Google CTF 2016 – Ill intentions (mobile)

May 2, 2016

And another challenge solved using the Xposed framework.

So we have an Android application, let’s start it in the emulator (Genymotion).


It’s quite ugly and doesn’t seem to be finished. It just tells us to use “Send_to_Activity”…
So let’s decompile it using jadx.

The MainActivity registers the Send_to_Activity as a BroadcastReceiver using the filter “com.ctf.INCOMING_INTENT”.


IntentFilter filter = new IntentFilter();
filter.addAction("com.ctf.INCOMING_INTENT");
registerReceiver(new Send_to_Activity(), filter, permission._MSG, null);

Depending on the content of the intent’s “msg” extra, it launches another activity:


public void onReceive(Context context, Intent intent) {
    String msgText = intent.getStringExtra("msg");
    if (msgText.equalsIgnoreCase("ThisIsTheRealOne")) {
        context.startActivity(new Intent(context, ThisIsTheRealOne.class));
    }
    // remaining branches for the other activities omitted
}

In those activities, a button is displayed and clicking on it sends another intent with a “msg”. This “msg” is the result of a complex calculation involving native code and probably contains the flag…


public void onClick(View v) {
    Intent intent = new Intent();
    intent.setAction("com.ctf.OUTGOING_INTENT");
    String a = DefinitelyNotThisOne.this.getResources().getString(R.string.str1);
    intent.putExtra("msg", DefinitelyNotThisOne.this.definitelyNotThis(Utilities.doBoth(DefinitelyNotThisOne.this.getResources().getString(R.string.test)), Utilities.doBoth("Test")));
    DefinitelyNotThisOne.this.sendBroadcast(intent, permission._MSG);
}

So three possibilities: spend a lot of time reversing the native library doing the calculation, modify the app to directly write the msg content in the logs, or do some dynamic analysis and write an Xposed module to intercept the intents and log the message. I picked number 3 🙂

Actually I first tried to use Inspeckage – a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime. I could see the intents and that they have some content but not the content itself… :/


So now back to solution 3 and the Xposed module to intercept the intents and log them:


findAndHookMethod(ContextWrapper.class, "sendBroadcast", Intent.class, String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        Intent intent = (Intent) param.args[0];
        XposedBridge.log("sendBroadcast: " + intent.getStringExtra("msg"));
    }
});
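For reference, here is a complete Xposed module built around the same hook (an added example, not the code from the original write-up): it limits itself to the challenge package and dumps every extra of each broadcast, not only "msg", so nothing the app sends is missed. The module package name and class name are hypothetical; the target package com.example.hellojni is the one visible in the logcat output below.

```java
package com.example.intentlogger; // hypothetical module package

import android.content.ContextWrapper;
import android.content.Intent;
import android.os.Bundle;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class IntentLogger implements IXposedHookLoadPackage {
    // Only instrument the challenge app (package name taken from its logcat lines).
    private static final String TARGET = "com.example.hellojni";

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        if (!TARGET.equals(lpparam.packageName)) {
            return;
        }
        // The app calls the sendBroadcast(Intent, String receiverPermission) overload,
        // so that is the signature we hook.
        XposedHelpers.findAndHookMethod(ContextWrapper.class, "sendBroadcast",
                Intent.class, String.class, new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                Intent intent = (Intent) param.args[0];
                String permission = (String) param.args[1];
                XposedBridge.log("sendBroadcast action=" + intent.getAction()
                        + " permission=" + permission);
                Bundle extras = intent.getExtras();
                if (extras == null) {
                    return; // broadcast without extras: nothing more to show
                }
                // Dump every extra so a flag hidden under another key is not missed.
                for (String key : extras.keySet()) {
                    XposedBridge.log("  extra " + key + " = " + extras.get(key));
                }
            }
        });
    }
}
```

The class must be listed in the module’s assets/xposed_init file and the module enabled in the Xposed installer before the hook is active.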


We just have to send the broadcast intents using adb:


mooh$ adb shell am broadcast -a com.ctf.INCOMING_INTENT --es msg ThisIsTheRealOne
Broadcasting: Intent { act=com.ctf.INCOMING_INTENT (has extras) }
Broadcast completed: result=0
mooh$ adb shell am broadcast -a com.ctf.INCOMING_INTENT --es msg DefinitelyNotThisOne
Broadcasting: Intent { act=com.ctf.INCOMING_INTENT (has extras) }
Broadcast completed: result=0
mooh$ adb shell am broadcast -a com.ctf.INCOMING_INTENT --es msg IsThisTheRealOne
Broadcasting: Intent { act=com.ctf.INCOMING_INTENT (has extras) }
Broadcast completed: result=0

Then click on the button in each of the three activities


and finally read the logs:


04-29 17:01:04.694 1569-1569/com.example.hellojni I/Xposed: sendBroadcast: KeepTryingThisIsNotTheActivityYouAreLookingForButHereHaveSomeInternetPoints!
04-29 17:01:37.475 1569-1569/com.example.hellojni I/Xposed: sendBroadcast: Told you so!
04-29 17:02:05.279 1569-1569/com.example.hellojni I/Xposed: sendBroadcast: Congratulation!YouFoundTheRightActivityHereYouGo-CTF{IDontHaveABadjokeSorry}
