This time I decided to prepare a small Lab for testing mobile applications. Because of the 'future work' I decided to stick with an Android-based environment. Below you'll find a few notes about it. Here we go...
This time we'll start here:
To build my mini Lab (this time;)) I used:
- Android Studio (ver. 2020.3)
- frida
- dex2jar
- apktool
- jadx-gui.
The VM I created is based on Ubuntu 20.
(For our purposes today we'll focus mostly on frida with Android Studio.)
When all is installed we can start Android Studio:
My next step was to create a simple/blank app and run the emulator available in Android Studio. After a while we should be here:
My plan was to stay with Frida, so the next step for me was to download it and install it on my fresh new emulator. :)
After another few quick steps, like:
$ adb root
$ adb push frida-server-15.0.13-android-x86 /data/local/tmp/frida-server
$ adb shell "/data/local/tmp/frida-server &"
(Yep, I used frida-version-15.0.13.) Continuing below...
Next step was: find some basic vulnerable application we can check while learning Frida (and Android Studio ;)). Among the many crackmes from GitHub or OWASP resources available online I found one that should be pretty nice and quick to check today:
After reading Frida's docs (and a few other tutorials I found online of course ;)) I decided to try to "overwrite" the function that checks our 'password'. Simple goal, should be easy. ;)
Let's try. I started by preparing a mini-wrapper to:
- start frida
- against our target.apk
- with our super_evil.js code. ;)
(imho: the idea is similar to LD_PRELOAD. You can find similar 'wrappers' here or here as well.)
So, a jump to the wrapper-code (mostly based on the one I found here - thanks!):
---<code>---
c@box:~ frida-intro-01/crackme01$ cat frida5.py
#!/usr/bin/env python3
# frida_run.py
# 18.08.2021 @ 02:45
#
# this is grabbed-and-modified version of the code I found here:
# https://www.trustedsec.com/blog/mobile-hacking-using-frida-to-monitor-encryption/
#
####
import sys
import frida

apk = sys.argv[1]      # app to spawn (its package name)
jshook = sys.argv[2]   # path to the JS hook (super_evil.js)

def parse_hook(session, jshook):
    # read the JS hook from disk and inject it into the spawned process
    with open(jshook, 'r') as hook:
        script = session.create_script(hook.read())
    script.load()
##
print('[*] Spawning ' + apk)
device = frida.get_usb_device()
pid = device.spawn(apk)            # start the app in a suspended state
session = device.attach(pid)
parse_hook(session, jshook)        # load our hook before the app runs
device.resume(pid)                 # let the app continue with the hook in place
print('')
sys.stdin.read()                   # keep the session (and the hook) alive until Ctrl-D
c@box:~ frida-intro-01/crackme01$
---</code>---
My sup3r-ev1l.js code is presented on the screen below:
Evil, I know. ;)
But should be 'good enough' to start using Frida during future projects...
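For reference, here is an added example of what such a hook looks like in Frida's JavaScript; it is not the sup3r-ev1l.js from the screenshot, and the class name com.example.crackme.MainActivity and method checkPassword are assumptions standing in for the crackme's real ones. The Java runtime handle is passed in as a parameter so the same file can also be exercised off-device with a fake runtime.

```javascript
// Assumed target (hypothetical names): the crackme keeps its check in
// com.example.crackme.MainActivity.checkPassword(String) -> boolean.
const TARGET_CLASS = 'com.example.crackme.MainActivity';
const TARGET_METHOD = 'checkPassword';

// installBypass takes the Java runtime handle as a parameter: under Frida you
// pass the global `Java`; off-device you can pass a fake with the same
// perform()/use() shape.  Returns the list of intercepted calls.
function installBypass(JavaRt, className, methodName, log) {
  const calls = [];
  JavaRt.perform(function () {
    const clazz = JavaRt.use(className);
    // Replacing .implementation swaps the method body for every instance.
    clazz[methodName].implementation = function (input) {
      // `this` is the instance wrapper; calling the method on it runs the
      // ORIGINAL body, so we can log what the app would really have decided.
      const verdict = this[methodName](input);
      const entry = { input: String(input), original: Boolean(verdict) };
      calls.push(entry);
      log('[hook] ' + methodName + '("' + entry.input + '") original=' +
          entry.original + ' -> returning true');
      return true;   // the "overwrite": every password is accepted
    };
  });
  return calls;
}

// Inside Frida the global `Java` exists; elsewhere (e.g. Node.js) this is a no-op.
if (typeof Java !== 'undefined') {
  installBypass(Java, TARGET_CLASS, TARGET_METHOD, console.log);
}
```

Run it through the wrapper above as the second argument; each intercepted call is printed in the console together with the verdict the original check would have returned.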
So - next step. Let's run our script to see results in the console:
Checking output from our script in the APK:
Great! ;]
Now if you want to also verify this password in the app's code - feel free to use jadx-gui. At this stage it should not be a spoiler anymore, right? ;)
Looks like done. ;) We should be a little bit more ready now to check a few more crackmes for mobiles... ;) Maybe next time. ;)
I hope you'll find it useful.