
Frida Tutorial 3 - HackTricks

This document provides two solutions for bypassing security checks in the OWASP Uncrackable Level 1 Android app using Frida. The first solution hooks the decryption and exit functions, decrypting and displaying the flag. The second solution additionally hooks root check functions to disable them and allow decrypting the flag. Both solutions use Frida to intercept functions and bypass validation in order to retrieve the encrypted flag. The document also contains advertisements for a cybersecurity company hiring Polish speakers.


Frida Tutorial 3


From: https://joshspicer.com/android-frida-1
APK: https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk

Solution 1
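Based on https://joshspicer.com/android-frida-1

Hook the `exit()` function and the decrypt function so that the flag is printed in the Frida console when you press Verify. The takeaway for app developers is that a key, a ciphertext and the comparison against them, when all handled inside the app process, are visible to anyone who can instrument that process: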

/**
 * Frida script for the OWASP UnCrackable Level 1 training app (solution 1).
 *
 * Installs two hooks inside the app's Java runtime:
 *   - sg.vantagepoint.a.a.a(byte[], byte[]): logs both arguments and the
 *     returned bytes, then hands the original result back to the caller.
 *   - java.lang.System.exit(int): replaced by a body that only logs, so the
 *     call no longer terminates the process.
 *
 * Everything logged here is data the app itself handles at run time, which is
 * why a key shipped inside a client app gives no confidentiality against
 * someone who controls the device the app runs on.
 */
Java.perform(function () {
  send("Starting hooks OWASP uncrackable1...");

  // Render an array-like of numbers as "#b0#b1#..." for the console.
  function getString(data) {
    let rendered = "";
    for (let idx = 0; idx < data.length; idx++) {
      rendered += `#${data[idx].toString()}`;
    }
    return rendered;
  }

  // Build a string with one character per element.
  // NOTE(review): assumes the plaintext is ASCII; a Java byte >= 0x80 would
  // presumably reach fromCharCode as a negative number. Confirm if reused.
  function bytesToText(bytes) {
    let text = "";
    for (let idx = 0; idx < bytes.length; idx++) {
      text += String.fromCharCode(bytes[idx]);
    }
    return text;
  }

  const AesHelper = Java.use("sg.vantagepoint.a.a");

  AesHelper.a.overload("[B", "[B").implementation = function (keyBytes, cipherBytes) {
    send("sg.vantagepoint.a.a.a([B[B)[B doFinal(enc) // AES/ECB/PKCS7Padding");
    send("Key : " + getString(keyBytes));
    send("Encrypted : " + getString(cipherBytes));

    // Call through to the app's own implementation so its behaviour is unchanged.
    const plainBytes = this.a.overload("[B", "[B").call(this, keyBytes, cipherBytes);
    send("Decrypted : " + getString(plainBytes));
    send("Decrypted flag: " + bytesToText(plainBytes));

    return plainBytes; // byte[] ("[B"), same value the original returned
  };

  const JavaSystem = Java.use("java.lang.System");

  // The replacement never calls the original exit(), so the app keeps running.
  JavaSystem.exit.overload("int").implementation = function (status) {
    send("java.lang.System.exit(I)V // We avoid exiting the application :)");
  };

  send("Hooks installed.");
});

Solution 2
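Based on https://joshspicer.com/android-frida-1

Hook the root checks, the debug check and the decrypt function so that the flag is printed in the Frida console when you press Verify. Because these checks run in the same process as the code they protect, replacing their return values is enough to disable them: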

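/**
 * Frida script for the OWASP UnCrackable Level 1 training app (solution 2).
 *
 * Installs hooks inside the app's Java runtime:
 *   - sg.vantagepoint.a.a.a(byte[], byte[]): logs both arguments and the
 *     returned bytes, then hands the original result back to the caller.
 *   - sg.vantagepoint.a.c.a() / b() / c(): each replaced by a body that logs
 *     and returns false. The "su.exists()", "test-keys" and "Root packages"
 *     labels are the tutorial's own description of what each check looks for.
 *   - sg.vantagepoint.a.b.a(Context): replaced by a body that logs and
 *     returns false.
 *
 * The checks and the code they guard live in the same process, so a control
 * that only returns a boolean to its caller can be overridden from within that
 * process; this is the design weakness the exercise demonstrates.
 */
Java.perform(function () {
  send("Starting hooks OWASP uncrackable1...");

  // Render an array-like of numbers as "#b0#b1#..." for the console.
  function getString(data) {
    let ret = "";
    for (let i = 0; i < data.length; i++) {
      ret += "#" + data[i].toString();
    }
    return ret;
  }

  const aesDecrypt = Java.use("sg.vantagepoint.a.a");

  aesDecrypt.a.overload("[B", "[B").implementation = function (var_0, var_1) {
    send("sg.vantagepoint.a.a.a([B[B)[B doFinal(enc) // AES/ECB/PKCS7Padding");
    send("Key : " + getString(var_0));
    send("Encrypted : " + getString(var_1));

    // Call through to the app's own implementation so its behaviour is unchanged.
    const ret = this.a.overload("[B", "[B").call(this, var_0, var_1);
    send("Decrypted : " + getString(ret));

    // NOTE(review): assumes the plaintext is ASCII; a Java byte >= 0x80 would
    // presumably reach fromCharCode as a negative number. Confirm if reused.
    let flag = "";
    for (let i = 0; i < ret.length; i++) {
      flag += String.fromCharCode(ret[i]);
    }
    send("Decrypted flag: " + flag);
    return ret; // byte[] ("[B")
  };

  // All three root checks are methods of the same class, so one wrapper is enough.
  const rootChecks = Java.use("sg.vantagepoint.a.c");

  rootChecks.a.overload().implementation = function () {
    send("sg.vantagepoint.a.c.a()Z Root check 1 HIT! su.exists()");
    return false;
  };

  rootChecks.b.overload().implementation = function () {
    send("sg.vantagepoint.a.c.b()Z Root check 2 HIT! test-keys");
    return false;
  };

  rootChecks.c.overload().implementation = function () {
    send("sg.vantagepoint.a.c.c()Z Root check 3 HIT! Root packages");
    return false;
  };

  const debugCheck = Java.use("sg.vantagepoint.a.b");

  // The opening brace of this function body was missing in the listing,
  // which made the whole script a syntax error.
  debugCheck.a.overload("android.content.Context").implementation = function (var_0) {
    send("sg.vantagepoint.a.b.a(Landroid/content/Context;)Z Debug check HIT! ");
    return false;
  };

  send("Hooks installed.");
});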
