flutter抓包绕过

lutter的证书校验

起因:

最近工作上让做个app的复测,把apk发我后,开始尝试挂代理抓包,结果发现抓不到

为是证书没弄好,想着前几天不是刚导入了吗(雾)。又重新导入了下还是不行。然后各种lsp模块,objection都不行,r0capture也没数据。

然后jadx看了下,全是flutter字样,才想起来和flutter有关。

开始百度(:

然后就开始各种找。

session_verify_cert_chain函数在第356行的ssl_x509.cc中被定义

然后根据原创一种基于frida和drony的针对flutter抓包的方法-Android安全-看雪-安全社区|安全招聘|kanxue.com 这篇文章特征找,但是这个是32位的,所以在app安装的时候指定32位安装

写脚本绕过

32位

|-------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | function hook_ssl_verify_result(address) { Interceptor.attach(address, { ``onEnter: function(args) { ``console.log(``"Disabling SSL validation"``) ``}, ``onLeave: function(retval) { ``console.log(``"Retval: " + retval); ``retval.replace(``0x1``); ``} ``}); } function hookFlutter() { ``var m ``= Process.findModuleByName(``"libflutter.so"``); ``var pattern ``= "2D E9 F0 4F 85 B0 06 46 50 20 10 70"``; ``var res ``= Memory.scan(m.base, m.size, pattern, { ``onMatch: function(address, size){ ``console.log(``'[+] ssl_verify_result found at: ' + address.toString()); ``/``/ Add ``0x01 because it's a THUMB function ``/``/ Otherwise, we would get ``'Error: unable to intercept function at 0x9906f8ac; please file a bug' ``hook_ssl_verify_result(address.add(``0x01``)); ``}, ``onError: function(reason){ ``console.log(``'[!] There was an error scanning memory'``); ``}, ``onComplete: function() { ``console.log(``"All done"``) ``} ``}); } |

然后启动就可以抓包了

64位

搜索ssl_client

然后就找到了这些

|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 | .text:``0000000000596870 FF C3 ``01 D1 SUB SP, SP, ``#0x70 .text:``0000000000596874 FD ``7B 01 A9 STP X29, X30, [SP,``#0x70+var_60] .text:``0000000000596878 FC ``6F 02 A9 STP X28, X27, [SP,``#0x70+var_50] .text:``000000000059687C FA ``67 03 A9 STP X26, X25, [SP,``#0x70+var_40] .text:``0000000000596880 F8 ``5F 04 A9 STP X24, X23, [SP,``#0x70+var_30] .text:``0000000000596884 F6 ``57 05 A9 STP X22, X21, [SP,``#0x70+var_20] .text:``0000000000596888 F4 ``4F 06 A9 STP X20, X19, [SP,``#0x70+var_10] .text:``000000000059688C 08 0A 80 52 MOV W8, ``#0x50 .text:``0000000000596890 48 00 00 39 STRB W8, [X2] |

然后写脚本

|-------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | function hook_ssl_verify_result(address) { Interceptor.attach(address, { ``onEnter: function(args) { ``console.log(``"Disabling SSL validation"``) ``}, ``onLeave: function(retval) { ``console.log(``"Retval: " + retval); ``retval.replace(``0x1``); ``} ``}); } function hookFlutter() { ``var m ``= Process.findModuleByName(``"libflutter.so"``); ``var pattern ``= "FF C3 01 D1 FD 7B 01 A9 FC 6F 02 A9FA 67 03 A9 F8 5F 04 A9 F6 57 05 A9 F4 4F 06 A9 08 0A 80 52 48 00 00 39"``; ``var res ``= Memory.scan(m.base, m.size, pattern, { ``onMatch: function(address, size){ ``console.log(``'[+] ssl_verify_result found at: ' + address.toString()); ``/``/ Add ``0x01 because it's a THUMB function ``/``/ Otherwise, we would get ``'Error: unable to intercept function at 0x9906f8ac; please file a bug' ``hook_ssl_verify_result(address.add(``0x01``)); ``}, ``onError: function(reason){ ``console.log(``'[!] There was an error scanning memory'``); ``}, ``onComplete: function() { ``console.log(``"All done"``) ``} ``}); } |

然后发现报错了

相关推荐
恋猫de小郭3 天前
Amper 正式转正 Kotlin Toolchain ,Gradle 未来何去何从
android·前端·flutter
张风捷特烈3 天前
Flutter 类库大揭秘#02 | path_provider 各平台实现
前端·flutter
TT_Close4 天前
别劝退了!5秒搞定 Flutter 鸿蒙 FVM 起跑线
flutter·harmonyos·visual studio code
你听得到114 天前
用户说 App 卡,但说不清在哪?我把 Flutter 监控 SDK 升级成了链路观测工作台
前端·flutter·性能优化
stringwu5 天前
Flutter 开发必备:MVI 架构的高效实现指南
前端·flutter
程序员老刘6 天前
Flutter版本选择指南:3.44系列继续观望 | 2026年6月
flutter·ai编程·客户端
用户965597361908 天前
Provider vs Bloc vs GetX vs Riverpod:Flutter 状态管理方案怎么选?
flutter
恋猫de小郭8 天前
Flutter Patchwork,不用 Fork 改依赖包源码的第三方工具
android·前端·flutter
程序员老刘8 天前
跑分第一的编程大模型,我为啥不用?
flutter·ai编程·vibecoding
恋猫de小郭9 天前
苹果 AirPods 协议,Android 也可以使用完整版 AirPods 能力
android·前端·flutter