# Backdrops App - Crash Analysis & Solutions

## Problem Identified

The Backdrops app is **crashing immediately on launch** due to a native library crash in `libpairipcore.so`. The faulting frame is inside the app's own library, so this is NOT a Frida issue.

### Crash Details from logcat:
```
F DEBUG   : pid: 14813, tid: 14813, name: rops.wallpapers  >>> com.backdrops.wallpapers <<<
F DEBUG   : #00 pc 0000000000035d3e .../libpairipcore.so
```

This crash indicates:
1. **Native anti-tamper protection** in `libpairipcore.so`
2. The library detects something (root, frida-server, emulator, etc.) and crashes
3. This happens BEFORE any Java code runs, so Frida scripts can't help
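
The triage above can be repeated on any captured log. The following is an added example, not part of the original notes: it parses the `F DEBUG` crash-dump lines and reports the process, the faulting thread, and the library and offset of the top frame. The sample input is constructed from the two lines quoted above, and the function names are hypothetical.

```python
import re
from pathlib import PurePosixPath

# Constructed input: the two DEBUG lines quoted above plus one unrelated line.
SAMPLE_LOGCAT = """\
I ActivityManager: unrelated line (constructed)
F DEBUG   : pid: 14813, tid: 14813, name: rops.wallpapers  >>> com.backdrops.wallpapers <<<
F DEBUG   : #00 pc 0000000000035d3e .../libpairipcore.so
"""

DEBUG_LINE = re.compile(r"\bF DEBUG\s*:\s*(.*)$")
HEADER = re.compile(r"pid: (\d+), tid: (\d+), name: (.+?)\s+>>> (.+?) <<<")
FRAME = re.compile(r"#(\d+) pc ([0-9a-fA-F]+)\s+(\S+)")


def parse_crashes(text):
    """Group crash-dump lines into one record per crash header."""
    crashes = []
    for line in text.splitlines():
        m = DEBUG_LINE.search(line)
        if not m:
            continue  # not crash-dump output
        body = m.group(1)
        if (h := HEADER.search(body)):
            crashes.append({"pid": int(h[1]), "tid": int(h[2]),
                            "thread": h[3], "process": h[4], "frames": []})
        elif (f := FRAME.match(body)) and crashes:
            crashes[-1]["frames"].append(
                {"index": int(f[1]), "offset": int(f[2], 16), "path": f[3]})
    return crashes


def triage(crash):
    """Summarise where the crash happened, using only what the log states."""
    top = min(crash["frames"], key=lambda fr: fr["index"], default=None)
    return {
        "process": crash["process"],
        # pid == tid means the faulting thread is the process's main thread.
        "main_thread": crash["pid"] == crash["tid"],
        # Thread names are capped at 15 characters, so only the tail survives.
        "thread_is_name_tail": crash["process"].endswith(crash["thread"]),
        "library": PurePosixPath(top["path"]).name if top else None,
        "offset": hex(top["offset"]) if top else None,
    }


if __name__ == "__main__":
    for crash in parse_crashes(SAMPLE_LOGCAT):
        print(triage(crash))
```

The `thread_is_name_tail` field explains why the log shows `rops.wallpapers` as the thread name: it is the last 15 characters of `com.backdrops.wallpapers`.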

---

## Solutions

### Solution 1: Fix the App (Recommended for CTF)

The app needs to be patched to disable the protection. Try these approaches:

#### A. Use an older version of the app
The .apkm file might be an older version without protections:
```powershell
# Check if there's a different APK version
ls *.apk*
```

#### B. Patch the native library
1. Extract `libpairipcore.so` from the split APK
2. Use Ghidra/IDA to find the anti-debug checks
3. Patch them out (NOP the protection)
4. Repack and resign the APK

#### C. Use a different device/emulator
The protection might be checking for:
- Root detection
- Frida detection  
- Emulator detection
- Debugger detection

Try running on:
- Non-rooted device
- Different Android version
- Physical device instead of emulator

### Solution 2: Hook Earlier (Advanced)

Use Frida Gadget to inject BEFORE the app starts:

```powershell
# Extract base.apk
7z x base.apk -obase_extracted

# Add frida-gadget.so to lib folders
# Modify AndroidManifest.xml to load gadget
# Repack and resign

# Then use frida without server
frida -H 127.0.0.1:27042 -l frida_backdrops_bypass.js
```

### Solution 3: Database-Only Approach (Works if app runs normally on device)

If the app works when launched normally (without Frida), use direct database manipulation:

```powershell
# Run without Frida attached
adb shell "am start -n com.backdrops.wallpapers/.activities.MainActivity"

# Wait for it to initialize
Start-Sleep -Seconds 5

# Then inject directly into database
python database_injector.py
```

### Solution 4: Try Different Frida Approach

```powershell
# Instead of spawn, try:
# 1. Launch app normally WITHOUT frida
adb shell "am start -n com.backdrops.wallpapers/.activities.MainActivity"

# 2. Wait for it to fully start
Start-Sleep -Seconds 5

# 3. Get PID ($PID is a read-only automatic variable in PowerShell, so use another name)
$appPid = (adb shell "pidof com.backdrops.wallpapers" | Select-Object -First 1)

# 4. Attach AFTER it's running
frida -U -p $appPid -l frida_backdrops_bypass.js
```

---

## Debugging Steps

### 1. Check if app works WITHOUT Frida

```powershell
# Kill frida-server completely
adb shell "su -c 'killall -9 frida-server'"

# Launch app normally
adb shell "am start -n com.backdrops.wallpapers/.activities.MainActivity"

# Check if it stays running (pidof prints a PID only while the process is alive)
Start-Sleep -Seconds 5
adb shell "pidof com.backdrops.wallpapers"
```

- If it works: The app detects Frida
- If it crashes: The app has other protections (root/emulator detection)

### 2. Check for anti-root

```powershell
# Try hiding root with Magisk Hide
# Or use a non-rooted device
```

### 3. Analyze the protection

```powershell
# Pull the native library
# (the installed APK paths are listed by: adb shell pm path com.backdrops.wallpapers)
adb pull /data/app/.../split_config.x86_64.apk
7z x split_config.x86_64.apk
# Analyze lib/x86_64/libpairipcore.so with Ghidra
```

---

## Alternative: Static Analysis Only

Since dynamic analysis is blocked, use static analysis:

```powershell
# The decompiled Java code is already in backdrops_java/
# Analyze the premium checks there:

# Key files:
# - com/backdrops/wallpapers/data/DatabaseObserver.java
# - com/backdrops/wallpapers/data/local/DatabaseHandlerIAB.java

# Create a patch/mod APK that:
# 1. Modifies DatabaseObserver.isPremiumPackUnlocked() to return true
# 2. Recompiles with apktool
# 3. Signs and installs
```

---

## Quick Test: Is it Frida Detection?

```powershell
# Rename frida-server
adb shell "su -c 'mv /data/local/tmp/frida-server /data/local/tmp/debugserver'"
adb shell "su -c '/data/local/tmp/debugserver &'"

# Try again
frida -U com.backdrops.wallpapers -l frida_backdrops_bypass.js
```

---

## Recommended Next Steps for CTF

1. **Try on a clean, non-rooted device** - See if app runs
2. **Use database injection method** - If app runs normally
3. **Patch the APK** - Remove protections statically
4. **Analyze libpairipcore.so** - Find and disable the crash
5. **Check for flags in decompiled code** - Maybe the flag is in the Java source

The decompiled Java code in `backdrops_java/` might already contain the flag or clues!

---

## Search for Flags in Decompiled Code

```powershell
# Search for common flag patterns (Select-String is case-insensitive by default;
# the last alternative matches token{...} shapes instead of every line with braces)
Get-ChildItem -Path backdrops_java -Recurse -Filter *.java | Select-String -Pattern "flag|ctf|\w+\{[^}]+\}"

# Search for premium SKU values
Get-ChildItem -Path backdrops_java -Recurse -Filter *.java | Select-String -Pattern "premium\.|pack\."

# Check for hardcoded secrets
Get-ChildItem -Path backdrops_java -Recurse -Filter *.java | Select-String -Pattern "secret|token"
```

The CTF flag might not require dynamic analysis at all - it could be hidden in:
- Premium SKU strings
- Database default values
- Hardcoded premium tokens  
- Comments in the code
- Resource files
