@rootsec1
Last active March 25, 2024 07:26
Revisions

  1. rootsec1 revised this gist Oct 6, 2020. No changes.
  2. rootsec1 created this gist May 28, 2020.
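--- /dev/null
+++ b/fridascript.js
@@ -0,0 +1,62 @@
+Java.perform(function () {
+console.log("\nRoot detection bypass with Frida");
+var CommonUtils = Java.use("io.fabric.sdk.android.services.common.CommonUtils");
+console.log("\nHijacking isRooted function in CommonUtils class");
+CommonUtils.isRooted.implementation = function () {
+console.log("\nInside the isRooted function");
+return false;
+};
+console.log("\nRoot detection bypassed");
+console.log("\n");
+console.log("[.] Cert Pinning Bypass/Re-Pinning");
+
+
+var CertificateFactory = Java.use("java.security.cert.CertificateFactory");
+var FileInputStream = Java.use("java.io.FileInputStream");
+var BufferedInputStream = Java.use("java.io.BufferedInputStream");
+var X509Certificate = Java.use("java.security.cert.X509Certificate");
+var KeyStore = Java.use("java.security.KeyStore");
+var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
+var SSLContext = Java.use("javax.net.ssl.SSLContext");
+
+// Load CAs from an InputStream
+console.log("[+] Loading our CA...")
+var cf = CertificateFactory.getInstance("X.509");
+
+try {
+var fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt");
+}
+catch (err) {
+console.log("[o] " + err);
+}
+
+var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
+var ca = cf.generateCertificate(bufferedInputStream);
+bufferedInputStream.close();
+
+var certInfo = Java.cast(ca, X509Certificate);
+console.log("[o] Our CA Info: " + certInfo.getSubjectDN());
+
+// Create a KeyStore containing our trusted CAs
+console.log("[+] Creating a KeyStore for our CA...");
+var keyStoreType = KeyStore.getDefaultType();
+var keyStore = KeyStore.getInstance(keyStoreType);
+keyStore.load(null, null);
+keyStore.setCertificateEntry("ca", ca);
+
+// Create a TrustManager that trusts the CAs in our KeyStore
+console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
+var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
+var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
+tmf.init(keyStore);
+console.log("[+] Our TrustManager is ready...");
+
+console.log("[+] Hijacking SSLContext methods now...")
+console.log("[-] Waiting for the app to invoke SSLContext.init()...")
+
+SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function (a, b, c) {
+console.log("[o] App invoked javax.net.ssl.SSLContext.init...");
+SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c);
+console.log("[+] SSLContext initialized with our custom TrustManager!");
+}
+});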
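Review bot: The try/catch around `FileInputStream.$new("/data/local/tmp/cert-der.crt")` logs a missing or unreadable CA file and then falls through, so the following `BufferedInputStream.$new(fileInputStream)` runs with `fileInputStream` undefined and the script dies on a confusing secondary error instead of a clear one; add `return;` right after `console.log("[o] " + err);` so the abort is explicit. The same fragility exists at `Java.use("io.fabric.sdk.android.services.common.CommonUtils")` near the top: `Java.use` throws when the class is not present in the target process, which aborts the whole `Java.perform` callback before any pinning hook is installed, so the root-detection hook should sit in its own try/catch that logs and continues. The pinning bypass hooks only the three-argument `SSLContext.init` overload and swaps the app's TrustManagers for one that trusts solely the injected CA, so TLS validation the app performs through other paths (a library-level pinner, or a TrustManager it never hands to `SSLContext.init`) is presumably untouched and needs separate hooks, and any endpoint not chaining to that CA will now fail — worth stating in a comment above the `[.] Cert Pinning Bypass/Re-Pinning` log line, e.g. `// Only SSLContext.init(km, tm, sr) is hooked; other validation paths are not covered.`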