曾几何时,我翻版了 Xposed 的 just_trust_me.apk,里面的 just_trust_me.js 脚本仿佛是一张通行证,让我们在 SSL Pinning 的高墙前轻松穿越。
但时代变了。BoringSSL、Cronet、静态 inline hook、动态 verify callback……一切都变得更加隐蔽和棘手。
今天,Hooker 终于补上了这块拼图 —— 支持 BoringSSL 的 unpinning。
这不仅是一小步的补丁,更是对抗“新时代证书信仰”的一次温柔叛逆。
我们不再只是 hook checkServerTrusted,而是深入到了 SSL_set_custom_verify、ssl_verify_cert_chain,直面 Cronet / Chromium 的加固体系。
🔓 世界依旧在加密,但我们依旧可以选择相信自己。
Hello again, BoringSSL.
And this time — Just Trust Me.
环境部署
1. git clone项目
stephen@ubuntu:~$ git clone https://github.com/CreditTone/hooker.git
stephen@ubuntu:~$ cd hooker
stephen@ubuntu:~$ ls
colorful.py com.xxxx.aegis mobile-deploy.tar
com.xxxx.wireless com.xxxx.meituan org.mokee.lawnchair
com.changba com.xxxx.kt.ktandroid org.mokee.weatherservice
com.google.android.youtube com.xxxx.gifmaker __pycache__
com.xxx.qukan com.ss.xxxx.xxx.news radar.dex
com.jzg.jzgoto.phone com.ss.xxx.xx.aweme README.md
com.xxx.weidian.buyer com.xxx.karaoke run_env.py
com.xxx.shiqutouch com.xxx.mm sogou.mobile.explorer
com.xx.shop hooker spider.py
com.xxxx.mall hooker.py traceJNI
com.xxx.meipaimv js xapk
com.miui.screenrecorder mobile-deploy.sh xinitdeploy.py
2. 安装依赖
stephen@ubuntu:~/hooker$ pip3 install -r requirements.txt
3. 手机连接adb
stephen@ubuntu:~/hooker$ adb devices
List of devices attached
FA77C0301476 device
4. 启动fridaserver
stephen@ubuntu:~/hooker$ adb shell #进入手机命令行界面
sailfish:/ $ su #进入root权限命令行模式
sailfish:/ $ cd /sdcard/mobile-deploy/
sailfish:/ $ sh deploy2.sh
disable android firewall.
start frida-server
deploy successfull.
stephen@ubuntu:~/hooker$ #如果你看到你的adb命令被弹出来了,表示已经正常部署。
5. 查看可调试进程
stephen@ubuntu:~/hooker$ ./hooker
PID Name Identifier
----- ----------------------------- -------------------------------------------------------------
2857 Android Auto com.google.android.projection.gearhead
1779 Android Services Library com.google.android.ext.services
929 Android 系统 android
5073 Carrier Services com.google.android.ims
11051 Device Health Services com.google.android.apps.turbo
2913 Device Personalization S… com.google.android.as
2522 Google com.google.android.googlequicksearchbox
15189 Google Play 商店 com.android.vending
2101 Google Play 服务 com.google.android.gms
2833 Google VR 服务 com.google.vr.vrcore
7710 Google 服务框架 com.google.android.gsf
2546 NFC服务 com.android.nfc
929 NetworkStack com.android.networkstack.inprocess
929 一体化位置信息 com.android.location.fused
14468 云端硬盘 com.google.android.apps.docs
14403 信息 com.google.android.apps.messaging
12073 存储已屏蔽的号码 com.android.providers.blockednumber
1574 实时数据壁纸 com.ustwo.lwp
12073 用户字典 com.android.providers.userdictionary
13362 电话 com.google.android.dialer
1704 电话和短信存储 com.android.providers.telephony
1704 电话服务 com.android.phone
Enter the need to attach package.
:
6. attach一个应用
stephen@ubuntu:~/hooker$ ./hooker
Enter the need to attach package.
: com.ss.xxx.xxxx.xxxme #在此处输入进程的Identifier即可调试应用
It'scom.ss.xxx.xxxx.xxxme that you have attached app.
