Davide Cioccia Android Crackme's solutions
Added 3 links to the writeups to solve the Android Crackme challenges (level 1, 2 and 3)
david3107 authored Jun 24, 2021
1 parent b933483 commit c8ffac1
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions Crackmes/README.md
Expand Up @@ -31,6 +31,7 @@ This app is compatible with Android 4.4 and up.
- [Solution using Xposed by sh3llc0d3r](http://sh3llc0d3r.com/owasp-uncrackable-android-level1/ "Solution by sh3llc0d3r")
- [Solution using RMS by @mobilesecurity_ (video)](https://youtu.be/P6rNPkM2DdY "Solution by @mobilesecurity_")
- [Solution using static analysis by Eduardo Vasconcelos](https://tereresecurity.wordpress.com/2021/03/03/write-up-uncrackable-level-1/ "Solution by Eduardo Vasconcelos")
- [Solution using Frida by Davide Cioccia](https://1337.dcodx.com/mobile-security/owasp-mstg-crackme-1-writeup-android "Solution by Davide Cioccia")

### [UnCrackable App for Android Level 2](Android/Level_02 "Android level 2")

Expand All @@ -56,6 +57,7 @@ This app is compatible with Android 4.4 and up.
- [Solution using patches by sh3llc0d3r](http://sh3llc0d3r.com/owasp-uncrackable-android-level2/ "Solution by sh3llc0d3r").
- [Solution using RMS by @mobilesecurity_ (video)](https://youtu.be/xRQVljerl0A "Solution by @mobilesecurity_").
- [Solution using static analysis and Ghidra by Eduardo Vasconcelos](https://tereresecurity.wordpress.com/2021/03/23/write-up-uncrackable-level-2/ "Solution by Eduardo Vasconcelos").
- [Solution using Ghidra and Frida by Davide Cioccia](https://1337.dcodx.com/mobile-security/owasp-mstg-crackme-2-writeup-android "Solution by Davide Cioccia")

### [UnCrackable App for Android Level 3](Android/Level_03 "Android level 3")

Expand All @@ -78,6 +80,7 @@ $ adb install UnCrackable-Level3.apk

- [Solution using Frida by Eduardo Novella](https://enovella.github.io/android/reverse/2017/05/20/android-owasp-crackmes-level-3.html "Solution by Eduardo Novella").
- [Solution using patches by sh3llc0d3r](http://sh3llc0d3r.com/owasp-uncrackable-android-level3/ "Solution by sh3llc0d3r").
- [Solution using Ghidra and Frida by Davide Cioccia](https://1337.dcodx.com/mobile-security/owasp-mstg-crackme-3-writeup-android "Solution by Davide Cioccia")

### [UnCrackable App for Android Level 4: Radare2 Pay v0.9](Android/Level_04 "Android level 4")


1 comment on commit c8ffac1


@JohnyGever JohnyGever commented on c8ffac1 Sep 24, 2021


/* ---------------------------------------------------------------------------------------------------------------
Solution for the UnCrackable App for Android Level 3 (including the anti-debug check) using a Frida script (PracticU)
---------------------------------------------------------------------------------------------------------------*/

function decrypt_secret(encrypted_secret){
	
	// "1d0811130f1749150d0003195a1d1315080e5a0017081314"
	var encrypted_secret_int = new Uint8Array(encrypted_secret);
	
	var xor_key="pizzapizzapizzapizzapizz";
	var the_big_secret="";

	for(var i=0; i<24; i++) {
		var hex_ch = encrypted_secret_int[i]
		var xor_key_ch = xor_key[i].charCodeAt();
		
		//console.log("hex_ch_orig: "+ hex_ch);
		//console.log("xor_key_ch:  "+ xor_key_ch);
		//console.log(String.fromCharCode(hex_ch ^ xor_key_ch));
		
		the_big_secret += String.fromCharCode(hex_ch ^ xor_key_ch);  
	}
	console.log("the_big_secret: "+the_big_secret);
}


Java.perform(function () {

console.log("-------------------------");

/*** NATIVE HOOKS ***/

// Solution 1 - Frida Detection Problem
// char *strstr(const char *haystack, const char *needle);
Interceptor.attach(Module.findExportByName(null, "strstr"), {

    onEnter: function (args) {

        this.str1 = args[0];
        this.str2   = args[1];
        this.isFridaFound;

        var str1 = Memory.readUtf8String(this.str1);
        var str2 = Memory.readUtf8String(this.str2);

        if ( str1.indexOf("frida") == -1 ) {
            this.isFridaFound = Boolean(false);
        } 
		else {
			this.isFridaFound = Boolean(true);
		}
    },

    onLeave: function (retval) {

        if (this.isFridaFound) {            
            retval.replace(0);
        }

        return retval;
    }
});


