rootsec1 · March 25, 2024 07:26
diff --git a/fridascript.js b/fridascript.js
 Java.perform(function () {
 	console.log("\nRoot detection bypass with Frida");
 	var CommonUtils = Java.use("io.fabric.sdk.android.services.common.CommonUtils");
 	console.log("\nHijacking isRooted function in CommonUtils class");
 	CommonUtils.isRooted.implementation = function () {
 		console.log("\nInside the isRooted function");
 		return false;
 	};
 	console.log("\nRoot detection bypassed");
 	console.log("\n");
 	console.log("[.] Cert Pinning Bypass/Re-Pinning");


 	var CertificateFactory = Java.use("java.security.cert.CertificateFactory");
 	var FileInputStream = Java.use("java.io.FileInputStream");
 	var BufferedInputStream = Java.use("java.io.BufferedInputStream");
 	var X509Certificate = Java.use("java.security.cert.X509Certificate");
 	var KeyStore = Java.use("java.security.KeyStore");
 	var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
 	var SSLContext = Java.use("javax.net.ssl.SSLContext");

 	// Load CAs from an InputStream
 	console.log("[+] Loading our CA...")
 	var cf = CertificateFactory.getInstance("X.509");

 	try {
 		var fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt");
 	}
 	catch (err) {
 		console.log("[o] " + err);
 	}

 	var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
 	var ca = cf.generateCertificate(bufferedInputStream);
 	bufferedInputStream.close();

 	var certInfo = Java.cast(ca, X509Certificate);
 	console.log("[o] Our CA Info: " + certInfo.getSubjectDN());

 	// Create a KeyStore containing our trusted CAs
 	console.log("[+] Creating a KeyStore for our CA...");
 	var keyStoreType = KeyStore.getDefaultType();
 	var keyStore = KeyStore.getInstance(keyStoreType);
 	keyStore.load(null, null);
 	keyStore.setCertificateEntry("ca", ca);

 	// Create a TrustManager that trusts the CAs in our KeyStore
 	console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
 	var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
 	var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
 	tmf.init(keyStore);
 	console.log("[+] Our TrustManager is ready...");

 	console.log("[+] Hijacking SSLContext methods now...")
 	console.log("[-] Waiting for the app to invoke SSLContext.init()...")

 	SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function (a, b, c) {
 		console.log("[o] App invoked javax.net.ssl.SSLContext.init...");
 		SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c);
 		console.log("[+] SSLContext initialized with our custom TrustManager!");
 	}
 });
	Java.perform(function () {
	console.log("\nRoot detection bypass with Frida");
	var CommonUtils = Java.use("io.fabric.sdk.android.services.common.CommonUtils");
	console.log("\nHijacking isRooted function in CommonUtils class");
	CommonUtils.isRooted.implementation = function () {
	console.log("\nInside the isRooted function");
	return false;
	};
	console.log("\nRoot detection bypassed");
	console.log("\n");
	console.log("[.] Cert Pinning Bypass/Re-Pinning");


	var CertificateFactory = Java.use("java.security.cert.CertificateFactory");
	var FileInputStream = Java.use("java.io.FileInputStream");
	var BufferedInputStream = Java.use("java.io.BufferedInputStream");
	var X509Certificate = Java.use("java.security.cert.X509Certificate");
	var KeyStore = Java.use("java.security.KeyStore");
	var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
	var SSLContext = Java.use("javax.net.ssl.SSLContext");

	// Load CAs from an InputStream
	console.log("[+] Loading our CA...")
	var cf = CertificateFactory.getInstance("X.509");

	try {
	var fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt");
	}
	catch (err) {
	console.log("[o] " + err);
	}

	var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
	var ca = cf.generateCertificate(bufferedInputStream);
	bufferedInputStream.close();

	var certInfo = Java.cast(ca, X509Certificate);
	console.log("[o] Our CA Info: " + certInfo.getSubjectDN());

	// Create a KeyStore containing our trusted CAs
	console.log("[+] Creating a KeyStore for our CA...");
	var keyStoreType = KeyStore.getDefaultType();
	var keyStore = KeyStore.getInstance(keyStoreType);
	keyStore.load(null, null);
	keyStore.setCertificateEntry("ca", ca);

	// Create a TrustManager that trusts the CAs in our KeyStore
	console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
	var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
	var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
	tmf.init(keyStore);
	console.log("[+] Our TrustManager is ready...");

	console.log("[+] Hijacking SSLContext methods now...")
	console.log("[-] Waiting for the app to invoke SSLContext.init()...")

	SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function (a, b, c) {
	console.log("[o] App invoked javax.net.ssl.SSLContext.init...");
	SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c);
	console.log("[+] SSLContext initialized with our custom TrustManager!");
	}
	});