hooker frida版just_trust_me.js 2025升级 支持boringssl unpinning

发布于:2025-04-19 ⋅ 阅读:(14) ⋅ 点赞:(0)

曾几何时,我翻版了 Xposed 的 just_trust_me.apk, just_trust_me.js 脚本仿佛是一张通行证,让我们在 SSL Pinning 的高墙前轻松穿越。

但时代变了。BoringSSL、Cronet、静态 inline hook、动态 verify callback……一切都变得更加隐蔽和棘手。

今天,hooker 终于补上了这块拼图 —— 支持 BoringSSL 的 unpinning。

这不仅是一小步的补丁,更是对抗“新时代证书信仰”的一次温柔叛逆。

我们不再只是 hook checkServerTrusted,而是深入到了 SSL_set_custom_verify、ssl_verify_cert_chain,直面 Cronet / Chromium 的加固体系。

世界依旧在加密,但我们依旧可以选择相信自己。

Hello again, BoringSSL.
And this time — Just Trust Me.

项目地址:

https://github.com/CreditTone/hooker

just_trust_me脚本地址:

https://github.com/CreditTone/hooker/blob/master/js/just_trust_me.js

hooker的just_trust_me依然深度绑定hooker,不能直接拷贝运行哦!得按hooker的使用指南来

环境部署

1. git clone项目
 
stephen@ubuntu:~$ git clone https://github.com/CreditTone/hooker.git
stephen@ubuntu:~$ cd hooker
stephen@ubuntu:~$ ls
colorful.py                 com.xxxx.aegis              mobile-deploy.tar
com.xxxx.wireless        com.xxxx.meituan          org.mokee.lawnchair
com.changba                 com.xxxx.kt.ktandroid     org.mokee.weatherservice
com.google.android.youtube  com.xxxx.gifmaker           __pycache__
com.xxx.qukan             com.ss.xxxx.xxx.news  radar.dex
com.jzg.jzgoto.phone        com.ss.xxx.xx.aweme     README.md
com.xxx.weidian.buyer    com.xxx.karaoke          run_env.py
com.xxx.shiqutouch        com.xxx.mm               sogou.mobile.explorer
com.xx.shop          hooker                       spider.py
com.xxxx.mall             hooker.py                    traceJNI
com.xxx.meipaimv          js                           xapk
com.miui.screenrecorder     mobile-deploy.sh             xinitdeploy.py
2. 安装依赖

  stephen@ubuntu:~/hooker$ pip3 install -r requirements.txt

3. frida-server环境部署


stephen@ubuntu:~/hooker$ adb push mobile-deploy/ /sdcard/
stephen@ubuntu:~/hooker$ adb shell #进入手机命令行界面
sailfish:/ $ su 
sailfish:/ $ cd /sdcard/mobile-deploy/
sailfish:/ $ sh deploy2.sh                                                            
start frida-server
deploy successfull.
sailfish:/ $ exit

4. 查看可调试进程
stephen@ubuntu:~/hooker$ ./hooker 
  PID  Name                           Identifier                                                   
-----  -----------------------------  -------------------------------------------------------------
 2857  Android Auto                   com.google.android.projection.gearhead                       
 1779  Android Services Library       com.google.android.ext.services                              
  929  Android 系统                     android                                                      
 5073  Carrier Services               com.google.android.ims                                       
11051  Device Health Services         com.google.android.apps.turbo                                
 2913  Device Personalization S…      com.google.android.as                                        
 2522  Google                         com.google.android.googlequicksearchbox                      
15189  Google Play 商店                 com.android.vending                                          
 2101  Google Play 服务                 com.google.android.gms                                       
 2833  Google VR 服务                   com.google.vr.vrcore                                         
 7710  Google 服务框架                    com.google.android.gsf                                       
 2546  NFC服务                          com.android.nfc                                              
  929  NetworkStack                   com.android.networkstack.inprocess                                                                   
  929  一体化位置信息                        com.android.location.fused                                   
14468  云端硬盘                           com.google.android.apps.docs                                 
14403  信息                             com.google.android.apps.messaging                            
12073  存储已屏蔽的号码                       com.android.providers.blockednumber                          
 1574  实时数据壁纸                         com.ustwo.lwp                                                                                                                    
12073  用户字典                           com.android.providers.userdictionary                         
13362  电话                             com.google.android.dialer                                    
 1704  电话和短信存储                        com.android.providers.telephony                              
 1704  电话服务                           com.android.phone                                                                                 
Enter the need to attach package.
:

5. attach一个应用

stephen@ubuntu:~/hooker$ ./hooker

Enter the need to attach package.
: com.ss.xxx.xxxx.xxxme  #在此处输入进程的Identifier即可调试应用
It'scom.ss.xxx.xxxx.xxxme that you have attached app.

6. 进入应用工作目录

这里我们可以看到hooker为我们的app逆向环境提供了非常多的工具,这里有板子、螺丝刀、老虎钳、热风枪、示波器、钛合金撬棍、八合一电动螺丝刀。不过本章节您只需要知道just_trust_me.js

bogon:com.ss.xxx.xxxx.xxxme stephen256$ ll
total 360
-rw-r--r--  1 stephen256  staff   7669  4 17 17:11 activity_events.js
-rw-r--r--  1 stephen256  staff   5793  4 17 17:11 android_ui.js
-rwxrwxrwx  1 stephen256  staff    105  4 17 17:11 attach
-rw-r--r--  1 stephen256  staff   2242  4 17 17:11 click.js
-rwxrwxrwx  1 stephen256  staff    374  4 17 17:11 disable_sslpinning
-rw-r--r--  1 stephen256  staff   5836  4 17 17:11 dump_dex.js
-rw-r--r--  1 stephen256  staff   4322  4 17 17:11 edit_text.js
-rw-r--r--  1 stephen256  staff      0  4 17 17:11 empty.js
-rw-r--r--  1 stephen256  staff    634  4 17 17:11 find_anit_frida_so.js
-rw-r--r--  1 stephen256  staff   3016  4 17 17:11 find_boringssl_custom_verify_func.js
-rw-r--r--  1 stephen256  staff   2531  4 17 17:11 hook_artmethod_register.js
-rw-r--r--  1 stephen256  staff  14229  4 17 17:11 hook_jni_method_trace.js
-rw-r--r--  1 stephen256  staff   2108  4 17 17:11 hook_register_natives.js
-rwxrwxrwx  1 stephen256  staff    162  4 17 17:11 hooking
-rw-r--r--  1 stephen256  staff  32661  4 17 17:11 just_trust_me.js
-rw-r--r--  1 stephen256  staff   3281  4 17 17:11 just_trust_me_for_ios.js
-rw-r--r--  1 stephen256  staff   3180  4 17 17:11 just_trust_me_okhttp_hook_finder_for_android.js
-rw-r--r--  1 stephen256  staff   4495  4 17 17:11 keystore_dump.js
-rwxrwxrwx  1 stephen256  staff    104  4 17 17:11 kill
-rw-r--r--  1 stephen256  staff   1529  4 17 17:11 object_store.js
-rwxrwxrwx  1 stephen256  staff    102  4 17 17:11 objection
-rw-r--r--  1 stephen256  staff   2353  4 17 17:11 replace_dlsym_get_pthread_create.js
-rwxrwxrwx  1 stephen256  staff    120  4 17 17:11 spawn
-rw-r--r--  1 stephen256  staff   2561  4 17 17:11 spider.py
-rw-r--r--  1 stephen256  staff    768  4 17 17:11 ssl_log.js
-rw-r--r--  1 stephen256  staff   2371  4 17 17:11 text_view.js
-rw-r--r--  1 stephen256  staff   3725  4 17 17:11 trace_initproc.js
-rw-r--r--  1 stephen256  staff   4789  4 17 17:11 url.js
drwxr-xr-x  4 stephen256  staff    128  4 17 17:11 xinit
-rwxrwxrwx  1 stephen256  staff   5846  4 17 17:11 xinitdeploy
7. 使用just_trust_me.js

命令行执行 ./spawn just_trust_me.js 启动

bogon:com.ss.xxx.xxxx.xxxme stephen256$ ./spawn just_trust_me.js
     ____
    / _  |   Frida 14.2.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://www.frida.re/docs/home/
Spawned `com.ss.xxx.xxxx.xxxme`. Resuming main thread!
[MI MAX 3::com.ss.xxx.xxxx.xxxme]-> android.net.http.X509TrustManagerExtensions.checkServerTrusted('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String') was hooked!
android.net.http.X509TrustManagerExtensions.checkServerTrusted('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String') was hooked!
android.net.http.X509TrustManagerExtensions.checkServerTrusted('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String') was hooked!
android.net.http.X509TrustManagerExtensions.checkServerTrusted('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String') was hooked!
android.net.http.X509TrustManagerExtensions.checkServerTrusted('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String') was hooked!
android.net.http.X509TrustManagerExtensions.checkServerTrusted('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String') was hooked!
javax.net.ssl.SSLContext.init('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom') was hooked!
android.net.http.X509TrustManagerExtensions.checkServerTrusted('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String') was hooked!
android.net.http.X509TrustManagerExtensions.checkServerTrusted('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String') was hooked!
javax.net.ssl.TrustManagerFactory.getTrustManagers() was hooked!
android.net.http.X509TrustManagerExtensions.checkServerTrusted('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String') was hooked!
javax.net.ssl.SSLContext.init('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom') was hooked!
javax.net.ssl.TrustManagerFactory.getTrustManagers() was hooked!
javax.net.ssl.SSLContext.init('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom') was hooked!
javax.net.ssl.TrustManagerFactory.getTrustManagers() was hooked!
javax.net.ssl.SSLContext.init('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom') was hooked!

板子、螺丝刀、热风枪、抓包钩子、动态脚本……连高温焊台和逻辑分析仪都给你安排得明明白白。普通应用?一套脚本过去直接开盖验芯。复杂点的?比如那些加了“加密外壳”的“短视频类社交平台”,你懂的——也不过是多拧几颗螺丝罢了。

至于某些深藏 BoringSSL 的“重量级工程”,hooker 里那份 just_trust_me.js 就像个万能钳,哪怕目标系统关得像保险柜,只要插进去一点缝,它就能让你“放心探索”整个流程逻辑,TLS握手仿佛穿了隐形斗篷,一切安全校验都悄悄按下了“稍后再提醒”。

我们当然不会说它能干什么,只能说——你不妨亲手试试,说不定,会有点小惊喜。

祝大家抓包愉快!!!

网站公告

今日签到

点亮在社区的每一天
去签到

热门文章

最新发布