-
-
[分享]分享一个facebook绕过ssl校验的脚本
-
发表于: 2020-7-12 22:44
-
前段时间研究了一下facebook的ssl校验,后面发现facebook自己提供了去除ssl校验的设置。只需要开启即可。地址:dd6K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2X3j5h3y4W2j5X3!0G2K9#2)9J5k6h3y4G2L8g2)9J5c8Y4N6Z5K9i4c8W2K9r3q4@1i4K6u0r3M7X3g2K6k6h3q4J5j5$3S2W2M7W2)9J5k6s2y4W2N6s2c8A6L8X3N6K6i4K6u0r3。另外发现了另外一篇文章,详细描述了怎么绕过iOS端的证书校验197K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2U0P5h3y4D9L8$3^5K6i4K6u0W2j5$3!0E0i4K6u0r3j5Y4W2H3j5i4y4K6i4K6u0V1k6X3q4U0k6h3u0G2L8$3E0Q4x3X3c8K6M7$3I4Q4x3X3c8U0k6i4u0@1K9h3k6A6j5$3q4@1k6g2)9J5k6s2m8A6L8X3&6A6L8X3N6Q4x3X3c8X3L8%4u0Q4x3X3c8A6L8%4x3`.。详细信息可以参考这里。本文所提供的脚本就是通过他这篇文章所描述的,写了一个frida脚本。就不用直接去patch二进制文件那么麻烦,直接用frida的patchcode功能。代码如下(20年7月12最新版278.0):
import { log } from "./logger";
let FBSharedFramework = Module.getBaseAddress("FBSharedFramework")
log(`FBSharedFramework : ${FBSharedFramework}`)
let maxPatchSize = 64;
var left = FBSharedFramework.add(0x1A53A8);
// b.ne #0x150
// 81 0A 00 54
log(`before: ${hexdump(left, { length: 8, ansi: true })}`);
Memory.patchCode(left, maxPatchSize, function(code){
let cw = new Arm64Writer(code, {pc: left});
cw.putBytes([0x80, 0x0a, 0x00, 0x54]); //b.eq #0x150
cw.flush()
});
log(`after: ${hexdump(left, { length: 8, ansi: true })}`);
使用效果如下,可以正常的抓到facebook的包了
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
那条关键指令的偏移,你看看我文中的链接,有说怎么去找 |
|
|
偏移地址找到了,脚本运行没问题,我的Burp Suite在iOS 13抓不了包,能否私信下2020.6 pro的破解版链接 |
|
|
用5deK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6f1M7X3!0B7j5h3&6m8h3X3S2W2L8W2)9J5c8V1u0#2M7Y4m8e0N6h3W2@1k6g2m8J5L8#2)9J5k6o6u0Q4x3X3f1I4i4@1f1^5i4@1u0r3i4K6V1&6i4@1f1@1i4@1t1^5i4@1q4m8L8r3!0S2k6r3g2J5i4@1f1#2i4@1t1H3i4@1t1I4i4@1f1^5i4@1p5I4i4K6S2o6 |
|
|
谢谢楼主,能否确认下最新的Instagram(150.0版本)可行吗? ins和fb都用的最新版,hook完后,登录有报错(fb和ins错误一样)
|
|
|
最新版的应该偏移啥的变了,你重新找找位置patch一下就行 |
|
|
|
