Bypassing Flutter certificate verification for traffic capture
2024-2-7 15:32:25 Author: mp.weixin.qq.com (view original) Reads: 11 Favorites


Flutter's certificate verification

Background:

Recently I was asked at work to re-test an app. After the APK was sent over, I set up a proxy and tried to capture its traffic, only to find that nothing was captured.


I assumed the proxy certificate was not installed properly, even though I had imported it only a few days earlier. I imported it again and it still did not work. Various LSPosed modules and objection did not help either, and r0capture showed no data.

Then I opened the APK in jadx and saw "flutter" everywhere, which reminded me that this was a Flutter app.

So I started searching and found https://bbs.kanxue.com/thread-261941.htm

Following that article, the key function is at line 386 of handshake.cc (https://github.com/google/boringssl/blob/master/ssl/handshake.cc):


The session_verify_cert_chain function is defined at line 356 of ssl_x509.cc (https://github.com/google/boringssl/blob/master/ssl/ssl_x509.cc):


Then I searched for the byte signature given in https://bbs.kanxue.com/thread-261941.htm, but that signature is for the 32-bit build, so I forced the 32-bit ABI when installing the app:
adb install --abi armeabi-v7a <path to apk>
Next, searching for the signature:


Scrolling up to the function start:


Writing a bypass script

32-bit:

```javascript
function hook_ssl_verify_result(address) {
  Interceptor.attach(address, {
    onEnter: function (args) {
      console.log("Disabling SSL validation");
    },
    onLeave: function (retval) {
      console.log("Retval: " + retval);
      retval.replace(0x1); // force the verification result to "success"
    }
  });
}

function hookFlutter() {
  var m = Process.findModuleByName("libflutter.so");
  // Byte signature of the 32-bit (Thumb) prologue of the verification function
  var pattern = "2D E9 F0 4F 85 B0 06 46 50 20 10 70";
  Memory.scan(m.base, m.size, pattern, {
    onMatch: function (address, size) {
      console.log('[+] ssl_verify_result found at: ' + address.toString());
      // +1 sets the Thumb bit so Interceptor treats the target as Thumb code
      hook_ssl_verify_result(address.add(0x01));
    },
    onError: function (reason) {
      console.log('[!] There was an error scanning memory');
    },
    onComplete: function () {
      console.log("All done");
    }
  });
}

hookFlutter();
```
Then launch the app with the script and traffic can be captured:

64-bit

Search for the string ssl_client:



As before, scroll up to the function start:


Then I found these instructions:

```
.text:0000000000596870 FF C3 01 D1 SUB SP, SP,
.text:0000000000596874 FD 7B 01 A9 STP X29, X30, [SP,
.text:0000000000596878 FC 6F 02 A9 STP X28, X27, [SP,
.text:000000000059687C FA 67 03 A9 STP X26, X25, [SP,
.text:0000000000596880 F8 5F 04 A9 STP X24, X23, [SP,
.text:0000000000596884 F6 57 05 A9 STP X22, X21, [SP,
.text:0000000000596888 F4 4F 06 A9 STP X20, X19, [SP,
.text:000000000059688C 08 0A 80 52 MOV W8,
.text:0000000000596890 48 00 00 39 STRB W8, [X2]
```
Then I wrote the script:
```javascript
function hook_ssl_verify_result(address) {
  Interceptor.attach(address, {
    onEnter: function (args) {
      console.log("Disabling SSL validation");
    },
    onLeave: function (retval) {
      console.log("Retval: " + retval);
      retval.replace(0x1); // force the verification result to "success"
    }
  });
}

function hookFlutter() {
  var m = Process.findModuleByName("libflutter.so");
  // Byte signature of the AArch64 prologue found above (one space between every byte)
  var pattern = "FF C3 01 D1 FD 7B 01 A9 FC 6F 02 A9 FA 67 03 A9 F8 5F 04 A9 F6 57 05 A9 F4 4F 06 A9 08 0A 80 52 48 00 00 39";
  Memory.scan(m.base, m.size, pattern, {
    onMatch: function (address, size) {
      console.log('[+] ssl_verify_result found at: ' + address.toString());
      // The +1 was copied from the 32-bit script; this is the line that errors on 64-bit
      hook_ssl_verify_result(address.add(0x01));
    },
    onError: function (reason) {
      console.log('[!] There was an error scanning memory');
    },
    onComplete: function () {
      console.log("All done");
    }
  });
}

hookFlutter();
```
Then it threw an error:


Changing hook_ssl_verify_result(address.add(0x01)) to hook_ssl_verify_result(address) makes it work properly:
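The reason the +1 works on 32-bit but not on 64-bit is the ARM Thumb bit. As an added illustration (not code from the original post), the helper below builds the Memory.scan signature from an IDA listing of the kind shown above and picks the hook address per architecture; the listing subset and the function names are constructed for this example.

```javascript
// Added example (not from the original post): build the Memory.scan signature from an
// IDA listing and choose the hook address per architecture. It shows why
// address.add(0x01) is right for the 32-bit (Thumb) build and wrong for AArch64.

// Constructed input: a subset of the 64-bit listing lines quoted in the post.
const LISTING_ARM64 = [
  ".text:0000000000596870 FF C3 01 D1 SUB SP, SP,",
  ".text:0000000000596874 FD 7B 01 A9 STP X29, X30, [SP,",
  ".text:000000000059688C 08 0A 80 52 MOV W8,",
  ".text:0000000000596890 48 00 00 39 STRB W8, [X2]",
].join("\n");

// Turn ".text:<addr> <byte pairs> <mnemonic ...>" lines into the space-separated hex
// pattern that Memory.scan expects; lines that are not listing lines are skipped.
function listingToPattern(listing) {
  const bytes = [];
  for (const line of listing.split("\n")) {
    const m = line.match(/^\.text:[0-9A-Fa-f]+\s+((?:[0-9A-Fa-f]{2}\s)+)/);
    if (!m) continue;
    bytes.push(...m[1].trim().split(/\s+/).map((b) => b.toUpperCase()));
  }
  return bytes.join(" ");
}

// Return the address to hand to Interceptor.attach for a pattern match.
// On 32-bit ARM the signature is Thumb code, so bit 0 must be set (address.add(1) or
// address.or(1) in Frida) to tell Interceptor the target uses the Thumb instruction set.
// AArch64 has no Thumb mode: instructions are 4-byte aligned and an address with bit 0
// set is simply invalid, which is why the 64-bit script only worked once the +1 was
// dropped. Addresses are BigInt so 64-bit values are not truncated.
function hookAddress(matchAddress, arch) {
  if (arch === "arm") return matchAddress | 1n;
  if (arch === "arm64") {
    if (matchAddress % 4n !== 0n) throw new Error("AArch64 hook address must be 4-byte aligned");
    return matchAddress;
  }
  throw new Error("unsupported arch: " + arch);
}

// Inside a Frida script the pieces fit together like this (Process.arch is 'arm' or 'arm64'):
//   Memory.scan(m.base, m.size, listingToPattern(LISTING_ARM64), { onMatch(address, size) {
//     const target = hookAddress(BigInt(address.toString()), Process.arch);
//     Interceptor.attach(ptr("0x" + target.toString(16)), { /* onLeave as above */ });
//   }, onError() {}, onComplete() {} });
```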

References

-https://www.jianshu.com/p/ada10d2976f2
-https://mp.weixin.qq.com/s/pXpfXK-Ez0n70f3bqFuuFg
-https://bbs.kanxue.com/thread-261941.htm
-https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/

All four articles above deal with Flutter certificate verification.

Kanxue ID: puppet_w

https://bbs.kanxue.com/user-home-929264.htm

*This is a featured article from the Kanxue forum, originally written by puppet_w; when reposting, please credit the Kanxue community.



Source: https://mp.weixin.qq.com/s?__biz=MjM5NTc2MDYxMw==&mid=2458542029&idx=1&sn=02f222f59ed95f74a281e8a8a92cc987&chksm=b18d6f4786fae651edb665a28c8ed25eb93a9c0bacebef7f046c5e8276532a3b4f3b38b65b11&scene=58&subscene=0#rd