Posts for: #Red Team

Solving uncrackable1

bypass root

In the root bypass segment, we can see from the decompiled code that the check takes place here:

if (c.a() || c.b() || c.c())
  a("Root detected!");
if (b.a(getApplicationContext()))
  a("App is debuggable!");
super.onCreate(paramBundle);

Digging down a bit more, we can locate the function declarations under sg.vantagepoint.a.c. We will override all of these functions so that they always return false; the application will then believe that no su command exists on the system, implying that the system is not rooted.

Read more

Basic Frida commands

init

Frida is a reverse engineering framework which can be used to

installed apps

The command below lists the applications present on the virtual mobile device.

$ frida-ps -Uai
 PID  Name           Identifier                
----  -------------  --------------------------
3054  Calendar       com.android.calendar      
2463  Clock          com.android.deskclock     
3141  Email          com.android.email         
3175  Gallery        com.android.gallery3d     
3554  Hello App      com.example.helloapp      
3198  Messaging      com.android.messaging     
2547  Phone          com.android.dialer        
2299  Settings       com.android.settings      
3372  WebView Shell  org.chromium.webview_shell
   -  Calculator     com.android.calculator2   
   -  Camera         com.android.camera2       
   -  Contacts       com.android.contacts      
   -  Files          com.android.documentsui   
   -  Music          com.android.music         
   -  Search         com.android.quicksearchbox

run script

The command below runs the script against the application.

Read more

Windows privilege escalation

init

Once we have a reverse shell, from that shell we need to create a user so that we can access the domain as a domain admin. However, sometimes you might only have the hash of that user and be unable to log in locally.

In such a situation, it can be beneficial to create an AD domain user and work with it.

To create the user:

PS C:\users\robb.stark\Desktop> New-ADUser adm1n
New-ADUser adm1n

To check that the user has been created successfully:

Read more