<aside> 🌟
同义:怎么能抓到包 ???
</aside>
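OSI七层参考模型从下至上 一层一层抓
// Frida script: find the CFNetworkCopySystemProxySettings import of the module
// named "bitauto" (presumably the main binary of the app under test) and hook
// it so the caller receives NULL instead of the system proxy dictionary.
var _bitautoModule = Process.findModuleByName("bitauto");
// findModuleByName returns null when the module is not loaded; fall back to an
// empty list so the script reports nothing instead of throwing a TypeError.
var _imports = _bitautoModule ? _bitautoModule.enumerateImports() : [];
var _CFNetworkCopySystemProxySettings = null;
for (var i = 0; i < _imports.length; i++) {
    // Look for the system proxy function CFNetworkCopySystemProxySettings.
    if (_imports[i].name.indexOf("CFNetworkCopySystemProxySettings") !== -1) {
        console.log(_imports[i].name, _imports[i].address);
        _CFNetworkCopySystemProxySettings = _imports[i].address;
    }
}
if (_CFNetworkCopySystemProxySettings) {
    Interceptor.attach(_CFNetworkCopySystemProxySettings, {
        onLeave: function (retval) {
            // Wrap the pointer only when it is non-NULL; ObjC.Object is a
            // constructor and needs a valid object handle.
            console.log("retval: ", retval.isNull() ? retval : new ObjC.Object(retval));
            // Hand NULL back to the caller. NOTE(review): the dictionary the
            // real function returned is presumably owned by the caller (CF
            // "Copy" naming), so it is never released here, and a caller that
            // does not NULL-check the result may crash.
            retval.replace(ptr(0));
        }
    });
}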
SSL Pinning
ssl-kill-switch3
插件商店里面搜索下载
**ios sslpinning disable**
⚠️警告:由于objection库很久没更新了,需要对它进行改造。
库源码(agent.js)修改
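// Line as it appears in the library's agent.js:
return "fakePSKidentity";
// Change it to the lines below. The SSL_get_psk_identity replacement further
// down this page is declared with a 'pointer' return type, so it has to return
// a NativePointer rather than a JavaScript string. The Frida API is spelled
// Memory.allocUtf8String (lower-case "tf").
var ret = Memory.allocUtf8String("fakePSKidentity");
return ret;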
// Constants and native bindings used by the libboringssl.dylib hooks.

// Declared here but not referenced by the code shown on this page.
var SSL_VERIFY_NONE = 0;

// Callable binding for the exported SSL_CTX_set_custom_verify:
// returns void, takes (pointer, int, pointer).
var ssl_ctx_set_custom_verify = new NativeFunction(
    Module.findExportByName("libboringssl.dylib", "SSL_CTX_set_custom_verify"),
    'void',
    ['pointer', 'int', 'pointer']
);

// Callable binding for the exported SSL_get_psk_identity:
// returns a pointer, takes one pointer.
var ssl_get_psk_identity = new NativeFunction(
    Module.findExportByName("libboringssl.dylib", "SSL_get_psk_identity"),
    'pointer',
    ['pointer']
);

// Native verify callback that ignores both arguments and always returns 0,
// the value BoringSSL defines as ssl_verify_ok. Any certificate chain is
// therefore reported as valid wherever this callback is installed.
var ssl_verify_result_t = new NativeCallback(
    function (ssl, out_alert) {
        return 0;
    },
    'int',
    ['pointer', 'pointer']
);
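/**
 * Replaces two libboringssl.dylib exports in the current process.
 *
 * - SSL_CTX_set_custom_verify: the caller's verify callback is dropped and
 *   ssl_verify_result_t (always returns 0) is registered instead, with the
 *   caller's mode passed through unchanged.
 * - SSL_get_psk_identity: always returns a pointer to "fakePSKidentity".
 *
 * While the hooks are active, TLS peers that go through these functions are
 * not authenticated, so captured traffic says nothing about who the peer was.
 * Nothing is installed if either export cannot be resolved.
 */
function bypassSSL() {
    var setCustomVerify = Module.findExportByName("libboringssl.dylib", "SSL_CTX_set_custom_verify");
    var getPskIdentity = Module.findExportByName("libboringssl.dylib", "SSL_get_psk_identity");
    // findExportByName returns null for a missing export; Interceptor.replace
    // would throw on it, so stop before installing a partial set of hooks.
    if (setCustomVerify === null || getPskIdentity === null) {
        console.log("[-] libboringssl.dylib exports not found; hooks not installed");
        return;
    }

    // Allocate the string once and keep it referenced from the closure below.
    // Frida releases allocUtf8String memory when the last JavaScript handle is
    // collected, so a per-call local could be freed while native code still
    // reads the returned pointer.
    var fakeIdentity = Memory.allocUtf8String("fakePSKidentity");

    Interceptor.replace(setCustomVerify, new NativeCallback(function (ssl, mode, callback) {
        // Forward to the real function through the NativeFunction binding,
        // substituting the always-ok verifier for the caller's callback.
        ssl_ctx_set_custom_verify(ssl, mode, ssl_verify_result_t);
    }, 'void', ['pointer', 'int', 'pointer']));

    Interceptor.replace(getPskIdentity, new NativeCallback(function (ssl) {
        return fakeIdentity;
    }, 'pointer', ['pointer']));

    // Report success only after both replacements are in place.
    console.log("[+] Bypass successfully loaded ");
}
bypassSSL();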