
Doesn't work for https://play.google.com/store/apps/details?id=enterprises.dating.boo #3

Closed
ardzz opened this issue Sep 8, 2022 · 6 comments
ardzz commented Sep 8, 2022

How do I find the offset manually? I've read your article. And it said

If we take a look at the [ssl_crypto_x509_session_verify_cert_chain](https://github.com/google/boringssl/blob/master/ssl/ssl_x509.cc#L362) function again, we can see that the OPENSSL_PUT_ERROR macro is called at line 390. Searching for the number 390 (or 0x186) gives us some results (Search > For Scalars…):

How did you know that OPENSSL_PUT_ERROR is called at line 390? Because there are so many OPENSSL_PUT_ERROR calls in the x509.cc script. Can you give me a screenshot of the code at line 390? Thank you

Apologies for my bad English

ardzz commented Sep 8, 2022

[Screenshot: Screen Shot 2022-09-08 at 07 59 29]

ardzz commented Sep 8, 2022

Here are the libraries
x86_64.zip
arm64-v8a.zip

TheDauntless (Collaborator) commented

The md5sums for this app are:

arm64-v8a: 4e7bf42e24dac3b1ff9737ea7a8351b6
x86_64: 2d9092cd3a69f0f0da4a545607fbf3d2

These two hashes are covered by the script. However, for some reason Frida can't find any active ranges inside of the Flutter module. This is either a Frida bug, or the application is using some kind of RASP.

> frida --no-pause -U -f enterprises.dating.boo 
     ____
    / _  |   Frida 15.2.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to SM G950F (id=ce02171255925c1b04)
Spawned `enterprises.dating.boo`. Resuming main thread!
[SM G950F::enterprises.dating.boo ]-> Process.findModuleByName("libflutter.so")
{
    "base": "0x6d0b4c1000",
    "name": "libflutter.so",
    "path": "/data/app/~~53aZ8vx7RLjO1eia_Vikyw==/enterprises.dating.boo-sovEFIjUrq2ioEiYCk-luA==/split_config.arm64_v8a.apk!/lib/arm64-v8a/libflutter.so",
    "size": 9625600
}
[SM G950F::enterprises.dating.boo ]-> Process.findModuleByName("libflutter.so").enumerateRanges("---")
[]

Both Frida bugs and RE'ing RASP are beyond the scope of this project, so I can't help you. I did update the error message in case this situation happens.

Feel free to reopen if you have further info / updates.

ardzz commented Sep 13, 2022

Informatively, those addresses are verified but it still doesn't work. Is this caused by a bug in Frida, or because the app I use has implemented RASP? 😞
[Screenshot: Screen Shot 2022-09-13 at 23 29 48]
[Screenshot: Screen Shot 2022-09-13 at 23 30 23]

TheDauntless (Collaborator) commented

Can you try using the Frida Gadget approach instead of frida-server? See frida/frida#2266

TheDauntless reopened this Oct 5, 2022

ardzz commented Oct 6, 2022

Not yet ...
[Screenshot: Screen Shot 2022-10-06 at 13 14 00]
