M 513: Instrumenting with Frida (15 pts extra)

What You Need for This Project

Purpose

To practice instrumenting an Android app with Frida by overriding Java functions.

Launch an Android Emulator

In Android Studio, use an emulator with API 30 and a phone image that does not include Google Play, so that it is rooted.

Note: the app we're using doesn't work on API 33.

I used the emulator highlighted in the image below. My emulator uses an ARM64 processor. Make a note of the processor your emulator is using.

Installing Frida-Tools

On your host system, in a Terminal or Command Prompt, execute this command:
python3 -m pip install frida-tools

"error: externally-managed-environment"

If you see this error message, you need to create a Python virtual environment with these commands:
python3 -m venv venv
source venv/bin/activate
python3 -m pip install frida-tools
Execute this command:
frida --version
If it fails, try opening a new Terminal window and executing it there.

Note your version of Frida. When I did it in 2024, it was version 16.2.1, as shown below.

Downloading Frida-Server

On your host system, in a Web browser, go to

https://github.com/frida/frida/releases

Download the appropriate version of frida-server for your emulator's processor, with the same version number you found above, or as close as possible.

I used frida-server-16.2.0-android-arm64.xz, outlined in the image below.

Uncompressing Frida-Server

On a Mac, you can uncompress the file by double-clicking it. On Windows, use 7-zip.

Installing Frida-Server on your Android Device

On your host system, in a Terminal or Command Prompt, execute these commands:
adb push frida-server-16.2.0-android-arm64 /data/local/tmp/
adb shell
su
chmod 755 /data/local/tmp/*
/data/local/tmp/frida-server-16.2.0-android-arm64
The command does not return to a prompt; frida-server is now running in the foreground, as shown below.

Leave this Terminal window open.

Testing Frida-Server

On your host system, open a new Terminal or Command Prompt.

If your frida-tools were installed in a virtual environment, execute this command:

source venv/bin/activate
Execute this command:
frida-ps -U
A long list of processes running on Android appears, as shown below.

Installing a Vulnerable App

We'll use an intentionally vulnerable app.

On your host system, in a Web browser, go to

https://github.com/OWASP/owasp-mastg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk

Download UnCrackable-Level1.apk.

If that page is not available, use this alternate link.

Drag the UnCrackable-Level1.apk file and drop it on your running Android emulator.

On your emulator, launch the Uncrackable app.

It refuses to run, complaining about the phone being rooted, as shown below.

Viewing the Code in jadx-gui

Open the UnCrackable-Level1.apk file in jadx-gui.

Navigate to the Main Activity and click onCreate(Bundle), as shown below.

The root detection uses three functions: c.a(), c.b(), and c.c().

Navigate to sg.vantagepoint.a.c, as shown below.

These three functions, c.a(), c.b(), and c.c(), each perform a different test to see whether the phone is rooted.

Finding the App's Name

On your host system, in an unused Terminal, execute this command:
frida-ps -U | grep uncrack
The name of the vulnerable app appears, as shown below.

The name is owasp.mstg.uncrackable1

Creating a JavaScript Payload

In a Terminal, execute this command:
nano disableRoot.js
Paste in this code, as shown below.

This code overrides the a, b, and c functions so that each one always returns false.

Java.perform(function() {

    // Wrap the class that holds the three root checks
    var theClass = Java.use("sg.vantagepoint.a.c");

    // Replace each check so it logs a message and reports "not rooted"
    theClass.a.implementation = function(v) {
        console.log("In function A");
        return false;
    };
    theClass.b.implementation = function(v) {
        console.log("In function B");
        return false;
    };
    theClass.c.implementation = function(v) {
        console.log("In function C");
        return false;
    };

    console.log("Exploit Complete");

});

Type Ctrl+x, y, Enter to save the file.

Closing the App

On your Android device, click OK to close the app.

Exploiting the App

This command launches the app in a suspended state, lets the instrumentation occur, and then resumes execution.

If you are using Frida version 16, omit the --no-pause switch.

In a Terminal, execute this command:

frida -U --no-pause -l disableRoot.js -f owasp.mstg.uncrackable1
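The same spawn-gate sequence (spawn suspended, load the script, resume) written against Frida's Python API, as an added example that is not part of the original project page. It assumes the frida package that ships with frida-tools, a device reachable over USB with frida-server running, and the package and class names found above; unlike the page's script, each hook calls the original check first and reports its result to the host with send().

```python
import json

PACKAGE = "owasp.mstg.uncrackable1"       # app name found with frida-ps above
ROOT_CHECK_CLASS = "sg.vantagepoint.a.c"  # class whose a(), b(), c() do the root checks


def build_hook_script(class_name, methods, forced_value=False):
    """Generate Frida JavaScript that overrides each listed one-argument method.

    Each hook calls the original first and reports its result with send(), so
    the host sees what the check would have returned before it was overridden.
    """
    js_bool = "true" if forced_value else "false"
    hooks = []
    for m in methods:
        hooks.append(
            "  cls.%s.implementation = function (ctx) {\n"
            "    var original = this.%s(ctx);\n"
            "    send({method: '%s', original: original, forced: %s});\n"
            "    return %s;\n"
            "  };" % (m, m, m, js_bool, js_bool))
    return ("Java.perform(function () {\n"
            "  var cls = Java.use('%s');\n%s\n});\n" % (class_name, "\n".join(hooks)))


def handle_message(message, data=None):
    """Frida message callback; returns the line to log so it can be tested."""
    if message["type"] == "send":
        p = message["payload"]
        return "%s() originally returned %s, forced to %s" % (
            p["method"], p["original"], p["forced"])
    if message["type"] == "error":
        return "script error: %s" % message.get("description", message)
    return "unexpected message: %s" % json.dumps(message)


def run(package=PACKAGE, class_name=ROOT_CHECK_CLASS, methods=("a", "b", "c")):
    """Spawn the app frozen, install the hooks, then resume it (spawn gating)."""
    import frida  # imported here so the helpers above work without a device
    device = frida.get_usb_device()
    pid = device.spawn([package])     # process starts suspended, like frida -f
    session = device.attach(pid)
    script = session.create_script(build_hook_script(class_name, methods))
    script.on("message", lambda msg, data: print(handle_message(msg, data)))
    script.load()                     # hooks are in place before onCreate runs
    device.resume(pid)                # what the CLI does after loading the script
    return session


if __name__ == "__main__":
    s = run()
    input("Hooks active; press Enter to detach\n")
    s.detach()
```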

M 513.1: Message

The app opens.

The flag is covered by a green rectangle in the image below.

Sources

Android Hacking with FRIDA

Posted 10-17-22
disableRoot.js filename fixed and note for Frida 16 added 10-17-22
Updated to Frida version 13 and Mac M1 host 3-20-24
"Externally managed environment" box added 3-28-24
Video added 4-18-24