eltion / facebook-ssl-pinning-bypass Goto Github PK

do you know. where is the place that fb send the request and recieve response ?
i want to use frida to hook that method

Hello, I installed the patched apk([facebook-v373.0.0.31.112-armeabi-v7a]) on my device, and it worked very good.
But when I use burpsuite to intercept(I switched off intercept), the app shows that the network is unreachable.

Could you please tell me what the reason is and how I should solve it?

Hi, can you provide Ads Manager android app ssl pinning bypass ?

Describe the bug
Not a bug: Could you modify the Frida script to work for the oculus Meta Quest app (com.oculus.twilight)? Standard Frida methods do not work, and neither does your facebook script. Hopefully a similar approach would work.

Method
Frida

App info

• Version: Meta Quest-226.0.0.5.47
• Arch: x86, x86_64

Device info

• Android emulator version 31.2.8.0

Proxy tool
mitmproxy: v8.1.1

Logs
Spawning com.oculus.twilight...
[][] Waiting for library...
Spawned com.oculus.twilight. Resuming main thread!
[Android Emulator 5554::com.oculus.twilight ]-> [*][+] Hooked checkTrustedRecursive

Additional context
TLS Certificate not accepted errors in mitmproxy

Describe the bug
A clear and concise description of what the bug is.

Method
Patched APK or Frida

App info

• Version: facebook-v378.0.0.18.112
• Arch: x86, x86_64, armeabi-v7a, arm64-v8a

Device info

• Model: Samsung SM-A525F, Nox Emulator
• Android Version: 12

Proxy tool
mitmproxy: v8.1.1
brup: v2022.5.2

Logs
Frida or logcat logs, screenshots, mitmproxy event logs, Brup event log.

Additional context
Add any other context about the problem here.

Describe the bug
A clear and concise description of what the bug is.

Method
Patched APK or Frida

App info

• Version: facebook-v378.0.0.18.112
• Arch: x86, x86_64, armeabi-v7a, arm64-v8a

Device info

• Model: Samsung SM-A525F, Nox Emulator
• Android Version: 12

Proxy tool
mitmproxy: v8.1.1
brup: v2022.5.2

Logs
Frida or logcat logs, screenshots, mitmproxy event logs, Brup event log.

Additional context
Add any other context about the problem here.

Hi @Eltion ,

Can you provide a SSL-Pinning-Bypass for WhatsApp ?

Thanks! 🙏

even after removing facebook app using adb shell..can't install patched apk ..While downloading and installing it says "The package conflicts with the existing package with the same name".. Is there is solution for this/way to install this patched apk .

please by pass facebook lite

Facebook Messenger libcoldstart.so doesn't have proxygen::SSLVerification::verifyWithMetrics method. Do you have any idea ? thanks

Facebook now requires new version for using the chat function, please update the new patch codes. Thanks for all your effort

Hi, can you provide facebook lite android app ssl pinning bypass ?

Hi @Eltion,

Can you please provide the script for patching the apk if possible?

SSL PINNING BYPASSE OF SNAPCHAT KINDLY!

