Android UnCrackable Level 2

The crack will be performed on a Kali Linux machine.

The installation process for each tool will not be shown, but every step to create the environment will be documented.

To install the .apk, an emulator is required. Create one with the following command:

avdmanager create avd -n Android26 -k "system-images;android-26;default;x86_64" -c 10M

Verify that the device has been installed correctly:

avdmanager list avd

Start the emulator as follows:

emulator -avd Android26

Use the following command to list connected devices. Note the device name.

adb devices

Download UnCrackable-Level2.apk and install it on the emulator. Then open the app.

adb -s emulator-5554 install UnCrackable-Level2.apk

The application detects that the device is rooted and immediately closes.

To bypass this, we need to investigate the app for an anti-root check. Android APK Studio will be used for static analysis, although other tools like jadx or apktool can do the same job.

Open Android APK Studio and click “File” -> “Open” -> “APK”, then select UnCrackable-Level2.apk.

Select the “Decompile java?” checkbox and click “Decompile”.

Analyzing the code, we can see that in MainActivity.java, once a rooted device is detected, a method named a is called and the application then exits.

To bypass this we will use Frida. To make the process easier to follow, I will complement it with RMS (Runtime Mobile Security), a web interface that simplifies working with Frida.

RMS is written in JavaScript and distributed as an npm package, so we need to install npm and then the package itself.

sudo apt install -y npm
sudo npm install -g rms-runtime-mobile-security

A Frida server needs to be running on the Android device. Go to the Frida releases page and download the latest frida-server build for Android x86_64, matching the emulator image's architecture. The server version must match the Frida client version that RMS uses, so note the version number (17.8.2 below).

Unpack the downloaded server.

unxz frida-server-17.8.2-android-x86_64.xz

Give the emulator root privileges.

adb -s emulator-5554 root

Copy the server to /data/local/tmp on the emulator.

adb -s emulator-5554 push frida-server-17.8.2-android-x86_64 /data/local/tmp/

Make the file executable.

adb -s emulator-5554 shell "chmod 755 /data/local/tmp/frida-server-17.8.2-android-x86_64"

Run it in the background, listening on all interfaces on port 27042.

adb -s emulator-5554 shell "/data/local/tmp/frida-server-17.8.2-android-x86_64 -l 0.0.0.0:27042 &"

In another terminal, forward local port 27042 to the same port on the device.

adb -s emulator-5554 forward tcp:27042 tcp:27042

Start RMS.

rms

Open a web browser and navigate to http://127.0.0.1:5491/ to see the interface. Then select:

  • Mobile OS: Android.

  • Package name: owasp.mstg.uncrackable2.

  • Spawn or Attach: Spawn.

Click “Load Default Frida Scripts”.

Several scripts will appear. For now we only need script number 24, called system_exit_bypass.js. Click it.

The script should be loaded. Click “Start RMS” to run the script and bypass the root protection.

Return to the mobile application and check the console logs to confirm the script is loaded. If you click “OK” when root is detected, the message “System.exit() Bypassed!” should appear and the application will remain open.

After bypassing the root protection, a form appears to enter a secret. Enter “secret” and click “Verify” to see what happens.

An error message is displayed. We now need to obtain the actual secret code.

Return to RMS. Navigate to the settings panel, fill in the data as before, and click “Start RMS”.

Click “Load classes”.

Several classes will be loaded. Click “Insert a Filter” to view only those related to the main activity.

Add a filter to hook classes starting with sv.vantagepoint and click “Submit”.

Click “Load Methods” to view and analyze them.

Click “Hook all methods”.

Return to the Android application and click the “Root detected!” message.

In RMS you will see a console showing which methods have been called.

Enter any secret and click “Verify”.

Messages will appear in the console. In this case, we can see that the verification calls CodeCheck.

Searching in MainActivity using Android APK Studio, we see that it loads the native library foo.

This library can be found under /lib/<architecture>/libfoo.so. It is compiled native code rather than Java bytecode, so APK Studio cannot decompile it; we need a native-code decompiler.

To do that we will use Ghidra. Rename the .apk to .zip, extract it, import libfoo.so into a Ghidra project, and double-click it to open it in the CodeBrowser.

Analyze the code and search for the part where the check is performed.

In the Symbol Tree under Exports you can see CodeCheck_bar. That is exactly what we need to analyze to find how to obtain the password.

In the “Decompile” tab you will find a strncpy call whose source argument is the password. Because the secret is a plain string literal embedded in the library, Ghidra's decompiled output shows it in plain text.
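The pattern the decompiler exposes here, as an added illustration that is not the app's or Ghidra's code: a native check that strncpy's a string literal and compares it with the input, next to the scan an auditor runs over read-only data to spot such literals. The secret value is a constructed placeholder, not the real one; the lesson for defenders is that no client-side check can hide a literal from a disassembler, so a real secret has to stay off the device (server-side verification).

```c
#include <string.h>

/* Constructed placeholder for the literal Ghidra reveals in libfoo.so;
   it is NOT the real UnCrackable Level 2 secret. */
#define PLACEHOLDER_SECRET "EXAMPLE_SECRET_NOT_REAL"

/* Shape of the native check as the decompiler shows it: the literal is strncpy'd
   into a stack buffer and compared with the user's bytes. The literal has to live
   in the library's read-only data, so anyone who can read the .so can read it. */
int code_check_vulnerable(const char *input, size_t input_len)
{
    char secret[32];
    strncpy(secret, PLACEHOLDER_SECRET, sizeof secret - 1);
    secret[sizeof secret - 1] = '\0';
    return input_len == strlen(secret) && memcmp(secret, input, input_len) == 0;
}

/* What an auditor (or Ghidra's string search) does to spot such a literal: scan a
   read-only blob for printable runs of at least min_len bytes. Returns the number
   of runs found and copies the longest one (NUL-terminated) into `longest`. */
size_t find_printable_runs(const unsigned char *data, size_t n,
                           size_t min_len, char *longest, size_t cap)
{
    size_t count = 0, start = 0, best_len = 0;
    longest[0] = '\0';
    for (size_t i = 0; i <= n; i++) {           /* i == n flushes the final run */
        if (i < n && data[i] >= 0x20 && data[i] < 0x7f) continue;
        size_t run = i - start;
        if (run >= min_len) {
            count++;
            if (run > best_len && run < cap) {  /* keep the longest that fits */
                memcpy(longest, data + start, run);
                longest[run] = '\0';
                best_len = run;
            }
        }
        start = i + 1;
    }
    return count;
}

/* Constructed stand-in for a slice of .rodata: noise, the literal, a too-short "ok". */
static const unsigned char fake_rodata[] =
    "\x00\x7f" "ELF" "\x01\x00\x00" PLACEHOLDER_SECRET "\x00\x02\x00" "ok" "\x00";

/* 1 if the only printable run of 4+ bytes in fake_rodata is exactly the secret. */
int demo_recovers_secret(void)
{
    char longest[64];
    size_t runs = find_printable_runs(fake_rodata, sizeof fake_rodata, 4, longest, sizeof longest);
    return runs == 1 && strcmp(longest, PLACEHOLDER_SECRET) == 0;
}
```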

Return to the UnCrackable Level 2 application, enter that secret string, and click “Verify”.

You should see that the secret is correct.