
@alximw
Created March 17, 2020 09:31
// Frida agent script (uses the Java bridge: Java.available, Java.perform, Java.use).
// It replaces certificate-validation methods in the hooked Android process: the
// platform TrustManagerImpl.verifyChain and several methods on the app classes
// "lfr", "lfh" and "lfm". Those short class names look like obfuscated identifiers
// from one specific app build; the descriptive names in the log strings below are
// the script author's labels and cannot be confirmed from this listing.
// Net effect of the hooks that return a fixed value: the process accepts
// certificates/chains without the result of the original check being consulted.

// NOTE(review): empty-body spin loop. If Java.available is false when the script
// loads, this presumably never exits, since nothing else gets a chance to run and
// change it -- confirm. The `if` on the next line already guards the same condition.
while(!Java.available);
if(Java.available) {
Java.perform(function() {
try {
// Platform (Conscrypt) trust manager used for TLS chain verification.
var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
// NOTE(review): array_list is never used in this listing.
var array_list = Java.use("java.util.ArrayList");
// Replacement returns the peer-supplied chain unchanged and never calls the
// original verifyChain, so no chain verification happens in this method.
// NOTE(review): assigned without .overload(); the six-parameter signature is
// presumably specific to certain Android releases -- confirm on the target.
TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
return untrustedChain;
}
} catch (err) {
// Reports a generic marker to the host; the actual error text is not sent.
send("[*] Error");
// Re-throws only when the message *starts with* 'ClassNotFoundException'
// (indexOf === 0); every other error is swallowed here.
// NOTE(review): a message such as "java.lang.ClassNotFoundException: ..." would
// not match at index 0 -- confirm whether this branch can ever fire.
if (err.message.indexOf('ClassNotFoundException') === 0) {
throw new Error(err);
}
}
// NOTE(review): AndroidSSLPlatform and stackTrace are not defined anywhere in this
// listing. Unless they are provided elsewhere, evaluating the next statement throws
// a ReferenceError inside the Java.perform callback, and none of the hooks below
// it would be installed -- confirm.
AndroidSSLPlatform.a.overload('java.security.Provider', 'java.lang.String', 'java.security.KeyStore').implementation = function(a,b,c){
stackTrace()
return this.a(a,b,c)
}
// App class "lfr": treated by the author as a wrapper around a java.security.KeyStore.
const keyStoreWrapper = Java.use("lfr");
// Forces a(X509Certificate) to return true without calling the original method.
keyStoreWrapper.a.overload('java.security.cert.X509Certificate').implementation = function(a){
console.log("KeyStoreContainsRootCert(X509Certificate)")
return true;
}
// Constructor hook: logs the number of keystore entries, attempts to print each
// certificate, then runs the original constructor.
keyStoreWrapper.$init.overload('java.security.KeyStore').implementation = function(keystore){
console.log("KeyStoreWrapper() ")
console.log("Entries in keystore: "+keystore.size())
var alias = keystore.aliases()
while(alias.hasMoreElements()){
// NOTE(review): `alias` is the value returned by keystore.aliases(), not the
// KeyStore; getCertificate(String) is a KeyStore method, so this was presumably
// meant to be keystore.getCertificate(...) -- confirm. As written the call likely
// fails before the original constructor on the line after the loop is reached.
console.log(alias.getCertificate(alias.nextElement()))
}
return keyStoreWrapper.$init.call(this, keystore)
}
// App class "lfh": the author's labels suggest certificate-chain helpers.
const CertificateChain = Java.use("lfh");
// Logging only: delegates to the original a(X509Certificate[], lfr).
CertificateChain.a.overload('[Ljava.security.cert.X509Certificate;', 'lfr').implementation = function(certs,keyStoreWrapper){
console.log("ValidateCertificateChain(X509Certificate[], KeyStore)");
return this.a(certs, keyStoreWrapper);
}
// Calls the original, discards its result (return_value is unused) and returns
// true unconditionally.
CertificateChain.a.overload('java.security.cert.X509Certificate', 'java.security.cert.X509Certificate').implementation = function(cert_a,cert_b){
console.log("CertsAreEqualOrAChain('java.security.cert.X509Certificate','java.security.cert.X509Certificate')");
var return_value = this.a(cert_a, cert_b);
return true
}
// App class "lfm": exposes checkServerTrusted, so it presumably acts as the app's
// own trust manager -- confirm against the decompiled app.
const TrustManager = Java.use("lfm");
// Logging only: runs the original constructor with the same arguments.
TrustManager.$init.overload('lfr','[Ljava.lang.String;', 'long' ).implementation = function(a,b,c){
console.log("TrustManager() constructor")
return TrustManager.$init.call(this, a,b,c)
}
// Logging only: delegates to the original a(X509Certificate[]).
TrustManager.a.overload('[Ljava.security.cert.X509Certificate;').implementation = function(certs){
console.log("checkPins([Ljava.security.cert.X509Certificate;)")
return this.a(certs)
}
// Calls the original, discards its result (result is unused), logs the
// certificate serial number and returns true unconditionally.
TrustManager.a.overload('java.security.cert.X509Certificate').implementation = function(cert){
console.log("validateCert(java.security.cert.X509Certificate)")
var result = this.a(cert)
console.log("Validating : "+cert.getSerialNumber())
return true;
}
// Logging only: prints the string argument and delegates to the original.
TrustManager.a.overload('java.lang.String').implementation = function(string){
console.log("computePinFromString(string="+string+")")
return this.a(string)
}
// Logging only: delegates to the original a(X509Certificate[], String).
TrustManager.a.overload('[Ljava.security.cert.X509Certificate;', 'java.lang.String').implementation = function(certs, string){
console.log("ValidateChain([Ljava.security.cert.X509Certificate;', 'java.lang.String')")
return this.a(certs, string)
}
// Logging only: delegates to the original a(lfr).
TrustManager.a.overload('lfr').implementation = function(keyStore){
console.log("getTrustManagers(keyStore)")
return this.a(keyStore)
}
// Logging only: the original checkServerTrusted still runs and its outcome
// (return value or exception) is passed through unchanged.
TrustManager.checkServerTrusted.overload('[Ljava.security.cert.X509Certificate;', 'java.lang.String').implementation = function(keyChain, authType){
console.log("checkServerTrusted()")
return this.checkServerTrusted(keyChain, authType)
}
});
}