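========================================================================================= FRIDA =========================================================================================

>>Install Frida
>Download frida-server (URL: https://github.com/frida/frida/releases)
wget https://github.com/frida/frida/releases/download/12.10.4/frida-server-12.10.4-android-x86_64.xz
>Extract
unxz frida-server-12.10.4-android-x86_64.xz
mv frida-server-12.10.4-android-x86_64 frida-server

>>Run Frida on android
# Note: `adb root` only succeeds on emulators and userdebug/eng builds; on a production build the push/chmod steps still need a rooted shell.
adb root; sleep 1; adb push frida-server /data/local/tmp/; adb shell "chmod 755 /data/local/tmp/frida-server"; adb shell "/data/local/tmp/frida-server &"
adb root
adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"

>>Check from Linux terminal
frida-ps -U
frida-ps -U | grep -i <part_of_the_package_name>
Note: You must run your app first for it to appear in the process list.

>>Frida commands
# listen on 127.0.0.1:27042 (the default)
$ frida-server
# listen on all interfaces
# Note: frida-server does not authenticate clients. Bound to 0.0.0.0 it hands code execution
# in every process on the device to anyone who can reach the port; keep it on loopback (the
# default) or a trusted interface, and stop it when the session is over.
$ frida-server -l 0.0.0.0
# listen on a specific interface
$ frida-server -l 192.168.1.3
# listen on a specific interface and port
$ frida-server -l 192.168.1.3:1337
# connect to specific IP
$ frida-trace -H 192.168.1.3 -i "open*"
# connect to specific IP/port
$ frida-trace -H 192.168.1.3:1337 -i "open*"

================================================================================================ BYPASS ROOT DETECTION USING FRIDA ================================================================================================

>Identify Class name for Root detection
Syntax: package_name.Class_name
Usages: bd.com.sonalibank.sonaliwallet.security.RootUtil

>Write code
vim hook/disableRoot.js

// Replaces each root-check method of the identified class so it reports "not rooted".
// The per-method console.log lines fire only when the app actually calls that method.
Java.perform(function() {
    var theClass;
    theClass = Java.use("bd.com.sonalibank.sonaliwallet.security.RootUtil");
    theClass.checkRootMethod1.implementation = function(v) {
        console.log("In function checkRootMethod1");
        return false;
    };
    theClass.checkRootMethod2.implementation = function(v) {
        console.log("In function checkRootMethod2");
        return false;
    };
    theClass.checkRootMethod3.implementation = function(v) {
        console.log("In function checkRootMethod3");
        return false;
    };
    // Logged once the hooks are installed, not when they are hit.
    console.log("Exploit Complete");
});

>Execute
frida -U --no-pause -l hook/disableRoot.js -f bd.com.sonalibank.sonaliwallet

================================================================================================ VULNERABLE APK WALKTHROUGH ================================================================================================

================================================================================================ OWASP UNCRACKABLE 1 ================================================================================================

================================================================================================ BYPASS ROOT DETECTION ================================================================================================

>Identify Class name for Root detection
Syntax: sg.vantagepoint.a
Usages: owasp.mstg.uncrackable1.c

>Write code
vim hook/uncrakable1/disableRoot.js

// Same pattern as above: the three check methods a(), b(), c() of sg.vantagepoint.a.c
// are made to return false.
Java.perform(function() {
    var theClass;
    theClass = Java.use("sg.vantagepoint.a.c");
    theClass.a.implementation = function(v) {
        console.log("In function a");
        return false;
    };
    theClass.b.implementation = function(v) {
        console.log("In function b");
        return false;
    };
    theClass.c.implementation = function(v) {
        console.log("In function c");
        return false;
    };
    // Logged once the hooks are installed, not when they are hit.
    console.log("Exploit Complete");
});

>Execute
frida -U --no-pause -l hook/uncrakable1/disableRoot.js -f owasp.mstg.uncrackable1

================================================================================================ GET SECRET STRING ================================================================================================

vim hook/uncrakable1/get-secret-string.js

// Helper function to decode a Java byte[] to a JS String.
// Java bytes are signed (-128..127). String.fromCharCode() wraps a negative argument to
// the wrong UTF-16 code unit, so each byte is masked with 0xff first; values 0..127 are
// unaffected. Bytes map 1:1 to code units (Latin-1 style) — this is not a UTF-8 decode,
// which is fine for the ASCII string this hook prints.
// A null/undefined array decodes to "" instead of throwing inside the hook.
// Note: If you put this code inside the Frida main call it will also work.
function arrToStr(byteArr) {
    if (byteArr === null || byteArr === undefined) {
        return "";
    }
    var tmp = "";
    for (var k = 0; k < byteArr.length; k++) {
        tmp += String.fromCharCode(byteArr[k] & 0xff);
    }
    return tmp;
}

// main frida call
Java.perform(function() {
    // disable Root (same hooks as hook/uncrakable1/disableRoot.js)
    var theClass;
    theClass = Java.use("sg.vantagepoint.a.c");
    theClass.a.implementation = function(v) {
        console.log("In function a");
        return false;
    };
    theClass.b.implementation = function(v) {
        console.log("In function b");
        return false;
    };
    theClass.c.implementation = function(v) {
        console.log("In function c");
        return false;
    };
    console.log("Exploit Complete");

    // Get Secret String
    console.log("Finding Secret String...");
    var theClassAC;
    theClassAC = Java.use("sg.vantagepoint.a.a");
    // Method a() in sg.vantagepoint.a.a
    theClassAC.a.implementation = function(x1, x2) {
        console.log("In function a.a.a()");
        // x1 and x2 are the arguments the _app_ is calling with; they are passed
        // through to the original implementation unchanged.
        var rawFunctionCall, output;
        rawFunctionCall = this.a(x1, x2);
        output = arrToStr(rawFunctionCall);
        // Print Secret String
        console.log("Secret String ==> " + output);
        // The replacement must return what the original returned (the byte[]),
        // otherwise the app receives undefined.
        return rawFunctionCall;
    };
});

>Execute
frida -U --no-pause -l hook/uncrakable1/get-secret-string.js -f owasp.mstg.uncrackable1

##Secret: I want to believe

=================================================================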