hacktricks/mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md

# Frida Tutorial 3

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

<figure><img src="../../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>

**Bug bounty tip**: **regístrate** en **Intigriti**, una **plataforma de recompensas por errores premium creada por hackers, para hackers**! Únete a nosotros en [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) hoy, y comienza a ganar recompensas de hasta **$100,000**!

{% embed url="https://go.intigriti.com/hacktricks" %}

***

**Este es un resumen de la publicación**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\
**APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk)

## Solution 1

Basado en [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)

**Hook the \_exit()**\_ function and **decrypt function** so it print the flag in frida console when you press verify:
```javascript
Java.perform(function () {
send("Starting hooks OWASP uncrackable1...");

function getString(data){
var ret = "";
for (var i=0; i < data.length; i++){
ret += "#" + data[i].toString();
}
return ret
}

var aes_decrypt = Java.use("sg.vantagepoint.a.a");
aes_decrypt.a.overload("[B","[B").implementation = function(var_0,var_1) {
send("sg.vantagepoint.a.a.a([B[B)[B   doFinal(enc)  // AES/ECB/PKCS7Padding");
send("Key       : " + getString(var_0));
send("Encrypted : " + getString(var_1));
var ret = this.a.overload("[B","[B").call(this,var_0,var_1);
send("Decrypted : " + getString(ret));

var flag = "";
for (var i=0; i < ret.length; i++){
flag += String.fromCharCode(ret[i]);
}
send("Decrypted flag: " + flag);
return ret; //[B
};

var sysexit = Java.use("java.lang.System");
sysexit.exit.overload("int").implementation = function(var_0) {
send("java.lang.System.exit(I)V  // We avoid exiting the application  :)");
};

send("Hooks installed.");
});
```
## Solución 2

Basado en [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)

**Enganchar rootchecks** y la función de desencriptación para que imprima la bandera en la consola de frida cuando presiones verificar:
```javascript
Java.perform(function () {
send("Starting hooks OWASP uncrackable1...");

function getString(data){
var ret = "";
for (var i=0; i < data.length; i++){
ret += "#" + data[i].toString();
}
return ret
}

var aes_decrypt = Java.use("sg.vantagepoint.a.a");
aes_decrypt.a.overload("[B","[B").implementation = function(var_0,var_1) {
send("sg.vantagepoint.a.a.a([B[B)[B   doFinal(enc)  // AES/ECB/PKCS7Padding");
send("Key       : " + getString(var_0));
send("Encrypted : " + getString(var_1));
var ret = this.a.overload("[B","[B").call(this,var_0,var_1);
send("Decrypted : " + getString(ret));

var flag = "";
for (var i=0; i < ret.length; i++){
flag += String.fromCharCode(ret[i]);
}
send("Decrypted flag: " + flag);
return ret; //[B
};

var rootcheck1 = Java.use("sg.vantagepoint.a.c");
rootcheck1.a.overload().implementation = function() {
send("sg.vantagepoint.a.c.a()Z   Root check 1 HIT!  su.exists()");
return false;
};

var rootcheck2 = Java.use("sg.vantagepoint.a.c");
rootcheck2.b.overload().implementation = function() {
send("sg.vantagepoint.a.c.b()Z  Root check 2 HIT!  test-keys");
return false;
};

var rootcheck3 = Java.use("sg.vantagepoint.a.c");
rootcheck3.c.overload().implementation = function() {
send("sg.vantagepoint.a.c.c()Z  Root check 3 HIT!  Root packages");
return false;
};

var debugcheck = Java.use("sg.vantagepoint.a.b");
debugcheck.a.overload("android.content.Context").implementation = function(var_0) {
send("sg.vantagepoint.a.b.a(Landroid/content/Context;)Z  Debug check HIT! ");
return false;
};

send("Hooks installed.");
});
```
<figure><img src="../../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>

**Consejo de bug bounty**: **regístrate** en **Intigriti**, una **plataforma de bug bounty premium creada por hackers, para hackers**! Únete a nosotros en [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) hoy, y comienza a ganar recompensas de hasta **$100,000**!

{% embed url="https://go.intigriti.com/hacktricks" %}

{% hint style="success" %}
Aprende y practica Hacking en AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprende y practica Hacking en GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Apoya a HackTricks</summary>

* Revisa los [**planes de suscripción**](https://github.com/sponsors/carlospolop)!
* **Únete al** 💬 [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **síguenos** en **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Comparte trucos de hacking enviando PRs a los** [**HackTricks**](https://github.com/carlospolop/hacktricks) y [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositorios de github.

</details>
{% endhint %}
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:28:35 +00:00			`# Frida Tutorial 3`
f 2023-06-05 18:33:24 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:28:35 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
f 2023-06-05 18:33:24 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:28:35 +00:00			`<details>`
f 2023-06-05 18:33:24 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:28:35 +00:00			`<summary>Support HackTricks</summary>`
Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil 2024-01-03 13:23:35 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:28:35 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
f 2023-06-05 18:33:24 +00:00
			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:28:35 +00:00			`{% endhint %}`
f 2023-06-05 18:33:24 +00:00
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-18 14:52:40 +00:00			`<figure><img src="../../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>`
f 2023-06-05 18:33:24 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:28:35 +00:00			`Bug bounty tip: regístrate en Intigriti, una plataforma de recompensas por errores premium creada por hackers, para hackers! Únete a nosotros en [https://go.intigriti.com/hacktricks](https://go.intigriti.com/hacktricks) hoy, y comienza a ganar recompensas de hasta $100,000!`
f 2023-06-05 18:33:24 +00:00
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-18 14:52:40 +00:00			`{% embed url="https://go.intigriti.com/hacktricks" %}`
f 2023-06-05 18:33:24 +00:00
Translated ['mobile-pentesting/android-app-pentesting/frida-tutorial/owa 2023-10-26 14:33:39 +00:00			`***`

Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-18 14:52:40 +00:00			`Este es un resumen de la publicación: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\`
f 2023-06-05 18:33:24 +00:00			`APK: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk)`

Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:28:35 +00:00			`## Solution 1`
f 2023-06-05 18:33:24 +00:00
			`Basado en [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)`

Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:28:35 +00:00			`Hook the \_exit()\_ function and decrypt function so it print the flag in frida console when you press verify:`
f 2023-06-05 18:33:24 +00:00			```javascript
			`Java.perform(function () {`
Translated ['generic-methodologies-and-resources/shells/windows.md', 'ma 2023-07-13 10:24:09 +00:00			`send("Starting hooks OWASP uncrackable1...");`

			`function getString(data){`
			`var ret = "";`
			`for (var i=0; i < data.length; i++){`
			`ret += "#" + data[i].toString();`
			`}`
			`return ret`
			`}`

			`var aes_decrypt = Java.use("sg.vantagepoint.a.a");`
			`aes_decrypt.a.overload("[B","[B").implementation = function(var_0,var_1) {`
			`send("sg.vantagepoint.a.a.a([B[B)[B doFinal(enc) // AES/ECB/PKCS7Padding");`
			`send("Key : " + getString(var_0));`
			`send("Encrypted : " + getString(var_1));`
			`var ret = this.a.overload("[B","[B").call(this,var_0,var_1);`
			`send("Decrypted : " + getString(ret));`

			`var flag = "";`
			`for (var i=0; i < ret.length; i++){`
			`flag += String.fromCharCode(ret[i]);`
			`}`
			`send("Decrypted flag: " + flag);`
			`return ret; //[B`
			`};`

			`var sysexit = Java.use("java.lang.System");`
			`sysexit.exit.overload("int").implementation = function(var_0) {`
			`send("java.lang.System.exit(I)V // We avoid exiting the application :)");`
			`};`

