Created
May 3, 2023 04:20
-
-
Save hax3xploit/1eb31973f98127c4aa74210d131cf9f0 to your computer and use it in GitHub Desktop.
This is combined bypass script for root and SSL.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Java.perform(function() { | |
var array_list = Java.use("java.util.ArrayList"); | |
var ApiClient = Java.use('com.android.org.conscrypt.TrustManagerImpl'); | |
ApiClient.checkTrustedRecursive.implementation = function(a1, a2, a3, a4, a5, a6) { | |
// console.log('Bypassing SSL Pinning'); | |
var k = array_list.$new(); | |
return k; | |
} | |
}, 0); | |
Java.perform(function() { | |
var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu", | |
"com.koushikdutta.superuser", "com.thirdparty.superuser", "com.yellowes.su", "com.koushikdutta.rommanager", | |
"com.koushikdutta.rommanager.license", "com.dimonvideo.luckypatcher", "com.chelpus.lackypatch", | |
"com.ramdroid.appquarantine", "com.ramdroid.appquarantinepro", "com.devadvance.rootcloak", "com.devadvance.rootcloakplus", | |
"de.robv.android.xposed.installer", "com.saurik.substrate", "com.zachspong.temprootremovejb", "com.amphoras.hidemyroot", | |
"com.amphoras.hidemyrootadfree", "com.formyhm.hiderootPremium", "com.formyhm.hideroot", "me.phh.superuser", | |
"eu.chainfire.supersu.pro", "com.kingouser.com", "com.android.vending.billing.InAppBillingService.COIN","com.topjohnwu.magisk" | |
]; | |
var RootBinaries = ["su", "busybox", "supersu", "Superuser.apk", "KingoUser.apk", "SuperSu.apk","magisk"]; | |
var RootProperties = { | |
"ro.build.selinux": "1", | |
"ro.debuggable": "0", | |
"service.adb.root": "0", | |
"ro.secure": "1" | |
}; | |
var RootPropertiesKeys = []; | |
for (var k in RootProperties) RootPropertiesKeys.push(k); | |
var PackageManager = Java.use("android.app.ApplicationPackageManager"); | |
var Runtime = Java.use('java.lang.Runtime'); | |
var NativeFile = Java.use('java.io.File'); | |
var String = Java.use('java.lang.String'); | |
var SystemProperties = Java.use('android.os.SystemProperties'); | |
var BufferedReader = Java.use('java.io.BufferedReader'); | |
var ProcessBuilder = Java.use('java.lang.ProcessBuilder'); | |
var StringBuffer = Java.use('java.lang.StringBuffer'); | |
var loaded_classes = Java.enumerateLoadedClassesSync(); | |
send("Loaded " + loaded_classes.length + " classes!"); | |
var useKeyInfo = false; | |
var useProcessManager = false; | |
send("loaded: " + loaded_classes.indexOf('java.lang.ProcessManager')); | |
if (loaded_classes.indexOf('java.lang.ProcessManager') != -1) { | |
try { | |
//useProcessManager = true; | |
//var ProcessManager = Java.use('java.lang.ProcessManager'); | |
} catch (err) { | |
send("ProcessManager Hook failed: " + err); | |
} | |
} else { | |
send("ProcessManager hook not loaded"); | |
} | |
var KeyInfo = null; | |
if (loaded_classes.indexOf('android.security.keystore.KeyInfo') != -1) { | |
try { | |
//useKeyInfo = true; | |
//var KeyInfo = Java.use('android.security.keystore.KeyInfo'); | |
} catch (err) { | |
send("KeyInfo Hook failed: " + err); | |
} | |
} else { | |
send("KeyInfo hook not loaded"); | |
} | |
PackageManager.getPackageInfo.overload('java.lang.String', 'int').implementation = function(pname, flags) { | |
var shouldFakePackage = (RootPackages.indexOf(pname) > -1); | |
if (shouldFakePackage) { | |
send("Bypass root check for package: " + pname); | |
pname = "set.package.name.to.a.fake.one.so.we.can.bypass.it"; | |
} | |
return this.getPackageInfo.call(this, pname, flags); | |
}; | |
NativeFile.exists.implementation = function() { | |
var name = NativeFile.getName.call(this); | |
var shouldFakeReturn = (RootBinaries.indexOf(name) > -1); | |
if (shouldFakeReturn) { | |
send("Bypass return value for binary: " + name); | |
return false; | |
} else { | |
return this.exists.call(this); | |
} | |
}; | |
var exec = Runtime.exec.overload('[Ljava.lang.String;'); | |
var exec1 = Runtime.exec.overload('java.lang.String'); | |
var exec2 = Runtime.exec.overload('java.lang.String', '[Ljava.lang.String;'); | |
var exec3 = Runtime.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;'); | |
var exec4 = Runtime.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;', 'java.io.File'); | |
var exec5 = Runtime.exec.overload('java.lang.String', '[Ljava.lang.String;', 'java.io.File'); | |
exec5.implementation = function(cmd, env, dir) { | |
if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id" || cmd == "sh") { | |
var fakeCmd = "grep"; | |
send("Bypass " + cmd + " command"); | |
return exec1.call(this, fakeCmd); | |
} | |
if (cmd == "su") { | |
var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; | |
send("Bypass " + cmd + " command"); | |
return exec1.call(this, fakeCmd); | |
} | |
if (cmd == "which") { | |
var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; | |
send("Bypass which command"); | |
return exec1.call(this, fakeCmd); | |
} | |
return exec5.call(this, cmd, env, dir); | |
}; | |
exec4.implementation = function(cmdarr, env, file) { | |
for (var i = 0; i < cmdarr.length; i = i + 1) { | |
var tmp_cmd = cmdarr[i]; | |
if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" || tmp_cmd == "sh") { | |
var fakeCmd = "grep"; | |
send("Bypass " + cmdarr + " command"); | |
return exec1.call(this, fakeCmd); | |
} | |
if (tmp_cmd == "su") { | |
var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; | |
send("Bypass " + cmdarr + " command"); | |
return exec1.call(this, fakeCmd); | |
} | |
} | |
return exec4.call(this, cmdarr, env, file); | |
}; | |
exec3.implementation = function(cmdarr, envp) { | |
for (var i = 0; i < cmdarr.length; i = i + 1) { | |
var tmp_cmd = cmdarr[i]; | |
if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" || tmp_cmd == "sh") { | |
var fakeCmd = "grep"; | |
send("Bypass " + cmdarr + " command"); | |
return exec1.call(this, fakeCmd); | |
} | |
if (tmp_cmd == "su") { | |
var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; | |
send("Bypass " + cmdarr + " command"); | |
return exec1.call(this, fakeCmd); | |
} | |
} | |
return exec3.call(this, cmdarr, envp); | |
}; | |
exec2.implementation = function(cmd, env) { | |
if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id" || cmd == "sh") { | |
var fakeCmd = "grep"; | |
send("Bypass " + cmd + " command"); | |
return exec1.call(this, fakeCmd); | |
} | |
if (cmd == "su") { | |
var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; | |
send("Bypass " + cmd + " command"); | |
return exec1.call(this, fakeCmd); | |
} | |
return exec2.call(this, cmd, env); | |
}; | |
exec.implementation = function(cmd) { | |
for (var i = 0; i < cmd.length; i = i + 1) { | |
var tmp_cmd = cmd[i]; | |
if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" || tmp_cmd == "sh") { | |
var fakeCmd = "grep"; | |
send("Bypass " + cmd + " command"); | |
return exec1.call(this, fakeCmd); | |
} | |
if (tmp_cmd == "su") { | |
var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; | |
send("Bypass " + cmd + " command"); | |
return exec1.call(this, fakeCmd); | |
} | |
} | |
return exec.call(this, cmd); | |
}; | |
exec1.implementation = function(cmd) { | |
if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id" || cmd == "sh") { | |
var fakeCmd = "grep"; | |
send("Bypass " + cmd + " command"); | |
return exec1.call(this, fakeCmd); | |
} | |
if (cmd == "su") { | |
var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; | |
send("Bypass " + cmd + " command"); | |
return exec1.call(this, fakeCmd); | |
} | |
return exec1.call(this, cmd); | |
}; | |
String.contains.implementation = function(name) { | |
if (name == "test-keys") { | |
send("Bypass test-keys check"); | |
return false; | |
} | |
return this.contains.call(this, name); | |
}; | |
var get = SystemProperties.get.overload('java.lang.String'); | |
get.implementation = function(name) { | |
if (RootPropertiesKeys.indexOf(name) != -1) { | |
send("Bypass " + name); | |
return RootProperties[name]; | |
} | |
return this.get.call(this, name); | |
}; | |
Interceptor.attach(Module.findExportByName("libc.so", "fopen"), { | |
onEnter: function(args) { | |
var path1 = Memory.readCString(args[0]); | |
var path = path1.split("/"); | |
var executable = path[path.length - 1]; | |
var shouldFakeReturn = (RootBinaries.indexOf(executable) > -1) | |
if (shouldFakeReturn) { | |
Memory.writeUtf8String(args[0], "/ggezxxx"); | |
send("Bypass native fopen >> "+path1); | |
} | |
}, | |
onLeave: function(retval) { | |
} | |
}); | |
Interceptor.attach(Module.findExportByName("libc.so", "fopen"), { | |
onEnter: function(args) { | |
var path1 = Memory.readCString(args[0]); | |
var path = path1.split("/"); | |
var executable = path[path.length - 1]; | |
var shouldFakeReturn = (RootBinaries.indexOf(executable) > -1) | |
if (shouldFakeReturn) { | |
Memory.writeUtf8String(args[0], "/ggezxxx"); | |
send("Bypass native fopen >> "+path1); | |
} | |
}, | |
onLeave: function(retval) { | |
} | |
}); | |
Interceptor.attach(Module.findExportByName("libc.so", "system"), { | |
onEnter: function(args) { | |
var cmd = Memory.readCString(args[0]); | |
send("SYSTEM CMD: " + cmd); | |
if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id") { | |
send("Bypass native system: " + cmd); | |
Memory.writeUtf8String(args[0], "grep"); | |
} | |
if (cmd == "su") { | |
send("Bypass native system: " + cmd); | |
Memory.writeUtf8String(args[0], "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"); | |
} | |
}, | |
onLeave: function(retval) { | |
} | |
}); | |
BufferedReader.readLine.overload().implementation = function() { | |
var text = this.readLine.call(this); | |
if (text === null) { | |
// just pass , i know it's ugly as hell but test != null won't work :( | |
} else { | |
var shouldFakeRead = (text.indexOf("ro.build.tags=test-keys") > -1); | |
if (shouldFakeRead) { | |
send("Bypass build.prop file read"); | |
text = text.replace("ro.build.tags=test-keys", "ro.build.tags=release-keys"); | |
} | |
} | |
return text; | |
}; | |
var executeCommand = ProcessBuilder.command.overload('java.util.List'); | |
ProcessBuilder.start.implementation = function() { | |
var cmd = this.command.call(this); | |
var shouldModifyCommand = false; | |
for (var i = 0; i < cmd.size(); i = i + 1) { | |
var tmp_cmd = cmd.get(i).toString(); | |
if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd.indexOf("mount") != -1 || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd.indexOf("id") != -1) { | |
shouldModifyCommand = true; | |
} | |
} | |
if (shouldModifyCommand) { | |
send("Bypass ProcessBuilder " + cmd); | |
this.command.call(this, ["grep"]); | |
return this.start.call(this); | |
} | |
if (cmd.indexOf("su") != -1) { | |
send("Bypass ProcessBuilder " + cmd); | |
this.command.call(this, ["justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"]); | |
return this.start.call(this); | |
} | |
return this.start.call(this); | |
}; | |
if (useProcessManager) { | |
var ProcManExec = ProcessManager.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;', 'java.io.File', 'boolean'); | |
var ProcManExecVariant = ProcessManager.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;', 'java.lang.String', 'java.io.FileDescriptor', 'java.io.FileDescriptor', 'java.io.FileDescriptor', 'boolean'); | |
ProcManExec.implementation = function(cmd, env, workdir, redirectstderr) { | |
var fake_cmd = cmd; | |
for (var i = 0; i < cmd.length; i = i + 1) { | |
var tmp_cmd = cmd[i]; | |
if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id") { | |
var fake_cmd = ["grep"]; | |
send("Bypass " + cmdarr + " command"); | |
} | |
if (tmp_cmd == "su") { | |
var fake_cmd = ["justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"]; | |
send("Bypass " + cmdarr + " command"); | |
} | |
} | |
return ProcManExec.call(this, fake_cmd, env, workdir, redirectstderr); | |
}; | |
ProcManExecVariant.implementation = function(cmd, env, directory, stdin, stdout, stderr, redirect) { | |
var fake_cmd = cmd; | |
for (var i = 0; i < cmd.length; i = i + 1) { | |
var tmp_cmd = cmd[i]; | |
if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id") { | |
var fake_cmd = ["grep"]; | |
send("Bypass " + cmdarr + " command"); | |
} | |
if (tmp_cmd == "su") { | |
var fake_cmd = ["justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"]; | |
send("Bypass " + cmdarr + " command"); | |
} | |
} | |
return ProcManExecVariant.call(this, fake_cmd, env, directory, stdin, stdout, stderr, redirect); | |
}; | |
} | |
if (useKeyInfo) { | |
KeyInfo.isInsideSecureHardware.implementation = function() { | |
send("Bypass isInsideSecureHardware"); | |
return true; | |
} | |
} | |
}); | |
setTimeout(function () { | |
// pattern bytes | |
var pattern = "ff 03 05 d1 fd 7b 0f a9 bc de 05 94 08 0a 80 52 48" | |
// library name | |
var module = "libflutter.so" | |
// define your arm version | |
var armversion = 8 | |
// expected return value | |
var expectedReturnValue = true | |
// random string, you may ignore this | |
console.log("Horangi - Bypass Flutter SSL Pinning") | |
// enumerate all process | |
Process.enumerateModules().forEach(v => { | |
// if the module matches with our library | |
if(v['name'] == module) { | |
// debugging purposes | |
console.log("Base: ", v['base'], "| Size: ", v['size'], "\n") | |
// scanning memory - synchronous version | |
// compare it based on base, size and pattern | |
Memory.scanSync(v['base'], v['size'], pattern).forEach(mem => { | |
// assign address to variable offset | |
var offset = mem['address'] | |
if(armversion === 7) { | |
// armv7 add 1 | |
offset = offset.add(1) | |
} | |
// another debugging purposes | |
console.log("Address:",offset,"::", mem['size']) | |
// hook to the address | |
Interceptor.attach(offset, { | |
// when leaving the address, | |
onLeave: function(retval) { | |
// execute this debugging purpose (again) | |
console.log("ReturnValue",offset,"altered from", +retval,"to", +expectedReturnValue) | |
// replace the return value to expectedReturnValue | |
retval.replace(+expectedReturnValue); | |
} | |
}) | |
}) | |
} | |
}); | |
}, 1000) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment