Target
analyze
When capturing packets, it will prompt发送失败,请重试
At this time, using general hook scripts, such as objection自带的绕过pinning
functions, cannot be bypassed
Let's change the way of thinking. When the app verifies the certificate, it will go through 打开证书
this step. We will go to the hook 打开文件
method and useobjection就比较方便
It needs to be at startup hookFile类
, so --startup-command
the parameters are used
objection -g cn.ticktick.task explore --startup-command "android hooking watch class_method java.io.File.$init --dump-args --dump-backtrace"
Observing the results, you can find the following keywords, through which certificate pinning can be achieved
hook code
function main() {
Java.perform(function () {
var amf = Java.use("am.f");
amf.a.implementation = function (arg) {
console.log("hook到了");
console.log(arg);
}
})
}
setImmediate(main);
// frida -U -f cn.ticktick.task -l 测试.js --no-pause
success