If the app's APK contains libflutter.so (under lib/<abi>/ inside the archive), you can be sure it was built with Flutter.
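An added example (not code from the original post) for that check: it opens the APK as a zip archive, looks for lib/<abi>/libflutter.so, and reports which ABIs ship the engine. The ABI list is worth having because the frida byte pattern used later to hook certificate verification is architecture specific. The build_sample_apk helper fabricates a minimal in-memory APK for testing; it is constructed data, not a real app.

```python
import io
import zipfile

# Added example, not from the original post: identify a Flutter build by the
# presence of lib/<abi>/libflutter.so and report the ABIs that carry it.

FLUTTER_ENGINE = "libflutter.so"


def flutter_abis(apk_bytes):
    """Return the sorted list of ABIs whose lib directory contains libflutter.so."""
    abis = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            # Native libraries live at lib/<abi>/<name>.so inside the APK.
            if len(parts) == 3 and parts[0] == "lib" and parts[2] == FLUTTER_ENGINE:
                abis.add(parts[1])
    return sorted(abis)


def is_flutter_apk(apk_bytes):
    """True when at least one ABI directory ships the Flutter engine."""
    return bool(flutter_abis(apk_bytes))


def build_sample_apk(abis, flutter=True):
    """Construct a minimal fake APK in memory (constructed test data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"")
        zf.writestr("classes.dex", b"")
        for abi in abis:
            zf.writestr(f"lib/{abi}/libc++_shared.so", b"\x7fELF")
            if flutter:
                zf.writestr(f"lib/{abi}/{FLUTTER_ENGINE}", b"\x7fELF")
    return buf.getvalue()


if __name__ == "__main__":
    import sys

    with open(sys.argv[1], "rb") as f:
        data = f.read()
    found = flutter_abis(data)
    print("Flutter build:", bool(found), "ABIs with libflutter.so:", found)
```

Run it as `python flutter_check.py target.apk`; an empty ABI list means the app is not a Flutter build and the rest of this approach does not apply.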
Modules such as JustTrustMe and SSLUnpinning are completely ineffective here, because Flutter does its TLS inside libflutter.so (its own bundled BoringSSL) rather than through the Android Java APIs those modules hook. Flutter's HTTP client also ignores the system proxy setting, so to get the traffic to the proxy at all you can use Postern (VPN based) or ProxyDroid (iptables based, needs root). These two are not the only options, but they are simple, point-and-click tools.
For the certificate validation problem, use frida to hook the verification function inside libflutter.so. For the details see the post on the pediy forum: https://bbs.pediy.com/thread-261941.htm Here is my frida script; try it if you run into this. If it does not work, pull the corresponding byte pattern from the function prologue yourself in IDA, because the pattern is specific to the engine build and architecture (the one below is for arm64). Once the hook is in place there is output on every request.
The script:
// Usage: frida -UF -l hook.js   (attach to the foreground app on a USB device)
// Defeats certificate verification in Flutter's bundled BoringSSL by forcing the
// verification routine in libflutter.so to return 1 (chain accepted).
// The byte pattern is the arm64 prologue of that routine in one engine build;
// other builds or architectures need their own pattern (take it from IDA).
function hook_ssl_verify_result(address) {
    Interceptor.attach(address, {
        onEnter: function (args) {
            console.log("Disabling SSL validation");
        },
        onLeave: function (retval) {
            console.log("Retval: " + retval);
            retval.replace(0x1); // 1 = certificate chain accepted
        }
    });
}
function hookFlutter() {
    var m = Process.findModuleByName("libflutter.so");
    if (m === null) {
        console.log("[!] libflutter.so is not loaded yet");
        return;
    }
    // Pattern for an older engine build:
    // var pattern = "FF 03 05 D1 FD 7B 0F A9 9A E3 05 94 08 0A 80 52 48 00 00 39 16 54 40 F9 56 07 00 B4 C8 02 40 F9 08 07 00 B4";
    var pattern = "FF 03 05 D1 FD 7B 0F A9 FA 67 10 A9 F8 5F 11 A9 F6 57 12 A9 F4 4F 13 A9 08 0A 80 52 48 00 00 39 16 54 40 F9";
    Memory.scan(m.base, m.size, pattern, {
        onMatch: function (address, size) {
            console.log('[+] ssl_verify_result found at: ' + address.toString());
            hook_ssl_verify_result(address);
            return 'stop'; // the prologue should be unique; hook only the first hit
        },
        onError: function (reason) {
            console.log('[!] There was an error scanning memory: ' + reason);
        },
        onComplete: function () {
            console.log("All done");
        }
    });
}
function main() {
    hookFlutter();
}
setImmediate(main);
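An added example (not from the original post or the pediy thread) for the step where the pattern has to be taken from IDA. parse_pattern and scan implement the same "XX XX ?? XX" wildcard matching that Memory.scan uses, so a candidate pattern can be checked against a copy of libflutter.so pulled from the device, offline, to confirm it matches exactly once before loading it into frida. generalize_arm64_pattern takes raw prologue bytes copied from IDA and wildcards every AArch64 `b`/`bl` instruction: the call target in those instructions changes between engine builds while the register-saving prologue around them usually does not. That masking rule is my own heuristic, not something the post describes; the sample module buffer is constructed test data.

```python
# Added example, not from the original post: host-side helpers for building and
# validating the frida byte pattern for libflutter.so.


def parse_pattern(pattern):
    """'FF 03 ?? D1' -> (values, mask); a mask byte of 0x00 marks a wildcard."""
    values, mask = bytearray(), bytearray()
    for tok in pattern.split():
        if tok == "??":
            values.append(0x00)
            mask.append(0x00)
        else:
            values.append(int(tok, 16))
            mask.append(0xFF)
    return bytes(values), bytes(mask)


def scan(buf, pattern):
    """Return every offset in buf where the wildcard pattern matches
    (same semantics as frida's Memory.scan, applied to a file on disk)."""
    values, mask = parse_pattern(pattern)
    n = len(values)
    hits = []
    for off in range(len(buf) - n + 1):
        if all((buf[off + i] & mask[i]) == values[i] for i in range(n)):
            hits.append(off)
    return hits


def generalize_arm64_pattern(prologue):
    """Turn raw little-endian AArch64 prologue bytes into a frida pattern, replacing
    each b/bl instruction with wildcards. Heuristic (assumption): bits 31..26 of
    bl are 100101 and of b are 000101, so byte 3 masked with 0x7C equals 0x14."""
    if len(prologue) % 4:
        raise ValueError("AArch64 code is 4-byte aligned")
    parts = []
    for i in range(0, len(prologue), 4):
        insn = prologue[i:i + 4]
        if (insn[3] & 0x7C) == 0x14:
            parts += ["??"] * 4
        else:
            parts += [f"{b:02X}" for b in insn]
    return " ".join(parts)


# The arm64 pattern from the script above, and the older one kept in its comment.
CURRENT_PATTERN = ("FF 03 05 D1 FD 7B 0F A9 FA 67 10 A9 F8 5F 11 A9 F6 57 12 A9 "
                   "F4 4F 13 A9 08 0A 80 52 48 00 00 39 16 54 40 F9")
OLD_PROLOGUE = bytes.fromhex("FF0305D1FD7B0FA99AE30594080A8052")


def build_sample_module():
    """Constructed stand-in for a dumped libflutter.so: zero padding, the prologue
    at offset 0x40, then a run of AArch64 NOPs (1F 20 03 D5)."""
    values, _ = parse_pattern(CURRENT_PATTERN)
    return b"\x00" * 0x40 + values + bytes.fromhex("1F2003D5") * 8


def check_pattern(buf, pattern):
    """True only when the pattern matches exactly once, which is what the
    frida script needs to hook the right function."""
    return len(scan(buf, pattern)) == 1


if __name__ == "__main__":
    import sys

    with open(sys.argv[1], "rb") as f:
        module = f.read()
    print("hits:", [hex(h) for h in scan(module, CURRENT_PATTERN)])
    print("generalized old prologue:", generalize_arm64_pattern(OLD_PROLOGUE))
```

Pull the library with `adb pull` from the app's lib directory (or from the APK), then run `python pattern_check.py libflutter.so`; zero hits means the pattern is for a different build, more than one means it is not specific enough and the scan will hook the wrong function.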
Once the hook succeeds, enable ProxyDroid and forward the traffic to the local Charles instance; the decrypted HTTPS traffic will then show up there.