Java.perform(function() { var array_list = Java.use("java.util.ArrayList"); var ApiClient = Java.use('com.android.org.conscrypt.TrustManagerImpl'); ApiClient.checkTrustedRecursive.implementation = function(a1, a2, a3, a4, a5, a6) { // console.log('Bypassing SSL Pinning'); var k = array_list.$new(); return k; } }, 0); Java.perform(function() { var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu", "com.koushikdutta.superuser", "com.thirdparty.superuser", "com.yellowes.su", "com.koushikdutta.rommanager", "com.koushikdutta.rommanager.license", "com.dimonvideo.luckypatcher", "com.chelpus.lackypatch", "com.ramdroid.appquarantine", "com.ramdroid.appquarantinepro", "com.devadvance.rootcloak", "com.devadvance.rootcloakplus", "de.robv.android.xposed.installer", "com.saurik.substrate", "com.zachspong.temprootremovejb", "com.amphoras.hidemyroot", "com.amphoras.hidemyrootadfree", "com.formyhm.hiderootPremium", "com.formyhm.hideroot", "me.phh.superuser", "eu.chainfire.supersu.pro", "com.kingouser.com", "com.android.vending.billing.InAppBillingService.COIN","com.topjohnwu.magisk" ]; var RootBinaries = ["su", "busybox", "supersu", "Superuser.apk", "KingoUser.apk", "SuperSu.apk","magisk"]; var RootProperties = { "ro.build.selinux": "1", "ro.debuggable": "0", "service.adb.root": "0", "ro.secure": "1" }; var RootPropertiesKeys = []; for (var k in RootProperties) RootPropertiesKeys.push(k); var PackageManager = Java.use("android.app.ApplicationPackageManager"); var Runtime = Java.use('java.lang.Runtime'); var NativeFile = Java.use('java.io.File'); var String = Java.use('java.lang.String'); var SystemProperties = Java.use('android.os.SystemProperties'); var BufferedReader = Java.use('java.io.BufferedReader'); var ProcessBuilder = Java.use('java.lang.ProcessBuilder'); var StringBuffer = Java.use('java.lang.StringBuffer'); var loaded_classes = Java.enumerateLoadedClassesSync(); send("Loaded " + loaded_classes.length + " classes!"); var useKeyInfo = false; var useProcessManager = false; send("loaded: " + loaded_classes.indexOf('java.lang.ProcessManager')); if (loaded_classes.indexOf('java.lang.ProcessManager') != -1) { try { //useProcessManager = true; //var ProcessManager = Java.use('java.lang.ProcessManager'); } catch (err) { send("ProcessManager Hook failed: " + err); } } else { send("ProcessManager hook not loaded"); } var KeyInfo = null; if (loaded_classes.indexOf('android.security.keystore.KeyInfo') != -1) { try { //useKeyInfo = true; //var KeyInfo = Java.use('android.security.keystore.KeyInfo'); } catch (err) { send("KeyInfo Hook failed: " + err); } } else { send("KeyInfo hook not loaded"); } PackageManager.getPackageInfo.overload('java.lang.String', 'int').implementation = function(pname, flags) { var shouldFakePackage = (RootPackages.indexOf(pname) > -1); if (shouldFakePackage) { send("Bypass root check for package: " + pname); pname = "set.package.name.to.a.fake.one.so.we.can.bypass.it"; } return this.getPackageInfo.call(this, pname, flags); }; NativeFile.exists.implementation = function() { var name = NativeFile.getName.call(this); var shouldFakeReturn = (RootBinaries.indexOf(name) > -1); if (shouldFakeReturn) { send("Bypass return value for binary: " + name); return false; } else { return this.exists.call(this); } }; var exec = Runtime.exec.overload('[Ljava.lang.String;'); var exec1 = Runtime.exec.overload('java.lang.String'); var exec2 = Runtime.exec.overload('java.lang.String', '[Ljava.lang.String;'); var exec3 = Runtime.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;'); var exec4 = Runtime.