Android: AVD api 28 (pixel 4 android virtual device)
Facebook downloaded: arm
Device: macbook M1
i installed patched apk on android virutal device, capture request by burp proxy but nothing captured.
Log ADB:
--------- beginning of system
--------- beginning of main
01-14 22:24:01.619 4149 4295 V FACEBOOK_SSL_PINNING_BYPASS: [][] Waiting for library...
01-14 22:24:01.621 4149 4295 V FACEBOOK_SSL_PINNING_BYPASS: [][+] Hooked checkTrustedRecursive
01-14 22:24:02.052 4149 4369 V FACEBOOK_SSL_PINNING_BYPASS: [][+] Found libcoldstart.so at: 0x7b685e6000
01-14 22:24:02.055 4149 4369 V FACEBOOK_SSL_PINNING_BYPASS: [][+] Hooked function: _ZN8proxygen15SSLVerification17verifyWithMetricsEbP17x509_store_ctx_stRKNSt6__ndk212basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEPNS0_31SSLFailureVerificationCallbacksEPNS0_31SSLSuccessVerificationCallbacksERKNS_15TimeUtilGenericINS3_6chrono12steady_clockEEERNS_10TraceEventE
01-14 22:24:02.150 4149 4451 V FACEBOOK_SSL_PINNING_BYPASS: [][+] Patched libcoldstart.so
01-14 22:24:05.386 5129 5190 V FACEBOOK_SSL_PINNING_BYPASS: [][] Waiting for library...
01-14 22:24:05.387 5129 5190 V FACEBOOK_SSL_PINNING_BYPASS: [][+] Hooked checkTrustedRecursive
01-14 22:24:05.779 5129 5202 V FACEBOOK_SSL_PINNING_BYPASS: [][+] Found libcoldstart.so at: 0x7b686df000
01-14 22:24:05.793 5129 5202 V FACEBOOK_SSL_PINNING_BYPASS: [][+] Hooked function: _ZN8proxygen15SSLVerification17verifyWithMetricsEbP17x509_store_ctx_stRKNSt6__ndk212basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEPNS0_31SSLFailureVerificationCallbacksEPNS0_31SSLSuccessVerificationCallbacksERKNS_15TimeUtilGenericINS3_6chrono12steady_clockEEERNS_10TraceEventE
01-14 22:24:05.893 5129 5250 V FACEBOOK_SSL_PINNING_BYPASS: [][+] Patched libcoldstart.so
Burpsuite error:

Describe the bug
I installed frida in termux and tried the frida script in the 428*+ versions. But it showing the problem "Failed to find pattern: ......" . It was working on 427* and lower versions.

Method
Frida

App info

• Version: facebook-v455.0.0.44.88
• Arch: arm64-v8a

Device info

• Model: Xiaomi Redmi Note 11 Pro (Veux)
• Android Version: 13

Proxy tool
brup: v2022.8.2

Logs
Frida :
[Remote::com.facebook.katana ]-> [][+] Hooked checkTrustedRecursive
[][+] Found libcoldstart.so at: 0x70eaa12000
[][+] Hooked function: _ZN8proxygen15SSLVerification17verifyWithMetricsEbP17x509_store_ctx_stRKNSt6__ndk212basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEPNS0_31SSLFailureVerificationCallbacksEPNS0_31SSLSuccessVerificationCallbacksERKNS_15TimeUtilGenericINS3_6chrono12steady_clockEEERNS_10TraceEventE
[][-] Failed to find pattern: ff ff 01 a9 ?? ?? 00 b4 80 82 4c 39

Bro, why can't the application be installed?

Describe the bug
Unable to use in the latest version of genymotion, received the following error after start intercepting traffic from genymotion

• 1687246756573 Error Proxy [2] The client failed to negotiate a TLS connection to b-www.facebook.com:443: Received fatal alert: certificate_unknown

Method
Patched APK or Frida

App info
latest

Device info
any

Proxy tool
mitmproxy: v8.1.1
brup: v2022.5.2

Logs
Frida or logcat logs, screenshots, mitmproxy event logs, Brup event log.

Additional context
Add any other context about the problem here.