提示: attach时hooker会将radar.dex文件拷贝到手机的/data/user/0/{package}/目录下,这样just_trust_me.js才能正常工作
7. 进入应用工作目录
打开另一个命令行窗口 cd com.ss.xxx.xxxx.xxxme 进入到你的应用工作目录
bogon:com.ss.xxx.xxxx.xxxme stephen256$ ll
total 360
-rw-r--r-- 1 stephen256 staff 7669 4 17 17:11 activity_events.js
-rw-r--r-- 1 stephen256 staff 5793 4 17 17:11 android_ui.js
-rwxrwxrwx 1 stephen256 staff 105 4 17 17:11 attach
-rw-r--r-- 1 stephen256 staff 2242 4 17 17:11 click.js
-rwxrwxrwx 1 stephen256 staff 374 4 17 17:11 disable_sslpinning
-rw-r--r-- 1 stephen256 staff 5836 4 17 17:11 dump_dex.js
-rw-r--r-- 1 stephen256 staff 4322 4 17 17:11 edit_text.js
-rw-r--r-- 1 stephen256 staff 0 4 17 17:11 empty.js
-rw-r--r-- 1 stephen256 staff 634 4 17 17:11 find_anit_frida_so.js
-rw-r--r-- 1 stephen256 staff 3016 4 17 17:11 find_boringssl_custom_verify_func.js
-rw-r--r-- 1 stephen256 staff 2531 4 17 17:11 hook_artmethod_register.js
-rw-r--r-- 1 stephen256 staff 14229 4 17 17:11 hook_jni_method_trace.js
-rw-r--r-- 1 stephen256 staff 2108 4 17 17:11 hook_register_natives.js
-rwxrwxrwx 1 stephen256 staff 162 4 17 17:11 hooking
-rw-r--r-- 1 stephen256 staff 32661 4 17 17:11 just_trust_me.js
-rw-r--r-- 1 stephen256 staff 3281 4 17 17:11 just_trust_me_for_ios.js
-rw-r--r-- 1 stephen256 staff 3180 4 17 17:11 just_trust_me_okhttp_hook_finder_for_android.js
-rw-r--r-- 1 stephen256 staff 4495 4 17 17:11 keystore_dump.js
-rwxrwxrwx 1 stephen256 staff 104 4 17 17:11 kill
-rw-r--r-- 1 stephen256 staff 1529 4 17 17:11 object_store.js
-rwxrwxrwx 1 stephen256 staff 102 4 17 17:11 objection
-rw-r--r-- 1 stephen256 staff 2353 4 17 17:11 replace_dlsym_get_pthread_create.js
-rwxrwxrwx 1 stephen256 staff 120 4 17 17:11 spawn
-rw-r--r-- 1 stephen256 staff 2561 4 17 17:11 spider.py
-rw-r--r-- 1 stephen256 staff 768 4 17 17:11 ssl_log.js
-rw-r--r-- 1 stephen256 staff 2371 4 17 17:11 text_view.js
-rw-r--r-- 1 stephen256 staff 3725 4 17 17:11 trace_initproc.js
-rw-r--r-- 1 stephen256 staff 4789 4 17 17:11 url.js
drwxr-xr-x 4 stephen256 staff 128 4 17 17:11 xinit
-rwxrwxrwx 1 stephen256 staff 5846 4 17 17:11 xinitdeploy
8. 使用just_trust_me.js
命令行执行 ./spawn just_trust_me.js 启动
bogon:com.ss.xxx.xxxx.xxxme stephen256$ ./spawn just_trust_me.js
____
/ _ | Frida 14.2.2 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://www.frida.re/docs/home/
Spawned `com.ss.xxx.xxxx.xxxme`. Resuming main thread!
[MI MAX 3::com.ss.xxx.xxxx.xxxme]-> android.net.http.X509TrustManagerExtensions.checkServerTrusted('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String') was hooked!
android.net.http.X509TrustManagerExtensions.checkServerTrusted('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String') was hooked!
android.net.http.X509TrustManagerExtensions.checkServerTrusted('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String') was hooked!
android.net.http.X509TrustManagerExtensions.checkServerTrusted('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String') was hooked!
android.net.http.X509TrustManagerExtensions.checkServerTrusted('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String') was hooked!
android.net.http.X509TrustManagerExtensions.checkServerTrusted('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String') was hooked!
javax.net.ssl.SSLContext.init('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom') was hooked!
android.net.http.X509TrustManagerExtensions.checkServerTrusted('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String') was hooked!
android.net.http.X509TrustManagerExtensions.checkServerTrusted('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String') was hooked!
javax.net.ssl.TrustManagerFactory.getTrustManagers() was hooked!
android.net.http.X509TrustManagerExtensions.checkServerTrusted('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String') was hooked!
javax.net.ssl.SSLContext.init('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom') was hooked!
javax.net.ssl.TrustManagerFactory.getTrustManagers() was hooked!
javax.net.ssl.SSLContext.init('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom') was hooked!
javax.net.ssl.TrustManagerFactory.getTrustManagers() was hooked!
javax.net.ssl.SSLContext.init('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom') was hooked!
祝大家抓包愉快!!!
