RootSlip
Easy | Mobile Security
Overview
Your device says it's rooted—but is that the whole truth? Dive into this Android app where native code plays gatekeeper. Your task is to challenge what it means to be "rooted" by manipulating a native check. Pay close attention to how native libraries are loaded and used—your way in lies beneath the Java layer.
flag format:
flag{*****_****_****_******}
Lab Details
Prerequisites & Requirements
- JNI (Java Native Interface):
  - Understanding how Android apps load shared libraries (.so files) using System.loadLibrary.
  - Familiarity with the JNI naming convention (e.g., Java_package_name_ClassName_functionName) to map Java methods to their C/C++ counterparts.
- Native Library Analysis:
  - Basic ability to read ARM/x86 assembly or decompiled C code to understand what a native function returns (e.g., 0 vs 1).
- Frida Interceptor API:
  - Proficiency in using Module.findExportByName to locate functions in memory.
  - Understanding how to use Interceptor.attach to modify arguments (onEnter) and return values (onLeave).
- Asynchronous Loading Logic:
  - Understanding that native libraries are not always loaded immediately at app startup, requiring scripts to wait or poll for the module before attempting to hook.
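The JNI naming convention above is mechanical, and it is worth being able to compute it rather than guess it, both when reading an export table in IDA/Ghidra and when deciding which exports of a library are Java bridges at all. The block below is an added example, not code from the RootSlip lab: it mangles package, class and method names the way the JNI specification does (including the escapes for "_", ";", "[" and non-ASCII characters, and the "__signature" suffix used for overloaded natives), and filters a constructed export list down to the bridges for one class. The package and class names match the lab's MainActivity; the other export names are made up for illustration.

```javascript
// Added example (not part of the RootSlip lab materials): derive the exported
// symbol name a JNI native method must have, following the JNI naming rules,
// and use it to pick the JNI bridge functions out of a library's export table.
// The export list below is constructed for illustration.

// Escape one Java identifier or descriptor the way the JNI spec mangles it:
//   "." and "/"  -> "_"   (package and class separators)
//   "_"          -> "_1"
//   ";"          -> "_2"
//   "["          -> "_3"
//   anything else that is not ASCII alphanumeric -> "_0" + 4 lowercase hex digits
// JNI escapes per UTF-16 code unit, so the loop indexes by code unit.
function mangleJni(text) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (ch === "." || ch === "/") out += "_";
    else if (ch === "_") out += "_1";
    else if (ch === ";") out += "_2";
    else if (ch === "[") out += "_3";
    else if (/^[A-Za-z0-9]$/.test(ch)) out += ch;
    else out += "_0" + ch.charCodeAt(0).toString(16).padStart(4, "0");
  }
  return out;
}

// Export name for a `native` method declared in packageName.className.
// `signature` is the JNI argument descriptor (e.g. "Ljava/lang/String;I") and
// is only appended when the native method is overloaded.
function jniExportName(packageName, className, methodName, signature) {
  let name = "Java_" + mangleJni(packageName + "." + className) + "_" + mangleJni(methodName);
  if (signature !== undefined) name += "__" + mangleJni(signature);
  return name;
}

// Given export names (what IDA/Ghidra or Frida's Module.enumerateExports
// would list), keep only the JNI bridges belonging to the given class.
// Overloaded exports carry a "__..." suffix and still match the prefix.
function jniExportsForClass(exportNames, packageName, className) {
  const prefix = "Java_" + mangleJni(packageName + "." + className) + "_";
  return exportNames.filter((name) => name.startsWith(prefix));
}

// Constructed export table for a hypothetical libchecker.so (not real data).
const SAMPLE_EXPORTS = [
  "JNI_OnLoad",
  "Java_com_titoot_rootslip_MainActivity_isDeviceRooted",
  "Java_com_titoot_rootslip_MainActivity_stringFromJNI",
  "check_su_paths",
  "Java_com_example_other_Helper_run",
];

// Usage: the lab's isDeviceRooted() native maps to exactly this export name.
const expectedExport = jniExportName("com.titoot.rootslip", "MainActivity", "isDeviceRooted");
console.log(expectedExport); // Java_com_titoot_rootslip_MainActivity_isDeviceRooted
console.log(jniExportsForClass(SAMPLE_EXPORTS, "com.titoot.rootslip", "MainActivity"));
```

Two details trip people up when doing this by hand: an underscore inside a Java name becomes "_1", so "Check_Utils" mangles to "Check_1Utils", and a plain "_" in the export is always a package or class separator; and the "__" suffix form only exists when the Java class declares more than one native method with the same name, so a library that exports only the short form is not a sign of a missing function.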
What will you learn?
- Native Function Hooking:
  - Moving beyond Java hooking (Java.use) to hook lower-level native exports inside .so files.
  - Targeting specific JNI functions (like Java_com_titoot_rootslip_MainActivity_isDeviceRooted) that act as bridges between the Java VM and native code.
- Return Value Tampering:
  - Learning how to overwrite the execution result of a function in real time.
  - Using retval.replace(0) to force the application to believe the device is clean (returning false), regardless of the actual system state.
- Handling Dynamic Library Loading:
  - Implementing polling mechanisms (using setInterval or Process.findModuleByName) to ensure your Frida script waits for the target library (libchecker.so) to be loaded into memory before attempting to attach hooks, preventing script crashes or "function not found" errors.
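The "wait for the library" step is where most first attempts at this lab fail: the script runs before System.loadLibrary has executed, the module lookup returns null, and the hook is never installed. The block below is an added example, not the lab's script: it separates the polling decision (a small state machine with the module lookup injected) from the timer that drives it, so the logic can be exercised outside Frida with a constructed module table. Inside Frida, findModule would be Process.findModuleByName and onFound is where the Module.findExportByName / Interceptor.attach step described above belongs; the fake module table, its base address and path are invented for the demonstration.

```javascript
// Added example (not part of the RootSlip lab materials): wait for a native
// library to appear before hooking it. The lookup function is injected so the
// logic runs under plain Node here; in Frida it is Process.findModuleByName.

// One poller per library. poll() is called once per tick and reports
// "found" (with the module), "waiting", or "timeout" once maxAttempts is hit.
function createModulePoller(libraryName, findModule, { maxAttempts = 50 } = {}) {
  let attempts = 0;
  return {
    poll() {
      attempts += 1;
      const module = findModule(libraryName); // null until the app loads the library
      if (module) return { status: "found", module, attempts };
      if (attempts >= maxAttempts) return { status: "timeout", attempts };
      return { status: "waiting", attempts };
    },
  };
}

// Drive a poller with a timer. setInterval/clearInterval exist in both Node
// and Frida's JavaScript runtime; they are injectable so tests can fake them.
// onFound receives the module exactly once; onTimeout receives the attempt count.
function runModulePoller(poller, { onFound, onTimeout, intervalMs = 100, timers = { setInterval, clearInterval } }) {
  const timer = timers.setInterval(() => {
    const result = poller.poll();
    if (result.status === "waiting") return;
    timers.clearInterval(timer); // stop polling on both outcomes
    if (result.status === "found") onFound(result.module);
    else onTimeout(result.attempts);
  }, intervalMs);
  return timer;
}

// Constructed stand-in for Process.findModuleByName: the library "appears"
// after `loadedAfter` lookups, mimicking a System.loadLibrary call that runs
// some time after the instrumentation script is injected.
function fakeModuleTable(libraryName, loadedAfter) {
  let lookups = 0;
  return (name) => {
    lookups += 1;
    if (name === libraryName && lookups > loadedAfter) {
      // Constructed module object; base and path are placeholders.
      return { name, base: "0x7f0000000000", path: "/data/app/PLACEHOLDER/lib/arm64/" + name };
    }
    return null;
  };
}

// Synchronous driver for demonstration: runs a poller to completion without
// real timers. Terminates because maxAttempts bounds the loop.
function pollToCompletion(poller) {
  for (;;) {
    const result = poller.poll();
    if (result.status !== "waiting") return result;
  }
}

// Usage: the library becomes visible on the 4th lookup, so the poller reports
// "found" with attempts === 4 rather than failing on the first null lookup.
const demo = pollToCompletion(createModulePoller("libchecker.so", fakeModuleTable("libchecker.so", 3)));
console.log(demo.status, demo.attempts, demo.module && demo.module.name);
```

The design point is the bounded retry: a fixed sleep before hooking either wastes time or fires too early, while an unbounded poll hides a misspelled library name forever. Giving the poller a maxAttempts and an onTimeout path turns "function not found" into an explicit, explainable failure.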
Tools
- JADX:
  - Used for Java Static Analysis. It identifies the entry point (MainActivity), reveals the loading of native-lib and checker, and shows the JNI method declaration isDeviceRooted().
- IDA Pro / Ghidra:
  - Used for Native Static Analysis. These tools disassemble the libchecker.so file, allowing you to confirm the exact exported function name and understand its logic (returning 1 if rooted).
- Frida:
  - Used for Dynamic Instrumentation.
  - It executes the JavaScript payload that locates the native module base address, hooks the specific export, and patches the return value at runtime to bypass the security check.
Job Positions
Mobile Security Engineer
Tags
IDA Pro, Static Analysis, Dynamic Analysis, Decompiler, Process Injection, Hooking, API Calls, Function Probes, Code Flow