├── Android ├── android_wireshark_tls │ ├── ssl_key.txt │ ├── image-20210520162400459.png │ ├── image-20210520164405461.png │ ├── sslkey_log.py │ ├── README.md │ └── sslkey_log.js ├── certs.dex ├── README.md ├── hook_ssl.js └── hook_ssl2.js ├── README.md └── .gitignore /Android/android_wireshark_tls/ssl_key.txt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Android/certs.dex: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lasting-yang/frida_bypass_ssl_example/HEAD/Android/certs.dex -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # frida_bypass_ssl_example 2 | 3 | ## Android 4 | 5 | 不用安装证书抓https 6 | 7 | [Android使用Wireshark抓包](./Android/android_wireshark_tls/) 8 | 9 | -------------------------------------------------------------------------------- /Android/android_wireshark_tls/image-20210520162400459.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lasting-yang/frida_bypass_ssl_example/HEAD/Android/android_wireshark_tls/image-20210520162400459.png -------------------------------------------------------------------------------- /Android/android_wireshark_tls/image-20210520164405461.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lasting-yang/frida_bypass_ssl_example/HEAD/Android/android_wireshark_tls/image-20210520164405461.png -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Compiled class file 2 | *.class 3 | 4 | # Log file 5 | *.log 6 | 7 | # BlueJ files 8 | *.ctxt 9 | 10 | # Mobile Tools for Java (J2ME) 11 | .mtj.tmp/ 12 | 13 | # Package Files # 14 | *.jar 15 | *.war 16 | *.nar 17 | *.ear 18 | *.zip 19 | *.tar.gz 20 | *.rar 21 | 22 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml 23 | hs_err_pid* 24 | -------------------------------------------------------------------------------- /Android/README.md: -------------------------------------------------------------------------------- 1 | # Android 2 | ## 0. 推荐《Android使用Wireshark抓包》 3 | 4 | [Android使用Wireshark抓包](./android_wireshark_tls/README.md) 5 | 6 | ## 1. hook_ssl.js 7 | 8 | ```text 9 | //一些app可以直接使用hook_ssl.js 10 | frida -U --no-pause -f xxxxxxxx.package.name -l hook_ssl.js 11 | ``` 12 | 13 | ## 2. hook_ssl2.js 14 | 15 | ```text 16 | //hook_ssl.js不好用了后,再使用hook_ssl2.js 17 | //仅测试android10, 其他版本的系统有可能overloads不一样,需要自己改改。 18 | 19 | 1. 先取消抓包 20 | 2. adb push certs.dex /data/local/tmp/certs.dex 21 | 3. 执行 hook_ssl2.js,收集chain 22 | frida -U --no-pause -f xxxxxxxx.package.name -l hook_ssl2.js 23 | 4. 打开抓包 24 | ``` 25 | 26 | -------------------------------------------------------------------------------- /Android/android_wireshark_tls/sslkey_log.py: -------------------------------------------------------------------------------- 1 | import frida 2 | import sys 3 | 4 | file_sskkey = open("ssl_key.txt", "a+") 5 | 6 | def on_message(message, data): 7 | global file_sskkey 8 | if message['type'] == 'send': 9 | file_sskkey.write(message['payload'] + "\n") 10 | file_sskkey.flush() 11 | print(message['payload']) 12 | else: 13 | pass 14 | 15 | package_name = sys.argv[1] 16 | pid = frida.get_usb_device().spawn(package_name) 17 | session = frida.get_usb_device().attach(pid) 18 | jscode = open("sslkey_log.js", "r").read() 19 | script = session.create_script(jscode) 20 | frida.get_usb_device().resume(pid) 21 | script.on('message', on_message) 22 | script.load() 23 | 24 | sys.stdin.read() -------------------------------------------------------------------------------- /Android/android_wireshark_tls/README.md: -------------------------------------------------------------------------------- 1 | # Android使用Wireshark抓包 2 | 3 | 4 | ## 0. 环境 5 | ``` 6 | 1. root手机 7 | 2. frida环境 8 | 3. 手机安装tcpdump (从这里下载 https://www.androidtcpdump.com/android-tcpdump/downloads ) 9 | 4. 电脑安装wireshark 10 | ``` 11 | 12 | ## 1. 手机运行tcpdump 13 | 14 | ``` 15 | adb shell su -c "/data/local/tmp/tcpdump -i any -U -w - | nc -l -p 11233" 16 | ``` 17 | 18 | ## 2. 转发tcpdump到Wireshark 19 | 20 | ``` 21 | adb forward tcp:11233 tcp:11233 && nc 127.0.0.1 11233 | wireshark -k -S -i - 22 | ``` 23 | 24 | ## 3. Wireshark配置TLS的log 25 | 26 | ![image-20210520162400459](image-20210520162400459.png) 27 | 28 | ## 4. 运行sslkey_log.py 29 | 30 | ``` 31 | python sslkey_log.py packagename 32 | ``` 33 | 34 | ## 5. 效果 35 | 36 | ![image-20210520164405461](image-20210520164405461.png) 37 | 38 | -------------------------------------------------------------------------------- /Android/android_wireshark_tls/sslkey_log.js: -------------------------------------------------------------------------------- 1 | function startTLSKeyLogger(SSL_CTX_new, SSL_CTX_set_keylog_callback) { 2 | function keyLogger(ssl, line) { 3 | send(new NativePointer(line).readCString()); 4 | } 5 | const keyLogCallback = new NativeCallback(keyLogger, 'void', ['pointer', 'pointer']); 6 | 7 | Interceptor.attach(SSL_CTX_new, { 8 | onLeave: function(retval) { 9 | const ssl = new NativePointer(retval); 10 | const SSL_CTX_set_keylog_callbackFn = new NativeFunction(SSL_CTX_set_keylog_callback, 'void', ['pointer', 'pointer']); 11 | SSL_CTX_set_keylog_callbackFn(ssl, keyLogCallback); 12 | } 13 | }); 14 | } 15 | 16 | function main() { 17 | startTLSKeyLogger( 18 | Module.findExportByName('libssl.so', 'SSL_CTX_new'), 19 | Module.findExportByName('libssl.so', 'SSL_CTX_set_keylog_callback') 20 | ) 21 | } 22 | 23 | setImmediate(main); -------------------------------------------------------------------------------- /Android/hook_ssl.js: -------------------------------------------------------------------------------- 1 | function hook_checkServerTrusted() { 2 | var ClassName = "com.android.org.conscrypt.Platform"; 3 | var Platform = Java.use(ClassName); 4 | var targetMethod = "checkServerTrusted"; 5 | var len = Platform[targetMethod].overloads.length; 6 | console.log(len); 7 | for (var i = 0; i < len; ++i) { 8 | Platform[targetMethod].overloads[i].implementation = function () { 9 | console.log("class:", ClassName, "target:", targetMethod, " i:", i, arguments); 10 | }; 11 | } 12 | } 13 | 14 | function hook_checkTrustedRecursive() { 15 | var ClassName = "com.android.org.conscrypt.TrustManagerImpl"; 16 | var TrustManagerImpl = Java.use(ClassName); 17 | var targetMethod = "checkTrustedRecursive"; 18 | var ArrayList = Java.use("java.util.ArrayList"); 19 | 20 | var len = TrustManagerImpl[targetMethod].overloads.length; 21 | console.log(len); 22 | for (var i = 0; i < len; ++i) { 23 | TrustManagerImpl[targetMethod].overloads[i].implementation = function () { 24 | console.log("class:", ClassName, "target:", targetMethod, " i:", i, arguments); 25 | return ArrayList.$new(); 26 | }; 27 | } 28 | } 29 | function hook_ssl() { 30 | Java.perform(function () { 31 | hook_checkServerTrusted(); 32 | hook_checkTrustedRecursive(); 33 | }); 34 | } 35 | 36 | setTimeout(hook_ssl, 100); -------------------------------------------------------------------------------- /Android/hook_ssl2.js: -------------------------------------------------------------------------------- 1 | 2 | function hook_ssl() { 3 | var cert_dex = Java.openClassFile("/data/local/tmp/certs.dex"); 4 | 5 | Java.perform(function () { 6 | cert_dex.load(); 7 | var certs = Java.use("com.example.certs"); 8 | var ClassName = "com.android.org.conscrypt.Platform"; 9 | var Platform = Java.use(ClassName); 10 | var targetMethod = "checkServerTrusted"; 11 | var len = Platform[targetMethod].overloads.length; 12 | console.log("checkServerTrusted overloads:", len); 13 | Platform.checkServerTrusted.overload('javax.net.ssl.X509TrustManager', '[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'com.android.org.conscrypt.ConscryptEngine').implementation = 14 | function(tm, chain, authType, engine) { 15 | var result = this.checkServerTrusted(tm, chain, authType, engine); 16 | console.log("checkServerTrusted 1 authType:", authType, " engine:", engine); 17 | return result; 18 | }; 19 | 20 | Platform.checkServerTrusted.overload('javax.net.ssl.X509TrustManager', '[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'com.android.org.conscrypt.AbstractConscryptSocket').implementation = 21 | function(tm, chain, authType, socket) { 22 | var s = socket.toString(); 23 | var addr = s.substring(s.indexOf("[") + 1, s.indexOf(",")); 24 | var host = addr.split("=")[1].split("/")[0]; 25 | if (host == "") { 26 | host = addr.split("=")[1].split("/")[1]; 27 | } 28 | var r = certs.save_cert(host, chain); 29 | console.log("checkServerTrusted 2 authType:", authType, " socket:", socket, host); 30 | var tmp_chain = certs.get_cert(host); 31 | var result = this.checkServerTrusted(tm, tmp_chain, authType, socket); 32 | return result; 33 | }; 34 | 35 | Platform.checkClientTrusted.overload('javax.net.ssl.X509TrustManager', '[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'com.android.org.conscrypt.ConscryptEngine').implementation = 36 | function(tm, chain, authType, engine) { 37 | var result = this.checkClientTrusted(tm, chain, authType, engine); 38 | console.log("checkClientTrusted 1 authType:", authType, " engine:", engine); 39 | return result; 40 | }; 41 | 42 | Platform.checkClientTrusted.overload('javax.net.ssl.X509TrustManager', '[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'com.android.org.conscrypt.AbstractConscryptSocket').implementation = 43 | function(tm, chain, authType, socket) { 44 | var result = this.checkClientTrusted(tm, chain, authType, socket); 45 | console.log("checkClientTrusted 2 authType:", authType, " socket:", socket); 46 | return result; 47 | }; 48 | 49 | }); 50 | } 51 | 52 | setTimeout(hook_ssl, 100); --------------------------------------------------------------------------------