flutter抓包绕过

逆向协议风控大师2024-02-07 20:10

lutter的证书校验

起因:

最近工作上让做个app的复测,把apk发我后,开始尝试挂代理抓包,结果发现抓不到

为是证书没弄好,想着前几天不是刚导入了吗(雾)。又重新导入了下还是不行。然后各种lsp模块,objection都不行,r0capture也没数据。

然后jadx看了下,全是flutter字样,才想起来和flutter有关。

开始百度(:

然后就开始各种找。

session_verify_cert_chain函数在第356行的ssl_x509.cc中被定义

然后根据[原创]一种基于frida和drony的针对flutter抓包的方法-Android安全-看雪-安全社区|安全招聘|kanxue.com 这篇文章特征找,但是这个是32位的,所以在app安装的时候指定32位安装

写脚本绕过

32位

|-------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | function hook_ssl_verify_result(address) { Interceptor.attach(address, { ``onEnter: function(args) { ``console.log(``"Disabling SSL validation"``) ``}, ``onLeave: function(retval) { ``console.log(``"Retval: " + retval); ``retval.replace(``0x1``); ``} ``}); } function hookFlutter() { ``var m ``= Process.findModuleByName(``"libflutter.so"``); ``var pattern ``= "2D E9 F0 4F 85 B0 06 46 50 20 10 70"``; ``var res ``= Memory.scan(m.base, m.size, pattern, { ``onMatch: function(address, size){ ``console.log(``'[+] ssl_verify_result found at: ' + address.toString()); ``/``/ Add ``0x01 because it's a THUMB function ``/``/ Otherwise, we would get ``'Error: unable to intercept function at 0x9906f8ac; please file a bug' ``hook_ssl_verify_result(address.add(``0x01``)); ``}, ``onError: function(reason){ ``console.log(``'[!] There was an error scanning memory'``); ``}, ``onComplete: function() { ``console.log(``"All done"``) ``} ``}); } |

然后启动就可以抓包了

64位

搜索ssl_client

然后就找到了这些

|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 | .text:``0000000000596870 FF C3 ``01 D1 SUB SP, SP, ``#0x70 .text:``0000000000596874 FD ``7B 01 A9 STP X29, X30, [SP,``#0x70+var_60] .text:``0000000000596878 FC ``6F 02 A9 STP X28, X27, [SP,``#0x70+var_50] .text:``000000000059687C FA ``67 03 A9 STP X26, X25, [SP,``#0x70+var_40] .text:``0000000000596880 F8 ``5F 04 A9 STP X24, X23, [SP,``#0x70+var_30] .text:``0000000000596884 F6 ``57 05 A9 STP X22, X21, [SP,``#0x70+var_20] .text:``0000000000596888 F4 ``4F 06 A9 STP X20, X19, [SP,``#0x70+var_10] .text:``000000000059688C 08 0A 80 52 MOV W8, ``#0x50 .text:``0000000000596890 48 00 00 39 STRB W8, [X2] |

然后写脚本

|-------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | function hook_ssl_verify_result(address) { Interceptor.attach(address, { ``onEnter: function(args) { ``console.log(``"Disabling SSL validation"``) ``}, ``onLeave: function(retval) { ``console.log(``"Retval: " + retval); ``retval.replace(``0x1``); ``} ``}); } function hookFlutter() { ``var m ``= Process.findModuleByName(``"libflutter.so"``); ``var pattern ``= "FF C3 01 D1 FD 7B 01 A9 FC 6F 02 A9FA 67 03 A9 F8 5F 04 A9 F6 57 05 A9 F4 4F 06 A9 08 0A 80 52 48 00 00 39"``; ``var res ``= Memory.scan(m.base, m.size, pattern, { ``onMatch: function(address, size){ ``console.log(``'[+] ssl_verify_result found at: ' + address.toString()); ``/``/ Add ``0x01 because it's a THUMB function ``/``/ Otherwise, we would get ``'Error: unable to intercept function at 0x9906f8ac; please file a bug' ``hook_ssl_verify_result(address.add(``0x01``)); ``}, ``onError: function(reason){ ``console.log(``'[!] There was an error scanning memory'``); ``}, ``onComplete: function() { ``console.log(``"All done"``) ``} ``}); } |

然后发现报错了

相关推荐
—Qeyser5 小时前
使用 Flutter 的 Positioned 控件实现精准布局
flutter
weixin_404611347 小时前
鸿蒙flutter 老项目到新项目的遇到迁移坑点
flutter·华为·harmonyos
cding8 小时前
Flutter 开发环境搭建
android·flutter
傅里叶10 小时前
Flutter 中使用 Isolate 进行耗时计算并显示 Loading 状态
flutter
黄毛火烧雪下15 小时前
(二)Flutter插件之Android插件开发
android·flutter
明月与玄武17 小时前
Melos 使用指南:Flutter / Dart 多包管理工具!
flutter·melos 使用指南·dart 多包管理工具
shr007_1 天前
flutter 鸿蒙
flutter·华为·harmonyos
Bryce李小白1 天前
Flutter 与原生混合编程
flutter
wahkim1 天前
移动端开发工具集锦
flutter·ios·android studio·swift
傅里叶1 天前
Flutter / Dart 多包管理工具 —— Melos 使用指南
flutter
热门推荐
01GitHub 镜像站点02BongoCat - 跨平台键盘猫动画工具03UV安装并设置国内源04Linux下V2Ray安装配置指南05GitLab 零基础入门指南:从安装到项目管理全流程06NVIDIA显卡驱动、CUDA、cuDNN 和 TensorRT 版本匹配指南07一文了解国产算子编程语言 TileLang,TileLang 对国产开源生态的影响与启示082025软件测试面试八股文(含答案+文档)09Labelme从安装到标注:零基础完整指南10在VSCode配置Java开发环境的保姆级教程(适配各类AI编程IDE)