M 402: mAadhaar Code Modification (20 pts)

What You Need for This Project

Purpose

To modify the Indian government app mAadhaar so it runs on a rooted device.

This will give us practice using apktool and Jadx.

This tutorial follows a tweetstream by @fs0c131y.


Task 1: Getting the App

Download the APK

The app doesn't appear in Google Play in the USA, so download the APK from this page:

https://www.apkmonk.com/app/in.gov.uidai.mAadhaarPlus/

You should get this file: in.gov.uidai.mAadhaarPlus_2018-09-26.apk

If you are doing this project after Jan. 2019, the app may have been updated. If you want the APK file I used, you can get it here.

Installing the App

Launch Kali. Connect it to your Genymotion device with adb. Copy the APK file into Kali.

On Kali, execute this command:

adb install in.gov.uidai.mAadhaarPlus_2018-09-26.apk

(At this point you are installing the downloaded APK itself; the dist/ path used later in Task 3 only exists after apktool has rebuilt the app.)

The installation succeeds, as shown below.

Running the App

On your Genymotion device, launch the mAadhaar app.

A message appears on your phone telling you that you cannot use this app, as shown below.


Task 2: Using Jadx to Read the Code

You can use 64-bit Windows or Kali Linux to run Jadx. Choose one of them and follow the instructions below.

Using 64-Bit Windows

Launch your Windows machine. (Jadx is Java-based, so it should run on other platforms also, but I wrote these instructions using Windows.) Copy the in.gov.uidai.mAadhaarPlus_2018-09-26.apk file into your Windows machine.

Installing Java

First open Control Panel and uninstall all old Java versions.

Then open a Web browser and go here:

https://java.com/en/download/manual.jsp

Download the "Windows Offline (64-bit)" version and install it, as shown below.

Installing Jadx on Windows

Go here:

https://github.com/skylot/jadx/releases/tag/v0.8.0

Download jadx-gui, as shown below.

Launch Jadx.

Using Kali

In Kali, execute these commands:

git clone https://github.com/skylot/jadx.git
cd jadx
./gradlew dist
./build/jadx/bin/jadx-gui

Examining the Android Manifest

In Jadx, open the in.gov.uidai.mAadhaarPlus_2018-09-26.apk file.

In the left pane, at the bottom, expand Resources.

Click AndroidManifest.xml.

The contents appear on the right side, as shown below.

Notice that the LAUNCHER activity, which runs when the app launches, is

in.gov.uidai.mAadhaarPlus.ui.activity.SplashScreenActivity

as outlined in green in the image below.

According to the official Android documentation, the first method called when an activity is launched is the "onCreate" method, as shown at the top of the diagram below.

Reading the onCreate Method

In the left pane, in the top section, expand these items, as shown below. Click SplashScreenActivity, as shown below.

In the right pane, scroll down to the onCreate() method.

Notice the two code sections outlined in green in the image below.

The first section is Integrity Verification, using methods named fa and fb to detect app modification.

The second section uses a method named b to detect rooted devices.

We want to disable both these operations.

Finding the Integrity Verification Code

The routine to detect an altered app is "fa". Scroll to the top of the SplashScreenActivity code, and you can see that this module imports

in.gov.uidai.mAadhaarPlus.ui.activity.bf

as shown below.

In the left pane, scroll up and navigate to that module. Here you can find the a() method, as shown below.

This module computes a SHA-256 hash and compares it with a hard-coded value to see if the app has been modified. A check of this shape can never be satisfied by a rebuilt APK that is signed with a different key, which is why the approach in Task 3 is to patch the code that consumes the result rather than to try to reproduce the hash.
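The model below is example code written for this page; it is not the tutorial's code and not anything decompiled from mAadhaar. The page does not say what the app hashes, so the model assumes the usual choice, the app's signing certificate (the META-INF signer block in the APK), since that is exactly what a rebuilt and re-signed APK cannot reproduce. Both APKs are constructed in memory with placeholder bytes standing in for real certificates.

```python
"""Model of a hard-coded signer-hash integrity check (added example; assumptions noted inline)."""
import hashlib
import hmac
import io
import zipfile

# Constructed placeholders; a real META-INF/*.RSA entry is a PKCS#7 structure.
UIDAI_CERT = b"-----placeholder: original release signer certificate-----"
MY_CERT = b"-----placeholder: certificate from my-release-key.keystore-----"


def build_apk(cert: bytes, dex: bytes) -> bytes:
    """Toy APK: a zip holding one dex file and one v1 (JAR) signer block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", dex)
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", cert)
    return buf.getvalue()


def signer_sha256(apk: bytes) -> str:
    """SHA-256 of the signer block, which is what changes when jarsigner uses a new key."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC"):
                return hashlib.sha256(z.read(name)).hexdigest()
    raise ValueError("unsigned APK: no META-INF signer block")


def integrity_ok(apk: bytes, expected_hex: str) -> bool:
    """The check the app performs at startup against a constant compiled into it."""
    return hmac.compare_digest(signer_sha256(apk), expected_hex)


# What the developer bakes into the code: the hash taken from the release build.
ORIGINAL = build_apk(UIDAI_CERT, b"dex\n035\x00original code")
HARDCODED = signer_sha256(ORIGINAL)

# apktool b followed by jarsigner with our own key: whether or not the code changed,
# the signer block differs, so the hash moves.
REBUILT_RESIGNED = build_apk(MY_CERT, b"dex\n035\x00original code")
PATCHED_RESIGNED = build_apk(MY_CERT, b"dex\n035\x00patched code")


def demo() -> dict:
    return {
        "original": integrity_ok(ORIGINAL, HARDCODED),
        "unchanged_code_new_key": integrity_ok(REBUILT_RESIGNED, HARDCODED),
        "patched_code_new_key": integrity_ok(PATCHED_RESIGNED, HARDCODED),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24} integrity_ok={ok}")
```

The second result is the point: re-signing with my-release-key.keystore fails the check even when not a single instruction was changed, so the only way past it without the original key is to alter the branch that uses the result, which is what the smali edit in Task 3 does. The same holds for any purely client-side check, which is why such checks slow an analyst down rather than stop one.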


Task 3: Modifying the App

Unpacking the APK

Copy the in.gov.uidai.mAadhaarPlus_2018-09-26.apk file into Kali.

On Kali, execute this command:

apktool d -f -r in.gov.uidai.mAadhaarPlus_2018-09-26.apk

(-f overwrites any earlier output directory; -r leaves the resources undecoded, which is fine here because we only edit smali and it avoids resource rebuild problems later.)

Disabling Integrity Control

First we need to find the code to modify.

On Kali, execute this command:

grep SplashScreenActivity -r . | less -S

The main smali file path appears, highlighted in the image below.

Press Q to exit "less".

Execute this command to edit the file:

nano ./in.gov.uidai.mAadhaarPlus_2018-09-26/smali/in/gov/uidai/mAadhaarPlus/ui/activity/SplashScreenActivity.smali

Scroll down and find the code shown below.

This code calls the f->a and f->b methods, highlighted in yellow in the image below.

If the app is modified, the code sets the parameter "p1" to zero, as highlighted in light gray in the image below.

Change the 0x0 value to 0x1, outlined in green in the image below.

With this change the "modified" result is never recorded, so the app proceeds as if the integrity check had passed.

Disabling Root Detection

Scroll down a few lines and find the code shown below.

This code calls a function from scottyab's RootBeer library to detect a rooted phone. If the phone is rooted, it kills the app. (Genymotion images ship rooted, which is why the original app refuses to run there.)

To prevent that, add # characters (the smali comment marker) at the start of the nine lines colored blue in the image below, so they are dropped when the app is rebuilt.

Now the app will run on a rooted phone.

Rebuilding the App

On Kali, execute this command:

apktool b in.gov.uidai.mAadhaarPlus_2018-09-26

The file builds without errors, as shown below.

Making a Code Signing Certificate

Android won't run unsigned apps, so we need a signing certificate. Any self-signed key will do for sideloading with adb; the SHA1 options in the jarsigner command below are the ones old Android signing guides used for compatibility with early Android versions, and the current tool is apksigner from the Android SDK build-tools, which also produces v2 signatures.

Execute this command:

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
A prompt asks for a "keystore password". Enter a password twice.

Then a series of questions asks for your name, etc. You can press Enter for each question except the last one, which you must answer "yes" to, as shown below.

Signing the APK

On Kali, execute this command:

jarsigner -sigalg SHA1withRSA \
  -digestalg SHA1 -keystore my-release-key.keystore \
  in.gov.uidai.mAadhaarPlus_2018-09-26/dist/in.gov.uidai.mAadhaarPlus_2018-09-26.apk alias_name

Enter the keystore password when you are prompted to.

The app is signed, as shown below.

Uninstalling the Old App

On your Genymotion virtual Android device, open Settings and tap these items to uninstall the original mAadhaar app. This step is required: the rebuilt APK is signed with a different key, and Android refuses to install an update whose signer does not match the app already installed.

Installing the Modified App

On Kali, execute this command:

adb install in.gov.uidai.mAadhaarPlus_2018-09-26/dist/in.gov.uidai.mAadhaarPlus_2018-09-26.apk

The installation succeeds, as shown below.
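The whole of Task 3 as one script, added here as an example; it is not part of the original tutorial. The smali patterns it searches for are assumptions, because the tutorial shows the code only in screenshots: it assumes the integrity result is a `const/4 p1, 0x0` that follows the call to the b method, and that the root check starts at the first line naming a com/scottyab/rootbeer class. SAMPLE is a constructed stand-in used for the self-test, not the real SplashScreenActivity.smali, and the package name passed to adb uninstall is taken from the apkmonk URL. Read the real file first and adjust the anchors to what you see.

```python
"""Automate Task 3: unpack, patch the two checks in smali, rebuild, sign, reinstall (added example)."""
import re
import subprocess
from pathlib import Path

APK = "in.gov.uidai.mAadhaarPlus_2018-09-26.apk"
WORKDIR = Path(APK[:-len(".apk")])
SMALI = WORKDIR / "smali/in/gov/uidai/mAadhaarPlus/ui/activity/SplashScreenActivity.smali"
KEYSTORE, ALIAS = "my-release-key.keystore", "alias_name"
PACKAGE = "in.gov.uidai.mAadhaarPlus"  # assumed: the package id in the apkmonk URL

# Constructed stand-in for the real onCreate() smali; class names and layout are
# assumptions, only the two patterns the patcher keys on matter.
SAMPLE = """\
    invoke-static {}, Lin/gov/uidai/mAadhaarPlus/ui/activity/f;->a()Z
    move-result v0
    invoke-static {}, Lin/gov/uidai/mAadhaarPlus/ui/activity/f;->b()Z
    move-result v1
    if-eqz v0, :cond_0
    if-nez v1, :cond_1

    :cond_0
    const/4 p1, 0x0

    :cond_1
    new-instance v2, Lcom/scottyab/rootbeer/RootBeer;
    invoke-direct {v2, p0}, Lcom/scottyab/rootbeer/RootBeer;-><init>(Landroid/content/Context;)V
    invoke-virtual {v2}, Lcom/scottyab/rootbeer/RootBeer;->isRooted()Z
    move-result v3
    if-eqz v3, :cond_2
    invoke-virtual {p0}, Lin/gov/uidai/mAadhaarPlus/ui/activity/SplashScreenActivity;->finish()V
    invoke-static {}, Landroid/os/Process;->myPid()I
    move-result v4
    invoke-static {v4}, Landroid/os/Process;->killProcess(I)V

    :cond_2
    return-void
"""


def flip_const_after(smali: str, anchor: str, reg: str, old: str, new: str) -> str:
    """Rewrite the first `const/4 <reg>, <old>` that appears after a line containing anchor."""
    lines = smali.splitlines(keepends=True)
    pat = re.compile(rf"^(\s*const/4\s+{re.escape(reg)},\s*){re.escape(old)}\s*$")
    seen_anchor = False
    for i, line in enumerate(lines):
        if anchor in line:
            seen_anchor = True
        elif seen_anchor:
            m = pat.match(line.rstrip("\n"))
            if m:
                lines[i] = m.group(1) + new + "\n"
                return "".join(lines)
    raise ValueError(f"no 'const/4 {reg}, {old}' after {anchor!r}")


def comment_out_block(smali: str, anchor: str, count: int) -> str:
    """Prefix `count` instructions with '#' (smali's comment marker), starting at the
    first line containing anchor. Blank lines are skipped, not counted."""
    lines = smali.splitlines(keepends=True)
    start = next((i for i, l in enumerate(lines) if anchor in l), None)
    if start is None:
        raise ValueError(f"anchor {anchor!r} not found")
    done, i = 0, start
    while done < count and i < len(lines):
        if lines[i].strip():
            lines[i] = "#" + lines[i]
            done += 1
        i += 1
    return "".join(lines)


def patch_splash(smali: str) -> str:
    """The two edits from the tutorial: p1 := 0x1 after the integrity call; root check commented out."""
    s = flip_const_after(smali, anchor=";->b(", reg="p1", old="0x0", new="0x1")
    return comment_out_block(s, anchor="com/scottyab/rootbeer/", count=9)


def run(*cmd: str, check: bool = True) -> None:
    print("+", " ".join(cmd))
    subprocess.run(cmd, check=check)


def rebuild_and_install() -> None:
    run("apktool", "d", "-f", "-r", APK)           # -r: resources stay undecoded, we only touch smali
    SMALI.write_text(patch_splash(SMALI.read_text()))
    run("apktool", "b", str(WORKDIR))
    out = WORKDIR / "dist" / APK
    if not Path(KEYSTORE).exists():                  # keytool prompts interactively, as in the tutorial
        run("keytool", "-genkey", "-v", "-keystore", KEYSTORE, "-alias", ALIAS,
            "-keyalg", "RSA", "-keysize", "2048", "-validity", "10000")
    run("jarsigner", "-sigalg", "SHA1withRSA", "-digestalg", "SHA1",
        "-keystore", KEYSTORE, str(out), ALIAS)
    run("jarsigner", "-verify", str(out))           # fail loudly if signing did not take
    run("adb", "uninstall", PACKAGE, check=False)    # new signer: the original install must go first
    run("adb", "install", str(out))


if __name__ == "__main__":
    rebuild_and_install()
```

The patch functions are pure and work on text, so they can be tried on SAMPLE (or on the real file read into a string) before anything is rebuilt; a failed anchor raises instead of silently producing an unpatched APK, which is the failure mode you would otherwise only notice when the app still refuses to run.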

Launching the App

On your Genymotion device, launch the mAadhaar app.

It asks whether it can make phone calls. Click ALLOW.

In the "mAadhaar Consent" page, click OK.

In the "Usage Guidelines" page, at the top left, click the leftward-pointing arrow.

You get past the integrity and root checks and see a "VERSION MISMATCH" screen, as shown below. That screen is a server-side check on the app version, which patching the client does not affect; for this project, reaching it is the goal.


M 402: Recording Your Success (20 pts)

Find the text covered by a green box in the image above. That's the flag.

Converted to a CTF 2-28-19