httptoolkit/frida-interception-and-unpinning

Game crashing with native-connect-hook.js script

Opened this issue · 3 comments

Hello.
There's this game that I think do not handle proxy well. Basically when httptoolkit runs, all in-game request fails. And on httptoolkit it shows Aborted connection to xxx.

Initially I thought that was a cert pinning issue but uppon trying the scripts in this repo it seems like an issue that the native-connect-hook.js is trying to solve, but it crashes with that.

frida -U \
    -l ./config.js \
    -l ./native-connect-hook.js \
    -f com.chillyroom.soulknightprequel

Game is com.chillyroom.soulknightprequel, error is:

Spawning `com.chillyroom.soulknightprequel`...                          

== Redirecting all TCP connections to 127.0.0.1:8000 ==
Spawned `com.chillyroom.soulknightprequel`. Resuming main thread!       
[M2012K11AG::com.chillyroom.soulknightprequel ]-> Manually intercepting connection to ::ffff:192.168.1.184:8000
Manually intercepting connection to ::ffff:192.168.1.184:8000
Manually intercepting connection to ::ffff:223.6.6.6:443
Manually intercepting connection to ::ffff:223.5.5.5:443
Manually intercepting connection to 172.67.70.14:443
Manually intercepting connection to 104.26.14.59:443
Manually intercepting connection to 104.26.15.59:443
Manually intercepting connection to [26:6:47:0:0:20:0:0:0:0:0:0:68:1a:e:3b]:443
Manually intercepting connection to [26:6:47:0:0:20:0:0:0:0:0:0:ac:43:46:e]:443
Manually intercepting connection to [26:6:47:0:0:20:0:0:0:0:0:0:68:1a:f:3b]:443
Process crashed: Trace/BPT trap

***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'POCO/alioth/alioth:13/TP1A.221005.002/0112:user/release-keys'
Revision: '0'
ABI: 'arm64'
Timestamp: 2024-08-02 22:57:56.871190341+0200
Process uptime: 11s
Cmdline: com.chillyroom.soulknightprequel
pid: 13767, tid: 13767, name: ulknightprequel  >>> com.chillyroom.soulknightprequel <<<
uid: 10284
signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
Abort message: 'terminating'
    x0  0000000000000000  x1  00000000000035c7  x2  0000000000000006  x3  0000007fcc8375d0
    x4  fefefefeff666d68  x5  fefefefeff666d68  x6  fefefefeff666d68  x7  7f7f7f7f7f7f7f7f
    x8  00000000000000f0  x9  00000077bf030a00  x10 0000000000000001  x11 00000077bf071840
    x12 000000000006f2f2  x13 0000000a172c793d  x14 0019468573c1d079  x15 00000000341555ac
    x16 00000077bf0e0d58  x17 00000077bf0bbe50  x18 00000077c916a000  x19 00000000000000ac
    x20 00000000000000b2  x21 00000000000035c7  x22 00000000000035c7  x23 00000000ffffffff
    x24 0000007fcc837830  x25 0000007fcc837778  x26 000000000000008d  x27 0000007fcc838390
    x28 000000000000000d  x29 0000007fcc837650
    lr  00000077bf062294  sp  0000007fcc8375b0  pc  00000077bf0622c4  pst 0000000000001000
***
[M2012K11AG::com.chillyroom.soulknightprequel ]->

Thank you for using Frida!

Wondering if you could help me on how to procede. Thanks for the great work!

Hi @CyriacBr, I've just had a quick test and I think this is because the traffic being sent here isn't HTTP.

When I use the script above (on a device which already trusts my CA certificate generally) I can see quite a few requests sent with garbed HTTP methods like SOT_ and similar, which is probably a message sent as part of some other non-HTTP protocol. Unfortunately that means you're in trouble here, since HTTP Toolkit (and other similar tools) don't support this. It's significantly more challenging to intercept an unknown protocol than to intercept just HTTP specifically. Does that make sense?

You may be able to make some progress with tools like Wireshark which can show the raw bytes back & forth for any protocol (it uses a different mechanism internally, so it's not actually a proxy at all) but you'll need to investigate that yourself, and it can be very significantly more difficult to set up.

Hi @pimterry , thank you so much for looking into this. Really appreciate the implication.

I understand everything you said. However I want to provide the information that HTTPToolkit used to work just fine few months ago (I wasn't playing much in the meanwhile). And even back then I would randomly bump into in game "connection error" prompts with the proxy enabled, which was always solved with turning off then on flight mode.

Also, I want to add that the crash happens during the loading screen while some stuff are being downloaded. I know 100% the game was using HTTP requests when actually playing because I could see everything in HTTPToolkit. It'd really surprise me if the dev scrapped everything for an obscure protocol but I guess that's still possible.

Thank you again.

It's hard to know what might have changed or what could cause this, but for the version I tested at least, there is no way that any of that SOT_ traffic is HTTP - they are definitely using a different protocol. In general I'm not aware of any way that normal HTTP traffic can end up broken inside HTTP Toolkit, so if you see any messages in HTTP Toolkit with HTTP methods that don't make sense and lots of errors shown there, you can safely assume the app is definitely sending something that's not HTTP.