function bytes sequence signature
2D E9 F0 4F A3 B0 81 46 50 20 10 70 D9 F8 98 70 00 2F
FF 03 05 D1 FC 6B 0F A9 F9 63 10 A9 F7 5B 11 A9 F5 53 12 A9 F3 7B 13 A9 08 0A 80 52 48 00 00 39 16 54 40 F9 56 07 00 B4 C8 02 40 F9 08 07 00 B4 29 20 40 A9 F3 03 02 AA
55 41 57 41 56 41 55 41 54 53 48 81 EC F8 00 00 00 C6 02 50 48 8B 9F A8 00 00 00 48 85 DB
Hook this function, change return value to 1 (true)
function hook_ssl_verify_result(address)
{
Interceptor.attach(address, {
onEnter: function(args) {
console.log("Disabling SSL validation")
},
onLeave: function(retval)
{
console.log("Retval: " + retval)
retval.replace(0x1);
}
});
}
function disablePinning()
{
var m = Process.findModuleByName("libflutter.so");
var pattern = "FF 03 05 D1 FC 6B 0F A9 F9 63 10 A9 F7 5B 11 A9 F5 53 12 A9 F3 7B 13 A9 08 0A 80 52 48 00 00 39 16 54 40 F9 56 07 00 B4 C8 02 40 F9 08 07 00 B4 29 20 40 A9 F3 03 02 AA"
var res = Memory.scan(m.base, m.size, pattern, {
onMatch: function(address, size){
console.log('[+] ssl_verify_result found at: ' + address.toString());
// Add 0x01 because it's a THUMB function
// Otherwise, we would get 'Error: unable to intercept function at 0x9906f8ac; please file a bug'
// hook_ssl_verify_result(address.add(0x01));
for 64 bit
hook_ssl_verify_result(address);
},
onError: function(reason){
console.log('[!] There was an error scanning memory');
},
onComplete: function()
{
console.log("All done")
}
});
}
setTimeout(disablePinning, 1000)