Skip to content

TinyCTF 2014 - Oh! What does this button do?

Note: For this challenge, we need install some things into our Android 5.1 device with Genymotion.

For example, an ARM Translator.

https://github.com/m9rco/Genymotion_ARM_Translation

Download APK: https://lautarovculic.com/my_files/rev200.zip

When download the .zip file, we can extract this with 

7z x rev200.zip

The rev200 file is another zip file 

rev200: Zip archive data, at least v2.0 to extract, compression method=deflate

So, what is an apk? We can look this as an zip. Then, rename the file 

mv rev200 rev200.apk

And now, we can install the apk file with adb 

adb install -r rev200.apk

Now, decompile the apk with apktool 

apktool d rev200.apk

Let's inspect the source code with jadx (GUI version)

The package name is ctf.crackme

We have 2 activities that we are interested.

MainActivity 

package ctf.crackme;  

import android.app.Activity;  
import android.content.Intent;  
import android.os.Bundle;  
import android.view.Menu;  
import android.view.MenuItem;  
import android.view.View;  
import android.widget.Button;  
import android.widget.EditText;  


public class MainActivity extends Activity {  

    protected void onCreate(Bundle bundle) {  
        super.onCreate(bundle);  
        setContentView(C0072R.layout.activity_main);  
        ((Button) findViewById(C0072R.id.enterButton)).setOnClickListener(new View.OnClickListener() {

            public void onClick(View view) {  
                if (((EditText) MainActivity.this.findViewById(C0072R.id.passwordField)).getText().toString().compareTo("EYG3QMCS") == 0) {  
                    MainActivity.this.startActivity(new Intent(MainActivity.this, (Class<?>) FlagActivity.class));  
                }  
            }  
        });  
    }  


    public boolean onCreateOptionsMenu(Menu menu) {  
        getMenuInflater().inflate(C0072R.menu.main, menu);  
        return true;  
    }  


    public boolean onOptionsItemSelected(MenuItem menuItem) {  
        return menuItem.getItemId() == 2131230724 ? true : super.onOptionsItemSelected(menuItem);  
    }  
}

When button is pressed, the OnClickListener get the text from the field password.

This compare with the string EYG3QMCS.

If the compare is successful, this will call a new activity FlagActivity.

Then, insert the password and we'll get the flag

But, let broke this app. Let's modify the onClick method.

So the idea is that any string inserted, is the "correct password".

For that, we need change this if 

if (passwordField.getText().toString().compareTo("EYG3QMCS") == 0) {

The smali code that we need modify is this method 

    move-result-object v2  

    const-string v3, "EYG3QMCS"  

    invoke-virtual {v2, v3}, Ljava/lang/String;->compareTo(Ljava/lang/String;)I  

    move-result v2  

    if-nez v2, :cond_29 # We need change this

The smali file are in the folder that apktool extract. 

└── smali
    └── ctf
        └── crackme
            └── MainActivity$1.smali

Search for the smali code that I mention previously. And just change this line 

if-nez v2, :cond_29

For this 

if-eqz v2, :cond_29 # New

Now, save the file and rebuild the app. 

apktool b rev200

Create a key 

keytool -genkey -v -keystore name.keystore -keyalg RSA -keysize 2048 -validity 10000 -alias alias

And sign with jarsigner 

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore name.keystore rev200/dist/rev200.apk alias

Uninstall the previous app and then install the new modified apk file. 

adb install -r rev200/dist/rev200.apk

Open the app and you can notice that the flag appears when we leave blank the password field.

I hope you found it useful (: