root2victory Hack0n-URJC 2024

Write-up for the root2victory challenge at HackOn 2024

Given an APK, opening it in jadx-gui shows that we have to bypass some checks in order to get the flag:

The first check: when the app is opened, two methods make it close immediately:

if (rootBeer.isRooted() || Candy.Companion.marshmallow()) {
    Toast.makeText(this, "Try harder!", 1).show();
    finishAffinity();

The second check: in order to display the flag, one of these functions must return true:

if (Candy.Companion.gummy() || Candy.Companion.jelly() || Candy.Companion.sugar_free()) {
    Toast.makeText(this, Donut.Companion.sentence(), 1).show();

I used Frida alongside Android Studio.

Here is my Frida code:

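Java.perform(function () {
    // Classes holding the checks seen in the decompiled code
    const bypass1 = Java.use('com.scottyab.rootbeer.RootBeer');
    const bypass2 = Java.use('com.android.hackon.foods.Candy$Companion');

    // First check: both methods must return false so the app does not close
    bypass1.isRooted.implementation = function () {
        console.log("Root Bypass 1");
        return false;
    };
    bypass2.marshmallow.implementation = function () {
        console.log("Root Bypass 2");
        return false;
    };

    // Second check: one of gummy(), jelly() or sugar_free() returning true is enough
    bypass2.gummy.implementation = function () {
        console.log("show flag");
        return true;
    };
});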

Running the script:

frida -U -f com.android.hackon -l hook.js
