SECCON 2015 Online CTF – Reverse-Engineering Android APK 1

December 7, 2015

After reading a write up of the Trend Micro CTF about someone discovering the Xposed Framework and wanting to use it to solve CTF challenges, I decided to do the same.
In short, the Xposed framework allows to hook methods from an android application without having to modify the app.

What I used:
Genymotion (site) (android emulator faster than the stock one)
Xposed Framework (site)
jadx (site) dex to java decompiler
Android Studio (to write the Xposed module)

After opening the apk in jadx, the relevant parts are found in the MainActivity

Screen Shot 2015-12-07 at 12.56.16

In particularly:

if (1000 == MainActivity.this.cnt) {
    tv3.setText("SECCON{" + String.valueOf((MainActivity.this.cnt + MainActivity.this.calc()) * 107) + "}");
}

So after winning 1000 times in a row, the flag is displayed. It is calculated based on the counter and the result of the calc() method. Unfortunately here, the calc method is a native method.Instead of starting Hopper and reversing the native lib or patching the apk to display directly the flag, let’s try to write a Xposed module for it.

Idea is then to hook up the onClick method and set the attributes to the correct values (ie set count to 999 and the attribute m and n in order to make it a wining move)

public class RPS implements IXposedHookLoadPackage {
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {

        if (!lpparam.packageName.equals("com.example.seccon2015.rock_paper_scissors"))
            return;
        findAndHookMethod("com.example.seccon2015.rock_paper_scissors.MainActivity", lpparam.classLoader, "onClick", View.class, new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                // set the modified values
                XposedHelpers.setIntField(param.thisObject, "cnt", 999);
                XposedHelpers.setIntField(param.thisObject, "m", 0);
                XposedHelpers.setIntField(param.thisObject, "n", 1);
            }
        });
}

Finally we start the application in the emulator, click on any button and the flag is displayed!

Screen Shot 2015-12-07 at 12.55.38

Leave a Reply




Get Adobe Flash player