wireless90
Try cracking me [Android Internals CTF Ex2]

Get the apk here.

Firstly, I fired up my Android emulator and installed the app-debug.apk. Then I opened the app.

It seems that the application is a flag checker. I need to enter the flag and it will tell me if it is correct.

Since the instructions did not bar me from decompiling the APK, I proceeded to install jadx, a Dex-to-Java decompiler.

$ sudo apt install jadx
$ sudo jadx-gui `pwd`/app-debug.apk

We have now decompiled the Dex code into Java and we have a nice GUI to browse through the files.

Let's take a look at the AndroidManifest.xml.

It gives the location of the main activity. Let's open it up.

Focus on the function onTextChanged.

public void onTextChanged(CharSequence charSequence, int i, int i1, int i2) 
{
    if (charSequence.length() < 3) {
        view.setText(R.string.nc);
        return;
    }
    String txt = charSequence.toString();
    String str = "dart";
    if (txt.indexOf(str) == 0) {
        try {
            int val = Integer.parseInt(txt.substring(str.length()));
            if (val % 2 < 1) {
                int val2 = val >> 1;
                if (val2 > 700) {
                    view.setText(R.string.nc);
                    return;
                }
                int val3 = val2 * 31;
                if (val3 % 11 == 0 && val3 % 53 == 0) {
                    view.setText(R.string.cr);
                    return;
                }
            }
        } catch (NumberFormatException e) {
        }
    }
    view.setText(R.string.nc);
}

Let's break it down.

At the line,

if (txt.indexOf(str) == 0) {

we can see that it checks whether the string starts with dart.
So we know that the flag starts with dart.

Following that, the line

Integer.parseInt(txt.substring(str.length()));

shows that the rest of the string following dart is actually an integer.

if (val % 2 < 1)

This check shows that the integer must be divisible by 2.

int val2 = val >> 1;

Here a right shift by 1 is applied, which divides the number by 2.

if (val2 > 700) {
     view.setText(R.string.nc);
     return;
}

If the result of the operation is greater than 700, it prints a message. This might be a wrong control flow path and might not lead us to the flag. But let's try dart1422, where 1422 is divisible by 2 and the result would be greater than 700.

Seems like the flag is not correct. Let's continue on with the rest of the code.

int val3 = val2 * 31;
if (val3 % 11 == 0 && val3 % 53 == 0) {
     view.setText(R.string.cr);
     return;
}

So basically, we have an integer, x.
x/2 <= 700 and (x/2)*31 must be divisible by 11 and 53.

So I first tried multiplying 11 x 53 = 583.
It does not satisfy the conditions.
Then I tried 583 x 2 = 1166.
1166 satisfies all the above conditions.

So I tried dart1166 as the flag.

We got the right flag this time.
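
The check can also be copied out of the decompiled method and run over every candidate number, which shows exactly which inputs reach R.string.cr. This is an added example, not code from the original post or the app; the class name FlagCheck, the helpers accepts() and search(), and the search range are assumptions.

```java
import java.util.ArrayList;
import java.util.List;

// Added example: the numeric part of onTextChanged, copied as a pure function.
// FlagCheck, accepts() and search() are hypothetical names, not from the app.
public class FlagCheck {
    static final String PREFIX = "dart";

    // Mirrors the decompiled branch structure; true means R.string.cr is shown.
    static boolean accepts(String txt) {
        if (txt.length() < 3 || txt.indexOf(PREFIX) != 0) {
            return false;
        }
        try {
            int val = Integer.parseInt(txt.substring(PREFIX.length()));
            if (val % 2 < 1) {            // Java's % keeps the sign of val
                int val2 = val >> 1;      // arithmetic shift, floors toward -inf
                if (val2 > 700) {
                    return false;
                }
                int val3 = val2 * 31;     // 32-bit multiply, may wrap
                return val3 % 11 == 0 && val3 % 53 == 0;
            }
        } catch (NumberFormatException e) {
            // non-numeric suffix: falls through to "not correct"
        }
        return false;
    }

    // Every suffix in [lo, hi] that the checker accepts.
    static List<Integer> search(int lo, int hi) {
        List<Integer> hits = new ArrayList<>();
        for (int n = lo; n <= hi; n++) {
            if (accepts(PREFIX + n)) {
                hits.add(n);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        System.out.println("dart1422 -> " + accepts("dart1422"));
        System.out.println("dart583  -> " + accepts("dart583"));
        System.out.println("dart1166 -> " + accepts("dart1166"));
        // The only upper bound in the code is val2 <= 700, so the range
        // also covers zero and negative numbers (range chosen for the demo).
        System.out.println("accepted in [-3000, 3000]: " + search(-3000, 3000));
    }
}
```

Since 31 shares no factor with 11 or 53, the last condition holds only when val2 is a multiple of 583. The checker sets no lower bound and Java's % keeps the sign of the dividend, so the search also reports 0 and some negative numbers alongside 1166.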
