At that time, I solved FridaLab and wrote a writeup about it explaining the main APIs and usages of Frida for Android. This helped others to start getting familiar with it and as a reference when developing Frida scripts.
After trying Qiling for some time I decided to follow Ross Marks’ steps and to develop a basic playground challenge to make use of the main Qiling features and I obviously called it QilingLab.
QilingLab is made of a GNU/Linux ELF binary compiled for either x86_64 and aarch64 (challenges are the same besides the 11th which is architecture dependent).
The binary is not stripped, not obfuscated, and compiled with
QilingLab has been developed with the aim of learning how to use Qiling by showing some use-cases.
That said all the challenges could be easily solved by just overwriting the checker but you know that’s cheating 👼🏾
The intended way of solving them is to enter / call the code which is responsible for setting the value which will pass the check!
Challenge 1: Store 1337 at pointer 0x1337.
Challenge 2: Make the
uname syscall return the correct values.
Challenge 3: Make
Challenge 4: Enter inside the “forbidden” loop.
Challenge 5: Guess every call to
Challenge 6: Avoid the infinite loop.
Challenge 7: Don’t waste time waiting for
Challenge 8: Unpack the struct and write at the target address.
Challenge 9: Fix some string operation to make the iMpOsSiBlE come true.
Challenge 10: Fake the
cmdline line file to return the right content.
Challenge 11: Bypass CPUID/MIDR_EL1 checks.