# SSL Pinning Bypass

SSL Pinning Bypass yapmak için aşağıdaki depodan `android` için yapılmış olan `frida-serverx86-64` dosyasını buluyoruz.

Frida: <https://github.com/frida/frida/releases/tag/16.7.19>

İndirdiğimiz dosyanın ismini `frida-server` yapıyoruz ve aşağıdaki komutları çağırıyoruz. Bu komutlar ile frida-server dosyası android üzerine kopyalanmış oldu.

```bash
adb push frida-server /data/local/tmp
adb shell chmod 777 /data/local/tmp/frida-server

adb push cert-der.crt /data/local/tmp/cert-der.crt
adb shell chmod 777 /data/local/tmp/cert-der.crt
```

Şimdi aşağıdaki komutlar ile frida-server dosyasını çalıştırıyoruz.

```bash
adb shell
su
./data/local/tmp/frida-server
```

Frida-server'ı çalıştırdıktan sonra aşağıdaki araçları yüklüyoruz. Eğer python yüklü değilse yüklememiz gerekiyor.

```bash
pip install frida==16.7.19 frida-tools objection==1.11.0
```

* SSL Pinning Bypass : <https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/>
* Root Detection Bypass: <https://codeshare.frida.re/@dzonerzy/fridantiroot/>
* Biometric Bypass: <https://codeshare.frida.re/@ax/universal-android-biometric-bypass/>

<figure><img src="/files/4LAIlF8IK4lecaegPYrg" alt=""><figcaption></figcaption></figure>

```bash
frida-ps -Uia
frida -U -f <identifier> -l ssl.js -l root.js
```

Aynı işlemi `objection` ile de yapabilirsiniz.

```bash
objection -g <identifier> explore
objection -g 20769 explore
import ssl.js
android hooking list activities
android intent launch_activity
android intent launch_service


android sslpinning disable
android root disable
android hooking list services
android hooking get current_activity
```

### Global Proxy

```bash
# Aktif
adb shell settings put global http_proxy 192.168.1.6:8080
adb shell settings put global https_proxy 192.168.1.6:8080

# Kapalı
adb shell settings put global http_proxy :0
```

### Frida Hook

```
Java.perform(function() {
    var Log = Java.use("android.util.Log");
    Log.d.overload('java.lang.String', 'java.lang.String', 'java.lang.Throwable').implementation = function(a, b, c) {
        console.log("The application reports Log.d(" + a.toString() + ", " + b.toString() + ")");
        return this.d(a, b, c);
    };
    Log.v.overload('java.lang.String', 'java.lang.String', 'java.lang.Throwable').implementation = function(a, b, c) {
        console.log("The application reports Log.v(" + a.toString() + ", " + b.toString() + ")");
        return this.v(a, b, c);
    };

    Log.i.overload('java.lang.String', 'java.lang.String', 'java.lang.Throwable').implementation = function(a, b, c) {
        console.log("The application reports Log.i(" + a.toString() + ", " + b.toString() + ")");
        return this.i(a, b, c);
    };
    Log.e.overload('java.lang.String', 'java.lang.String', 'java.lang.Throwable').implementation = function(a, b, c) {
        console.log("The application reports Log.e(" + a.toString() + ", " + b.toString() + ")");
        return this.e(a, b, c);
    };
    Log.w.overload('java.lang.String', 'java.lang.String', 'java.lang.Throwable').implementation = function(a, b, c) {
        console.log("The application reports Log.w(" + a.toString() + ", " + b.toString() + ")");
        return this.w(a, b, c);
    };
    Log.d.overload('java.lang.String', 'java.lang.String').implementation = function(a, b) {
        console.log("The application reports Log.d(" + a.toString() + ", " + b.toString() + ")");
        return this.d(a, b);
    };
    Log.v.overload('java.lang.String', 'java.lang.String').implementation = function(a, b) {
        console.log("The application reports Log.v(" + a.toString() + ", " + b.toString() + ")");
        return this.v(a, b);
    };

    Log.i.overload('java.lang.String', 'java.lang.String').implementation = function(a, b) {
        console.log("The application reports Log.i(" + a.toString() + ", " + b.toString() + ")");
        return this.i(a, b);
    };
    Log.e.overload('java.lang.String', 'java.lang.String').implementation = function(a, b) {
        console.log("The application reports Log.e(" + a.toString() + ", " + b.toString() + ")");
        return this.e(a, b);
    };
    Log.w.overload('java.lang.String', 'java.lang.String').implementation = function(a, b) {
        console.log("The application reports Log.w(" + a.toString() + ", " + b.toString() + ")");
        return this.w(a, b);
    };

});
```

```
am start -n com.example.myapplication/com.example.myapplication.AccountPage
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://yigitsengezer.gitbook.io/siber-guvenlik-notlari/android-pentesting/ssl-pinning-bypass.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.