ASIS2014: NUMDROID WRITE-UP

[Figure: BrokenDroid]

I’ve been playing with Android CTF questions recently and found this jewelry box. One of the questions was a numeric one-way hash challenge named NUMDROID. The question was presented in ASIS2014, and here is my write-up!

Find the Numdroid Question

The question was a file of binary data. The first bytes (known as the file signature) showed that the file was a 7-Zip archive. Therefore I decompressed it and examined the files inside the archive.

[Figure: FileType]

The contents extracted from the file were parts of an APK.

[Figure: Inside APK]

So I zipped the files and signed the archive with a self-signed key. For more information about signing APK archives, please refer to my previous post about smali code injection.

[Figure: Make APK]

Install is the Magic

First of all, I installed the APK in order to find out what it does. It was a screen with a numpad and Back/OK keys.

[Figure: First Attempt]

Source Code is Another Magic

Because of the nature of Java bytecode, Java code is vulnerable to decompilation if no obfuscation method is used. The code was clear! I used JADX, which is a very good decompiler for APK files.

[Figure: The Code]

After a quick overview of the source code, I found that the numeric input is hashed by an algorithm inside the code and compared against a string for verification. I highlighted the code section of the hash function.

[Figure: The Digest]

As is visible in the isOK function, the password’s length is 7 at maximum.

Capturing the Flag

I checked the next activity, which is shown after the verification process. The activity shows the MD5 of the input number as the flag. Therefore, finding the flag comes down to cracking the hash function.

There are two ways for cracking:

  1. Cryptanalysis: finding a way to invert the hashed string back to its original value, which is not suitable for this kind of challenge.
  2. Brute-forcing the whole range from 0 to 9999999 and calculating the hash of each candidate.

I selected the second choice and brute-forced the range. For this purpose, I wrote a small piece of Java code:

[Figure: Bruteforce]

And converted it to a dex file in order to access its smali code. The needed tools are javac, dx and baksmali.

[Figure: javac]
[Figure: Dexing the class]
[Figure: The Smali]

Then I injected the smali code into the APK and called my brute-force code from onCreate() of the main activity. The brute-force code writes the flag to the Android log if the hash value matches.
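The brute-force step described above, as an added Python example (not the post's own Java code): the app's real digest function exists only in the screenshots, so a constructed stand-in `toy_digest` is used in its place, and the search goes slightly beyond the 0..9999999 integer loop by also covering digit strings with leading zeros. The flag is then built as MD5 of the accepted input, exactly as the next activity does.

```python
import hashlib
import re
from typing import Callable, Optional

# Stand-in for the app's own digest, whose code appears only in the post's
# screenshots (constructed: truncated SHA-256, NOT the NUMDROID algorithm).
def toy_digest(pin: str) -> str:
    return hashlib.sha256(pin.encode()).hexdigest()[:16]


MAX_LEN = 7  # isOK() accepts at most 7 digits


def brute_force(target: str, digest: Callable[[str], str],
                max_len: int = MAX_LEN) -> Optional[str]:
    """Return the first digit string whose digest equals `target`, or None.

    Unlike a plain 0..9999999 integer loop, this walks every digit string of
    length 1..max_len, so candidates with leading zeros ("0042") are covered.
    The whole space is sum(10**k for k in 1..7) = 11,111,110 candidates,
    which is why a numeric PIN capped at 7 digits cannot resist this search.
    """
    for length in range(1, max_len + 1):
        for n in range(10 ** length):
            candidate = str(n).zfill(length)
            if digest(candidate) == target:
                return candidate
    return None


def make_flag(pin: str) -> str:
    """The next activity shows MD5 of the accepted input as the flag."""
    return "ASIS_{" + hashlib.md5(pin.encode()).hexdigest().upper() + "}"


FLAG_RE = re.compile(r"ASIS_\{[0-9A-F]{32}\}")

if __name__ == "__main__":
    # Constructed target: pretend the app's stored digest came from PIN 2718.
    stored = toy_digest("2718")
    pin = brute_force(stored, toy_digest)
    print("recovered PIN:", pin)
    print("flag:", make_flag(pin))
```

Swapping `toy_digest` for the decompiled digest function reproduces the post's search on the real target string.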

[Figure: Bruteforce Smali Code]
[Figure: Calling the Code]
[Figure: Smali Code Injection]

The Flag

Finally, after the injection, I signed and installed the new APK on the Android emulator and voilà! The result:

[Figure: Recompile]
[Figure: Sign the injected APK]
[Figure: The Flag]
[Figure: The Flag in Action]

The code is 3130110, and thus the flag, MD5(3130110), is ASIS_{3C56E1ED0597056FEF0006C6D1C52463}.
