Mobile Apps Pentesting: Android UnCrackable L2

KanakSasak
4 min read · Sep 26, 2023

Introduction

In this challenge we will try to crack the UnCrackable L2 Android app. It is basically the same as L1, but it needs more exploration at the low level: the secret is checked in native code. We will do some reverse engineering with Ghidra to find the secret string and complete the challenge. OK, let's start.

Prerequisites

In this level we will use the following tools:

  1. Frida
  2. RMS
  3. Jadx
  4. Ghidra

Step-by-Step Guide to Cracking the Challenge

  • Run the Android emulator.
Set up the emulator
Install the app
  • If the app installs successfully, the first screen shows a root-detection popup. We will bypass this later.
Run the app
  • To bypass root detection we will use Frida and RMS. First, run the frida-server on the emulator/device.
Run the frida-server
Run the RMS app
  • Set up RMS to spawn the Android app and run a Frida script from RMS that hooks System.exit(), so the app does not exit when we click the OK button.
Bypass the root-detection popup
  • Once the script is running, the root detection is useless. Tap the OK button.
RMS dashboard
  • At this point we have completed half of the challenge.
  • For the next part, I'll use an approach from this source:
  1. RMS YouTube channel
  • I'll proceed with their solution and add my own solution at the end.
  • First, open jadx-gui to analyze the code.
Analyze the .apk using jadx-gui
  • Pay attention to the MainActivity class and its verify() method. Looking further, this method calls another class, CodeCheck, and that class gives no clue on its own: the real check is not in the Java code.
CodeCheck method
  • So we open libfoo.so in Ghidra and see what we get.
CodeCheck method viewed in Ghidra
  • We find interesting hex values, and we find that there is a call to strncmp().
  • Using RMS we can capture the parameters of int strncmp(char *__s1, char *__s2, size_t __n). strncmp(param1, param2, size) compares the two strings up to the given size; in this case the size is 0x17, or 23 in decimal.
  • So we must enter a 23-character value in the input form, and we can write a custom Frida script to read the 23-character value from memory.
var moduleName = "libfoo.so";
var functionName = "strncmp";

// Hook strncmp() exported by libfoo.so and dump both string arguments.
// 23 (0x17) is the size passed to strncmp in this challenge, so we read
// at most 23 bytes from each pointer.
Interceptor.attach(Module.findExportByName(moduleName, functionName), {
  onEnter: function (args) {
    var args1 = Memory.readCString(args[0], 23);
    var args2 = Memory.readCString(args[1], 23);
    send("Argument 1 : " + args1);
    send("Argument 2 : " + args2);
  }
});
  • Enter the 23-character string testtesttesttesttest123, observe the RMS console, and you will find the secret key.
Run the custom Frida script
  • You solved the challenge!
Solve the challenge
  • My approach is simpler: just find the juicy hex in Ghidra and convert it to ASCII, and you will see the secret key as below.
Convert the secret hex into ASCII
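The following is an added example, not code from the original post: it combines the two approaches above into one Frida script that reports only the strncmp() call whose length is 0x17 (so other strncmp callers in the process do not flood the RMS console), and it includes a small helper for the hex-to-ASCII step, which has to emit each little-endian immediate byte by byte, least-significant byte first, rather than reading the hex left to right. The module and function names are the ones from the post; the constants fed to the helper are constructed samples, not the challenge's secret.

```javascript
// Added example, not from the original post: hook strncmp in libfoo.so but
// only report the 23-byte (0x17) comparison the write-up identifies, and
// decode the little-endian immediates Ghidra shows into ASCII.
// MODULE_NAME/FUNCTION_NAME come from the post; sample constants are constructed.
const MODULE_NAME = "libfoo.so";
const FUNCTION_NAME = "strncmp";
const SECRET_LEN = 0x17; // 23, the size_t passed to strncmp in the challenge

// Ghidra lists the secret as integer immediates stored to the stack, e.g.
// 0x74736574 for "test" on a little-endian target. Rebuild the text by
// emitting each word's bytes least-significant byte first.
function decodeImmediates(words, wordSize) {
  let out = "";
  for (const w of words) {
    let v = BigInt(w);
    for (let i = 0; i < wordSize; i++) {
      const b = Number(v & 0xffn);
      if (b === 0) return out; // NUL terminator ends the string
      out += String.fromCharCode(b);
      v >>= 8n;
    }
  }
  return out;
}

// Only the comparison with the challenge's length is interesting; other
// strncmp callers with a different n are noise in the RMS console.
function isSecretCompare(n) {
  return n === SECRET_LEN;
}

function describeCall(s1, s2, n) {
  return 'strncmp("' + s1 + '", "' + s2 + '", ' + n + ")";
}

// Frida-only section; skipped when the helpers run under plain Node.js.
if (typeof Interceptor !== "undefined") {
  Interceptor.attach(Module.findExportByName(MODULE_NAME, FUNCTION_NAME), {
    onEnter(args) {
      const n = args[2].toInt32();
      if (!isSecretCompare(n)) return;
      // One argument is the user's input, the other the value built on the stack.
      send(describeCall(args[0].readCString(n), args[1].readCString(n), n));
    }
  });
}
```

Load it from RMS like the script above; outside Frida only the helpers are defined, which is handy for decoding constants copied out of Ghidra.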
