Recently at work I was asked to retest an app. After the APK was sent over I tried to route it through a proxy and capture its traffic, only to find that nothing was being captured.
![](https://img-blog.csdnimg.cn/direct/2cc70a2c6f44412a9edbbd592f837ca4.png)
I assumed the certificate wasn't set up properly, even though I had imported it only a few days earlier (or so I thought). Re-importing it made no difference. Various LSPosed modules and objection didn't help either, and r0capture showed no data at all.
Then I opened the APK in jadx, saw "flutter" everywhere, and realised this was a Flutter app.
So I started digging around.![](https://img-blog.csdnimg.cn/direct/80d643a3368e487d877773d8cb89866f.png)
The session_verify_cert_chain function is defined in ssl_x509.cc at line 356.
I then looked for the byte signature following the kanxue article [原创]一种基于frida和drony的针对flutter抓包的方法 (kanxue.com). That article targets the 32-bit build, so I forced the 32-bit ABI when installing the app (e.g. `adb install --abi armeabi-v7a`).
![](https://img-blog.csdnimg.cn/direct/56696fd55c12401da1c778d6e25bc480.png)
```javascript
function hook_ssl_verify_result(address) {
    Interceptor.attach(address, {
        onEnter: function(args) {
            console.log("Disabling SSL validation")
        },
        onLeave: function(retval) {
            console.log("Retval: " + retval);
            retval.replace(0x1);
        }
    });
}

function hookFlutter() {
    var m = Process.findModuleByName("libflutter.so");
    var pattern = "2D E9 F0 4F 85 B0 06 46 50 20 10 70";
    var res = Memory.scan(m.base, m.size, pattern, {
        onMatch: function(address, size) {
            console.log('[+] ssl_verify_result found at: ' + address.toString());
            // Add 0x01 because it's a THUMB function
            // Otherwise, we would get 'Error: unable to intercept function at 0x9906f8ac; please file a bug'
            hook_ssl_verify_result(address.add(0x01));
        },
        onError: function(reason) {
            console.log('[!] There was an error scanning memory');
        },
        onComplete: function() {
            console.log("All done")
        }
    });
}
```
After launching the app with this script loaded, traffic could be captured.![](https://img-blog.csdnimg.cn/direct/f5c73f798f9849819d49ad808be115fa.png)
Next, for the 64-bit build, I searched for ssl_client.![](https://img-blog.csdnimg.cn/direct/be01efb542bd4cfdbd75ba012d7f007c.png)
![](https://img-blog.csdnimg.cn/direct/1aa5624d63b54eea849088c403c6f757.png)
![](https://img-blog.csdnimg.cn/direct/a242a90de6f9413e87cd3e08c863b058.png)
That led me to this function prologue:
```asm
.text:0000000000596870 FF C3 01 D1    SUB   SP, SP, #0x70
.text:0000000000596874 FD 7B 01 A9    STP   X29, X30, [SP,#0x70+var_60]
.text:0000000000596878 FC 6F 02 A9    STP   X28, X27, [SP,#0x70+var_50]
.text:000000000059687C FA 67 03 A9    STP   X26, X25, [SP,#0x70+var_40]
.text:0000000000596880 F8 5F 04 A9    STP   X24, X23, [SP,#0x70+var_30]
.text:0000000000596884 F6 57 05 A9    STP   X22, X21, [SP,#0x70+var_20]
.text:0000000000596888 F4 4F 06 A9    STP   X20, X19, [SP,#0x70+var_10]
.text:000000000059688C 08 0A 80 52    MOV   W8, #0x50
.text:0000000000596890 48 00 00 39    STRB  W8, [X2]
```
Then I wrote a script using those bytes as the pattern:
```javascript
function hook_ssl_verify_result(address) {
    Interceptor.attach(address, {
        onEnter: function(args) {
            console.log("Disabling SSL validation")
        },
        onLeave: function(retval) {
            console.log("Retval: " + retval);
            retval.replace(0x1);
        }
    });
}

function hookFlutter() {
    var m = Process.findModuleByName("libflutter.so");
    var pattern = "FF C3 01 D1 FD 7B 01 A9 FC 6F 02 A9FA 67 03 A9 F8 5F 04 A9 F6 57 05 A9 F4 4F 06 A9 08 0A 80 52 48 00 00 39";
    var res = Memory.scan(m.base, m.size, pattern, {
        onMatch: function(address, size) {
            console.log('[+] ssl_verify_result found at: ' + address.toString());
            // Add 0x01 because it's a THUMB function
            // Otherwise, we would get 'Error: unable to intercept function at 0x9906f8ac; please file a bug'
            hook_ssl_verify_result(address.add(0x01));
        },
        onError: function(reason) {
            console.log('[!] There was an error scanning memory');
        },
        onComplete: function() {
            console.log("All done")
        }
    });
}
```
But this one errored out:
![](https://img-blog.csdnimg.cn/direct/12276726c8a54750af7c0082c001d339.png)
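Whatever the screenshot shows, the 64-bit script as written has two problems worth fixing before blaming the pattern. First, the pattern string contains `A9FA` with no space between the bytes, so whether the scan fails or silently looks for something else depends entirely on how Frida tokenises the string; it is better to validate the pattern yourself before calling `Memory.scan`. Second, the `address.add(0x01)` Thumb adjustment was copied from the 32-bit script, but arm64 has no Thumb mode: instructions are 4-byte aligned and the hook must be attached at the match address itself. The script below is an added example, not the post's own code, that handles both architectures from one file: it keys the signature on `Process.arch`, validates the pattern, applies the Thumb bit only for 32-bit ARM, and reports how many matches were hooked (more than one means the prologue bytes are not unique in that build). The byte patterns are the ones shown on this page and are specific to the libflutter.so build analysed here; other builds need their own pattern. The `retval.replace(1)` assumes, as the original script does, that the matched function returns a bool-like integer in the return register.

```javascript
// Added example (not the post's script): arch-aware Flutter/BoringSSL
// cert-verify bypass for Frida. Hook logic runs only under Frida; the pure
// helpers below can be unit-tested in plain Node.

// Signatures keyed by Process.arch. Bytes are the prologues shown on this page;
// they are specific to the libflutter.so build the post analysed (assumption:
// other builds need their own pattern).
const SIGNATURES = {
  arm: {
    pattern: '2D E9 F0 4F 85 B0 06 46 50 20 10 70',
    thumb: true,   // push.w prologue: Thumb-2 code, needs the low bit set
  },
  arm64: {
    pattern: 'FF C3 01 D1 FD 7B 01 A9 FC 6F 02 A9 FA 67 03 A9 ' +
             'F8 5F 04 A9 F6 57 05 A9 F4 4F 06 A9 08 0A 80 52 48 00 00 39',
    thumb: false,  // no Thumb mode on arm64
  },
};

// Validate a match pattern written as space-separated two-hex-digit bytes
// (or ?? wildcards). Throws on a malformed token such as "A9FA", so a typo is
// caught explicitly instead of depending on the scanner's tokenisation.
function normalizePattern(pattern) {
  const tokens = pattern.trim().split(/\s+/);
  for (const t of tokens) {
    if (!/^([0-9a-fA-F]{2}|\?\?)$/.test(t)) {
      throw new Error('bad pattern token "' + t + '": each byte must be two hex digits or ??');
    }
  }
  return tokens.map(t => t.toUpperCase()).join(' ');
}

// Number of bytes a normalised pattern will match; useful as a sanity check.
function patternLength(pattern) {
  return normalizePattern(pattern).split(' ').length;
}

// Offset to add to a scan hit before Interceptor.attach: only 32-bit ARM Thumb
// code needs the low bit set; arm64 (and x86) addresses are used unchanged.
function attachOffset(arch, isThumb) {
  return (arch === 'arm' && isThumb) ? 1 : 0;
}

// Force the certificate-chain verification result to "success" (1).
function hookVerifyResult(address) {
  Interceptor.attach(address, {
    onEnter(args) { console.log('[*] session_verify_cert_chain called'); },
    onLeave(retval) {
      console.log('[*] original retval ' + retval + ' -> replaced with 1');
      retval.replace(0x1);
    },
  });
}

function hookFlutter() {
  const sig = SIGNATURES[Process.arch];
  if (sig === undefined) throw new Error('no signature for arch ' + Process.arch);
  const pattern = normalizePattern(sig.pattern);   // throws on a typo, before scanning

  const m = Process.findModuleByName('libflutter.so');
  if (m === null) {
    // Not mapped yet (e.g. spawned with frida -f); retry until the library loads.
    setTimeout(hookFlutter, 500);
    return;
  }

  let hits = 0;
  Memory.scan(m.base, m.size, pattern, {
    onMatch(address, size) {
      hits++;
      console.log('[+] prologue match at ' + address + ' (' + size + ' bytes)');
      hookVerifyResult(address.add(attachOffset(Process.arch, sig.thumb)));
    },
    onError(reason) { console.log('[!] scan error: ' + reason); },
    onComplete() {
      // More than one hit means the pattern is not unique in this build.
      console.log('[*] scan done, hooked ' + hits + ' match(es)');
    },
  });
}

// Only start hooking inside Frida; plain Node has no Process/Interceptor globals.
if (typeof Process !== 'undefined' && typeof Interceptor !== 'undefined') {
  hookFlutter();
}
```

Load it the usual way, for example `frida -U -f <package> -l flutter_ssl.js` (package name is a placeholder); the retry loop covers the window between process spawn and libflutter.so being mapped. Because the 64-bit listing above shows only the prologue, a second hit is plausible in other builds, which is why the script hooks every match and prints the count rather than stopping at the first one.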