Created
June 29, 2020 15:16
-
-
Save vj0shii/1572f568e883e2fbfcb172e4f4bdf892 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| setTimeout(function(){ | |
| Java.perform(function (){ | |
| console.log("[*] Script loaded") | |
| var MenuActivity = Java.use("sg.vantagepoint.mstgkotlin.MenuActivity") | |
| StartActivity.RootDetection.overload().implementation = function() { | |
| console.log("[*] isDeviceRooted function invoked") | |
| return false | |
| } | |
| console.log(""); | |
| console.log("[.] Cert Pinning Bypass/Re-Pinning"); | |
| var CertificateFactory = Java.use("java.security.cert.CertificateFactory"); | |
| var FileInputStream = Java.use("java.io.FileInputStream"); | |
| var BufferedInputStream = Java.use("java.io.BufferedInputStream"); | |
| var X509Certificate = Java.use("java.security.cert.X509Certificate"); | |
| var KeyStore = Java.use("java.security.KeyStore"); | |
| var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory"); | |
| var SSLContext = Java.use("javax.net.ssl.SSLContext"); | |
| // Load CAs from an InputStream | |
| console.log("[+] Loading our CA...") | |
| var cf = CertificateFactory.getInstance("X.509"); | |
| try { | |
| var fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt"); | |
| } | |
| catch(err) { | |
| console.log("[o] " + err); | |
| } | |
| var bufferedInputStream = BufferedInputStream.$new(fileInputStream); | |
| var ca = cf.generateCertificate(bufferedInputStream); | |
| bufferedInputStream.close(); | |
| var certInfo = Java.cast(ca, X509Certificate); | |
| console.log("[o] Our CA Info: " + certInfo.getSubjectDN()); | |
| // Create a KeyStore containing our trusted CAs | |
| console.log("[+] Creating a KeyStore for our CA..."); | |
| var keyStoreType = KeyStore.getDefaultType(); | |
| var keyStore = KeyStore.getInstance(keyStoreType); | |
| keyStore.load(null, null); | |
| keyStore.setCertificateEntry("ca", ca); | |
| // Create a TrustManager that trusts the CAs in our KeyStore | |
| console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore..."); | |
| var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); | |
| var tmf = TrustManagerFactory.getInstance(tmfAlgorithm); | |
| tmf.init(keyStore); | |
| console.log("[+] Our TrustManager is ready..."); | |
| console.log("[+] Hijacking SSLContext methods now...") | |
| console.log("[-] Waiting for the app to invoke SSLContext.init()...") | |
| SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function(a,b,c) { | |
| console.log("[o] App invoked javax.net.ssl.SSLContext.init..."); | |
| SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c); | |
| console.log("[+] SSLContext initialized with our custom TrustManager!"); | |
| } | |
| }); | |
| },0); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment