Hook-me write-up
Syria National CTF (Finals)
Hook-me challenge
We had an Android app named hook-me. Back at the time of the competition we solved the challenge by decompiling the APK, patching the smali code, then recompiling and signing the app to get the flag. Since then I felt there should be another way to solve it using hooking, so I decided to write this write-up after finding the second way to solve hook-me.
We start by decompiling the APK and viewing its source code using apktool and dex2jar, or simply using Jadx.
If you have no idea what I'm talking about, I recommend you read this guide first:
Android App Reverse Engineering 101
then come back to continue reading this post.
When you view the decompiled source code you will see the following:
    package com.example.myapplication;

    import android.os.Bundle;
    import android.widget.TextView;
    import androidx.appcompat.app.AppCompatActivity;

    public class MainActivity extends AppCompatActivity {
        // both methods live in the native library, not in the DEX code
        public native String CreateTheFlag();
        public native String stringFromJNI();

        static {
            System.loadLibrary("native-lib");
        }

        /* access modifiers changed from: protected */
        public void onCreate(Bundle bundle) {
            super.onCreate(bundle);
            setContentView((int) R.layout.activity_main);
            ((TextView) findViewById(R.id.SecretBox)).setText(stringFromJNI());
            DoSomeMagic(55); // the app always passes 55, so the flag branch is never taken
        }

        public void DoSomeMagic(int i) {
            if (i == 256) {
                setContentView((int) R.layout.activity_main);
                ((TextView) findViewById(R.id.SecretBox)).setText(CreateTheFlag());
            }
        }
    }
As you can see, we have to change DoSomeMagic(55); to DoSomeMagic(256); and then the flag will be displayed. To do this without patching the APK we can use a great tool called Frida, but I had never used it before, so I had to read the documentation:
https://frida.re/docs/android/
After spending some time reading the docs I was able to solve it by hooking the DoSomeMagic function and changing its argument from 55 to 256.
First we have to install frida-tools for Python using the following command:
    pip install frida-tools
Then we have to install frida-server on the emulator we will use, or on your own device, but make sure the device is rooted first in order to avoid issues that can happen on unrooted Android devices.
You can install the frida server by downloading it from
https://github.com/frida/frida/releases
and uncompressing it.
After that you have to push it to the device using adb, then run it as follows:
Now we should have our frida server running and we are ready to inject our script into the hook-me app.
That will be done using JavaScript:
    console.log("Script loaded successfully ");
    Java.perform(function () {
        console.log("Inside java perform function");
        var my_class = Java.use("com.example.myapplication.MainActivity"); // specify the class we want to play with
        my_class.DoSomeMagic.implementation = function (x) { // hooking the DoSomeMagic function
            console.log("Original arg: " + x);
            var ret_value = this.DoSomeMagic(256); // replace the 55 arg with our 256 arg to display the flag
            console.log("done");
            return ret_value;
        };
    });
For injecting the JS script I used Python (you can also inject it directly using the frida command-line tools):
    import frida
    import sys

    device = frida.get_usb_device(1)  # get the device; if this does not work for you try replacing 1 by 0
    pid = device.spawn(["com.example.myapplication"])  # the package name we want to spawn and inject into
    session = device.attach(pid)  # attach while the process is still suspended, before onCreate runs
    script = session.create_script(open("ff.js").read())  # loading the script
    script.load()  # injecting the script
    device.resume(pid)  # now let the app start; DoSomeMagic is already hooked
    sys.stdin.read()  # keep this process alive, otherwise the script is unloaded and the hook removed
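As an added example (my own variant, not the script from the original post), here is a self-contained Python injector for the same hook that keeps the agent JavaScript in a string, uses the spawn, attach, load, resume order, and has the agent report the flag back to the host through Frida's send()/on("message") channel instead of reading it off the screen. The class, method and package names come from the decompiled source above; parse_message is a helper written for this example.

```python
import sys

PACKAGE = "com.example.myapplication"  # package name from the decompiled source

# Frida agent (JavaScript) embedded as a string so this file is self-contained.
# Same hook as the write-up, but it also calls CreateTheFlag() and ships the
# result to the Python side with send().
AGENT_JS = r"""
Java.perform(function () {
    var MainActivity = Java.use("com.example.myapplication.MainActivity");
    MainActivity.DoSomeMagic.implementation = function (x) {
        send({ event: "arg", value: x });             // what the app passed (55)
        var ret = this.DoSomeMagic(256);               // force the flag branch
        send({ event: "flag", value: this.CreateTheFlag() });
        return ret;
    };
});
"""

def parse_message(message, data=None):
    """Classify one Frida host message as (kind, value), or None if irrelevant.
    send() payloads arrive as {"type": "send", "payload": ...}; uncaught agent
    errors arrive as {"type": "error", "description": ...}.
    """
    if message.get("type") == "error":
        return ("error", message.get("description", "unknown error"))
    if message.get("type") != "send":
        return None
    payload = message.get("payload")
    if not isinstance(payload, dict):  # plain send("text") from the agent
        return ("send", payload)
    if payload.get("event") in ("arg", "flag"):
        return (payload["event"], payload.get("value"))
    return None

def main():
    import frida  # imported here so parse_message can be tested without a device
    device = frida.get_usb_device()
    pid = device.spawn([PACKAGE])
    session = device.attach(pid)  # attach before resuming so onCreate is already hooked
    script = session.create_script(AGENT_JS)
    script.on("message", lambda msg, data: print(parse_message(msg, data)))
    script.load()
    device.resume(pid)
    sys.stdin.read()  # keep the host alive; exiting would unload the script and the hook

if __name__ == "__main__":
    main()
```

Run it with the device plugged in and frida-server running; the flag is printed as ("flag", "...") once DoSomeMagic is called.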
Now let's see the injection in action ^_* :