wywwzjj's Blog

frida 初体验

frida
字数统计: 973阅读时长: 5 min
2020/06/23 Share

UnCrackable App for Android Level 1

This app holds a secret inside. Can you find it?

adb -d install UnCrackable-Level1.apk

装好之后先大致看一下逻辑,一打开就有个 Root detected! 弹窗,点 OK 就强制退出了。

jadx 启动

public void onCreate(Bundle bundle) {
    if (C0002c.m2a() || C0002c.m3b() || C0002c.m4c()) {
    	m5a("Root detected!");
    }
    if (C0001b.m1a(getApplicationContext())) {
    	m5a("App is debuggable!");
    }
    super.onCreate(bundle);
    setContentView(R.layout.activity_main);
}

跟进可以发现,这一部分是判断是否有 root 的逻辑。

public class C0002c {
    /* renamed from: a */
    public static boolean m2a() {
        for (String file : System.getenv("PATH").split(":")) {
            if (new File(file, "su").exists()) {
                return true;
            }
        }
        return false;
    }

    /* renamed from: b */
    public static boolean m3b() {
        String str = Build.TAGS;
        return str != null && str.contains("test-keys");
    }

    /* renamed from: c */
    public static boolean m4c() {
        for (String file : new String[]{"/system/app/Superuser.apk", "/system/xbin/daemonsu", "/system/etc/init.d/99SuperSUDaemon", "/system/bin/.ext/.su", "/system/etc/.has_su_daemon", "/system/etc/.installed_su_daemon", "/dev/com.koushikdutta.superuser.daemon/"}) {
            if (new File(file).exists()) {
                return true;
            }
        }
        return false;
    }
}

退出的逻辑:

private void m5a(String str) {
    AlertDialog create = new AlertDialog.Builder(this).create();
    create.setTitle(str);
    create.setMessage("This is unacceptable. The app is now going to exit.");
    create.setButton(-3, "OK", new DialogInterface.OnClickListener() {
        public void onClick(DialogInterface dialogInterface, int i) {
            System.exit(0);
        }
    });
    create.setCancelable(false);
    create.show();
}

干掉退出

为了不退出,先尝试 hook 住 System.exit(0)

setImmediate(function () {
    console.log("[*] hook start")
    Java.perform(function () {
        var System = Java.use("java.lang.System");
        System.exit.implementation = function (v) {
            console.log("[*] exit called");
        }
        console.log("[*] exit handler modified");
    })
})

hook 成功,下一步就是获取到 secret string。

干掉验证

public void verify(View view) {
    String str;
    String obj = ((EditText) findViewById(R.id.edit_text)).getText().toString();
    AlertDialog create = new AlertDialog.Builder(this).create();
    if (C0005a.m6a(obj)) {
        create.setTitle("Success!");
        str = "This is the correct secret.";
    } else {
        create.setTitle("Nope...");
        str = "That's not it. Try again.";
    }
    create.setMessage(str);
    create.setButton(-3, "OK", new DialogInterface.OnClickListener() {
        public void onClick(DialogInterface dialogInterface, int i) {
            dialogInterface.dismiss();
        }
    });
    create.show();
}

按照这里的逻辑,先使用简单粗暴的方法,直接 hook 住 m6a 的返回值就可以了。

setImmediate(function () {
    console.log("[*] hook start")
    Java.perform(function () {
        var System = Java.use("java.lang.System");
        System.exit.implementation = function (v) {
            console.log("[*] exit called");
        }
        console.log("[*] exit handler modified");

        /* 这种一直没有成功,以后再深究下原因。 */
        // var String = Java.use("java.lang.String");
        // String.equals.overload("java.lang.Object").implementation = function (v) {
        //     console.log("[*] return true");
        //     // return true;
        // }
        // console.log("[*] equals handler modified");

        var String = Java.use("sg.vantagepoint.uncrackable1.a");
        String.a.implementation = function (v) {
            console.log("[*] return true");
            return true;
        }
        console.log("[*] a handler modified");
    })
})

换种思路

在运行时拿到 secret string。

a.a(b("8d127684cbc37c17616d806cf50473cc"), Base64.decode("5UJiFctbmgbDoLXmpL12mkno8HT4Lv8dlat8FxR2GOc=", 0));
Java.use("sg.vantagepoint.a.a").a.implementation = function (arg1, arg2) {
    const retVal = this.a(arg1, arg2);  // 获取到返回值
    var decrypt = "";
    for (var i = 0; i < retVal.length; i++) {  // frida 里不支持 let 写法……
        decrypt += String.fromCharCode(retVal[i]);
    }
    console.log(decrypt);
    return retVal;
}

UnCrackable App for Android Level 2

This app holds a secret inside. May include traces of native code.

  • Objective: A secret string is hidden somewhere in this app. Find a way to extract it.
  • Author: Bernhard Mueller
  • Special thanks to Michael Helwig for finding and fixing an oversight in the anti-tampering mechanism.
  • Maintained by the OWASP MSTG leaders Jeroen Willemsen & Sven Schleier

这题开始涉及 lib 的逆向了,未完待续。

UnCrackable App for Android Level 3

The crackme from hell!

  • Objective: A secret string is hidden somewhere in this app. Find a way to extract it.
  • Author: Bernhard Mueller.
  • Special thanks to Eduardo Novella for testing, feedback and pointing out flaws in the initial build(s).
  • Maintained by the OWASP MSTG leaders.

UnCrackable App for Android Level 4

The Radare2 community always dreamed with its decentralized and free currency to allow r2 fans to make payments in places and transfer money between r2 users. A debug version has been developed and it will be supported very soon in many stores and websites. Can you verify that this is cryptographically unbreakable?

Hint: Run the APK in a non-tampered device to play a bit with the app.

  • Objectives:
    • 1: There is a master PIN code that generates green tokens (aka r2coins) on the screen. If you see a red r2coin, then this token won’t be validated by the community. You need to find out the 4 digits PIN code and the salt employed as well. Flag: r2con{PIN_NUMERIC:SALT_LOWERCASE}
    • 2: There is a “r2pay master key” buried in layers of obfuscation and protections. Can you break the whitebox? Flag: r2con{ascii(key)}
  • Author: Eduardo Novella & Gautam Arvind.
  • Special thanks to NowSecure for supporting this crackme.
  • Maintained by Eduardo Novella & Gautam Arvind.

原文作者:wywwzjj

原文链接:https://wywwzjj.top/2020/06/23/frida初体验/

发表日期:June 23rd 2020, 10:03:07 am

更新日期:May 15th 2021, 12:02:44 pm

版权声明:本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
  1. 1. UnCrackable App for Android Level 1
    1. 1.1. jadx 启动
    2. 1.2. 干掉退出
    3. 1.3. 干掉验证
    4. 1.4. 换种思路
  2. 2. UnCrackable App for Android Level 2
  3. 3. UnCrackable App for Android Level 3
  4. 4. UnCrackable App for Android Level 4
Total : 63
2022
2021
2020
2019
2018
Writeup php 伪随机数 算法 ssrf 读书笔记 漏洞分析 PHP Cloud Docker Container 代码审计 SQLi 反序列化 php redis xss ThinkPHP frida smarty 渗透测试 pwn webshell 心得 命令注入 SSRF 笔记 Java SQL