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;', 'java.io.File'); var exec5 = Runtime.exec.overload('java.lang.String', '[Ljava.lang.String;', 'java.io.File'); exec5.implementation = function(cmd, env, dir) { if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id" || cmd == "sh") { var fakeCmd = "grep"; send("Bypass " + cmd + " command"); return exec1.call(this, fakeCmd); } if (cmd == "su") { var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; send("Bypass " + cmd + " command"); return exec1.call(this, fakeCmd); } if (cmd == "which") { var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; send("Bypass which command"); return exec1.call(this, fakeCmd); } return exec5.call(this, cmd, env, dir); }; exec4.implementation = function(cmdarr, env, file) { for (var i = 0; i < cmdarr.length; i = i + 1) { var tmp_cmd = cmdarr[i]; if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" || tmp_cmd == "sh") { var fakeCmd = "grep"; send("Bypass " + cmdarr + " command"); return exec1.call(this, fakeCmd); } if (tmp_cmd == "su") { var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; send("Bypass " + cmdarr + " command"); return exec1.call(this, fakeCmd); } } return exec4.call(this, cmdarr, env, file); }; exec3.implementation = function(cmdarr, envp) { for (var i = 0; i < cmdarr.length; i = i + 1) { var tmp_cmd = cmdarr[i]; if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" || tmp_cmd == "sh") { var fakeCmd = "grep"; send("Bypass " + cmdarr + " command"); return exec1.call(this, fakeCmd); } if (tmp_cmd == "su") { var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; send("Bypass " + cmdarr + " command"); return exec1.call(this, fakeCmd); } } return exec3.call(this, cmdarr, envp); }; exec2.implementation = function(cmd, env) { if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id" || cmd == "sh") { var fakeCmd = "grep"; send("Bypass " + cmd + " command"); return exec1.call(this, fakeCmd); } if (cmd == "su") { var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; send("Bypass " + cmd + " command"); return exec1.call(this, fakeCmd); } return exec2.call(this, cmd, env); }; exec.implementation = function(cmd) { for (var i = 0; i < cmd.length; i = i + 1) { var tmp_cmd = cmd[i]; if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" || tmp_cmd == "sh") { var fakeCmd = "grep"; send("Bypass " + cmd + " command"); return exec1.call(this, fakeCmd); } if (tmp_cmd == "su") { var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; send("Bypass " + cmd + " command"); return exec1.call(this, fakeCmd); } } return exec.call(this, cmd); }; exec1.implementation = function(cmd) { if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id" || cmd == "sh") { var fakeCmd = "grep"; send("Bypass " + cmd + " command"); return exec1.call(this, fakeCmd); } if (cmd == "su") { var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"; send("Bypass " + cmd + " command"); return exec1.call(this, fakeCmd); } return exec1.call(this, cmd); }; String.contains.implementation = function(name) { if (name == "test-keys") { send("Bypass test-keys check"); return false; } return this.contains.call(this, name); }; var get = SystemProperties.get.overload('java.lang.String'); get.implementation = function(name) { if (RootPropertiesKeys.indexOf(name) != -1) { send("Bypass " + name); return RootProperties[name]; } return this.get.call(this, name); }; Interceptor.attach(Module.findExportByName("libc.so", "fopen"), { onEnter: function(args) { var path1 = Memory.readCString(args[0]); var path = path1.split("/"); var executable = path[path.length - 1]; var shouldFakeReturn = (RootBinaries.indexOf(executable) > -1) if (shouldFakeReturn) { Memory.writeUtf8String(args[0], "/ggezxxx"); send("Bypass native fopen >> "+path1); } }, onLeave: function(retval) { } }); Interceptor.attach(Module.findExportByName("libc.so", "fopen"), { onEnter: function(args) { var path1 = Memory.readCString(args[0]); var path = path1.split("/"); var executable = path[path.length - 1]; var shouldFakeReturn = (RootBinaries.indexOf(executable) > -1) if (shouldFakeReturn) { Memory.writeUtf8String(args[0], "/ggezxxx"); send("Bypass native fopen >> "+path1); } }, onLeave: function(retval) { } }); Interceptor.attach(Module.findExportByName("libc.so", "system"), { onEnter: function(args) { var cmd = Memory.readCString(args[0]); send("SYSTEM CMD: " + cmd); if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id") { send("Bypass native system: " + cmd); Memory.writeUtf8String(args[0], "grep"); } if (cmd == "su") { send("Bypass native system: " + cmd); Memory.writeUtf8String(args[0], "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"); } }, onLeave: function(retval) { } }); BufferedReader.readLine.overload().implementation = function() { var text = this.readLine.call(this); if (text === null) { // just pass , i know it's ugly as hell but test != null won't work :( } else { var shouldFakeRead = (text.indexOf("ro.build.tags=test-keys") > -1); if (shouldFakeRead) { send("Bypass build.prop file read"); text = text.replace("ro.build.tags=test-keys", "ro.build.tags=release-keys"); } } return text; }; var executeCommand = ProcessBuilder.command.overload('java.util.List'); ProcessBuilder.start.implementation = function() { var cmd = this.command.call(this); var shouldModifyCommand = false; for (var i = 0; i < cmd.size(); i = i + 1) { var tmp_cmd = cmd.get(i).toString(); if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd.indexOf("mount") != -1 || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd.indexOf("id") != -1) { shouldModifyCommand = true; } } if (shouldModifyCommand) { send("Bypass ProcessBuilder " + cmd); this.command.call(this, ["grep"]); return this.start.call(this); } if (cmd.indexOf("su") != -1) { send("Bypass ProcessBuilder " + cmd); this.command.call(this, ["justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"]); return this.start.call(this); } return this.start.call(this); }; if (useProcessManager) { var ProcManExec = ProcessManager.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;', 'java.io.File', 'boolean'); var ProcManExecVariant = ProcessManager.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;', 'java.lang.String', 'java.io.FileDescriptor', 'java.io.FileDescriptor', 'java.io.FileDescriptor', 'boolean'); ProcManExec.implementation = function(cmd, env, workdir, redirectstderr) { var fake_cmd = cmd; for (var i = 0; i < cmd.length; i = i + 1) { var tmp_cmd = cmd[i]; if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id") { var fake_cmd = ["grep"]; send("Bypass " + cmdarr + " command"); } if (tmp_cmd == "su") { var fake_cmd = ["justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"]; send("Bypass " + cmdarr + " command"); } } return ProcManExec.call(this, fake_cmd, env, workdir, redirectstderr); }; ProcManExecVariant.implementation = function(cmd, env, directory, stdin, stdout, stderr, redirect) { var fake_cmd = cmd; for (var i = 0; i < cmd.length; i = i + 1) { var tmp_cmd = cmd[i]; if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id") { var fake_cmd = ["grep"]; send("Bypass " + cmdarr + " command"); } if (tmp_cmd == "su") { var fake_cmd = ["justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"]; send("Bypass " + cmdarr + " command"); } } return ProcManExecVariant.call(this, fake_cmd, env, directory, stdin, stdout, stderr, redirect); }; } if (useKeyInfo) { KeyInfo.isInsideSecureHardware.implementation = function() { send("Bypass isInsideSecureHardware"); return true; } } }); setTimeout(function () { // pattern bytes var pattern = "ff 03 05 d1 fd 7b 0f a9 bc de 05 94 08 0a 80 52 48" // library name var module = "libflutter.so" // define your arm version var armversion = 8 // expected return value var expectedReturnValue = true // random string, you may ignore this console.log("Horangi - Bypass Flutter SSL Pinning") // enumerate all process Process.enumerateModules().forEach(v => { // if the module matches with our library if(v['name'] == module) { // debugging purposes console.log("Base: ", v['base'], "| Size: ", v['size'], "\n") // scanning memory - synchronous version // compare it based on base, size and pattern Memory.scanSync(v['base'], v['size'], pattern).forEach(mem => { // assign address to variable offset var offset = mem['address'] if(armversion === 7) { // armv7 add 1 offset = offset.add(1) } // another debugging purposes console.log("Address:",offset,"::", mem['size']) // hook to the address Interceptor.attach(offset, { // when leaving the address, onLeave: function(retval) { // execute this debugging purpose (again) console.log("ReturnValue",offset,"altered from", +retval,"to", +expectedReturnValue) // replace the return value to expectedReturnValue retval.replace(+expectedReturnValue); } }) }) } }); }, 1000)