abort message: 'FORTIFY: pthread_mutex_lock called on a destroyed mutex (0x7d4a2c7962c8)'
rax 00001e460023d160 rbx 0000000000000000 rcx 0000000000000000 rdx 0000000000000000
r8 00007d46ea192470 r9 0000000000000000 r10 0000000000000000 r11 0000000000000246
r12 0000000000000000 r13 00007d46ea192470 r14 00001e460064a0a0 r15 0000000000000000
rdi 00001e460023d160 rsi 00007d4715eced3b
rbp 0000000000000000 rsp 00007d46ea190d20 rip 00007d47194084a5
backtrace:
#00 pc 00000000037614a5 /product/app/TrichromeLibrary/TrichromeLibrary.apk!libmonochrome_64.so (BuildId: 2759a97e5f69d7525020ed6c6e09c6dd52905ae6)
#01 pc 0000000003760f84 /product/app/TrichromeLibrary/TrichromeLibrary.apk!libmonochrome_64.so (BuildId: 2759a97e5f69d7525020ed6c6e09c6dd52905ae6)
#02 pc 00000000036c3e24 /product/app/TrichromeLibrary/TrichromeLibrary.apk!libmonochrome_64.so (BuildId: 2759a97e5f69d7525020ed6c6e09c6dd52905ae6)
#03 pc 0000000004139e51 /product/app/TrichromeLibrary/TrichromeLibrary.apk!libmonochrome_64.so (BuildId: 2759a97e5f69d7525020ed6c6e09c6dd52905ae6)
#04 pc 000000000413a138 /product/app/TrichromeLibrary/TrichromeLibrary.apk!libmonochrome_64.so (BuildId: 2759a97e5f69d7525020ed6c6e09c6dd52905ae6)
#05 pc 00000000036ba5d4 /product/app/TrichromeLibrary/TrichromeLibrary.apk!libmonochrome_64.so (BuildId: 2759a97e5f69d7525020ed6c6e09c6dd52905ae6)
That seems unrelated, and I've managed to reproduce this with and without the TLS hook script. It's hard to know exactly what triggers that. I have seen some anti-Frida blocks do things like this on purpose elsewhere I think so it could be related to that.
> maybe int should be replaced by another type
>
> `const realCallback = new NativeFunction(realCallbackAddr, 'int', ['pointer','pointer']);`
The types here come from BoringSSL (you can see here libssl.so is being patched - that should always be some BoringSSL version). I think that this is always the correct type because `SSL_set_custom_verify` and `SSL_CTX_set_custom_verify` both take a callback declared as `enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)`.
That means two arguments: a pointer to the SSL instance, and an out pointer for an alert (so the pointer types should be fine) and an enum result (which I think should be represented as an int from Frida's POV, although I'm not totally sure if that's correct or if there are specific cases where it would be something else).
You could try smaller number types here maybe to see? `int8`, `int16` etc. I'd be very interested to know if that helps.
That said, that's for the latest version of BoringSSL. It might be possible that older versions are different, or really really old versions use OpenSSL or something else instead maybe. What Android version are you using? Can you share the exact details of your device setup? That might provide some clues.
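As an added example (not code from the httptoolkit scripts or from this issue), here is how a Frida script would wrap that callback with exactly the types discussed above, and what it should check before calling through. The enum values are BoringSSL's own from ssl.h; the module name `libssl.so`, the `Process.findModuleByName` lookup, and the choice to pass `ssl_verify_retry` through unchanged are assumptions made for the example:

```javascript
// Added example, not code from the httptoolkit script or from this issue.
// Wraps BoringSSL's custom verify callback from Frida using the signature in ssl.h:
//   enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)
// Assumptions: the module is 'libssl.so', and ssl_verify_retry is passed through.

// Values of enum ssl_verify_result_t as declared in BoringSSL's ssl.h.
const SSL_VERIFY_OK = 0;
const SSL_VERIFY_INVALID = 1;
const SSL_VERIFY_RETRY = 2;

// Frida types for the callback. A C enum whose values fit in an int is passed
// and returned as an int on all Android ABIs (arm, arm64, x86, x86_64), so
// 'int' is the right return type; both parameters are pointers.
const VERIFY_CALLBACK_RET = 'int';
const VERIFY_CALLBACK_ARGS = ['pointer', 'pointer'];

// NativeCallbacks must stay referenced for as long as native code may call
// them, otherwise the trampoline is freed and the next handshake crashes.
const liveCallbacks = [];

// Policy applied to the real callback's result (pure, so it can be tested off
// device): accept certificates the app rejected, but keep ssl_verify_retry,
// because an app using async verification expects to be called again then.
function relaxVerifyResult(realResult) {
  return realResult === SSL_VERIFY_RETRY ? SSL_VERIFY_RETRY : SSL_VERIFY_OK;
}

// Build the replacement callback for one SSL_(CTX_)set_custom_verify call.
// Returns null when there is nothing to wrap (a NULL callback pointer), which
// avoids building and later calling a NativeFunction at address 0.
function wrapVerifyCallback(realCallbackAddr) {
  if (realCallbackAddr.isNull()) return null;
  const realCallback = new NativeFunction(realCallbackAddr, VERIFY_CALLBACK_RET, VERIFY_CALLBACK_ARGS);
  const wrapped = new NativeCallback(function (ssl, outAlert) {
    // Let the app's verifier run (it may have side effects), then override.
    const realResult = realCallback(ssl, outAlert);
    if (realResult === SSL_VERIFY_INVALID) {
      console.log('[+] Overriding certificate rejected by BoringSSL custom verify');
    }
    return relaxVerifyResult(realResult);
  }, VERIFY_CALLBACK_RET, VERIFY_CALLBACK_ARGS);
  liveCallbacks.push(wrapped);
  return wrapped;
}

// Attach to both setters and swap the callback argument on the way in.
// Returns false when not running under Frida (e.g. when this file is executed
// in Node for the off-device tests) or when the module is not loaded.
function installCustomVerifyHook(libName) {
  if (typeof Interceptor === 'undefined' || typeof Process === 'undefined') return false;
  const mod = Process.findModuleByName(libName);
  if (mod === null) return false;
  let hooked = 0;
  for (const name of ['SSL_set_custom_verify', 'SSL_CTX_set_custom_verify']) {
    const addr = mod.findExportByName(name);
    if (addr === null) continue;
    Interceptor.attach(addr, {
      onEnter(args) {
        // args[0] = SSL* or SSL_CTX*, args[1] = mode, args[2] = callback.
        const wrapped = wrapVerifyCallback(args[2]);
        if (wrapped !== null) args[2] = wrapped;
      }
    });
    hooked++;
  }
  return hooked > 0;
}

if (typeof Interceptor !== 'undefined') {
  installCustomVerifyHook('libssl.so');
}
```

Under Frida the last lines install the hook when the script loads; outside Frida `installCustomVerifyHook` returns `false` without touching anything, so the result policy can be exercised off-device. The null check matters because BoringSSL accepts these setters with a NULL callback, and wrapping that pointer would mean calling through address 0 on the next handshake.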
Hi, I got this error when running the script
At first I had this error
Adding this to "android-certificate-unpinning.js" fixed that issue
That's the line which makes it crash
maybe int should be replaced by another type
I've tested it on other apps with the same configuration, so far that's the only app I'm having trouble with, so the issue is unlikely to be from my end. Here's the command line I use to launch the script