Dynamic Hooking and Overwriting of Native Android Password Validation Using Frida

-
Dynamic Hooking and Overwriting of Native Android Password Validation Using Frida

Dynamic Hooking and Overwriting of Native Android Password Validation Using Frida

Introduction

Reverse engineering native libraries in Android applications provides a direct avenue for examining the intricate logic underpinning critical functions. This exploration employs Frida, a sophisticated dynamic instrumentation framework, to interact with and manipulate the password validation routine of a native Android application.

Hooking and Overwriting the Password Validation

Using Frida, we intercepted and manipulated the password validation logic within the application’s native codebase.

Java.perform(function () {
    var lib = Module.findExportByName("libnative-lib.so", "Java_com_optiv_ndkcrackme_MainActivity_b");

    if (lib) {
        console.log("Found function: " + lib);

        Interceptor.attach(lib, {
            onEnter: function (args) {
                try {
                    var input = Memory.readUtf8String(args[1]);
                    console.log("Intercepted password check. Input: " + input);
                } catch (e) {
                    console.log("Error decoding input string: " + e.message);
                }
            },
            onLeave: function (retval) {
                console.log("Original return value: " + retval.toInt32());
                retval.replace(1);
                console.log("Modified return value: " + retval.toInt32());
            }
        });

        console.log("[X] Password bypass hook installed.");
    } else {
        console.log("Failed to find target function in libnative-lib.so.");
    }
});

Key Steps

Return Value Manipulation: The onLeave method modifies the original return value to 1, coercing the function to treat all inputs as valid credentials.

Results: Password Bypass in Action

By executing the script within the application’s runtime using the following command:

frida -U -p <pid> -l bypass_password_v2.js

The password validation mechanism was successfully overridden. The application consistently displayed Password accepted! regardless of the input provided.

Addressing Runtime Function Loading

During the hooking process, it was observed that the target function resided within a native library dynamically loaded during runtime. This behavior necessitated attaching directly to the application’s PID:

frida -U -p <pid> -l bypass_password_v2.js

We successfully identified and hooked the function at memory address 0x738ad16478. This pattern underscores the necessity of adaptive analysis techniques to accommodate dynamic library behavior.

Conclusion

Frida’s dynamic instrumentation capabilities exemplify fine-grained control over native Android application behavior. By targeting Java_com_optiv_ndkcrackme_MainActivity_b, we demonstrated a concrete application of runtime hooking to bypass password validation. These techniques provide a comprehensive framework for advanced reverse engineering, debugging, and security evaluation.

Final Note

The methodologies articulated in this document are exclusively intended for scholarly and ethical application. Practitioners bear the responsibility of ensuring adherence to all pertinent legal statutes and professional standards when employing these techniques.

Comments

Post a Comment

Popular posts from this blog

Automated Exploitation of a Bluetooth vulnerability that leads to 0-click code execution

-
Image
This blog post covers an interesting vulnerability that was just discovered earlier this year and an open source free tool that was created to automate testing for this vulnerability in Bluetooth devices.  I will preface this with the warning that this is of course done in my personal testing lab environment with my own devices for learning and demonstration purposes. I am in no way encouraging that these tools, snippets of code or techniques be used maliciously as there can be very serious legal consequences for those that use these hacking tricks nefariously. However, in a personal testing lab environment I think this is great for learning and allows someone to quickly be able to confirm or deny if their personal devices are truly standing up to the Bluetooth CVE of CVE-2023-45866 . CVE-2023-45866 is described as an issue where the " Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept...
Read more

Sniffing GSM traffic on a private cellphone network

-
Image
Legal Disclaimer: GSM Research and Passive Traffic Monitoring ‘The information provided in this blog is for educational and informational purposes only. The author and publisher of this blog are not responsible for any misuse, illegal activities, or damages that may arise from the use of the information provided herein. The author conducted research using two Samsung phones and a BladeRF with YateBTS to create a small-scale GSM network for the purpose of analyzing and intercepting traffic. It is important to note that intercepting or tampering with wireless communication without proper authorization is illegal in many jurisdictions. The author undertook this research within a controlled and lawful environment, and any techniques or findings described in this blog should not be replicated or applied in unauthorized or illegal activities. The author strongly advises against engaging in any illegal activities, including but not limited to intercepting or tampering with wireless communicat...
Read more

Raspberry Pi WiFi Honeypot 🍯

-
Image
This was a fun project to work on and build out. I learned a few new interesting tricks along the way. I started with this tutorial from 2013 by Andy Smith . However, a few things have changed with hostapd that I had to figure out through debugging. Also, the configuration of the nginx server as well as dnsmasq were slightly different for me using the new Raspbian Buster for Raspberry Pi 4.  This should save you some time if you follow my trick tips later on in the article that I found by searching through various message boards and googling error messages as I did debugging to get this working properly. I have gone over setting up nginx servers in previous articles so if you need help with getting started these may be helpful. So first things first. I started with a canakit and assembled the raspberry pi with the appropriate heat sinks and a little fan set to a standard speed. The speed is adjusted by how you install the wiring. If you haven't done this before you can follow the ...
Read more