Posted inPersonal Tutorial WriteUp

8st SharifCTF Android WriteUps: Vol I

February 17, 2018No Comments
Sharif CTF 13
Sharif CTF 13

Barnamak WriteUp

Two weeks ago, SharifCTF was hold and the questions were acceptable. We attended with CGU team name and and gain the 44th place among the 682 attended teams, whom has at least one question solved in the CTF. In this post I described the writeup for the question about reverse engineering of Android app with 200 points (the 3rd question of reverse section).

Sharif CTF 1
Sharif CTF 1

The App

The app for the question is available for downloading, however, you may download this link if you like. By the way, the task name was barnamak.

In the first step, I installed it on an emulator to watch what it wants.

adb install Find_Flag.apk
Sharif CTF 2
Sharif CTF 2
Sharif CTF 3
Sharif CTF 3

Step One

It said that “Waiting For A Lock…” and the location icon started to blink. So probably it waits for location. I gave it a try by setting a location.

Sharif CTF 4
Sharif CTF 4

It is OK. The app got the location.

Sharif CTF 5
Sharif CTF 5

I’ve pressed STEP ONE and got the message: “Please try again …”

Sharif CTF 6
Sharif CTF 6

So it is worth it to investigate around it. After that I decided to check the source code for the app. The famous DEX2JAR and JD-GUI helped me alot.

I’ve convert the APK to JAR file using dex2jar:

Sharif CTF 7
Sharif CTF 7

And opened with JD-GUI:

Sharif CTF 8
Sharif CTF 8

I’ve found that the piece of code when the button pressed is located in b() in com.challenge_android.fragments.ChallengeFragment.class where the code is:

Sharif CTF 9
Sharif CTF 9

It says j = 0x2C = 44 and i = -0x5B = -91. Then it checks the input location:

if (((int)this.location.getLatitude() == j + 1) && ((int)this.location.getLongitude() == i - 2))

Therefore, the latitude of location should be j+1 = 45 and longtitude should be i-2 = -91-2 = -93

Posting these values made a change in app. I did another thing. The app checks rootability of phone using com.challenge_android.a.c class and some things happen inside it. So I’ve changed my phone to be root. The com.challenge_android.a.c.c checks the existence of a folder named /dev/com.koushikdutta.superuser.daemon/ and I created the folder and got ROOT :).

Sharif CTF 11
Sharif CTF 11

 

Sharif CTF 10
Sharif CTF 10

Step Two

After that app suddenly closed. The final thing was omitting the application termination.

Sharif CTF 12
Sharif CTF 12

The noisy code was at com.challenge_android.fragments.ChallengeFragment.a() that can be bypassed by smali code injection and removing the part of code. For more information about smali code injection, you may follow my post about the subject.

Voila! The flag appeared.

Sharif CTF 13
Sharif CTF 13

Flag is MD5 Of Longtitude: SharifCTF{MD5(-93)} = SharifCTF{87a20a335768a82441478f655afd95fe}

Tags:
Last updated on November 5, 2019

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *