I have a jailbroken iPhone (iOS 12.4) that I can use to disable certificate pinning, which works great. However I want to intercept and download the certificate so I can use it directly in a proxy without needing certificate pinning.
I am quite new to Frida and I've been playing around with both frida-trace and Frida with a script, but I can't seem to import the SSL library to use some of the methods to get a certificate from an SSL context.
This is my current script:
    function overrideCustomVerify() {
        var SSL_CTX_set_custom_verify = Module.findExportByName("libboringssl.dylib", "SSL_CTX_set_custom_verify");
        if (SSL_CTX_set_custom_verify == null) {
            console.log("[!] SSL_CTX_set_custom_verify(...) not found!");
            return;
        }
        // Native function wrapper for the original SSL_CTX_set_custom_verify
        // (not used yet: the replacement below never forwards the call)
        var NEW_SSL_CTX_set_custom_verify = new NativeFunction(SSL_CTX_set_custom_verify, 'void', ['pointer', 'int', 'pointer']);
        // Hook: the replacement only logs the SSL_CTX pointer and returns, so the
        // app's own verify callback is never installed on that context
        Interceptor.replace(SSL_CTX_set_custom_verify, new NativeCallback(function(ssl_ctx, mode, callback) {
            console.log("[*] SSL_CTX_set_custom_verify(...) hit!");
            console.log(ssl_ctx);
        }, 'void', ['pointer', 'int', 'pointer']));
        // It's hooked!
        console.log("[*] SSL_CTX_set_custom_verify(...) hooked.");
    }

    overrideCustomVerify();
This logs:

    [*] SSL_CTX_set_custom_verify(...) hit!
    0x112049df8
I assume 0x112049df8 is the pointer to the SSL context. How can I fetch the certificate from this?
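As an added example (not part of the question and not the asker's script): a Frida script that keeps the app's own verify callback but wraps it, so that each certificate in the peer chain handed to the custom verifier is dumped as PEM from inside the callback, where BoringSSL makes the chain available through SSL_get0_peer_certificates. The script assumes that Apple's libboringssl.dylib exports SSL_get0_peer_certificates, sk_num, sk_value, CRYPTO_BUFFER_data and CRYPTO_BUFFER_len with their upstream BoringSSL signatures; that is an assumption the question does not confirm, so the script checks every export and bails out naming the first one that is missing. The DER sanity check and the PEM helper are pure JavaScript and run outside Frida as well.

```javascript
// Added example, not from the question: hook SSL_CTX_set_custom_verify in
// libboringssl.dylib, wrap the app's own verify callback and dump the peer
// certificate chain as PEM from inside it. ASSUMPTION: Apple's build exports
// SSL_get0_peer_certificates, sk_num, sk_value, CRYPTO_BUFFER_data and
// CRYPTO_BUFFER_len with upstream BoringSSL signatures (checked at install
// time; not confirmed by the question).
var LIB = 'libboringssl.dylib';
var B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
var keepAlive = [];  // NativeCallbacks must stay referenced or they get collected

// Base64-encode an array of byte values; Frida's runtime has no Buffer or btoa.
function base64(bytes) {
  var out = '';
  for (var i = 0; i < bytes.length; i += 3) {
    var b1 = bytes[i + 1], b2 = bytes[i + 2];
    var n = (bytes[i] << 16) | ((b1 || 0) << 8) | (b2 || 0);
    out += B64[(n >> 18) & 63] + B64[(n >> 12) & 63];
    out += (b1 === undefined) ? '=' : B64[(n >> 6) & 63];
    out += (b2 === undefined) ? '=' : B64[n & 63];
  }
  return out;
}

// Wrap DER bytes in a PEM CERTIFICATE block with 64-character lines.
function derToPem(bytes) {
  var lines = base64(bytes).match(/.{1,64}/g) || [];
  return '-----BEGIN CERTIFICATE-----\n' + lines.join('\n') +
         '\n-----END CERTIFICATE-----\n';
}

// Sanity check before trusting a dump: an X.509 certificate is a single DER
// SEQUENCE (tag 0x30) whose declared length fills the buffer exactly.
// Handles short-form and long-form (0x81..0x84) length encodings.
function looksLikeDerCertificate(bytes) {
  if (bytes.length < 2 || bytes[0] !== 0x30) return false;
  var headerLen = 2, bodyLen = bytes[1];
  if (bodyLen >= 0x80) {
    var n = bodyLen & 0x7f;
    if (n === 0 || n > 4 || bytes.length < 2 + n) return false;
    bodyLen = 0;
    for (var i = 0; i < n; i++) bodyLen = bodyLen * 256 + bytes[2 + i];
    headerLen = 2 + n;
  }
  return headerLen + bodyLen === bytes.length;
}

// Frida may return size_t as a UInt64 object or as a plain number.
function toNum(v) { return (typeof v === 'number') ? v : v.toNumber(); }

function installCertificateDumper() {
  var names = ['SSL_CTX_set_custom_verify', 'SSL_get0_peer_certificates',
               'sk_num', 'sk_value', 'CRYPTO_BUFFER_data', 'CRYPTO_BUFFER_len'];
  var addr = {};
  for (var i = 0; i < names.length; i++) {
    addr[names[i]] = Module.findExportByName(LIB, names[i]);
    if (addr[names[i]] === null) {
      console.log('[!] ' + names[i] + ' is not exported by ' + LIB + '; giving up');
      return false;
    }
  }
  var setCustomVerify = new NativeFunction(addr.SSL_CTX_set_custom_verify, 'void', ['pointer', 'int', 'pointer']);
  var getPeerCerts = new NativeFunction(addr.SSL_get0_peer_certificates, 'pointer', ['pointer']); // STACK_OF(CRYPTO_BUFFER) *
  var skNum   = new NativeFunction(addr.sk_num, 'size_t', ['pointer']);
  var skValue = new NativeFunction(addr.sk_value, 'pointer', ['pointer', 'size_t']);
  var bufData = new NativeFunction(addr.CRYPTO_BUFFER_data, 'pointer', ['pointer']);
  var bufLen  = new NativeFunction(addr.CRYPTO_BUFFER_len, 'size_t', ['pointer']);

  // Runs inside the custom verify callback: the chain is the one the server
  // presented in this handshake; entry 0 is the leaf.
  function dumpPeerChain(ssl) {
    var chain = getPeerCerts(ssl);
    if (chain.isNull()) { console.log('[!] no peer chain on SSL ' + ssl); return; }
    var count = toNum(skNum(chain));
    for (var i = 0; i < count; i++) {
      var buf = skValue(chain, i);
      var len = toNum(bufLen(buf));
      var bytes = len > 0 ? Array.prototype.slice.call(new Uint8Array(bufData(buf).readByteArray(len))) : [];
      var ok = looksLikeDerCertificate(bytes);
      console.log('[*] peer cert ' + i + '/' + count + ', ' + len + ' bytes' +
                  (ok ? '' : ' (WARNING: not a well-formed DER SEQUENCE)') + '\n' + derToPem(bytes));
    }
  }

  Interceptor.replace(addr.SSL_CTX_set_custom_verify, new NativeCallback(function (ctx, mode, callback) {
    console.log('[*] SSL_CTX_set_custom_verify(' + ctx + ', mode=' + mode + ', cb=' + callback + ')');
    // enum ssl_verify_result_t (*)(SSL *ssl, uint8_t *out_alert); 0 is ssl_verify_ok
    var original = callback.isNull() ? null : new NativeFunction(callback, 'int', ['pointer', 'pointer']);
    var wrapper = new NativeCallback(function (ssl, outAlert) {
      dumpPeerChain(ssl);
      // Forward to the app's own callback so its pinning verdict is unchanged.
      return original ? original(ssl, outAlert) : 0;
    }, 'int', ['pointer', 'pointer']);
    keepAlive.push(wrapper);
    // Calling the hooked address through a NativeFunction from inside the
    // replacement reaches the original implementation (Frida bypasses the hook).
    setCustomVerify(ctx, mode, wrapper);
  }, 'void', ['pointer', 'int', 'pointer']));
  return true;
}

// Only install when running inside Frida; the helpers above are plain JS.
if (typeof Interceptor !== 'undefined') installCertificateDumper();
```

Load it with `frida -U -f <bundle id> -l dump_peer_certs.js` (or attach to the running process) before the app opens its connections, since the hook only takes effect for contexts that call SSL_CTX_set_custom_verify after it is installed. If you would rather write the DER bytes straight to disk than copy PEM out of the console, replace the console.log in dumpPeerChain with `send({cert: i}, bufData(buf).readByteArray(len))` and save the binary payload from the host side. Note that what this captures is the server's certificate chain as presented on the wire; it does not contain any private key.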