[bug] SSL Pinning SIGSEGV Error #517

Closed
luke13456 opened this issue Jan 4, 2022 · 2 comments

luke13456 commented Jan 4, 2022

[usb] # android sslpinning disable
(agent) Custom TrustManager ready, overriding SSLContext.init()
(agent) Found okhttp3.CertificatePinner, overriding CertificatePinner.check()
An unexpected internal exception has occurred. If this looks like a code related error, please file a bug report!
(session detach message) process-terminated
script has been destroyed
(process crash report)

	*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/sdk_gphone_x86_64/generic_x86_64_arm64:11/RSR1.201211.001/7027799:user/release-keys'
Revision: '0'
ABI: 'x86_64'
Timestamp: 2022-01-04 01:05:29-0600
pid: 4775, tid: 5181, name: Thread-22  >>> com.microsoft.xboxone.smartglass <<<
uid: 10159
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xf2e79d2e
    rax 000072c1037aca00  rbx 000072bff2be50a8  rcx 8b45ae29d3e41140  rdx 000000000000123d
    r8  0000000000000002  r9  0000000000000000  r10 000000006f6b76b0  r11 0000000000000000
    r12 000000000000123d  r13 00000000f2e79d2a  r14 000000006f655438  r15 000072c0c37a2b50
    rdi 000072c0c37a2b50  rsi 000000006f6cba00
    rbp 000072bf8b465970  rsp 000072bf8b4658a0  rip 000072bff373355a
backtrace:
      #00 pc 000000000078a55a  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x643000) (MterpInvokeVirtual+218) (BuildId: 7fbaf2a1a3317bd634b00eb90e32291e)
      #01 pc 0000000000162f99  /apex/com.android.art/lib64/libart.so (mterp_op_invoke_virtual+25) (BuildId: 7fbaf2a1a3317bd634b00eb90e32291e)
      #02 pc 00000000000fa0a8  /apex/com.android.art/javalib/core-oj.jar (java.lang.reflect.Method.getGenericReturnType)
      #03 pc 0000000000392b7f  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x2cc000) (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.llvm.17093650825981166841)+335) (BuildId: 7fbaf2a1a3317bd634b00eb90e32291e)
      #04 pc 00000000007765af  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x643000) (artQuickToInterpreterBridge+1103) (BuildId: 7fbaf2a1a3317bd634b00eb90e32291e)
      #05 pc 000000000018424c  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x182000) (art_quick_to_interpreter_bridge+140) (BuildId: 7fbaf2a1a3317bd634b00eb90e32291e)
      #06 pc 000072bf1379c0f8  <unknown>


Python stack trace: Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/objection/console/repl.py", line 371, in start_repl
    self.run_command(document)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/objection/console/repl.py", line 185, in run_command
    exec_method(arguments)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/objection/commands/android/pinning.py", line 26, in android_disable
    api.android_ssl_pinning_disable(_should_be_quiet(args))
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/frida/core.py", line 468, in method
    return script._rpc_request('call', js_name, args, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/frida/core.py", line 26, in wrapper
    return f(*args, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/frida/core.py", line 400, in _rpc_request
    raise result[2]
frida.InvalidOperationError: script has been destroyed

luke13456 (Author) commented

Using Android v11 API 30 through the Android Studio AVD emulator.

leonjza commented Feb 13, 2022

Unfortunately this will require you to do some reverse engineering to try and understand what is up. It can be anything from a bug, to an integrity check (or even both)!

If it helps, it looks like this is the last successful hook. The hook following that may be the culprit.

leonjza closed this as completed Feb 13, 2022
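
As a triage aid for the session output posted in this issue, the following added example (not part of the original thread and not objection's own code) parses the agent lines and the tombstone to report the last hook the agent announced, the signal, and the first backtrace frame outside `libart.so`. The function name `triage` and the report keys are assumptions made for this example; the sample is an excerpt of the log above.

```python
import re

# Excerpt of the session output posted in this issue (only the lines the parser reads).
SAMPLE = """\
(agent) Custom TrustManager ready, overriding SSLContext.init()
(agent) Found okhttp3.CertificatePinner, overriding CertificatePinner.check()
(session detach message) process-terminated
pid: 4775, tid: 5181, name: Thread-22  >>> com.microsoft.xboxone.smartglass <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xf2e79d2e
backtrace:
      #00 pc 000000000078a55a  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x643000) (MterpInvokeVirtual+218) (BuildId: 7fbaf2a1a3317bd634b00eb90e32291e)
      #01 pc 0000000000162f99  /apex/com.android.art/lib64/libart.so (mterp_op_invoke_virtual+25) (BuildId: 7fbaf2a1a3317bd634b00eb90e32291e)
      #02 pc 00000000000fa0a8  /apex/com.android.art/javalib/core-oj.jar (java.lang.reflect.Method.getGenericReturnType)
      #06 pc 000072bf1379c0f8  <unknown>
"""

AGENT = re.compile(r"^\(agent\) (.+)$")
PROC = re.compile(r"^pid: (\d+), tid: (\d+), name: (\S+)\s+>>> (\S+) <<<")
SIGNAL = re.compile(r"^signal (\d+) \((\w+)\), code (-?\d+) \((\w+)\), fault addr (\S+)")
FRAME = re.compile(r"^\s*#(\d+) pc ([0-9a-f]+)\s+(\S+)(.*)$")
NOISE = re.compile(r"\((?:offset 0x[0-9a-f]+|BuildId: [0-9a-f]+)\)")

def triage(log):
    """Summarise an objection session log that ends in an Android tombstone."""
    report = {"hooks": [], "frames": []}
    for line in log.splitlines():
        if m := AGENT.match(line):
            report["hooks"].append(m.group(1))
        elif m := PROC.match(line):
            report["thread"], report["package"] = m.group(3), m.group(4)
        elif m := SIGNAL.match(line):
            report["signal"], report["code"], report["fault_addr"] = m.group(2), m.group(4), m.group(5)
        elif m := FRAME.match(line):
            # Drop the (offset ...) and (BuildId: ...) groups; what remains is "(symbol+off)".
            rest = NOISE.sub("", m.group(4)).strip()
            wrapped = rest.startswith("(") and rest.endswith(")")
            symbol = re.sub(r"\+\d+$", "", rest[1:-1]) if wrapped else ""
            report["frames"].append((int(m.group(1)), m.group(3), symbol))
    report["last_hook"] = report["hooks"][-1] if report["hooks"] else None
    # First frame that is not inside the ART runtime: the managed code being interpreted.
    report["first_non_art_frame"] = next(
        (f for f in report["frames"] if "libart.so" not in f[1]), None)
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

For this log the first frame outside `libart.so` is `java.lang.reflect.Method.getGenericReturnType` in `core-oj.jar`, the managed method the interpreter was executing when the virtual invoke faulted.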