js
/**
 * Print a labelled hex dump of `size` bytes read from `addr`.
 * A NULL pointer is silently skipped so callers can pass possibly-unset
 * arguments without guarding first.
 *
 * @param {string} info - label printed in the "Data dump <info> :" header line
 * @param {NativePointer} addr - Frida pointer to read from
 * @param {number} size - number of bytes to read and dump
 */
function dumpAddr(info, addr, size) {
  if (addr.isNull()) {
    return;
  }
  console.log(`Data dump ${info} :`);
  const bytes = Memory.readByteArray(addr, size);
  const dumpOptions = { offset: 0, length: size, header: true, ansi: false };
  console.log(hexdump(bytes, dumpOptions));
}
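// Frida agent for the OWASP UnCrackable-2 training app: neutralises the
// System.exit() call the app makes after its tamper check, logs the location
// of CodeCheck.a, and intercepts one routine in libfoo.so to observe and
// override its return value.
Java.perform(function () {
  console.log('Hooking Start');

  // Replace System.exit with a no-op so the process stays alive for inspection.
  const System = Java.use('java.lang.System');
  System.exit.implementation = function () {
    console.log('System.exit called');
  };

  const CodeCheck = Java.use('sg.vantagepoint.uncrackable2.CodeCheck');
  console.log(`codecheck @ ${CodeCheck.a.toString()}`);

  // getBaseAddress() returns null while the library is not mapped; report that
  // explicitly instead of failing later with a TypeError on foo.add().
  const foo = Module.getBaseAddress('libfoo.so');
  if (foo === null) {
    console.log('[!] libfoo.so is not loaded yet; run the hook after it has been mapped');
    return;
  }
  console.log(`[*] libfoo.so @ ${foo.toString()}`);

  // Offset of the hooked routine from the library base. This is specific to
  // the analysed build of libfoo.so — presumably taken from disassembly; it
  // must be re-derived for any other version of the library.
  const TARGET_OFFSET = 0x0F60;
  const target = foo.add(TARGET_OFFSET);

  Interceptor.attach(target, {
    onEnter() {
      console.log('AAAAAAAA');
    },
    onLeave(retval) {
      console.log('BBBBB');
      console.log(retval);
      retval.replace(1); // overwrite the native return value with 1
      console.log(retval);
      console.log('CCCCC');
    },
  });
});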
python1
import sys, frida
def on_message(message, data):
    """Message callback registered on the frida script: print the message and
    its binary payload on one line.

    Args:
        message: message object delivered by frida.
        data: optional binary payload accompanying the message (None when absent).
    """
    line = "[%s] -> %s" % (message, data)
    print(line)
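# Agent source loaded by the __main__ block via create_script(): neutralises
# System.exit() and logs every entry into the JNI implementation of
# CodeCheck.bar() exported by libfoo.so.
jscode = '''
Java.perform(function(){
    console.log("Hooking call!");
    var exit = Java.use("java.lang.System");
    exit.exit.implementation = function() {
        console.log("System.exit called");
        send("java.lang.System - exit() bypass");
    };
    console.log("Hooking call to CodeCheck_bar");
    // Named barAddr rather than ptr: a local called ptr shadows Frida's
    // global ptr() helper for the rest of this scope.
    var barAddr = Module.findExportByName("libfoo.so", "Java_sg_vantagepoint_uncrackable2_CodeCheck_bar");
    // findExportByName() yields null when the symbol is absent; attaching to
    // null throws a far less informative error.
    if (barAddr === null) {
        send("Java_sg_vantagepoint_uncrackable2_CodeCheck_bar not found in libfoo.so");
        return;
    }
    Interceptor.attach(barAddr, {
        onEnter: function (args) {
            console.log("onEnter");
        },
        onLeave: function (retval) {
        }
    });
});
'''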
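# Alternative agent: instead of hooking the JNI entry point it finds libfoo.so's
# import of strncmp and logs the second operand whenever the first operand and
# length match the known comparison. Not loaded by the __main__ block in this
# file; swap it for jscode in create_script() to use it.
jscode1 = '''
Java.perform(function(){
    console.log("Hooking call to System.exit");
    var exit = Java.use("java.lang.System");
    exit.exit.implementation = function() {
        console.log("System.exit called");
        send("java.lang.System - exit() bypass");
    };
    console.log("Hooking call to CodeCheck_bar");
    var strncmp = undefined;
    var func = Module.enumerateImportsSync("libfoo.so");
    for (var i = 0; i < func.length; i++) {
        if (func[i].name == "strncmp") {
            strncmp = func[i].address;
            break;
        }
    }
    // Without this guard Interceptor.attach(undefined, ...) throws an error
    // that does not say which symbol was missing.
    if (strncmp === undefined) {
        send("strncmp is not among the imports of libfoo.so; nothing to hook");
        return;
    }
    Interceptor.attach(strncmp, {
        onEnter: function (args) {
            if (args[2].toInt32() == 23 && Memory.readUtf8String(args[0], 23) == "01234567890123456789012") {
                console.log("[*] Secret string at " + args[1] + ": " + Memory.readUtf8String(args[1], 23));
            }
        },
        onLeave: function (retval) {
            console.log("asdf");
        }
    });
    console.log("[*] Intercepting strncmp");
});
'''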
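if __name__ == "__main__":
    # Spawn the training app over USB, inject `jscode`, then block until stdin
    # closes so the hooks stay installed while the app is exercised.
    print("[*] Start Process ...")
    PACKAGE_NAME = "owasp.mstg.uncrackable2"
    process = None
    try:
        device = frida.get_usb_device(timeout=10)
        print(device)
        pid = device.spawn([PACKAGE_NAME])
        print("App is starting ...")
        print("[PID] : {}".format(pid))
        process = device.attach(pid)
        script = process.create_script(jscode)
        script.on("message", on_message)
        # Load the agent before resuming. The original order (resume first)
        # lets the app run its tamper check before the System.exit hook exists,
        # which makes the bypass racy.
        script.load()
        device.resume(pid)
        sys.stdin.read()
    except Exception as error:
        # Best-effort reporting: keep the script from crashing, but include the
        # exception type so a missing device, package or export is
        # distinguishable from an agent error.
        print("[!] {}: {}".format(type(error).__name__, error))
    finally:
        if process is not None:
            process.detach()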