Description
Solution
We were given an APK file.
After downloading the APK file, we can use any Android DEX decompiler to open it.
To find the entry point or main activity, we can check the AndroidManifest.xml file.
The main activity for this APK is ctf.challenges.mysimplelogin.MainActivity, as shown in the screenshot. We can examine this activity to see what it does.
Based on the decompiled code, there is a password checker present in the APK. This function appears to describe how it works.
The function takes an input value i, appends it to the string value of s, and passes the result to a function called l. It then compares the output of l to the value of h. If they are equal, it calls showError(w); if they are not equal, it calls showFlag(f). This seems somewhat illogical, so we should continue reading the code to see if we can find more context or clarification.
[+] The l function:
The l function appears to be calculating the MD5 hash of the concatenation of i and s.
It's good to know how the l function works. To find the values of s, h, and the other string variables, we can check the resources section of the decompiled code.
String s = getResources().getString(R.string.OO0O00OOO00O0O);
String h = getResources().getString(R.string.OO0O00OOO00OOO);
String f = getResources().getString(R.string.OO0O0O0OO00OOO);
String w = getResources().getString(R.string.OO0O0OOOO00OOO);
It looks like the values of s, h, and the other string variables are stored in the strings.xml file located in the res/values directory.
[+] The s value:
[+] The h value:
[+] The f value:
Used in showFlag(f);
[+] The w value:
Used in showError(w);
Based on the information we have gathered, it appears that the flag is hidden in the showError(w) function, not in the showFlag(f) function.
If we provide the correct input to the app, it looks like w will go through the x function once and the r function 7 times, nested as x(r(r(...))). To save time, I immediately copied the 3 functions into a new .java file.
Note: the original value of w contains some escaped characters, so I pasted it into an HTML entities decoder for decoding.
public class MainActivity {
    // The "error" path from the APK: strip seven junk characters, then XOR with "X".
    public static void showError(String e) {
        System.out.println(x(r(r(r(r(r(r(r(e, "r"), "s"), "t"), "u"), "v"), "w"), "x"), "X"));
    }

    // r: remove every occurrence of c from s.
    public static String r(String s, String c) {
        return s.replace(c, "");
    }

    // x: XOR each character of s with the repeating key k.
    public static String x(String s, String k) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            sb.append((char) (s.charAt(i) ^ k.charAt(i % k.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // w after HTML-entity decoding
        showError(">49s?#kjllw>ijvnra;;i>=kuki`ta;`iirj9::xtm;<rij%");
    }
}
Flag
By running the Java code above, you should be able to see the flag printed out.
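As an added example (not part of the original write-up), the same decoding in Python, with one generalisation: instead of trusting the hard-coded "X", the XOR key is recovered from the expected flag{ prefix as known plaintext, and the MD5 comparison from l is reproduced with salt and hash passed in as parameters, because the real s and h values are only in the screenshots. The w string and the junk characters are the ones from the Java above; the flag{ prefix is an assumption.

```python
import hashlib

# Constructed for this write-up: W is the decoded w string from the Java above,
# JUNK the characters the seven r() calls strip. Nothing else comes from the APK.
W = ">49s?#kjllw>ijvnra;;i>=kuki`ta;`iirj9::xtm;<rij%"
JUNK = "rstuvwx"
KNOWN_PREFIX = "flag{"  # assumed flag format, used as known plaintext


def strip_junk(s: str, junk: str = JUNK) -> str:
    """Same effect as the chained r() calls: drop every junk character."""
    return "".join(ch for ch in s if ch not in junk)


def xor_with_key(s: str, key: str) -> str:
    """Same as x(): XOR each character with the repeating key."""
    return "".join(chr(ord(ch) ^ ord(key[i % len(key)])) for i, ch in enumerate(s))


def recover_key(cipher: str, known_prefix: str = KNOWN_PREFIX) -> str:
    """Known-plaintext recovery of a single-byte XOR key.
    XORing the ciphertext head with the expected prefix must give the same
    byte at every position; if it does not, the key is not one byte long."""
    candidates = {chr(ord(c) ^ ord(p)) for c, p in zip(cipher, known_prefix)}
    if len(candidates) != 1:
        raise ValueError(f"no single-byte key fits the prefix: {sorted(candidates)}")
    return candidates.pop()


def decode_flag(w: str = W) -> str:
    """Reproduce showError(): strip junk, then undo the XOR with the recovered key."""
    cleaned = strip_junk(w)
    return xor_with_key(cleaned, recover_key(cleaned))


def password_matches(candidate: str, salt: str, expected_md5: str) -> bool:
    """The check the decompiled l() performs: MD5(i + s) == h.
    Assumes h is stored as a hex digest; salt and h come from strings.xml."""
    digest = hashlib.md5((candidate + salt).encode()).hexdigest()
    return digest == expected_md5.lower()


if __name__ == "__main__":
    print(decode_flag())
```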