nibarius / learning-frida

A blog about learning how to use the Frida dynamic instrumentation toolkit with Android
MIT License

Comments for "Solving OWASP MSTG UnCrackable App for Android Level 3" #5

Open nibarius opened 4 years ago

nibarius commented 4 years ago

Comments made here will be shown on the "Solving OWASP MSTG UnCrackable App for Android Level 3" article.

https://nibarius.github.io/learning-frida/2020/06/05/uncrackable3

balook commented 4 years ago

After I load the script it's not showing the secret key, but the app is crashing.

nibarius commented 4 years ago

It's hard to say what is causing the crash for you, but it could be that you are using the wrong address when you attach to the secret generator function with Interceptor.attach(Module.findBaseAddress('libfoo.so').add(0x12c0), ...

The 0x12c0 value is different for each library, so you need to extract the address from the library matching the architecture on the device you are using.

balook commented 4 years ago

My Error

[POCO F1::owasp.mstg.uncrackable3]-> Tamper detection suppressed, message was: Rooting or tampering detected.
Process crashed: Trace/BPT trap

***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/walleye/walleye:8.1.0/OPM1.171019.011/4448085:user/release-keys'
Revision: '0'
ABI: 'arm64'
Timestamp: 2020-08-18 21:12:14+0530
pid: 10889, tid: 10919, name: re-initialized>  >>> owasp.mstg.uncrackable3 <<<
uid: 10252
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
    x0  0000000000000000  x1  0000000000002aa7  x2  0000000000000006  x3  0000000000000000
    x4  32646b61606a6260  x5  32646b61606a6260  x6  32646b61606a6260  x7  7f7f7f7f7f7f7f7f
    x8  0000000000000083  x9  85bf8ac08bbbc7c0  x10 0000007871556550  x11 0000000000000023
    x12 0000000000000018  x13 ffffffffffffffff  x14 0000000000000004  x15 ffffffffffffffff
    x16 0000007960624e60  x17 0000007960602f70  x18 000000787141a000  x19 000000787155e4c8
    x20 000000787155e4d8  x21 000000787155e4da  x22 000000787155e4e0  x23 0000007963f6e018
    x24 0000007871556d50  x25 0000007871556d50  x26 0000007871557020  x27 0000007964283020
    x28 000000787155e1b0  x29 0000007871556ab0
    sp  0000007871556ab0  lr  000000787155e090  pc  0000007960602f78

backtrace:
      #00 pc 00000000000cef78  /apex/com.android.runtime/lib64/bionic/libc.so!libc.so (offset 0xcd000) (tgkill+8) (BuildId: bf14cf7a62d1f91755beddd4a937354d)
      #01 pc 000000000000308c  /data/app/owasp.mstg.uncrackable3-NI9ob1dgZiJ5qeFckfQe5Q==/lib/arm64/libfoo.so (goodbye()+12) (BuildId: 7f891562d834beba2a395a2a6c5ab8d4e55cb3d8)
      #02 pc 00000000000031ac  /data/app/owasp.mstg.uncrackable3-NI9ob1dgZiJ5qeFckfQe5Q==/lib/arm64/libfoo.so (BuildId: 7f891562d834beba2a395a2a6c5ab8d4e55cb3d8)
      #03 pc 00000000000e2390  /apex/com.android.runtime/lib64/bionic/libc.so!libc.so (offset 0xe1000) (__pthread_start(void*)+36) (BuildId: bf14cf7a62d1f91755beddd4a937354d)
      #04 pc 0000000000083ab0  /apex/com.android.runtime/lib64/bionic/libc.so!libc.so (offset 0x83000) (__start_thread+64) (BuildId: bf14cf7a62d1f91755beddd4a937354d)
***
[POCO F1::owasp.mstg.uncrackable3]->

Thank you for using Frida!

balook commented 4 years ago

The UnCrackable challenge 3 app is crashing even when we open it.

nibarius commented 4 years ago

Looking at the backtrace, it looks like the crash happens from the goodbye() function. This is called if the native code tamper protection detects any problems. So it's likely the native tamper protection bypass that isn't working for you.
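
Added example (not part of the original thread or the blog's code): a small Node.js helper that reads an Android tombstone backtrace the way the reply above does, finding the first frame outside libc and the module-relative start of its symbol. The sample frames are constructed in the format of the log posted in this thread, with a placeholder install path, and the function names are hypothetical.

```javascript
// Constructed sample in the tombstone format shown in this thread
// (placeholder install path, BuildIds omitted).
const SAMPLE = [
  '#00 pc 00000000000cef78  /apex/com.android.runtime/lib64/bionic/libc.so!libc.so (offset 0xcd000) (tgkill+8)',
  '#01 pc 000000000000308c  /data/app/example/lib/arm64/libfoo.so (goodbye()+12)',
  '#02 pc 00000000000031ac  /data/app/example/lib/arm64/libfoo.so',
].join('\n');

// Frame line: "#NN pc <hex offset> <mapped file> [parenthesised groups]".
const FRAME = /^\s*#(\d+)\s+pc\s+([0-9a-f]+)\s+(\S+)(.*)$/i;
// A "(...)" group, allowing one nested pair as in "(goodbye()+12)".
const GROUP = /\((?:[^()]|\([^()]*\))*\)/g;

// Hypothetical helper: turn tombstone text into frame objects.
function parseBacktrace(text) {
  const frames = [];
  for (const line of text.split('\n')) {
    const m = FRAME.exec(line);
    if (!m) continue; // registers, headers and prompts are skipped
    const frame = {
      index: Number(m[1]),
      pc: parseInt(m[2], 16), // offset relative to the mapped library
      module: m[3].split('/').pop().split('!').pop(),
      symbol: null,
      symbolOffset: null,
    };
    for (const group of m[4].match(GROUP) || []) {
      const s = /^\((.+)\+(\d+)\)$/.exec(group); // "(symbol+N)" only
      if (s) { frame.symbol = s[1]; frame.symbolOffset = Number(s[2]); }
    }
    frames.push(frame);
  }
  return frames;
}

// First frame outside the given system libraries: the app code on the stack.
function firstAppFrame(frames, systemModules = ['libc.so']) {
  return frames.find((f) => !systemModules.includes(f.module)) || null;
}

// Module-relative start of the frame's symbol, or null if it has no symbol.
function symbolStart(frame) {
  return frame.symbol === null ? null : frame.pc - frame.symbolOffset;
}

const hit = firstAppFrame(parseBacktrace(SAMPLE));
console.log(`${hit.module} ${hit.symbol} starts at 0x${symbolStart(hit).toString(16)}`);
```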