OWASP Uncrackable2:
Java.perform(() => {
  // Class whose a(), b() and c() methods are overridden below; the log text
  // labels all three as root-detection checks.
  const rootChecks = Java.use("sg.vantagepoint.a.b");

  // Install the same stub on each method: log the call and report false.
  // Reviewer's takeaway: a boolean check that lives entirely inside the app
  // process can be overridden by anything able to instrument that process.
  for (const methodName of ["a", "b", "c"]) {
    rootChecks[methodName].implementation = function () {
      console.log(`[+] Bypass RootDetection ${methodName} function`);
      return false;
    };
  }

  const strncmpAddress = Module.findExportByName("libc.so", "strncmp");
  Interceptor.attach(strncmpAddress, {
    onEnter(args) {
      // args[2] is strncmp's length argument. It arrives as a NativePointer,
      // so the loose comparison against 0x17 (23) relies on coercion and is
      // kept as in the original.
      if (!(args[2] == 0x17)) {
        return;
      }
      // Only report calls whose first operand contains the marker string
      // (presumably the tester's own input; confirm against the app).
      const firstOperand = Memory.readCString(args[0]);
      if (!firstOperand.includes("aaaaaaaaaaaaa")) {
        return;
      }
      // Both operands are printed as C strings: a comparison done through
      // libc exposes each side in plaintext to in-process instrumentation.
      console.log(firstOperand);
      console.log(Memory.readCString(args[1]));
    },
    // Nothing is done with the return value.
    onLeave(retVale) {},
  });
});
OWASP Uncrackable3:
console.log("[+] Hello From Frida");

// Arguments of the most recently entered strstr call, saved in onEnter and
// read in onLeave.
// NOTE(review): these are module-level, so calls interleaved across threads
// can overwrite each other between onEnter and onLeave.
let strstrParam1 = "";
let strstrParam2 = "";

const strstrAddress = Module.findExportByName("libc.so", "strstr");
Interceptor.attach(strstrAddress, {
  onEnter(inputs) {
    // strstr(haystack, needle): keep both strings for the onLeave decision.
    strstrParam1 = Memory.readUtf8String(inputs[0]);
    strstrParam2 = Memory.readUtf8String(inputs[1]);
  },
  onLeave(retval) {
    // Checked in order, stopping at the first match, as the original || did.
    const mentionsFrida = [strstrParam1, strstrParam2].some(
      (text) => text.indexOf("frida") !== -1
    );
    if (!mentionsFrida) {
      return;
    }
    // Return NULL, i.e. "substring not found", for any call involving the
    // string "frida". This shows how a name-based scan built on libc string
    // functions can be neutralised from inside the process.
    retval.replace(0);
  },
});
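const System = Java.use('java.lang.System');
const Runtime = Java.use('java.lang.Runtime');
const VMStack = Java.use('dalvik.system.VMStack');

/**
 * Replacement for System.loadLibrary(String).
 *
 * Logs the requested library name, performs the load through
 * Runtime.loadLibrary0 with the caller's class loader, and, once the library
 * named "foo" has been loaded, attaches a hook at a fixed offset inside
 * libfoo.so that dumps 24 bytes of the buffer passed as the first argument.
 *
 * Any exception, including a failed load, is logged and not rethrown.
 *
 * @param {string} library - Library name as passed to System.loadLibrary.
 */
System.loadLibrary.implementation = function (library) {
  try {
    console.log('System.loadLibrary("' + library + '")');
    // Load on behalf of the original caller, so the library is resolved
    // against the caller's class loader rather than this hook's.
    Runtime.getRuntime().loadLibrary0(VMStack.getCallingClassLoader(), library);

    if (library === 'foo') {
      // 0xfa0 is an offset into one specific build of libfoo.so; it has to
      // be re-derived for any other build of the library.
      const functionAddress = Module.getBaseAddress('libfoo.so').add(0xfa0);

      Interceptor.attach(functionAddress, {
        // Plain methods, not arrow functions: Frida binds `this` to a
        // per-invocation context shared by onEnter and onLeave. With arrow
        // functions `this` is the enclosing loadLibrary replacement's `this`,
        // so the saved pointer would be shared across all calls and threads.
        onEnter(args) {
          console.log('[+] Function Called');
          this.secret = args[0];
        },
        onLeave(retval) {
          console.log('[+] Function Returned');
          // Dump the buffer after the call, when the function has presumably
          // filled it in (confirm against the disassembly).
          console.log(
            hexdump(this.secret, { offset: 0, length: 24, header: false, ansi: true })
          );
        },
      });
    }
  } catch (ex) {
    console.log(ex);
  }
};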
The output is the raw bytes of the buffer, printed as a hex dump:

To decode the secret, XOR the dumped bytes with the key (Python):
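# Bytes taken from the hex dump. They are decoded as latin-1 so that every
# byte value (0x00-0xff) maps to exactly one character; a utf-8 decode would
# fail or merge bytes as soon as one of them is >= 0x80.
cipher = bytes.fromhex('1d0811130f1749150d0003195a1d1315080e5a0017081314').decode("latin-1")
key = 'pizzapizzapizzapizzapizz'


def xor_two_str(a, b):
    """XOR two strings character by character.

    Each output character is chr(ord(x) ^ ord(y)) for the paired characters
    of ``a`` and ``b``. ``zip`` stops at the shorter input, so the result is
    as long as the shorter string.
    """
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))


print(xor_two_str(cipher, key))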