Null address in Sslpinning bypass of flutter app by using frida

Question

I was working on pentesting a flutter android app on genymotion x86 to bypass sslpinning by using this and this approaches, but my function address return null when running Frida.

First of all, by Ghidra found the address of the function which is (0x773c52) and here are bytes of early lines of this function: (\x55\x41\x57\x41\x56\x41\x55\x41\x54\x53\x48\x81\xec\xf8\x00\x00\x00\xc6) Then the correct offset of the address was found by binwalk:

C:\ >python binwalk -R " \x55\x41\x57\x41\x56\x41\x55\x41\x54\x53\x48\x81\xec\xf8\x00\x00\x00\xc6" <app_path>\lib\x86_64\libflutter.so

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
6761554       0x672C52        Raw signature (\x55\x41\x57\x41\x56\x41\x55\x41\x54\x53\x48\x81\xec\xf8\x00\x00\x00\xc6)

Next I used this address in Frida code like below:

function disablePinning(){
    var address = Module.findBaseAddress('lib/x86_64/libflutter.so').add(0x673c52)
    hook_ssl_verify_result(address);
}
setTimeout(disablePinning, 10000)

finally, when I was running the Frida Script, I faced the null address exception.

TypeError: cannot read property 'add' of null at disablePinning (/hook_ssl.js:20) at apply (native) at (frida/runtime/core.js:45)

null address error in frida

I also tried this with many different versions of Frida. Does anybody have any idea why this happened?

Thanks in advance.

score 2 · Answer 1 · answered Aug 15 '21 at 10:16

2

The problem of your code is that you mixed-up the module name with the file-name.

var address = Module.findBaseAddress('lib/x86_64/libflutter.so') returns null because the module name you have specified is wrong and thus the module was not found.

If you execute the the following code snippet you will see that the module name is never denoted with a path. The module name is the internal name of a library, usually it is identical to the file-name (but it can be different as far as I know).

Process.enumerateModules({
        onMatch: function(module){
            console.log('Module name: ' + module.name + " - Base Address: " + module.base.toString());
        }, 
        onComplete: function(){}
    });

Sample output for the code snippet of a regular Android app:

Module name: app_process64 - Base Address: 0x763b8e3000
Module name: libandroid_runtime.so - Base Address: 0x7637b04000
Module name: libbinder.so - Base Address: 0x763a365000
Module name: libcutils.so - Base Address: 0x763a7df000
Module name: libdl.so - Base Address: 0x763a20d000
Module name: libhwbinder.so - Base Address: 0x7637183000
Module name: liblog.so - Base Address: 0x763a9dd000
Module name: libnativeloader.so - Base Address: 0x7639fcc000
Module name: libutils.so - Base Address: 0x7636f92000
Module name: libwilhelm.so - Base Address: 0x7637e86000
Module name: libc++.so - Base Address: 0x7639bdb000
Module name: libc.so - Base Address: 0x7638d5e000
...

Considering this your code should work if you use 'libflutter.so' without the path name. If it is still not working get the list of modules of your app using the presented code snippet and identify the correct module name of the flutter library.

function disablePinning(){
    var address = Module.findBaseAddress('libflutter.so').add(0x673c52)
    hook_ssl_verify_result(address);
}

answered Aug 15 '21 at 10:16

Robert

39,162
17
99
152

Thanks for your response, at first I had tried 'libflutter.so' but when getting null error I changed it to path. Anyway by running your code, there is no module named libflutter.so in the output. How can I get which one is related to flutter library? – Maede Hojjati Aug 15 '21 at 12:18
@MaedeHojjati Have you checked the APK file that `libflutter.so` is included? If it is contained in the APK then it may be the case that it is not yet loaded when you execute the hooking code. I don't have much Flutter experience but considering [this issue](https://github.com/flutter/flutter/issues/56893) it seems like libflutter is loaded at run-time by Java code. I would recommend to decompile the Java part using Jadx and hook the method that loads the library, so that you can hook the method directly after the library has been loaded, or you directly hook the System.loadLibray method. – Robert Aug 15 '21 at 16:32
Applications that are fully created in Flutter will typically load the library at startup and the used timeout of 10 000 should be enough. However, it's perfectly possible to combine Flutter with other frameworks (or native code) and the Flutter functionality might only be loaded after specific functionality is triggered. Try combining the hook with a System.loadLibrary hook. An example can be found [here (scroll down)](https://github.com/frida/frida-java-bridge/issues/63) – Dauntless Aug 17 '21 at 09:57
@Robert Yes, `libflutter.so` exists in the APK file. I also check the app by `Process.findModuleByName("libflutter.so")` and returns null! The other flutter apps do the same(there is no modules named `libflutter.so`). Is there a possibility that it might be because of my processor(I mean x86)!? – Maede Hojjati Aug 19 '21 at 18:55
@MaedeHojjati Are you still using Genymotion emulator? There were some people having this problem using the Android emulator with an x86 image and ARM apps (latest Android emulators have a translation layer ARM to x86). On such an emulator modules could also not be found be we thought this is because of the translation layer. May be there is a general bug in Frida's Android x86 engine? – Robert Aug 19 '21 at 19:11
@Dauntless Thanks, by using [this frida code](https://codeshare.frida.re/@dzonerzy/whereisnative/), I can find flutter library, but the app crashed after that by the error of `Process crashed: java.lang.UnsatisfiedLinkError: Library flutter not found; tried [/system/lib/libflutter.so, /vendor/lib/libflutter.so]`. – Maede Hojjati Aug 20 '21 at 14:00
As @Robert indicates, this will only work if the application actually has the flutter apk compiled for x86. What's the location of the libflutter.so in the .apk ? Is the apk file publicly available? – Dauntless Aug 23 '21 at 10:33
@Dauntless Yes, the app uses flutter for x86 too. In `lib` folder the separate folder dedicated to `x86_64` which contains `libflutter.so` file. This problem occurs in all apps not only on this specific one for instance, I have same issue with the tested app which is described [here](https://blog.nviso.eu/2020/05/20/intercepting-flutter-traffic-on-android-x64/). Unfortunately, it isn’t publicly available. – Maede Hojjati Aug 24 '21 at 11:34

Null address in Sslpinning bypass of flutter app by using frida

1 Answers1