Frida Hooking Journey Part 1
“If I have seen further, it is by standing on the shoulders of giants.”
- Sir Isaac Newton
When my formal leader inspired me with these words of wisdom, I had little understanding of their full meaning. After two years in the cybersecurity field, I truly appreciate the importance of learning from the giants, and also of working hard to be a giant for somebody else.
In this column I am going to share a simple authentication bypass using two methods. Instead of building a new APK, I have decided to use the MSTG Hacking Playground, which already meets the current objective.
What you need:
1. Rooted Device
1.1 Download the frida-server-15.1.17-android-arm64.xz (https://github.com/frida/frida/releases)
1.2 Start the frida-server using the following command:
2. Linux VM (or any OS of your choice)
2.1 Objection 1.11.0
2.2 Frida 15.1.17
3. MSTG Hacking Playground
3.1 Download app-arm-debug.apk (https://github.com/OWASP/MSTG-Hacking-Playground/tree/master/Android/MSTG-Android-Java-App/app)
Before beginning, decompile the APK using a Java decompiler. Alternatively, you can refer to the source code that is already provided on GitHub. Learning to decompile is also part of the learning process, which I will cover in a future column on Smali code decompiling, modifying and recompiling.
Method 1: Using JS / JD-Gui
1. Inspect the code and note that verify() is a method that returns a boolean.
2. Create the hooking script as follows:

```javascript
console.log("Script loaded successfully");

Java.perform(function () {
    // Wrapper for the class that holds the password check
    var Auth_hook = Java.use("sg.vp.owasp_mobile.OMTG_Android.OMTG_DATAST_001_BadEncryption");
    // Replace verify() so that it always reports success
    Auth_hook.verify.implementation = function () {
        console.log("Password Verify Hooked !");
        return true;
    };
});
```
3. Run the following command to inject the script and bypass the authentication check.
Method 2: Built-in Commands via Objection
1. Open the app and start the connection:
$ objection -g sg.vp.owasp_mobile.omtg_android explore
2. List the methods of the class:
$ android hooking list class_methods sg.vp.owasp_mobile.OMTG_Android.OMTG_DATAST_001_BadEncryption
3. Force verify() to return true whenever it is called:
$ android hooking set return_value sg.vp.owasp_mobile.OMTG_Android.OMTG_DATAST_001_BadEncryption.verify true
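As an added example that is not from the original post, here is a fuller version of the Method 1 hook doing the same forced-true return that objection's set return_value applies in Method 2, but hooking every overload of verify() and recording each call's arguments and the real result before overriding it, which makes visible that the whole decision is taken on the client and cannot be trusted there. The class name is the one from the post; makeFakeJava is a constructed stand-in for Frida's Java bridge so the logic can be run offline, and its password is constructed.

```javascript
// Class name from the post.
const TARGET_CLASS = 'sg.vp.owasp_mobile.OMTG_Android.OMTG_DATAST_001_BadEncryption';

// Replacement for one overload of verify(). `original` is the Frida method
// wrapper, so calling it still runs the real Java check; the real result is
// recorded in `log` before the forced `true` is returned.
function makeVerifyHook(original, log) {
  return function () {
    const args = Array.prototype.slice.call(arguments);
    const real = original.apply(this, args);
    log.push({ args: args, real: real });
    console.log('verify(' + args.join(', ') + ') real=' + real + ' -> forced true');
    return true;
  };
}

// Hook every overload of verify() so the exact signature does not matter.
// Returns the number of overloads hooked.
function installVerifyHook(JavaApi, log) {
  const cls = JavaApi.use(TARGET_CLASS);
  cls.verify.overloads.forEach(function (ov) {
    ov.implementation = makeVerifyHook(ov, log);
  });
  return cls.verify.overloads.length;
}

// Constructed stand-in for Frida's `Java` object (not the real bridge) so the
// hook can be exercised offline. Its one verify(String) overload compares
// against `correctPassword`, and calls dispatch through `implementation`
// when one is set, as a real Frida wrapper does.
function makeFakeJava(correctPassword) {
  const overload = function (pw) { return pw === correctPassword; };
  overload.implementation = null;
  const cls = { verify: function () {
    return (overload.implementation || overload).apply(this, arguments);
  } };
  cls.verify.overloads = [overload];
  return {
    use: function (name) {
      if (name !== TARGET_CLASS) throw new Error('unknown class ' + name);
      return cls;
    },
    perform: function (fn) { fn(); },
  };
}
// Under Frida (where the global `Java` exists) install the hook for real.
if (typeof Java !== 'undefined') {
  Java.perform(function () { installVerifyHook(Java, []); });
}
```

Loaded with frida -U -l on the running app, the console shows the real verify() result alongside the forced one for each attempt.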
Conclusion:
Stay tuned for more advanced hooking in the next column, e.g. method overriding and more :)