Two years ago Ross Marks created the FridaLab challenge as a playground to test and learn how to use the Frida dynamic instrumentation toolkit.
At that time, I solved FridaLab and wrote a writeup about it explaining the main APIs and usages of Frida for Android. This helped others to start getting familiar with it and as a reference when developing Frida scripts.
After trying Qiling for some time I decided to follow Ross Marks’ steps and to develop a basic playground challenge to make use of the main Qiling features and I obviously called it QilingLab.
QilingLab is made of a GNU/Linux ELF binary compiled for either x86_64 and aarch64 (challenges are the same besides the 11th which is architecture dependent).
The binary is not stripped, not obfuscated, and compiled with
QilingLab has been developed with the aim of learning how to use Qiling by showing some use-cases.
That said all the challenges could be easily solved by just overwriting the checker but you know that’s cheating 👼🏾
The intended way of solving them is to enter / call the code which is responsible for setting the value which will pass the check!
Challenge 1: Store 1337 at pointer 0x1337.
Challenge 2: Make the
uname syscall return the correct values.
Challenge 3: Make
Challenge 4: Enter inside the “forbidden” loop.
Challenge 5: Guess every call to
Challenge 6: Avoid the infinite loop.
Challenge 7: Don’t waste time waiting for
Challenge 8: Unpack the struct and write at the target address.
Challenge 9: Fix some string operation to make the iMpOsSiBlE come true.
Challenge 10: Fake the
cmdline line file to return the right content.
Challenge 11: Bypass CPUID/MIDR_EL1 checks.
Download the QilingLab challenge here:
x86_64 - aarch64
sha256sum qilinglab-* a583c09cff06471fb38b93218d9cc7147279da1965491cdcf5b2d6e2c7b096d7 qilinglab-aarch64 711fd4517b8ae5d96bf8b3da144f74940b4f4f39b2d80e8884fbbf080bad8d89 qilinglab-x86_64
If you solve the challenges drop your writeup on Twitter and tag @ShielderSec and @qiling_io, we’d ❤ to see how you did it!