maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md

176 lines
6.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Frida Tutorial 3
{{#include ../../../banners/hacktricks-training.md}}
---
**This is a summary of the post**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\
**APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk)
## Solution 1
Based in [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)
**Hook the _exit()**_ function and **decrypt function** so it print the flag in frida console when you press verify:
```javascript
Java.perform(function () {
send("Starting hooks OWASP uncrackable1...")
function getString(data) {
var ret = ""
for (var i = 0; i < data.length; i++) {
ret += "#" + data[i].toString()
}
return ret
}
var aes_decrypt = Java.use("sg.vantagepoint.a.a")
aes_decrypt.a.overload("[B", "[B").implementation = function (var_0, var_1) {
send(
"sg.vantagepoint.a.a.a([B[B)[B doFinal(enc) // AES/ECB/PKCS7Padding"
)
send("Key : " + getString(var_0))
send("Encrypted : " + getString(var_1))
var ret = this.a.overload("[B", "[B").call(this, var_0, var_1)
send("Decrypted : " + getString(ret))
var flag = ""
for (var i = 0; i < ret.length; i++) {
flag += String.fromCharCode(ret[i])
}
send("Decrypted flag: " + flag)
return ret //[B
}
var sysexit = Java.use("java.lang.System")
sysexit.exit.overload("int").implementation = function (var_0) {
send("java.lang.System.exit(I)V // We avoid exiting the application :)")
}
send("Hooks installed.")
})
```
## Solution 2
Based in [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)
**Hook rootchecks** and decrypt function so it print the flag in frida console when you press verify:
```javascript
Java.perform(function () {
send("Starting hooks OWASP uncrackable1...")
function getString(data) {
var ret = ""
for (var i = 0; i < data.length; i++) {
ret += "#" + data[i].toString()
}
return ret
}
var aes_decrypt = Java.use("sg.vantagepoint.a.a")
aes_decrypt.a.overload("[B", "[B").implementation = function (var_0, var_1) {
send(
"sg.vantagepoint.a.a.a([B[B)[B doFinal(enc) // AES/ECB/PKCS7Padding"
)
send("Key : " + getString(var_0))
send("Encrypted : " + getString(var_1))
var ret = this.a.overload("[B", "[B").call(this, var_0, var_1)
send("Decrypted : " + getString(ret))
var flag = ""
for (var i = 0; i < ret.length; i++) {
flag += String.fromCharCode(ret[i])
}
send("Decrypted flag: " + flag)
return ret //[B
}
var rootcheck1 = Java.use("sg.vantagepoint.a.c")
rootcheck1.a.overload().implementation = function () {
send("sg.vantagepoint.a.c.a()Z Root check 1 HIT! su.exists()")
return false
}
var rootcheck2 = Java.use("sg.vantagepoint.a.c")
rootcheck2.b.overload().implementation = function () {
send("sg.vantagepoint.a.c.b()Z Root check 2 HIT! test-keys")
return false
}
var rootcheck3 = Java.use("sg.vantagepoint.a.c")
rootcheck3.c.overload().implementation = function () {
send("sg.vantagepoint.a.c.c()Z Root check 3 HIT! Root packages")
return false
}
var debugcheck = Java.use("sg.vantagepoint.a.b")
debugcheck.a.overload("android.content.Context").implementation = function (
var_0
) {
send("sg.vantagepoint.a.b.a(Landroid/content/Context;)Z Debug check HIT! ")
return false
}
send("Hooks installed.")
})
```
---
## Solution 3 `frida-trace` (Frida ≥ 16)
If you do not want to hand-write hooks you can let **Frida** generate the Java stubs for you and then edit them:
```bash
# Spawn the application and automatically trace the Java method we care about
aadb shell "am force-stop owasp.mstg.uncrackable1"
frida-trace -U -f owasp.mstg.uncrackable1 \
-j 'sg.vantagepoint.a.a.a("[B","[B")[B' \
-j 'sg.vantagepoint.a.c!*' \
--output ./trace
# The first run will create ./trace/scripts/sg/vantagepoint/a/a/a__B_B_B.js
# Edit that file and add the logic that prints the decrypted flag or
# returns a constant for the root-checks, then:
frida -U -f owasp.mstg.uncrackable1 -l ./trace/_loader.js --no-pause
```
With Frida 16+ the generated stub already uses the modern **ES6** template syntax and will compile with the built-in *QuickJS* runtime you no longer need `frida-compile`.
---
## Solution 4 One-liner with Objection (2024)
If you have **Objection >1.12** installed you can dump the flag with a single command (Objection wraps Frida internally):
```bash
objection -g owasp.mstg.uncrackable1 explore \
--startup-command "android hooking watch class sg.vantagepoint.a.a method a \n && android hooking set return_value false sg.vantagepoint.a.c * \n && android hooking invoke sg.vantagepoint.a.a a '[B' '[B'"
```
* `watch class` prints the plaintext returned by the AES routine
* `set return_value false` forces every root / debugger check to report *false*
* `invoke` allows you to call the method directly without pressing **Verify**.
> NOTE: On Android 14 (API 34) you must run Objection/Frida in *spawn* mode (`-f`) because *attach* is blocked by **seccomp-bpf** restrictions introduced in October 2024.
---
## Modern Android notes (2023 - 2025)
* **libsu 5.x** and **Zygisk** hide *su* pretty well; however the Java based checks in Level 1 still fail if the file `/system/bin/su` exists. Make sure to enable **denylist** or simply hook `java.io.File.exists()` with Frida.
* Frida 16.1 fixed a crash on **Android 12/13** caused by Googles *Scudo* allocator. If you see `Abort message: 'missing SHADOW_OFFSET'`, upgrade Frida (or use the pre-built 17.0 nightly).
* Because Play Integrity replaced SafetyNet in 2023, some newer apps call the **com.google.android.gms.tasks.Task** API. Level 1 does NOT, but the same hooking strategy shown here works hook `com.google.android.gms.safetynet.SafetyNetClient` and return a forged *EvaluationType*.
## References
* Frida release announcement "Frida 16.0 (2023-04-02): Android 12/13 reliability fixes & spawn API overhaul"
* Objection 1.12 "Spawn-only mode for Android 14" (BlackHat USA 2024 talk slides)
{{#include ../../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink