maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md

119 lines
3.7 KiB
Markdown
Raw Blame History

# Frida Tutorial 3
{{#include ../../../banners/hacktricks-training.md}}
---
**यह पोस्ट का सारांश है**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\
**APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk)
## समाधान 1
आधारित [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)
**\_exit()**\_ फ़ंक्शन को **हुक करें** और **डिक्रिप्ट फ़ंक्शन** ताकि यह फ्रिडा कंसोल में फ्लैग प्रिंट करे जब आप वेरिफाई दबाते हैं:
```javascript
Java.perform(function () {
send("Starting hooks OWASP uncrackable1...")
function getString(data) {
var ret = ""
for (var i = 0; i < data.length; i++) {
ret += "#" + data[i].toString()
}
return ret
}
var aes_decrypt = Java.use("sg.vantagepoint.a.a")
aes_decrypt.a.overload("[B", "[B").implementation = function (var_0, var_1) {
send(
"sg.vantagepoint.a.a.a([B[B)[B doFinal(enc) // AES/ECB/PKCS7Padding"
)
send("Key : " + getString(var_0))
send("Encrypted : " + getString(var_1))
var ret = this.a.overload("[B", "[B").call(this, var_0, var_1)
send("Decrypted : " + getString(ret))
var flag = ""
for (var i = 0; i < ret.length; i++) {
flag += String.fromCharCode(ret[i])
}
send("Decrypted flag: " + flag)
return ret //[B
}
var sysexit = Java.use("java.lang.System")
sysexit.exit.overload("int").implementation = function (var_0) {
send("java.lang.System.exit(I)V // We avoid exiting the application :)")
}
send("Hooks installed.")
})
```
## समाधान 2
Based in [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)
**हुक रूटचेक्स** और डिक्रिप्ट फ़ंक्शन ताकि यह फ्रिडा कंसोल में फ्लैग प्रिंट करे जब आप वेरिफाई दबाते हैं:
```javascript
Java.perform(function () {
send("Starting hooks OWASP uncrackable1...")
function getString(data) {
var ret = ""
for (var i = 0; i < data.length; i++) {
ret += "#" + data[i].toString()
}
return ret
}
var aes_decrypt = Java.use("sg.vantagepoint.a.a")
aes_decrypt.a.overload("[B", "[B").implementation = function (var_0, var_1) {
send(
"sg.vantagepoint.a.a.a([B[B)[B doFinal(enc) // AES/ECB/PKCS7Padding"
)
send("Key : " + getString(var_0))
send("Encrypted : " + getString(var_1))
var ret = this.a.overload("[B", "[B").call(this, var_0, var_1)
send("Decrypted : " + getString(ret))
var flag = ""
for (var i = 0; i < ret.length; i++) {
flag += String.fromCharCode(ret[i])
}
send("Decrypted flag: " + flag)
return ret //[B
}
var rootcheck1 = Java.use("sg.vantagepoint.a.c")
rootcheck1.a.overload().implementation = function () {
send("sg.vantagepoint.a.c.a()Z Root check 1 HIT! su.exists()")
return false
}
var rootcheck2 = Java.use("sg.vantagepoint.a.c")
rootcheck2.b.overload().implementation = function () {
send("sg.vantagepoint.a.c.b()Z Root check 2 HIT! test-keys")
return false
}
var rootcheck3 = Java.use("sg.vantagepoint.a.c")
rootcheck3.c.overload().implementation = function () {
send("sg.vantagepoint.a.c.c()Z Root check 3 HIT! Root packages")
return false
}
var debugcheck = Java.use("sg.vantagepoint.a.b")
debugcheck.a.overload("android.content.Context").implementation = function (
var_0
) {
send("sg.vantagepoint.a.b.a(Landroid/content/Context;)Z Debug check HIT! ")
return false
}
send("Hooks installed.")
})
```
{{#include ../../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink