
frida - fridalab


1. memory에 올라와 있는 내용은 Java.use로 접근
2. memory에 올라와 있지 않으면 이미 존재하는 instance를 획득해서 사용 (Java.choose)

 

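/*
 * FridaLab (uk.rossmarks.fridalab) challenges 1-8, solved from a single Frida agent script.
 *
 * Two access patterns are used throughout:
 *   - Java.use(name)    -> class wrapper: static fields, static methods, replacing implementations.
 *   - Java.choose(name) -> live instances on the heap, needed to call instance methods.
 *
 * Every check handled below runs inside the app process, which is why a script with
 * instrumentation access can rewrite its inputs and return values. Anything that has to
 * hold against the device owner needs to be verified off-device.
 */
Java.perform(function () {
    var MAIN_ACTIVITY = 'uk.rossmarks.fridalab.MainActivity';
    // Value of R.id.check taken from the decompiled app
    // ("public static final int check = 2131165231;"). Resource ids are build-specific.
    var CHECK_BUTTON_ID = 2131165231;

    // --- Challenge 1: set the static field chall01 to 1 through the class wrapper.
    console.log("[*] Chall 01 solve");
    var Challenge01 = Java.use('uk.rossmarks.fridalab.challenge_01');
    Challenge01.chall01.value = 1;

    // Instance methods need a live MainActivity. Java.choose walks the heap synchronously,
    // so `main` is populated (or still null) as soon as the call returns.
    var main = null;
    Java.choose(MAIN_ACTIVITY, {
        onMatch: function (instance) {
            main = instance;
        },
        onComplete: function () { }
    });
    if (main === null) {
        // Without an instance every call below would fail on `undefined`; stop with a clear message.
        console.log('[!] no live ' + MAIN_ACTIVITY + ' instance found; is the activity running?');
        return;
    }

    // --- Challenge 2: call the instance method chall02().
    main.chall02();

    // --- Challenge 3: make chall03() return true. The decompiled click handler
    //     (summarised under challenge 8) reads this return value.
    var MainActivity = Java.use(MAIN_ACTIVITY);
    MainActivity.chall03.implementation = function () {
        return true;
    };

    // --- Challenge 4: call chall04() with the expected string.
    main.chall04("frida");

    // --- Challenge 5: the app itself calls chall05("notfrida!") from the click handler, so the
    //     replacement ignores the incoming argument and forwards "frida" instead. Calling the
    //     hooked method on `this` from inside its own replacement reaches the original
    //     implementation, and targets whichever instance the app invoked it on.
    MainActivity.chall05.implementation = function (str) {
        this.chall05("frida");
    };

    // --- Challenge 6: mirror the app's changing chall06 value and submit it after a delay.
    console.log('[*] challenge 6 solve');
    var Challenge06 = Java.use('uk.rossmarks.fridalab.challenge_06');
    var addChall06 = Challenge06.addChall06.overload('int');
    var confirmChall06 = Challenge06.confirmChall06.overload('int');

    var lastValue = 0;
    addChall06.implementation = function (value) {
        // Let the app update its state first, then copy the resulting static field.
        addChall06.call(this, value);
        lastValue = Challenge06.chall06.value;
    };
    confirmChall06.implementation = function (arg0) {
        // Substitute the mirrored value for whatever the caller passed.
        return confirmChall06.call(this, lastValue);
    };

    // Frida's Thread.sleep() takes seconds, so this blocks the agent thread for 10 s.
    // NOTE(review): presumably the app only accepts chall06 after a start-up delay; the
    // check itself is not shown on this page.
    Thread.sleep(10);
    console.log('[*] call chall06');
    main.chall06(lastValue);

    // --- Challenge 7: try candidates 0..9999 against check07Pin() and confirm the match.
    var Challenge07 = Java.use('uk.rossmarks.fridalab.challenge_07');
    var pin = null;
    for (var candidate = 0; candidate < 10000; candidate++) {
        if (Challenge07.check07Pin(String(candidate))) {
            pin = String(candidate);
            break;
        }
    }
    if (pin !== null) {
        main.chall07(pin);
    } else {
        // Do not submit a value that check07Pin() never accepted.
        console.log('[!] challenge 7: no candidate below 10000 was accepted');
    }

    // --- Challenge 8: change the text of the "check" button to "Confirm".
    /*
     * Reference, from the decompiled MainActivity: the button found with
     * findViewById(R.id.check) has an OnClickListener that
     *   - sets completeArr[0] when challenge_01.getChall01Int() == 1,
     *   - sets completeArr[2] when chall03() returns true,
     *   - calls chall05("notfrida!"),
     *   - sets completeArr[7] when chall08() returns true,
     *   - then calls changeColors().
     *
     * Class hierarchy: java.lang.Object > android.view.View
     *                  > android.widget.TextView > android.widget.Button
     */
    var Button = Java.use('android.widget.Button');
    var JavaString = Java.use('java.lang.String');
    // Views should only be touched from the UI thread; the agent runs on its own thread,
    // so the lookup and the text change are scheduled onto the app's main thread.
    Java.scheduleOnMainThread(function () {
        var view = main.findViewById(CHECK_BUTTON_ID);
        if (view === null) {
            console.log('[!] challenge 8: view id ' + CHECK_BUTTON_ID + ' not found');
            return;
        }
        // findViewById() is typed as View; cast so the wrapper is explicitly a Button.
        var checkButton = Java.cast(view, Button);
        checkButton.setText(JavaString.$new("Confirm"));
    });
});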