I need help or need to see where I messed up. following commands were used for setting up my emulator with Frida

adb push frida-server /data/local/tmp/
adb shell chmod 777 /data/local/tmp/frida-server
adb push facebook-ssl-pinning-bypass.js /data/local/tmp/
adb push 9a5ba575.0 /data/local/tmp/cert-der.crt 
adb push 9a5ba575.0 /system/etc/security/cacerts/
adb shell chmod 644 /system/etc/security/cacerts/9a5ba575.0
adb shell "/data/local/tmp/frida-server &"
frida -U -f com.facebook.katana -l facebook-ssl-pinning-bypass.js

When use file packed then show error
[][] Hooked function: _ZN8proxygen15SSLVerification17verifyWithMetricsEbP17x509_store_ctx_stRKNSt6__ndk212basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEPNS0_31SSLFailureVerificationCallbacksEPNS0_31SSLSuccessVerificationCallbacksERKNS_15TimeUtilGenericINS3_6chrono12steady_clockEEERNS_10TraceEventE
[][] Failed tp hook function: X509_verify_cert
Error: libcoldstart.so: unable to find export 'X509_verify_cert'

i'm try with file new in google play then success(hook working) but using fiddler then can't handshake(can't trust cer).

Bug description

sydo26 in ~
❯ frida -U -l .\OneDrive\Documentos\bypass.js -f com.facebook.katana --no-pause
     ____
    / _  |   Frida 15.1.27 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawning `com.facebook.katana`...
[*][*] Waiting for library...
Spawned `com.facebook.katana`. Resuming main thread!
[Android Emulator 5554::com.facebook.katana ]-> [*][*] Found libcoldstart.so at: 0xb4a8e000
[*][*] Hooked function: _ZN8proxygen15SSLVerification17verifyWithMetricsEbP17x509_store_ctx_stRKNSt6__ndk212basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEPNS0_31SSLFailureVerificationCallbacksEPNS0_31SSLSuccessVerificationCallbacksERKNS_15TimeUtilGenericINS3_6chrono12steady_clockEEERNS_10TraceEventE
[*][*] Failed tp hook function: X509_verify_cert
Error: libcoldstart.so: unable to find export 'X509_verify_cert'

How to reproduce

Create virtual device with Android Studio with these settings:

• Api Level 30 (Google APIs) x86
• Android 11.0
• Pixel 4 XL
• Without Google Play

Start emulator in terminal:

> emulator -avd Pixel_4_XL_API_30 -writable-system

Root with adb:

> adb root
> adb shell avbctl disable-verification
> adb disable-verity
> adb reboot
> adb root
> adb remount

Start frida server in device:

> adb push ./frida-server /data/local/tmp
> adb shell "chmod 755 /data/local/tmp/frida-server"
> adb shell "/data/local/tmp/frida-server &"
> adb forward tcp:27042 tcp:27042
> adb forward tcp:27043 tcp:27043
> frida-ps -R

Install patched facebook:

> adb install .\facebook-v373.0.0.31.112-x86.apk

Start facebook for the first time.

And finally, start the bypass:

> frida -U -l ./bypass.js -f com.facebook.katana --no-pause

Environment & setup

• OS: Windows 11

When run "frida -U -l E:\LD1\LD1\bypassSSL.js -f com.facebook.katana --no-pause"
then show
____
/ _ | Frida 15.2.2 - A world-class dynamic instrumentation toolkit
| (| |
> _ | Commands:
// |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to VOG-AL00 (id=127.0.0.1:5557)
Spawning com.facebook.katana...
[][] Waiting for library...
Spawned com.facebook.katana. Resuming main thread!
[VOG-AL00::com.facebook.katana ]-> TypeError: cannot set property 'implementation' of undefined
at (/frida/repl-2.js:77)
at (frida/node_modules/frida-java-bridge/lib/vm.js:12)
at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:250)
at (frida/node_modules/frida-java-bridge/index.js:242)
at apply (native)
at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:620)
at (frida/node_modules/frida-java-bridge/lib/class-factory.js:598)
Process terminated
[VOG-AL00::com.facebook.katana ]->

how to fix this problem?

I installed patched apk at android 13 but it did not work.

Describe the bug
Patched APK and Frida not working on version 417.0.0.33.65 and for latest apk with updated offset also not working.

Method
Patched APK and Frida

Logs

Additional context

I have tried this on a newer version, but no luck. Please give it a check.

Regards,
brutexploiter