flutter抓包绕过

lutter的证书校验

起因:

最近工作上让做个app的复测,把apk发我后,开始尝试挂代理抓包,结果发现抓不到

为是证书没弄好,想着前几天不是刚导入了吗(雾)。又重新导入了下还是不行。然后各种lsp模块,objection都不行,r0capture也没数据。

然后jadx看了下,全是flutter字样,才想起来和flutter有关。

开始百度(:

然后就开始各种找。

session_verify_cert_chain函数在第356行的ssl_x509.cc中被定义

然后根据[原创]一种基于frida和drony的针对flutter抓包的方法-Android安全-看雪-安全社区|安全招聘|kanxue.com 这篇文章特征找,但是这个是32位的,所以在app安装的时候指定32位安装

写脚本绕过

32位

|-------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | function hook_ssl_verify_result(address) { Interceptor.attach(address, { ``onEnter: function(args) { ``console.log(``"Disabling SSL validation"``) ``}, ``onLeave: function(retval) { ``console.log(``"Retval: " + retval); ``retval.replace(``0x1``); ``} ``}); } function hookFlutter() { ``var m ``= Process.findModuleByName(``"libflutter.so"``); ``var pattern ``= "2D E9 F0 4F 85 B0 06 46 50 20 10 70"``; ``var res ``= Memory.scan(m.base, m.size, pattern, { ``onMatch: function(address, size){ ``console.log(``'[+] ssl_verify_result found at: ' + address.toString()); ``/``/ Add ``0x01 because it's a THUMB function ``/``/ Otherwise, we would get ``'Error: unable to intercept function at 0x9906f8ac; please file a bug' ``hook_ssl_verify_result(address.add(``0x01``)); ``}, ``onError: function(reason){ ``console.log(``'[!] There was an error scanning memory'``); ``}, ``onComplete: function() { ``console.log(``"All done"``) ``} ``}); } |

然后启动就可以抓包了

64位

搜索ssl_client

然后就找到了这些

|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 | .text:``0000000000596870 FF C3 ``01 D1 SUB SP, SP, ``#0x70 .text:``0000000000596874 FD ``7B 01 A9 STP X29, X30, [SP,``#0x70+var_60] .text:``0000000000596878 FC ``6F 02 A9 STP X28, X27, [SP,``#0x70+var_50] .text:``000000000059687C FA ``67 03 A9 STP X26, X25, [SP,``#0x70+var_40] .text:``0000000000596880 F8 ``5F 04 A9 STP X24, X23, [SP,``#0x70+var_30] .text:``0000000000596884 F6 ``57 05 A9 STP X22, X21, [SP,``#0x70+var_20] .text:``0000000000596888 F4 ``4F 06 A9 STP X20, X19, [SP,``#0x70+var_10] .text:``000000000059688C 08 0A 80 52 MOV W8, ``#0x50 .text:``0000000000596890 48 00 00 39 STRB W8, [X2] |

然后写脚本

|-------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | function hook_ssl_verify_result(address) { Interceptor.attach(address, { ``onEnter: function(args) { ``console.log(``"Disabling SSL validation"``) ``}, ``onLeave: function(retval) { ``console.log(``"Retval: " + retval); ``retval.replace(``0x1``); ``} ``}); } function hookFlutter() { ``var m ``= Process.findModuleByName(``"libflutter.so"``); ``var pattern ``= "FF C3 01 D1 FD 7B 01 A9 FC 6F 02 A9FA 67 03 A9 F8 5F 04 A9 F6 57 05 A9 F4 4F 06 A9 08 0A 80 52 48 00 00 39"``; ``var res ``= Memory.scan(m.base, m.size, pattern, { ``onMatch: function(address, size){ ``console.log(``'[+] ssl_verify_result found at: ' + address.toString()); ``/``/ Add ``0x01 because it's a THUMB function ``/``/ Otherwise, we would get ``'Error: unable to intercept function at 0x9906f8ac; please file a bug' ``hook_ssl_verify_result(address.add(``0x01``)); ``}, ``onError: function(reason){ ``console.log(``'[!] There was an error scanning memory'``); ``}, ``onComplete: function() { ``console.log(``"All done"``) ``} ``}); } |

然后发现报错了

相关推荐
蒋星熠14 小时前
Flutter跨平台工程实践与原理透视:从渲染引擎到高质产物
开发语言·python·算法·flutter·设计模式·性能优化·硬件工程
卢叁16 小时前
Flutter之自定义TabIndicator
前端·flutter
萧雾宇18 小时前
Android Compose打造仿现实逼真的烟花特效
android·flutter·kotlin
拜无忧19 小时前
【教程】flutter常用知识点总结-针对小白
android·flutter·android studio
拜无忧20 小时前
【教程】Flutter 高性能项目架构创建指南:从入门到高性能架构
android·flutter·android studio
醉过才知酒浓20 小时前
flutter 拦截返回按钮的方法(WillPopScope or PopScope)
flutter
傅里叶21 小时前
sudo启动Flutter程序AMD初始化失败
linux·flutter
苦逼的搬砖工1 天前
Flutter UI Components:闲来无事,设计整理了这几年来使用的UI组件库
前端·flutter
黑金IT1 天前
Dart → `.exe`:Flutter 桌面与纯命令行双轨编译完全指南
flutter
iOS_MingXing1 天前
flutter TabBar 设置isScrollable 第一个有间距
flutter