@Hacksore
Last active January 8, 2024 05:01
Bypass iOS SSL Pinning
  1. Install frida-tools on your host: pip3 install frida-tools (or your system's package)
  2. Install frida-server on your jailbroken device (its version must match the frida-tools on the host)
  3. Start the app you want to reverse
  4. Attach with Frida: frida -U -F (USB device, frontmost app). If you save the script to a file, pass it with -l instead of pasting
  5. Paste in the script below
  6. Start mitmproxy, point the device's Wi-Fi proxy at it, and start sniffing

source https://codeshare.frida.re/@federicodotta/ios13-pinning-bypass/

/**
 * Description: iOS 13 SSL Bypass based on https://codeshare.frida.re/@machoreverser/ios12-ssl-bypass/ and https://github.com/nabla-c0d3/ssl-kill-switch2
 * Author: @apps3c
 */

// Make sure libboringssl.dylib (the TLS stack behind CFNetwork/NSURLSession) is
// loaded so its exports can be resolved below.
try {
	Module.ensureInitialized("libboringssl.dylib");
} catch (err) {
	console.log("libboringssl.dylib module not loaded. Trying to manually load it.");
	Module.load("libboringssl.dylib");
}

// BoringSSL's ssl_verify_result_t has ssl_verify_ok == 0. The original name is
// kept, but note this is the verify callback's return value, not a verify mode.
var SSL_VERIFY_NONE = 0;
var ssl_set_custom_verify;
var ssl_get_psk_identity;

// Note: Frida 17 moved several static Module.* helpers onto Module instances
// obtained via Process.getModuleByName(); adjust these lookups on newer Frida.
ssl_set_custom_verify = new NativeFunction(
	Module.findExportByName("libboringssl.dylib", "SSL_set_custom_verify"),
	'void', ['pointer', 'int', 'pointer']
);

/* Create SSL_get_psk_identity NativeFunction
 * Function signature https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_get_psk_identity
 */
ssl_get_psk_identity = new NativeFunction(
	Module.findExportByName("libboringssl.dylib", "SSL_get_psk_identity"),
	'pointer', ['pointer']
);

/** Custom callback passed to SSL_set_custom_verify: accepts every chain */
function custom_verify_callback_that_does_not_validate(ssl, out_alert) {
	return SSL_VERIFY_NONE;
}

/** Wrap callback in NativeCallback for frida (the verdict must be returned, not dropped) */
var ssl_verify_result_t = new NativeCallback(function (ssl, out_alert) {
	return custom_verify_callback_that_does_not_validate(ssl, out_alert);
}, 'int', ['pointer', 'pointer']);

// Whatever verify callback the app or CFNetwork installs, swap in ours instead.
Interceptor.replace(ssl_set_custom_verify, new NativeCallback(function (ssl, mode, callback) {
	//  |callback| performs the certificate verification. Replace this with our custom callback
	ssl_set_custom_verify(ssl, mode, ssl_verify_result_t);
}, 'void', ['pointer', 'int', 'pointer']));

// The C original returns a pointer to a string literal; a NativeCallback with a
// 'pointer' return type must likewise return a NativePointer, so allocate the
// string once and keep a reference so it is not garbage-collected.
var fakePskIdentity = Memory.allocUtf8String("notarealPSKidentity");
Interceptor.replace(ssl_get_psk_identity, new NativeCallback(function (ssl) {
	return fakePskIdentity;
}, 'pointer', ['pointer']));

console.log("[+] Bypass successfully loaded ");
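The six steps above, driven from the shell so the script is loaded with -l rather than pasted into the REPL. This is an added example, not part of the Gist; it assumes the Frida script is saved as ios13-pinning-bypass.js next to it, frida-server is already running on the USB-connected jailbroken device, and the device's Wi-Fi proxy points at the host's port 8080 (the script name, port and the RUN_BYPASS variable are this example's own choices).

```shell
#!/bin/sh
# Added example, not part of the Gist: drive the bypass steps from the shell.
# Assumptions (not from the original page): the Frida script is saved as
# ios13-pinning-bypass.js, frida-server is running on the USB-connected device,
# and the device's Wi-Fi proxy is set to this host on PROXY_PORT.

SCRIPT="${SCRIPT:-ios13-pinning-bypass.js}"
PROXY_PORT="${PROXY_PORT:-8080}"

# Step 1: frida-tools on the host (its version must match frida-server).
ensure_frida_tools() {
  command -v frida >/dev/null 2>&1 || pip3 install --user frida-tools
}

# Build the frida command line. "frontmost" mirrors the Gist's "frida -U -F"
# (attach to the app already in the foreground); a bundle id uses "-f" to spawn
# the app so the hooks are in place before its first TLS handshake, which is
# where pinning usually fails.
frida_cmd() {
  target="$1"
  script="$2"
  if [ "$target" = "frontmost" ]; then
    printf 'frida -U -F -l %s' "$script"
  else
    printf 'frida -U -f %s -l %s' "$target" "$script"
  fi
}

# Steps 3-6: mitmdump (the non-interactive mitmproxy front end) records flows in
# the background while the bypass script is injected into the app.
run_bypass() {
  target="${1:-frontmost}"
  ensure_frida_tools
  [ -f "$SCRIPT" ] || { echo "missing $SCRIPT" >&2; return 1; }
  mitmdump -p "$PROXY_PORT" -w capture.flows &
  proxy_pid=$!
  # Lists installed apps with their bundle ids if you need a target for -f.
  frida-ps -Uai
  eval "$(frida_cmd "$target" "$SCRIPT")"
  kill "$proxy_pid" 2>/dev/null
}

# Usage: RUN_BYPASS=1 sh run_bypass.sh                  (attach to frontmost app)
#        RUN_BYPASS=1 sh run_bypass.sh com.example.app  (spawn by bundle id)
if [ "${RUN_BYPASS:-0}" = "1" ]; then
  run_bypass "$1"
fi
```

Spawning with -f matters for apps that pin at launch: an attach after the first request misses the handshake that already failed. The recorded capture.flows can be opened later with mitmproxy -r capture.flows.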
@luckystar86

Hi, how to use this script?

@Hacksore (Author)

@luckystar86 did you face issues in using the instructions?

@luckystar86

Yes, I get a guru meditation error while sideloading... any idea?
