Skip to content

Instantly share code, notes, and snippets.

@parad0xer

parad0xer/root-ssl-pin-bypass.js

Last active June 2, 2022 08:25
  • Star 8 You must be signed in to star a gist
  • Fork 3 You must be signed in to fork a gist
Star You must be signed in to star a gist
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
root & ssl pinning bypass with Frida
Raw
root-ssl-pin-bypass.js
Java.perform(function(){
console.log("\nRoot detection & SSL pinning bypass with Frida");
var CertificateFactory = Java.use("java.security.cert.CertificateFactory");
var FileInputStream = Java.use("java.io.FileInputStream");
var BufferedInputStream = Java.use("java.io.BufferedInputStream");
var X509Certificate = Java.use("java.security.cert.X509Certificate");
var KeyStore = Java.use("java.security.KeyStore");
var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
var SSLContext = Java.use("javax.net.ssl.SSLContext");
var Volley = Java.use("com.android.volley.toolbox.Volley");
var HurlStack = Java.use("com.android.volley.toolbox.HurlStack");
var ImageLoader = Java.use("com.android.volley.toolbox.ImageLoader");
var LruBitmapCache = Java.use("utils.LruBitmapCache");
var ActivityManager = Java.use("android.app.ActivityManager");
var DeviceUtils = Java.use("utils.DeviceUtils");
var Vo = Java.use("utils.MyVolley");
console.log("\nHijacking isDeviceRooted function in DeviceUtils class");
DeviceUtils.isDeviceRooted.implementation = function(){
console.log("\nInside the isDeviceRooted function");
return false;
};
console.log("\nRoot detection bypassed");
console.log("\nTrying to disable SSL pinning");
Vo.init.implementation = function(context){
console.log("\nHijacking init function in MyVolley class");
console.log("\nLoading BURPSUITE certificate stored on device")
cf = CertificateFactory.getInstance("X.509");
try {
var fileInputStream = FileInputStream.$new("/sdcard/Download/burpsuite.crt");
}
catch(err) {
console.log("error: " + err);
}
var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
var ca = cf.generateCertificate(bufferedInputStream);
bufferedInputStream.close();
var certInfo = Java.cast(ca, X509Certificate);
console.log("\nLoaded CA Info: " + certInfo.getSubjectDN());
var keyStoreType = KeyStore.getDefaultType();
var keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
console.log("\nCreating a TrustManager that trusts BURPSUITE CA in the KeyStore");
var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
console.log("\nCustom TrustManager is ready");
var mContext = SSLContext.getInstance("TLS");
mContext.init(null, tmf.getTrustManagers(), null);
var sf = mContext.getSocketFactory();
if(Vo.mRequestQueue.value == null){
Vo.mRequestQueue.value = Volley.newRequestQueue(context.getApplicationContext(), HurlStack.$new(null, sf));
}
var x = Java.cast(context.getSystemService("activity"), ActivityManager);
var xx = x.getMemoryClass();
var mImageLoader = ImageLoader.$new(Vo.mRequestQueue.value, LruBitmapCache.$new((1048576 * xx)/8));
Vo.mImageLoader = mImageLoader;
console.log("\nSSL pinning bypassed")
}
});
@lionaneesh
Copy link

Doesn't work for me. I get Error: java.lang.ClassNotFoundException: Didn't find class "com.android.volley.toolbox.Volley" on path: for every app I try to open.

@chetanlucid
Copy link

@ lionaneesh How did you resolve the above issue?

@mirsella
Copy link

https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/ this similar code worked for me and doesn't need Volley

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment