
[android] frida hooking (SSL Pinning 우회)

1. 버프(Burp) CA 인증서를 다운로드한 뒤 파일 이름을 변경: cacert.cert → cert-der.crt


2. adb push  cert-der.crt /data/local/tmp/cert-der.crt


3. 후킹 코드

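// Frida script: inside the instrumented process, load a CA certificate that was
// pushed to the device and make SSLContext.init() use trust managers built from
// a key store that contains only that certificate.
//
// Scope: the hook replaces the (KeyManager[], TrustManager[], SecureRandom)
// overload of SSLContext.init for the whole process, so every caller of that
// overload is affected. Code that validates certificates without going through
// this overload is not changed by this script.
setTimeout(function () {
    Java.perform(function () {
        console.log("-----SSL Pinning-----");

        var CertificateFactory = Java.use("java.security.cert.CertificateFactory");
        var FileInputStream = Java.use("java.io.FileInputStream");
        var BufferedInputStream = Java.use("java.io.BufferedInputStream");
        var KeyStore = Java.use("java.security.KeyStore");
        var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
        var SSLContext = Java.use("javax.net.ssl.SSLContext");

        // Declared with var: the original assigned an implicit global here.
        var cf = CertificateFactory.getInstance("X.509");

        // Open the certificate pushed in step 2. If it cannot be opened, log the
        // error and stop: continuing would pass an undefined stream to
        // BufferedInputStream and fail with a less useful error.
        var fileInputStream;
        try {
            fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt");
        } catch (err) {
            console.log("-----" + err + "-----");
            return;
        }

        // Parse the certificate; close the stream even if parsing throws.
        var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
        var ca;
        try {
            ca = cf.generateCertificate(bufferedInputStream);
        } finally {
            bufferedInputStream.close();
        }

        // Empty key store of the platform default type holding only the loaded CA.
        var keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);

        // Trust managers derived from that key store.
        var tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);

        // Resolve the overload once and reuse it for both the hook and the
        // call-through to the original implementation.
        var initOverload = SSLContext.init.overload(
            "[Ljavax.net.ssl.KeyManager;",
            "[Ljavax.net.ssl.TrustManager;",
            "java.security.SecureRandom"
        );

        // The caller's TrustManager[] argument is discarded; key managers and the
        // random source are passed through unchanged.
        initOverload.implementation = function (keyManagers, trustManagers, secureRandom) {
            initOverload.call(this, keyManagers, tmf.getTrustManagers(), secureRandom);
        };
    });
}, 0);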


4. 참고

https://developer.android.com/reference/javax/net/ssl/TrustManagerFactory





* 프록시 잡기

1. 인증서 파일의 확장자를 der -> cer로 변경

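2. 기기의 환경설정 > 보안 > SD카드에서 설치 메뉴에서 인증서 설치 (Android 7.0 이상에서는 앱이 사용자가 설치한 CA를 기본적으로 신뢰하지 않으므로, 이 설치만으로는 앱 트래픽이 프록시에서 보이지 않을 수 있음)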