
Fishing Clash app. Some super-duper pinning protection. #89

Open
Yarogleck opened this issue Apr 22, 2024 · 2 comments

Comments


Yarogleck commented Apr 22, 2024

There’s a game called Fishing Clash. I’ve been trying to peek into and analyze the HTTPS traffic that this game sends and receives. The game is built on Unity3D, and the crucial networking part operates over RPC via HTTPS. When you cast your fishing line and hook a fish, a mini-game begins where you have to reel in the line. During this time, you don’t know what kind of fish it is, its weight, or quality until you actually catch it. However, all the complete data is sent right at the start of the mini-game.

I’ve been using a script android-certificate-unpinning.js successfully in the Chrome browser and the Twitter (X) app. But as soon as I use it with com.tensquaregames.letsfish2 (Fishing Clash), it seems some clever ssl pinning defense mechanism kicks in, and the app doesn’t progress beyond the connection stage.

I haven’t noticed anything else suspicious. Even intercepting via a VPN method yields the same result. Perhaps this is some intricate defense related to DNSSEC. In any case, I’ve been grappling with this for several days now and would greatly appreciate any assistance.

**Android**

Http ToolKit View:
Aborted connection to letsfish2-b-servers.cf-tsg.net.

Logcat:
I /system/bin/netd: gethostby*.getanswer: asked for ‘letsfish2-b-servers.cf-tsg.net IN A’, got type ‘RRSIG’.

Frida command:

```shell
frida -H 127.0.0.1:27042 -l ./config.js -l ./native-connect-hook.js -l ./native-tls-hook.js -l ./android/android-proxy-override.js -l ./android/android-system-certificate-injection.js -l ./android/android-certificate-unpinning.js -l ./android/android-certificate-unpinning-fallback.js -f com.tensquaregames.letsfish2
```

Frida log:

     ____
    / _  |   Frida 16.2.1 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to 127.0.0.1:27042 ([email protected]:27042)
Spawning `com.tensquaregames.letsfish2`...

*** Starting scripts ***
== Redirecting all TCP connections to .192.168.0.666:8000 ==
[+] Patched 2 libssl.so verification methods
== Hooked native TLS lib libssl.so ==
Spawned `com.tensquaregames.letsfish2`. Resuming main thread!
[Remote::com.tensquaregames.letsfish2 ]-> == Proxy system configuration overridden to .192.168.0.666:8000 ==
Rewriting <class: java.net.ProxySelector>
Rewriting <class: sun.net.spi.DefaultProxySelector>
== Proxy configuration overridden to .192.168.0.666:8000 ==
[+] Injected cert into com.android.org.conscrypt.TrustedCertificateIndex
[ ] Skipped cert injection for org.conscrypt.TrustedCertificateIndex (not present)
[ ] Skipped cert injection for org.apache.harmony.xnet.provider.jsse.TrustedCertificateIndex (not present)
== System certificate trust injected ==

    === Disabling all recognized unpinning libraries ===
[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[ ] com.android.org.conscrypt.CertPinManager isChainValid
[+] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init(*) (0)
[+] android.security.net.config.NetworkSecurityConfig $init(*) (1)
[+] com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
[+] com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] okhttp3.CertificatePinner *
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==
*** Scripts completed ***

Ignoring attempt to clear http.proxyHost system property
Ignoring attempt to clear https.proxyHost system property
Ignoring attempt to clear http.proxyPort system property
Ignoring attempt to clear https.proxyPort system property
Ignoring attempt to clear http.nonProxyHosts system property
Ignoring attempt to clear https.nonProxyHosts system property
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 102 to null (-1)
 => com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 117 to null (-1)
 => com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 118 to {"ip":"::ffff:.192.168.0.666","port":8000} (0)
Connected tcp6 fd 119 to {"ip":"::ffff:.192.168.0.666","port":8000} (0)
Connected tcp6 fd 120 to {"ip":"::ffff:.192.168.0.666","port":8000} (0)
 => com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
 => com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
 => com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
 => com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 127 to {"ip":"::ffff:.192.168.0.666","port":8000} (0)
 => com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
 => com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 128 to {"ip":"::ffff:.192.168.0.666","port":8000} (0)
 => com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
 => com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
Ignoring unix:stream connection
Manually intercepting connection to 148.113.162.153:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 109 to null (-1)
Manually intercepting connection to 15.235.66.182:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 137 to {"ip":".192.168.0.666","port":8000} (-1)
Manually intercepting connection to 15.235.54.61:443                        <---- This is letsfish2-b-servers.cf-tsg.net
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 136 to null (-1)
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 110 to null (-1)
Ignoring unix:stream connection
Manually intercepting connection to 148.113.162.153:443
Ignoring unix:stream connection
Connected tcp fd 91 to null (-1)
Manually intercepting connection to 15.235.66.182:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 134 to {"ip":".192.168.0.666","port":8000} (-1)
Manually intercepting connection to 15.235.54.61:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 135 to null (-1)
 => com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 135 to null (-1)
 => com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
Ignoring unix:stream connection
Manually intercepting connection to 148.113.162.153:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 140 to null (-1)
Manually intercepting connection to 15.235.66.182:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 141 to null (-1)
Manually intercepting connection to 15.235.54.61:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 142 to null (-1)
Ignoring unix:stream connection
Manually intercepting connection to 148.113.162.153:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 119 to null (-1)
Manually intercepting connection to 15.235.66.182:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 142 to null (-1)
Manually intercepting connection to 15.235.54.61:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp fd 144 to null (-1)
Ignoring unix:stream connection
Process terminated    <- I killed it
@pimterry (Member)

Hard to know I'm afraid. I think that DNS error is probably a red herring - it's reported elsewhere (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213178) as a logging issue that doesn't actually affect DNS queries, and I'd be surprised if that was the main problem here.

One thing that is unusual is that your IP address in all that output has a preceding . (i.e. .192.168.0.666 instead of 192.168.0.666). Presumably that's coming from your config.js. If you remove that, does it work correctly?

Yarogleck (Author) commented Apr 23, 2024

> Hard to know I'm afraid. I think that DNS error is probably a red herring - it's reported elsewhere (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213178) as a logging issue that doesn't actually affect DNS queries, and I'd be surprised if that was the main problem here.

Regarding the red herring, you might be right. It’s just that this is the only suspicious thing that I found, and it’s the only connection between Http ToolKit View showing "Aborted connection to letsfish2-b-servers.cf-tsg.net" and the log in Logcat. And it seems letsfish2-b-servers.cf-tsg.net is where the main RPC logic happens. My Android platform proficiency prevented me from finding any other leads.

> One thing that is unusual is that your IP address in all that output has a preceding . (i.e. .192.168.0.666 instead of 192.168.0.666). Presumably that's coming from your config.js. If you remove that, does it work correctly?

Regarding the Dot, I have no idea where it came from. Here’s what the config looks like:

```javascript
// Put your intercepting proxy's address here:
const PROXY_HOST = '192.168.0.666';
const PROXY_PORT = 8000;

// If you like, set this to true to enable extra logging:
const DEBUG_MODE = true;
```

(666 is just a quick replacement for this chat)

UPD: It seems the issue with Dot has somehow disappeared, but it doesn’t affect the problem with the game.

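For anyone debugging an interception setup like this one, an added example (not code from the issue or from HTTP Toolkit's scripts) that triages the native-connect-hook output above: it pairs each "Manually intercepting connection to HOST:PORT" line with the connect result that follows and flags any proxy address that is not a well-formed IPv4 literal, which is exactly what the stray leading dot pimterry noticed would trigger. It assumes those log lines arrive in the order shown; the sample lines are constructed from the issue's own log.

```javascript
// Added example, not code from the issue or HTTP Toolkit. Pairs each
// "Manually intercepting connection to HOST:PORT" line with the next
// "Connected ... to TARGET (rc)" line (assumed to arrive in that order)
// and validates every proxy address seen as a dotted-quad IPv4 literal.
const OCTET = '(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
const IPV4_LITERAL = new RegExp(`^${OCTET}(\\.${OCTET}){3}$`);

function isValidIPv4(host) {
  return IPV4_LITERAL.test(host);
}
// Returns connect records {dest, target, rc} and a Map of proxy IP -> valid.
function triageConnectLog(text) {
  const results = [];
  const proxies = new Map();
  let pending = null; // destination announced but not yet connected
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    let m = line.match(/^Manually intercepting connection to (\S+)/);
    if (m) { pending = m[1]; continue; }
    m = line.match(/^Connected tcp6? fd \d+ to (.+) \((-?\d+)\)$/);
    if (!m) continue;
    results.push({ dest: pending, target: m[1], rc: Number(m[2]) });
    pending = null;
    if (m[1].startsWith('{')) {
      // e.g. {"ip":"::ffff:.192.168.0.666","port":8000}: drop the v4-mapped prefix
      const ip = JSON.parse(m[1]).ip.replace(/^::ffff:/, '');
      proxies.set(ip, isValidIPv4(ip));
    }
  }
  return { results, proxies };
}
function summarize(text) {
  const { results, proxies } = triageConnectLog(text);
  const failed = results.filter(r => r.rc < 0);
  return {
    total: results.length,
    failed: failed.length,
    failedDests: failed.filter(r => r.dest).map(r => r.dest),
    malformedProxy: [...proxies].filter(([, ok]) => !ok).map(([ip]) => ip),
  };
}
// Constructed sample, built from the issue's own log lines.
const SAMPLE_LOG = [
  'Connected tcp6 fd 118 to {"ip":"::ffff:.192.168.0.666","port":8000} (0)',
  'Manually intercepting connection to 148.113.162.153:443',
  'Connected tcp fd 109 to null (-1)',
  'Manually intercepting connection to 15.235.66.182:443',
  'Connected tcp fd 137 to {"ip":".192.168.0.666","port":8000} (-1)',
  'Manually intercepting connection to 15.235.54.61:443',
  'Connected tcp fd 136 to null (-1)',
].join('\n');
```

Note that the page's placeholder 666 is rejected by the octet check as well, so on a real config the dot check and the range check together cover both kinds of typo.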