Created
October 11, 2019 22:26
-
-
Save azenla/37f941de24c5dfe46f3b8e93d94ce909 to your computer and use it in GitHub Desktop.
This Frida script disables SSL pinning and verification on any target macOS Catalina process.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var SecTrustEvaluate_handle = | |
| Module.findExportByName('Security', 'SecTrustEvaluate'); | |
| var SecTrustEvaluateWithError_handle = | |
| Module.findExportByName('Security', 'SecTrustEvaluateWithError'); | |
| var SSL_CTX_set_custom_verify_handle = | |
| Module.findExportByName('libboringssl.dylib', 'SSL_CTX_set_custom_verify'); | |
| var SSL_get_psk_identity_handle = | |
| Module.findExportByName('libboringssl.dylib', 'SSL_get_psk_identity'); | |
| var boringssl_context_set_verify_mode_handle = Module.findExportByName( | |
| 'libboringssl.dylib', 'boringssl_context_set_verify_mode'); | |
| if (SecTrustEvaluateWithError_handle) { | |
| var SecTrustEvaluateWithError = new NativeFunction( | |
| SecTrustEvaluateWithError_handle, 'int', ['pointer', 'pointer']); | |
| Interceptor.replace( | |
| SecTrustEvaluateWithError_handle, | |
| new NativeCallback(function(trust, error) { | |
| console.log('[*] Called SecTrustEvaluateWithError()'); | |
| SecTrustEvaluateWithError(trust, NULL); | |
| Memory.writeU8(error, 0); | |
| return 1; | |
| }, 'int', ['pointer', 'pointer'])); | |
| console.log('[+] SecTrustEvaluateWithError() hook installed.'); | |
| } | |
| if (SecTrustEvaluate_handle) { | |
| var SecTrustEvaluate = new NativeFunction( | |
| SecTrustEvaluate_handle, 'int', ['pointer', 'pointer']); | |
| Interceptor.replace( | |
| SecTrustEvaluate_handle, new NativeCallback(function(trust, result) { | |
| console.log('[*] Called SecTrustEvaluate()'); | |
| SecTrustEvaluate(trust, result); | |
| Memory.writeU8(result, 1); | |
| return 0; | |
| }, 'int', ['pointer', 'pointer'])); | |
| console.log('[+] SecTrustEvaluate() hook installed.'); | |
| } | |
| if (SSL_CTX_set_custom_verify_handle) { | |
| var SSL_CTX_set_custom_verify = new NativeFunction( | |
| SSL_CTX_set_custom_verify_handle, 'void', ['pointer', 'int', 'pointer']); | |
| var replaced_callback = new NativeCallback(function(ssl, out) { | |
| console.log('[*] Called custom SSL verifier') | |
| return 0; | |
| }, 'int', ['pointer', 'pointer']); | |
| Interceptor.replace( | |
| SSL_CTX_set_custom_verify_handle, | |
| new NativeCallback(function(ctx, mode, callback) { | |
| console.log('[*] Called SSL_CTX_set_custom_verify()'); | |
| SSL_CTX_set_custom_verify(ctx, 0, replaced_callback); | |
| }, 'int', ['pointer', 'int', 'pointer'])); | |
| console.log('[+] SSL_CTX_set_custom_verify() hook installed.') | |
| } | |
| if (SSL_get_psk_identity_handle) { | |
| Interceptor.replace( | |
| SSL_get_psk_identity_handle, new NativeCallback(function(ssl) { | |
| console.log('[*] Called SSL_get_psk_identity_handle()'); | |
| return 'notarealPSKidentity'; | |
| }, 'pointer', ['pointer'])); | |
| console.log('[+] SSL_get_psk_identity() hook installed.') | |
| } | |
| if (boringssl_context_set_verify_mode_handle) { | |
| var boringssl_context_set_verify_mode = new NativeFunction( | |
| boringssl_context_set_verify_mode_handle, 'int', ['pointer', 'pointer']); | |
| Interceptor.replace( | |
| boringssl_context_set_verify_mode_handle, | |
| new NativeCallback(function(a, b) { | |
| console.log('[*] Called boringssl_context_set_verify_mode()'); | |
| return 0; | |
| }, 'int', ['pointer', 'pointer'])); | |
| console.log('[+] boringssl_context_set_verify_mode() hook installed.') | |
| } |
Worked like a charm! This is genius! Thank you 🙇♂️
How to use it?
How to use it?
Use Frida, example Python script usage here: https://github.com/kendfinger/AppleCache/tree/master/tools
I am doing in below way and it is not doing anything
sappi@Ranjeets-MacBook-Pro platform-tools 2 % frida -U -l /Users/sappi/Downloads/platform-tools\ 2/ssl-bypass.js --no-paus -f com.twitter.android
____
/ _ | Frida 14.2.18 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
Spawned `com.twitter.android`. Resuming main thread!
[Google Pixel XL::com.example.imagebackup]->
I am doing in below way and it is not doing anything
sappi@Ranjeets-MacBook-Pro platform-tools 2 % frida -U -l /Users/sappi/Downloads/platform-tools\ 2/ssl-bypass.js --no-paus -f com.twitter.android ____ / _ | Frida 14.2.18 - A world-class dynamic instrumentation toolkit | (_| | > _ | Commands: /_/ |_| help -> Displays the help system . . . . object? -> Display information about 'object' . . . . exit/quit -> Exit . . . . . . . . More info at https://frida.re/docs/home/ Spawned `com.twitter.android`. Resuming main thread! [Google Pixel XL::com.example.imagebackup]->
@sappi13
This Frida script is for disabling ssl pinning in programs on macOS Catalina.
For Android, try using https://github.com/sensepost/objection
will it work on mojave?
I'm looking for a way to bypass certificate-pinning for Mac AppStore on 10.14. Is it possible?
good job.in my test,apple silicon 13.5 has a bug?
[] Called SSL_CTX_set_custom_verify()
Error: expected an integer
[] Called boringssl_context_set_verify_mode()
....
[] Called SecTrustEvaluateWithError()
[] Called SecTrustEvaluate()
Error: access violation accessing 0x0
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Words cannot describe how thankful I am for this script. Bravo!