TLS Verification disabling fails; No memory ranges found in Flutter library. #7
Comments
Have the same issue here unfortunately. Attached the used libflutter.so files if that's of any help.
If you're in the same boat as me, I managed to intercept my target app with Burp using reFlutter (https://github.com/Impact-I/reFlutter). It patches flutter from the apk/ipa to enforce a custom MitM proxy. Hope that helps in the meantime!
I have the same issue. Is there anyone who can help me?
@biruk1224 Can you share your APK?
app.zip
For this last zip, the pattern matches, so this is most likely related to frida/frida#2266 I currently don't have an Android 11 device to test though, but I can confirm that Frida doesn't find the correct ranges. |
My pattern for x64 and small modification so it works for me.
Thanks @gelldur. Based on his idea, I added a loop to find a valid pattern.

```javascript
function disableTLSValidation(fallback=false) {
    if (TLSValidationDisabled) return;

    var platformConfig = config[Java.available ? "android" : "ios"];
    var m = Process.findModuleByName(platformConfig["modulename"]);

    // If there is no loaded Flutter module, the setTimeout may trigger a second time, but after that we give up
    if (m === null) {
        if (fallback) console.log("[!] Flutter module not found.");
        return;
    }

    if (Process.arch in platformConfig["patterns"]) {
        console.log("[+] Flutter library found");

        // Try every pattern known for this architecture; the first one that matches wins
        var patterns = platformConfig["patterns"][Process.arch];
        patterns.forEach(pattern => {
            Memory.scan(m.base, m.size, pattern, {
                onMatch: function(address, size) {
                    console.log('[+] Match pattern: ' + pattern);
                    console.log('[+] ssl_verify_result found at: ' + address.toString());
                    console.log('[+] ssl_verify_peer_cert found at offset: 0x' + address.sub(m.base).toString(16));
                    TLSValidationDisabled = true;
                    // On 32-bit ARM (Android) the function is Thumb code, so set the low bit of the address
                    var thumb = Java.available && Process.arch == "arm" ? 1 : 0;
                    hook_ssl_verify_peer_cert(address.add(thumb));
                    console.log("[+] Hook success!");
                },
                onError: function(reason) {
                    console.log('[!] There was an error scanning memory: ' + reason);
                },
                onComplete: function() {
                    console.log("[+] Done");
                }
            });
        });
    } else {
        console.log("[!] Processor architecture not supported: ", Process.arch);
    }

    if (!TLSValidationDisabled) {
        if (fallback) {
            // No readable+executable ranges at all means the scan had nothing to look at
            if (m.enumerateRanges('r-x').length == 0) {
                console.log('[!] No memory ranges found in Flutter library. This is either a Frida bug, or the application is using some kind of RASP. Try using Frida as a Gadget or using an older Android version (https://github.com/frida/frida/issues/2266)');
            } else {
                console.log('[!] ssl_verify_peer_cert not found. Please open an issue at https://github.com/NVISOsecurity/disable-flutter-tls-verification/issues');
            }
        } else {
            console.log('[!] ssl_verify_peer_cert not found. Trying again...');
        }
    }
}
```
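As an added example, not code from this issue or from the NVISO script: a plain-JavaScript model of the pattern scan in the comment above. It reimplements the matching behaviour of Frida's `Memory.scan` for the hex/`??` pattern form over a constructed byte buffer (the sample bytes and candidate patterns below are made up for the example and are not a real libflutter.so signature), and runs the same try-each-pattern loop, so the outcomes this thread is about (a pattern matches once, no pattern matches, a pattern is too loose and hits more than once) can be reproduced offline without a device. `parsePattern`, `scanBuffer`, `findFunctionOffset` and `demo` are names chosen here, not Frida or script APIs.

```javascript
// Parse a Frida-style pattern string ("55 48 89 e5 ?? 48 ...") into
// byte values; a "??" token becomes null and matches any byte.
function parsePattern(pattern) {
  return pattern.trim().split(/\s+/).map(tok => {
    if (tok === '??') return null;
    if (!/^[0-9a-fA-F]{2}$/.test(tok)) throw new Error('bad pattern token: ' + tok);
    return parseInt(tok, 16);
  });
}

// Return every offset in `buf` where the pattern matches. This is what
// Memory.scan reports through onMatch, one call per hit.
function scanBuffer(buf, pattern) {
  const needle = parsePattern(pattern);
  const hits = [];
  for (let i = 0; i + needle.length <= buf.length; i++) {
    let ok = true;
    for (let j = 0; j < needle.length; j++) {
      if (needle[j] !== null && buf[i + j] !== needle[j]) { ok = false; break; }
    }
    if (ok) hits.push(i);
  }
  return hits;
}

// Mirror of the per-architecture loop in the comment above: try the
// candidate patterns in order and stop at the first one that yields hits.
// Zero hits for every pattern is the "ssl_verify_peer_cert not found" case;
// more than one hit means the pattern is too loose to identify one function.
function findFunctionOffset(buf, patterns) {
  for (const pattern of patterns) {
    const hits = scanBuffer(buf, pattern);
    if (hits.length === 1) return { pattern: pattern, offset: hits[0], reason: null };
    if (hits.length > 1) return { pattern: pattern, offset: null, reason: 'ambiguous (' + hits.length + ' hits)' };
  }
  return { pattern: null, offset: null, reason: 'no pattern matched' };
}

// Constructed sample "module": 64 filler bytes with a fake function prologue
// placed at offset 0x20. These bytes are invented for the example.
const SAMPLE_MODULE = new Uint8Array(64).fill(0x90);
SAMPLE_MODULE.set([0x55, 0x48, 0x89, 0xe5, 0x41, 0x57, 0x41, 0x56], 0x20);

// Constructed candidate patterns: the first is for a "different build" and
// never matches here; the second wildcards the byte that varies and matches.
const SAMPLE_PATTERNS = [
  '55 48 89 e5 41 56 41 55',
  '55 48 89 e5 ?? 57 41 56',
];

function demo() {
  const result = findFunctionOffset(SAMPLE_MODULE, SAMPLE_PATTERNS);
  if (result.offset === null) {
    console.log('[!] ' + result.reason);
  } else {
    console.log('[+] Match pattern: ' + result.pattern);
    console.log('[+] found at offset: 0x' + result.offset.toString(16));
  }
  return result;
}

demo();
```

The one behavioural difference from the Frida script is deliberate: where `Memory.scan` would call `onMatch` (and the hook) once per hit, `findFunctionOffset` treats several hits as a failure, because a signature that matches in more than one place is not a reliable locator for a single function and should be tightened before it is used.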
It worked, the code does not return an error, but it cannot intercept the network.
Did you find a valid pattern? And which proxy are you using? You can read more at https://github.com/NVISOsecurity/disable-flutter-tls-verification#warning-what-if-this-script-doesnt-work
For others:
I've refactored the script to hopefully no longer have this issue. Please create a new issue if this problem reemerges. |
Unfortunately I can't provide the target application due to an NDA, but I'll try to give as much information as possible.
Target: Android 10, LineageOS 17.1, Frida-Server 16.0.2-arm64, rooted with magisk.
I proxy everything with ProxyDroid.
From the target app, I gathered:
Attempting to disable TLS verification:
The target app opens on the device, but requests fail. Burp logs "client failed to negotiate the TLS connection. Remote host terminated the handshake".