I've posted some frequently used Frida scripts. Honestly, I like codeshares, but sometimes I need them in another form (raw script, link, etc.).
General Information
Docs
https://www.frida.re/docs/home/
Download
https://github.com/frida/frida/tags
Tool
https://github.com/nccgroup/house https://github.com/federicodotta/Brida
Awesome
https://github.com/dweinstein/awesome-frida
Frida code share
https://codeshare.frida.re/browse
Android scripts & codeshare
Bypass root (codeshare)
frida --codeshare dzonerzy/fridantiroot -f <package-name>
Bypass disabled Debug
// Runs on the next tick (setTimeout with a 0 ms delay) and then enters the
// Java VM via Java.perform, where android.os.Debug.isDebuggerConnected() is
// replaced with a method that always reports false.
function installDebugCheckBypass() {
    console.log("");
    console.log("[.] Debug check bypass");
    var debugClass = Java.use('android.os.Debug');
    debugClass.isDebuggerConnected.implementation = function () {
        // console.log('isDebuggerConnected Bypassed !');
        return false;
    };
}

setTimeout(function () {
    Java.perform(installDebugCheckBypass);
}, 0);
Bypass SSL Pinning
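// Enters the Java VM and replaces
// com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive with a
// method that ignores its six arguments and returns a fresh, empty
// java.util.ArrayList. Java.perform takes only the callback; the stray
// second argument (0) that the original passed has been dropped.
Java.perform(function () {
    var arrayListClass = Java.use("java.util.ArrayList");
    var trustManagerClass = Java.use('com.android.org.conscrypt.TrustManagerImpl');
    trustManagerClass.checkTrustedRecursive.implementation = function (a1, a2, a3, a4, a5, a6) {
        // console.log('Bypassing SSL Pinning');
        return arrayListClass.$new();
    };
});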
Bypass SSL Pinning (codeshare)
frida --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f <package-name>
iOS
Bypass SSL Pinning & Jailbreak detection
// Resolves the peer-trust creation routine for the running iOS release.
// Both exports share the signature
//   OSStatus fn(tls_handshake_t hdsk, bool server, SecTrustRef *trustRef);
// On any other release the variable stays undefined and a message is logged.
var tls_helper_create_peer_trust;

// Wraps the named export (searched across all loaded modules) as a
// NativeFunction with the shared int(pointer, bool, pointer) signature.
function peerTrustNativeFunction(exportName) {
    var address = Module.findExportByName(null, exportName);
    return new NativeFunction(address, 'int', ['pointer', 'bool', 'pointer']);
}

var version = ObjC.classes.UIDevice.currentDevice().systemVersion().toString();
if (version.startsWith("11.")) {
    // iOS 11 exports nw_tls_create_peer_trust
    tls_helper_create_peer_trust = peerTrustNativeFunction("nw_tls_create_peer_trust");
} else if (version.startsWith("10.")) {
    // iOS 10 exports tls_helper_create_peer_trust
    tls_helper_create_peer_trust = peerTrustNativeFunction("tls_helper_create_peer_trust");
} else {
    console.log("Unsupported OS version!");
}

// OSStatus value reported by the replacement installed in bypassSSL().
var errSecSuccess = 0;
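// Replaces the resolved peer-trust routine with a callback that returns
// errSecSuccess (0) for every call, then logs that the hook is active.
// The version dispatch above leaves tls_helper_create_peer_trust undefined
// on unsupported releases, and Interceptor.replace(undefined, ...) would
// throw, so that case is reported and skipped instead.
function bypassSSL() {
    if (!tls_helper_create_peer_trust) {
        console.log("SSL Pinning bypass not installed: no hook target for this OS version");
        return;
    }
    Interceptor.replace(tls_helper_create_peer_trust, new NativeCallback(function (hdsk, server, trustRef) {
        return errSecSuccess;
    }, 'int', ['pointer', 'bool', 'pointer']));
    console.log("SSL Pinning bypass active");
}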
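// Restores the original peer-trust routine installed over by bypassSSL().
// When no target was resolved (unsupported release) there is nothing to
// revert; Interceptor.revert(undefined) would throw, so it is skipped.
function revertSSL() {
    if (tls_helper_create_peer_trust) {
        Interceptor.revert(tls_helper_create_peer_trust);
    }
    console.log("SSL Pinning bypass disabled");
}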
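// Listener returned by Interceptor.attach in bypassJail(); kept so that
// revertJail() can detach it. Interceptor.revert only undoes
// Interceptor.replace, so the original revertJail() never removed the hook.
var jailbreakCheckListener = null;

// Attaches to -[KPAppIntegrity isSafe] and forces its return value to 1.
// NOTE(review): KPAppIntegrity is presumably a class of the target app
// rather than a system class — confirm before reuse.
function bypassJail() {
    if (jailbreakCheckListener !== null) {
        // Avoid stacking a second listener on repeated calls.
        jailbreakCheckListener.detach();
    }
    var isSafeMethod = ObjC.classes.KPAppIntegrity["- isSafe"];
    jailbreakCheckListener = Interceptor.attach(isSafeMethod.implementation, {
        onLeave: function (retval) {
            retval.replace(1);
        }
    });
    // Original logged "disabled" here, which contradicted the action.
    console.log("Jailbreak bypass active");
}

// Detaches the listener installed by bypassJail(), if any.
function revertJail() {
    if (jailbreakCheckListener !== null) {
        jailbreakCheckListener.detach();
        jailbreakCheckListener = null;
    }
    console.log("Jailbreak bypass disabled");
}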
iOS 10 & 11 Bypass SSL Pinning
// Excerpt of the hook installer for the iOS 10/11 peer-trust path. The
// replacement (replaced_tls_helper_create_peer_trust) and the trampoline
// (original_tls_helper_create_peer_trust) are defined outside this listing,
// and the closing braces of the final branch are not shown.
NSProcessInfo *processInfo = [NSProcessInfo processInfo];
if ([processInfo respondsToSelector:@selector(isOperatingSystemAtLeastVersion:)] && [processInfo isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){11, 0, 0}])
{
// Support for iOS 11: the symbol is looked up in libnetwork.dylib, which is loaded explicitly.
void* handle = dlopen("/usr/lib/libnetwork.dylib", RTLD_NOW);
// NOTE(review): handle is not checked. If dlopen() failed, dlsym() presumably
// returns NULL and the NULL check below skips the hook silently.
void *tls_helper_create_peer_trust = dlsym(handle, "nw_tls_create_peer_trust");
if (tls_helper_create_peer_trust)
{
// MSHookFunction (Substrate) redirects the target and stores the original entry in the trampoline.
MSHookFunction((void *) tls_helper_create_peer_trust, (void *) replaced_tls_helper_create_peer_trust, (void **) &original_tls_helper_create_peer_trust);
}
}
else if ([processInfo respondsToSelector:@selector(isOperatingSystemAtLeastVersion:)] && [processInfo isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){10, 0, 0}])
{
// Support for iOS 10: the symbol is resolved against the default search scope.
void *tls_helper_create_peer_trust = dlsym(RTLD_DEFAULT, "tls_helper_create_peer_trust");
// NOTE(review): unlike the iOS 11 branch, the dlsym() result is handed to
// MSHookFunction without a NULL check.
MSHookFunction((void *) tls_helper_create_peer_trust, (void *) replaced_tls_helper_create_peer_trust, (void **) &original_tls_helper_create_peer_trust);
(https://www.hahwul.com/2018/10/ios-ssl-pinning-bypass-with-frida.html)
iOS 9 Bypass SSL Pinning
#pragma mark SecureTransport hooks - iOS 9 and below
// Explanation here: https://nabla-c0d3.github.io/blog/2013/08/20/ios-ssl-kill-switch-v0-dot-5-released/
// Trampoline to the original SSLSetSessionOption(); expected to be filled in
// when replaced_SSLSetSessionOption is installed as its hook (the installation
// code is not part of this listing).
static OSStatus (*original_SSLSetSessionOption)(SSLContextRef context,
SSLSessionOption option,
Boolean value);
// Replacement for SSLSetSessionOption(). Requests to change
// kSSLSessionOptionBreakOnServerAuth are swallowed (reported as noErr) so the
// value set in replaced_SSLCreateContext() stays in effect; every other
// option is forwarded to the original implementation.
//
// context  - the session being configured
// option   - the option to set
// value    - the requested value
// Returns noErr for the swallowed option, otherwise the original's status.
static OSStatus replaced_SSLSetSessionOption(SSLContextRef context,
                                             SSLSessionOption option,
                                             Boolean value)
{
    const Boolean isBreakOnServerAuth = (option == kSSLSessionOptionBreakOnServerAuth);
    return isBreakOnServerAuth ? noErr
                               : original_SSLSetSessionOption(context, option, value);
}
// Trampoline to the original SSLCreateContext(); expected to be filled in
// when replaced_SSLCreateContext is installed as its hook (the installation
// code is not part of this listing).
static SSLContextRef (*original_SSLCreateContext)(CFAllocatorRef alloc,
SSLProtocolSide protocolSide,
SSLConnectionType connectionType);
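// Replacement for SSLCreateContext(). Creates the context through the
// original implementation and immediately sets
// kSSLSessionOptionBreakOnServerAuth on it via the original setter (the
// replacement setter above would swallow the request).
//
// alloc, protocolSide, connectionType - forwarded unchanged to the original.
// Returns the new context, or NULL when the original failed to create one.
static SSLContextRef replaced_SSLCreateContext(CFAllocatorRef alloc,
                                               SSLProtocolSide protocolSide,
                                               SSLConnectionType connectionType)
{
    SSLContextRef sslContext = original_SSLCreateContext(alloc, protocolSide, connectionType);
    if (sslContext == NULL) {
        // Nothing to configure; propagate the failure.
        return NULL;
    }
    // The setter trampoline is only valid once the SSLSetSessionOption hook is
    // installed. If the hooks were installed in the other order this would be
    // a NULL call, so skip instead; the session then keeps its default
    // validation behaviour.
    if (original_SSLSetSessionOption != NULL) {
        original_SSLSetSessionOption(sslContext, kSSLSessionOptionBreakOnServerAuth, true);
    }
    return sslContext;
}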
// Trampoline to the original SSLHandshake(); expected to be filled in when
// replaced_SSLHandshake is installed as its hook (installation not shown here).
static OSStatus (*original_SSLHandshake)(SSLContextRef context);
// Replacement for SSLHandshake(). Runs the original handshake; when it stops
// with errSSLServerAuthCompleted (the pause caused by
// kSSLSessionOptionBreakOnServerAuth), the original is called once more so
// the handshake resumes without the caller evaluating the peer certificate.
// Any other status is returned unchanged.
//
// context - the session being negotiated
// Returns the status of the (possibly resumed) handshake.
static OSStatus replaced_SSLHandshake(SSLContextRef context)
{
    OSStatus status = original_SSLHandshake(context);
    if (status != errSSLServerAuthCompleted) {
        return status;
    }
    // Resume immediately instead of checking the certificate.
    return original_SSLHandshake(context);
}