The Plan#

So first I made some drafts of the plan and here is the conclusion:

1. We needed to recreate the original xamarin SSL pinning bypass to make it work with frida 17 apis. This was a prerequisite to be done, since it had a lot of functions and methods that do not work anymore in frida 17.
2. We needed some app that we know to test on. Luckily, alxbl already provided the src code of the xamarin sample app. Cloned it, rebuilt it using latest maui, changed the deprecated functions and methods, added some verbose logging, and compiled using JIT first then AOT second after getting JIT to work (at least we know that it should work) :“D
3. We needed to understand why the original script crashes on MAUI using the JIT compile, and build a generic bypass that does not hardcode any app-specific class names.
4. We needed to test it on an AOT compiled app and check its behaviour.
5. Document everything and try to understand it “still trying :“D”.

Step 1 - Fixing Frida 17 Compatibility#

Before even touching maui, the original script would not even load on frida 17. It crashes immediately with:

TypeError: not a function

Root cause: frida 17.0.0 removed the static Module.findExportByName helpers. The frida-mono-api library was calling them at two spots.

Fix: two-line patch.

• Module.findExportByName(monoModule.name, sym) → monoModule.findExportByName(sym)
• Module.findExportByName(null, sym) → Module.findGlobalExportByName(sym)

I forked both repos and patched them:

• https://github.com/ymuuuu/frida-mono-api/tree/frida-17
• https://github.com/ymuuuu/frida-xamarin-unpin/tree/frida-17

Also opened upstream PRs back to GoSecure so the community can benefit:

• https://github.com/GoSecure/frida-mono-api/pull/1
• https://github.com/GoSecure/frida-xamarin-unpin/pull/19

Verified the patched script works on the original xamarin sample APK. Good, baseline established.

Step 2 - Building the MAUI Test Target#

I rebuilt alxbl’s sample app for .NET MAUI (net9.0-android). The app registers an HttpClient with a custom ServerCertificateCustomValidationCallback, exactly like the xamarin sample but using the unified BCL.

Compiled two versions:

• JIT - RunAOTCompilation=false (debug / default)
• AOT - RunAOTCompilation=true (release / optimized)

Both APKs are included in the repo if you want to test it: @ymuuuu/repo

Step 3 - The Crash#

Ran the patched xamarin script against the maui JIT app. It loads, hooks SendAsync, first request fires - then:

Error: access violation accessing 0x10
    at RuntimeInvoke (mono-api/src/mono-api-helper.js:71)
    at onEnter (src/main.js:55)

TIP

Why 0x10? The original script looks for a static factory method called CreateDefaultHandler() inside HttpClientHandler. On xamarin (mono BCL fork) this exists. On maui (unified BCL / dotnet/runtime) it does not. mono_class_get_method_from_name returns NULL. Passing NULL to mono_runtime_invoke dereferences offset +0x10 of the _MonoMethod struct - the signature field. The fault address tells you exactly which field was hit.

The fix was not to just guard the NULL. We needed a completely different approach for maui because the HttpClientHandler internals changed.

Find more here Mono Docs

The MAUI Approach - Four Techniques in One Script#

After a lot of trial and error (and enumerating fields at runtime to see what actually exists), the script now has four techniques depending on what it finds:

How the MAUI Path Works (The Juicy Part)#

When the script detects it is running on maui (no CreateDefaultHandler factory), it switches to the maui path:

LifetimeTrackingHttpMessageHandler -> LoggingScopeHttpMessageHandler -> ResilienceHandler -> SocketsHttpHandler

validator instance
  -> <Callback>k__BackingField (the Func<...> delegate)
    -> MonoDelegate.layout +0x28 = MonoMethod* 
      -> mono_compile_method = native entry point
        -> Interceptor.attach onLeave -> retval.replace(ptr(1))

The AOT Surprise#

Remember the blog said “iOS Full AOT not supported”? I tested against the AOT-compiled maui app expecting it to fail. It worked.

CAUTION

Plot twist: on android MonoVM AOT, mono_compile_method does not return a JIT stub. It returns the pre-compiled AOT native entry point. Interceptor.attach patches it directly, same as JIT. The Stage 3 hook successfully attached to ValidateCertificate (AOT-compiled), forced return=true, and the request returned OK.

This is an android-specific finding. iOS uses LLVM AOT with a different runtime layout - not addressed.

There was one small hiccup: a non-fatal access violation accessing 0x68 during script load. This was the ServicePointManager fallback block trying to load the System assembly (which does not exist in unified BCL) and dereferencing NULL. Fixed by guarding the entire legacy block behind if (!hooked).

SocketsHttpHandler Support#

Some apps set UseNativeHttpHandler=false, which makes the bottom handler SocketsHttpHandler instead of AndroidMessageHandler. Its certificate callback lives at:

SocketsHttpHandler._settings._sslOptions.<RemoteCertificateValidationCallback>k__BackingField

When the script detects SocketsHttpHandler, it walks this field chain and hooks the callback delegate using the same Stage 3 technique. If _sslOptions is null, the app has not configured a custom callback - the script logs this and returns cleanly.

DEBUG Flag#

Tired of noisy frida consoles? The script has a DEBUG flag at the top:

const DEBUG = true; // set to false for quiet mode
function dbg(...args) { if (DEBUG) console.log(...args); }

How to Use It#

TIP

Prerequisites: rooted android device, frida server running, MITM CA installed in the user trust store.

# 1. clone both repos
git clone https://github.com/ymuuuu/frida-mono-api-maui.git
git clone https://github.com/ymuuuu/frida-maui-unpin.git

# 2. build
cd frida-mono-api-maui && npm i
cd ../frida-maui-unpin && npm i && npm run build

# 3. launch the app, wait for mono init, then attach
frida -U -p $(adb shell "pidof -s com.test.sample.maui") -l ./dist/maui-unpin.js

# 4. trigger an HTTPS request in the app

Expected output with DEBUG = false:

[+] Hooked HttpMessageInvoker.SendAsync with mono_object_new technique (MAUI / unified BCL)
[+] Done!
Make sure you have a valid MITM CA installed on the device and have fun.
[+] Stage 3: hooked validator method (MonoMethod=0x..., name=ValidateCertificate, JIT=0x...), forced return=true

Repos#

• frida-mono-api-maui standalone Mono API + MAUI helpers https://github.com/ymuuuu/frida-mono-api-maui

• frida-maui-unpin the bypass script + sample APK source + pre-built JIT/AOT APKs https://github.com/ymuuuu/frida-maui-unpin

• frida-mono-api (frida-17 fork) patched upstream dependency https://github.com/ymuuuu/frida-mono-api/tree/frida-17 originally by freehuntx, maintained by GoSecure

• frida-xamarin-unpin (frida-17 fork) patched upstream script https://github.com/ymuuuu/frida-xamarin-unpin/tree/frida-17 originally by alxbl at GoSecure

Credits#

• @freehuntx - original frida-mono-api and the xamarin bypass concept
• GoSecure - maintained frida-xamarin-unpin and the extra branch of frida-mono-api
• alxbl - original author of frida-xamarin-unpin

I am still learning along the way, most of the work was done by digging thru docs and using some high thinking AI Agents, mistakes are meant to happen, if you have any edit, suggestion or an adjustment, please hit me up.