@Techbrunch
Last active May 3, 2023 15:59
UnCrackable App for Android Level 1

Source: https://github.com/OWASP/owasp-mstg/tree/master/Crackmes

Let's try running the app.

adb install UnCrackable-Level1.apk

When we open the app we immediately get an error:

Root detected!
This is unacceptable. The app is now going to exit.

Let's look at the code for the root detection.

jadx UnCrackable-Level1.apk

A quick look through the decompiled files shows the root detection: onCreate calls three checks implemented in the class sg.vantagepoint.a.c.

/* access modifiers changed from: protected */
public void onCreate(Bundle bundle) {
    if (c.a() || c.b() || c.c()) {
        a("Root detected!");
    }
    if (b.a(getApplicationContext())) {
        a("App is debuggable!");
    }
    super.onCreate(bundle);
    setContentView(R.layout.activity_main);
}

package sg.vantagepoint.a;

import android.os.Build;
import java.io.File;

public class c {
    public static boolean a() {
        for (String file : System.getenv("PATH").split(":")) {
            if (new File(file, "su").exists()) {
                return true;
            }
        }
        return false;
    }

    public static boolean b() {
        String str = Build.TAGS;
        return str != null && str.contains("test-keys");
    }

    public static boolean c() {
        for (String file : new String[]{"/system/app/Superuser.apk", "/system/xbin/daemonsu", "/system/etc/init.d/99SuperSUDaemon", "/system/bin/.ext/.su", "/system/etc/.has_su_daemon", "/system/etc/.installed_su_daemon", "/dev/com.koushikdutta.superuser.daemon/"}) {
            if (new File(file).exists()) {
                return true;
            }
        }
        return false;
    }
}

Let's patch the APK using Objection so that we can take a closer look:

objection patchapk -s UnCrackable-Level1.apk
adb install UnCrackable-Level1.objection.apk

Let's see if the root detection bypass of Objection works in this case:

objection explore --startup-command 'android root disable'

In this case Objection's hooks are not in place before the checks in onCreate run, so we use Frida to spawn the app with our own script loaded:

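frida -U -f owasp.mstg.uncrackable1 -l root.js

// root.js
Java.perform(function () {
    // Class holding the three root checks called from onCreate
    var c = Java.use("sg.vantagepoint.a.c");
    // Replace each check so it always reports "not rooted"
    c.a.implementation = function () { return false; };  // su binary on PATH
    c.b.implementation = function () { return false; };  // Build.TAGS contains test-keys
    c.c.implementation = function () { return false; };  // known superuser files
});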

To make the change persistent we can patch the APK using Objection:

objection patchapk -s UnCrackable-Level1.apk -c gadget -l root.js
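
To see what this last step leaves behind in the APK, the following added example (not part of the original gist or of Objection) lists gadget libraries in a build and diffs its native libraries against a reference build. It assumes the gadget is embedded under lib/<abi>/ with its default libfrida-gadget name; the function names and the in-memory sample APKs are constructed for illustration.

```python
import io
import re
import zipfile

# Assumption: the gadget keeps its default library name; a renamed gadget
# will not match this pattern and is only caught by the reference diff below.
GADGET_RE = re.compile(r"^lib/([^/]+)/(libfrida-gadget[^/]*\.so)$")


def find_gadget_entries(apk):
    """Return {abi: [file names]} for gadget-like libraries in an APK."""
    hits = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            m = GADGET_RE.match(name)
            if m:
                hits.setdefault(m.group(1), []).append(m.group(2))
    return {abi: sorted(files) for abi, files in hits.items()}


def native_libs(apk):
    """Set of native library paths (lib/<abi>/*.so) inside an APK."""
    with zipfile.ZipFile(apk) as zf:
        return {n for n in zf.namelist()
                if n.startswith("lib/") and n.endswith(".so")}


def native_lib_diff(reference_apk, candidate_apk):
    """Native libraries present in the candidate but not in the reference."""
    return sorted(native_libs(candidate_apk) - native_libs(reference_apk))


def build_sample_apk(entries):
    """Constructed sample: an in-memory zip standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"constructed sample")
    buf.seek(0)
    return buf


SAMPLE_BASE = ["AndroidManifest.xml", "classes.dex", "resources.arsc"]
SAMPLE_PATCHED = SAMPLE_BASE + [
    "lib/arm64-v8a/libfrida-gadget.so",
    "lib/arm64-v8a/libfrida-gadget.config.so",
    "lib/arm64-v8a/libfrida-gadget.script.so",
]

if __name__ == "__main__":
    print(find_gadget_entries(build_sample_apk(SAMPLE_PATCHED)))
    print(native_lib_diff(build_sample_apk(SAMPLE_BASE),
                          build_sample_apk(SAMPLE_PATCHED)))
```

Both functions also accept a file path, so they can be pointed at real builds. A repackaged APK is re-signed as well, so its signing certificate differs from the reference build; this sketch does not check that.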