tsarpaul/ FBUnpinner

Python

facebook

certificate-pinning

Need help with FBUnpinner?

Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

tsarpaul

187 Stars

44 Forks

42 Commits

6 Opened issues

Description

Bypass Facebook/Instagram Certificate Pinning for Android

Services available

Need anything else?

Contributors list

Paul tsarpaul

# 291,435

Python

faceboo...

certifi...

assembl...

19 commits

Ron TwoUnderscorez

# 173,619

python3

rop

assembl...

pwnable

3 commits

Steven Zhao zpv

# 517,062

Python

faceboo...

certifi...

1 commit

phwd phwd

# 389,050

Shell

C++

fuzzing

1 commit

Readme

FBUnpinner

Name: FBUnpinner
Brand: FBUnpinner
SKU: //tsarpaul/FBUnpinner
Rating: 2.2175 (187 reviews)

Works for Instagram & Facebook

SUPPORTS:
TLS1.3 & TLS1.2 for x86/ARM32/ARM64
Instagram x86 currently does not work, feel free to open a pull request :)

A script to automate removing certificate pinning defense from Facebook applications.

TESTED FOR THE FOLLOWING APPS: - com.facebook.katana (Facebook for Android) - com.facebook.orca (Messenger) - com.facebook.lasso (Lasso) - com.instagram.android (Instagram for Android)

How-to

[REQUIRES ROOT]

Note: for Instagram replace lib-xzs/libcoldstart.so with lib-zstd/libliger.so

Make sure you have run the desired Facebook application atleast once - what happens is that the cert pinning library (libcoldstart.so) is unpacked from an archive embedded in the APK.
Get root shell in your device:
```
$(comp): adb shell
$(phone): su
```
Pull libcoldstart.so from your desired Facebook application:

Before version 255 path: /data/data/com.facebook.katana/lib-xzs/libcoldstart.so

#(phone): cp /data/data/com.facebook.katana/lib-superpack-xz/libcoldstart.so /sdcard/libcoldstart.so
#(phone): exit
$(phone): exit
$(comp): adb pull /sdcard/libcoldstart.so FBUnpinner/

Patch the file:

$ python3 patch.py

OR:

$ python3 patch.py libliger.so libliger-patched.so

Replace libcoldstart.so in the phone with the patched version: ``` $(comp): adb push libcoldstart-patched.so /sdcard/libcoldstart.so $(comp): adb shell $(phone): su

(phone): cp /sdcard/libcoldstart.so /data/data/com.facebook.katana/lib-superpack-xz/libcoldstart.so

(phone): chmod 777 /data/data/com.facebook.katana/lib-superpack-xz/libcoldstart.so
(Optional) Setting up Burp to work with TLS 1.3 ("no cipher suites in common")
```
/jdk-11.0.2.jdk/Contents/Home/bin/java -jar burpsuite_community.jar
```

TODO

A script to just patch an APK

Tested Emulators

Android Studio: Nexus6API_24 - Google APIs Intel Atom (x86)

Genymotion: Google Nexus 5X API 26 (x86)

Reference

https://serializethoughts.com/2016/08/18/bypassing-ssl-pinning-in-android-applications/
https://plainsec.org/how-to-bypass-instagram-ssl-pinning-on-android-v78/

About the developer

Description

Services available

Need anything else?

Contributors list

FBUnpinner

Works for Instagram & Facebook

How-to

[REQUIRES ROOT]

(phone): cp /sdcard/libcoldstart.so /data/data/com.facebook.katana/lib-superpack-xz/libcoldstart.so

(phone): chmod 777 /data/data/com.facebook.katana/lib-superpack-xz/libcoldstart.so

TODO

Tested Emulators

Reference