Frida Tutorial 3

Reading time: 5 minutes

This is a summary of the post: https://joshspicer.com/android-frida-1
APK: https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk

Solution 1

Based in https://joshspicer.com/android-frida-1

Hook the _exit()_ function and decrypt function so it print the flag in frida console when you press verify:

Java.perform(function () {
  send("Starting hooks OWASP uncrackable1...")

  function getString(data) {
    var ret = ""
    for (var i = 0; i < data.length; i++) {
      ret += "#" + data[i].toString()
    }
    return ret
  }

  var aes_decrypt = Java.use("sg.vantagepoint.a.a")
  aes_decrypt.a.overload("[B", "[B").implementation = function (var_0, var_1) {
    send(
      "sg.vantagepoint.a.a.a([B[B)[B   doFinal(enc)  // AES/ECB/PKCS7Padding"
    )
    send("Key       : " + getString(var_0))
    send("Encrypted : " + getString(var_1))
    var ret = this.a.overload("[B", "[B").call(this, var_0, var_1)
    send("Decrypted : " + getString(ret))

    var flag = ""
    for (var i = 0; i < ret.length; i++) {
      flag += String.fromCharCode(ret[i])
    }
    send("Decrypted flag: " + flag)
    return ret //[B
  }

  var sysexit = Java.use("java.lang.System")
  sysexit.exit.overload("int").implementation = function (var_0) {
    send("java.lang.System.exit(I)V  // We avoid exiting the application  :)")
  }

  send("Hooks installed.")
})

Solution 2

Based in https://joshspicer.com/android-frida-1

Hook rootchecks and decrypt function so it print the flag in frida console when you press verify:

Java.perform(function () {
  send("Starting hooks OWASP uncrackable1...")

  function getString(data) {
    var ret = ""
    for (var i = 0; i < data.length; i++) {
      ret += "#" + data[i].toString()
    }
    return ret
  }

  var aes_decrypt = Java.use("sg.vantagepoint.a.a")
  aes_decrypt.a.overload("[B", "[B").implementation = function (var_0, var_1) {
    send(
      "sg.vantagepoint.a.a.a([B[B)[B   doFinal(enc)  // AES/ECB/PKCS7Padding"
    )
    send("Key       : " + getString(var_0))
    send("Encrypted : " + getString(var_1))
    var ret = this.a.overload("[B", "[B").call(this, var_0, var_1)
    send("Decrypted : " + getString(ret))

    var flag = ""
    for (var i = 0; i < ret.length; i++) {
      flag += String.fromCharCode(ret[i])
    }
    send("Decrypted flag: " + flag)
    return ret //[B
  }

  var rootcheck1 = Java.use("sg.vantagepoint.a.c")
  rootcheck1.a.overload().implementation = function () {
    send("sg.vantagepoint.a.c.a()Z   Root check 1 HIT!  su.exists()")
    return false
  }

  var rootcheck2 = Java.use("sg.vantagepoint.a.c")
  rootcheck2.b.overload().implementation = function () {
    send("sg.vantagepoint.a.c.b()Z  Root check 2 HIT!  test-keys")
    return false
  }

  var rootcheck3 = Java.use("sg.vantagepoint.a.c")
  rootcheck3.c.overload().implementation = function () {
    send("sg.vantagepoint.a.c.c()Z  Root check 3 HIT!  Root packages")
    return false
  }

  var debugcheck = Java.use("sg.vantagepoint.a.b")
  debugcheck.a.overload("android.content.Context").implementation = function (
    var_0
  ) {
    send("sg.vantagepoint.a.b.a(Landroid/content/Context;)Z  Debug check HIT! ")
    return false
  }

  send("Hooks installed.")
})

Solution 3 – frida-trace (Frida ≥ 16)

If you do not want to hand-write hooks you can let Frida generate the Java stubs for you and then edit them:

# Spawn the application and automatically trace the Java method we care about
aadb shell "am force-stop owasp.mstg.uncrackable1"
frida-trace -U -f owasp.mstg.uncrackable1 \
            -j 'sg.vantagepoint.a.a.a("[B","[B")[B' \
            -j 'sg.vantagepoint.a.c!*' \
            --output ./trace

# The first run will create ./trace/scripts/sg/vantagepoint/a/a/a__B_B_B.js
# Edit that file and add the logic that prints the decrypted flag or
# returns a constant for the root-checks, then:
frida -U -f owasp.mstg.uncrackable1 -l ./trace/_loader.js --no-pause

With Frida 16+ the generated stub already uses the modern ES6 template syntax and will compile with the built-in QuickJS runtime – you no longer need frida-compile.

Solution 4 – One-liner with Objection (2024)

If you have Objection >1.12 installed you can dump the flag with a single command (Objection wraps Frida internally):

objection -g owasp.mstg.uncrackable1 explore \
  --startup-command "android hooking watch class sg.vantagepoint.a.a method a \n  && android hooking set return_value false sg.vantagepoint.a.c * \n  && android hooking invoke sg.vantagepoint.a.a a '[B' '[B'"

• watch class prints the plaintext returned by the AES routine
• set return_value false forces every root / debugger check to report false
• invoke allows you to call the method directly without pressing Verify.

NOTE: On Android 14 (API 34) you must run Objection/Frida in spawn mode (-f) because attach is blocked by seccomp-bpf restrictions introduced in October 2024.

Modern Android notes (2023 - 2025)

• libsu 5.x and Zygisk hide su pretty well; however the Java based checks in Level 1 still fail if the file /system/bin/su exists. Make sure to enable denylist or simply hook java.io.File.exists() with Frida.
• Frida 16.1 fixed a crash on Android 12/13 caused by Google’s Scudo allocator. If you see Abort message: 'missing SHADOW_OFFSET', upgrade Frida (or use the pre-built 17.0 nightly).
• Because Play Integrity replaced SafetyNet in 2023, some newer apps call the com.google.android.gms.tasks.Task API. Level 1 does NOT, but the same hooking strategy shown here works – hook com.google.android.gms.safetynet.SafetyNetClient and return a forged EvaluationType.

References

• Frida release announcement – "Frida 16.0 (2023-04-02): Android 12/13 reliability fixes & spawn API overhaul"
• Objection 1.12 – "Spawn-only mode for Android 14" (BlackHat USA 2024 talk slides)