1๏ธโƒฃ FridaLab.apk WriteUp

📜FridaLab?

- https://rossmarks.uk/blog/fridalab/ 에서 제공되는 Frida를 익히기 위한 Challenge APK

📜FridaLab APP

- FridaLab app을 Nox 환경에서 실행해 보면 8가지의 문제가 나오는 것을 알 수 있다.

- 8가지 문제에 대하여 조건이 만족하면 check를 눌렀을 때 색상이 Green으로 바뀐다. (조건이 만족하지 못하는 경우는 빨간색!)

image-20240909092715174

๐Ÿ“œ๋ฌธ์ œํ’€์ด (1๋ฒˆ)

- 문제 : Change class challenge_01’s variable ‘chall01’ to : 1 > 문제는 challenge_01 클래스의 변수인 chall01의 값을 1로 바꾸라는 것이다. > 문제를 해결하기 위해 Jadx를 통해서 FridaLab을 분석해보자 image-20240909092731733

> uk.rossmarks.fridalab 패키지 안에 challenge_01 클래스를 확인할 수 있다. > 이 클래스의 변수의 값을 1로 바꿔주면 된다.

setImmediate(() => { // run on the next tick, once the script itself has finished loading
    Java.perform(() => { // run with the current thread attached to the Java VM
        //#1 Change class challenge_01's variable 'chall01' to 1
        const challenge01 = Java.use("uk.rossmarks.fridalab.challenge_01");
        challenge01.chall01.value = 1;
        console.log("[*] chall01 value is ", challenge01.chall01.value);
    });
});

> 실행 결과: 프리다 실행 명령어를 통하여 스크립트 실행 : frida -U -l fridalab.js uk.rossmarks.fridalab 실행 결과 1번 문제가 해결된 것을 확인할 수 있다. image-20240909092741247

๐Ÿ“œ๋ฌธ์ œํ’€์ด (2๋ฒˆ)

- 문제 : Run chall02()

> 문제를 보면 chall02() 함수를 실행하라는 것이다. > MainActivity를 확인해보면, chall02 함수는 정의되어 있지만 사용을 하지 않는다. 따라서 MainActivity를 불러와 chall02 함수를 실행해 주면 될 것이다. image-20240909092749346

//#2 Run chall02()
// A static method can be called through the Java.use class wrapper; chall02 is an
// instance method, so Java.choose is used to find live MainActivity objects instead.
Java.choose("uk.rossmarks.fridalab.MainActivity", {
    onMatch(activity) {
        activity.chall02();
    },
    onComplete() {
        console.log("[*]#2 is clear");
    },
});

> 실행 결과: 프리다 실행 명령어를 통하여 스크립트 실행 : frida -U -l fridalab.js uk.rossmarks.fridalab 실행 결과 2번 문제가 해결된 것을 확인할 수 있다. image-20240909092803442

๐Ÿ“œ๋ฌธ์ œํ’€์ด (3๋ฒˆ)

- 문제 : Make chall03() return true

> 문제를 보면 chall03() 함수에서 True를 리턴하도록 만드는 것이다. image-20240909092813522

//#3 Make chall03() return true
const activity = Java.use("uk.rossmarks.fridalab.MainActivity");
// Replace the method body entirely: the original chall03 is never invoked.
activity.chall03.implementation = function () {
    console.log("[*]#3 is clear");
    return true;
};

> 실행 결과: 프리다 실행 명령어를 통하여 스크립트 실행 : frida -U -l fridalab.js uk.rossmarks.fridalab 실행 결과 3번 문제가 해결된 것을 확인할 수 있다. image-20240909092821631

๐Ÿ“œ๋ฌธ์ œํ’€์ด (4๋ฒˆ)

- 문제 : Send “frida” to chall04() > 문제를 보면 chall04() 인자값에 “frida”라는 문구를 보내어 함수를 실행시키도록 하는 것이다. image-20240909092829377

//#4 Send "frida" to chall04() on every live MainActivity instance
Java.choose("uk.rossmarks.fridalab.MainActivity", {
    onMatch(activity) {
        activity.chall04("frida");
    },
    onComplete() {
        console.log("[*]#4 is clear");
    },
});

> 실행 결과: 프리다 실행 명령어를 통하여 스크립트 실행 : frida -U -l fridalab.js uk.rossmarks.fridalab 실행 결과 4번 문제가 해결된 것을 확인할 수 있다. image-20240909092836988

๐Ÿ“œ๋ฌธ์ œํ’€์ด (5๋ฒˆ)

- 문제 : Always send “frida” to chall05() > 문제를 보면 chall05() 인자값에 “frida”라는 문구를 check를 누를 때마다 보내 함수를 실행시키도록 하는 것이다. image-20240909092843747

image-20240909092850954

//#5 Always send "frida" to chall05()
const mainActivity = Java.use("uk.rossmarks.fridalab.MainActivity");
mainActivity.chall05.implementation = function () {
    console.log("[*]#5 is clear");
    // Whatever the caller passed is dropped; the original method is invoked on the
    // hooked instance with the expected string instead. Nothing is returned.
    this.chall05("frida");
};

> 실행 결과: 프리다 실행 명령어를 통하여 스크립트 실행 : frida -U -l fridalab.js uk.rossmarks.fridalab 실행 결과 5번 문제가 해결된 것을 확인할 수 있다. image-20240909092858035

๐Ÿ“œ๋ฌธ์ œํ’€์ด (6๋ฒˆ)

- 문제 : Run chall06() after 10 seconds with correct value > 문제를 보면 chall06() 함수를 check 버튼을 누른 뒤 10초 뒤에 실행시키는 것을 의미하는 것 같다 image-20240909092905042

// challenge 06: setTimeout(fn, delay) is needed so the hook is only installed 10 s later
setTimeout(() => {
    console.log("[*]Click to solve the problem");
    setImmediate(() => {
        Java.perform(() => {
            const challenge06 = Java.use("uk.rossmarks.fridalab.challenge_06");
            // Replace addChall06(int). The incoming value is intentionally unused and the
            // original is not called, so the static chall06 keeps its current value
            // (presumably the point of the hook — confirm against the app's source).
            challenge06.addChall06.overload("int").implementation = function (value) {
                Java.choose("uk.rossmarks.fridalab.MainActivity", {
                    onMatch(activity) {
                        activity.chall06(challenge06.chall06.value);
                    },
                    onComplete() {
                        console.log("[*]Solved Challenge 06");
                    },
                });
            };
        });
    });
}, 10000);

> 실행 결과: 프리다 실행 명령어를 통하여 스크립트 실행 : frida -U -l fridalab.js uk.rossmarks.fridalab 실행 결과 6번 문제가 해결된 것을 확인할 수 있다. image-20240909092924433

๐Ÿ“œ๋ฌธ์ œํ’€์ด (7๋ฒˆ)

- 문제 : Bruteforce check07pin() then confirm with chall07()

๐Ÿ“œ๋ฌธ์ œํ’€์ด (8๋ฒˆ)

- 문제 : Change ‘check’ button’s text value to ‘Confirm’

๐Ÿ“œ๋ฌธ์ œํ’€์ด ์ •๋ฆฌ

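// fridaLab summary: challenges #1-#5, #7 and #8 in a single Java.perform block
// (#6 needs its own delayed hook, installed separately).
setImmediate(() => {
    Java.perform(() => {
        //#1 Change class challenge_01's variable 'chall01' to 1
        const challenge01 = Java.use("uk.rossmarks.fridalab.challenge_01");
        challenge01.chall01.value = 1;
        console.log("[*] chall01 value is ", challenge01.chall01.value);

        // One class wrapper for MainActivity, shared by the method hooks for #3, #5 and #8.
        const mainActivity = Java.use("uk.rossmarks.fridalab.MainActivity");

        //#2 Run chall02() — an instance method, so it is called on live MainActivity objects
        Java.choose("uk.rossmarks.fridalab.MainActivity", {
            onMatch(activity) {
                activity.chall02();
            },
            onComplete() {
                console.log("[*]#2 is clear");
            },
        });

        //#3 Make chall03() return true (the original body is never invoked)
        mainActivity.chall03.implementation = function () {
            console.log("[*]#3 is clear");
            return true;
        };

        //#4 Send "frida" to chall04()
        Java.choose("uk.rossmarks.fridalab.MainActivity", {
            onMatch(activity) {
                activity.chall04("frida");
            },
            onComplete() {
                console.log("[*]#4 is clear");
            },
        });

        //#5 Always send "frida" to chall05(): drop the caller's argument and forward
        // the expected string to the original method on the hooked instance.
        mainActivity.chall05.implementation = function () {
            console.log("[*]#5 is clear");
            this.chall05("frida");
        };

        //#7 Bruteforce check07pin() then confirm with chall07()
        // Fix: the summary script returned the undefined identifier `ture`, which raised a
        // ReferenceError the first time check07Pin was called instead of returning true.
        // NOTE(review): the challenge text also asks to confirm with chall07(); that call is
        // not made here — verify in the app whether forcing check07Pin alone is enough.
        const challenge07 = Java.use("uk.rossmarks.fridalab.challenge_07");
        challenge07.check07Pin.implementation = function () {
            console.log("[*]#7 is clear");
            return true;
        };

        //#8 Change 'check' button's text value to 'Confirm'
        // NOTE(review): this forces chall08 to report success rather than changing the
        // button text itself — verify the app accepts that.
        mainActivity.chall08.implementation = function () {
            console.log("[*]#8 is clear");
            return true;
        };
    });
});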
 
// challenge 06: setTimeout(fn, delay) is needed so the hook is only installed 10 s later
setTimeout(() => {
    console.log("[*]Click to solve the problem");
    setImmediate(() => {
        Java.perform(() => {
            const challenge06 = Java.use("uk.rossmarks.fridalab.challenge_06");
            // Replace addChall06(int). The incoming value is intentionally unused and the
            // original is not called, so the static chall06 keeps its current value
            // (presumably the point of the hook — confirm against the app's source).
            challenge06.addChall06.overload("int").implementation = function (value) {
                Java.choose("uk.rossmarks.fridalab.MainActivity", {
                    onMatch(activity) {
                        activity.chall06(challenge06.chall06.value);
                    },
                    onComplete() {
                        console.log("[*]Solved Challenge 06");
                    },
                });
            };
        });
    });
}, 10000);