Bypass root + Frida

@sirpedrotavares seguranca-informatica.pt 0xSI_f33d
Search…
Bypass root + Frida
Bypass Android root protection with frida.
1. Install frida and root your emulator/device
Android Dynamic Analysis
Red Teaming and Malware Analysis
2. Use frida scripts to bypass (fast way)
Frida CodeShare
It works in the hardest applications. So, you need to create a file called "frida.js", and paste the code below.
1
Java.perform(function() {
2
    var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu",
3
        "com.koushikdutta.superuser", "com.thirdparty.superuser", "com.yellowes.su", "com.koushikdutta.rommanager",
4
        "com.koushikdutta.rommanager.license", "com.dimonvideo.luckypatcher", "com.chelpus.lackypatch",
5
        "com.ramdroid.appquarantine", "com.ramdroid.appquarantinepro", "com.devadvance.rootcloak", "com.devadvance.rootcloakplus",
6
        "de.robv.android.xposed.installer", "com.saurik.substrate", "com.zachspong.temprootremovejb", "com.amphoras.hidemyroot",
7
        "com.amphoras.hidemyrootadfree", "com.formyhm.hiderootPremium", "com.formyhm.hideroot", "me.phh.superuser",
8
        "eu.chainfire.supersu.pro", "com.kingouser.com"
9
    ];
10
​
11
    var RootBinaries = ["su", "busybox", "supersu", "Superuser.apk", "KingoUser.apk", "SuperSu.apk"];
12
​
13
    var RootProperties = {
14
        "ro.build.selinux": "1",
15
        "ro.debuggable": "0",
16
        "service.adb.root": "0",
17
        "ro.secure": "1"
18
    };
19
​
20
    var RootPropertiesKeys = [];
21
​
22
    for (var k in RootProperties) RootPropertiesKeys.push(k);
23
​
24
    var PackageManager = Java.use("android.app.ApplicationPackageManager");
25
​
26
    var Runtime = Java.use('java.lang.Runtime');
27
​
28
    var NativeFile = Java.use('java.io.File');
29
​
30
    var String = Java.use('java.lang.String');
31
​
32
    var SystemProperties = Java.use('android.os.SystemProperties');
33
​
34
    var BufferedReader = Java.use('java.io.BufferedReader');
35
​
36
    var ProcessBuilder = Java.use('java.lang.ProcessBuilder');
37
​
38
    var StringBuffer = Java.use('java.lang.StringBuffer');
39
​
40
    var loaded_classes = Java.enumerateLoadedClassesSync();
41
​
42
    send("Loaded " + loaded_classes.length + " classes!");
43
​
44
    var useKeyInfo = false;
45
​
46
    var useProcessManager = false;
47
​
48
    send("loaded: " + loaded_classes.indexOf('java.lang.ProcessManager'));
49
​
50
    if (loaded_classes.indexOf('java.lang.ProcessManager') != -1) {
51
        try {
52
            //useProcessManager = true;
53
            //var ProcessManager = Java.use('java.lang.ProcessManager');
54
        } catch (err) {
55
            send("ProcessManager Hook failed: " + err);
56
        }
57
    } else {
58
        send("ProcessManager hook not loaded");
59
    }
60
​
61
    var KeyInfo = null;
62
​
63
    if (loaded_classes.indexOf('android.security.keystore.KeyInfo') != -1) {
64
        try {
65
            //useKeyInfo = true;
66
            //var KeyInfo = Java.use('android.security.keystore.KeyInfo');
67
        } catch (err) {
68
            send("KeyInfo Hook failed: " + err);
69
        }
70
    } else {
71
        send("KeyInfo hook not loaded");
72
    }
73
​
74
    PackageManager.getPackageInfo.implementation = function(pname, flags) {
75
        var shouldFakePackage = (RootPackages.indexOf(pname) > -1);
76
        if (shouldFakePackage) {
77
            send("Bypass root check for package: " + pname);
78
            pname = "set.package.name.to.a.fake.one.so.we.can.bypass.it";
79
        }
80
        return this.getPackageInfo.call(this, pname, flags);
81
    };
82
​
83
    NativeFile.exists.implementation = function() {
84
        var name = NativeFile.getName.call(this);
85
        var shouldFakeReturn = (RootBinaries.indexOf(name) > -1);
86
        if (shouldFakeReturn) {
87
            send("Bypass return value for binary: " + name);
88
            return false;
89
        } else {
90
            return this.exists.call(this);
91
        }
92
    };
93
​
94
    var exec = Runtime.exec.overload('[Ljava.lang.String;');
95
    var exec1 = Runtime.exec.overload('java.lang.String');
96
    var exec2 = Runtime.exec.overload('java.lang.String', '[Ljava.lang.String;');
97
    var exec3 = Runtime.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;');
98
    var exec4 = Runtime.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;', 'java.io.File');
99
    var exec5 = Runtime.exec.overload('java.lang.String', '[Ljava.lang.String;', 'java.io.File');
100
​
101
    exec5.implementation = function(cmd, env, dir) {
102
        if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id" || cmd == "sh") {
103
            var fakeCmd = "grep";
104
            send("Bypass " + cmd + " command");
105
            return exec1.call(this, fakeCmd);
106
        }
107
        if (cmd == "su") {
108
            var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";
109
            send("Bypass " + cmd + " command");
110
            return exec1.call(this, fakeCmd);
111
        }
112
        return exec5.call(this, cmd, env, dir);
113
    };
114
​
115
    exec4.implementation = function(cmdarr, env, file) {
116
        for (var i = 0; i < cmdarr.length; i = i + 1) {
117
            var tmp_cmd = cmdarr[i];
118
            if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" || tmp_cmd == "sh") {
119
                var fakeCmd = "grep";
120
                send("Bypass " + cmdarr + " command");
121
                return exec1.call(this, fakeCmd);
122
            }
123
​
124
            if (tmp_cmd == "su") {
125
                var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";
126
                send("Bypass " + cmdarr + " command");
127
                return exec1.call(this, fakeCmd);
128
            }
129
        }
130
        return exec4.call(this, cmdarr, env, file);
131
    };
132
​
133
    exec3.implementation = function(cmdarr, envp) {
134
        for (var i = 0; i < cmdarr.length; i = i + 1) {
135
            var tmp_cmd = cmdarr[i];
136
            if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" || tmp_cmd == "sh") {
137
                var fakeCmd = "grep";
138
                send("Bypass " + cmdarr + " command");
139
                return exec1.call(this, fakeCmd);
140
            }
141
​
142
            if (tmp_cmd == "su") {
143
                var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";
144
                send("Bypass " + cmdarr + " command");
145
                return exec1.call(this, fakeCmd);
146
            }
147
        }
148
        return exec3.call(this, cmdarr, envp);
149
    };
150
​
151
    exec2.implementation = function(cmd, env) {
152
        if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id" || cmd == "sh") {
153
            var fakeCmd = "grep";
154
            send("Bypass " + cmd + " command");
155
            return exec1.call(this, fakeCmd);
156
        }
157
        if (cmd == "su") {
158
            var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";
159
            send("Bypass " + cmd + " command");
160
            return exec1.call(this, fakeCmd);
161
        }
162
        return exec2.call(this, cmd, env);
163
    };
164
​
165
    exec.implementation = function(cmd) {
166
        for (var i = 0; i < cmd.length; i = i + 1) {
167
            var tmp_cmd = cmd[i];
168
            if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" || tmp_cmd == "sh") {
169
                var fakeCmd = "grep";
170
                send("Bypass " + cmd + " command");
171
                return exec1.call(this, fakeCmd);
172
            }
173
​
174
            if (tmp_cmd == "su") {
175
                var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";
176
                send("Bypass " + cmd + " command");
177
                return exec1.call(this, fakeCmd);
178
            }
179
        }
180
​
181
        return exec.call(this, cmd);
182
    };
183
​
184
    exec1.implementation = function(cmd) {
185
        if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id" || cmd == "sh") {
186
            var fakeCmd = "grep";
187
            send("Bypass " + cmd + " command");
188
            return exec1.call(this, fakeCmd);
189
        }
190
        if (cmd == "su") {
191
            var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";
192
            send("Bypass " + cmd + " command");
193
            return exec1.call(this, fakeCmd);
194
        }
195
        return exec1.call(this, cmd);
196
    };
197
​
198
    String.contains.implementation = function(name) {
199
        if (name == "test-keys") {
200
            send("Bypass test-keys check");
201
            return false;
202
        }
203
        return this.contains.call(this, name);
204
    };
205
​
206
    var get = SystemProperties.get.overload('java.lang.String');
207
​
208
    get.implementation = function(name) {
209
        if (RootPropertiesKeys.indexOf(name) != -1) {
210
            send("Bypass " + name);
211
            return RootProperties[name];
212
        }
213
        return this.get.call(this, name);
214
    };
215
​
216
    Interceptor.attach(Module.findExportByName("libc.so", "fopen"), {
217
        onEnter: function(args) {
218
            var path = Memory.readCString(args[0]);
219
            path = path.split("/");
220
            var executable = path[path.length - 1];
221
            var shouldFakeReturn = (RootBinaries.indexOf(executable) > -1)
222
            if (shouldFakeReturn) {
223
                Memory.writeUtf8String(args[0], "/notexists");
224
                send("Bypass native fopen");
225
            }
226
        },
227
        onLeave: function(retval) {
228
​
229
        }
230
    });
231
​
232
    Interceptor.attach(Module.findExportByName("libc.so", "system"), {
233
        onEnter: function(args) {
234
            var cmd = Memory.readCString(args[0]);
235
            send("SYSTEM CMD: " + cmd);
236
            if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id") {
237
                send("Bypass native system: " + cmd);
238
                Memory.writeUtf8String(args[0], "grep");
239
            }
240
            if (cmd == "su") {
241
                send("Bypass native system: " + cmd);
242
                Memory.writeUtf8String(args[0], "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled");
243
            }
244
        },
245
        onLeave: function(retval) {
246
​
247
        }
248
    });
249
​
250
    /*
251
​
252
    TO IMPLEMENT:
253
​
254
    Exec Family
255
​
256
    int execl(const char *path, const char *arg0, ..., const char *argn, (char *)0);
257
    int execle(const char *path, const char *arg0, ..., const char *argn, (char *)0, char *const envp[]);
258
    int execlp(const char *file, const char *arg0, ..., const char *argn, (char *)0);
259
    int execlpe(const char *file, const char *arg0, ..., const char *argn, (char *)0, char *const envp[]);
260
    int execv(const char *path, char *const argv[]);
261
    int execve(const char *path, char *const argv[], char *const envp[]);
262
    int execvp(const char *file, char *const argv[]);
263
    int execvpe(const char *file, char *const argv[], char *const envp[]);
264
​
265
    */
266
​
267
​
268
    BufferedReader.readLine.implementation = function() {
269
        var text = this.readLine.call(this);
270
        if (text === null) {
271
            // just pass , i know it's ugly as hell but test != null won't work :(
272
        } else {
273
            var shouldFakeRead = (text.indexOf("ro.build.tags=test-keys") > -1);
274
            if (shouldFakeRead) {
275
                send("Bypass build.prop file read");
276
                text = text.replace("ro.build.tags=test-keys", "ro.build.tags=release-keys");
277
            }
278
        }
279
        return text;
280
    };
281
​
282
    var executeCommand = ProcessBuilder.command.overload('java.util.List');
283
​
284
    ProcessBuilder.start.implementation = function() {
285
        var cmd = this.command.call(this);
286
        var shouldModifyCommand = false;
287
        for (var i = 0; i < cmd.size(); i = i + 1) {
288
            var tmp_cmd = cmd.get(i).toString();
289
            if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd.indexOf("mount") != -1 || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd.indexOf("id") != -1) {
290
                shouldModifyCommand = true;
291
            }
292
        }
293
        if (shouldModifyCommand) {
294
            send("Bypass ProcessBuilder " + cmd);
295
            this.command.call(this, ["grep"]);
296
            return this.start.call(this);
297
        }
298
        if (cmd.indexOf("su") != -1) {
299
            send("Bypass ProcessBuilder " + cmd);
300
            this.command.call(this, ["justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"]);
301
            return this.start.call(this);
302
        }
303
​
304
        return this.start.call(this);
305
    };
306
​
307
    if (useProcessManager) {
308
        var ProcManExec = ProcessManager.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;', 'java.io.File', 'boolean');
309
        var ProcManExecVariant = ProcessManager.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;', 'java.lang.String', 'java.io.FileDescriptor', 'java.io.FileDescriptor', 'java.io.FileDescriptor', 'boolean');
310
​
311
        ProcManExec.implementation = function(cmd, env, workdir, redirectstderr) {
312
            var fake_cmd = cmd;
313
            for (var i = 0; i < cmd.length; i = i + 1) {
314
                var tmp_cmd = cmd[i];
315
                if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id") {
316
                    var fake_cmd = ["grep"];
317
                    send("Bypass " + cmdarr + " command");
318
                }
319
​
320
                if (tmp_cmd == "su") {
321
                    var fake_cmd = ["justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"];
322
                    send("Bypass " + cmdarr + " command");
323
                }
324
            }
325
            return ProcManExec.call(this, fake_cmd, env, workdir, redirectstderr);
326
        };
327
​
328
        ProcManExecVariant.implementation = function(cmd, env, directory, stdin, stdout, stderr, redirect) {
329
            var fake_cmd = cmd;
330
            for (var i = 0; i < cmd.length; i = i + 1) {
331
                var tmp_cmd = cmd[i];
332
                if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id") {
333
                    var fake_cmd = ["grep"];
334
                    send("Bypass " + cmdarr + " command");
335
                }
336
​
337
                if (tmp_cmd == "su") {
338
                    var fake_cmd = ["justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"];
339
                    send("Bypass " + cmdarr + " command");
340
                }
341
            }
342
            return ProcManExecVariant.call(this, fake_cmd, env, directory, stdin, stdout, stderr, redirect);
343
        };
344
    }
345
​
346
    if (useKeyInfo) {
347
        KeyInfo.isInsideSecureHardware.implementation = function() {
348
            send("Bypass isInsideSecureHardware");
349
            return true;
350
        }
351
    }
352
​
353
});
Copied!
Next, after installing the target apk on your mobile device, you need to start frida server and execute the script from your attacker machine.
1
.\adb.exe connect localhost:21503
2
.\adb.exe shell '/data/local/temp/frida-server-14.2.18-android-x86 &'
3
​
4
frida-ps.exe -U (to obtain the app)
5
frida.exe -U -f 'com.xxx.xxx.xxx' -l .\frida.js --no-pause
Copied!
For more details about frida, you can check the next section.
Android Dynamic Analysis
Red Teaming and Malware Analysis
3. Dynamic analysis and frida script (manual)
Many times, when the root protection is made manually, it's difficult to bypass the protection. In that scenarios, you need:
Analyse the APK java code to understand how and where the root validation is performed
Create a frida specially crafted script to bypass it
Souce-code analysis
To start, we can use an online decompiler like this:
Java decompiler online / APK decompiler - Decompiler.com
or just doing it by using the tool dex2jar:
GitHub - pxb1988/dex2jar: Tools to work with android .dex and java .class files
GitHub
My favorite approach is: jadx Java decompiler:
GitHub - skylot/jadx: Dex to Java decompiler
GitHub
There is also a prepared VM you can find with all the tools installed called Mobexler: 
Mobexler - Mobile Application Penetration Testing Platform
BONUS: A lot of times I use Bytecode Viewer - a lightweight user friendly Java Bytecode Viewer. This tool allow you compare the decompiled Java code using different tools, and choosing the best one for you.
After that, using the ByteCode Viewer or JADX, you can export your project (source files) and use Visual Studio Code in order to analyze the code and taking advantage of cross-references, and all the available plugins to better understand the Android code. For instance, you can also install a Java Decompiler plugin.
​
Finding the root validation
By using the "Search" feature, we try to get some information about where the root function is called. 
and ... we got it! 😇
 
We can see that an object (r0) is returned if the "Device is rooted", and r0 is returned with "none" when the device is not rooted. Next, we are presenting the general block of code we analyzed.
1
 package d.a.a.a.c.g;
2
 
3
 (...)
4
 public enum g {
5
 (...)
6
   
7
     public static final class e extends g {
8
        public e(String str, int i) {
9
            super(str, i, (q.v.c.f) null);
10
        }         
11
        
12
                        
13
      public java.lang.Object doProcedure(android.content.Context r17, q.s.d<? super d.a.a.a.c.g.a> r18) {                                                  
14
              (...)   
15
                
16
              d.a.a.a.c.g.a$a r0 = d.a.a.a.c.g.a.g
17
                java.lang.String r2 = "Device rooted"
18
                d.a.a.a.c.g.a r0 = r0.a(r1, r2)
19
                return r0
20
            L_0x01ee:
21
                d.a.a.a.c.g.a$a r0 = d.a.a.a.c.g.a.g
22
                java.lang.String r2 = "none"
23
                d.a.a.a.c.g.a r0 = r0.a(r1, r2)
24
                return r0
25
           
26
               (...)
27
      } 
28
  }     
Copied!
​
To bypass this protection, we need to:
Create the target path: Package of the class + Add the "public enum g" + Add the target class (d.a.a.a.c.g.g$e)
Implement the code on the target method (doProcedure)
Create an object from "d.a.a.a.c.g.a"  to return something using its constructor
We can see the constructor can be "empty" or we can passing it 5 args. Analysing the code we can understand that. For instance:
1
 return new d.a.a.a.c.g.a(r6, r7, r8, (android.content.DialogInterface.OnClickListener) null, 8);
Copied!
​
Frida script (hook)
Now, it's time to write our frida script:
1
console.log("Starting hook ...");
2
Java.perform(function() {
3
	//package d.a.a.a.c.g;
4
	//d.a.a.a.c.g.g$e
5
	var my = Java.use("d.a.a.a.c.g.g$e");
6
	my.doProcedure.implementation = function (func1, func2, func3) {
7
		 console.log('..doing some stuff..');
8
		 //var x = Java.use("d.a.a.a.c.g.a").$new(); 
9
		 var x = Java.use("d.a.a.a.c.g.a").$new("none", "none", null, null, 8);
10
		 return x;
11
	}
12
});
Copied!
another approach overloading the method:
1
Java.perform(function () {
2
​
3
	var hookclass = Java.use("d.a.a.a.c.g.g$e");
4
​
5
	hookclass.doProcedure.overload("android.content.Context", "q.s.d").implementation = function(ctx, rsd) {
6
		var p = Java.use("d.a.a.a.c.g.a").$new("none", "none", null, null, 8);
7
		var ret = p;
8
		console.log(ret);
9
		return ret;
10
	}
11
	console.log("hook created!");
12
});
Copied!
To execute it:
1
.\adb.exe connect localhost:21503
2
.\adb.exe shell '/data/local/temp/frida-server-14.2.18-android-x86 &'
3
​
4
frida.exe -U -f 'com.xxx.xxx.xxxx' -l .\frida.js --no-pause
Copied!
and, we got it! We bypassed root validations!😎
 
BONUS - PATCH the APK
Instead using frida, we can patch directly the APK using this approach:
Backdooring/patch APKs
Red Teaming and Malware Analysis
So, we just need, in this case, changing the content of the r2 (v2 smali) variable.
Before
After
After that, we need to follow the steps to build the APK, sign it and align it. 😎
 
​