Patching b.ne with FRIDA
Another solution to Challenge 0xB from:
https://github.com/DERE-ad2001/Frida-Labs/tree/main/Frida%200xB
At offset 0x15248 (the b.ne instruction) we patch the code so that execution jumps directly to 0x15250,
the path that logs the flag (FLAG).
Start the script and watch for the flag in the log with:
adb logcat | grep -i FLAG
The script for Frida version 17:
// Frida 17 removed Module.findBaseAddress(); use Process.getModuleByName(name).base instead.
var base = Process.getModuleByName('libfrida0xb.so').base;
var adr = base.add(0x15248);   // address of the b.ne instruction
var jump = base.add(0x15250);  // target: the code path that logs the FLAG
// Make the page writable (Frida rounds the range to page boundaries) and check that it worked.
if (!Memory.protect(adr, 0x1000, "rwx")) {
  throw new Error("Memory.protect failed at " + adr);
}
var writer = new Arm64Writer(adr); // ARM64 code writer positioned on the b.ne
try {
  // Target is only 8 bytes away, so this emits a single 4-byte unconditional `b`;
  // a far target would emit a longer ldr/br sequence and clobber the following instructions.
  writer.putBranchAddress(jump);
  writer.flush();
  console.log(`Branch instruction inserted at ${adr}`);
} finally {
  writer.dispose();
}
Frida versions before 17:
//dere_challenge_0xb_1.js
var base = Module.findBaseAddress("libfrida0xb.so");
if (base === null) {
  throw new Error("libfrida0xb.so is not loaded yet");
}
var adr = base.add(0x15248);   // b.ne
var jump = base.add(0x15250);  // jump to where the FLAG is logged
if (!Memory.protect(adr, 0x1000, "rwx")) {
  throw new Error("Memory.protect failed at " + adr);
}
var writer = new Arm64Writer(adr); // ARM64 writer object
try {
  writer.putBranchAddress(jump);   // single 4-byte `b`, since the target is 8 bytes ahead
  writer.flush();
  console.log(`Branch instruction inserted at ${adr}`);
} finally {
  writer.dispose();
}
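Both scripts above write the branch blindly; if the offset is wrong for the build you are running, you corrupt some other instruction and the app crashes. The following is an added example (it is not part of the Frida-Labs repository or of the write-up) that encodes and decodes the AArch64 branch words involved so the script can verify that 0x15248 really holds a B.cond with condition NE before overwriting it, and computes the replacement `b` word itself. The offsets 0x15248/0x15250 and the module name come from the write-up; the sample instruction word is constructed for the demo. Under Frida the same helpers gate a Memory.patchCode() call (which handles page permissions and the instruction cache for you); under plain Node the Frida branch is skipped and only the pure helpers run.

```javascript
// Added example: AArch64 branch encoding helpers for the b.ne patch.
// Not code from the Frida-Labs challenge or the original write-up.

const COND = ['eq', 'ne', 'cs', 'cc', 'mi', 'pl', 'vs', 'vc',
              'hi', 'ls', 'ge', 'lt', 'gt', 'le', 'al', 'nv'];

// Sign-extend the low `bits` bits of `value` to a 32-bit signed integer.
function signExtend(value, bits) {
  const shift = 32 - bits;
  return (value << shift) >> shift;
}

// Decode a B.cond instruction word located at address `pc`.
// Encoding: 0101010 0 imm19 0 cond   (imm19 = word offset from pc).
// Returns null if the word is not a B.cond.
function decodeBCond(word, pc) {
  if ((word & 0xff000010) >>> 0 !== 0x54000000) return null;
  const imm19 = signExtend((word >>> 5) & 0x7ffff, 19);
  return { cond: COND[word & 0xf], target: pc + imm19 * 4 };
}

// Encode an unconditional B from `pc` to `target`.
// Encoding: 000101 imm26   (word offset, range +/-128 MiB).
function encodeB(pc, target) {
  const delta = target - pc;
  if (delta % 4 !== 0) throw new Error('branch target is not 4-byte aligned');
  const imm26 = delta / 4;
  if (imm26 < -(1 << 25) || imm26 >= (1 << 25)) throw new Error('B target out of range');
  return (0x14000000 | (imm26 & 0x03ffffff)) >>> 0;
}

// Alternative patch: keep the branch but invert its condition (NE -> EQ).
// AArch64 condition codes come in complementary pairs differing in bit 0,
// except AL/NV, which have no complement.
function invertBCond(word) {
  const cond = word & 0xf;
  if (cond >= 14) throw new Error('AL/NV have no inverse condition');
  return ((word & ~0xf) | (cond ^ 1)) >>> 0;
}

const hex = (v) => '0x' + (v >>> 0).toString(16).padStart(8, '0');

// Constructed sample (not read from the real binary): a B.NE at 0x15248
// whose failure path lies 0x40 bytes ahead: imm19 = 0x10, cond = 1 (NE).
const SAMPLE_PC = 0x15248;
const SAMPLE_BNE = 0x54000201;

function demo() {
  const dec = decodeBCond(SAMPLE_BNE, SAMPLE_PC);
  const patch = encodeB(SAMPLE_PC, 0x15250);
  console.log(`at ${hex(SAMPLE_PC)}: b.${dec.cond} ${hex(dec.target)} -> replace with ${hex(patch)}`);
  return { dec, patch, inverted: invertBCond(SAMPLE_BNE) };
}

if (typeof Process !== 'undefined') {
  // Running inside Frida: check the instruction before touching it.
  const base = Process.getModuleByName('libfrida0xb.so').base;
  const adr = base.add(0x15248);
  const word = adr.readU32();
  const dec = decodeBCond(word, 0x15248);
  if (!dec || dec.cond !== 'ne') {
    throw new Error(`unexpected instruction ${hex(word)} at ${adr}, refusing to patch`);
  }
  // Memory.patchCode makes the range writable and flushes the i-cache.
  Memory.patchCode(adr, 4, (code) => code.writeU32(encodeB(0x15248, 0x15250)));
  console.log(`patched b.ne at ${adr} -> ${base.add(0x15250)}`);
} else {
  demo();
}
```

The check matters beyond this challenge: a `b.ne` that decodes to a different target than expected, or a word that is not a B.cond at all, means the offset belongs to another build of the library and must be re-derived from the disassembler rather than patched.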



