Flutter的证书校验
起因
最近工作上让做个app的复测，把apk发我后，开始尝试挂代理抓包，结果发现抓不到，以为是证书没弄好，想着前几天不是刚导入了吗（雾）。又重新导入了下还是不行。然后各种lsp模块、objection都不行，r0capture也没数据。然后用jadx看了下，全是flutter字样，才想起来和flutter有关。
开始百度
然后就开始各种找。
session_verify_cert_chain函数在第356行的ssl_x509.cc中被定义
然后根据《[原创]一种基于frida和drony的针对flutter抓包的方法》（Android安全-看雪-安全社区，kanxue.com）这篇文章里的特征去找。但是这个特征是32位的，所以在app安装的时候指定32位安装，然后写脚本绕过。
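// 32-bit libflutter.so (section "32位" of the original post).
//
// Frida script, restored from a listing whose string quotes, `=` and `+`
// were lost in extraction. What it shows: the function located by the byte
// pattern below (the post identifies it as session_verify_cert_chain in
// ssl_x509.cc) has its return value overwritten with 1 inside the
// instrumented process, after which the post reports that the proxy could
// capture traffic. The certificate check inside libflutter.so therefore only
// holds while the process cannot be instrumented.

/**
 * Attach to the function at `address` and overwrite its return value with 1.
 *
 * @param {NativePointer} address - Address handed to Interceptor.attach.
 */
function hook_ssl_verify_result(address) {
  Interceptor.attach(address, {
    onEnter: function (args) {
      console.log("Disabling SSL validation");
    },
    onLeave: function (retval) {
      console.log("Retval: " + retval);
      // Whatever the function returned is replaced by 1.
      retval.replace(0x1);
    },
  });
}

/**
 * Scan the mapped libflutter.so image for the byte pattern and hook every match.
 */
function hookFlutter() {
  const m = Process.findModuleByName("libflutter.so");
  // Byte pattern taken from the post for the 32-bit build.
  const pattern = "2D E9 F0 4F 85 B0 06 46 50 20 10 70";
  Memory.scan(m.base, m.size, pattern, {
    onMatch: function (address, size) {
      console.log("[+] ssl_verify_result found at: " + address.toString());
      // Add 0x01 because it's a THUMB function.
      // Otherwise, we would get "Error: unable to intercept function at
      // 0x9906f8ac; please file a bug".
      hook_ssl_verify_result(address.add(0x01));
    },
    onError: function (reason) {
      console.log("[!] There was an error scanning memory");
    },
    onComplete: function () {
      console.log("All done");
    },
  });
}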
然后启动就可以抓包了
64位
搜索ssl_client，然后就找到了这些：
.text:0000000000596870 FF C3 01 D1    SUB   SP, SP, #0x70
.text:0000000000596874 FD 7B 01 A9    STP   X29, X30, [SP,#0x70+var_60]
.text:0000000000596878 FC 6F 02 A9    STP   X28, X27, [SP,#0x70+var_50]
.text:000000000059687C FA 67 03 A9    STP   X26, X25, [SP,#0x70+var_40]
.text:0000000000596880 F8 5F 04 A9    STP   X24, X23, [SP,#0x70+var_30]
.text:0000000000596884 F6 57 05 A9    STP   X22, X21, [SP,#0x70+var_20]
.text:0000000000596888 F4 4F 06 A9    STP   X20, X19, [SP,#0x70+var_10]
.text:000000000059688C 08 0A 80 52    MOV   W8, #0x50
.text:0000000000596890 48 00 00 39    STRB  W8, [X2]
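// 64-bit attempt ("然后写脚本": the script the author wrote from the
// function prologue bytes found in the disassembly).
//
// Restored from a listing whose string quotes, `=` and `+` were lost in
// extraction; nothing else is changed. The post reports that running this
// version produced an error, so it is reproduced as posted, including the
// pattern string and the comment carried over from the 32-bit script.

/**
 * Attach to the function at `address` and overwrite its return value with 1.
 *
 * @param {NativePointer} address - Address handed to Interceptor.attach.
 */
function hook_ssl_verify_result(address) {
  Interceptor.attach(address, {
    onEnter: function (args) {
      console.log("Disabling SSL validation");
    },
    onLeave: function (retval) {
      console.log("Retval: " + retval);
      // Whatever the function returned is replaced by 1.
      retval.replace(0x1);
    },
  });
}

/**
 * Scan the mapped libflutter.so image for the byte pattern and hook every match.
 */
function hookFlutter() {
  const m = Process.findModuleByName("libflutter.so");
  // Pattern string exactly as it appears in the post.
  const pattern = "FF C3 01 D1 FD 7B 01 A9 FC 6F 02 A9FA 67 03 A9 F8 5F 04 A9 F6 57 05 A9 F4 4F 06 A9 08 0A 80 52 48 00 00 39";
  Memory.scan(m.base, m.size, pattern, {
    onMatch: function (address, size) {
      console.log("[+] ssl_verify_result found at: " + address.toString());
      // Add 0x01 because it's a THUMB function.
      // Otherwise, we would get "Error: unable to intercept function at
      // 0x9906f8ac; please file a bug".
      hook_ssl_verify_result(address.add(0x01));
    },
    onError: function (reason) {
      console.log("[!] There was an error scanning memory");
    },
    onComplete: function () {
      console.log("All done");
    },
  });
}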
然后发现报错了