I've posted some frequently used Frida scripts. Honestly, I like codeshares, but sometimes I need them in another form (raw script, link, etc.).

General Information

Docs

https://www.frida.re/docs/home/

Download

https://github.com/frida/frida/tags

Tool

https://github.com/nccgroup/house
https://github.com/federicodotta/Brida

Awesome

https://github.com/dweinstein/awesome-frida

Frida code share

https://codeshare.frida.re/browse

Android scripts & codeshare

Bypass root detection (codeshare)

frida --codeshare dzonerzy/fridantiroot -f

Bypass debugger detection

// Debugger-detection bypass: once the Java VM is available, make
// android.os.Debug.isDebuggerConnected() report "no debugger" regardless of
// the real state. Scheduled with a 0 ms timeout so it runs after the script
// itself has finished loading.
//
// Defender's view: a check that consults only this one API is answered by
// whatever the (hookable) runtime says; treat its result as a hint, not a
// security boundary.
function installDebuggerCheckBypass() {
    console.log("");
    console.log("[.] Debug check bypass");

    var debugClass = Java.use('android.os.Debug');
    // Replace the method body; the original implementation is never invoked.
    debugClass.isDebuggerConnected.implementation = function() {
        return false;
    };
}

setTimeout(function() {
    Java.perform(installDebuggerCheckBypass);
}, 0);

Bypass SSL Pinning

// TrustManagerImpl bypass: the conscrypt method hooked here is where the page
// short-circuits server-chain validation. Handing back an empty ArrayList
// instead of running the real check makes every chain pass.
// Assumes the six-argument overload of checkTrustedRecursive — confirm
// against the target's Android release; a signature mismatch surfaces as a
// Frida error when the implementation is assigned.
Java.perform(function() {
    var arrayListClass = Java.use("java.util.ArrayList");
    var trustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');

    trustManagerImpl.checkTrustedRecursive.implementation = function(p1, p2, p3, p4, p5, p6) {
        // An empty list stands in for the "trusted chain" result.
        var emptyChain = arrayListClass.$new();
        return emptyChain;
    };
});

Bypass SSL Pinning(codeshare)

frida --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f

iOS

Bypass SSL Pinning & Jailbreak detection

// Resolve the native peer-trust helper for the running iOS release. The
// export name changed between iOS 10 and iOS 11, so it is chosen from the
// major-version prefix of UIDevice.systemVersion. On any other release the
// variable is left undefined and a message is printed instead.
var tls_helper_create_peer_trust;
var version = ObjC.classes.UIDevice.currentDevice().systemVersion().toString();

// Both exports share one C signature:
//   OSStatus fn(tls_handshake_t hdsk, bool server, SecTrustRef *trustRef)
var peerTrustSignature = { ret: 'int', args: ['pointer', 'bool', 'pointer'] };

// Map a systemVersion string to the export name, or null when unsupported.
function peerTrustSymbolForVersion(systemVersion) {
    if (systemVersion.startsWith("11.")) {
        return "nw_tls_create_peer_trust";    // iOS 11 (libnetwork)
    }
    if (systemVersion.startsWith("10.")) {
        return "tls_helper_create_peer_trust"; // iOS 10
    }
    return null;
}

var peerTrustSymbol = peerTrustSymbolForVersion(version);
if (peerTrustSymbol === null) {
    console.log("Unsupported OS version!");
} else {
    // findExportByName yields null when the export is absent; the
    // NativeFunction constructor then throws.
    tls_helper_create_peer_trust = new NativeFunction(
        Module.findExportByName(null, peerTrustSymbol),
        peerTrustSignature.ret,
        peerTrustSignature.args
    );
}

// OSStatus value reported for every trust evaluation while the bypass is on.
var errSecSuccess = 0;

// Install the peer-trust bypass: every call to the resolved helper returns
// errSecSuccess without the certificate chain being evaluated, so the process
// accepts any server certificate until revertSSL() is called.
function bypassSSL() {
    var alwaysSucceed = new NativeCallback(function(hdsk, server, trustRef) {
        return errSecSuccess;
    }, 'int', ['pointer', 'bool', 'pointer']);

    Interceptor.replace(tls_helper_create_peer_trust, alwaysSucceed);
    console.log("SSL Pinning bypass active");
}


// Undo bypassSSL(): put the real helper implementation back in place.
function revertSSL() {
    var hookedFunction = tls_helper_create_peer_trust;
    Interceptor.revert(hookedFunction);
    console.log("SSL Pinning bypass disabled");
}



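// Install the jailbreak-detection bypass: attach to -[KPAppIntegrity isSafe]
// and rewrite its return value to 1 (YES) on the way out, so the app's own
// integrity check always passes. The log line reports the bypass as active,
// matching bypassSSL().
function bypassJail() {
    var isSafeMethod = ObjC.classes.KPAppIntegrity["- isSafe"];
    Interceptor.attach(isSafeMethod.implementation, {
        onLeave: function(retval) {
            retval.replace(1);
        }
    });
    console.log("Jailbreak bypass active");
}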


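// Undo bypassJail(): the isSafe hook was installed with Interceptor.attach,
// so it is removed by detaching listeners. Interceptor.revert only undoes
// Interceptor.replace (and the method wrapper it was given is not a pointer),
// so it did not remove this hook. This script attaches exactly one listener,
// so detachAll() removes just the isSafe hook.
function revertJail() {
    Interceptor.detachAll();
    console.log("Jailbreak bypass disabled");
}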

iOS 10 & 11 Bypass SSL Pinning

// iOS 10/11 variant of the peer-trust hook, written against MobileSubstrate
// (MSHookFunction). replaced_tls_helper_create_peer_trust and
// original_tls_helper_create_peer_trust are not defined in this excerpt.
// The version test goes newest-first because isOperatingSystemAtLeastVersion:
// is also true for every lower threshold.
NSProcessInfo *processInfo = [NSProcessInfo processInfo];
if ([processInfo respondsToSelector:@selector(isOperatingSystemAtLeastVersion:)] && [processInfo isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){11, 0, 0}])
{
// Support for iOS 11
// The export lives in libnetwork, so that library is loaded explicitly first.
// NOTE(review): dlopen's result is not checked; with a NULL handle the dlsym
// presumably fails and the NULL check below skips the hook.
void* handle = dlopen("/usr/lib/libnetwork.dylib", RTLD_NOW);
void *tls_helper_create_peer_trust = dlsym(handle, "nw_tls_create_peer_trust");
if (tls_helper_create_peer_trust)
{
MSHookFunction((void *) tls_helper_create_peer_trust, (void *) replaced_tls_helper_create_peer_trust, (void **) &original_tls_helper_create_peer_trust);
}
}


else if ([processInfo respondsToSelector:@selector(isOperatingSystemAtLeastVersion:)] && [processInfo isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){10, 0, 0}])
{
// Support for iOS 10
// Looked up in the default search scope (no explicit dlopen on iOS 10).
// NOTE(review): unlike the iOS 11 branch, the dlsym result is not checked
// before MSHookFunction is called. The closing brace of this else-if block
// is missing from the excerpt.
void *tls_helper_create_peer_trust = dlsym(RTLD_DEFAULT, "tls_helper_create_peer_trust");
MSHookFunction((void *) tls_helper_create_peer_trust, (void *) replaced_tls_helper_create_peer_trust, (void **) &original_tls_helper_create_peer_trust);
(source: https://www.hahwul.com/2018/10/ios-ssl-pinning-bypass-with-frida.html)

iOS 9 Bypass SSL Pinning

#pragma mark SecureTransport hooks - iOS 9 and below
// Explanation here: https://nabla-c0d3.github.io/blog/2013/08/20/ios-ssl-kill-switch-v0-dot-5-released/
// Saved pointer to the real SSLSetSessionOption, expected to be filled in by
// the hook installer (not part of this excerpt). replaced_SSLSetSessionOption
// and replaced_SSLCreateContext call through it.
static OSStatus (*original_SSLSetSessionOption)(SSLContextRef context,
SSLSessionOption option,
Boolean value);
// Hook body for SSLSetSessionOption. Requests to change
// kSSLSessionOptionBreakOnServerAuth are swallowed with noErr, so the value
// set in replaced_SSLCreateContext cannot be cleared by the app; every other
// option is forwarded to the real implementation unchanged.
static OSStatus replaced_SSLSetSessionOption(SSLContextRef context,
SSLSessionOption option,
Boolean value)
{
    if (option != kSSLSessionOptionBreakOnServerAuth) {
        return original_SSLSetSessionOption(context, option, value);
    }
    // Report success without touching the context.
    return noErr;
}




// Saved pointer to the real SSLCreateContext; replaced_SSLCreateContext uses
// it to build the context before applying the break-on-server-auth option.
static SSLContextRef (*original_SSLCreateContext)(CFAllocatorRef alloc,
SSLProtocolSide protocolSide,
SSLConnectionType connectionType);


// Hook body for SSLCreateContext. Creates the context through the real
// implementation, then immediately sets kSSLSessionOptionBreakOnServerAuth
// via the saved original setter (not the hooked one, which would swallow it).
// With that option set the handshake stops at errSSLServerAuthCompleted
// instead of validating the server certificate — see replaced_SSLHandshake.
static SSLContextRef replaced_SSLCreateContext(CFAllocatorRef alloc,
SSLProtocolSide protocolSide,
SSLConnectionType connectionType)
{
    SSLContextRef context = original_SSLCreateContext(alloc, protocolSide, connectionType);
    // NOTE(review): a NULL context from the original is passed straight to
    // the setter; presumably SecureTransport rejects it with a parameter error.
    (void)original_SSLSetSessionOption(context, kSSLSessionOptionBreakOnServerAuth, true);
    return context;
}


// Saved pointer to the real SSLHandshake; replaced_SSLHandshake calls it a
// second time when the handshake stops at the server-authentication break.
static OSStatus (*original_SSLHandshake)(SSLContextRef context);
// Hook body for SSLHandshake. Runs the real handshake; when it stops at the
// server-authentication break point (errSSLServerAuthCompleted, reached
// because replaced_SSLCreateContext set the break option) the certificate
// chain is left unexamined and the handshake is simply resumed. Any other
// status is returned as-is.
static OSStatus replaced_SSLHandshake(SSLContextRef context)
{
    OSStatus status = original_SSLHandshake(context);
    switch (status) {
        case errSSLServerAuthCompleted:
            // Resume without evaluating the peer certificate.
            return original_SSLHandshake(context);
        default:
            return status;
    }
}

