參考文檔https://bbs.kanxue.com/thread-261941.htm
一.從安裝的app所在文件夾目錄中提出libflutter.so
cd /data/app/包名/lib/xxx/..../...libflutter.so
二.將其拖入ida中進行分析
字符串窗口搜索ssl_server
按x進入
F5看了一下和上面博客說的相似
不理解上面說的也沒事模仿總會吧
訪問https://armconverter.com
把函數入口的內容複製進去
修改js
function hook_ssl_verify_result(address) {
Interceptor.attach(address, {
onEnter: function(args) {
console.log("Disabling SSL validation")
},
onLeave: function(retval) {
console.log("Retval: " + retval);
retval.replace(0x1);
console.log("Modified Retval: " + retval);
}
});
}
function hookFlutter() {
var m = Process.findModuleByName("libflutter.so");
console.log(m)
var pattern = "2D E9 F0 4F 85 B0 06 46 50 20 10 70";
console.log(m.base, m.size)
var res = Memory.scan(m.base, m.size, pattern, {
onMatch: function(address, size){
console.log('[+] ssl_verify_result found at: ' + address.toString());
hook_ssl_verify_result(address.add(0x01));
// hook_ssl_verify_result(address);
},
onError: function(reason){
console.log('[!] There was an error scanning memory');
},
onComplete: function() {
console.log("All done")
}
});
}
hookFlutter();
然後開始hook
後面就發現結合drony抓發就可以抓到包了