
[原创]FridaLab writeup

2021-5-11 15:29
2885


https://rossmarks.uk/blog/fridalab/


Frida Lab 闯关挑战:


完整解题代码:https://gist.github.com/lushann/67f0b9b10cf0922f7c0fa816214bc4de


uk.rossmarks.fridalab

1、Change class challenge_01's variable 'chall01' to: 1


将 challenge_01类中的chall01变量设置为1


// Challenge 1: set the static field challenge_01.chall01 to 1.
// Static fields on a Java.use() class wrapper are read/written through `.value`.
function challenge01() {
    Java.perform(() => {
        const challenge_01 = Java.use("uk.rossmarks.fridalab.challenge_01");
        challenge_01.chall01.value = 1;
    });
}

2、Run chall02()


主动调用非静态方法chall02:


// Challenge 2: chall02() is an instance method, so it cannot be invoked on the
// class wrapper. Walk the heap for live MainActivity objects and call it on each.
function challenge02() {
    Java.perform(() => {
        Java.choose('uk.rossmarks.fridalab.MainActivity', {
            onMatch(activity) {
                activity.chall02();
            },
            onComplete() {},
        });
    });
}




3、Make chall03() return true


修改函数返回值为true



// Challenge 3: swap out chall03()'s implementation so every call returns true.
// A regular function (not an arrow) is used for the hook so Frida can bind `this`.
function challenge03() {
    Java.perform(() => {
        const MainActivity = Java.use('uk.rossmarks.fridalab.MainActivity');
        MainActivity.chall03.implementation = function () {
            return true;
        };
    });
}


4、Send "frida" to chall04()

主动调用非静态方法,参数为“frida”




// Challenge 4: call the instance method chall04 with the string "frida".
// Same pattern as challenge 2 — find the live MainActivity, then call on it.
function challenge04() {
    Java.perform(() => {
        Java.choose('uk.rossmarks.fridalab.MainActivity', {
            onMatch(activity) {
                activity.chall04("frida");
            },
            onComplete() {},
        });
    });
}

5、Always send "frida" to chall05()


在方法被调用时,对其进行hook,修改其参数为"frida"



// Challenge 5: hook chall05(String) so that, whatever the app passes in, the
// original method always receives "frida". Inside the hook `this` is the hooked
// instance and `this.chall05(...)` reaches the original (unhooked) implementation.
function challenge05() {
    Java.perform(() => {
        const MainActivity = Java.use('uk.rossmarks.fridalab.MainActivity');
        MainActivity.chall05.implementation = function (ignoredArg) {
            // The caller-supplied argument is intentionally dropped.
            return this.chall05("frida");
        };
    });
}


6、Run chall06() after 10 seconds with correct value



10s后运行chall06() 方法,并使用正确的参数

        challenge_06.startTime();
        challenge_06.addChall06(new Random().nextInt(50) + 1);

        new Timer().scheduleAtFixedRate(new TimerTask() {
            /* class uk.rossmarks.fridalab.MainActivity.C02732 */

            public void run() {
                int nextInt = new Random().nextInt(50) + 1;
                challenge_06.addChall06(nextInt);
                Integer.toString(nextInt);
            }
        }, 0, 1000);
   
/** Marks challenge 6 as complete when {@code i} is accepted by challenge_06.confirmChall06. */
public void chall06(int i) {
    if (!challenge_06.confirmChall06(i)) {
        return;
    }
    this.completeArr[5] = 1;
}


/**
 * State for challenge 6 (decompiled from the app).
 * chall06 is a running total that the app keeps feeding through addChall06();
 * confirmChall06() accepts a guess only if it equals the current total AND more
 * than 10 000 ms have elapsed since startTime() was called.
 */
public class challenge_06 {
    static int chall06;
    static long timeStart;

    /** Records the start of the 10-second hold-off window. */
    public static void startTime() {
        timeStart = System.currentTimeMillis();
    }

    /** True only when i matches the current total and the 10 s window has passed. */
    public static boolean confirmChall06(int i) {
        if (i != chall06) {
            return false;
        }
        return System.currentTimeMillis() > timeStart + 10000;
    }

    /** Adds i to the running total; once the total exceeds 9000 it restarts from i. */
    public static void addChall06(int i) {
        int total = chall06 + i;
        chall06 = total > 9000 ? i : total;
    }
}


// Challenge 6: after 10 s, read the current challenge_06.chall06 and hand it
// straight to MainActivity.chall06(). The app's Timer (decompiled above) changes
// chall06 every second, so the read and the call are kept back to back.
// NOTE(review): the 10 s here is counted from script load, while the app checks
// currentTimeMillis() > timeStart + 10000 — assumes the script is attached after
// the activity already called challenge_06.startTime(); confirm for spawn mode.
function challenge06() {
    const delayMs = 10000;
    setTimeout(() => {
        Java.perform(() => {
            const challenge_06 = Java.use('uk.rossmarks.fridalab.challenge_06');
            const expected = challenge_06.chall06.value; // the currently correct value
            console.log("NOW CLICK"); // reminder to press the check button
            Java.choose('uk.rossmarks.fridalab.MainActivity', {
                onMatch(activity) {
                    activity.chall06(expected); // submit the value just read
                },
                onComplete() {},
            });
        });
    }, delayMs);
}


7、Bruteforce check07Pin() then confirm with chall07()


爆破check07Pin()方法,然后使用chall07()方法来验证

/**
 * PIN holder for challenge 7 (decompiled from the app).
 * setChall07() stores BuildConfig.FLAVOR (presumably empty here) followed by a
 * random integer in [1000, 9999]; check07Pin() is a plain String.equals against it.
 * Reviewer note: Math.random() is not a cryptographically secure generator and
 * the 9000-value space is trivially enumerable — which is what this challenge exploits.
 */
public class challenge_07 {
    static String chall07;

    /** Draws a new 4-digit PIN: (int)(Math.random() * 9000) is 0..8999, plus 1000. */
    public static void setChall07() {
        int pin = ((int) (Math.random() * 9000.0d)) + 1000;
        chall07 = BuildConfig.FLAVOR + pin;
    }

    /** True when str is exactly (case-sensitively) the stored PIN string. */
    public static boolean check07Pin(String str) {
        return str.equals(chall07);
    }
}



确认 chall07 的范围为 1000 ~ 9999:(int)(Math.random() * 9000) 取值 0 ~ 8999,再加 1000 后恰好是 1000 ~ 9999,因此候选值都是四位数,无需补零。



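// Challenge 7: brute-force the PIN through challenge_07.check07Pin() and submit
// the hit via MainActivity.chall07(). setChall07() (decompiled above) builds the
// PIN as (int)(Math.random() * 9000) + 1000, so the search space is exactly
// 1000..9999 and every candidate is already four characters wide — no padding needed.
function challenge07() {
    Java.perform(() => {
        const challenge_07 = Java.use('uk.rossmarks.fridalab.challenge_07');
        // Printed only so the brute-force result can be cross-checked in this lab.
        console.log("the pass : ", challenge_07.chall07.value);

        let activity = null;
        Java.choose('uk.rossmarks.fridalab.MainActivity', {
            onMatch(instance) {
                activity = instance;
            },
            onComplete() {},
        });
        // This script (like the original) relies on Java.choose having run onMatch
        // before returning. If no MainActivity is alive there is nothing to confirm
        // against, so bail out instead of throwing on a null handle.
        if (activity === null) {
            console.log('MainActivity instance not found; is the activity running?');
            return;
        }

        for (let candidate = 9999; candidate >= 1000; candidate--) {
            const pin = String(candidate);
            if (challenge_07.check07Pin(pin)) {
                console.log('bruteforce:', pin);
                activity.chall07(pin);
                break;
            }
        }
    });
}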

8、Change "check" button's text value to "Confirm"


修改 “check”按钮的文字为"Confirm"


// Challenge 8: relabel the "check" button to "Confirm".
// The view is fetched by numeric resource id 2131165231 (0x7f07002f); resource ids
// are generated at build time and may differ in another build of the APK.
// findViewById returns android.view.View, so the handle is cast to
// android.widget.Button before setText is called.
function challenge08() {
    Java.perform(() => {
        let activity;
        Java.choose('uk.rossmarks.fridalab.MainActivity', {
            onMatch(instance) {
                activity = instance;
            },
            onComplete() {},
        });

        const Button = Java.use('android.widget.Button');
        const JString = Java.use('java.lang.String');

        const CHECK_BUTTON_ID = 2131165231;
        const view = activity.findViewById(CHECK_BUTTON_ID);
        console.log('check:', view);
        const checkButton = Java.cast(view.$handle, Button);
        checkButton.setText(JString.$new('Confirm'));
    });
}





参考:

1、fridalab writeup - https://www.shielder.it/blog/2019/02/fridalab-writeup/

2、complete solver script - https://codeshare.frida.re/@TheZ3ro/fridalab-solver/


