Early instrumentation: Intercepting method onCreate() from MainActivity on Android ART #29
Comments
The method
With the following hook, I hit the method:
```js
var mainactivity = Java.use("sg.vantagepoint.uncrackable1.MainActivity");
mainactivity.onStart.overload().implementation = function() {
    send("MainActivity.onStart() HIT!!!");
    var ret = this.onStart.overload().call(this);
};
```
This is the result after minimizing and maximizing the Android app:
```
[13:37 edu@ubuntu hooks] > python run_usb_spawn.py
pid: 10821
[*] Intercepting ...
[!] Received: [Starting hooks OWASP uncrackable1...]
[!] Received: [Hooks installed.]
[!] Received: [MainActivity.onStart() HIT!!!]
[!] Received: [java.lang.System.exit(I)V // We avoid exiting the application :)]
[!] Received: [MainActivity.onStart() HIT!!!]
[!] Received: [MainActivity.onStart() HIT!!!]
[!] Received: [MainActivity.onStart() HIT!!!]
[!] Received: [MainActivity.onStart() HIT!!!]
[!] Received: [MainActivity.onStart() HIT!!!]
[!] Received: [MainActivity.onStart() HIT!!!]
[!] Received: [MainActivity.onStart() HIT!!!]
[!] Received: [MainActivity.onStart() HIT!!!]
``` |
Hi, I have the same issue with the same application. I try to hook the sg.vantagepoint.a.c functions and don't have any feedback from Frida.
```js
if (Java.available) {
    Java.perform(function () {
        var rootChecks = Java.use('sg.vantagepoint.a.c');
        rootChecks.a.overload().implementation = function() {
            send('Return sg.vantagepoint.a.c.a -> false')
            return false;
        };
        rootChecks.b.implementation = function() {
            send('Return sg.vantagepoint.a.c.b -> false')
            return false;
        };
        rootChecks.c.implementation = function() {
            send('Return sg.vantagepoint.a.c.c -> false')
            return false;
        };
    });
}
```
Environment used: Frida 9.1.27, 9.1.26, 9.1.14 |
Hi @SrFlipFlop, I also tried the same hooks and they weren't hit by Frida. Then I attempted to hook Know that @TheDauntless experienced issues when using emulator + Frida. Did the process crash for you? Cheers |
Hi @enovella In older versions of Frida the hooked applications sometimes crashed. But using Frida 9.1.27 I didn't find any issue. Regards. |
Hi all, Regarding the unreachable hooks due to the early instrumentation, I'd like to mention that I have been playing with the uncrackable level3, and although I am still investigating where exactly to place the Java hooks, I was able to hit my hooks:
Will be commenting more when all is more clear :P |
In the first run, The problem with this issue is the time when the Java hooks are set. Looking for a solution |
Possible contenders for hook:
Approach: |
A first possible solution is Currently, Frida hooks setArgV0, called from app_main.cpp. This is too early. A few lines further, the start method is called. This method is described as
Halfway through, after some other initialisations, The remaining question now is: Is this too late? I used the following script for validating:
|
I just now noticed the following crash log in logcat when Java.perform is used:
|
Hi,
None of the sg.vantagepoint.a.c function hooks are hit either, unless I send the Activity to the background, and back to the foreground by re-launching it (see below).
If I send the Activity back to the foreground via recent apps, the hooks aren't hit (see below).
Has this issue been fixed on the latest versions? |
Hi @galapogos, I heard that it should have been fixed by one of the @oleavr releases. The behaviour you describe was exactly the same I experienced. I don't promise anything, but I will try to test it to verify your claim. Best, |
Just install the latest Frida. You do need both Frida and Frida-server running the same version. |
I've been trying the latest versions of both frida and frida-server. Was using 10.3.12, now using 10.4. Both exhibit the same erroneous behavior. |
Hi @galapogos, could you provide us more details about the issue? Best, |
Hi,
Basically MainActivity.onCreate() hooks are not hit on first run, and only hit when I relaunch the app after pressing the home button. It does not work if I use the task switcher to switch the app from fg to bg to fg again, presumably because that results in an onResume() rather than onCreate().
Could be a case where the hooks are not happening fast enough to catch the first run of onCreate()? |
Also, none of the root/debug checks could be hooked on first run. |
Hi, adb logcat:
|
This is a device-specific issue. Until someone with a Nexus device volunteers to debug this (I don't have any such device myself), this will remain an unresolved issue. As a workaround you may use an emulator or another Android device. |
Hi @oleavr,
I can also reproduce this issue with Frida 9.1.16 and 10.1.2 on an x86 Android 6.0 Android Studio Emulator (Host running Fedora and python3.6). |
Hi, Host: Linux x86_64, python3.6 Tested:
AndroidStudio Emulator:
Genymotion Emulator:
(I tested a lot more Frida versions, but I encountered another issue where Frida spawn crashes the App, see frida/frida#343)
uncrackable1.js
```js
'use strict';
setImmediate(function() {
    send("hooking started");
    Java.perform(function () {
        var mainactivity = Java.use("sg.vantagepoint.uncrackable1.MainActivity");
        mainactivity.onCreate.overload("android.os.Bundle").implementation = function(var_0) {
            send("'MainActivity.onCreate()' hooked");
            this.onCreate.overload("android.os.Bundle").call(this,var_0);
        };
        mainactivity.onStart.overload().implementation = function() {
            send("'MainActivity.onStart()' hooked");
            this.onStart.overload().call(this);
        };
        var rootcheck = Java.use("sg.vantagepoint.a.c");
        rootcheck.a.overload().implementation = function() {
            var ret = this.a.overload().call(this)
            send("'sg.vantagepoint.a.c.a()' hooked -> return \"false\" instead of \"" + ret + "\"");
            return false;
        };
        rootcheck.b.overload().implementation = function() {
            var ret = this.b.overload().call(this)
            send("'sg.vantagepoint.a.c.b()' hooked -> return \"false\" instead of \"" + ret + "\"");
            return false;
        };
        rootcheck.c.overload().implementation = function() {
            var ret = this.c.overload().call(this)
            send("'sg.vantagepoint.a.c.c()' hooked -> return \"false\" instead of \"" + ret + "\"");
            return false;
        };
        var activity = Java.use("android.app.Activity");
        activity.onCreate.overload("android.os.Bundle").implementation = function(var_0) {
            send("'android.app.Activity.onCreate()' hooked");
            this.onCreate.overload("android.os.Bundle").call(this,var_0);
        };
        activity.onResume.implementation = function () {
            send("'android.app.Activity.onResume()' hooked");
            this.onResume();
        };
        var debugcheck = Java.use("sg.vantagepoint.a.b");
        debugcheck.a.overload("android.content.Context").implementation = function(var_0) {
            var ret = this.a.overload("android.content.Context").call(this,var_0)
            send("'sg.vantagepoint.a.b.a(this.getApplicationContext())' hooked -> return \"false\" instead of \"" + ret + "\"");
            return false;
        };
        send("hooks inserted");
    });
});
```
Steps to reproduce:
or in python:
```python
import io
import sys
import frida

scriptname = "uncrackable1.js"   # the agent above

def on_message(message, data):
    # Print 'send' payloads and 'error' messages alike: a script error that
    # is silently dropped here looks exactly like "hooks never hit".
    print("[!] Received:", message)

device = frida.get_usb_device(timeout=1)
print ("[log] device.spawn() ...")
# creates the process with the main thread suspended
pid = device.spawn(["sg.vantagepoint.uncrackable1"])
print ("[log] device.attach() ...")
session = device.attach(pid)
with io.open(scriptname, "r", encoding='utf8') as f:
    script = session.create_script(f.read())
script.on('message', on_message)
print ("[log] script.load() ...")
script.load()
print ("[log] device.resume() ...")
# resumes the main thread
device.resume(pid)
sys.stdin.read()   # keep the session alive until Ctrl-D
```
Output:
the App shows the "Root detected" Alert
the App does not show the "Root detected" Alert and I can proceed ... Since at first glance logcat logs do not show anything suspicious, I don't know how to proceed here. |
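The spawn-gated sequence used throughout this thread (spawn with the main thread suspended, attach, load the agent, then resume) as an added, self-contained example. It is not the run_usb_spawn.py from the thread and not Frida project code. The host-side calls (frida.get_usb_device, device.spawn, device.attach, session.create_script, script.on, script.load, device.resume) are the real Python bindings; the hook descriptor table, the generated agent layout and the message formatting are this example's own choices and are assumptions. The class and method names are the ones named in this thread for Uncrackable level1, and a frida-server of the same version on the USB device is assumed. Two things it adds over the snippets above: the 'error' message type is printed, so an exception thrown inside Java.perform (a wrong class name, for instance) no longer looks like "hooks never hit", and every hook can be switched off on its own to bisect a hook that hangs the target, as suggested later in the thread.

```python
"""Early instrumentation of an Android app with Frida (added example, not from
the thread). Assumes frida on the host, a matching frida-server on the USB
device, and the Uncrackable level1 package discussed in this issue."""
import json
import sys

# One entry per Java hook (assumed layout). 'params' is the overload signature,
# 'force' (if present) is returned instead of the original result,
# 'call_original': False skips the original body, and 'enabled': False drops
# the hook so a hanging hook can be bisected.
HOOKS = [
    {"cls": "sg.vantagepoint.uncrackable1.MainActivity", "method": "onCreate",
     "params": ["android.os.Bundle"]},
    {"cls": "sg.vantagepoint.a.c", "method": "a", "params": [], "force": False},
    {"cls": "sg.vantagepoint.a.c", "method": "b", "params": [], "force": False},
    {"cls": "sg.vantagepoint.a.c", "method": "c", "params": [], "force": False},
    {"cls": "sg.vantagepoint.a.b", "method": "a",
     "params": ["android.content.Context"], "force": False},
    # The detection path ends in System.exit(); keep the process alive instead.
    {"cls": "java.lang.System", "method": "exit", "params": ["int"],
     "call_original": False},
]


def js_overload(params):
    """Render the .overload(...) selector; an empty list picks the no-arg overload."""
    return ".overload(" + ", ".join(json.dumps(p) for p in params) + ")"


def build_agent(hooks):
    """Render the enabled hooks as a Frida JavaScript agent.

    Each hook reports a hit via send(); hooks with 'force' also report the
    original return value before substituting the forced one. The install
    runs in one try/catch so a failing Java.use() surfaces as 'hook-error'.
    """
    lines = ["'use strict';", "Java.perform(function () {",
             "  send({event: 'hooks-start'});", "  try {"]
    for i, h in enumerate(hooks):
        if not h.get("enabled", True):
            continue
        cls, method = h["cls"], h["method"]
        var, ov = "C%d" % i, js_overload(h.get("params", []))
        name = json.dumps("%s.%s" % (cls, method))
        lines.append("    var %s = Java.use(%s);" % (var, json.dumps(cls)))
        lines.append("    %s.%s%s.implementation = function () {" % (var, method, ov))
        lines.append("      send({hook: %s, args: Array.prototype.slice.call(arguments).map(String)});" % name)
        if h.get("call_original", True):
            lines.append("      var ret = this.%s%s.apply(this, arguments);" % (method, ov))
        else:
            lines.append("      var ret;  // original body deliberately not executed")
        if "force" in h:
            forced = json.dumps(h["force"])
            lines.append("      send({hook: %s, original: String(ret), forced: %s});" % (name, forced))
            lines.append("      return %s;" % forced)
        else:
            lines.append("      return ret;")
        lines.append("    };")
    lines += ["  } catch (e) {",
              "    send({event: 'hook-error', detail: String(e)});",
              "    throw e;",
              "  }",
              "  send({event: 'hooks-installed'});",
              "});"]
    return "\n".join(lines) + "\n"


def classify_message(message, data=None):
    """Format a Frida message for the console; 'error' carries script exceptions."""
    kind = message.get("type")
    if kind == "send":
        return "[agent] " + json.dumps(message["payload"])
    if kind == "error":
        return "[error] %s\n%s" % (message.get("description", ""), message.get("stack", ""))
    return "[?] " + json.dumps(message)


def spawn_and_hook(package, agent_source, log=print):
    """Spawn the app suspended, install the agent, then resume it."""
    import frida  # deferred so build_agent() also runs on a host without frida
    device = frida.get_usb_device(timeout=5)
    pid = device.spawn([package])            # created with the main thread suspended
    session = device.attach(pid)
    script = session.create_script(agent_source)
    script.on("message", lambda message, data: log(classify_message(message, data)))
    script.load()                            # hooks are live before any app code runs
    device.resume(pid)                       # only now do Application/Activity.onCreate run
    return pid, session


if __name__ == "__main__":
    pid, session = spawn_and_hook("sg.vantagepoint.uncrackable1", build_agent(HOOKS))
    print("[log] pid %d resumed; Ctrl-D to detach" % pid)
    sys.stdin.read()
    session.detach()
```

If the target stops responding after load(), flip "enabled": False on entries until it starts again and the offending hook is found; if a hook "does nothing", look for a '[error]' line first, since an exception inside Java.perform aborts every hook after it.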
Might work better with 10.6.59, which fixed a long-standing stability issue in the Java hooking logic. |
@oleavr I am not sure about that. Look at this #29 (comment) |
@enovella Did you verify this with 10.6.59? The bug that was fixed in .59 caused undefined behavior, so it could explain this issue – or this could be a different one, but someone has to test this on 10.6.59 to be sure. |
Hi, This works:
If I switch to frida-gadget, everything works fine, except early instrumentation. @oleavr , thanks again for all the awesome work on frida and especially regarding Android. |
I could confirm that 10.6.59 early instrumentation does not work with python2 bindings. Tested on OneplusOne (armv7) running Android 6. |
Hi, |
Hi all, I also had no success with 10.6.59 and python2 bindings (Android 7.1.2 ARM64). Is there something we can do to finally solve this issue? (@oleavr). This is an important issue to resolve imho. Best |
Hi, Edit:
Same behaviour than with the emulator: |
@enovella If you're saying it works with the REPL but not the python bindings, that means you're using the API wrong – because the REPL is using the same python bindings. Could you share a minimal example reproducing the behavior you're seeing? |
Hi @oleavr, I thought that I had already shared it with you. Anyhow, here you go:
Looking forward to solving this issue. |
Also to comment, with the REPL it "kinda" worked but didn't continue working after hitting the hooks. Therefore, I could say that it didn't work properly for me on Android 7.1.2 Nexus 5X. |
@enovella Ah sorry, I should have looked closer. I see the problem: Some style nitpicks:
do:
Regarding the hanging issue, a good way to get to the bottom of that is to disable hooks until it's able to start, to narrow it down to just one. |
Hi @oleavr, Many thanks for the comments and for reopening the issue. It seems that the problem is on my side. Will come back to you with answers after testing your advice. Regarding the gadget, do you want to keep this page for handling this issue as well? Otherwise, after verifying that the error was in my code, I will close the issue. Cheers |
Busy this week but I will share my testing results as soon as possible. Let's leave this issue opened until the issue has been entirely resolved both in frida-gadget and Python bindings. |
Hi Guys, I have the same problem (Frida 10.7.6, frida-server 10.7.6, Nexus 5, Android 6). Following setup:
Output:
So, the The interesting part is, when I type
When I try to hook onCreate or other "early" stuff, this does not work, because the hook is not set... |
go up! |
This works perfectly:
```
[23:10 edu@truelove ~] > r2 frida://spawn/usb//owasp.mstg.uncrackable1
 -- Don't do this.
[0x00000000]> \. ./owasp1.js
[0x00000000]> \dc
resumed spawned process.
[0x00000000]> Starting hooks OWASP uncrackable1...
Hooks installed.
MainActivity.onCreate() HIT!!!
sg.vantagepoint.a.c.a()Z Root check 1 HIT! su.exists()
sg.vantagepoint.a.c.b()Z Root check 2 HIT! test-keys
sg.vantagepoint.a.c.c()Z Root check 3 HIT! Root packages
sg.vantagepoint.a.b.a(Landroid/content/Context;)Z Debug check HIT!
MainActivity.onStart() HIT!!!
[0x00000000]>
[0x00000000]> sg.vantagepoint.a.a.a([B[B)[B doFinal(enc) // AES/ECB/PKCS7Padding
Decrypted flag: I want to believe
[0x00000000]> \?V
{"version":"12.4.7.3.gc04f610"}
``` |
Hi @enovella , can you include your owasp1.js script? Or give some more insights into what is now working, what isn't? It might be a little bit too early to close this issue? |
Uncomment the commented code and return false instead of |
Hi @enovella Below is my code and on that code I want to hook onClick implementation. But I didn't find the way on how to do it? Do you have an idea about How can i?
|
@oleavr shouldn't this issue be open? Issue exists even on frida 12.2.25 |
Please @giorgos-pieri upgrade to 12.6.x where the issue is fixed Check this out: |
Hi all,
I have been playing around with some Android crackmes from the OWASP community and found that I was not able to hook the first class loaded that extended from the class Activity. Therefore, I wondered why this was happening.
Target code (decompiled)
First of all, let's see the target code to intercept:
The goal is to inject code when entering onCreate() to defeat the security checks. To achieve early instrumentation, the process was chosen to be spawned instead of attached, and the hook was written as such:
Question
With all that, my question was whether Frida is capable of intercepting this early method when the main activity class is instantiated.
Further information
APK: Uncrackable level1
Target class: public class MainActivity extends Activity
Target method: protected void onCreate(final Bundle bundle)
Frida version: 9.1.27
Target Arch: Android 7.1.x ART
Device: Nexus 5x
Host Arch: x64 Ubuntu 16.04.2