Trying EsCrackMe.apk with Frida

Question

Trying EsCrackMe.apk with Frida

GanbaruTobi opened this issue 3 years ago · 5 comments

When trying to recreate
how-to-perform-symbolic-execution-of-mobile-apps-with-r2frida-esilsolve i get the following base.odex representation:

From the video in the blog the code looks quite the same (so i suppose its not a radare issue):

I try solving with the following code: https://gist.github.com/GanbaruTobi/1821f9c4cedbc98f07a2c15c22bfae5f

Expected result: 0xcafebabe
Got result: 0xbadd000c
The resulting flag is wrong:

Besides, if u have an idea how to pull the address correctly for each attachment, we could at this to the repo (when its working correctly).

Answer 1 · 2022-06-19T00:24:09.000Z

Execution output: https://gist.github.com/GanbaruTobi/bd7ec1583af9a392cb1ea008fd66617c

Answer 2 · 2022-06-21T16:11:46.000Z

so the second check to make sure the value is correct gets turned into that cset w0, eq instruction, so all you need to do is add a couple lines before evaluating the flag that constrains w0 to be 1 (or nonzero also works here) so let w0 = new_state.registers.get("w0"); new_state.assert(w0);

Answer 3 · 2022-07-16T07:00:43.000Z

let me know if this worked so i can close

Answer 4 · 2022-07-16T08:31:02.000Z

it worked, but do u have something in radius where a radare2 command can be executed to get an address? So to execute "s :il~foobar" for example? In that case i could make an example that gets the right address.

Answer 5 · 2022-07-16T14:42:09.000Z

yes you can execute any command with radius.cmd(...). so something like "s `:il~foobar`; :is symname" should work. on phone right now ill check when im at my workstation