Seccon – Reverse-Engineering Android APK 1

Hello.

This weekend was the SECCON CTF, which included some Android challenges.

I will show you how to solve the first one easily and, hopefully, the other one if I have time.

First you need the rps.apk file. (Link to come once it is on GitHub 🙂)

Second, you need your environment set up:

  • Genymotion (Android emulator). Any other emulator should work too.
  • JD-GUI (to read the decompiled .jar source code)
  • Xposed framework
  • Android Studio


As usual we convert the APK with dex2jar and open the result in JD-GUI to get some nice Java code.

# d2j-dex2jar rps.apk

We have only one interesting class, MainActivity.

We have one method, showMessageTask, that will show our flag.

[Screenshot: showMessageTask in JD-GUI (Screen Shot 2015-12-07 at 14.06.37)]

The flag will have the format:

"SECCON{" + String.valueOf(107 * (this.cnt + this.calc())) + "}"

We know that this.cnt should be equal to 1000; only the value of this.calc() is missing.

Let’s check where it is defined.

[Screenshot: declaration of calc() in JD-GUI (Screen Shot 2015-12-07 at 14.06.43)]

Oh... a native method. This means it is probably implemented in a .so file, in C.
I don't like mixing languages, so we will not bother reversing the .so; we will just call the method when needed. Thanks Xposed!

Now let's open Android Studio and get our module ready to implement.

So for this challenge what would be the logic in order to find the flag?

We don't really care about this.cnt because we know it will be 1000 when the flag is computed. That leaves one expression to evaluate inside Xposed:

"SECCON{" + String.valueOf(107 * (this.cnt + this.calc())) + "}"

To do that I hooked the method "onCreate". This means that my code runs right after the original onCreate while the app is running.

The idea is to evaluate this expression and print it in Xposed logs.

package com.example.secconhook; // hypothetical package name for our module

import android.os.Bundle;
import java.lang.reflect.Method;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

// Hypothetical class name; it must be listed in assets/xposed_init so Xposed loads it
public class SecconHook implements IXposedHookLoadPackage {
    private static final String TARGET_PACKAGE = "com.example.seccon2015.rock_paper_scissors";
    private static final String MAIN_ACTIVITY_CLASS = TARGET_PACKAGE + ".MainActivity";

    @Override
    public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
        // handleLoadPackage is called for every app; only touch the challenge app
        if (lpparam.packageName.equals(TARGET_PACKAGE)) {

            XposedBridge.log("Loaded App: " + lpparam.packageName);

            // Hook MainActivity.onCreate(Bundle); afterHookedMethod runs once the original returns
            XposedHelpers.findAndHookMethod(MAIN_ACTIVITY_CLASS, lpparam.classLoader, "onCreate", Bundle.class, new XC_MethodHook() {
                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    // Look up the native calc() on the live activity instance and call it;
                    // no need to reverse the .so, the JNI implementation does the work for us
                    Method calc = XposedHelpers.findMethodBestMatch(param.thisObject.getClass(), "calc");
                    int resultKey = (int) calc.invoke(param.thisObject);
                    // cnt is 1000 when the real flag is computed, so substitute it directly
                    XposedBridge.log("SECCON{" + String.valueOf(107 * (1000 + resultKey)) + "}");
                }
            });

        }
    }
}

Here we hook the method "onCreate" in the "com.example.seccon2015.rock_paper_scissors.MainActivity" class.

We look up the method named "calc" on the activity instance and invoke it to get the result. We do not need to know what this method does internally because we simply call it.

Then we print the flag, with all the variables substituted, to the Xposed log.

Let's deploy our module to the Genymotion emulator, enable it and run the application.

Right after launching it you can check the Xposed logs and, surprise:

[Screenshot: the flag printed in the Xposed log (Screen Shot 2015-12-07 at 14.15.54)]


Enjoy 🙂