Add instagram app support #82
@@ -37,11 +37,16 @@ const TARGET_LIBS = [ | |
{ name: 'libsscronet.so', hooked: false }, // Cronet on Android | ||
{ name: 'boringssl', hooked: false }, // Bundled by some apps e.g. TikTok on iOS | ||
{ name: 'libssl.so', hooked: false }, // Native OpenSSL in Android | ||
{ name: 'libliger.so', hooked: false }, // Facebook proxygen | ||
]; | ||
|
||
TARGET_LIBS.forEach((targetLib) => { | ||
waitForModule(targetLib.name, (moduleName) => { | ||
patchTargetLib(moduleName); | ||
if(moduleName === 'libliger.so'){ | ||
hook_proxygen_SSLVerification(moduleName); | ||
}else{ | ||
patchTargetLib(moduleName); | ||
} | ||
targetLib.hooked = true; | ||
}); | ||
|
||
|
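Review bot: the dispatch on `moduleName === 'libliger.so'` hardcodes the library name a second time, separately from its entry in `TARGET_LIBS`, and `targetLib.hooked = true` is set whether or not the chosen hook actually attached. Consider giving each `TARGET_LIBS` entry an optional handler (e.g. `{ name: 'libliger.so', hooked: false, hook: hook_proxygen_SSLVerification }`), falling back to `patchTargetLib` when none is set, and having the handler return a boolean so `hooked` reflects the real outcome. The `if(`/`}else{` spacing also differs from the `if (...) {` / `} else {` style used elsewhere in this block.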
@@ -56,6 +61,23 @@ TARGET_LIBS.forEach((targetLib) => { | |
} | ||
}); | ||
|
||
function hook_proxygen_SSLVerification(library) { | ||
const functionName = "_ZN8proxygen15SSLVerification17verifyWithMetricsEbP17x509_store_ctx_stRKNSt6__ndk112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEPNS0_31SSLFailureVerificationCallbacksEPNS0_31SSLSuccessVerificationCallbacksERKNS_15TimeUtilGenericINS3_6chrono12steady_clockEEERNS_10TraceEventE"; | ||
|
||
try { | ||
const f = Module.getExportByName(library, functionName); | ||
|
||
Interceptor.attach(f, { | ||
onLeave: function (retvalue) { | ||
retvalue.replace(1); | ||
This is definitely interesting, but it's tricky - right now all the existing scripts allow TLS interception just by the one extra MitM CA, but this line disables TLS validation completely for this code 😬 That creates some potential security problems. Even if you're intercepting Instagram traffic yourself, you probably don't want the risk that anybody on your local network could intercept you and steal your Instagram account. All the other hooks handle this by using related APIs to actually validate the certificate, and just trust the one extra cert that's configured. That doesn't have this problem, but I think that's impractically difficult here since there's no public code & docs available for libliger anywhere I can see. We can't easily tell what certificate this function is handling. I think there's probably a route through here. What do you think about adding a
|
||
} | ||
}); | ||
console.log(`[+] Hooked function: ${functionName}`); | ||
} catch (err) { | ||
console.log(`[-] Failed to hook function: ${functionName}: ${err.toString()}`); | ||
} | ||
} | ||
|
||
function patchTargetLib(targetLib) { | ||
// Get the peer certificates from an SSL pointer. Returns a pointer to a STACK_OF(CRYPTO_BUFFER) | ||
// which requires use of the next few methods below to actually access. | ||
|
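Review bot: `hook_proxygen_SSLVerification` catches every error from `Module.getExportByName` and `Interceptor.attach`, logs it and returns nothing, so a missing or renamed symbol leaves the caller in the `TARGET_LIBS` loop believing the library was handled; return `true`/`false` (or rethrow) so the outcome can be recorded. The `onLeave` handler also calls `retvalue.replace(1)` unconditionally, discarding the leading `bool` and `x509_store_ctx_st*` parameters visible in the mangled name; if the override stays, capturing those in `onEnter` and only forcing success when the chain ends at the configured interception CA would keep the rest of the verification intact, as the comment above notes the other hooks in this file do. A short comment giving the demangled signature would help maintainers, since the raw mangled string is unreadable as written.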
@@ -190,5 +212,4 @@ function patchTargetLib(targetLib) { | |
} else if (customVerifyAddrs.length) { | ||
console.log(`Patched ${customVerifyAddrs.length} custom_verify methods, but couldn't find get_psk_identity`); | ||
} | ||
} | ||
|
||
} |
Any idea how consistent this name is? It looks like the kind of thing that might change frequently between releases.
Can we match against this instead, with something like
*proxygen*SSLVerification*verifyWithMetrics*FailureVerificationCallbacks*
? That seems likely to be sufficiently specific but much less likely to change in future.
I don't know, this method name is taken from libliger.so. It works.