Root bypass

  1. When we open the app on a rooted device, a dialog appears saying the app does not allow being opened as root.


  2. Let’s review the code in jadx.

  3. There are two functions:

    a. check for root.


    b. verify the secret key.


  4. In the root check class we see three functions, a, b and c; if even one of them returns true we are blocked.

  5. So we have to make these functions return false instead of true; we will override their return values at runtime with Frida.

  6. Code that will be used to replace the functions:

Java.perform(function () {
    // sg.vantagepoint.a is the package name, c is the class holding the root checks
    var rootCls = Java.use("sg.vantagepoint.a.c");

    // Each check returns true when it detects root, so force all three to false
    rootCls.a.implementation = function () {
        console.log("Check A bypassed");
        return false;
    };
    rootCls.b.implementation = function () {
        console.log("Check B bypassed");
        return false;
    };
    rootCls.c.implementation = function () {
        console.log("Check C bypassed");
        return false;
    };
});

Save it as root-bypass.js.

  7. Now we need to override the functions; we do this with the following command, which spawns the app with the script loaded:

    frida -U -f owasp.mstg.uncrackable1 -l root-bypass.js


  8. Now we are in the app.


Verify

  1. We see in the code that, to make the app print “this is correct secret”, the function a.a() must return true.


  2. Let’s look at the implementation of this method:
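As an added example (not the write-up's own script, and not the decompiled implementation the step above refers to), here is one Frida script that combines the root-check bypass from the first part with the secret-check hook this section describes, and keeps a record of which check the app actually invoked and what input reached the secret check, which is the information an analyst wants before deciding whether a bypass is even needed. Beyond what the page states, it assumes that a(), b() and c() are static methods of sg.vantagepoint.a.c and that the secret check is the static method a(java.lang.String) of the class sg.vantagepoint.uncrackable1.a; the makeStubJavaApi helper is a hypothetical stand-in for Frida's Java bridge so the hook logic can be exercised with plain Node.js.

```javascript
// Added example: Frida hooks for OWASP UnCrackable Level 1.
// Assumed (not stated on the page): the root checks are static methods
// a(), b(), c() of sg.vantagepoint.a.c, and the secret check is the
// static method a(String) of sg.vantagepoint.uncrackable1.a.
var ROOT_CHECK_CLASS = "sg.vantagepoint.a.c";
var ROOT_CHECK_METHODS = ["a", "b", "c"];
var SECRET_CHECK_CLASS = "sg.vantagepoint.uncrackable1.a";  // assumed

// Installs every hook on the given Java bridge (Frida's global `Java`,
// or a stub) and returns a record of what the hooks observed, so the
// analyst learns which root check the app actually invoked and what
// input reached the secret check.
function installHooks(javaApi) {
  var observed = { rootChecksCalled: [], secretAttempts: [] };

  var rootCls = javaApi.use(ROOT_CHECK_CLASS);
  ROOT_CHECK_METHODS.forEach(function (name) {
    rootCls[name].implementation = function () {
      observed.rootChecksCalled.push(name);
      console.log("[root] " + ROOT_CHECK_CLASS + "." + name + "() -> forced false");
      return false;  // "no root found", whatever the real check would say
    };
  });

  var secretCls = javaApi.use(SECRET_CHECK_CLASS);
  secretCls.a.overload("java.lang.String").implementation = function (candidate) {
    observed.secretAttempts.push(candidate);
    console.log("[verify] a(\"" + candidate + "\") -> forced true");
    return true;  // makes the app report the success message for any input
  };

  return observed;
}

// Inside Frida the `Java` global exists; install the hooks for real.
if (typeof Java !== "undefined") {
  Java.perform(function () { installHooks(Java); });
}

// Hypothetical stand-in for Frida's Java bridge, just enough to exercise
// installHooks() off the device: `use`, `.implementation`, `.overload`,
// plus `invoke` to simulate the app calling the hooked method.
function makeStubJavaApi() {
  function stubMethod() {
    var wrapper = { implementation: function () { return null; } };  // original behaviour not modelled
    wrapper.overload = function () { return wrapper; };  // signature ignored in the stub
    wrapper.invoke = function () { return wrapper.implementation.apply(null, arguments); };
    return wrapper;
  }
  var classes = {};
  return {
    use: function (name) {
      if (!classes[name]) classes[name] = { a: stubMethod(), b: stubMethod(), c: stubMethod() };
      return classes[name];
    },
    perform: function (fn) { fn(); }
  };
}
```

On the device, load it exactly like root-bypass.js (frida -U -f owasp.mstg.uncrackable1 -l hooks.js, hooks.js being whatever name you save it under); outside Frida, installHooks(makeStubJavaApi()) runs the same code path against the stub, which is how the hook logic can be checked before touching the app.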