WEBVTT

00:00.840 --> 00:07.470
All right, so now in this lecture, I want to show you the root detection bypass vulnerability again

00:07.950 --> 00:10.800
for those who want to use APK Studio.

00:12.020 --> 00:18.200
So the changes in the code are the same, but with APK Studio, you're going to manually sign the

00:18.200 --> 00:21.290
APK and upload it to the device.

00:22.250 --> 00:28.070
Now, if you don't want to use APK Studio and you've already practiced this vulnerability with the APKLab extension,

00:28.430 --> 00:30.080
just go ahead and skip this lecture.

00:31.950 --> 00:34.320
For those of you here, let's get started.

00:35.350 --> 00:41.620
I'm sure you remember we successfully installed APK Studio just by adding the necessary binaries.

00:42.040 --> 00:49.580
Now, if you see the version number of each tool, it means that you have also installed them successfully.

00:49.840 --> 00:54.970
Otherwise, please just go back and check the installation of APK Studio.

00:56.500 --> 01:00.310
Now, under the File tab, add the APK file.

01:03.850 --> 01:04.930
OK, open.

01:06.660 --> 01:10.740
And select the Decompile Java option and click on Decompile.

01:12.140 --> 01:13.610
And you might have to wait for a bit.

01:17.620 --> 01:19.150
Display project folders.

01:20.990 --> 01:25.280
So let's first have a look at the Java source code to understand exactly what the method does.

01:29.470 --> 01:37.300
So there's a method called check root status that returns a message based on whether the device is rooted

01:37.300 --> 01:37.570
or not.

01:38.110 --> 01:46.330
So looking into this method, two methods, called does superuser APK exist and does su exist,

01:47.020 --> 01:49.960
are used to determine if the device has been rooted.

01:51.560 --> 02:00.590
Now, in order to bypass root detection, we can force a jump to always land at device not rooted just by

02:00.590 --> 02:02.120
changing the conditional loop.

02:03.770 --> 02:06.800
So let's open the assembly code and make the changes.

02:09.430 --> 02:13.360
Press Ctrl+F and search for cond_2.

02:18.290 --> 02:22.710
And down here on line 450, there is a conditional.

02:23.710 --> 02:29.830
And it means that, if not equal, jump to the "device not rooted" tag.

02:30.970 --> 02:38.830
So mapping this to the previously decompiled Java files, this is a loop where if two methods are true,

02:39.040 --> 02:44.500
then jump to "rooted device", or else jump to "device not rooted".

02:46.050 --> 02:52.410
So to force a jump to always land at device not rooted, we can change the conditional loop into a

02:52.410 --> 02:53.010
goto.

02:54.730 --> 02:57.340
But first, we need to disable this line.

02:59.180 --> 03:05.600
So to make this line a comment, just add a sharp (#) character, and add a goto to jump to cond_2

03:05.600 --> 03:06.290
directly.

03:07.690 --> 03:10.540
And remember to add a space after goto.

03:12.490 --> 03:14.110
And now you can save the changes.

03:16.190 --> 03:20.270
So this means that we're ready to rebuild and re-sign the APK file.

03:22.870 --> 03:26.260
So under the Project tab, click on Build.

03:27.700 --> 03:29.320
And wait for a bit.

03:31.770 --> 03:35.890
So the new APK file happens to be under the dist folder.

03:36.450 --> 03:43.250
Now, unlike in APKLab, we'll do the signing and installing on the device manually this time.

03:43.770 --> 03:47.880
So on the Project tab, click on Sign and Export.

03:49.320 --> 03:54.060
To sign the APK file, we need to have a key created with keytool.

03:55.270 --> 03:57.220
So open a terminal screen.

03:59.870 --> 04:03.740
Now, I want to save my key to the desktop, so I'll go to the desktop.

04:04.590 --> 04:05.040
Run

04:06.250 --> 04:11.500
keytool -v -genkey -keystore.

04:13.060 --> 04:17.200
And here I can give a name for the new keystore.

04:20.270 --> 04:21.560
And an alias.

04:22.820 --> 04:25.820
Define RSA as the key algorithm.

04:26.760 --> 04:28.230
Define the key size.

04:31.280 --> 04:37.880
And finally, add a validity option, and it's just an expiration date, so you can give a really big

04:37.880 --> 04:38.530
number if you want.

04:40.170 --> 04:42.390
Now create a password for the keystore.

04:43.880 --> 04:47.240
And we can skip these questions.

04:48.710 --> 04:53.030
All right, yeah, so it's created a keystore on the desktop.

04:55.210 --> 05:01.210
Now we're ready to sign the APK with this key, so go under the Project tab.

05:02.080 --> 05:04.030
Click on Sign and Export.

05:05.020 --> 05:10.150
Select the keystore, enter the password that you just created when generating the key.

05:11.860 --> 05:16.120
Enter the alias and the same password for the alias password.

05:17.250 --> 05:18.300
Click on Sign.

05:19.690 --> 05:23.770
All right, so there's only one step left: open the terminal screen.

05:25.740 --> 05:28.740
Go to the dist folder where the signed APK is.

05:37.150 --> 05:38.920
And we'll check the connectivity.

05:41.480 --> 05:44.300
All right, so we can install the APK to the device.

05:45.960 --> 05:50.130
Now, before installing the new one, don't forget to uninstall the old.

05:53.290 --> 05:57.700
Now, run adb install and give the new APK file.

05:58.900 --> 06:00.490
Click on install anyway.

06:01.790 --> 06:03.470
And don't send.

06:05.320 --> 06:06.610
And continue.

06:07.390 --> 06:08.010
OK.

06:10.530 --> 06:15.870
So first, make sure you have configured the server IP.

06:20.360 --> 06:23.150
And let's go ahead and log into the app to see the changes.

06:25.730 --> 06:31.300
And there it is, you can see "device not rooted" is the message on the screen. What does that mean?

06:32.030 --> 06:37.480
We have bypassed the root detection mechanism quite successfully, if I do say so myself.

06:38.060 --> 06:38.870
Very good job.
