One, Goal

Fenfei: Boss, we need to recruit some girls. The ratio of men to women in our company is far too unbalanced.

Boss Li: Go on this App; it's said there are lots of girls on it.

Oh, my god. I can’t even catch the bag.

Hot and fresh V3.83.0

Two, Steps

SSL two-way authentication

Every request through the proxy comes back with 400 No required SSL certificate was sent.

That is the standard nginx error page when ssl_verify_client is on and the client presented no certificate, so this is SSL two-way (mutual) authentication: the server wants a client certificate, and Charles is not sending one.

But according to Google, getting past SSL two-way authentication is easy: take the client certificate out of the App, import it into Charles, and you're done.

client.p12

The PKCS#12 file, /assets/client.p12, is easy to find in the APK. The next step is the password that protects it. Easy, right?

Search in Jadx for the strings “client.p12” or “client.cer”. The strings are there, but the problem is that you cannot find where they are referenced.

It looks like others have been here before, and the new version of the App has been changed to hide the place where the certificate is loaded.

Hook KeyStore to Dump certificates

As long as the client owns a certificate, it has to load it into a KeyStore before it can use it for TLS. If we dump it at the moment it is loaded, that should do the trick.

Frida script. getNowTime() and dump2sdcard() are not shown in the post (they come from the keystore_dump.js linked in the summary); the versions below are reconstructed so the script runs as a whole:

```javascript
// Timestamp for the output file name, e.g. 2021_05_24_16_48_09.
function getNowTime() {
    var d = new Date();
    var p = function (n) { return (n < 10 ? "0" : "") + n; };
    return [d.getFullYear(), p(d.getMonth() + 1), p(d.getDate()),
            p(d.getHours()), p(d.getMinutes()), p(d.getSeconds())].join("_");
}

// Re-wrap the key and certificate in a fresh PKCS#12 store, password "Fenfei",
// and write it to the SD card.
function dump2sdcard(privateKey, certificate, filePath) {
    console.log("dump File");
    var KeyStore = Java.use("java.security.KeyStore");
    var FileOutputStream = Java.use("java.io.FileOutputStream");
    var password = Java.use("java.lang.String").$new("Fenfei").toCharArray();
    var ks = KeyStore.getInstance("PKCS12");
    ks.load(null, null);
    ks.setKeyEntry("client", privateKey, password,
                   Java.array("java.security.cert.Certificate", [certificate]));
    var fos = FileOutputStream.$new(filePath);
    ks.store(fos, password);
    fos.close();
    console.log("dump OK !!!");
    console.log("dump:" + filePath);
}

Java.perform(function () {
    console.log("In the case of HTTPS two-way authentication, dump client certificate p12. Storage location: /sdcard/Download/client_keystore_{nowTime}.p12  Certificate Password: Fenfei");
    var Entry = Java.use("java.security.KeyStore$PrivateKeyEntry");
    // Dump whenever the App reads the private key or the chain out of its KeyStore entry.
    Entry.getPrivateKey.implementation = function () {
        var result = this.getPrivateKey();
        var filePath = "/sdcard/Download/client_keystore_" + "_" + getNowTime() + ".p12";
        dump2sdcard(result, this.getCertificate(), filePath);
        return result;
    };
    Entry.getCertificateChain.implementation = function () {
        var result = this.getCertificateChain();
        var filePath = "/sdcard/Download/client_keystore_" + "_" + getNowTime() + ".p12";
        dump2sdcard(this.getPrivateKey(), this.getCertificate(), filePath);
        return result;
    };
});
```

Grant the App storage (read/write SD card) permission before running, because the dumped certificate is written to the SD card; otherwise you get:

```
Error: java.io.FileNotFoundException: /sdcard/Download/client_keystore__2021_05_24_xx_xx_xx_53.p12 (Permission denied)
```

Run it. The App crashes.

Nothing we cannot handle; a crash at startup most likely means Frida detection. Change the default Frida port, and swap frida-server for hluda-server (a modified frida-server build with the obvious fingerprints renamed).

Run again; it still crashes. Strange, what else could it be? Xposed. Disable the Xposed status and try once more.

```
dump File
dump OK !!!
dump:/sdcard/Download/client_keystore__2021_05_24_16_48_09_24.p12
```

Perfect, the certificate is ours. Copy it off the phone (adb pull works).

Add the certificate to Charles

Proxy -> SSL Proxying Settings -> Client Certificates

Add an entry for host *.sxxapp.cn, port 443, pointing at the dumped .p12 (password: Fenfei, as set by the hook).

Can't wait to run it again.

Perfect finish.
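Charles is not the only consumer of the dumped file. As an added example, not code from the original post, the script below checks that the password really opens the PKCS#12 (openssl verifies the MAC), splits it into the PEM certificate and key that curl and mitmproxy want, shows the certificate subject, and makes a mutual-TLS request by hand. It assumes openssl and curl are on PATH; the host *.sxxapp.cn is the one the post configures in Charles, and the request URL is a placeholder. The make_demo_p12 function builds a throwaway self-signed client certificate so the whole thing can be tried offline without the real dump.

```shell
#!/bin/sh
# Added example (not from the original post): inspect and reuse a dumped
# client_keystore_*.p12 (password "Fenfei") outside Charles.
# Assumes openssl and curl are installed.
set -eu

# Does this password open the file? openssl checks the PKCS#12 MAC and exits
# non-zero on a wrong password ("Mac verify error").
p12_check() {   # $1 = .p12 path, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout >/dev/null 2>&1
}

# Split the bundle into a PEM certificate and an unencrypted PEM key, the
# form curl, mitmproxy and most scripts expect.
p12_to_pem() {  # $1 = .p12 path, $2 = password, $3 = output prefix
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3.crt" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3.key" 2>/dev/null
    chmod 600 "$3.key"
}

# Subject of the client certificate: the identity the server will see, and a
# hint whether this is one shared certificate baked into every copy of the APK.
cert_subject() {  # $1 = PEM certificate
    openssl x509 -in "$1" -noout -subject
}

# Mutual-TLS request with no proxy in the middle.
mtls_get() {    # $1 = output prefix from p12_to_pem, $2 = URL
    curl -sS --cert "$1.crt" --key "$1.key" "$2"
}

# Constructed stand-in for the dumped file so the script runs offline:
# a throwaway self-signed client certificate packed as PKCS#12.
make_demo_p12() {  # $1 = output .p12 path, $2 = password
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-client" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
        -name client -out "$1" -passout "pass:$2"
    rm -rf "$tmp"
}

demo() {
    d=$(mktemp -d)
    make_demo_p12 "$d/client.p12" Fenfei
    p12_check "$d/client.p12" Fenfei && echo "password ok"
    p12_to_pem "$d/client.p12" Fenfei "$d/client"
    cert_subject "$d/client.crt"
    # HOST.sxxapp.cn is a placeholder for the real API host.
    echo "then: mtls_get $d/client https://HOST.sxxapp.cn/"
}

case "${1:-}" in
    demo) demo ;;                                            # sh p12_tools.sh demo
    "")   : ;;                                               # no args: only define the functions
    *)    p12_to_pem "$1" "${2:-Fenfei}" "${3:-./client}" ;; # sh p12_tools.sh dump.p12 [password] [prefix]
esac
```

If OpenSSL 3 refuses the real dump with an unsupported-algorithm error, the Android KeyStore wrote it with legacy PBE (RC2/3DES); adding -legacy to the pkcs12 commands loads the legacy provider. The lesson for the defending side is the one this whole post demonstrates: a client certificate the App can read is a certificate the attacker can read, so mutual TLS with a bundled certificate raises the bar for casual proxying but is not a secret.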

Three, Summary

Frida's spawn mode crashes when starting this App. I think it's because of the Xposed module, so turn the Xposed module off. Of course, maybe it's just something wrong with my phone.

Everyone keeps improving, so master several methods; when one road is blocked, another is open.

For dumping certificates see github.com/CreditTone/… ; keystore_dump.js is a great tool, and thanks go to its author.

Be clever when everyone else is honest; Be honest while everyone else is being smart. While others can be both smart and honest, do something else.

TIP: The only purpose of this article is to learn reverse-engineering techniques and ways of thinking. Anyone who uses these techniques for illegal commercial gain bears the legal liability themselves; it has nothing to do with the author. The code for the knowledge covered in this article can be found in my project; everyone is welcome to star it and explore the technology together. If you have questions, add me on WeChat: FENfei331.

WeChat public account: Fenfei Security, the latest technical content pushed in real time.