Null address in Sslpinning bypass of flutter app by using frida


I was working on pentesting a Flutter Android app on Genymotion x86 to bypass SSL pinning by using this and this approach, but my function address returns null when running Frida.

First of all, I found the address of the function with Ghidra, which is (0x773c52), and here are the bytes of the first lines of this function: (\x55\x41\x57\x41\x56\x41\x55\x41\x54\x53\x48\x81\xec\xf8\x00\x00\x00\xc6). Then the correct offset of the address was found by binwalk:

C:\ >python binwalk -R " \x55\x41\x57\x41\x56\x41\x55\x41\x54\x53\x48\x81\xec\xf8\x00\x00\x00\xc6" <app_path>\lib\x86_64\libflutter.so

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
6761554       0x672C52        Raw signature (\x55\x41\x57\x41\x56\x41\x55\x41\x54\x53\x48\x81\xec\xf8\x00\x00\x00\xc6)

Next I used this address in Frida code like below:

function disablePinning(){
    // Base address of the Flutter library plus the offset found with binwalk
    var address = Module.findBaseAddress('lib/x86_64/libflutter.so').add(0x673c52);
    // hook_ssl_verify_result() is defined elsewhere in the same script
    hook_ssl_verify_result(address);
}
// Give the app time to load libflutter.so before hooking
setTimeout(disablePinning, 10000);

Finally, when I ran the Frida script, I got the null address exception.

TypeError: cannot read property 'add' of null at disablePinning (/hook_ssl.js:20) at apply (native) at (frida/runtime/core.js:45)


I also tried this with many different versions of Frida. Does anybody have any idea why this happened?

Thanks in advance.


There is 1 answer

Robert

The problem with your code is that you mixed up the module name with the file name.

var address = Module.findBaseAddress('lib/x86_64/libflutter.so') returns null because the module name you have specified is wrong and thus the module was not found.

If you execute the following code snippet you will see that the module name is never denoted with a path. The module name is the internal name of a library; usually it is identical to the file name (but it can be different, as far as I know).

// List every module loaded in the target process with its name and base address
Process.enumerateModules({
    onMatch: function(module){
        console.log('Module name: ' + module.name + " - Base Address: " + module.base.toString());
    },
    onComplete: function(){}
});

Sample output for the code snippet of a regular Android app:

Module name: app_process64 - Base Address: 0x763b8e3000
Module name: libandroid_runtime.so - Base Address: 0x7637b04000
Module name: libbinder.so - Base Address: 0x763a365000
Module name: libcutils.so - Base Address: 0x763a7df000
Module name: libdl.so - Base Address: 0x763a20d000
Module name: libhwbinder.so - Base Address: 0x7637183000
Module name: liblog.so - Base Address: 0x763a9dd000
Module name: libnativeloader.so - Base Address: 0x7639fcc000
Module name: libutils.so - Base Address: 0x7636f92000
Module name: libwilhelm.so - Base Address: 0x7637e86000
Module name: libc++.so - Base Address: 0x7639bdb000
Module name: libc.so - Base Address: 0x7638d5e000
...

Considering this, your code should work if you use 'libflutter.so' without the path name. If it is still not working, get the list of modules of your app using the presented code snippet and identify the correct module name of the Flutter library.

function disablePinning(){
    var address = Module.findBaseAddress('libflutter.so').add(0x673c52)
    hook_ssl_verify_result(address);
}
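As an added example (not Robert's code and not from the question), the lookup below tolerates a path being passed where Frida expects a module name, by matching the file name at the end of each module's path, and it returns a readable error instead of the "cannot read property 'add' of null" TypeError. The helpers are pure functions over a constructed module list so they run under Node; the guarded block at the end is the assumed wiring into a live Frida session. The libflutter.so base address in the sample is made up; the 0x673c52 offset is the one from the question.

```javascript
// Strip any directory components: 'lib/x86_64/libflutter.so' -> 'libflutter.so'
function baseName(p) {
  return p.split(/[\\/]/).pop();
}

// Find a module by its internal name, or by the file name of its on-disk path.
// Returns null rather than throwing when nothing matches.
function findModule(modules, wanted) {
  const name = baseName(wanted);
  return modules.find(m => m.name === name || baseName(m.path || '') === name) || null;
}

// Compute base + offset, reporting why the lookup failed instead of crashing.
// Addresses are handled as BigInt so 64-bit arithmetic is exact; the result
// is returned as a 0x-prefixed hex string.
function resolveAddress(modules, wanted, offset) {
  const mod = findModule(modules, wanted);
  if (mod === null) {
    const known = modules.map(m => m.name).join(', ');
    return { address: null, error: `module '${wanted}' not loaded; loaded modules: ${known}` };
  }
  const addr = BigInt(mod.base) + BigInt(offset);
  return { address: '0x' + addr.toString(16), error: null };
}

// Constructed sample shaped like Frida's Process.enumerateModules() entries
// (the libflutter.so path and base are invented for this example).
const SAMPLE_MODULES = [
  { name: 'libc.so',       path: '/apex/com.android.runtime/lib64/bionic/libc.so',       base: '0x7638d5e000' },
  { name: 'libflutter.so', path: '/data/app/com.example.app/lib/x86_64/libflutter.so', base: '0x7a12340000' },
];

// Inside a Frida session (assumed wiring): run the same resolver over the
// live module list before handing the address to the hook.
if (typeof Process !== 'undefined') {
  const mods = Process.enumerateModules().map(m => ({ name: m.name, path: m.path, base: m.base.toString() }));
  const r = resolveAddress(mods, 'lib/x86_64/libflutter.so', 0x673c52);
  console.log(r.error ? r.error : 'target at ' + r.address);
}
```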