I’ve posted some frequently used Freda scripts. Honestly, I like cordshares, but sometimes I need them(raw script, link, etc…).

General Information

Docs

https://www.frida.re/docs/home/

Download

https://github.com/frida/frida/tags

Tool

https://github.com/nccgroup/house https://github.com/federicodotta/Brida

Awesome

https://github.com/dweinstein/awesome-frida

Frida code share

https://codeshare.frida.re/browse

Android scripts & codeshare

Bypass root(codeshare)

frida --codeshare dzonerzy/fridantiroot -f

Bypass disabled Debug

setTimeout(function() {
    Java.perform(function() {
        console.log("");
        console.log("[.] Debug check bypass");

        var Debug = Java.use('android.os.Debug');
        Debug.isDebuggerConnected.implementation = function() {
            //console.log('isDebuggerConnected Bypassed !');
            return false;
        }

    });
}, 0);

Bypass SSL Pinning

Java.perform(function() {
    var array_list = Java.use("java.util.ArrayList");
    var ApiClient = Java.use('com.android.org.conscrypt.TrustManagerImpl');
    ApiClient.checkTrustedRecursive.implementation = function(a1, a2, a3, a4, a5, a6) {
        // console.log('Bypassing SSL Pinning');
        var k = array_list.$new();
        return k;
    }
}, 0);

Bypass SSL Pinning(codeshare)

frida --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f

iOS

Bypass SSL Pinnging & Jail

var tls_helper_create_peer_trust;
var version = ObjC.classes.UIDevice.currentDevice().systemVersion().toString();

if (version.startsWith("11.")) { // iOS 11
/* OSStatus nw_tls_create_peer_trust(tls_handshake_t hdsk, bool server, SecTrustRef *trustRef); */
tls_helper_create_peer_trust = new NativeFunction(
Module.findExportByName(null, "nw_tls_create_peer_trust"),
'int', ['pointer', 'bool', 'pointer']
);
} else if (version.startsWith("10.")) { // iOS 10
/* OSStatus tls_helper_create_peer_trust(tls_handshake_t hdsk, bool server, SecTrustRef *trustRef); */
tls_helper_create_peer_trust = new NativeFunction(
Module.findExportByName(null, "tls_helper_create_peer_trust"),
'int', ['pointer', 'bool', 'pointer']
);
} else {
console.log("Unsupported OS version!");
}

var errSecSuccess = 0;

function bypassSSL() {
Interceptor.replace(tls_helper_create_peer_trust, new NativeCallback(function(hdsk, server, trustRef) {
return errSecSuccess;
}, 'int', ['pointer', 'bool', 'pointer']));

console.log("SSL Pinning bypass active");

}

function revertSSL() {
Interceptor.revert(tls_helper_create_peer_trust);
console.log("SSL Pinning bypass disabled");
}

function bypassJail() {
var hook = ObjC.classes.KPAppIntegrity["- isSafe"]
Interceptor.attach(hook.implementation, {onLeave: function(retval){retval.replace(1)}})
console.log("Jailbreak bypass disabled");
}

function revertJail() {
Interceptor.revert(ObjC.classes.KPAppIntegrity["- isSafe"]);
consoleΩ.log("Jailbreak bypass disabled");
}

iOS 10&11 Bypass SSL Pinning

NSProcessInfo *processInfo = [NSProcessInfo processInfo];
if ([processInfo respondsToSelector:@selector(isOperatingSystemAtLeastVersion:)] && [processInfo isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){11, 0, 0}])
{
// Support for iOS 11
void* handle = dlopen("/usr/lib/libnetwork.dylib", RTLD_NOW);
void *tls_helper_create_peer_trust = dlsym(handle, "nw_tls_create_peer_trust");
if (tls_helper_create_peer_trust)
{
MSHookFunction((void *) tls_helper_create_peer_trust, (void *) replaced_tls_helper_create_peer_trust, (void **) &original_tls_helper_create_peer_trust);
}
}

else if ([processInfo respondsToSelector:@selector(isOperatingSystemAtLeastVersion:)] && [processInfo isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){10, 0, 0}])
{
// Support for iOS 10
void *tls_helper_create_peer_trust = dlsym(RTLD_DEFAULT, "tls_helper_create_peer_trust");
MSHookFunction((void *) tls_helper_create_peer_trust, (void *) replaced_tls_helper_create_peer_trust, (void **) &original_tls_helper_create_peer_trust);

(https://www.hahwul.com/2018/10/ios-ssl-pinning-bypass-with-frida.html)

iOS 9 Bypass SSL Pinning

#pragma mark SecureTransport hooks - iOS 9 and below
// Explanation here: https://nabla-c0d3.github.io/blog/2013/08/20/ios-ssl-kill-switch-v0-dot-5-released/
static OSStatus (*original_SSLSetSessionOption)(SSLContextRef context,
SSLSessionOption option,
Boolean value);
static OSStatus replaced_SSLSetSessionOption(SSLContextRef context,
SSLSessionOption option,
Boolean value)
{
// Remove the ability to modify the value of the kSSLSessionOptionBreakOnServerAuth option
if (option == kSSLSessionOptionBreakOnServerAuth)
{
return noErr;
}
return original_SSLSetSessionOption(context, option, value);
}

static SSLContextRef (*original_SSLCreateContext)(CFAllocatorRef alloc,
SSLProtocolSide protocolSide,
SSLConnectionType connectionType);

static SSLContextRef replaced_SSLCreateContext(CFAllocatorRef alloc,
SSLProtocolSide protocolSide,
SSLConnectionType connectionType)
{
SSLContextRef sslContext = original_SSLCreateContext(alloc, protocolSide, connectionType);
// Immediately set the kSSLSessionOptionBreakOnServerAuth option in order to disable cert validation
original_SSLSetSessionOption(sslContext, kSSLSessionOptionBreakOnServerAuth, true);
return sslContext;
}

static OSStatus (*original_SSLHandshake)(SSLContextRef context);
static OSStatus replaced_SSLHandshake(SSLContextRef context)
{

OSStatus result = original_SSLHandshake(context);
// Hijack the flow when breaking on server authentication

if (result == errSSLServerAuthCompleted)
{
// Do not check the cert and call SSLHandshake() again
return original_SSLHandshake(context);
}
return result;
}

Previous Post

Rails에서 routing parameters와 동일한 이름의 파라미터 처리하기

Next Post

OWASP ZAP 2.8 Releases! 빠르게 리뷰하기 (what's different?)