This lib is located in /system/lib/libdoor.so or /system/lib64/libdoor.so. You can find the sample here: https://www.virustotal.com/#/file/3e6df251ad4fe115563b51b302fec2d7836e14dd28ae06e8b41c1939d4bca33d
These are the interesting strings of the lib. After a first read we can see that libcrypto is used and the key and the password are backed up in /data/backup/fpwd and /data/backup/fkey. pic.twitter.com/Y0JbAk3Fp7
This is the code responsible for the password verification. First it checks the length, calculates the hash and compares it to the correct one. pic.twitter.com/efldDJO0Qu
Unfortunately, I didn't find the password, so if some of you are skilled in reversing native libs, your help is very welcome!
If the verification is passed, the password hash is stored in /data/backup/fpwd. pic.twitter.com/lkcWlr7Wfb
And the key is made from different build properties like ro.build.type, ro.build.user, ... and stored in /data/backup/fkey. pic.twitter.com/NMto5BY7zp
Using @fridadotre and the script attached, I managed to bypass the escalate and isEscalated methods and become root. pic.twitter.com/oXGGEIqFad
But you would need root to use Frida-server or repackage the app. How does this work without doing one of those, which defeats the purpose of the vulnerable intent?
Replying to @insitusec @fs0c131y
Won’t repackaging the app invalidate the signature? Also you said you don’t know the password. Def agree there’s smoke, but I don’t understand the approach using Frida yet.
Replying to @insitusec @oneplus
Using Frida is a dead end and not the correct approach. I just gave what I did during my investigation.
And yes, you cannot repackage the app as it is a system app. This is why it's complicated to do native dynamic analysis.