flutter抓包绕过

lutter的证书校验

起因:

最近工作上让做个app的复测,把apk发我后,开始尝试挂代理抓包,结果发现抓不到

为是证书没弄好,想着前几天不是刚导入了吗(雾)。又重新导入了下还是不行。然后各种lsp模块,objection都不行,r0capture也没数据。

然后jadx看了下,全是flutter字样,才想起来和flutter有关。

开始百度(:

然后就开始各种找。

session_verify_cert_chain函数在第356行的ssl_x509.cc中被定义

然后根据[原创]一种基于frida和drony的针对flutter抓包的方法-Android安全-看雪-安全社区|安全招聘|kanxue.com 这篇文章特征找,但是这个是32位的,所以在app安装的时候指定32位安装

写脚本绕过

32位

|-------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | function hook_ssl_verify_result(address) { Interceptor.attach(address, { ``onEnter: function(args) { ``console.log(``"Disabling SSL validation"``) ``}, ``onLeave: function(retval) { ``console.log(``"Retval: " + retval); ``retval.replace(``0x1``); ``} ``}); } function hookFlutter() { ``var m ``= Process.findModuleByName(``"libflutter.so"``); ``var pattern ``= "2D E9 F0 4F 85 B0 06 46 50 20 10 70"``; ``var res ``= Memory.scan(m.base, m.size, pattern, { ``onMatch: function(address, size){ ``console.log(``'[+] ssl_verify_result found at: ' + address.toString()); ``/``/ Add ``0x01 because it's a THUMB function ``/``/ Otherwise, we would get ``'Error: unable to intercept function at 0x9906f8ac; please file a bug' ``hook_ssl_verify_result(address.add(``0x01``)); ``}, ``onError: function(reason){ ``console.log(``'[!] There was an error scanning memory'``); ``}, ``onComplete: function() { ``console.log(``"All done"``) ``} ``}); } |

然后启动就可以抓包了

64位

搜索ssl_client

然后就找到了这些

|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 | .text:``0000000000596870 FF C3 ``01 D1 SUB SP, SP, ``#0x70 .text:``0000000000596874 FD ``7B 01 A9 STP X29, X30, [SP,``#0x70+var_60] .text:``0000000000596878 FC ``6F 02 A9 STP X28, X27, [SP,``#0x70+var_50] .text:``000000000059687C FA ``67 03 A9 STP X26, X25, [SP,``#0x70+var_40] .text:``0000000000596880 F8 ``5F 04 A9 STP X24, X23, [SP,``#0x70+var_30] .text:``0000000000596884 F6 ``57 05 A9 STP X22, X21, [SP,``#0x70+var_20] .text:``0000000000596888 F4 ``4F 06 A9 STP X20, X19, [SP,``#0x70+var_10] .text:``000000000059688C 08 0A 80 52 MOV W8, ``#0x50 .text:``0000000000596890 48 00 00 39 STRB W8, [X2] |

然后写脚本

|-------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | function hook_ssl_verify_result(address) { Interceptor.attach(address, { ``onEnter: function(args) { ``console.log(``"Disabling SSL validation"``) ``}, ``onLeave: function(retval) { ``console.log(``"Retval: " + retval); ``retval.replace(``0x1``); ``} ``}); } function hookFlutter() { ``var m ``= Process.findModuleByName(``"libflutter.so"``); ``var pattern ``= "FF C3 01 D1 FD 7B 01 A9 FC 6F 02 A9FA 67 03 A9 F8 5F 04 A9 F6 57 05 A9 F4 4F 06 A9 08 0A 80 52 48 00 00 39"``; ``var res ``= Memory.scan(m.base, m.size, pattern, { ``onMatch: function(address, size){ ``console.log(``'[+] ssl_verify_result found at: ' + address.toString()); ``/``/ Add ``0x01 because it's a THUMB function ``/``/ Otherwise, we would get ``'Error: unable to intercept function at 0x9906f8ac; please file a bug' ``hook_ssl_verify_result(address.add(``0x01``)); ``}, ``onError: function(reason){ ``console.log(``'[!] There was an error scanning memory'``); ``}, ``onComplete: function() { ``console.log(``"All done"``) ``} ``}); } |

然后发现报错了

相关推荐
阿笑带你学前端2 小时前
Flutter本地通知系统:记账提醒的深度实现
前端·flutter
孤鸿玉20 小时前
Fluter InteractiveViewer 与ScrollView滑动冲突问题解决
flutter
叽哥1 天前
Flutter Riverpod上手指南
android·flutter·ios
BG2 天前
Flutter 简仿Excel表格组件介绍
flutter
zhangmeng2 天前
FlutterBoost在iOS26真机运行崩溃问题
flutter·app·swift
恋猫de小郭2 天前
对于普通程序员来说 AI 是什么?AI 究竟用的是什么?
前端·flutter·ai编程
卡尔特斯2 天前
Flutter A GlobalKey was used multipletimes inside one widget'schild list.The ...
flutter
w_y_fan2 天前
Flutter 滚动组件总结
前端·flutter
醉过才知酒浓2 天前
Flutter Getx 的页面传参
flutter
火柴就是我3 天前
flutter 之真手势冲突处理
android·flutter