/*
 * Example usage:
 * # frida -U -f com.mrnew.door -l fuck_flutter.js --no-pause
 */
// Destination IPv4 address that the connect() hook looks for.
const sIP = '47.91.165.221';
// IPv4 address of the proxy host that matching connections are redirected to.
const xIP = '192.168.25.200';
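/**
 * Convert a dotted-quad IPv4 string to a 32-bit integer.
 *
 * The first octet is placed in the least-significant byte, so storing the
 * result as a little-endian 32-bit word lays the octets out in a.b.c.d order
 * in memory.
 *
 * @param {string} ip - Address in "a.b.c.d" form.
 * @returns {number} Unsigned 32-bit value in the range 0..4294967295.
 */
function ipToInt(ip) {
  // Explicit radix: octets are always decimal.
  const octets = ip.split('.').map((part) => Number.parseInt(part, 10));
  // `<<` and `|` work on signed 32-bit integers, so a last octet >= 128 would
  // produce a negative number; `>>> 0` reinterprets the same bits as unsigned.
  return (
    ((octets[3] << 24) | (octets[2] << 16) | (octets[1] << 8) | octets[0]) >>> 0
  );
}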
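/**
 * Format a 32-bit integer as a dotted-quad IPv4 string.
 *
 * The least-significant byte becomes the first octet, mirroring ipToInt().
 * The input is treated as a 32-bit pattern, so a signed (negative) value with
 * the top bit set is formatted rather than rejected.
 *
 * @param {number} number - 32-bit value, signed or unsigned.
 * @returns {string} "a.b.c.d", or an empty string when the value is 0.
 */
function parseIp(number) {
  const bits = number >>> 0;
  if (bits === 0) {
    return '';
  }
  const octets = [
    bits & 0xff,
    (bits >>> 8) & 0xff,
    (bits >>> 16) & 0xff,
    bits >>> 24,
  ];
  return octets.join('.');
}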
/**
 * Swap the two low bytes of a 16-bit value, e.g. to turn a port read in one
 * byte order into the other. Bits above the low 16 are discarded.
 *
 * @param {number} number - 16-bit value.
 * @returns {number} The value with its two bytes exchanged.
 */
function parsePort(number) {
  const lowByte = number & 0xff;
  const highByte = (number >> 8) & 0xff;
  return (lowByte << 8) | highByte;
}
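/**
 * Install two Frida interceptors in the instrumented process.
 *
 * 1. The function at libflutter.so + 0x5873D4 (labelled here after BoringSSL's
 *    ssl_crypto_x509_session_verify_cert_chain) has its return value replaced
 *    with 1 on every call, so its caller is told the certificate chain
 *    verified whatever the real result was. With this hook in place the
 *    process no longer authenticates its TLS peer.
 * 2. connect(): for IPv4 TCP sockets whose destination address equals sIP,
 *    the address inside the caller's sockaddr is overwritten in place with
 *    xIP before the call proceeds. The port field is left unchanged.
 *
 * @throws {Error} If libflutter.so is not loaded when this runs.
 */
function hook_ssl() {
  const base = Module.findBaseAddress("libflutter.so");
  if (base === null) {
    // Without this guard the next line fails with an opaque TypeError on null.
    throw new Error("libflutter.so is not loaded; cannot resolve the verify hook address");
  }

  // NOTE(review): 0x5873D4 is a raw offset with no symbol or pattern lookup,
  // so it presumably matches only the libflutter.so build/ABI it was taken
  // from. Confirm it against the binary under test.
  const verifyCertChain = base.add(0x5873D4);
  Interceptor.attach(verifyCertChain, {
    onEnter() {
      console.log("\n解除证书绑定校验");
    },
    onLeave(retval) {
      console.log("校验函数返回值: " + retval);
      // Report success to the caller regardless of the real verification result.
      retval.replace(0x1);
      console.log("解除成功\n---------------------");
    },
  });

  Interceptor.attach(Module.findExportByName(null, "connect"), {
    onEnter(args) {
      const fd = args[0].toInt32();
      // 'tcp' is Frida's label for an IPv4 TCP socket ('tcp6' is IPv6), so
      // everything below can treat args[1] as a sockaddr_in.
      if (Socket.type(fd) !== 'tcp') {
        return;
      }
      // Linux/Android sockaddr_in layout: port at offset 2, address at offset 4.
      const ipAddr = args[1].add(4);
      const ip = parseIp(Memory.readU32(ipAddr));
      const portAddr = args[1].add(2);
      const port = parsePort(Memory.readUShort(portAddr));
      // Only connections to the configured destination are rewritten.
      if (ip === sIP) {
        console.log("[+] connect: " + ip + ':' + port);
        // Replace the destination address with the proxy host. `>>> 0` keeps
        // the value unsigned for writeU32 even when the last octet of xIP
        // is >= 128.
        Memory.writeU32(ipAddr, ipToInt(xIP) >>> 0);
        // Dump the sockaddr after the rewrite.
        console.log(hexdump(args[1], {
          length: 32,
          header: true,
          ansi: true,
        }));
      }
    },
  });
}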
// Install the hooks 200 ms after the script is loaded.
// NOTE(review): the delay presumably gives libflutter.so time to be mapped
// after spawn; confirm, since hook_ssl needs the module to be loaded.
setImmediate(() => {
  setTimeout(hook_ssl, 200);
});