Google CTF 2016 – Ill intentions (mobile)
And another challenge solved using the Xposed framework.
So we have an Android application, let’s start it in the emulator (Genymotion).
It’s quite ugly and doesn’t seem to be finished. It just tells us to use “Send_to_Activity”…
So let’s decompile it using jadx.
The MainActivity registers the Send_to_Activity as a BroadcastReceiver using the filter “com.ctf.INCOMING_INTENT”.
    IntentFilter filter = new IntentFilter();
    filter.addAction("com.ctf.INCOMING_INTENT");
    registerReceiver(new Send_to_Activity(), filter, permission._MSG, null);
Depending on the content of the intent’s “msg” extra, it launches another activity.
    public void onReceive(Context context, Intent intent) {
        String msgText = intent.getStringExtra("msg");
        if (msgText.equalsIgnoreCase("ThisIsTheRealOne")) {
            context.startActivity(new Intent(context, ThisIsTheRealOne.class));
        }
        // ... the other "msg" values start the remaining activities the same way
        // (rest of the decompiled method omitted here)
    }
In those activities, a button is displayed, and clicking on it sends another intent with a “msg”. This “msg” is the result of a complex calculation involving native code and probably contains the flag…
    public void onClick(View v) {
        Intent intent = new Intent();
        intent.setAction("com.ctf.OUTGOING_INTENT");
        String a = DefinitelyNotThisOne.this.getResources().getString(R.string.str1);
        intent.putExtra("msg", DefinitelyNotThisOne.this.definitelyNotThis(
                Utilities.doBoth(DefinitelyNotThisOne.this.getResources().getString(R.string.test)),
                Utilities.doBoth("Test")));
        DefinitelyNotThisOne.this.sendBroadcast(intent, permission._MSG);
    }
So three possibilities: spend a lot of time reversing the native library doing the calculation, modify the app to directly write the msg content to the logs, or do some dynamic analysis and write an Xposed module to intercept the intents and log the message. I picked number 3 🙂
Actually I first tried to use Inspeckage – a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime. I could see the intents and that they have some content, but not the content itself… :/
So now back to solution 3 and the Xposed module to intercept the intents and log them:
    findAndHookMethod(ContextWrapper.class, "sendBroadcast", Intent.class, String.class, new XC_MethodHook() {
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            Intent intent = (Intent) param.args[0];
            XposedBridge.log("sendBroadcast: " + intent.getStringExtra("msg"));
        }
    });
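The snippet above is only the hook itself. For readers who have not written an Xposed module before, here is the complete module class it would live in. This is an added example, not the author’s code: the package name `com.example.intentlogger`, the class name `IntentLogger` and the `describe` helper are my own choices; the target package `com.example.hellojni` is taken from the logcat output later in the write-up. It goes slightly beyond the original hook by covering both `sendBroadcast` overloads and dumping every extra rather than only `msg`, so nothing the app puts in an outgoing intent is missed.

```java
package com.example.intentlogger; // hypothetical package for this added module

import android.content.ContextWrapper;
import android.content.Intent;
import android.os.Bundle;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;

public class IntentLogger implements IXposedHookLoadPackage {

    // Process name of the challenge app, as seen in the logcat lines of the write-up.
    private static final String TARGET = "com.example.hellojni";

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        // Hooking every process would flood the log; restrict to the app under analysis.
        if (!TARGET.equals(lpparam.packageName)) {
            return;
        }

        XC_MethodHook logger = new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                // args[0] is the Intent for both sendBroadcast overloads.
                Intent intent = (Intent) param.args[0];
                XposedBridge.log("sendBroadcast: " + describe(intent));
            }
        };

        // Overload the challenge activities use: sendBroadcast(Intent, String receiverPermission).
        findAndHookMethod(ContextWrapper.class, "sendBroadcast",
                Intent.class, String.class, logger);
        // Plain overload, in case some code path sends without a permission string.
        findAndHookMethod(ContextWrapper.class, "sendBroadcast",
                Intent.class, logger);
    }

    // Renders the action plus every extra, so the log shows the whole intent, not just "msg".
    private static String describe(Intent intent) {
        StringBuilder sb = new StringBuilder();
        sb.append("action=").append(intent.getAction());
        Bundle extras = intent.getExtras();
        if (extras != null) {
            for (String key : extras.keySet()) {
                sb.append(' ').append(key).append('=').append(extras.get(key));
            }
        }
        return sb.toString();
    }
}
```

For Xposed to load it, the module’s `assets/xposed_init` file must contain the fully qualified class name (`com.example.intentlogger.IntentLogger` here), the manifest needs the `xposedmodule`, `xposedminversion` and `xposeddescription` meta-data entries, and the module has to be enabled in the Xposed Installer and the device rebooted before the hooks take effect. Output lands in the Xposed log and in logcat under the `Xposed` tag, which is where the lines quoted below come from.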
We just have to send the broadcast intents using adb:
    mooh$ adb shell am broadcast -a com.ctf.INCOMING_INTENT --es msg ThisIsTheRealOne
    Broadcasting: Intent { act=com.ctf.INCOMING_INTENT (has extras) }
    Broadcast completed: result=0
    mooh$ adb shell am broadcast -a com.ctf.INCOMING_INTENT --es msg DefinitelyNotThisOne
    Broadcasting: Intent { act=com.ctf.INCOMING_INTENT (has extras) }
    Broadcast completed: result=0
    mooh$ adb shell am broadcast -a com.ctf.INCOMING_INTENT --es msg IsThisTheRealOne
    Broadcasting: Intent { act=com.ctf.INCOMING_INTENT (has extras) }
    Broadcast completed: result=0
Click on the buttons in each activity,
and finally read the logs:
    04-29 17:01:04.694 1569-1569/com.example.hellojni I/Xposed: sendBroadcast: KeepTryingThisIsNotTheActivityYouAreLookingForButHereHaveSomeInternetPoints!
    04-29 17:01:37.475 1569-1569/com.example.hellojni I/Xposed: sendBroadcast: Told you so!
    04-29 17:02:05.279 1569-1569/com.example.hellojni I/Xposed: sendBroadcast: Congratulation!YouFoundTheRightActivityHereYouGo-CTF{IDontHaveABadjokeSorry}