deltaclock · April 22, 2022 08:35 · Apr 21, 2022 · Apr 21, 2022 · Apr 21, 2022
diff --git a/wokplace-ssl-pinning-bypass.md b/wokplace-ssl-pinning-bypass.md
@@ -17,4 +17,6 @@ The easiest way to bypass this check is to patch the `if (state.verifier()) {` c
 2. Download `/data/data/com.facebook.work/lib-compressed/libxplat_fizz_client_protocolAndroid.so` from the device.
 3. Patch the `cbz` instruction at the address `1d748` to turn it into an uncoditional `b` jump. If you don't have the necessary disassembler software open the binary using a [hex editor](https://stackoverflow.com/a/827369), find the address `1d748` and change the bytes `F7 00 00 B4` to `07 00 00 14`.
 4. Push the file to your device, and replace `/data/data/com.facebook.work/lib-compressed/libxplat_fizz_client_protocolAndroid.so` with the newly modified version.
-5. Open the Workplace app, and see that it does not verify TLS certificates anymore. (If you have the proxy settings set up properly on the device, you should now see the `/graphql` calls in Burp/your HTTP proxy. 😎)
+5. Open the Workplace app, and see that it does not verify TLS certificates anymore. (If you have the proxy settings set up properly on the device, you should now see the `/graphql` calls in Burp/your HTTP proxy. 😎)
+
+*Since this patch completely disables TLS certificate verification, make sure to only perform it on a testing device without any sensitive data. Certificates that are not trusted by Android itself will also be accepted.*
diff --git a/readme.md → wokplace-ssl-pinning-bypass.md b/readme.md → wokplace-ssl-pinning-bypass.md
diff --git a/readme.md b/readme.md
@@ -0,0 +1,20 @@
+Tested on Workplace for Android version 362.0.0.29.109. This approach might work in other Facebook/Meta applications.
+Thank you [Imre Rad](https://www.linkedin.com/in/imre-rad-2358749b/) for helping me analyze the binary.
+
+## How does it work?
+
+The Workplace Android app uses the [Fizz](https://github.com/facebookincubator/fizz) open source TLS-1.3 library to communicate with the backend APIs.
+This library is written in C++, and is compiled to native code. It is running as a [native library](https://developer.android.com/ndk/guides) attached to the Android app.
+
+The certificate verification is implemented in `fizz/client/ClientProtocol.cpp`, on [line 1944](https://github.com/facebookincubator/fizz/blob/c40e4f45e4f4d02c837c82890e0e0725b9ee29d3/fizz/client/ClientProtocol.cpp#L1944).
+The easiest way to bypass this check is to patch the `if (state.verifier()) {` check on [line 1942](https://github.com/facebookincubator/fizz/blob/c40e4f45e4f4d02c837c82890e0e0725b9ee29d3/fizz/client/ClientProtocol.cpp#L1942).
+
+## How to do it?
+
+*This process requires a rooted device.*
+
+1. Install Workplace on the device, and open it once.
+2. Download `/data/data/com.facebook.work/lib-compressed/libxplat_fizz_client_protocolAndroid.so` from the device.
+3. Patch the `cbz` instruction at the address `1d748` to turn it into an uncoditional `b` jump. If you don't have the necessary disassembler software open the binary using a [hex editor](https://stackoverflow.com/a/827369), find the address `1d748` and change the bytes `F7 00 00 B4` to `07 00 00 14`.
+4. Push the file to your device, and replace `/data/data/com.facebook.work/lib-compressed/libxplat_fizz_client_protocolAndroid.so` with the newly modified version.
+5. Open the Workplace app, and see that it does not verify TLS certificates anymore. (If you have the proxy settings set up properly on the device, you should now see the `/graphql` calls in Burp/your HTTP proxy. 😎)