Game crashing with native-connect-hook.js script
Opened this issue · 3 comments
Hello.
There's this game that I think do not handle proxy well. Basically when httptoolkit runs, all in-game request fails. And on httptoolkit it shows Aborted connection to xxx
.
Initially I thought that was a cert pinning issue but uppon trying the scripts in this repo it seems like an issue that the native-connect-hook.js
is trying to solve, but it crashes with that.
frida -U \
-l ./config.js \
-l ./native-connect-hook.js \
-f com.chillyroom.soulknightprequel
Game is com.chillyroom.soulknightprequel
, error is:
Spawning `com.chillyroom.soulknightprequel`...
== Redirecting all TCP connections to 127.0.0.1:8000 ==
Spawned `com.chillyroom.soulknightprequel`. Resuming main thread!
[M2012K11AG::com.chillyroom.soulknightprequel ]-> Manually intercepting connection to ::ffff:192.168.1.184:8000
Manually intercepting connection to ::ffff:192.168.1.184:8000
Manually intercepting connection to ::ffff:223.6.6.6:443
Manually intercepting connection to ::ffff:223.5.5.5:443
Manually intercepting connection to 172.67.70.14:443
Manually intercepting connection to 104.26.14.59:443
Manually intercepting connection to 104.26.15.59:443
Manually intercepting connection to [26:6:47:0:0:20:0:0:0:0:0:0:68:1a:e:3b]:443
Manually intercepting connection to [26:6:47:0:0:20:0:0:0:0:0:0:ac:43:46:e]:443
Manually intercepting connection to [26:6:47:0:0:20:0:0:0:0:0:0:68:1a:f:3b]:443
Process crashed: Trace/BPT trap
***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'POCO/alioth/alioth:13/TP1A.221005.002/0112:user/release-keys'
Revision: '0'
ABI: 'arm64'
Timestamp: 2024-08-02 22:57:56.871190341+0200
Process uptime: 11s
Cmdline: com.chillyroom.soulknightprequel
pid: 13767, tid: 13767, name: ulknightprequel >>> com.chillyroom.soulknightprequel <<<
uid: 10284
signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
Abort message: 'terminating'
x0 0000000000000000 x1 00000000000035c7 x2 0000000000000006 x3 0000007fcc8375d0
x4 fefefefeff666d68 x5 fefefefeff666d68 x6 fefefefeff666d68 x7 7f7f7f7f7f7f7f7f
x8 00000000000000f0 x9 00000077bf030a00 x10 0000000000000001 x11 00000077bf071840
x12 000000000006f2f2 x13 0000000a172c793d x14 0019468573c1d079 x15 00000000341555ac
x16 00000077bf0e0d58 x17 00000077bf0bbe50 x18 00000077c916a000 x19 00000000000000ac
x20 00000000000000b2 x21 00000000000035c7 x22 00000000000035c7 x23 00000000ffffffff
x24 0000007fcc837830 x25 0000007fcc837778 x26 000000000000008d x27 0000007fcc838390
x28 000000000000000d x29 0000007fcc837650
lr 00000077bf062294 sp 0000007fcc8375b0 pc 00000077bf0622c4 pst 0000000000001000
***
[M2012K11AG::com.chillyroom.soulknightprequel ]->
Thank you for using Frida!
Wondering if you could help me on how to procede. Thanks for the great work!
Hi @CyriacBr, I've just had a quick test and I think this is because the traffic being sent here isn't HTTP.
When I use the script above (on a device which already trusts my CA certificate generally) I can see quite a few requests sent with garbed HTTP methods like SOT_
and similar, which is probably a message sent as part of some other non-HTTP protocol. Unfortunately that means you're in trouble here, since HTTP Toolkit (and other similar tools) don't support this. It's significantly more challenging to intercept an unknown protocol than to intercept just HTTP specifically. Does that make sense?
You may be able to make some progress with tools like Wireshark which can show the raw bytes back & forth for any protocol (it uses a different mechanism internally, so it's not actually a proxy at all) but you'll need to investigate that yourself, and it can be very significantly more difficult to set up.
Hi @pimterry , thank you so much for looking into this. Really appreciate the implication.
I understand everything you said. However I want to provide the information that HTTPToolkit used to work just fine few months ago (I wasn't playing much in the meanwhile). And even back then I would randomly bump into in game "connection error" prompts with the proxy enabled, which was always solved with turning off then on flight mode.
Also, I want to add that the crash happens during the loading screen while some stuff are being downloaded. I know 100% the game was using HTTP requests when actually playing because I could see everything in HTTPToolkit. It'd really surprise me if the dev scrapped everything for an obscure protocol but I guess that's still possible.
Thank you again.
It's hard to know what might have changed or what could cause this, but for the version I tested at least, there is no way that any of that SOT_
traffic is HTTP - they are definitely using a different protocol. In general I'm not aware of any way that normal HTTP traffic can end up broken inside HTTP Toolkit, so if you see any messages in HTTP Toolkit with HTTP methods that don't make sense and lots of errors shown there, you can safely assume the app is definitely sending something that's not HTTP.