Comments (11)
Yes, it works for me now. Working for your apk as well?
Yes
from disable-flutter-tls-verification.
Same error for me for this app. BTW, I can't find the md5sum in the samples folder for the app. The same app was updated just a few days ago and the script was working fine on it before.
Here are the md5sum results:
lib/arm64-v8a/libflutter.so: b58d91db28b4a2900624882d9ad6311c
lib/armeabi-v7a/libflutter.so: 94ddce9a58b90ed6cbd54f3bb278dcfb
lib/x86_64/libflutter.so: c59db9f239fa3b2f4887d5e988d0679c
I have noticed in Ghidra that the address for the pinning function has changed now. I added the address at the end of the x64 array in the script and it started to work again. Maybe the code is a little changed in the newer version of the apk.
Address (it's 71 now after 74, not 70 anymore):
55 41 57 41 56 41 55 41 54 53 48 83 EC 38 C6 02 50 48 8B AF A8 00 00 00 48 85 ED 74 71 48 83 7D 00 00 74
Also, I had to update the return type from 0 to 1, as I mentioned in issue #22 for the app mentioned in my previous message.
Thank you. I've updated the code to include your address.
/**
A Frida script that disables Flutter's TLS verification
This script works on Android x86, Android x64 and iOS x64. It uses pattern matching to find [ssl_verify_peer_cert in handshake.cc](https://github.com/google/boringssl/blob/master/ssl/handshake.cc#L323)
If the script doesn't work, take a look at https://github.com/NVISOsecurity/disable-flutter-tls-verification#warning-what-if-this-script-doesnt-work
*/

// Configuration object containing patterns to locate the ssl_verify_peer_cert function
// for different platforms and architectures.
var config = {
    "ios": {
        "modulename": "Flutter",
        "patterns": {
            "arm64": [{
                "pattern": "FF 83 01 D1 FA 67 01 A9 F8 5F 02 A9 F6 57 03 A9 F4 4F 04 A9 FD 7B 05 A9 FD 43 01 91 F? 03 00 AA ?? 0? 40 F9 ?8 1? 40 F9 15 ?? 4? F9 B5 00 00 B4",
                "address_flag": 0
            }],
        },
    },
    "android": {
        "modulename": "libflutter.so",
        "patterns": {
            "arm64": [{
                    "pattern": "F? 0F 1C F8 F? 5? 01 A9 F? 5? 02 A9 F? ?? 03 A9 ?? ?? ?? ?? 68 1A 40 F9",
                    "address_flag": 0
                },
                {
                    "pattern": "F? 43 01 D1 FE 67 01 A9 F8 5F 02 A9 F6 57 03 A9 F4 4F 04 A9 13 00 40 F9 F4 03 00 AA 68 1A 40 F9",
                    "address_flag": 0
                },
                {
                    "pattern": "FF 43 01 D1 FE 67 01 A9 ?? ?? 06 94 ?? 7? 06 94 68 1A 40 F9 15 15 41 F9 B5 00 00 B4 B6 4A 40 F9",
                    "address_flag": 0
                },
            ],
            "arm": [{
                "pattern": "2D E9 F? 4? D0 F8 00 80 81 46 D8 F8 18 00 D0 F8 ??",
                "address_flag": 0
            }],
            "x64": [{
                    "pattern": "55 41 57 41 56 41 55 41 54 53 50 49 89 f? 4c 8b 37 49 8b 46 30 4c 8b a? ?? 0? 00 00 4d 85 e? 74 1? 4d 8b",
                    "address_flag": 0
                },
                {
                    "pattern": "55 41 57 41 56 41 55 41 54 53 48 83 EC 18 49 89 FF 48 8B 1F 48 8B 43 30 4C 8B A0 28 02 00 00 4D 85 E4 74",
                    "address_flag": 0
                },
                {
                    "pattern": "55 41 57 41 56 41 55 41 54 53 48 83 EC 38 C6 02 50 48 8B AF A8 00 00 00 48 85 ED 74 70 48 83 7D 00 00 74",
                    "address_flag": 0
                },
                {
                    "pattern": "55 41 57 41 56 41 55 41 54 53 48 83 EC 38 C6 02 50 48 8B AF A8 00 00 00 48 85 ED 74 71 48 83 7D 00 00 74",
                    "address_flag": 1
                }
            ]
        }
    }
};

// Flag to check if TLS validation has already been disabled
var TLSValidationDisabled = false;
var flutterLibraryFound = false;
var tries = 0;
var maxTries = 5;
var timeout = 1000;

disableTLSValidation();

// Main function to disable TLS validation for Flutter
function disableTLSValidation() {
    // Stop if ready
    if (TLSValidationDisabled) return;

    tries++;
    if (tries > maxTries) {
        console.log('[!] Max attempts reached, stopping');
        return;
    }

    console.log(`[+] Attempting to find and hook ssl_verify_peer_cert (${tries}/${maxTries})`)

    // Get reference to module. Necessary for iOS, and useful check for Android
    var platformConfig = config[Java.available ? "android" : "ios"];
    var m = Process.findModuleByName(platformConfig["modulename"]);
    if (m === null) {
        console.log('[!] Flutter library not found');
        setTimeout(disableTLSValidation, timeout);
        return;
    } else {
        // reset counter so that searching for ssl_verify_peer_cert also gets x attempts
        if (flutterLibraryFound == false) {
            flutterLibraryFound = true;
            tries = 1;
        }
    }

    if (Process.arch in platformConfig["patterns"]) {
        var ranges;
        if (Java.available) {
            // On Android, getting ranges from the loaded module is buggy, so we revert to Process.enumerateRanges
            ranges = Process.enumerateRanges({
                protection: 'r-x'
            }).filter(isFlutterRange)
        } else {
            // On iOS, there's no issue
            ranges = m.enumerateRanges('r-x')
        }

        findAndPatch(ranges, platformConfig["patterns"][Process.arch], Java.available && Process.arch == "arm" ? 1 : 0);
    } else {
        console.log('[!] Processor architecture not supported: ', Process.arch);
    }

    if (!TLSValidationDisabled) {
        if (tries < maxTries) {
            console.log(`[!] Flutter library found, but ssl_verify_peer_cert could not be found.`)
        } else {
            console.log('[!] ssl_verify_peer_cert not found. Please open an issue at https://github.com/NVISOsecurity/disable-flutter-tls-verification/issues');
        }
    }
}

// Find and patch the method in memory to disable TLS validation
function findAndPatch(ranges, patterns, thumb) {
    ranges.forEach(range => {
        patterns.forEach(patternInfo => {
            var matches = Memory.scanSync(range.base, range.size, patternInfo["pattern"]);
            matches.forEach(match => {
                var info = DebugSymbol.fromAddress(match.address);
                console.log(`[+] ssl_verify_peer_cert found at offset: ${info.name}`);
                TLSValidationDisabled = true;
                hook_ssl_verify_peer_cert(match.address.add(thumb), patternInfo["address_flag"]);
                console.log('[+] ssl_verify_peer_cert has been patched');
            });
            if (matches.length > 1) {
                console.log('[!] Multiple matches detected. This can have a negative impact and may crash the app. Please open a ticket');
            }
        });
    });

    // Try again. disableTLSValidation will not do anything if TLSValidationDisabled = true
    setTimeout(disableTLSValidation, timeout);
}

function isFlutterRange(range) {
    var address = range.base
    var info = DebugSymbol.fromAddress(address)
    if (info.moduleName != null) {
        if (info.moduleName.toLowerCase().includes("flutter")) {
            return true;
        }
    }
    return false;
}

// Replace the target function's implementation to effectively disable the TLS check
function hook_ssl_verify_peer_cert(address, address_flag) {
    Interceptor.replace(address, new NativeCallback((pathPtr, flags) => {
        return address_flag;
    }, 'int', ['pointer', 'int']));
}
Your code doesn't work in my case, I have no idea why. It gives:
[+] Attempting to find and hook ssl_verify_peer_cert (2/5)
[!] Flutter library found, but ssl_verify_peer_cert could not be found.
[+] Attempting to find and hook ssl_verify_peer_cert (2/5)
[!] Flutter library found, but ssl_verify_peer_cert could not be found.
[+] Attempting to find and hook ssl_verify_peer_cert (3/5)
[!] Flutter library found, but ssl_verify_peer_cert could not be found.
[+] Attempting to find and hook ssl_verify_peer_cert (4/5)
[!] Flutter library found, but ssl_verify_peer_cert could not be found.
[+] Attempting to find and hook ssl_verify_peer_cert (5/5)
[!] ssl_verify_peer_cert not found. Please open an issue at https://github.com/NVISOsecurity/disable-flutter-tls-verification/issues
[!] Max attempts reached, stopping
Please help.
Hi, @M4st3r1337
Without an app package name, I can't solve this problem for you.
Share the apk or libflutter.so (inside the apk)
> Hi, @M4st3r1337 Without an app package name, I can't solve this problem for you. Share the apk or libflutter.so (inside the apk)

Hey @motattack, I appreciate your help, here is the app: https://play.google.com/store/apps/details?id=com.g705&hl=en
> Hi, @M4st3r1337 Without an app package name, I can't solve this problem for you. Share the apk or libflutter.so (inside the apk)
> Hey, @motattack I appreciate your help, here is the app https://play.google.com/store/apps/details?id=com.g705&hl=en

try it:
/**
A Frida script that disables Flutter's TLS verification
This script works on Android x86, Android x64 and iOS x64. It uses pattern matching to find [ssl_verify_peer_cert in handshake.cc](https://github.com/google/boringssl/blob/master/ssl/handshake.cc#L323)
If the script doesn't work, take a look at https://github.com/NVISOsecurity/disable-flutter-tls-verification#warning-what-if-this-script-doesnt-work
*/

// Configuration object containing patterns to locate the ssl_verify_peer_cert function
// for different platforms and architectures.
var config = {
    "ios": {
        "modulename": "Flutter",
        "patterns": {
            "arm64": [{
                "pattern": "FF 83 01 D1 FA 67 01 A9 F8 5F 02 A9 F6 57 03 A9 F4 4F 04 A9 FD 7B 05 A9 FD 43 01 91 F? 03 00 AA ?? 0? 40 F9 ?8 1? 40 F9 15 ?? 4? F9 B5 00 00 B4",
                "address_flag": 0
            }],
        },
    },
    "android": {
        "modulename": "libflutter.so",
        "patterns": {
            "arm64": [{
                    "pattern": "F? 0F 1C F8 F? 5? 01 A9 F? 5? 02 A9 F? ?? 03 A9 ?? ?? ?? ?? 68 1A 40 F9",
                    "address_flag": 0
                },
                {
                    "pattern": "F? 43 01 D1 FE 67 01 A9 F8 5F 02 A9 F6 57 03 A9 F4 4F 04 A9 13 00 40 F9 F4 03 00 AA 68 1A 40 F9",
                    "address_flag": 0
                },
                {
                    "pattern": "FF 43 01 D1 FE 67 01 A9 ?? ?? 06 94 ?? 7? 06 94 68 1A 40 F9 15 15 41 F9 B5 00 00 B4 B6 4A 40 F9",
                    "address_flag": 0
                },
            ],
            "arm": [{
                "pattern": "2D E9 F? 4? D0 F8 00 80 81 46 D8 F8 18 00 D0 F8 ??",
                "address_flag": 0
            }],
            "x64": [{
                    "pattern": "55 41 57 41 56 41 55 41 54 53 50 49 89 f? 4c 8b 37 49 8b 46 30 4c 8b a? ?? 0? 00 00 4d 85 e? 74 1? 4d 8b",
                    "address_flag": 0
                },
                {
                    "pattern": "55 41 57 41 56 41 55 41 54 53 48 83 EC 18 49 89 FF 48 8B 1F 48 8B 43 30 4C 8B A0 28 02 00 00 4D 85 E4 74",
                    "address_flag": 0
                },
                {
                    "pattern": "55 41 57 41 56 41 55 41 54 53 48 83 EC 38 C6 02 50 48 8B AF A8 00 00 00 48 85 ED 74 70 48 83 7D 00 00 74",
                    "address_flag": 0
                },
                {
                    "pattern": "55 41 57 41 56 41 55 41 54 53 48 83 EC 38 C6 02 50 48 8B AF A8 00 00 00 48 85 ED 74 71 48 83 7D 00 00 74",
                    "address_flag": 1
                },
                {
                    "pattern": "55 41 57 41 56 41 55 41 54 53 48 83 ec 38 c6 02 50 48 8b af a0 00 00 00 48 85 ed 74 71 48 83 7d 00 00 74",
                    "address_flag": 1
                }
            ]
        }
    }
};

// Flag to check if TLS validation has already been disabled
var TLSValidationDisabled = false;
var flutterLibraryFound = false;
var tries = 0;
var maxTries = 5;
var timeout = 1000;

disableTLSValidation();

// Main function to disable TLS validation for Flutter
function disableTLSValidation() {
    // Stop if ready
    if (TLSValidationDisabled) return;

    tries++;
    if (tries > maxTries) {
        console.log('[!] Max attempts reached, stopping');
        return;
    }

    console.log(`[+] Attempting to find and hook ssl_verify_peer_cert (${tries}/${maxTries})`)

    // Get reference to module. Necessary for iOS, and useful check for Android
    var platformConfig = config[Java.available ? "android" : "ios"];
    var m = Process.findModuleByName(platformConfig["modulename"]);
    if (m === null) {
        console.log('[!] Flutter library not found');
        setTimeout(disableTLSValidation, timeout);
        return;
    } else {
        // reset counter so that searching for ssl_verify_peer_cert also gets x attempts
        if (flutterLibraryFound == false) {
            flutterLibraryFound = true;
            tries = 1;
        }
    }

    if (Process.arch in platformConfig["patterns"]) {
        var ranges;
        if (Java.available) {
            // On Android, getting ranges from the loaded module is buggy, so we revert to Process.enumerateRanges
            ranges = Process.enumerateRanges({
                protection: 'r-x'
            }).filter(isFlutterRange)
        } else {
            // On iOS, there's no issue
            ranges = m.enumerateRanges('r-x')
        }

        findAndPatch(ranges, platformConfig["patterns"][Process.arch], Java.available && Process.arch == "arm" ? 1 : 0);
    } else {
        console.log('[!] Processor architecture not supported: ', Process.arch);
    }

    if (!TLSValidationDisabled) {
        if (tries < maxTries) {
            console.log(`[!] Flutter library found, but ssl_verify_peer_cert could not be found.`)
        } else {
            console.log('[!] ssl_verify_peer_cert not found. Please open an issue at https://github.com/NVISOsecurity/disable-flutter-tls-verification/issues');
        }
    }
}

// Find and patch the method in memory to disable TLS validation
function findAndPatch(ranges, patterns, thumb) {
    ranges.forEach(range => {
        patterns.forEach(patternInfo => {
            var matches = Memory.scanSync(range.base, range.size, patternInfo["pattern"]);
            matches.forEach(match => {
                var info = DebugSymbol.fromAddress(match.address);
                console.log(`[+] ssl_verify_peer_cert found at offset: ${info.name}`);
                TLSValidationDisabled = true;
                hook_ssl_verify_peer_cert(match.address.add(thumb), patternInfo["address_flag"]);
                console.log('[+] ssl_verify_peer_cert has been patched');
            });
            if (matches.length > 1) {
                console.log('[!] Multiple matches detected. This can have a negative impact and may crash the app. Please open a ticket');
            }
        });
    });

    // Try again. disableTLSValidation will not do anything if TLSValidationDisabled = true
    setTimeout(disableTLSValidation, timeout);
}

function isFlutterRange(range) {
    var address = range.base
    var info = DebugSymbol.fromAddress(address)
    if (info.moduleName != null) {
        if (info.moduleName.toLowerCase().includes("flutter")) {
            return true;
        }
    }
    return false;
}

// Replace the target function's implementation to effectively disable the TLS check
function hook_ssl_verify_peer_cert(address, address_flag) {
    Interceptor.replace(address, new NativeCallback((pathPtr, flags) => {
        return address_flag;
    }, 'int', ['pointer', 'int']));
}
[+] Attempting to find and hook ssl_verify_peer_cert (1/5)
[!] Flutter library not found
Spawned com.g705
. Resuming main thread!
[SM-G988N::com.g705 ]-> [+] Attempting to find and hook ssl_verify_peer_cert (2/5)
[+] ssl_verify_peer_cert found at offset: 0x78f0ee
[+] ssl_verify_peer_cert has been patched
Great, I was able to intercept requests. Any tutorial on how you fixed that? Also I have another problem: the request bodies are encrypted:
EGv5Ft4NpFw9rIPqYspr3jiGWOEv7TY/fJ+L/9MCpa0= , probably AES. Any idea how I can find it in Flutter apps?
I've updated the signatures to include the new one, but I can't replicate the need for return 1. It doesn't really make sense, since the function should return ssl_verify_ok, which is 0:
enum ssl_verify_result_t BORINGSSL_ENUM_INT {
    ssl_verify_ok,
    ssl_verify_invalid,
    ssl_verify_retry,
};
If somebody can replicate the need for 1, please let me know.
@M4st3r1337 encryption is definitely out of scope, and you'll have to dig in with a decompiler/disassembler and figure it out. Flutter is really difficult to analyze though.
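The added Node.js checker below (not code from the NVISO project or from any commenter) serves two points in this thread: the earlier report that a new libflutter.so build stopped matching the x64 signature, and the return-value question here. It applies the script's own `?`-nibble wildcard syntax (the same one Frida's `Memory.scanSync` accepts) to a library file on disk, reporting which x64 pattern matches, at which file offset, and how often, and labels each pattern's `address_flag` with the `ssl_verify_result_t` name it would return. `X64_PATTERNS` is copied from the script's config, the enum names from the comment above, and `SAMPLE` is a constructed byte string, not bytes from any real libflutter.so.

```javascript
// Offline signature checker for the x64 patterns of disable-flutter-tls-verification.
// Added example, not part of the project. Usage: node check.js lib/x86_64/libflutter.so
// (with no argument it scans the constructed SAMPLE image instead).

// x64 patterns copied verbatim from the script's config above.
const X64_PATTERNS = [
  { pattern: '55 41 57 41 56 41 55 41 54 53 50 49 89 f? 4c 8b 37 49 8b 46 30 4c 8b a? ?? 0? 00 00 4d 85 e? 74 1? 4d 8b', address_flag: 0 },
  { pattern: '55 41 57 41 56 41 55 41 54 53 48 83 EC 18 49 89 FF 48 8B 1F 48 8B 43 30 4C 8B A0 28 02 00 00 4D 85 E4 74', address_flag: 0 },
  { pattern: '55 41 57 41 56 41 55 41 54 53 48 83 EC 38 C6 02 50 48 8B AF A8 00 00 00 48 85 ED 74 70 48 83 7D 00 00 74', address_flag: 0 },
  { pattern: '55 41 57 41 56 41 55 41 54 53 48 83 EC 38 C6 02 50 48 8B AF A8 00 00 00 48 85 ED 74 71 48 83 7D 00 00 74', address_flag: 1 },
];

// BoringSSL's ssl_verify_result_t, as quoted in the thread: the replacement
// callback's return value (address_flag) is interpreted as one of these.
const SSL_VERIFY_RESULT = ['ssl_verify_ok', 'ssl_verify_invalid', 'ssl_verify_retry'];

// Compile "F? ?? 1A" into parallel value/mask byte arrays. A '?' nibble
// contributes 0 to the mask, so that nibble is ignored when comparing.
function compilePattern(pattern) {
  const value = [];
  const mask = [];
  for (const tok of pattern.trim().split(/\s+/)) {
    if (!/^[0-9a-fA-F?]{2}$/.test(tok)) throw new Error(`bad pattern token "${tok}"`);
    let v = 0;
    let m = 0;
    [4, 0].forEach((shift, i) => {
      if (tok[i] !== '?') {
        v |= parseInt(tok[i], 16) << shift;
        m |= 0xF << shift;
      }
    });
    value.push(v);
    mask.push(m);
  }
  return { value, mask };
}

// Every offset in buf where the compiled pattern matches (masked compare,
// the same test Memory.scanSync performs on a memory range).
function scan(buf, compiled) {
  const { value, mask } = compiled;
  const hits = [];
  for (let off = 0; off + value.length <= buf.length; off++) {
    let ok = true;
    for (let i = 0; i < value.length; i++) {
      if ((buf[off + i] & mask[i]) !== value[i]) { ok = false; break; }
    }
    if (ok) hits.push(off);
  }
  return hits;
}

// Run every pattern over a library image; one result entry per hit. More than
// one entry is the "Multiple matches detected" case the Frida script warns about.
function checkLibrary(buf, patterns) {
  const results = [];
  patterns.forEach((p, idx) => {
    for (const offset of scan(buf, compilePattern(p.pattern))) {
      results.push({ patternIndex: idx, offset, address_flag: p.address_flag,
                     returns: SSL_VERIFY_RESULT[p.address_flag] });
    }
  });
  return results;
}

function hexToBuf(hex) {
  return Buffer.from(hex.replace(/[^0-9a-fA-F]/g, ''), 'hex');
}

// Constructed sample image: six filler bytes, a prologue identical to the
// "74 71" variant (pattern index 3), then a ret. Not from any real library.
const SAMPLE = hexToBuf('90 90 90 90 CC CC ' + X64_PATTERNS[3].pattern + ' C3');

if (typeof require !== 'undefined' && require.main === module) {
  const buf = process.argv[2] ? require('fs').readFileSync(process.argv[2]) : SAMPLE;
  const res = checkLibrary(buf, X64_PATTERNS);
  if (res.length === 0) console.log('[!] no x64 pattern matches this image; the signature needs updating');
  for (const r of res) {
    console.log(`[+] pattern ${r.patternIndex} at file offset 0x${r.offset.toString(16)} ` +
                `(callback returns ${r.address_flag} = ${r.returns})`);
  }
  if (res.length > 1) console.log('[!] multiple matches; the script would patch every one of them');
}
```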