Created
June 30, 2020 15:13
-
-
Save jeanbmar/08da8ad764d5f5611fa2c438b6efe4a5 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // tested with frida server 12.10.4 on a rooted device | |
| rpc.exports = { | |
| init: function(stage, options) { | |
| Java.perform(function() { | |
| var agent = Process.findModuleByName('libff.so'); | |
| var counter = 0; | |
| Interceptor.attach(Module.findExportByName(null, 'open'), function(args) { | |
| if (args[0].readUtf8String().indexOf('frida-agent') >= 0) { // prevent our frida detection based on frida imports | |
| args[0].writeUtf8String('libc.so'); | |
| } | |
| }); | |
| Interceptor.attach(agent.base.add(0x2C3C50), { // enter _gum_duk_args_parse | |
| onEnter: function(args) { | |
| if (args[1].readUtf8String() === 'pZ') { // hook writeU8 to detect flag writing | |
| this.address = args[2]; | |
| } | |
| }, | |
| onLeave: function() { | |
| if (this.address) { | |
| counter += 1; | |
| if (counter === 1493 + 27 + 1) { // flag is about to be destroyed by second call to writeFlag | |
| this.address.readPointer().add(27).writeU8(0); | |
| console.log('flag', this.address.readPointer().readCString()); | |
| } | |
| } | |
| } | |
| }); | |
| }); | |
| } | |
| }; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment