This specific challenge was not actually solved by me during quals. Aegis officially scored and I'm sure others helped out. That said, I like to look at challenges afterwards and identify what I could do to solve it more efficiently next time. What follows is a walk-through on solving this challenge with my revenge tool.

I decided to create revenge since I think that the frida tool is pretty useful, but I really hate the API. I don't enjoy coding in JavaScript (or TypeScript for that matter). Frida does expose a Python library, but it is effectively just enough to be able to run JavaScript scripts. My goal with revenge is to make a much more pythonic library around frida and add extra libraries and functionality based around frida as the framework.

This particular challenge is an Android reverse engineering challenge. Given the authors, and their recent addition of Java to their symbolic execution engine angr, it is very likely this challenge was placed in to showcase their tool. There's a writeup on solving this challenge with angr posted here. That said, I think most people solved it with frida, since this challenge lends itself to a dynamic approach. There are plenty of writeups out there right now on solving this challenge, so I will skip a lot of the common information and mostly focus on what is specific to my solution, the revenge library.

To get started, let's install and run this challenge. I ran it via an emulator, but you can run it directly on your phone hardware if you want. The following is how you can load up the challenge with revenge:

```python
from revenge import Process, types, common, devices
android = devices.AndroidDevice(type="usb")
P = android.spawn("*ooo*", gated=False, load_symbols=)
```

First, we create an AndroidDevice object, which will automatically discover your Android device, install the latest version of frida server to it, and then connect to it. The second line simply installs this apk. The final line tells revenge to spawn a new process, not to "gate" it (i.e., let it fully start), and to load up the symbols specifically for the dex file and libnative-lib.so. You technically don't need that load_symbols directive, but by default it will attempt to load the symbols for EVERY loaded library, which turns out to take a little while on an Android emulator. The latter library was discovered by running the app, as will be shown below.