Android packet capture: OkHttp obfuscation causes hook tools to fail
Part of the content in this article is based on loco's article, and the two sample apps (one obfuscated, one not) are also borrowed from loco's article.
WeChat public account: yeshengit
The main purpose of this article is to show how to use Frida to handle requests from an app that does not use Android's built-in HTTP client, and how obfuscating that HTTP client causes JustTrustMe to fail.
First, let's look at the source code of the sample application. All it does is visit Baidu. Look at line 41 in the figure below: the certificate hash configured there is random, so no matter how we access it, the request will always fail.
Before starting, here is the environment of the test machine:
Thunderbolt Simulator 3.76, Android 5.1.1, rooted, with Xposed installed and activated, and TrustMePlus activated
Let's run it. Open the non-obfuscated app first and click Send Request. It reports that the request succeeded.
Then let's try the obfuscated app. It reports that certificate verification failed.
Why does this happen? If we decompile both applications with jadx, we can see the difference.
On the left is the non-obfuscated build, on the right the obfuscated one; the difference is obvious. Now let's look at the source code of JustTrustMe.
Below I have annotated several key points in JustTrustMe and added some notes. Its main operation is to replace the check method:
OkHttp 2.5: the check method is replaced so that it returns true
OkHttp 3.x: the check method is replaced so that it returns null
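To make concrete what the replaced check method actually does, and why the random pin configured in the sample app guarantees failure, here is a Python model of OkHttp's pin format and check logic. This is an added example, not code from the page or from OkHttp itself: the SPKI bytes and the pin map are constructed, and host matching is simplified to exact hostnames (OkHttp also supports wildcard patterns).

```python
import base64
import hashlib


class SSLPeerUnverifiedException(Exception):
    """Raised when no configured pin matches the peer's public key
    (OkHttp throws javax.net.ssl.SSLPeerUnverifiedException)."""


def compute_pin(spki_der: bytes) -> str:
    """OkHttp-style pin: 'sha256/' + base64(SHA-256(SubjectPublicKeyInfo DER))."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def check(hostname: str, peer_spki_chain: list, pins: dict) -> None:
    """Python model of okhttp3.CertificatePinner.check(hostname, certificates).

    Returns None (void) when any key in the chain matches a pin configured for the
    host, and raises otherwise. This is the method JustTrustMe and the Frida script
    on this page replace with a plain `return null`, which skips the comparison.
    """
    expected = pins.get(hostname, [])
    if not expected:
        return None  # no pins configured for this host: OkHttp skips the check
    for spki in peer_spki_chain:
        if compute_pin(spki) in expected:
            return None
    raise SSLPeerUnverifiedException(
        f"Certificate pinning failure for {hostname}: peer pins "
        f"{[compute_pin(s) for s in peer_spki_chain]} not in {expected}"
    )


# Constructed sample: a placeholder blob standing in for real SubjectPublicKeyInfo DER bytes.
SAMPLE_SPKI = b"constructed-spki-bytes-for-www.baidu.com"
# A pin that cannot match any real key, like the random hash in the sample app.
RANDOM_PIN = "sha256/" + base64.b64encode(b"\x00" * 32).decode("ascii")


def demo() -> tuple:
    """Return (passes_with_correct_pin, passes_with_random_pin)."""
    correct = {"www.baidu.com": [compute_pin(SAMPLE_SPKI)]}
    wrong = {"www.baidu.com": [RANDOM_PIN]}
    ok = check("www.baidu.com", [SAMPLE_SPKI], correct) is None
    try:
        check("www.baidu.com", [SAMPLE_SPKI], wrong)
        bad = True
    except SSLPeerUnverifiedException:
        bad = False
    return ok, bad


if __name__ == "__main__":
    print(compute_pin(SAMPLE_SPKI))
    print(demo())  # (True, False)
```

The pin is computed over the public key, not the whole certificate, which is why a developer can compute it with `openssl x509 -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64` and why a made-up value can never match.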
With the analysis done, we can write some Frida code to test this.
jsscript.js file code:
if (Java.available) {
    Java.perform(function () {
        // okhttp3.CertificatePinner is the same class JustTrustMe targets by name
        var Pinner = Java.use("okhttp3.CertificatePinner");
        send("okHTTP 3.x Found");
        // Replace check(String hostname, List certificates); returning null (void) means "pins matched"
        Pinner.check.overload('java.lang.String', 'java.util.List').implementation = function (a, b) {
            send("Hook CertificatePinner.check success!");
            return null;
        };
    });
}
Hook.py code:
import frida, sys

# Read the Frida script from jsscript.js
jsCode = ""
with open("jsscript.js", "r", encoding='utf-8') as f:
    jsCode = f.read()

# Print every send() message that comes back from the script
def message(message, data):
    if message["type"] == 'send':
        print(u"[*] {0}".format(message['payload']))
    else:
        print(message)

# Attach to the running sample app through the remote frida-server
process = frida.get_remote_device().attach("com.loco.example.OkHttp3SSLPinning")
script = process.create_script(jsCode)
script.on("message", message)
script.load()
sys.stdin.read()  # keep the script alive until stdin is closed
Note: Frida is not stable on the emulator, so the test environment is now a Nexus 5 (Android 6.0.1), rooted, with no Xposed module installed.
Run the Frida script and see:
At this point the packet capture problem is solved for the non-obfuscated version, so let's try the obfuscated version again.
jsscript.js for the obfuscated build:
if (Java.available) {
    Java.perform(function () {
        // d.k is the obfuscated name of okhttp3.CertificatePinner (found with jadx)
        var Pinner = Java.use("d.k");
        send("okHTTP 3.x Found");
        // a is the obfuscated name of check(String, List); the JDK parameter types are not renamed
        Pinner.a.overload('java.lang.String', 'java.util.List').implementation = function (a, b) {
            send("Hook CertificatePinner.check");
            return null;
        };
    });
}
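The reason JustTrustMe fails is visible in the two scripts above: the hook is keyed on the class and method names, and ProGuard/R8 renames both (here `okhttp3.CertificatePinner.check` became `d.k.a`). A developer who has the build's mapping.txt can translate between the two worlds mechanically; the resolver below is an added example written for this article, not code from the page or from ProGuard, and the mapping excerpt is constructed (the `d.k` / `a` names are the ones seen in the page's jadx output; `com.example.app.NetModule` is a made-up app class used to show that application-level parameter types are renamed too).

```python
import re

# Constructed ProGuard/R8 mapping.txt excerpt (not the real mapping of the sample app).
SAMPLE_MAPPING = """\
okhttp3.CertificatePinner -> d.k:
    java.util.List pins -> b
    void check(java.lang.String,java.util.List) -> a
    1:1:void check(java.lang.String,java.security.cert.Certificate[]) -> a
    java.lang.String pin(java.security.cert.Certificate) -> b
okhttp3.OkHttpClient -> d.x:
    okhttp3.CertificatePinner certificatePinner() -> c
com.example.app.NetModule -> a.b:
    void install(okhttp3.CertificatePinner) -> a
"""

# "original.Class -> obf.Class:" opens a class block
CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
# "    [line:line:]retType name(paramTypes) -> obfName" describes one method
METHOD_RE = re.compile(r"^\s+(?:\d+:\d+:)?(\S+) (\w+)\((.*?)\) -> (\w+)$")


def parse_mapping(text):
    """Return {original_class: (obf_class, {(method, (param types...)): obf_method})}.

    Field lines (no parentheses) and comment lines are ignored.
    """
    classes = {}
    current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            classes[current] = (m.group(2), {})
            continue
        m = METHOD_RE.match(line)
        if m and current is not None:
            params = tuple(p for p in m.group(3).split(",") if p)
            classes[current][1][(m.group(2), params)] = m.group(4)
    return classes


def obfuscate_type(mapping, type_name):
    """JDK types (java.lang.String, java.util.List) keep their names; app classes are renamed."""
    entry = mapping.get(type_name)
    return entry[0] if entry else type_name


def hook_target(mapping, class_name, method, params):
    """Translate original (class, method, param types) into the names a Frida
    Java.use(...)/.overload(...) call needs in the obfuscated build, or None."""
    entry = mapping.get(class_name)
    if entry is None:
        return None
    obf_class, methods = entry
    obf_method = methods.get((method, tuple(params)))
    if obf_method is None:
        return None
    return obf_class, obf_method, [obfuscate_type(mapping, p) for p in params]


if __name__ == "__main__":
    m = parse_mapping(SAMPLE_MAPPING)
    # ('d.k', 'a', ['java.lang.String', 'java.util.List'])
    print(hook_target(m, "okhttp3.CertificatePinner", "check", ["java.lang.String", "java.util.List"]))
    # None: the original name no longer exists in the obfuscated APK
    print(m.get("okhttp3.CertificatePinner")[0] == "okhttp3.CertificatePinner")
```

Without a mapping file, the only options are the manual jadx comparison the article uses or matching on structure instead of names, which is why name-based tools break on every new obfuscated release even when the underlying OkHttp version is unchanged.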
And with that, the whole story ends!
SSL pinning APK download address:
Link: https://pan.baidu.com/s/1vIw40alQG7K1wNkmzmAkgw
Extraction code: as7g
References
DroidSSLUnpinning: https://github.com/WooyunDota/DroidSSLUnpinning/blob/master/ObjectionUnpinningPlus/hooks.js
JustTrustMe: https://github.com/Fuzion24/JustTrustMe