Exploiting a debuggeable application

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Bypassing root and debuggeable checks

Sehemu hii ya chapisho ni muhtasari kutoka kwa chapisho https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0

Steps to Make an Android App Debuggable and Bypass Checks

Making the App Debuggable

Maudhui yanategemea https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0

Decompile the APK:

Tumia zana ya APK-GUI kwa ajili ya decompiling APK.
Katika faili android-manifest, weka android:debuggable=true ili kuwezesha hali ya debugging.
Recompile, sign, na zipalign programu iliyobadilishwa.

Install the Modified Application:

Tumia amri: adb install <application_name>.

Retrieve the Package Name:

Tekeleza adb shell pm list packages –3 ili orodhesha programu za wahusika wengine na kupata jina la kifurushi.

Set the App to Await Debugger Connection:

Amri: adb shell am setup-debug-app –w <package_name>.
Kumbuka: Amri hii lazima ifanywe kila wakati kabla ya kuanzisha programu ili kuhakikisha inasubiri debugger.
Kwa kudumu, tumia adb shell am setup-debug-app –w -–persistent <package_name>.
Kuondoa bendera zote, tumia adb shell am clear-debug-app <package_name>.

Prepare for Debugging in Android Studio:

Tembea katika Android Studio hadi File -> Open Profile or APK.
Fungua APK iliyorekebishwa.

Set Breakpoints in Key Java Files:

Weka breakpoints katika MainActivity.java (hasa katika njia ya onCreate), b.java, na ContextWrapper.java.

Bypassing Checks

Programu, katika hatua fulani, itathibitisha ikiwa inapatikana kwa debugging na pia itakagua binaries zinazoashiria kifaa kilichoshikiliwa. Debugger inaweza kutumika kubadilisha taarifa za programu, kuondoa kipande cha debuggable, na kubadilisha majina ya binaries yanayotafutwa ili kupita hizi checks.

Kwa ajili ya ukaguzi wa debuggable:

Modify Flag Settings:

Katika sehemu ya mabadiliko ya debugger console, tembea hadi: this mLoadedAPK -> mApplicationInfo -> flags = 814267974.
Kumbuka: Uwiano wa binary wa flags = 814267974 ni 11000011100111011110, ikionyesha kuwa "Flag_debuggable" inafanya kazi.

Hatua hizi kwa pamoja zinahakikisha kuwa programu inaweza kudebugiwa na kwamba ukaguzi fulani wa usalama unaweza kupitishwa kwa kutumia debugger, ikiruhusu uchambuzi wa kina au mabadiliko ya tabia ya programu.

Hatua ya 2 inahusisha kubadilisha thamani ya bendera kuwa 814267972, ambayo inawakilishwa kwa binary kama 110000101101000000100010100.

Exploiting a Vulnerability

Uonyeshaji ulitolewa kwa kutumia programu yenye udhaifu inayojumuisha kitufe na textview. Kwanza, programu inaonyesha "Crack Me". Lengo ni kubadilisha ujumbe kutoka "Try Again" kuwa "Hacked" wakati wa utendaji, bila kubadilisha msimbo wa chanzo.

Checking for Vulnerability

Programu ilitolewa kwa kutumia apktool ili kufikia faili ya AndroidManifest.xml.
Uwepo wa android_debuggable="true" katika AndroidManifest.xml inaonyesha kuwa programu inapatikana kwa debugging na inaweza kuathiriwa.
Inafaa kutambua kuwa apktool inatumika pekee kuangalia hali ya debuggable bila kubadilisha msimbo wowote.

Preparing the Setup

Mchakato ulijumuisha kuanzisha emulator, kufunga programu yenye udhaifu, na kutumia adb jdwp ili kubaini bandari za Dalvik VM zinazot listening.
JDWP (Java Debug Wire Protocol) inaruhusu debugging ya programu inayotembea katika VM kwa kufichua bandari ya kipekee.
Kuelekeza bandari ilikuwa muhimu kwa ajili ya debugging ya mbali, ikifuatiwa na kuunganisha JDB kwenye programu lengwa.

Injecting Code at Runtime

Utekelezaji ulifanywa kwa kuweka breakpoints na kudhibiti mtiririko wa programu.
Amri kama classes na methods <class_name> zilitumika kufichua muundo wa programu.
Breakpoint ilipangwa katika njia ya onClick, na utekelezaji wake ulidhibitiwa.
Amri za locals, next, na set zilitumika kukagua na kubadilisha mabadiliko ya ndani, hasa kubadilisha ujumbe wa "Try Again" kuwa "Hacked".
Msimbo uliobadilishwa ulitekelezwa kwa kutumia amri ya run, ikibadilisha matokeo ya programu kwa wakati halisi.

Mfano huu ulionyesha jinsi tabia ya programu inayopatikana kwa debugging inaweza kubadilishwa, ikionyesha uwezekano wa udanganyifu zaidi wa hali kama kupata ufikiaji wa shell kwenye kifaa katika muktadha wa programu.

References

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousExploiting Content Providers NextFrida Tutorial

Last updated 7 days ago