			`send("Hooks installed.");`
f 2023-06-05 18:33:24 +00:00			`});`
			```
			`## Solución 2`

			`Basado en [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)`

Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:28:35 +00:00			`Enganchar rootchecks y la función de desencriptación para que imprima la bandera en la consola de frida cuando presiones verificar:`
f 2023-06-05 18:33:24 +00:00			```javascript
			`Java.perform(function () {`
Translated ['generic-methodologies-and-resources/shells/windows.md', 'ma 2023-07-13 10:24:09 +00:00			`send("Starting hooks OWASP uncrackable1...");`

			`function getString(data){`
			`var ret = "";`
			`for (var i=0; i < data.length; i++){`
			`ret += "#" + data[i].toString();`
			`}`
			`return ret`
			`}`

			`var aes_decrypt = Java.use("sg.vantagepoint.a.a");`
			`aes_decrypt.a.overload("[B","[B").implementation = function(var_0,var_1) {`
			`send("sg.vantagepoint.a.a.a([B[B)[B doFinal(enc) // AES/ECB/PKCS7Padding");`
			`send("Key : " + getString(var_0));`
			`send("Encrypted : " + getString(var_1));`
			`var ret = this.a.overload("[B","[B").call(this,var_0,var_1);`
			`send("Decrypted : " + getString(ret));`

			`var flag = "";`
			`for (var i=0; i < ret.length; i++){`
			`flag += String.fromCharCode(ret[i]);`
			`}`
			`send("Decrypted flag: " + flag);`
			`return ret; //[B`
			`};`

			`var rootcheck1 = Java.use("sg.vantagepoint.a.c");`
			`rootcheck1.a.overload().implementation = function() {`
			`send("sg.vantagepoint.a.c.a()Z Root check 1 HIT! su.exists()");`
			`return false;`
			`};`

			`var rootcheck2 = Java.use("sg.vantagepoint.a.c");`
			`rootcheck2.b.overload().implementation = function() {`
			`send("sg.vantagepoint.a.c.b()Z Root check 2 HIT! test-keys");`
			`return false;`
			`};`

			`var rootcheck3 = Java.use("sg.vantagepoint.a.c");`
			`rootcheck3.c.overload().implementation = function() {`
			`send("sg.vantagepoint.a.c.c()Z Root check 3 HIT! Root packages");`
			`return false;`
			`};`

			`var debugcheck = Java.use("sg.vantagepoint.a.b");`
			`debugcheck.a.overload("android.content.Context").implementation = function(var_0) {`
			`send("sg.vantagepoint.a.b.a(Landroid/content/Context;)Z Debug check HIT! ");`
			`return false;`
			`};`

			`send("Hooks installed.");`
f 2023-06-05 18:33:24 +00:00			`});`
			```
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-18 14:52:40 +00:00			`<figure><img src="../../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>`
f 2023-06-05 18:33:24 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:28:35 +00:00			`Consejo de bug bounty: regístrate en Intigriti, una plataforma de bug bounty premium creada por hackers, para hackers! Únete a nosotros en [https://go.intigriti.com/hacktricks](https://go.intigriti.com/hacktricks) hoy, y comienza a ganar recompensas de hasta $100,000!`
f 2023-06-05 18:33:24 +00:00
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-18 14:52:40 +00:00			`{% embed url="https://go.intigriti.com/hacktricks" %}`
f 2023-06-05 18:33:24 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:28:35 +00:00			`{% hint style="success" %}`
			`Aprende y practica Hacking en AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Aprende y practica Hacking en GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
f 2023-06-05 18:33:24 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:28:35 +00:00			`<details>`
Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil 2024-01-03 13:23:35 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:28:35 +00:00			`<summary>Apoya a HackTricks</summary>`
f 2023-06-05 18:33:24 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:28:35 +00:00			`* Revisa los [planes de suscripción](https://github.com/sponsors/carlospolop)!`
			`* Únete al 💬 [grupo de Discord](https://discord.gg/hRep4RUj7f) o al [grupo de telegram](https://t.me/peass) o síguenos en Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Comparte trucos de hacking enviando PRs a los [HackTricks](https://github.com/carlospolop/hacktricks) y [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repositorios de github.`
f 2023-06-05 18:33:24 +00:00
			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:28:35 +00:00			`{% endhint %}`