@Jineeshak
Created February 18, 2020 11:30
#!/bin/bash
# Reset companion for the proxy-redirect script below: flush every rule from
# the device's nat table so outbound traffic is no longer redirected.
# Runs through adb on a device where `su` is available to the shell user.
#adb root
flush_nat='su -c iptables -t nat -F'
adb shell "$flush_nat"
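#!/bin/bash
# Redirect the device's outbound TCP 80/443 traffic to an intercepting proxy
# listening on <proxy-host>:8080 by adding nat rules on a rooted device.
#
# Usage: $0 <proxy-host-ip>
#
# The nat table is flushed first so repeated runs do not stack rules; the
# short companion script that only performs the flush restores normal traffic.
#
# Fix over the original: the adb commands ran regardless of arguments or
# failures, so "Done" was printed even when $1 was empty (producing an invalid
# "--to-destination :8080") or when su/iptables failed on the device.
if [ "$#" -lt 1 ] || [ -z "$1" ]; then
  echo "usage: $0 <proxy-host-ip>" >&2
  exit 1
fi
# Stop at the first failing step instead of reporting "Done". Note that older
# adb builds do not propagate the remote exit status of `adb shell`, in which
# case this only catches failures of adb itself.
set -e
echo "Burp listening on: $1"
#adb root
#adb shell "su -c touch /data/local/tmp/rootmadethis"
adb shell "su -c iptables -t nat -F"
adb shell "su -c iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination $1:8080"
adb shell "su -c iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination $1:8080"
adb shell "su -c iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE"
adb shell "su -c iptables -t nat -A POSTROUTING -p tcp --dport 443 -j MASQUERADE"
echo "Done"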
/* Android SSL certificate pinning bypass script covering several pinning implementations.
 *
 * Run with:
 *   frida -U -f [APP_ID] -l ssl_bypass.js --no-pause
 *
 * Structure (everything runs inside one Java.perform callback):
 *   1. A permissive X509TrustManager is registered and swapped into SSLContext.init().
 *   2. Known pinning implementations (OkHttp 2/3, TrustKit, Conscrypt, Appcelerator,
 *      PhoneGap, IBM MobileFirst/WorkLight, CWAC-Netsecurity) are hooked one by one;
 *      each hook is wrapped in try/catch so a missing class only logs a "not found" line.
 *   3. A "repinning" section loads a CA from /data/local/tmp/cert.cer and hooks
 *      SSLContext.init() again so that only that CA is trusted.
 *
 * NOTE(review): step 3 assigns an implementation to the same SSLContext.init overload
 * that step 1 hooked, so the later assignment appears to supersede the step-1 hook;
 * confirm on the target Frida version which of the two is live.
 */
// Zero-delay timer; Java.perform runs the callback on a thread attached to the Java VM.
setTimeout(function() {
Java.perform(function () {
console.log('');
console.log('======');
console.log('[#] Android Bypass for various Certificate Pinning methods [#]');
console.log('======');
// Class wrappers for the JSSE types used by the Android < 7 section.
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
var SSLContext = Java.use('javax.net.ssl.SSLContext');
// TrustManager (Android < 7)
var TrustManager = Java.registerClass({
// Custom TrustManager whose check methods are empty: it accepts any client or
// server chain and reports no accepted issuers.
name: 'dev.asd.test.TrustManager',
implements: [X509TrustManager],
methods: {
checkClientTrusted: function (chain, authType) {},
checkServerTrusted: function (chain, authType) {},
getAcceptedIssuers: function () {return []; }
}
});
// Prepare the TrustManager array to pass to SSLContext.init()
var TrustManagers = [TrustManager.$new()];
// Handle on the specific init(KeyManager[], TrustManager[], SecureRandom) overload
var SSLContext_init = SSLContext.init.overload(
'[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
try {
// Override init: forward to the original but replace the app's TrustManager[]
// with the permissive one above (the app's own trustManager argument is dropped).
// NOTE(review): the repinning section near the end of this script assigns an
// implementation to the same overload, so this body is likely superseded once
// that section runs.
SSLContext_init.implementation = function(keyManager, trustManager, secureRandom) {
console.log('[+] Intercepted Trustmanager (Android < 7) request');
SSLContext_init.call(this, keyManager, TrustManagers, secureRandom);
};
console.log('[+] Bypassing TrustManager (Android < 7) pinning');
} catch (err) {
console.log('[-] TrustManager (Android < 7) pinner not found');
}
// okhttp3 (double bypass): both CertificatePinner.check overloads stop checking.
try {
var okhttp3_Activity = Java.use('okhttp3.CertificatePinner');
// Only the first argument (the hostname) is bound; the certificate list is ignored.
okhttp3_Activity.check.overload('java.lang.String', 'java.util.List').implementation = function (str) {
console.log('[+] Intercepted OkHTTP3 {1}: ' + str);
return true;
};
// This method of CertificatePinner.check could be found in some old Android app
okhttp3_Activity.check.overload('java.lang.String', 'java.security.cert.Certificate').implementation = function (str) {
console.log('[+] Intercepted OkHTTP3 {2}: ' + str);
return true;
};
console.log('[+] Bypassing OkHTTP3 pinning');
} catch (err) {
console.log('[-] OkHTTP3 pinner not found');
}
// Trustkit (triple bypass): two OkHostnameVerifier.verify overloads plus
// PinningTrustManager.checkServerTrusted.
try {
var trustkit_Activity = Java.use('com.datatheorem.android.trustkit.pinning.OkHostnameVerifier');
trustkit_Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (str) {
console.log('[+] Intercepted Trustkit {1}: ' + str);
return true;
};
trustkit_Activity.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (str) {
console.log('[+] Intercepted Trustkit {2}: ' + str);
return true;
};
var trustkit_PinningTrustManager = Java.use('com.datatheorem.android.trustkit.pinning.PinningTrustManager');
// No overload() is selected here; if the class declares more than one
// checkServerTrusted overload, Frida throws and the catch below reports the
// whole Trustkit block as not found — TODO confirm against the library version.
trustkit_PinningTrustManager.checkServerTrusted.implementation = function () {
console.log('[+] Intercepted Trustkit {3}');
}
console.log('[+] Bypassing Trustkit pinning');
} catch (err) {
console.log('[-] Trustkit pinner not found');
}
// TrustManagerImpl (Android > 7): verifyChain hands back the untrusted chain
// unchanged, so the chain is accepted without the trust-anchor check.
try {
var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
console.log('[+] Intercepted TrustManagerImpl (Android > 7): ' + host);
return untrustedChain;
};
console.log('[+] Bypassing TrustManagerImpl (Android > 7) pinning');
} catch (err) {
console.log('[-] TrustManagerImpl (Android > 7) pinner not found');
}
// Appcelerator Titanium: checkServerTrusted becomes a no-op (no overload selected).
try {
var appcelerator_PinningTrustManager = Java.use('appcelerator.https.PinningTrustManager');
appcelerator_PinningTrustManager.checkServerTrusted.implementation = function () {
console.log('[+] Intercepted Appcelerator');
};
console.log('[+] Bypassing Appcelerator pinning');
} catch (err) {
console.log('[-] Appcelerator pinner not found');
}
// OpenSSLSocketImpl (Conscrypt): verifyCertificateChain becomes a no-op.
try {
var OpenSSLSocketImpl = Java.use('com.android.org.conscrypt.OpenSSLSocketImpl');
OpenSSLSocketImpl.verifyCertificateChain.implementation = function (certRefs, authMethod) {
console.log('[+] Intercepted OpenSSLSocketImpl');
console.log("[+] verifyCertificateChain() hooked");
};
console.log('[+] Bypassing OpenSSLSocketImpl pinning');
} catch (err) {
console.log('[-] OpenSSLSocketImpl pinner not found');
}
// PhoneGap sslCertificateChecker (https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin)
// execute() returns true unconditionally instead of running the plugin's check.
try {
var phonegap_Activity = Java.use('nl.xservices.plugins.sslCertificateChecker');
phonegap_Activity.execute.overload('java.lang.String', 'org.json.JSONArray', 'org.apache.cordova.CallbackContext').implementation = function (str) {
console.log('[+] Intercepted PhoneGap sslCertificateChecker: ' + str);
return true;
};
console.log('[+] Bypassing PhoneGap sslCertificateChecker pinning');
} catch (err) {
console.log('[-] PhoneGap sslCertificateChecker pinner not found');
}
// IBM MobileFirst pinTrustedCertificatePublicKey
// The hook is installed through the object returned by getInstance(), which is
// called at hook-install time; presumably a failure there (client not yet
// initialised) lands in the catch below — verify against the SDK.
try {
var WLClient = Java.use('com.worklight.wlclient.api.WLClient');
WLClient.getInstance().pinTrustedCertificatePublicKey.implementation = function (cert) {
console.log('[+] Intercepted IBM MobileFirst pinTrustedCertificatePublicKey');
return;
};
console.log('[+] Bypassing IBM MobileFirst pinTrustedCertificatePublicKey pinning');
} catch (err) {
console.log('[-] IBM MobileFirst pinTrustedCertificatePublicKey pinner not found');
}
// IBM WorkLight (ancestor of MobileFirst) HostNameVerifierWithCertificatePinning (quadruple bypass)
// Four verify overloads: the first three return nothing, the SSLSession one returns true.
try {
var worklight_Activity = Java.use('com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning');
worklight_Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSocket').implementation = function (str) {
console.log('[+] Intercepted IBM WorkLight HostNameVerifierWithCertificatePinning {1}: ' + str);
return;
};
worklight_Activity.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (str) {
console.log('[+] Intercepted IBM WorkLight HostNameVerifierWithCertificatePinning {2}: ' + str);
return;
};
worklight_Activity.verify.overload('java.lang.String', 'java.util.List', 'java.util.List').implementation = function (str) {
console.log('[+] Intercepted IBM WorkLight HostNameVerifierWithCertificatePinning {3}: ' + str);
return;
};
worklight_Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (str) {
console.log('[+] Intercepted IBM WorkLight HostNameVerifierWithCertificatePinning {4}: ' + str);
return true;
};
console.log('[+] Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning pinning');
} catch (err) {
console.log('[-] IBM WorkLight HostNameVerifierWithCertificatePinning pinner not found');
}
// CWAC-Netsecurity (unofficial back-port pinner for Android < 4.2) CertPinManager
// isChainValid returns true unconditionally.
try {
var CertPinManager_Activity = Java.use('com.commonsware.cwac.netsecurity.conscrypt.CertPinManager');
CertPinManager_Activity.isChainValid.overload('java.lang.String', 'java.util.List').implementation = function (str) {
console.log('[+] Intercepted CWAC-Netsecurity CertPinManager: ' + str);
return true;
};
console.log('[+] Bypassing CWAC-Netsecurity CertPinManager pinning');
} catch (err) {
console.log('[-] CWAC-Netsecurity CertPinManager pinner not found');
}
// OkHttp 2.x (com.squareup.okhttp), added by mohesh: setCertificatePinner returns
// the client without installing the pinner, and both CertificatePinner.check
// overloads become no-ops.
try {
var OkHttpClient = Java.use("com.squareup.okhttp.OkHttpClient");
OkHttpClient.setCertificatePinner.implementation = function(certificatePinner){
// do nothing (the pinner argument is discarded)
console.log("[+]OkHttpClient.setCertificatePinner Called!");
return this;
};
// Neutralise the check methods as well, in case setCertificatePinner was called
// before this hook was installed.
var CertificatePinner = Java.use("com.squareup.okhttp.CertificatePinner");
CertificatePinner.check.overload('java.lang.String', '[Ljava.security.cert.Certificate;').implementation = function(p0, p1){
// do nothing
console.log("[+]okhttp Called! [Certificate]");
return;
};
CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function(p0, p1){
// do nothing
console.log("[+]okhttp Called! [List]");
return;
};
} catch (e) {
// NOTE(review): this not-found message uses the "[+]" prefix; every other block uses "[-]".
console.log("[+]com.squareup.okhttp not found");
}
// Repinning: build a TrustManager that trusts only the CA in /data/local/tmp/cert.cer
// and force SSLContext.init() to use it, so the app trusts that CA rather than any
// certificate.
var CertificateFactory = Java.use("java.security.cert.CertificateFactory");
var FileInputStream = Java.use("java.io.FileInputStream");
var BufferedInputStream = Java.use("java.io.BufferedInputStream");
var X509Certificate = Java.use("java.security.cert.X509Certificate");
var KeyStore = Java.use("java.security.KeyStore");
var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
// NOTE(review): SSLContext is re-declared here (same var name as the Android < 7
// section above); from this point on the new wrapper is the one referenced.
var SSLContext = Java.use("javax.net.ssl.SSLContext");
// Load CAs from an InputStream
console.log("[+] Loading our CA...")
var cf = CertificateFactory.getInstance("X.509");
try {
var fileInputStream = FileInputStream.$new("/data/local/tmp/cert.cer");
}
catch(err) {
// NOTE(review): when the file cannot be opened the error is only logged;
// fileInputStream stays undefined and the BufferedInputStream.$new call below
// will most likely throw inside Java.perform, aborting the rest of this callback
// (the SSLContext.init hook below is then never installed).
console.log("[o] " + err);
}
var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
var ca = cf.generateCertificate(bufferedInputStream);
bufferedInputStream.close();
var certInfo = Java.cast(ca, X509Certificate);
console.log("[o] Our CA Info: " + certInfo.getSubjectDN());
// Create a KeyStore containing our trusted CAs
console.log("[+] Creating a KeyStore for our CA...");
var keyStoreType = KeyStore.getDefaultType();
var keyStore = KeyStore.getInstance(keyStoreType);
// Fresh, empty in-memory KeyStore holding only the loaded CA under alias "ca".
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
// Create a TrustManager that trusts the CAs in our KeyStore
console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
console.log("[+] Our TrustManager is ready...");
console.log("[+] Hijacking SSLContext methods now...")
console.log("[-] Waiting for the app to invoke SSLContext.init()...")
// Same init overload as SSLContext_init above; this assignment appears to replace
// the earlier hook. The app's TrustManager[] (b) is dropped in favour of the
// factory's managers; the KeyManager[] (a) and SecureRandom (c) are passed through.
SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function(a,b,c) {
console.log("[o] App invoked javax.net.ssl.SSLContext.init...");
SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c);
console.log("[+] SSLContext initialized with our custom TrustManager!");
}
// Proxy enable (disabled): sets the JVM http/https proxy system properties and
// routes okhttp3 clients through a hard-coded HOST:PORT. Left commented out.
/*
var HOST = "10.100.139.198";
var PORT_INT = 8080;
var PORT = "" + PORT_INT;
var System = undefined;
var InetSocketAddress = undefined;
var String = undefined;
var HTTP = Java.use("java.net.Proxy$Type").HTTP;
var OkHttpClient_Builder = undefined;
System = Java.use("java.lang.System");
if(System != undefined) {
System.setProperty("http.proxySet", "true");
System.setProperty("http.proxyHost", HOST);
System.setProperty("http.proxyPort", PORT);
// Enable the proxy for https as well
System.setProperty("https.proxyHost", HOST);
System.setProperty("https.proxyPort", PORT);
console.log("http.proxy already set. (" + HOST + ":" + PORT + ")");
}
Proxy = Java.use("java.net.Proxy");
InetSocketAddress = Java.use("java.net.InetSocketAddress");
String = Java.use("java.lang.String");
if(Proxy != undefined && InetSocketAddress != undefined && String != undefined) {
var addr = InetSocketAddress.$new(String.$new(HOST), PORT_INT);
var proxy_addr = Proxy.$new(HTTP.value, addr);
console.log("set okhttp proxy: " + proxy_addr);
try {
OkHttpClient_Builder = Java.use("okhttp3.OkHttpClient$Builder");
if(OkHttpClient_Builder != undefined) {
OkHttpClient_Builder.build.overload().implementation = function() {
this.proxy(proxy_addr);
return this.build();
};
}
} catch (error) {
console.error(error);
}
}
*/
});
}, 0);
@Jineeshak

frida -U -f com.test -l ssl_bypass.js --no-pause
