SSLUnpinning_Xposed

Instagram 10.0.0 and up.

Open GHXST01 opened this issue 8 years ago • 17 comments

Hey,

Since v10.0.0 and up, I have been getting SSL errors even while using the Xposed module. Any way to tell why this is happening?

Thanks :)

GHXST01 avatar Dec 15 '16 13:12 GHXST01

Maybe Instagram does not use the API that these hooks work on.

ac-pm avatar Dec 15 '16 14:12 ac-pm

Yes, confirmed, even for Inspeckage.

ydaniels avatar Jan 25 '17 16:01 ydaniels

I'm up for any collaboration to patch their cert pinning.

GHXST01 avatar Jan 25 '17 16:01 GHXST01

@GHXST01 can you please guide me on how to patch their cert pinning.

simransandhu1203 avatar Feb 08 '17 16:02 simransandhu1203

Cert pinning is done in native code and requires some knowledge of IDA to patch.

I'll make a guide once I am more confident in how to patch it.

GHXST01 avatar Feb 08 '17 16:02 GHXST01

Any luck with patching?

maximTartachnik avatar Feb 13 '17 11:02 maximTartachnik

@GHXST01 can I email you? Thanks :)

mangledbottles avatar Feb 15 '17 22:02 mangledbottles

@GHXST01 have you figured out anything about how to patch it? I'm currently trying to change the APK logic, but it doesn't work, so I think it's really done natively. Could you please give any ideas about which lib it's done in?

slruslan avatar Apr 30 '17 05:04 slruslan

@slruslan Check out libxliger.so

idb- avatar May 16 '17 20:05 idb-

Can anyone share how to bypass SSL pinning on the latest Instagram app?

ghost avatar Jun 23 '17 02:06 ghost

@mangledbottles @rpw98 @slruslan @maximTartachnik @simransandhu1203

Use Frida.

```js
var moduleNames  = ['libxliger.so', 'libsslx.so'];
var functionName = 'X509_verify_cert';

moduleNames.forEach(function (moduleName) {

    Interceptor.attach(Module.findExportByName(moduleName, functionName), {

        onEnter: function (args) {
            // Logging the progress
            send('');
        },

        onLeave: function (retval) {
            // Patching return value from 0x0 -> 0x1
            retval.replace(1);
        }

    });

});
```


GHXST01 avatar Jun 24 '17 14:06 GHXST01

@GHXST01 your code doesn't work for me =( Instagram version 10.25.1

Fi5t avatar Jul 01 '17 20:07 Fi5t

Use this Patch

martinhood avatar Nov 20 '17 19:11 martinhood

There is a way to patch the APK file only, without using any module or patching any native library. It might be of interest to those having non-rooted devices.

ghost avatar Dec 21 '17 12:12 ghost

@martinhood did this patch work for you?

lazyjohny500 avatar Feb 08 '18 10:02 lazyjohny500

@lazyjohny500 Works like a charm :)

asad0x01 avatar Mar 23 '18 15:03 asad0x01

@martinhood @asad0x01 can either of you document the actual patch? I'd like to make it available in Frida to avoid tampering with the APK.

GHXST01 avatar May 26 '18 23:05 GHXST01