sensepost/memunpin
memunpin

Utilities for working around certificate pinning with Objection.

This repository is centered around an Objection plugin named certpinutils that helps you:

  • calculate the SHA-256 public key hash for a local certificate
  • retrieve SHA-256 public key hashes from a remote TLS certificate chain
  • replace discovered pinning hashes in process memory with your proxy certificate hash

The repository also includes a couple of small Frida JavaScript helpers for memory search/replace and OpenSSL-related instrumentation.

Repository layout

  • plugin/: the Objection plugin implementation
  • tools.js: helper functions for searching and replacing values in memory from Frida
  • openssl.js: Frida hooks for selected OpenSSL functions and key export helpers

Objection plugin

The plugin namespace is certpinutils and it exposes three commands:

  • cert_sha256 <certificate.pem> Computes the SHA-256 hash of the certificate public key, prints both raw hex and Base64, and stores the Base64 value for later replacement.
  • retrieve_chain_hashes <host> Connects to <host>:443, extracts the presented certificate chain, computes each public key SHA-256 hash, and stores the Base64 hashes.
  • replace_hashes Replaces every stored chain hash found in process memory with the previously stored proxy certificate hash.

Prerequisites

  • Objection
  • openssl installed and available in PATH
  • xxd available in PATH

The plugin checks for openssl during initialization and will refuse to load without it.

Typical workflow

  1. Prepare the certificate used by your interception proxy in PEM format.
  2. Start Objection and load the certpinutils plugin folder in your normal Objection workflow (-P certpinutils).
  3. Run cert_sha256 with the proxy certificate to capture the replacement hash.
  4. Run retrieve_chain_hashes with the target host to collect the original pinning hashes.
  5. Run replace_hashes to patch matching hashes in memory. This should be done after the app has made some kind of network request to ensure the relevant hashes are present in memory.

Example command sequence inside an Objection session after the plugin is loaded:

cert_sha256 ./proxy-cert.pem
retrieve_chain_hashes api.example.com
replace_hashes

Notes

  • replace_hashes depends on both earlier steps. If no hashes have been collected, the plugin exits with an error.
  • retrieve_chain_hashes currently connects to port 443.
  • The hash format used by the plugin matches common certificate pinning implementations: SHA-256 of the DER-encoded public key, shown as Base64.
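As an added illustration of the pin format described in the note above (this is not code from memunpin), the following stdlib-only Python walks the DER structure of an X.509 certificate to the SubjectPublicKeyInfo and produces its SHA-256 as hex and Base64, the two forms cert_sha256 prints. The sample certificate at the bottom is constructed inline around a dummy RSA key so the block runs offline.

```python
import base64, hashlib, re

def pem_to_der(pem: bytes) -> bytes:
    # Strip the PEM armour and Base64-decode the certificate body.
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(b"".join(m.group(1).split()))

def read_tlv(buf: bytes, pos: int):
    # Parse one DER tag + length at pos; return (tag, value_start, value_end).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der: bytes) -> bytes:
    # TBSCertificate = [0] version?, serialNumber, signature, issuer, validity, subject, SPKI, ...
    _, pos, _ = read_tlv(cert_der, read_tlv(cert_der, 0)[1])  # into Certificate, then TBSCertificate
    tag, _, nxt = read_tlv(cert_der, pos)
    pos = nxt if tag == 0xA0 else pos      # skip the explicit [0] version when present (v2/v3)
    for _ in range(5):                     # skip serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return cert_der[pos:end]               # the whole SPKI TLV: this is what gets hashed

def spki_pin(cert: bytes) -> tuple:
    # (hex, Base64) of SHA-256 over the DER-encoded SPKI; accepts PEM or DER input.
    der = pem_to_der(cert) if b"-----BEGIN" in cert else cert
    digest = hashlib.sha256(extract_spki(der)).digest()
    return digest.hex(), base64.b64encode(digest).decode()

def tlv(tag: int, body: bytes) -> bytes:
    # Minimal DER encoder (short and long-form lengths), used only to build the sample below.
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

# Constructed sample: a valid-looking X.509 v3 skeleton around a dummy RSA key (not a real cert, filler signature).
_RSA, _SIG = bytes.fromhex("06092A864886F70D0101010500"), bytes.fromhex("06092A864886F70D01010B0500")  # rsaEncryption, sha256WithRSA (+NULL)
SAMPLE_SPKI = tlv(0x30, tlv(0x30, _RSA) + tlv(0x03, b"\x00" + tlv(0x30,       # alg, BIT STRING { RSAPublicKey }
    tlv(0x02, b"\x00" + bytes(range(0x80, 0xA0))) + tlv(0x02, b"\x01\x00\x01"))))  # modulus, exponent 65537
_TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, _SIG)      # version, serial, sigAlg
           + tlv(0x30, b"") + tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"260101000000Z"))  # issuer, validity
           + tlv(0x30, b"") + SAMPLE_SPKI)                                                  # subject, SPKI
SAMPLE_CERT_DER = tlv(0x30, _TBS + tlv(0x30, _SIG) + tlv(0x03, b"\x00" + b"\xAA" * 32))     # 176 bytes, long-form length
```

Running spki_pin on the proxy certificate and on each chain certificate gives the Base64 strings the plugin later searches for in memory; comparing them against the values the app actually pins is how a defender verifies a pin set before shipping.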

Helper scripts

tools.js

Provides a few generic Frida helpers:

  • search(pattern, permission) to scan memory ranges
  • replaceHex(pattern, replace, permission) to replace matched byte sequences
  • replaceString(pattern, replace, permission) to replace strings by converting them to bytes first

openssl.js

Contains OpenSSL-oriented Frida helpers and hooks for inspecting selected libssl.so calls. This is useful when you need to confirm where key or certificate handling happens in the target process.

License

See LICENSE.