Preparation
The phone must be rooted. Download the frida-server build that matches the phone from https://github.com/frida/frida/releases; most phones today are arm64.
Install adb on the computer, connect the phone over USB, and enable USB debugging in Developer options. Run adb devices
to confirm the phone is connected, then adb push frida-server to the phone, chmod 777 it, switch to the root user and run it. At this step the phone asks you to confirm that adb is requesting root; Magisk can be used to manage root grants.
adb push arm64-frida-server /data/local/tmp
adb shell
chmod 777 /data/local/tmp/arm64-frida-server
su
/data/local/tmp/arm64-frida-server
Install frida on the computer directly with pip; common problems are covered in this article:
https://www.jianshu.com/p/25b430bb60a6
Set up port forwarding on the computer side
adb forward tcp:27042 tcp:27042
adb forward tcp:27043 tcp:27043
First run frida-ps -U
to check that the connection succeeded; its output also shows the process name of the app you want to hook.
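The preparation steps above are easy to get wrong silently (an unauthorized adb session, a frida-server built for the wrong ABI). The following Python helper is an added example, not code from the original article: it parses adb devices output to confirm the phone is in the "device" state (an "unauthorized" entry means the USB debugging prompt on the phone has not been accepted yet), maps the ABI reported by getprop ro.product.cpu.abi to the architecture suffix used in frida-server release asset names (frida-server-<version>-android-<arch>.xz, as published on the GitHub releases page), and builds the push/chmod/forward commands from the article. The sample adb output is constructed, the version string is a placeholder, and the example uses chmod 755 rather than 777 because execute permission is all the binary needs.

```python
import subprocess
import sys
from typing import Dict, List, Optional

# Android ABI (getprop ro.product.cpu.abi) -> arch suffix in frida-server asset names
ABI_TO_FRIDA_ARCH: Dict[str, str] = {
    "arm64-v8a": "arm64",
    "armeabi-v7a": "arm",
    "x86_64": "x86_64",
    "x86": "x86",
}

REMOTE_DIR = "/data/local/tmp"
FRIDA_PORTS = (27042, 27043)  # the two ports the article forwards

# Constructed sample of `adb devices` output: one phone still waiting for the
# USB-debugging prompt, one ready to use.
SAMPLE_ADB_DEVICES = (
    "List of devices attached\n"
    "ABC123\tunauthorized\n"
    "XYZ789\tdevice\n"
    "\n"
)


def parse_adb_devices(output: str) -> Dict[str, str]:
    """Parse `adb devices` output into {serial: state}.

    States seen in practice: 'device' (ready), 'unauthorized' (prompt on the
    phone not accepted yet), 'offline'. Header and '* daemon ...' lines are skipped.
    """
    devices: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue
        parts = line.split()
        if len(parts) >= 2:
            devices[parts[0]] = parts[1]
    return devices


def ready_device(output: str) -> Optional[str]:
    """Serial of the first device in the 'device' state, or None if nothing is usable."""
    for serial, state in parse_adb_devices(output).items():
        if state == "device":
            return serial
    return None


def frida_server_asset(abi: str, version: str) -> str:
    """Release asset name for the phone's primary ABI; raises on an ABI frida does not ship."""
    arch = ABI_TO_FRIDA_ARCH.get(abi.strip())
    if arch is None:
        raise ValueError("unsupported ABI: %r" % abi)
    return "frida-server-%s-android-%s.xz" % (version, arch)


def setup_commands(local_binary: str, remote_name: str = "frida-server") -> List[List[str]]:
    """adb commands mirroring the article's manual steps: push, chmod, forward both ports."""
    remote = "%s/%s" % (REMOTE_DIR, remote_name)
    cmds = [
        ["adb", "push", local_binary, remote],
        ["adb", "shell", "chmod", "755", remote],  # execute bit is all that is needed
    ]
    for port in FRIDA_PORTS:
        cmds.append(["adb", "forward", "tcp:%d" % port, "tcp:%d" % port])
    return cmds


def demo() -> Dict[str, object]:
    """Run the parsers on the constructed sample (offline); used for the self-check."""
    return {
        "serial": ready_device(SAMPLE_ADB_DEVICES),
        "asset": frida_server_asset("arm64-v8a", "<version>"),
        "commands": setup_commands("./frida-server"),
    }


def run(cmd: List[str]) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Real run against the connected phone; argv[1] is the extracted frida-server binary.
    serial = ready_device(run(["adb", "devices"]))
    if serial is None:
        sys.exit("no authorized device: accept the USB debugging prompt on the phone")
    abi = run(["adb", "-s", serial, "shell", "getprop", "ro.product.cpu.abi"]).strip()
    print("device %s, abi %s -> download %s" % (serial, abi, frida_server_asset(abi, "<version>")))
    for cmd in setup_commands(sys.argv[1] if len(sys.argv) > 1 else "frida-server"):
        print(" ".join(cmd))
        run(cmd)
    # Start the server as root (Magisk will prompt for the su grant), then list processes.
    subprocess.Popen(["adb", "-s", serial, "shell", "su", "-c", REMOTE_DIR + "/frida-server"])
    print(run(["frida-ps", "-U"]))
```

The pure functions are what the self-check exercises; the block under __main__ is the part that actually talks to adb and frida-ps on a connected phone.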
The Frida script for bypassing SSL pinning is below. The use case: when capturing packets with Fiddler you have installed Fiddler's certificate on the phone, but the app only trusts its own root certificate, so the app cannot connect or no HTTPS traffic can be captured. Source: http://www.zghlxwxcb.cn/news/detail-522620.html
import frida
import sys

print("start")

# Attach over USB to the target app by process name (as listed by frida-ps -U)
session = frida.get_usb_device().attach('Facebook')

# JavaScript injected into the app: replace TrustManagerImpl.checkTrustedRecursive,
# the platform method that validates the server certificate chain, so that it
# returns an empty list instead of throwing on an untrusted chain.
src = """
setTimeout(function(){
    Java.perform(function() {
        var array_list = Java.use("java.util.ArrayList");
        var ApiClient = Java.use('com.android.org.conscrypt.TrustManagerImpl');
        ApiClient.checkTrustedRecursive.implementation = function(a1, a2, a3, a4, a5, a6) {
            console.log('Bypassing SSL Pinning');
            var k = array_list.$new();
            return k;
        }
    });
}, 0);
"""

def on_message(message, data):
    # Payloads sent with send() are printed as [+]; errors and anything else as [-]
    if message["type"] == "send":
        print("[+] {}".format(message["payload"]))
    else:
        print("[-] {}".format(message))

script = session.create_script(src)
script.on("message", on_message)
script.load()
# Keep the Python process (and therefore the loaded script) alive until stdin is closed
sys.stdin.read()
Or write it as an Xposed module; nowadays these all run on LSPosed. Installing LSPosed and writing modules are covered in my other articles.
package com.xposed.ssl;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Set;

public class passHook implements IXposedHookLoadPackage {
    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
        XposedBridge.log("Loaded app: " + lpparam.packageName);
        // Parameter types of checkTrustedRecursive, in order:
        // X509Certificate[], byte[], byte[], String, boolean, ArrayList, ArrayList, Set
        Class<?> trustmanager = lpparam.classLoader.loadClass("com.android.org.conscrypt.TrustManagerImpl");
        XposedHelpers.findAndHookMethod(trustmanager, "checkTrustedRecursive",
                X509Certificate[].class, byte[].class, byte[].class, String.class, boolean.class,
                ArrayList.class, ArrayList.class, Set.class, new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                super.beforeHookedMethod(param);
                XposedBridge.log("ssl pinning start");
            }

            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                super.afterHookedMethod(param);
                // Replace the validated chain with an empty list so the check never fails
                ArrayList<X509Certificate> result = new ArrayList<>();
                param.setResult(result);
            }
        });
    }
}
This concludes the article on bypassing SSL pinning with Frida on a phone.