js
// Frida agent: everything runs inside Java.perform so the Java classes can be
// looked up with Java.use.
Java.perform(function () {
  console.log("[+] Hooking Start");

  // Swap System.exit for a logging no-op; a call to it no longer ends the process.
  const systemClass = Java.use("java.lang.System");
  systemClass.exit.implementation = function () {
    console.log("System.exit Called");
  };

  // Looked up but not hooked anywhere in this listing.
  const mainActivityClass = Java.use("sg.vantagepoint.uncrackable1.MainActivity");

  // Wrap sg.vantagepoint.a.a.a: run the original, log what it returned both
  // raw and as text built from each element's char code, then hand the
  // untouched value back to the caller.
  const helperClass = Java.use("sg.vantagepoint.a.a");
  helperClass.a.implementation = function (args1, args2) {
    const rawResult = this.a(args1, args2);
    console.log(rawResult);

    let asText = '';
    let idx = 0;
    while (idx < rawResult.length) {
      asText += String.fromCharCode(rawResult[idx]);
      idx += 1;
    }
    console.log(asText);

    return rawResult;
  };
});
python1
import sys, frida, socket
def on_message(message, data):
    """Print one message received from the injected script.

    A message whose 'type' is 'send' has its 'payload' printed; any other
    message has its 'stack' entry printed instead. `data` is accepted but
    not used.
    """
    is_send = message['type'] == 'send'
    text = message['payload'] if is_send else message['stack']
    # The explicit '\n' plus print()'s own newline leaves a blank line after
    # every entry.
    print(str(text) + '\n')
# JavaScript agent source; the __main__ block passes this string to
# create_script().
#   * check() reports the process id, architecture and debugger-attached
#     state through send().
#   * Inside Java.perform, java.lang.System.exit is replaced by a function
#     that only logs "Hooked...", and java.lang.String.equals is replaced by
#     one that logs its argument and returns true.
# NOTE(review): the equals replacement is installed on java.lang.String
# itself, so every String comparison in the process returns true, not only
# the one under study; expect unrelated code paths to change behaviour.
# Comments are kept outside the literal so the agent text stays unchanged.
jscode = '''
function check(){
send(' - Process id: ' + Process.id);
send(' - Process arch : ' + Process.arch);
send(' - isDebuggetAttached : ' + Process.isDebuggerAttached());
}
Java.perform(function(){
send('Hooking Start ...');
check();
var target = Java.use("java.lang.System");
target.exit.implementation = function(){
console.log("Hooked...");
}
var target2 = Java.use("java.lang.String");
target2.equals.implementation = function(argv){
console.log(argv);
return true;
}
});
'''
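if __name__ == "__main__":
    # Attach to the app on the USB-connected device by package name, load the
    # agent held in `jscode`, then block on stdin so the session (and the
    # installed hooks) stays alive until input reaches EOF.
    print("[*] Start Process ...")
    package_name = "owasp.mstg.uncrackable1"
    try:
        process = frida.get_usb_device().attach(package_name)
        script = process.create_script(jscode)
        # Route send()/error messages from the agent to on_message.
        script.on('message', on_message)
        script.load()
        sys.stdin.read()
    # The handler originally named `Exection`, which is undefined: any failure
    # inside the try raised NameError while matching the handler instead of
    # printing the real error.
    except Exception as error:
        print(error)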
python2
import sys, frida
def on_message(message, data):
    """Echo a script message and its accompanying data as "[message] -> data"."""
    line = "[%s] -> %s" % (message, data)
    print(line)
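# Application id that the launcher code further down passes to device.spawn().
PACKAGE_NAME = 'owasp.mstg.uncrackable1'

# JavaScript agent source handed to create_script(). Inside Java.perform it:
#   * replaces overload 0 of a(), b() and c() on sg.vantagepoint.a.c (the
#     script labels these "Check Root") so each returns false;
#   * logs MainActivity.onStart and then calls the original;
#   * replaces MainActivity.a(arg1) with a function that only logs;
#   * replaces System.exit with a logging no-op;
#   * wraps sg.vantagepoint.a.a.a to print its return value as text;
#   * wraps sg.vantagepoint.uncrackable1.a.a to call the original and then
#     return true regardless of its result.
# Fix: the b() and c() hooks used to log "Bypass c.a()" (copy-paste), which
# made the output useless for telling which check had fired.
# Design point the listing illustrates: every check and the exit-on-failure
# response run inside the process being instrumented, so they can be replaced
# at runtime and the value returned by sg.vantagepoint.a.a can be read once
# the app has computed it; verification that must hold belongs off-device.
jscode = '''
Java.perform(function(){
    console.log("[+] Hooking call to Check Root");
    var acClass = Java.use("sg.vantagepoint.a.c");
    console.log(acClass.a.overloads);
    // Log labels name the method each hook replaces.
    acClass.a.overloads[0].implementation = function(){
        console.log("Bypass c.a()");
        send("Bypass c.a()");
        return false;
    }
    acClass.b.overloads[0].implementation = function(){
        console.log("Bypass c.b()");
        send("Bypass c.b()");
        return false;
    }
    acClass.c.overloads[0].implementation = function(){
        console.log("Bypass c.c()");
        send("Bypass c.c()");
        return false;
    }
    console.log("[+] Hooking call to MainActivity.a");
    var main = Java.use("sg.vantagepoint.uncrackable1.MainActivity");
    main.onStart.overload().implementation = function() {
        send("MainActivity.onStart() HIT");
        console.log("MainActivity.onStart() HIT");
        this.onStart.overload().call(this);
    }
    main.a.implementation = function(arg1){
        console.log("MainActivity.a called!");
        console.log(arg1);
    }
    console.log("[+] Hooking call to System.exit");
    var exit = Java.use("java.lang.System");
    exit.exit.implementation = function () {
        console.log("System.exit called");
        //send("java.lang.System - exit() bypass ");
    }
    console.log("[+] Hooking call to sg.vantagepoint.a.a");
    var aaClass = Java.use("sg.vantagepoint.a.a");
    aaClass.a.implementation = function(arg1, arg2){
        var retval = this.a(arg1, arg2);
        var password = '';
        for (var i=0;i<retval.length; i++){
            password += String.fromCharCode(retval[i]);
        }
        console.log("[*] Decrypted : " + password);
        return retval;
    }
    console.log("[+] Hooking call to sg.vantagepoint.uncrackable1.a");
    var aClass = Java.use("sg.vantagepoint.uncrackable1.a");
    aClass.a.implementation = function(arg1){
        console.log("Go to Success");
        this.a(arg1);
        return true;
    }
});
'''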
# '''
# main.onCreate.implementation = function(x) {
# send("MainActivity.onCreate() HIT");
# console.log("MainActivity.onCreate() HIT")
# this.onCreate.overload().call(this);
# }
# console.log("[*] Hooking call to java.io.File");
# var fileClass = Java.use("java.io.File");
# fileClass.exists.implementation = function(){
# var name = fileClass.getName.call(this);
# console.log(name);
# if (name.indexOf("su") !== -1){
# console.log("File Bypass");
# return false;
# }
# return this.exists.call(this);
# }
# '''
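# Launch the app under instrumentation: spawn it, attach, load the agent,
# and only then let it run. Blocks on stdin afterwards so the session stays
# open until input reaches EOF.
try:
    device = frida.get_usb_device(timeout=10)
    print(device)
    # spawn() starts the app and leaves it suspended until resume() is called.
    pid = device.spawn([PACKAGE_NAME])
    print("App is starting ... pid : {}".format(pid))
    process = device.attach(pid)
    script = process.create_script(jscode)
    script.on('message', on_message)
    print("[+] Helllo world")
    script.load()
    # Resume only after the agent is loaded. The original resumed the process
    # before creating the script, so app code that runs at startup could
    # execute before any hook was installed, making the results depend on
    # timing.
    device.resume(pid)
    sys.stdin.read()
except Exception as e:
    # Best-effort reporting: any device/attach/script failure is printed and
    # the script ends.
    print(e)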