//  Solution 2 - Frida Detection Problem
// var strstr_ptr = Module.findExportByName(null, "strstr");
// var strstr_orig_wrapper = new NativeFunction( strstr_ptr, "int", ["pointer", "pointer"]);

// Interceptor.replace(strstr_ptr, new NativeCallback(function (ptr0, ptr1) {
	
	// var res=0;	
	
	// if (ptr1.readUtf8String().includes("frida")== -1) {
		// res = strstr_orig_wrapper(ptr0,ptr1);
		// console.log("original strstr() called")
	// }
	// else{
		// //console.log("bypass frida detection in strstr()")
	// }
	
	// return res;
	
// }, "int", ["pointer", "pointer"]));
	
	



// ---- problem with module loading delay ----
// Process.enumerateModules({onMatch: function(module){if (module.name.includes("libf")){console.log('Module name: ' + module.name + " - Base Address: " + module.base.toString())}}, onComplete: function(){}}) 
// setTimeout(function(){ 
	// Process.enumerateModules({
			// onMatch: function(module){
				// if (module.name.includes("libf")){
					// console.log('Module name: ' + module.name + " - Base Address: " + module.base.toString());
				// }
			// }, 
			// onComplete: function(){}
		// });

// }, 100 );



    const System = Java.use('java.lang.System');
    const Runtime = Java.use('java.lang.Runtime');
    const SystemLoad_2 = System.loadLibrary.overload('java.lang.String');
    const VMStack = Java.use('dalvik.system.VMStack');

    SystemLoad_2.implementation = function(library) {
        console.log("Loading dynamic library => " + library);
        try {
            const loaded = Runtime.getRuntime().loadLibrary0(VMStack.getCallingClassLoader(), library);
            if(library.includes("foo")) {
                
				// do stuff
				Process.enumerateModules({
					onMatch: function(module){
						if (module.name.includes("libf")){
							console.log('Module name: ' + module.name + " - Base Address: " + module.base.toString());
						}
					}, 
					onComplete: function(){}
				});
				
				
				
				//anti-debug - offset 00003250
				var lib_foo_base_addr = Module.findBaseAddress('libfoo.so');
					
				if (lib_foo_base_addr) {

					var anti_debug_offset    = 0x00003250;
					var anti_debug_current_memory_address = lib_foo_base_addr.add(anti_debug_offset);
					
					Interceptor.replace(anti_debug_current_memory_address, new NativeCallback(function () {
						console.log("new empty debug func");						
					}, "void", []));
								
				}
				
				
				
				
				// Hack the secret
				var lib_foo_base_addr = Module.findBaseAddress('libfoo.so');
					
				if (lib_foo_base_addr) {

					var protect_secret_offset    = 0x00000FA0;
					var protect_secret_current_memory_address = lib_foo_base_addr.add(protect_secret_offset);
					
					Interceptor.attach( protect_secret_current_memory_address, {
						onEnter: function (args) {
															
							this.secret_memory_address = args[0];
							console.log("onEnter() this.secret_memory_address: "+this.secret_memory_address);
							
						},

						onLeave: function (retval) {

							console.log(hexdump(this.secret_memory_address, {
								offset: 0,
								length: 24,
								header: false,
								ansi: true
							}));
							
							var encrypted_secret = Memory.readByteArray(this.secret_memory_address,24);
							decrypt_secret(encrypted_secret)
											
						 }
					});
					
				}
		
            }
            return loaded;
        } catch(ex) {
            console.log(ex);
        }
    };
	
	


	/*** JAVA HOOKS ***/
	var sys = Java.use("java.lang.System");
	sys.exit.overload("int").implementation = function(var_0) {
		console.log("No System.exit !!! ");
	};
	
	/* ------------------------------------------------------------------------- 
	var my_MainActivity = Java.use("sg.vantagepoint.uncrackable3.MainActivity");
	my_MainActivity.verify.overload().implementation = function() {
		var obj ="123456789012345678901234";
		this.check.check_code(obj);
	};
	-------------------------------------------------------------------------  */
	   
	
});


/*
Input to App: 123456789012345678901234
*/

//---------------------------------------------------------------------------------
//frida -U -l _uncrackable3_frida_script.js -f owasp.mstg.uncrackable3  --no-pause
//---------------------------------------------------------------------------------
