frida-interception-and-unpinning

Unable to Bypass SSL Pinning for Unity Game

Open • awesomness560 opened this issue 1 year ago • 1 comment

I've tried to use the unpinning scripts to bypass what I think is SSL Pinning on a Unity Game. However, every time the app attempts to do the TLS handshake, it disconnects even though I injected the scripts. I am also using HTTP Toolkit via the "Android Device via ADB" option connected to a rooted phone. Below I attached the logs.

Namely, the communication error appeared every time this set of logs also appeared:

Manually intercepting connection to 35.193.120.131:34210
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 177 to {"ip":"127.0.0.1","port":8000} (-1)

This is the command that I used:

frida -U -f com.bandainamcoent.dblegends_ww -l config.js -l ./native-connect-hook.js -l ./native-tls-hook.js -l ./android/android-proxy-override.js  -l ./android/android-system-certificate-injection.js -l ./android/android-certificate-unpinning.js -l ./android/android-certificate-unpinning-fallback.js

Here are the logs:

*** Starting scripts ***
== Redirecting all TCP connections to 127.0.0.1:8000 ==
[+] Patched 2 libssl.so verification methods
== Hooked native TLS lib libssl.so ==
Spawned `com.bandainamcoent.dblegends_ww`. Resuming main thread!
[CPH2513::com.bandainamcoent.dblegends_ww ]-> Ignoring unix:dgram connection
Ignoring unix:dgram connection
== Proxy system configuration overridden to 127.0.0.1:8000 ==
Rewriting <class: sun.net.spi.DefaultProxySelector>
Rewriting <class: java.net.ProxySelector>
Rewriting <class: android.net.PacProxySelector>
== Proxy configuration overridden to 127.0.0.1:8000 ==
[+] Injected cert into com.android.org.conscrypt.TrustedCertificateIndex
[ ] Skipped cert injection for org.conscrypt.TrustedCertificateIndex (not present)
[ ] Skipped cert injection for org.apache.harmony.xnet.provider.jsse.TrustedCertificateIndex (not present)
== System certificate trust injected ==

    === Disabling all recognized unpinning libraries ===
[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[ ] com.android.org.conscrypt.CertPinManager isChainValid
[+] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init(*) (0)
[+] android.security.net.config.NetworkSecurityConfig $init(*) (1)
[+] com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
[+] com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[+] okhttp3.CertificatePinner check(String, List)
[ ] okhttp3.CertificatePinner check(String, Certificate)
[+] okhttp3.CertificatePinner check(String, Certificate;[])
[ ] okhttp3.CertificatePinner check$okhttp
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==
*** Scripts completed ***

Ignoring unix:dgram connection
 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 197 to {"ip":"127.0.0.1","port":8000} (-1)
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 188 to {"ip":"127.0.0.1","port":8000} (-1)
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 190 to {"ip":"127.0.0.1","port":8000} (-1)
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 198 to {"ip":"127.0.0.1","port":8000} (-1)
Manually intercepting connection to 35.193.120.131:34210
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 298 to {"ip":"127.0.0.1","port":8000} (-1)
Manually intercepting connection to 35.193.120.131:34210
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 301 to {"ip":"127.0.0.1","port":8000} (-1)
Manually intercepting connection to 35.193.120.131:34210
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 316 to {"ip":"127.0.0.1","port":8000} (-1)
Manually intercepting connection to 35.193.120.131:34210
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 316 to {"ip":"127.0.0.1","port":8000} (-1)

awesomness560, Dec 03 '24 22:12