Open nibarius opened 4 years ago
After I load the script, it's not showing the secret key, but the app is crashing.
It's hard to say what is causing the crash for you, but it could be that you are using the wrong address when you attach to the secret generator function with Interceptor.attach(Module.findBaseAddress('libfoo.so').add(0x12c0), ...
The 0x12c0 value is different for each library, so you need to extract the address from the library matching the architecture on the device you are using.
[POCO F1::owasp.mstg.uncrackable3]-> Tamper detection suppressed, message was: Rooting or tampering detected.
Process crashed: Trace/BPT trap
***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/walleye/walleye:8.1.0/OPM1.171019.011/4448085:user/release-keys'
Revision: '0'
ABI: 'arm64'
Timestamp: 2020-08-18 21:12:14+0530
pid: 10889, tid: 10919, name: re-initialized> >>> owasp.mstg.uncrackable3 <<<
uid: 10252
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
x0 0000000000000000 x1 0000000000002aa7 x2 0000000000000006 x3 0000000000000000
x4 32646b61606a6260 x5 32646b61606a6260 x6 32646b61606a6260 x7 7f7f7f7f7f7f7f7f
x8 0000000000000083 x9 85bf8ac08bbbc7c0 x10 0000007871556550 x11 0000000000000023
x12 0000000000000018 x13 ffffffffffffffff x14 0000000000000004 x15 ffffffffffffffff
x16 0000007960624e60 x17 0000007960602f70 x18 000000787141a000 x19 000000787155e4c8
x20 000000787155e4d8 x21 000000787155e4da x22 000000787155e4e0 x23 0000007963f6e018
x24 0000007871556d50 x25 0000007871556d50 x26 0000007871557020 x27 0000007964283020
x28 000000787155e1b0 x29 0000007871556ab0
sp 0000007871556ab0 lr 000000787155e090 pc 0000007960602f78
backtrace:
#00 pc 00000000000cef78 /apex/com.android.runtime/lib64/bionic/libc.so!libc.so (offset 0xcd000) (tgkill+8) (BuildId: bf14cf7a62d1f91755beddd4a937354d)
#01 pc 000000000000308c /data/app/owasp.mstg.uncrackable3-NI9ob1dgZiJ5qeFckfQe5Q==/lib/arm64/libfoo.so (goodbye()+12) (BuildId: 7f891562d834beba2a395a2a6c5ab8d4e55cb3d8)
#02 pc 00000000000031ac /data/app/owasp.mstg.uncrackable3-NI9ob1dgZiJ5qeFckfQe5Q==/lib/arm64/libfoo.so (BuildId: 7f891562d834beba2a395a2a6c5ab8d4e55cb3d8)
#03 pc 00000000000e2390 /apex/com.android.runtime/lib64/bionic/libc.so!libc.so (offset 0xe1000) (__pthread_start(void*)+36) (BuildId: bf14cf7a62d1f91755beddd4a937354d)
#04 pc 0000000000083ab0 /apex/com.android.runtime/lib64/bionic/libc.so!libc.so (offset 0x83000) (__start_thread+64) (BuildId: bf14cf7a62d1f91755beddd4a937354d)
***
[POCO F1::owasp.mstg.uncrackable3]->
Thank you for using Frida!
The uncrackable challenge 3 app is crashing even if we are opening it.
Looking at the backtrace it looks like the crash happens from the goodbye() function. This is called if the native code tamper protection detects any problems. So it's likely the native tamper protection bypass that isn't working for you.
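The backtrace reading described in the reply above can be done mechanically. The following is an added example, not part of this thread or the article: it runs under Node.js, its function names (`topLevelGroups`, `parseFrame`, `abortOrigin`) are hypothetical, and the sample input is constructed in the shape of the crash log above with placeholder path and BuildId values.

```javascript
// Constructed sample in Android tombstone format, modelled on the crash log in
// this thread; APP_DIR and the BuildId values are placeholders.
const SAMPLE = `ABI: 'arm64'
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
backtrace:
#00 pc 00000000000cef78 /apex/com.android.runtime/lib64/bionic/libc.so!libc.so (offset 0xcd000) (tgkill+8) (BuildId: aaaa)
#01 pc 000000000000308c /data/app/APP_DIR/lib/arm64/libfoo.so (goodbye()+12) (BuildId: bbbb)
#02 pc 00000000000031ac /data/app/APP_DIR/lib/arm64/libfoo.so (BuildId: bbbb)
#03 pc 00000000000e2390 /apex/com.android.runtime/lib64/bionic/libc.so!libc.so (offset 0xe1000) (__pthread_start(void*)+36) (BuildId: aaaa)`;

// Split "(a) (b(c)+1)" into top-level groups, tolerating nested parentheses
// such as the argument list in "__pthread_start(void*)+36".
function topLevelGroups(s) {
  const groups = [];
  let depth = 0, start = -1;
  for (let i = 0; i < s.length; i++) {
    if (s[i] === "(") { if (depth++ === 0) start = i + 1; }
    else if (s[i] === ")" && depth > 0 && --depth === 0) groups.push(s.slice(start, i));
  }
  return groups;
}

// Parse one "#NN pc <hex> <path> (...)" line; returns null for other lines.
// The pc value is relative to the mapped library, not an absolute address.
function parseFrame(line) {
  const m = /^#(\d+)\s+pc\s+([0-9a-f]+)\s+(\S+)(.*)$/.exec(line.trim());
  if (!m) return null;
  const frame = { index: Number(m[1]), pc: parseInt(m[2], 16),
                  module: m[3].split("/").pop().split("!")[0], symbol: null };
  for (const g of topLevelGroups(m[4])) {
    const sym = /^(.+)\+(\d+)$/.exec(g);
    if (!/^(offset |BuildId: )/.test(g) && sym) frame.symbol = sym[1];
  }
  return frame;
}

// Report the innermost frame outside libc: the code that requested the abort.
function abortOrigin(tombstone) {
  const abi = (/^ABI: '([^']+)'/m.exec(tombstone) || [])[1] || null;
  const signal = (/^signal \d+ \((\w+)\)/m.exec(tombstone) || [])[1] || null;
  const frames = tombstone.split("\n").map(parseFrame).filter(Boolean);
  return { abi, signal, origin: frames.find((f) => f.module !== "libc.so") || null };
}

const report = abortOrigin(SAMPLE);
console.log(report.signal, report.abi, report.origin);
```

The reported ABI is the architecture whose copy of libfoo.so the offsets in the backtrace refer to.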
Comments made here will be shown on the "Solving OWASP MSTG UnCrackable App for Android Level 3" article.
https://nibarius.github.io/learning-frida/2020/06/05/uncrackable3