yuangezhizao/fuck_flutter.js

## fuck_flutter.js
/*
* Example usage:
* # frida -U -f com.mrnew.door -l fuck_flutter.js --no-pause
*/

var sIP = '47.91.165.221' //目标IP地址
var xIP = '192.168.25.200'//代理电脑IP地址

//IP字符串转int
function ipToInt(ip){
    var  result = ip.split('.');
    return (parseInt(result[3]) << 24
        | parseInt(result[2]) << 16
        | parseInt(result[1]) << 8
        | parseInt(result[0]));
}

//int转IP字符串
function parseIp (number) {
  var ip = ''
  if (number <= 0) {
    return ip
  }
  const ip3 = (number << 0) >>> 24
  const ip2 = (number << 8) >>> 24
  const ip1 = (number << 16) >>> 24
  const ip0 = (number << 24) >>> 24
  ip += ip0 + '.' + ip1 + '.' + ip2 + '.' + ip3
  return ip
}

function parsePort(number) {
    return ((number & 0xFF) << 8) | ((number & 0xFF00) >> 8);
}

function hook_ssl() {
	var base = Module.findBaseAddress("libflutter.so");
    var ssl_crypto_x509_session_verify_cert_chain = base.add(0x5873D4);
	Interceptor.attach(ssl_crypto_x509_session_verify_cert_chain, {
        onEnter: function(args) {
            console.log("\n解除证书绑定校验")
        },
        onLeave: function(retval) {
            console.log("校验函数返回值: " + retval);
            retval.replace(0x1);
            console.log("解除成功\n---------------------");
　　    }
　　});
Interceptor.attach(Module.findExportByName(null, "connect"), {
    onEnter: function(args) {
        var fd = args[0].toInt32()
        if (Socket.type(fd) !== 'tcp')
          return;

        var ipAddr = args[1].add(4)
        var ip = parseIp(Memory.readU32(ipAddr))
        var portAddr = args[1].add(2)
        var port = parsePort(Memory.readUShort(portAddr));

        //判断是否为目标地址
        if (ip === sIP) {
            console.log("[+] connect: " +ip+ ':'+ port);

            //替换IP地址为代理主机
            Memory.writeU32(ipAddr,ipToInt(xIP))
//            Memory.writeUShort('443','8888')


            //打印替换后地址
            console.log(hexdump(ptr(args[1]), {
                length: 32,
                header: true,
                ansi: true
            }))
        }
    }
})
}
setImmediate(function() {
    setTimeout(hook_ssl, 200);
});
	/*
	* Example usage:
	* # frida -U -f com.mrnew.door -l fuck_flutter.js --no-pause
	*/

	var sIP = '47.91.165.221' //目标IP地址
	var xIP = '192.168.25.200'//代理电脑IP地址

	//IP字符串转int
	function ipToInt(ip){
	var result = ip.split('.');
	return (parseInt(result[3]) << 24
	\| parseInt(result[2]) << 16
	\| parseInt(result[1]) << 8
	\| parseInt(result[0]));
	}

	//int转IP字符串
	function parseIp (number) {
	var ip = ''
	if (number <= 0) {
	return ip
	}
	const ip3 = (number << 0) >>> 24
	const ip2 = (number << 8) >>> 24
	const ip1 = (number << 16) >>> 24
	const ip0 = (number << 24) >>> 24
	ip += ip0 + '.' + ip1 + '.' + ip2 + '.' + ip3
	return ip
	}

	function parsePort(number) {
	return ((number & 0xFF) << 8) \| ((number & 0xFF00) >> 8);
	}

	function hook_ssl() {
	var base = Module.findBaseAddress("libflutter.so");
	var ssl_crypto_x509_session_verify_cert_chain = base.add(0x5873D4);
	Interceptor.attach(ssl_crypto_x509_session_verify_cert_chain, {
	onEnter: function(args) {
	console.log("\n解除证书绑定校验")
	},
	onLeave: function(retval) {
	console.log("校验函数返回值: " + retval);
	retval.replace(0x1);
	console.log("解除成功\n---------------------");
	}
	});
	Interceptor.attach(Module.findExportByName(null, "connect"), {
	onEnter: function(args) {
	var fd = args[0].toInt32()
	if (Socket.type(fd) !== 'tcp')
	return;

	var ipAddr = args[1].add(4)
	var ip = parseIp(Memory.readU32(ipAddr))
	var portAddr = args[1].add(2)
	var port = parsePort(Memory.readUShort(portAddr));

	//判断是否为目标地址
	if (ip === sIP) {
	console.log("[+] connect: " +ip+ ':'+ port);

	//替换IP地址为代理主机
	Memory.writeU32(ipAddr,ipToInt(xIP))
	// Memory.writeUShort('443','8888')


	//打印替换后地址
	console.log(hexdump(ptr(args[1]), {
	length: 32,
	header: true,
	ansi: true
	}))
	}
	}
	})
	}
	setImmediate(function() {
	setTimeout(hook_ssl, 200);
	});