frida 初体验

admin
admin
admin
102737
文章
87
评论
2024年4月3日10:44:30评论10 views字数 4786阅读15分57秒阅读模式

UnCrackable App for Android Level 1

This app holds a secret inside. Can you find it?

adb -d install UnCrackable-Level1.apk

装好之后先大致看一下逻辑,一打开就有个 Root detected! 弹窗,点 OK 就强制退出了。

frida 初体验

jadx 启动

public void onCreate(Bundle bundle) {
    if (C0002c.m2a() || C0002c.m3b() || C0002c.m4c()) {
    m5a("Root detected!");
    }
    if (C0001b.m1a(getApplicationContext())) {
    m5a("App is debuggable!");
    }
    super.onCreate(bundle);
    setContentView(R.layout.activity_main);
}

跟进可以发现,这一部分是判断是否有 root 的逻辑。

public class C0002c {
    /* renamed from: a */
    public static boolean m2a() {
        for (String file : System.getenv("PATH").split(":")) {
            if (new File(file, "su").exists()) {
                return true;
            }
        }
        return false;
    }

    /* renamed from: b */
    public static boolean m3b() {
        String str = Build.TAGS;
        return str != null && str.contains("test-keys");
    }

    /* renamed from: c */
    public static boolean m4c() {
        for (String file : new String[]{"/system/app/Superuser.apk", "/system/xbin/daemonsu", "/system/etc/init.d/99SuperSUDaemon", "/system/bin/.ext/.su", "/system/etc/.has_su_daemon", "/system/etc/.installed_su_daemon", "/dev/com.koushikdutta.superuser.daemon/"}) {
            if (new File(file).exists()) {
                return true;
            }
        }
        return false;
    }
}

退出的逻辑:

private void m5a(String str) {
    AlertDialog create = new AlertDialog.Builder(this).create();
    create.setTitle(str);
    create.setMessage("This is unacceptable. The app is now going to exit.");
    create.setButton(-3, "OK", new DialogInterface.OnClickListener() {
        public void onClick(DialogInterface dialogInterface, int i) {
            System.exit(0);
        }
    });
    create.setCancelable(false);
    create.show();
}

干掉退出

为了不退出,先尝试 hook 住 System.exit(0)

setImmediate(function () {
    console.log("[*] hook start")
    Java.perform(function () {
        var System = Java.use("java.lang.System");
        System.exit.implementation = function (v) {
            console.log("[*] exit called");
        }
        console.log("[*] exit handler modified");
    })
})

frida 初体验

hook 成功,下一步就是获取到 secret string。

干掉验证

public void verify(View view) {
    String str;
    String obj = ((EditText) findViewById(R.id.edit_text)).getText().toString();
    AlertDialog create = new AlertDialog.Builder(this).create();
    if (C0005a.m6a(obj)) {
        create.setTitle("Success!");
        str = "This is the correct secret.";
    } else {
        create.setTitle("Nope...");
        str = "That's not it. Try again.";
    }
    create.setMessage(str);
    create.setButton(-3, "OK", new DialogInterface.OnClickListener() {
        public void onClick(DialogInterface dialogInterface, int i) {
            dialogInterface.dismiss();
        }
    });
    create.show();
}

按照这里的逻辑,先使用简单粗暴的方法,直接 hook 住 m6a 的返回值就可以了。

frida 初体验

setImmediate(function () {
    console.log("[*] hook start")
    Java.perform(function () {
        var System = Java.use("java.lang.System");
        System.exit.implementation = function (v) {
            console.log("[*] exit called");
        }
        console.log("[*] exit handler modified");

        /* 这种一直没有成功,以后再深究下原因。 */
        // var String = Java.use("java.lang.String");
        // String.equals.overload("java.lang.Object").implementation = function (v) {
        //     console.log("[*] return true");
        //     // return true;
        // }
        // console.log("[*] equals handler modified");

        var String = Java.use("sg.vantagepoint.uncrackable1.a");
        String.a.implementation = function (v) {
            console.log("[*] return true");
            return true;
        }
        console.log("[*] a handler modified");
    })
})

换种思路

在运行时拿到 secret string。

a.a(b("8d127684cbc37c17616d806cf50473cc"), Base64.decode("5UJiFctbmgbDoLXmpL12mkno8HT4Lv8dlat8FxR2GOc=", 0));
 
Java.use("sg.vantagepoint.a.a").a.implementation = function (arg1, arg2) {
    const retVal = this.a(arg1, arg2);  // 获取到返回值
    var decrypt = "";
    for (var i = 0; i < retVal.length; i++) {  // frida 里不支持 let 写法……
        decrypt += String.fromCharCode(retVal[i]);
    }
    console.log(decrypt);
    return retVal;
}

UnCrackable App for Android Level 2

This app holds a secret inside. May include traces of native code.

  • Objective: A secret string is hidden somewhere in this app. Find a way to extract it.
  • Author: Bernhard Mueller
  • Special thanks to Michael Helwig for finding and fixing an oversight in the anti-tampering mechanism.
  • Maintained by the OWASP MSTG leaders Jeroen Willemsen & Sven Schleier

这题开始涉及 lib 的逆向了,未完待续。

UnCrackable App for Android Level 3

The crackme from hell!

  • Objective: A secret string is hidden somewhere in this app. Find a way to extract it.
  • Author: Bernhard Mueller.
  • Special thanks to Eduardo Novella for testing, feedback and pointing out flaws in the initial build(s).
  • Maintained by the OWASP MSTG leaders.

UnCrackable App for Android Level 4

The Radare2 community always dreamed with its decentralized and free currency to allow r2 fans to make payments in places and transfer money between r2 users. A debug version has been developed and it will be supported very soon in many stores and websites. Can you verify that this is cryptographically unbreakable?

Hint: Run the APK in a non-tampered device to play a bit with the app.

  • Objectives:
    • 1: There is a master PIN code that generates green tokens (aka r2coins) on the screen. If you see a red r2coin, then this token won’t be validated by the community. You need to find out the 4 digits PIN code and the salt employed as well. Flag: r2con{PIN_NUMERIC:SALT_LOWERCASE}
    • 2: There is a “r2pay master key” buried in layers of obfuscation and protections. Can you break the whitebox? Flag: r2con{ascii(key)}
  • Author: Eduardo Novella & Gautam Arvind.
  • Special thanks to NowSecure for supporting this crackme.
  • Maintained by Eduardo Novella & Gautam Arvind.

- By:wywwzjj.top

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年4月3日10:44:30
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   frida 初体验https://cn-sec.com/archives/2624197.html

发表评论

匿名网友 填写信息