Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Java.perform(function (){
console.log("[*] Script loaded")
var MenuActivity = Java.use("sg.vantagepoint.mstgkotlin.MenuActivity")
StartActivity.RootDetection.overload().implementation = function() {
console.log("[*] isDeviceRooted function invoked")
return false
console.log("[.] Cert Pinning Bypass/Re-Pinning");
var CertificateFactory = Java.use("");
var FileInputStream = Java.use("");
var BufferedInputStream = Java.use("");
var X509Certificate = Java.use("");
var KeyStore = Java.use("");
var TrustManagerFactory = Java.use("");
var SSLContext = Java.use("");
// Load CAs from an InputStream
console.log("[+] Loading our CA...")
var cf = CertificateFactory.getInstance("X.509");
try {
var fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt");
catch(err) {
console.log("[o] " + err);
var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
var ca = cf.generateCertificate(bufferedInputStream);
var certInfo = Java.cast(ca, X509Certificate);
console.log("[o] Our CA Info: " + certInfo.getSubjectDN());
// Create a KeyStore containing our trusted CAs
console.log("[+] Creating a KeyStore for our CA...");
var keyStoreType = KeyStore.getDefaultType();
var keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
// Create a TrustManager that trusts the CAs in our KeyStore
console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
console.log("[+] Our TrustManager is ready...");
console.log("[+] Hijacking SSLContext methods now...")
console.log("[-] Waiting for the app to invoke SSLContext.init()...")
SSLContext.init.overload("[;", "[;", "").implementation = function(a,b,c) {
console.log("[o] App invoked");
SSLContext.init.overload("[;", "[;", "").call(this, a, tmf.getTrustManagers(), c);
console.log("[+] SSLContext initialized with our custom TrustManager!");
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment