# 🚀 Quick Start Guide - Backdrops Premium Bypass

## ⚡ TL;DR - Fastest Method

### Option 1: Runtime Bypass (RECOMMENDED - No Root Needed)
```bash
# 1. Start Frida server on device
adb shell "/data/local/tmp/frida-server &"

# 2. Run bypass script
frida -U -f com.backdrops.wallpapers -l frida_backdrops_bypass.js

# 3. Open app - all premium content unlocked! 🎉
```

### Option 2: Interactive Python Controller
```bash
python backdoors_controller.py
# Then select option 3 to inject all premium packs
```

### Option 3: Database Injection (Requires Root)
```bash
python database_injector.py
```

---

## 📋 Files Overview

| File | Purpose | Usage |
|------|---------|-------|
| `frida_backdrops_analysis.js` | Monitor premium checks without modification | Analysis only |
| `frida_backdrops_bypass.js` | **Bypass all premium checks** | **USE THIS** |
| `backdoors_controller.py` | Interactive Python menu for Frida | Easy control |
| `database_injector.py` | Direct SQLite database manipulation | Requires root |
| `README_DYNAMIC_ANALYSIS.md` | Full documentation | Reference |

---

## 🎯 Attack Summary

### The Vulnerability
```
Premium Check Flow:
DatabaseObserver.isPremiumPackUnlocked(sku)
  ↓
ThemeApp.g().existPurchase(sku)  
  ↓
SQLite Query: SELECT * FROM Premium WHERE item='<sku>'
  ↓
Returns Boolean → App shows/hides content
```

**The Flaw**: Every premium check runs on the device against the local `Premium` table. Nothing is validated server-side, so the app's own answer is final.

### The Exploit
Hook `isPremiumPackUnlocked()` to always return `TRUE` → Instant access to all premium wallpapers.

---

## 🔑 Key Java Classes

```java
// Main premium verification
com.backdrops.wallpapers.data.DatabaseObserver
  ├── isPremiumPackUnlocked(String sku) → Boolean  // MAIN TARGET
  ├── isPro() → Boolean
  ├── isPackTrinity() → Boolean
  ├── isPackAmoled() → Boolean
  └── ... other pack checks

// Purchase database  
com.backdrops.wallpapers.data.local.DatabaseHandlerIAB
  ├── getPurchased(String sku) → Boolean
  ├── existPurchase(String sku) → Single<Boolean>
  └── AddtoPurchased(ItemPurchased item)

// App singleton
com.backdrops.wallpapers.ThemeApp
  └── g() → DatabaseHandlerIAB  // Static getter
```

---

## 💾 Database Schema

```sql
-- Database: /data/data/com.backdrops.wallpapers/databases/premium

CREATE TABLE Premium (
    id INTEGER PRIMARY KEY,
    item TEXT,      -- SKU (e.g., "premium.pack.trinity")
    token TEXT      -- Purchase token from Google Play
);

-- Inject fake purchase:
INSERT INTO Premium (id, item, token) 
VALUES (1, 'premium.pack.trinity', 'fake_token_123');
```
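
The hook and the injected row both work because the app treats local state as the entitlement. As an added example (not code from the app or from this guide's tools), the Python below models the fix: a backend that records an entitlement only after a server-to-server purchase lookup and gates premium downloads on its own records. `EntitlementServer`, `STORE_RECORDS` and the `tok-*` tokens are hypothetical names and constructed data.

```python
import sqlite3

SKU = "premium.pack.trinity"
# Constructed stand-in for the billing provider's server-to-server purchase
# lookup (hypothetical data; a real backend queries the provider's API).
STORE_RECORDS = {"tok-A1": SKU, "tok-B2": "premium.pro"}

class EntitlementServer:
    """Server-side source of truth; the client's local Premium table is never trusted."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        # UNIQUE(token) stops one valid token from being replayed across accounts.
        self.db.execute("CREATE TABLE entitlement (account TEXT, item TEXT, "
                        "token TEXT UNIQUE, PRIMARY KEY (account, item))")

    def redeem(self, account, item, token):
        """Record an entitlement only if the store confirms token -> item."""
        if STORE_RECORDS.get(token) != item:
            return False  # unknown token, or token issued for another SKU
        try:
            with self.db:
                self.db.execute("INSERT INTO entitlement VALUES (?, ?, ?)",
                                (account, item, token))
        except sqlite3.IntegrityError:
            return False  # token already redeemed, or account already holds this item
        return True

    def authorize_download(self, account, item, client_says_unlocked=False):
        """Gate premium content on server records; the client's claim is ignored."""
        q = "SELECT 1 FROM entitlement WHERE account=? AND item=?"
        return self.db.execute(q, (account, item)).fetchone() is not None

    def audit_client_rows(self, account, rows):
        """Return client-reported (item, token) rows the server never recorded."""
        q = "SELECT 1 FROM entitlement WHERE account=? AND item=? AND token=?"
        return [(i, t) for i, t in rows
                if self.db.execute(q, (account, i, t)).fetchone() is None]

def demo():
    srv = EntitlementServer()
    return {
        "legit_redeem": srv.redeem("alice", SKU, "tok-A1"),
        "fake_redeem": srv.redeem("bob", SKU, "fake_token_123"),
        "replayed_redeem": srv.redeem("bob", SKU, "tok-A1"),
        "alice_download": srv.authorize_download("alice", SKU),
        "bob_download": srv.authorize_download("bob", SKU, client_says_unlocked=True),
        "bob_forged_rows": srv.audit_client_rows("bob", [(SKU, "fake_token_123")]),
    }
```

With this design a hooked `isPremiumPackUnlocked()` only changes what the UI draws; the download request is still refused, and the audit gives the backend a signal that a client's table was tampered with.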

---

## 🏴 Premium SKU List

Based on static analysis (in `j1.E` class):

| Field | Estimated SKU | Description |
|-------|---------------|-------------|
| `f21381A` | premium.pack.trinity | Trinity wallpaper pack |
| `f21382B` | premium.pack.amoled | AMOLED wallpaper pack |
| `f21383C` | premium.pro | Pro subscription |
| `f21384D` | premium.pack.acid | Acid wallpaper pack |
| `f21385E` | premium.pack.optic | Optic wallpaper pack |
| `f21386F` | premium.pack.void | Void wallpaper pack |
| `f21387G` | premium.pack.synth | Synth wallpaper pack |

*Note: Actual SKU values will be logged when app accesses them.*

---

## 🛠️ Setup Requirements

### Minimum Setup
- ✅ Android device (rooted OR non-rooted)
- ✅ Frida installed (`pip install frida-tools`)
- ✅ Frida-server running on device
- ✅ USB debugging enabled
- ✅ Backdrops APK installed

### For Database Injection (Optional)
- ✅ Root access OR `run-as` permissions
- ✅ SQLite3 on PC
- ✅ ADB access to /data/data

---

## 📱 Commands Cheat Sheet

```bash
# === Device Setup ===
# Enable USB debugging on device
# Settings → Developer Options → USB Debugging

# Push frida-server
adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"

# Start frida-server
adb shell "/data/local/tmp/frida-server &"

# Verify Frida
frida-ps -U


# === Frida Bypass ===
# Spawn app with bypass (RECOMMENDED)
frida -U -f com.backdrops.wallpapers -l frida_backdrops_bypass.js

# Attach to running app
frida -U com.backdrops.wallpapers -l frida_backdrops_bypass.js

# Analysis only (no bypass)
frida -U -f com.backdrops.wallpapers -l frida_backdrops_analysis.js


# === Python Tools ===
# Interactive controller
python backdoors_controller.py

# Database injector (requires root)
python database_injector.py


# === Manual Database Access ===
# Pull database
adb pull /data/data/com.backdrops.wallpapers/databases/premium premium.db

# Inspect database
sqlite3 premium.db
sqlite> .schema
sqlite> SELECT * FROM Premium;
sqlite> INSERT INTO Premium VALUES (1, 'premium.pack.trinity', 'fake');
sqlite> .quit

# Push back
adb push premium.db /data/data/com.backdrops.wallpapers/databases/premium


# === Debugging ===
# View app logs
adb logcat | grep -i backdrop

# Check if app is running
adb shell "ps | grep backdrop"

# Force stop app
adb shell "am force-stop com.backdrops.wallpapers"

# Launch app
adb shell "am start com.backdrops.wallpapers/.activities.MainActivity"

# List app files
adb shell "ls -la /data/data/com.backdrops.wallpapers/"
```

---

## 🐛 Troubleshooting

| Problem | Solution |
|---------|----------|
| `Failed to spawn: unable to find process` | Check package name: `adb shell pm list packages \| grep backdrop` |
| `Failed to attach: process not found` | Start app first: `adb shell am start com.backdrops.wallpapers/.activities.MainActivity` |
| `frida-server: not found` | Make sure frida-server is in `/data/local/tmp/` and executable |
| Bypass doesn't work | Restart app after loading script, or try spawn mode (`-f`) |
| `Permission denied` on database | Need root for direct DB access, use Frida runtime method instead |
| Hooks not installing | Check frida-server version matches frida-tools version |

---

## 🎓 Testing Workflow

1. **Install & Setup** (5 min)
   - Install APK on device
   - Setup Frida server
   - Verify connection

2. **Reconnaissance** (10 min)
   - Run analysis script
   - Navigate through app
   - Identify premium content
   - Note which SKUs are checked

3. **Exploitation** (2 min)
   - Run bypass script
   - Open app
   - Access premium collections
   - ✅ Success!

4. **Flag Hunting** (If CTF)
   - Check wallpaper EXIF data
   - Examine database entries
   - Monitor network traffic
   - Look for hidden strings

---

## 🔍 Finding the Flag (CTF Tips)

If this is a CTF challenge, check these locations:

```bash
# 1. EXIF data in premium wallpapers
exiftool downloaded_wallpaper.jpg | grep -i flag

# 2. Database after bypass
adb shell "sqlite3 /data/data/com.backdrops.wallpapers/databases/premium 'SELECT * FROM Premium'"

# 3. App logs when accessing specific pack
adb logcat | grep -i flag

# 4. Strings in APK
strings com.backdrops.wallpapers.apkm | grep -i flag

# 5. Shared preferences
adb shell "cat /data/data/com.backdrops.wallpapers/shared_prefs/*.xml" | grep -i flag

# 6. Watch Frida console output carefully!
# The flag might be logged when you access a specific premium pack
```

---

## 💡 Pro Tips

1. **Use Spawn Mode**: `-f` flag ensures hooks are active before app initializes
2. **Check Console Output**: SKU values are logged when app accesses them
3. **Restart After Injection**: If you used database injection, restart the app so it reloads the data
4. **Monitor Network**: Use Burp/mitmproxy to see API calls for premium content
5. **Screenshot Everything**: Document your findings for writeup

---

## 🎉 Success Indicators

You know it worked when:
- ✅ Console shows `[BYPASS] isPremiumPackUnlocked() -> TRUE`
- ✅ Premium collections open without payment prompts
- ✅ You can download premium wallpapers
- ✅ "Unlock" or "Purchase" buttons are gone
- ✅ All wallpaper packs are accessible

---

## 🏆 Challenge Complete!

Once you can access all premium wallpapers:
1. Document your methodology
2. Screenshot the bypass in action
3. Note any flags or secrets found
4. Write your CTF submission

**Congratulations! You've successfully reverse engineered the premium feature! 🎊**

---

## 📚 Learning Resources

- Frida Documentation: https://frida.re/docs/
- Android Reverse Engineering: https://maddiestone.github.io/AndroidAppRE/
- Java Hooking with Frida: https://frida.re/docs/javascript-api/#java
- Google Play Billing: https://developer.android.com/google/play/billing

---

**Remember**: This is for educational/CTF purposes only. Respect software licenses and intellectual property! 🔐
