Comments (12)
For others:
- Extract your APK, navigate to lib\ and then to the architecture folder, and copy libflutter.so to disable-flutter-tls-verification\libflutter_samples\android\x64
- Then run:
    python verify.py
- Then it should be detected, and in the signature the third set of square brackets contains something like [554157415641554154534883ec38c60250488bafa80000004885ed747048837d000074]
- Paste this pattern into the script like this (Android -> x64):
var config = {
    "ios": {
        "modulename": "Flutter",
        "patterns": {
            "arm64": [
                "FF 83 01 D1 FA 67 01 A9 F8 5F 02 A9 F6 57 03 A9 F4 4F 04 A9 FD 7B 05 A9 FD 43 01 91 F? 03 00 AA ?? 0? 40 F9 ?8 1? 40 F9 15 ?? 4? F9 B5 00 00 B4",
            ],
        },
    },
    "android": {
        "modulename": "libflutter.so",
        "patterns": {
            "arm64": [
                "F? 0F 1C F8 F? 5? 01 A9 F? 5? 02 A9 F? ?? 03 A9 ?? ?? ?? ?? 68 1A 40 F9",
                "F? 43 01 D1 FE 67 01 A9 F8 5F 02 A9 F6 57 03 A9 F4 4F 04 A9 13 00 40 F9 F4 03 00 AA 68 1A 40 F9",
                "FF 43 01 D1 FE 67 01 A9 ?? ?? 06 94 ?? 7? 06 94 68 1A 40 F9 15 15 41 F9 B5 00 00 B4 B6 4A 40 F9",
            ],
            "arm": [
                "2D E9 F? 4? D0 F8 00 80 81 46 D8 F8 18 00 D0 F8 ??",
            ],
            "x64": [
                "55 41 57 41 56 41 55 41 54 53 50 49 89 f? 4c 8b 37 49 8b 46 30 4c 8b a? ?? 0? 00 00 4d 85 e? 74 1? 4d 8b",
                "55 41 57 41 56 41 55 41 54 53 48 83 EC 18 49 89 FF 48 8B 1F 48 8B 43 30 4C 8B A0 28 02 00 00 4D 85 E4 74",
                "55 41 57 41 56 41 55 41 54 53 48 83 ec 38 c6 02 50 48 8b af a8 00 00 00 48 85 ed 74 70 48 83 7d 00 00 74"
            ]
        }
    }
};
- Replace the function given by #7 (comment)
- Make sure both the frida client and frida server have the exact same major and minor versions
- frida -U -l ./disable_flutter_tls.js -f com.example.app
- If it doesn't work but it shows
    [+] Hook success!
  then in the hook_ssl_verify_peer_cert function change return 0 to return 1, or vice versa
from disable-flutter-tls-verification.
I've refactored the script to hopefully no longer have this issue. Please create a new issue if this problem reemerges.
from disable-flutter-tls-verification.
Thanks @gelldur. Based on his idea, I added a loop to find a valid pattern.
function disableTLSValidation(fallback=false) {
    if (TLSValidationDisabled) return;

    var platformConfig = config[Java.available ? "android" : "ios"];
    var m = Process.findModuleByName(platformConfig["modulename"]);

    // If there is no loaded Flutter module, the setTimeout may trigger a second time, but after that we give up
    if (m === null) {
        if (fallback) console.log("[!] Flutter module not found.");
        return;
    }

    if (Process.arch in platformConfig["patterns"])
    {
        console.log("[+] Flutter library found");
        var patterns = platformConfig["patterns"][Process.arch];
        // Try every pattern listed for this architecture; every match is hooked
        patterns.forEach(pattern => {
            var res = Memory.scan(m.base, m.size, pattern, {
                onMatch: function(address, size){
                    console.log('[+] Match pattern: ' + pattern);
                    console.log('[+] ssl_verify_result found at: ' + address.toString());
                    console.log('[+] ssl_verify_peer_cert found at offset: 0x' + (address - m.base).toString(16));
                    TLSValidationDisabled = true;
                    // 32-bit ARM builds are Thumb code, so the hook address needs its low bit set
                    var thumb = Java.available && Process.arch == "arm" ? 1 : 0;
                    hook_ssl_verify_peer_cert(address.add(thumb));
                    console.log("[+] Hook success!");
                },
                onError: function(reason){
                    console.log('[!] There was an error scanning memory: ' + reason);
                },
                onComplete: function()
                {
                    console.log("[+] Done");
                }
            });
        });
    }
    else
    {
        console.log("[!] Processor architecture not supported: ", Process.arch);
    }

    if (!TLSValidationDisabled)
    {
        if (fallback){
            // Distinguish "no pattern matched" from "Frida cannot see the module's code pages at all"
            if(m.enumerateRanges('r-x').length == 0)
            {
                console.log('[!] No memory ranges found in Flutter library. This is either a Frida bug, or the application is using some kind of RASP. Try using Frida as a Gadget or using an older Android version (https://github.com/frida/frida/issues/2266)');
            }
            else
            {
                console.log('[!] ssl_verify_peer_cert not found. Please open an issue at https://github.com/NVISOsecurity/disable-flutter-tls-verification/issues');
            }
        }
        else
        {
            console.log('[!] ssl_verify_peer_cert not found. Trying again...');
        }
    }
}
from disable-flutter-tls-verification.
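Both the step list at the top of the thread (extract libflutter.so from the APK, run verify.py, paste the signature into the config) and the pattern loop above depend on Frida's Memory.scan pattern syntax, where "??" matches any byte and "F?" or "?8" match one nibble exactly and leave the other free. The script below is an added example, not code from the disable-flutter-tls-verification project or from any commenter in this thread: it reads lib/<abi>/libflutter.so straight out of an APK, prints the MD5 of every ABI's copy (the way the report further down lists them), converts a bracketed verify.py signature into the spaced form the config expects, and reproduces the same matching rules offline so you can confirm that a pattern matches exactly once before attaching Frida. The script name check_pattern.py, the function names and the sample bytes are assumptions made for this example. The offsets it reports are file offsets; they equal the runtime offset the Frida script prints only when the code segment's file offset and virtual address coincide.

```python
"""Offline check of Frida-style byte patterns against libflutter.so.

Added example (not from the disable-flutter-tls-verification project).
Reproduces the matching rules of Frida's Memory.scan pattern strings:
"??" matches any byte, "F?" or "?8" match one nibble exactly and leave
the other free. Run it on the libflutter.so inside an APK before attaching
Frida, to see whether a pattern from the config matches and how often.
"""
import hashlib
import re
import sys
import zipfile

# Third Android x64 pattern from the script's config shown on this page.
PAGE_X64_PATTERN = ("55 41 57 41 56 41 55 41 54 53 48 83 ec 38 c6 02 50 "
                    "48 8b af a8 00 00 00 48 85 ed 74 70 48 83 7d 00 00 74")

# Constructed sample (not a real library): 16 NOPs, the prologue bytes the
# pattern above describes, then 16 int3 bytes. The prologue starts at offset 16.
SAMPLE = (bytes.fromhex("90" * 16)
          + bytes.fromhex("554157415641554154534883ec38c60250488bafa800"
                          "00004885ed747048837d000074")
          + bytes.fromhex("cc" * 16))

TOKEN = re.compile(r"^[0-9a-fA-F?]{2}$")


def signature_to_pattern(sig: str) -> str:
    """Turn the bracketed, unspaced signature verify.py prints
    into the spaced form used in the script's config."""
    sig = sig.strip().strip("[]")
    if len(sig) % 2 or not all(c in "0123456789abcdefABCDEF?" for c in sig):
        raise ValueError("signature must be an even-length hex string")
    return " ".join(sig[i:i + 2].upper() for i in range(0, len(sig), 2))


def parse_pattern(pattern: str):
    """Return one (value, mask) pair per byte; a '?' nibble clears its mask bits."""
    pairs = []
    for tok in pattern.split():
        if not TOKEN.match(tok):
            raise ValueError(f"bad pattern token {tok!r}")
        value = mask = 0
        for nib in tok:
            value <<= 4
            mask <<= 4
            if nib != "?":
                value |= int(nib, 16)
                mask |= 0xF
        pairs.append((value, mask))
    return pairs


def pattern_to_regex(pattern: str):
    """Compile the pattern to a zero-width bytes regex, so overlapping hits
    are all reported, as Memory.scan reports every matching position."""
    parts = []
    for value, mask in parse_pattern(pattern):
        if mask == 0xFF:
            parts.append(b"\\x%02x" % value)
        elif mask == 0:
            parts.append(b".")
        else:  # nibble wildcard: enumerate the 16 byte values it accepts
            alts = [b"\\x%02x" % b for b in range(256) if b & mask == value]
            parts.append(b"[" + b"".join(alts) + b"]")
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)


def scan(data: bytes, pattern: str):
    """File offsets at which the pattern matches."""
    return [m.start() for m in pattern_to_regex(pattern).finditer(data)]


def flutter_libs_in_apk(apk) -> dict:
    """{abi: (md5, size)} for every lib/<abi>/libflutter.so in the APK."""
    found = {}
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            parts = name.split("/")
            if len(parts) == 3 and parts[0] == "lib" and parts[2] == "libflutter.so":
                data = z.read(name)
                found[parts[1]] = (hashlib.md5(data).hexdigest(), len(data))
    return found


def read_flutter_lib(apk, abi: str) -> bytes:
    with zipfile.ZipFile(apk) as z:
        return z.read(f"lib/{abi}/libflutter.so")


if __name__ == "__main__":
    # usage: python check_pattern.py app.apk x86_64 "55 41 57 41 ..."
    # (a bracketed verify.py signature may be passed instead of a spaced pattern)
    apk, abi, raw = sys.argv[1:4]
    pattern = raw if " " in raw.strip() else signature_to_pattern(raw)
    for name, (digest, size) in flutter_libs_in_apk(apk).items():
        print(f"{digest}  libflutter.so  #{name}  ({size} bytes)")
    hits = scan(read_flutter_lib(apk, abi), pattern)
    print(f"{len(hits)} match(es) in {abi}: {[hex(h) for h in hits]}")
    if len(hits) != 1:
        print("[!] expected exactly one match; the Frida script hooks every hit")
```

A pattern that matches zero times in the file will also fail inside Frida, so the problem is the pattern, not the device; a pattern that matches several times is worth tightening before use, since each hit becomes a hook.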
Have the same issue here unfortunately.
[!] No memory ranges found in Flutter library. This is either a Frida bug, or the application is using some kind of RASP.
Attached the used libflutter.so files if that's of any help.
libflutter.zip
from disable-flutter-tls-verification.
Have the same issue here unfortunately.
If you're in the same boat as me, I managed to intercept my target app with Burp using reFlutter (https://github.com/Impact-I/reFlutter). It patches flutter from the apk/ipa to enforce a custom MitM proxy. Hope that helps in the meantime!
from disable-flutter-tls-verification.
Unfortunately I can't provide the target application due to an NDA, but I'll try to give as much information as possible.
Target: Android 10, LineageOS 17.1, Frida-Server 16.0.2-arm64, rooted with magisk. I proxy everything with ProxyDroid.
From the target app, I gathered:
b688f2eb9a116109f741054c677b51e2  libflutter.so  #arm64-v8a
ea7152a75804de845a325e6de3a01dfe  libflutter.so  #armeabi-v7a
5898924479a8b38309efa14a0603dc52  libflutter.so  #x86_64
Attempting to disable TLS verification:
Frida 16.0.2 - A world-class dynamic instrumentation toolkit
Commands:
    help      -> Displays the help system
    object?   -> Display information about 'object'
    exit/quit -> Exit
More info at https://frida.re/docs/home/
Connected to Redmi Note 8 (id=123456)
Spawning `target.app`...
[+] Java environment detected
Spawned `target.app`. Resuming main thread!
[Redmi Note 8::target.app ]-> [+] libflutter.so loaded
[+] Flutter library found
[!] ssl_verify_peer_cert not found. Trying again...
[+] Flutter library found
[!] No memory ranges found in Flutter library. This is either a Frida bug, or the application is using some kind of RASP.
The target app opens on the device, but requests fail. Burp logs "client failed to negotiate the TLS connection. Remote host terminated the handshake".
I have the same issue like this. Anyone who can help me?
from disable-flutter-tls-verification.
@biruk1224 Can you share your APK?
from disable-flutter-tls-verification.
app.zip
Here is the app
from disable-flutter-tls-verification.
For this last zip, the pattern matches, so this is most likely related to frida/frida#2266
I currently don't have an Android 11 device to test though, but I can confirm that Frida doesn't find the correct ranges.
from disable-flutter-tls-verification.
My pattern for x64 and a small modification so it works for me.
var platformConfig = config[Java.available ? "android" : "ios"];
var m = Process.findModuleByName(platformConfig["modulename"]);
var pattern = "55 41 57 41 56 41 55 41 54 53 50 49 89 fe 48 8b 1f 48 8b 43 30 4c 8b b8 c8 01 00 00 4d 85 ff 74 12 4d 8b";
var res = Memory.scan(m.base, m.size, pattern, {
    onMatch: function(address, size){
        console.log('[+] ssl_verify_result found at: ' + address.toString());
        console.log('[+] ssl_verify_peer_cert found at offset: 0x' + (address - m.base).toString(16));
        TLSValidationDisabled = true;
        var thumb = Java.available && Process.arch == "arm" ? 1 : 0;
        hook_ssl_verify_peer_cert(address.add(thumb));
        console.log("[+] Hook success!");
    },
    onError: function(reason){
        console.log('[!] There was an error scanning memory: ' + reason);
    },
    onComplete: function()
    {
        console.log("All done");
    }
});
from disable-flutter-tls-verification.
It worked, the code does not return an error, but it cannot intercept the network
from disable-flutter-tls-verification.
It worked, the code does not return an error, but it cannot intercept the network
Did you find a valid pattern? And which proxy are you using? You can read more at (https://github.com/NVISOsecurity/disable-flutter-tls-verification#warning-what-if-this-script-doesnt-work)
from disable-flutter-tls-verification.