@alyatwa
Last active February 12, 2022 20:04
bypass ssl pin

Root the Android device

xposed installer
https://repo.xposed.info/module/de.robv.android.xposed.installer
SManager
https://play.google.com/store/apps/details?id=os.tools.scriptmanager&hl=en&gl=US

Getting Started With Frida On Android

https://www.mavensecurity.com/blog/getting-started-with-frida-on-android

Configuring Frida with BurpSuite and Genymotion to bypass Android SSL Pinning

https://arben.sh/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/

Genymotion requirements

Genymotion_ARM_Translation
https://github.com/m9rco/Genymotion_ARM_Translation/blob/master/package/Genymotion-ARM-Translation_for_7.X.zip

Gapps
https://iweb.dl.sourceforge.net/project/opengapps/x86/20210314/open_gapps-x86-7.0-pico-20210314.zip

Install frida

Python Frida tools 8.2.0
pip install frida-tools==8.2.0

Frida server 12.11.18-android-x86
https://github.com/frida/frida/releases/download/12.11.18/frida-server-12.11.18-android-x86.xz

push the frida server to the Genymotion VM

adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell /data/local/tmp/frida-server

run the echo server used with Burp
python server.py

adb command

adb forward tcp:27042 tcp:27042

frida commands

run frida
frida-ps -U

run the frida trace script
python frida-trace.py --no-pause

capture OkHttp using frida & request.js
frida -U -l request.js -U com.emeint.android.myservices --no-pause

list the installed applications in the device
frida-ps -Uai

from frida_tools import tracer
import json
import requests
import frida, sys
#python frida-trace.py --no-pause
# Burp's listener: the tracer below forwards captured payloads to this host/port.
BURP_HOST = 'localhost'
BURP_PORT = 8888

# Pick the last enumerated device and attach to the target package.
# NOTE(review): `[-1]` is "whichever device was listed last"; if several
# devices are present, frida.get_usb_device() / frida.get_remote_device()
# would select explicitly — confirm which one the author relied on.
devices = frida.get_device_manager().enumerate_devices()
device = devices[-1]
print(device)
session = device.attach("com.emeint.android.myservices")
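def on_message(self, message, data, ui):
    """Route '/request' and '/response' payloads from the hook script through Burp.

    This keeps the ``(self, message, data, ui)`` shape of the frida_tools
    tracer message handler it was copied from. NOTE(review): the file later
    registers it with ``script.on('message', on_message)``, which invokes the
    callback with two arguments (message, data), so as written the callback
    only works when bound as a tracer method — confirm how it is wired up.

    Args:
        self: presumably the tracer application (provides ``_script.post`` and
            the default ``__process_message`` handler).
        message: Frida message dict; ``type`` is checked for 'input' / 'send'.
        data: optional binary payload accompanying the message; passed through.
        ui: tracer UI object; passed through to the default handler.

    Returns:
        None. Replies are delivered back to the script via ``self._script.post``.
    """

    def forward(method, headers, body):
        # One hop to Burp's listener. The original calls had no timeout, so a
        # stalled proxy would hang the tracer forever; 30 s is a bounded wait.
        reply = requests.request(method, 'http://%s:%d/' % (BURP_HOST, BURP_PORT),
                                 headers=headers, data=body, timeout=30)
        return reply.content.decode('utf-8')

    handled = False
    msg_type = message.get('type')
    if msg_type == 'input':
        handled = True
    elif msg_type == 'send':
        stanza = message.get('payload')
        # A bare send("text") from the script has no 'from' routing key; fall
        # through to the default handler instead of raising TypeError/KeyError.
        origin = stanza.get('from') if isinstance(stanza, dict) else None
        if origin == '/request':
            req_data = stanza['payload']
            # This is the app's plaintext request body; it may carry session
            # tokens, so keep the console output out of shared logs.
            print(req_data)
            # The author disabled the original JSON unwrapping of the request;
            # the URI header is now a fixed marker rather than the real URL.
            orig_request_url = 'execute'
            return_content = forward('REQUEST',
                                     {'content-type': 'text/plain',
                                      'ORIG_REQUEST_URI': orig_request_url},
                                     req_data)
            self._script.post({'type': 'input', 'payload': return_content})
            handled = True
        elif origin == '/response':
            req_data = stanza['payload'].encode('utf-8')
            return_content = forward('RESPONSE',
                                     {'content-type': 'text/plain'},
                                     req_data)
            self._script.post({'type': 'output', 'payload': return_content})
            handled = True
    if not handled:
        # NOTE(review): outside a class body this name is NOT mangled, so it
        # looks up an attribute literally called `__process_message`; on the
        # tracer class the private method would be mangled — confirm.
        self.__process_message(message, data, ui)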
# Native hook injected into the attached process.
# NOTE(review): the handler signatures `onEnter(log, args, state)` /
# `onLeave(log, retval, state)` are the frida-tools *tracer* handler shape;
# a plain Interceptor.attach() calls onEnter(args) / onLeave(retval), so
# `args` and `state` would be undefined here — confirm how it is loaded.
# NOTE(review): the hook targets `open` but the log line is labelled
# `read(...)`, and the message is sent with `from: '/http'`, which
# on_message above does not route (it only matches '/request' and
# '/response'), so every such message falls through to the default handler.
script = session.create_script("""
Interceptor.attach(Module.findExportByName(null, "open"), {
onEnter: function onEnter(log, args, state) {
log("read(" + "fd=" + args[0]+ ", buf=" + args[1]+ ", count=" + args[2] + ")");
state.buf = args[1]
},
onLeave: function onLeave(log, retval, state) {
send({from: '/http', payload: Memory.readUtf8String(state.buf)})
var op = recv('input', function(value) { // callback function
log("Forwarding mitm'ed content: " + value.payload)
Memory.writeUtf8String(state.buf, value.payload)
});
op.wait();
}
})
""")
# The handler is registered before load(); presumably so that messages
# emitted while the script initialises are not missed.
script.on('message', on_message)
script.load()
# Block until stdin is closed so the hooks stay installed meanwhile.
sys.stdin.read()
// frida -U com.emeint.android.myservices -l request.js
// Loaded with: frida -U com.emeint.android.myservices -l request.js
// Kept in ES5 (var / function expressions) for the Frida 12.x runtime listed
// in these notes — TODO confirm if a newer runtime is used.
Java.perform(function () {
  // Java.use() calls stay in the original order: each one throws if its
  // class cannot be found, so the failure point is unchanged.
  var wrappers = {
    client: Java.use("okhttp3.OkHttpClient"),
    call: Java.use("okhttp3.RealCall"),
    userConfig: Java.use("vodafone.vis.engezly.data.models.cms.UserConfigModel"),
    upgradeModel: Java.use("vodafone.vis.engezly.data.models.upgrade.UpgradeVersionModel"),
    dialogs: Java.use("vodafone.vis.engezly.utils.DialogUtils"),
    commonUtils: Java.use("com.google.firebase.crashlytics.internal.common.CommonUtils")
  };

  // Replace `wrapper[name]` with a method that ignores its arguments and
  // returns `value` (undefined when omitted).
  function stubReturn(wrapper, name, value) {
    wrapper[name].implementation = function () {
      return value;
    };
  }

  // Observe every outgoing call: run the real newCall first, then log the
  // Request object's toString() form.
  wrappers.client.newCall.implementation = function (request) {
    var call = this.newCall(request);
    console.log("\nRequest ++++++", request.toString());
    return call;
  };

  // Same for responses. The incoming argument is deliberately not forwarded,
  // exactly as in the original hook — TODO confirm against the OkHttp
  // version's overload of getResponseWithInterceptorChain.
  wrappers.call.getResponseWithInterceptorChain.implementation = function (ignored) {
    var response = this.getResponseWithInterceptorChain();
    console.log("\nresponse -------------", response.toString());
    return response;
  };

  // Root/device-state signals computed inside the process can be rewritten
  // like this; only a server-side attestation of the device survives it.
  stubReturn(wrappers.commonUtils, "isRooted", false);
  stubReturn(wrappers.commonUtils, "getDeviceState", 0);

  // disable update
  stubReturn(wrappers.upgradeModel, "isForceUpdate", false);
  stubReturn(wrappers.userConfig, "getServiceUpgrade", null);
  stubReturn(wrappers.dialogs, "showUpdateDialog");
});
# coding: utf-8
import platform
if int(platform.python_version_tuple()[0]) < 3:
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
else:
from http.server import HTTPServer, BaseHTTPRequestHandler
from optparse import OptionParser
# TCP port the echo server binds in main(); presumably the port Burp is
# configured to forward the REQUEST/RESPONSE traffic to — confirm in Burp.
ECHO_PORT = 9999
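class RequestHandler(BaseHTTPRequestHandler):
    """Echo handler: reply 200 with the request body, byte-for-byte.

    frida-trace.py sends the captured payloads with the custom HTTP methods
    REQUEST and RESPONSE; this handler answers both the same way so whatever
    arrives (possibly edited in Burp) goes straight back to the tracer.
    """

    def _echo_body(self):
        """Read `Content-Length` bytes of the body and write them back with a 200."""
        # Python 3's HTTPMessage has no getheaders(), so the original raised
        # AttributeError on every request under Python 3. .get() exists on
        # both the Python 2 mimetools.Message and the Python 3 email Message
        # and is case-insensitive on both.
        length = int(self.headers.get('content-length') or 0)
        body = self.rfile.read(length)
        self.send_response(200)
        # Explicit length so the caller does not depend on connection close
        # to find the end of the echoed body.
        self.send_header('Content-Length', str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_REQUEST(self):
        """Handle the REQUEST method used for the tracer's '/request' payloads."""
        print('Recving request connction...')
        self._echo_body()

    def do_RESPONSE(self):
        """Handle the RESPONSE method used for the tracer's '/response' payloads."""
        print('Recving Response connction...')
        self._echo_body()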
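def main(host='127.0.0.1', port=None):
    """Serve the echo handler until interrupted.

    Binds to loopback by default: the banner already says "localhost", but
    the original passed '' (every interface), which exposed the echo endpoint
    to the LAN and to the emulator's network. Pass host='' to restore that if
    Burp really runs on another machine.

    Args:
        host: interface to bind; loopback unless overridden.
        port: TCP port; defaults to ECHO_PORT.
    """
    if port is None:
        port = ECHO_PORT
    print('Listening on localhost: %d' % port)
    server = HTTPServer((host, port), RequestHandler)
    try:
        server.serve_forever()
    finally:
        # Release the listening socket on Ctrl-C instead of leaking it.
        server.server_close()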
# Script entry point; main() prints its own "Listening" line as well.
if __name__ == '__main__':
    print('Staring echo server on port %d' % ECHO_PORT)
    main()