首页
社区
课程
招聘
[原创]FridaLab writeup
发表于: 2021-5-11 15:29 3477

[原创]FridaLab writeup

2021-5-11 15:29
3477


https://rossmarks.uk/blog/fridalab/


Frida Lab 闯关挑战:


完整解题代码:https://gist.github.com/lushann/67f0b9b10cf0922f7c0fa816214bc4de


uk.rossmarks.fridalab

1、Change class challenge_01's variable 'chall01' to: 1


将 challenge_01类中的chall01变量设置为1


function challenge01() {
    Java.perform(function(){
        Java.use("uk.rossmarks.fridalab.challenge_01").chall01.value = 1
    })
}

2、Run chall02()


主动调用非静态方法chall02:


function challenge02() {
    Java.perform(function () {
        Java.choose('uk.rossmarks.fridalab.MainActivity', {
            onMatch: function (instance) {
                instance.chall02()
            }, onComplete: function () { }
        })
    })
}




3、Make chall03() return true


修改函数返回值为true



function challenge03() {
    Java.perform(function(){
        Java.use('uk.rossmarks.fridalab.MainActivity').chall03.implementation = function() {
            return true
        }
    })
}


4、Send "frida" to chall04()

主动调用非静态方法,参数为“frida”




function challenge04() {
    Java.perform(function () {
        Java.choose('uk.rossmarks.fridalab.MainActivity',{
            onMatch:function(instance){
                instance.chall04("frida")
            },onComplete:function(){}
        })
    })
}

5、Always send "frida" to chall05()


在方法被调用时,对其进行hook,修改其参数为"frida"



function challenge05(){
    Java.perform(function(){
        Java.use('uk.rossmarks.fridalab.MainActivity').chall05.implementation = function(x) {
            var res  = this.chall05("frida")
            return res
        }
      
    })
}


6、Run chall06() after 10 seconds with correct value



10s后运行chall06() 方法,并使用正确的参数

        challenge_06.startTime();
        challenge_06.addChall06(new Random().nextInt(50) + 1);

        new Timer().scheduleAtFixedRate(new TimerTask() {
            /* class uk.rossmarks.fridalab.MainActivity.C02732 */

            public void run() {
                int nextInt = new Random().nextInt(50) + 1;
                challenge_06.addChall06(nextInt);
                Integer.toString(nextInt);
            }
        }, 0, 1000);
   
public void chall06(int i) {
        if (challenge_06.confirmChall06(i)) {
            this.completeArr[5] = 1;
        }
 }


public class challenge_06 {
    static int chall06;
    static long timeStart;

  // 存储当前时间
    public static void startTime() {
        timeStart = System.currentTimeMillis();
    }

    public static boolean confirmChall06(int i) {
        return i == chall06 && System.currentTimeMillis() > timeStart + 10000;
    }

    public static void addChall06(int i) {
        chall06 += i;
        if (chall06 > 9000) {
            chall06 = i;
        }
    }
}


function challenge06() {
    setTimeout(function() {
        Java.perform(function () {
            var challenge_06 = Java.use('uk.rossmarks.fridalab.challenge_06')
            var chall06 = challenge_06.chall06.value // 获取正确的值
            console.log("NOW CLICK") // 提示:click
            Java.choose('uk.rossmarks.fridalab.MainActivity', {
                onMatch: function (instance) {
                    instance.chall06(chall06) // 调用chall06方法,并给予正确的值
                }, onComplete: function () { }
            })
        })
    }, 10000)
}


7、Bruteforce check07Pin() then confirm with chall07()


爆破check07Pin()方法,然后使用chall07()方法来验证

public class challenge_07 {
    static String chall07;

    public static void setChall07() {
        chall07 = BuildConfig.FLAVOR + (((int) (Math.random() * 9000.0d)) + 1000);
    }

    public static boolean check07Pin(String str) {
        return str.equals(chall07);
    }
}



确认 chall07的范围为: 1000 ~ 9999



function challenge07() {
    Java.perform(function () {
      
        var challenge_07 = Java.use('uk.rossmarks.fridalab.challenge_07')
        console.log("the pass : ", challenge_07.chall07.value)

        var main;
        Java.choose('uk.rossmarks.fridalab.MainActivity', {
            onMatch: function (instance) {
                main = instance
            },
            onComplete: function () {

            }
        })
        for (var i = 9999; i > 999; i--) {
            var str = i.toString()
            var pass = str.padStart(4, '0')


            if (challenge_07.check07Pin(pass)) {
                console.log('bruteforce:', pass)
                main.chall07(pass)
                break
            }
        }
    })
}

8、Change "check" button's text value to "Confirm"


修改 “check”按钮的文字为"Confirm"


function challenge08(){
    Java.perform(function(){
        
        var main;
        Java.choose('uk.rossmarks.fridalab.MainActivity', {
            onMatch: function (instance) {
                main = instance
            },
            onComplete: function () {

            }
        })

        var btn = Java.use('android.widget.Button')
        
        var checkid = main.findViewById(2131165231)
        console.log('check:', checkid)
        var checkbtn = Java.cast(checkid.$handle,btn)
        checkbtn.setText(Java.use('java.lang.String').$new('Confirm'))

    })
}





参考:

1、fridalab writeup - https://www.shielder.it/blog/2019/02/fridalab-writeup/

2、complete solver script - https://codeshare.frida.re/@TheZ3ro/fridalab-solver/



[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

最后于 2021-5-11 15:32 被lushanu编辑 ,原因:
收藏
免费 1
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//