ASIS2014: NUMDROID WRITE-UP

BrokenDroid

I’ve playing with Android CTF questions recently and found this jewelry box. One of the questions was about a numeric one way hash question named NUMDROID. The question was presented in ASIS2014 and here, I write the write-up!

Find the Numdroid Question

The question was a file of binary data. The first bytes (known as File Signatures) show that the file is a 7ziped file. Therefore I decompressed it and found the files inside compressed file.

FileType

FileType

The contents extracted from the file were parts of an APK.

Inside APK

Inside APK

So I zipped the files and signed by a self signed key. For more information about signing APK archives please refer to my previous post about smali code injection.

Make APK

Make APK

Install is the Magic

First of all, I installed the APK in order to find what does it do. It was a screen with numpad inside and a back-OK keys.

First Attemp

First Attemp

Source Code is Another Magic

For the sake of the byte code, Java code is vulnerable against decompilation  techniques if no obfuscation method is used. The code was clear! I used JADX which is very good decompiler for APK files.

The Code

The Code

After a fast overview of the source code, I found that the numeric input is hashed by an algorithm inside the code and checked against a string for being verified. I highlighted the code section for hash function.

The Digest

The Digest

As it is visible in the isOK function, the password’s length is 7 at maximum.

Capturing the Flag

I’ve checked the next activity which will be shown after verification process. The activity shows MD5 of input number as the flag. Therefore finding the flag is about to cracking the hash function.

There are two ways for cracking:

  1. Crypt Analysis and finding  a way to revert the hashed string to its original value, which is not suitable for this kind of challenge.
  2. Bruteforcing all ranges from 0 to 9999999 and calculating the hash.

I’ve select the second choice and bruteforce the range. For this aim, I’ve write a small piece of java code:

Bruteforce

Bruteforce

And converted it to dex file in order to access its smali code.The needed tools are javac, dx and backsmali.

javac

javac

Dexing the class

Dexing the class

The Smali

The Smali

Then I’ve injected the smali code inside the APK and put my bruteforce code inside onCreate() of the main activity. The bruteforce code will write the flag in Log of Android if the hash value is correct.

Bruteforce Smali Code

Bruteforce Smali Code

Calling the Code

Calling the Code

Smali Code Injection

Smali Code Injection

The Flag

Finally, after injection, I signed and installed the new APK on the Android Emulator and voila! the result.

Recompile

Recompile

Sign the injected APK

Sign the injected APK

The Flag

The Flag

The Flag in Action

The Flag in Action

The code is MD5(3130110) and thus the flag is ASIS_{3C56E1ED0597056FEF0006C6D1C52463}.

Your email address will not be published. Required fields are marked *

*