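// Frida script that disables TLS certificate pinning / chain validation inside the
// instrumented process on macOS (the gist author targets Catalina). It replaces the
// trust-evaluation entry points of Security.framework and the verification hooks of
// Apple's libboringssl with stubs that always report success, so the chain presented
// by an interception proxy is accepted by the application under test.
//
// Every export is looked up first: Module.findExportByName() returns null when the
// symbol is absent, so a missing symbol means that hook is skipped, not an exception.
// A NativeCallback's declared return type must match what it actually returns;
// a mismatch surfaces at call time as a Frida type error such as
// "Error: expected an integer".

var SecTrustEvaluate_handle =
    Module.findExportByName('Security', 'SecTrustEvaluate');
var SecTrustEvaluateWithError_handle =
    Module.findExportByName('Security', 'SecTrustEvaluateWithError');
var SSL_CTX_set_custom_verify_handle =
    Module.findExportByName('libboringssl.dylib', 'SSL_CTX_set_custom_verify');
var SSL_get_psk_identity_handle =
    Module.findExportByName('libboringssl.dylib', 'SSL_get_psk_identity');
var boringssl_context_set_verify_mode_handle = Module.findExportByName(
    'libboringssl.dylib', 'boringssl_context_set_verify_mode');

// bool SecTrustEvaluateWithError(SecTrustRef trust, CFErrorRef *error)
if (SecTrustEvaluateWithError_handle) {
  var SecTrustEvaluateWithError = new NativeFunction(
      SecTrustEvaluateWithError_handle, 'int', ['pointer', 'pointer']);
  Interceptor.replace(
      SecTrustEvaluateWithError_handle,
      new NativeCallback(function(trust, error) {
        console.log('[*] Called SecTrustEvaluateWithError()');
        // The real evaluation still runs (presumably so the trust object ends up in
        // an evaluated state); its verdict is discarded. NULL suppresses the CFError.
        SecTrustEvaluateWithError(trust, NULL);
        // `error` is an optional out-parameter: callers may pass NULL, and writing
        // through it unconditionally faults. Clear the whole pointer slot so no stale
        // CFErrorRef is observed next to the forced "true".
        if (!error.isNull()) {
          error.writePointer(NULL);
        }
        return 1;  // true: evaluation reported as successful
      }, 'int', ['pointer', 'pointer']));
  console.log('[+] SecTrustEvaluateWithError() hook installed.');
}

// OSStatus SecTrustEvaluate(SecTrustRef trust, SecTrustResultType *result)
if (SecTrustEvaluate_handle) {
  var SecTrustEvaluate = new NativeFunction(
      SecTrustEvaluate_handle, 'int', ['pointer', 'pointer']);
  Interceptor.replace(
      SecTrustEvaluate_handle, new NativeCallback(function(trust, result) {
        console.log('[*] Called SecTrustEvaluate()');
        SecTrustEvaluate(trust, result);  // real verdict is overwritten below
        // SecTrustResultType is a 32-bit field, so write all of it rather than a
        // single byte, and guard against a NULL out-pointer, which otherwise fails
        // with "access violation accessing 0x0".
        if (!result.isNull()) {
          result.writeU32(1);  // kSecTrustResultProceed
        }
        return 0;  // errSecSuccess
      }, 'int', ['pointer', 'pointer']));
  console.log('[+] SecTrustEvaluate() hook installed.');
}

// void SSL_CTX_set_custom_verify(SSL_CTX *ctx, int mode,
//     enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert))
if (SSL_CTX_set_custom_verify_handle) {
  var SSL_CTX_set_custom_verify = new NativeFunction(
      SSL_CTX_set_custom_verify_handle, 'void', ['pointer', 'int', 'pointer']);
  // Verifier installed instead of the one the app registers: accepts every chain.
  var replaced_callback = new NativeCallback(function(ssl, out) {
    console.log('[*] Called custom SSL verifier');
    return 0;  // ssl_verify_ok
  }, 'int', ['pointer', 'pointer']);
  // Declared 'void' to match the native signature above; the earlier 'int'
  // declaration with no return statement raised "Error: expected an integer" on
  // every call.
  Interceptor.replace(
      SSL_CTX_set_custom_verify_handle,
      new NativeCallback(function(ctx, mode, callback) {
        console.log('[*] Called SSL_CTX_set_custom_verify()');
        // The app's mode and callback are ignored; mode 0 is SSL_VERIFY_NONE.
        SSL_CTX_set_custom_verify(ctx, 0, replaced_callback);
      }, 'void', ['pointer', 'int', 'pointer']));
  console.log('[+] SSL_CTX_set_custom_verify() hook installed.');
}

// const char *SSL_get_psk_identity(const SSL *ssl)
if (SSL_get_psk_identity_handle) {
  // Allocated once and kept referenced from module scope: Frida frees the buffer
  // when the NativePointer is garbage-collected, while native code may keep using
  // the address it was handed.
  var psk_identity = Memory.allocUtf8String('notarealPSKidentity');
  Interceptor.replace(
      SSL_get_psk_identity_handle, new NativeCallback(function(ssl) {
        console.log('[*] Called SSL_get_psk_identity()');
        // Return type is 'pointer'; returning a JS string here fails at call time.
        return psk_identity;
      }, 'pointer', ['pointer']));
  console.log('[+] SSL_get_psk_identity() hook installed.');
}

// Private Apple symbol with no public prototype. The hook reports success without
// invoking the original, so whatever verify mode the caller requests is never
// applied. Both arguments are ignored.
if (boringssl_context_set_verify_mode_handle) {
  Interceptor.replace(
      boringssl_context_set_verify_mode_handle,
      new NativeCallback(function(arg0, arg1) {
        console.log('[*] Called boringssl_context_set_verify_mode()');
        return 0;
      }, 'int', ['pointer', 'pointer']));
  console.log('[+] boringssl_context_set_verify_mode() hook installed.');
}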
Worked like a charm! This is genius! Thank you 🙇♂️
How to use it?
How to use it?
Use Frida, example Python script usage here: https://github.com/kendfinger/AppleCache/tree/master/tools
I am doing in below way and it is not doing anything
sappi@Ranjeets-MacBook-Pro platform-tools 2 % frida -U -l /Users/sappi/Downloads/platform-tools\ 2/ssl-bypass.js --no-paus -f com.twitter.android
____
/ _ | Frida 14.2.18 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
Spawned `com.twitter.android`. Resuming main thread!
[Google Pixel XL::com.example.imagebackup]->
I am doing in below way and it is not doing anything
sappi@Ranjeets-MacBook-Pro platform-tools 2 % frida -U -l /Users/sappi/Downloads/platform-tools\ 2/ssl-bypass.js --no-paus -f com.twitter.android ____ / _ | Frida 14.2.18 - A world-class dynamic instrumentation toolkit | (_| | > _ | Commands: /_/ |_| help -> Displays the help system . . . . object? -> Display information about 'object' . . . . exit/quit -> Exit . . . . . . . . More info at https://frida.re/docs/home/ Spawned `com.twitter.android`. Resuming main thread! [Google Pixel XL::com.example.imagebackup]->
@sappi13
This Frida script is for disabling SSL pinning in programs on macOS Catalina.
For Android, try using https://github.com/sensepost/objection
will it work on mojave?
I'm looking for a way to bypass certificate-pinning for Mac AppStore on 10.14. Is it possible?
Good job. In my test, Apple Silicon 13.5 has a bug?
[*] Called SSL_CTX_set_custom_verify()
Error: expected an integer
[*] Called boringssl_context_set_verify_mode()
....
[*] Called SecTrustEvaluateWithError()
[*] Called SecTrustEvaluate()
Error: access violation accessing 0x0
Words cannot describe how thankful I am for this script. Bravo!