Court of Analysis and Testing

This is again "another" way to crack the owasp crack me challenge, but this time i used xposed framework to bypass the function authentication. Before using the xposed framework, you guys remember that the application has a root detection method inside the main function that will prevent us to hook into the method using xposed framework, to circumvent the check of the root detection i tamper the smali code of the application like the figure below. as you can see i tamper three function of the root checker inside the main function. This 3 function is equivalent to this source code:  if (c.a() || c.b() || c.c()) {             this.a("Root detected!");         } repackage the application and install it to the rooted vm or rooted device. Because we already taking care of the root detection now its time to move on to the xposed framework. This is the code i write to bypass the au...

  So this is another alternative way to solve owasp crackme challenge level 1. In this post i will use adb jdwp to bypass the anti-debugging feature of the application and retrieve the clear text secret string of the application i already told you from my previous post of debugging jdwp ( https://court-of-testing-analysing.blogspot.com/2018/11/going-old-fashion-debugging-android.html ) that in order to debug an application you need to add android:debuggable="true" option inside the application tag but this application is not stupid, as soon as we want to launch the app, the app is force to close because it has an anti debugging feature on them. Thus, we cannot tap into our jdwp :( so how do we do circumvent the anti-debugging feature inside the application ? According to OWASP documentation "Android's 'Developer options' contain the useful "Wait for Debugger" feature, which allows you to automatically suspend an app doing startup unti...

Hi guys ! sorry if have to gone for a while, i have to postponed the 100dayspentesing challenge to finished my bachelor thesis report and it took a lot of time to finish it. So because i have spare time before the final thesis test, i decide to do some stretching again with CTF challenge. This time i take the the owasp crackme challenge level 01 (you can download it in the following link: https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/Android/Level_01 ) LET THE GAME BEGIN ! First of all, you need to setup a machine to install the owasp level 01 apk you can use your own devide or vm (just choose the most comfortable one) and after you decide which one to use, install it with adb utility: ~# adb install UnCrackable-Level1.apk The above figure is the interface when you opened the installed apk. From first glance you can tell that we only need to find a secret string (so no fancy function that we need to explore). At this point i just straightly reverse engi...