Write-up

Uncrackable 2

ch4rli3kop 2020. 7. 15. 19:13

uncrackable 2

JavaScript (Frida hook script)

/**
 * Hexdump `size` bytes of process memory starting at `addr`, preceded by a
 * "Data dump <info> :" header line.  A NULL pointer is skipped silently.
 *
 * Uses the Frida runtime globals `Memory` and `hexdump`; `addr` is a Frida
 * NativePointer (anything that exposes `isNull()`).  ES5 syntax is kept on
 * purpose to match the rest of the write-up's Frida scripts.
 *
 * @param {string} info  label printed in the header line
 * @param {NativePointer} addr  start address to read from
 * @param {number} size  number of bytes to read and print
 * @returns {undefined}
 */
function dumpAddr(info, addr, size) {
    if (addr.isNull()) {
        return;
    }
    var header = 'Data dump ' + info + ' :';
    var dumpOptions = { offset: 0, length: size, header: true, ansi: false };
    console.log(header);
    var bytes = Memory.readByteArray(addr, size);
    console.log(hexdump(bytes, dumpOptions));
}

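// Frida hook for UnCrackable 2: disable the System.exit() bail-out, then patch
// the native check routine in libfoo.so to always report success.
// ES5 syntax (var/function) is kept on purpose to match the rest of the
// write-up's Frida scripts.
Java.perform(function () {
    console.log("Hooking Start");

    // The app presumably calls System.exit() when its checks fail (which is
    // why the original hooks it); make exit() a logging no-op so it stays up.
    var System = Java.use("java.lang.System");
    System.exit.implementation = function () {
        console.log("System.exit called");
    };

    var T = Java.use('sg.vantagepoint.uncrackable2.CodeCheck');
    console.log('codecheck @ ' + T.a.toString());

    // Offset of the native verification routine inside libfoo.so, taken from
    // a disassembler for the specific APK build used in this write-up.  It is
    // build- and ABI-specific: re-derive it if the library differs, otherwise
    // the hook lands on unrelated code.
    var CHECK_ROUTINE_OFFSET = 0x0F60;

    // libfoo.so is only mapped after the app has loaded it; before that the
    // lookup yields null and the original script died on foo.toString() with
    // an unhelpful TypeError.  Fail with a clear message instead.
    var foo = Module.findBaseAddress('libfoo.so');
    if (foo === null) {
        console.log('[!] libfoo.so is not loaded yet - load this script after the app has started');
        return;
    }
    console.log('[*] libfoo.so @ ' + foo.toString());
    var target = foo.add(CHECK_ROUTINE_OFFSET);

    Interceptor.attach(target, {
        onEnter: function (args) {
            console.log("AAAAAAAA");
        },
        onLeave: function (retval) {
            console.log('BBBBB');
            console.log(retval);
            // Overwrite the routine's result with 1, which the write-up treats
            // as the "match" value, so the caller accepts the input.
            retval.replace(1);
            console.log(retval);
            console.log('CCCCC');
        }
    });

    // Earlier attempts from the write-up, left commented out: a pure-Java
    // bypass of CodeCheck.a(), and an argument dump of the native routine
    // (0xb31e5000 looks like a one-off load address and is not reusable).
    // var k = Java.use('sg.vantagepoint.uncrackable2.CodeCheck');
    // k.a.implementation = function(args){
    //     return true;
    // }
    // Interceptor.attach(target, {
    //     onEnter : function(args){
    //         console.log(args[0]);
    //         console.log(args[1]);
    //         console.log(args[2]);
    //         var r = ptr(args[0]).readPointer().add(736).readPointer();
    //         console.log('b3 : ' + ptr(r.toInt32() - 0xb31e5000));
    //         var k = ptr(args[2]);
    //         //var a = r.readPointer();
    //         dumpAddr('a1', r, 0x10);
    //         dumpAddr('a3', k, 0x10);
    //     }
    // });
});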

Python (Frida host script)

import sys, frida

def on_message(message, data):
    """Frida ``script.on("message", ...)`` callback.

    Echoes every message the injected script emits (``send()`` payloads,
    errors, ...) together with its optional binary ``data`` blob to stdout,
    one line per message.  Returns None.
    """
    template = "[{}] -> {}"
    print(template.format(message, data))




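# Frida script #1: neutralise System.exit() and trace entry into the JNI
# routine Java_sg_vantagepoint_uncrackable2_CodeCheck_bar.  This is the script
# the __main__ block below loads.  The embedded JS stays in ES5 style to match
# the rest of the write-up's Frida scripts.
jscode = '''
Java.perform(function(){
  console.log("Hooking call!");
  var exit = Java.use("java.lang.System");
  exit.exit.implementation = function() {
      console.log("System.exit called");
      send("java.lang.System - exit() bypass");
  };

  console.log("Hooking call to CodeCheck_bar");
  // Not named `ptr`: that would shadow Frida's global ptr() helper.
  var barAddr = Module.findExportByName("libfoo.so", "Java_sg_vantagepoint_uncrackable2_CodeCheck_bar");
  // findExportByName yields null when libfoo.so is not mapped yet or the
  // symbol is missing; Interceptor.attach(null) would throw an opaque error.
  if (barAddr === null) {
      console.log("[!] Java_sg_vantagepoint_uncrackable2_CodeCheck_bar not found - is libfoo.so loaded?");
      return;
  }
  Interceptor.attach(barAddr, {
      onEnter: function (args) {
          console.log("onEnter");
      },
      onLeave: function (retval) {

      }
  });
});

'''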

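# Frida script #2: the one that recovers the secret.  It assumes the native
# check compares the user's input against the secret with strncmp(); typing a
# known 23-byte marker ("01234567890123456789012") lets the hook recognise that
# call and print the other operand.  Point the __main__ block at this script to
# use it.  The embedded JS stays in ES5 style to match the other scripts.
jscode1 = '''
Java.perform(function(){
  console.log("Hooking call to System.exit");
  var exit = Java.use("java.lang.System");
  exit.exit.implementation = function() {
      console.log("System.exit called");
      send("java.lang.System - exit() bypass");
  };

  console.log("Hooking call to strncmp");

  // Resolve strncmp through libfoo.so's import table so the hook lands on the
  // exact symbol the native code binds to.
  var strncmp = null;
  var imports = Module.enumerateImportsSync("libfoo.so");
  for (var i = 0; i < imports.length; i++) {
      if (imports[i].name === "strncmp") {
          strncmp = imports[i].address;
          break;
      }
  }
  // Previously an unresolved import left `strncmp` undefined and
  // Interceptor.attach(undefined) threw; report it instead.
  if (strncmp === null) {
      console.log("[!] strncmp not found in libfoo.so imports - is the library loaded?");
      return;
  }
  Interceptor.attach(strncmp, {
      onEnter: function (args) {
          // strncmp(s1, s2, n): only a 23-byte compare whose s1 is our marker
          // input is of interest; s2 is then expected to hold the secret.
          if (args[2].toInt32() === 23 && Memory.readUtf8String(args[0], 23) === "01234567890123456789012") {
              console.log("[*] Secret string at " + args[1] + ": " + Memory.readUtf8String(args[1], 23));
          }
      }
      // No onLeave: the original printed "asdf" on every strncmp call in the
      // process, which buried the secret line in noise.
  });
  console.log("[*] Intercepting strncmp");
});
'''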

if __name__ == "__main__":
   print("[*] Start Process ...")
   PACKAGE_NAME = "owasp.mstg.uncrackable2"

   try:
       device = frida.get_usb_device(timeout=10)
       print(device)
       pid = device.spawn([PACKAGE_NAME])
       print("App is starting ...")
       print("[PID] : {}".format(pid))
       process = device.attach(pid)
       device.resume(pid)
       script = process.create_script(jscode)
       script.on("message", on_message)
       script.load()
       sys.stdin.read()
   except Exception as error:
       print(error)


