Write-up

Uncrackable 1

ch4rli3kop 2020. 7. 15. 19:13

uncrackable 1

js

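// Frida agent for the UnCrackable Level 1 training app. Java.perform runs the
// callback once the agent is attached to the app's Java VM.
Java.perform(function () {
    console.log("[+] Hooking Start");

    // Replace System.exit with a stub that only logs, so a call to it from
    // the app no longer ends the process.
    var S = Java.use("java.lang.System");
    S.exit.implementation = function () {
        console.log("System.exit Called");
    };

    // Wrap sg.vantagepoint.a.a.a(): run the original, print what it returned
    // (raw and as text) and hand the value back unchanged. The return value
    // is treated as a byte array. Anything an app computes in its own process
    // is visible at a boundary like this one, so a check that depends on the
    // value staying secret cannot rely on client-side code alone.
    var a = Java.use("sg.vantagepoint.a.a");
    a.a.implementation = function (args1, args2) {
        var retval = this.a(args1, args2);
        console.log(retval);
        var result = '';
        for (var i = 0; i < retval.length; i++) {
            // Java bytes are signed; mask to 0..255 so a value >= 0x80 maps
            // to one Latin-1 code unit instead of 0xFFxx.
            result += String.fromCharCode(retval[i] & 0xff);
        }
        console.log(result);
        return retval;
    };
});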

python1

import sys, frida, socket

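def on_message(message, data):
    """Print a message delivered by the injected Frida script.

    Args:
        message: dict describing the message; 'type' selects the branch.
            'send' messages carry the value under 'payload'.
        data: optional binary payload passed alongside the message (unused).
    """
    if message['type'] == 'send':
        payload = str(message['payload']) + '\n'
        print(payload)
    else:
        # Not every non-'send' message carries a 'stack' entry; fall back to
        # 'description' and then to the whole message so the handler reports
        # the problem instead of raising KeyError inside the callback.
        detail = message.get('stack', message.get('description', message))
        print(str(detail) + '\n')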

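# JavaScript source of the Frida agent. It is handed to create_script() as-is,
# so everything between the quotes (comments included) is shipped to the
# target process.
jscode = '''
// Report basic facts about the instrumented process to the host script.
function check(){
  send(' - Process id: ' + Process.id);
  send(' - Process arch : ' + Process.arch);
  send(' - isDebuggerAttached : ' + Process.isDebuggerAttached());
}

Java.perform(function(){
  send('Hooking Start ...');
  check();

  // System.exit becomes a logging stub, so the app can no longer end the
  // process through it.
  var target = Java.use("java.lang.System");
  target.exit.implementation = function(){
      console.log("Hooked...");
  }

  // Blanket hook: every String.equals() call in the process now logs its
  // argument and returns true, not only the comparison of interest, so
  // unrelated app and framework logic is affected as well.
  var target2 = Java.use("java.lang.String");
  target2.equals.implementation = function(argv){
      console.log(argv);
      return true;
  }

});

'''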



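if __name__ == "__main__":
    print("[*] Start Process ...")
    package_name = "owasp.mstg.uncrackable1"
    try:
        # Attach to the target on the USB-connected device and load the agent.
        process = frida.get_usb_device().attach(package_name)
        script = process.create_script(jscode)
        script.on('message', on_message)
        script.load()
        # Block on stdin so the session (and the hooks) stay alive until the
        # operator closes input.
        sys.stdin.read()
    except Exception as error:
        # Report attach/load failures as a one-line message.
        print(error)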
       

python2

import sys, frida

def on_message(message, data):
    """Echo a script message and its accompanying data on one line.

    Args:
        message: the message object delivered by Frida (printed via str()).
        data: the optional binary payload delivered with it, or None.
    """
    line = "[{}] -> {}".format(message, data)
    print(line)

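# Application identifier of the training app that gets spawned below.
PACKAGE_NAME = 'owasp.mstg.uncrackable1'

# JavaScript source of the Frida agent. It is handed to create_script() as-is,
# so everything between the quotes (comments included) is shipped to the
# target process. Every check it overrides runs inside the instrumented
# process itself, which is why none of them can be relied on by the app.
jscode = '''
Java.perform(function(){

  // sg.vantagepoint.a.c: the three methods a/b/c are, per the log line
  // below, the root checks. Each one is forced to return false.
  console.log("[+] Hooking call to Check Root");
  var acClass = Java.use("sg.vantagepoint.a.c");
  console.log(acClass.a.overloads);
  acClass.a.overloads[0].implementation = function(){
      console.log("Bypass c.a()");
      send("Bypass c.a()");
      return false;
  }
  acClass.b.overloads[0].implementation = function(){
      console.log("Bypass c.b()");
      send("Bypass c.b()");
      return false;
  }
  acClass.c.overloads[0].implementation = function(){
      console.log("Bypass c.c()");
      send("Bypass c.c()");
      return false;
  }

  console.log("[+] Hooking call to MainActivity.a");
  var main = Java.use("sg.vantagepoint.uncrackable1.MainActivity");
  // onStart is only traced: log the call, then run the original.
  main.onStart.overload().implementation = function() {
      send("MainActivity.onStart() HIT");
      console.log("MainActivity.onStart() HIT");
      this.onStart.overload().call(this);
  }

  // MainActivity.a(arg1) is replaced by a stub that logs its argument; the
  // original body no longer runs.
  main.a.implementation = function(arg1){
      console.log("MainActivity.a called!");
      console.log(arg1);
  }

  // System.exit becomes a logging stub, so the app can no longer end the
  // process through it.
  console.log("[+] Hooking call to System.exit");
  var exit = Java.use("java.lang.System");
  exit.exit.implementation = function () {
      console.log("System.exit called");
      //send("java.lang.System - exit() bypass ");
  }

  // Wrap sg.vantagepoint.a.a.a(): run the original, print its result as
  // text and return it unchanged.
  console.log("[+] Hooking call to sg.vantagepoint.a.a");
  var aaClass = Java.use("sg.vantagepoint.a.a");
  aaClass.a.implementation = function(arg1, arg2){
      var retval = this.a(arg1, arg2);
      var password = '';
      for (var i=0;i<retval.length; i++){
          // Java bytes are signed; mask to 0..255 before building the text.
          password += String.fromCharCode(retval[i] & 0xff);
      }
      console.log("[*] Decrypted : " + password);
      return retval;
  }

  // sg.vantagepoint.uncrackable1.a.a(arg1): the original still runs, but
  // its verdict is discarded and true is returned instead.
  console.log("[+] Hooking call to sg.vantagepoint.uncrackable1.a");
  var aClass = Java.use("sg.vantagepoint.uncrackable1.a");
  aClass.a.implementation = function(arg1){
      console.log("Go to Success");
      this.a(arg1);
      return true;
  }

});
'''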

# '''
# main.onCreate.implementation = function(x) {
#         send("MainActivity.onCreate() HIT");
#         console.log("MainActivity.onCreate() HIT")
#         this.onCreate.overload().call(this);
#     }

# console.log("[*] Hooking call to java.io.File");
#     var fileClass = Java.use("java.io.File");
#     fileClass.exists.implementation = function(){
#         var name = fileClass.getName.call(this);
#         console.log(name);
#         if (name.indexOf("su") !== -1){
#             console.log("File Bypass");
#             return false;
#         }
#         return this.exists.call(this);
#     }
# '''


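try:
    device = frida.get_usb_device(timeout=10)
    print(device)
    # spawn() starts the app suspended, which leaves time to install hooks
    # before any of its code runs.
    pid = device.spawn([PACKAGE_NAME])
    print("App is starting ... pid : {}".format(pid))
    process = device.attach(pid)
    script = process.create_script(jscode)
    script.on('message', on_message)
    print("[+] Helllo world")
    script.load()
    # Resume only once the agent is loaded; resuming earlier lets startup
    # code execute before the hooks exist, so the result depends on timing.
    device.resume(pid)
    # Block on stdin so the session stays alive until the operator closes
    # input.
    sys.stdin.read()
except Exception as e:
    # Device, spawn or script failures are reported as a one-line message.
    print(e)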

