BabyAPK - BreizhCtf 2018
When participating to BreizhCTF one of the categories was mobile application reversing. This write up is about reversing the first mobile application that was provided to us : BabyAPK
Decompilation
To reverse Android application, I usually start by reversing the source code . For that i use 2 tools : Jadx and APKTool when Jadx is not sufficient.
For this chall, I only used Jadx with the command
jadx BabyAPK.apk
Once this command executed desassembled file of this applications are located in the folder BabyApk.
Finding the vulnerable feature
Once the disassembly done, I first looked in the fr/breizhctf/saxx/babyapk folder where the source Java file are located.
Here are 3 files : - BuildConfig.java : which contains the config of the Apk - LoginActivity.java : which contains the interesting part of the application - R.java : which is used to stored layout object references.
In the LoginActivity, after scrolling a little we can see an interesting function named isPasswordValid taking a String as parameter and validating it :
private boolean isPasswordValid(String password) {
String v3 = password;
int v0 = 0;
if (v3.length() == 45) {
for (int v1 = 0; v1 < "kmqgwg]Tm3=NE_#$%$#!&#^_^~/4ouKJW@WE^(:p@_*##".length(); v1++) {
if (")79$#!&#^l\\t<v\\x00Q\\x17\\x11HOXyD2k:!\\x18\\x040@xy\\x089g0\\x01_\\t\\x1c#oGF^".charAt(v1) != ("kmqgwg]Tm3=NE_#$%$#!&#^_^~/4ouKJW@WE^(:p@_*##".charAt(v1) ^ v3.charAt(v1))) {
v0 = 1;
Toast.makeText(this, "Seems I don't recognize you! go out :(", 0).show();
break;
}
}
if (v0 != 0) {
return true;
}
Toast.makeText(this, "Hey buddy! It's you, Welcome :)", 0).show();
} else {
Toast.makeText(this, "Seems I don't recognize you! go out :(", 0).show();
}
if (password.length() <= 4) {
return false;
}
return true;
}
Here we can see that , in order to compare the password, the program xor a String with another and compare each char of it.
Getting the password
In order to get the password, all you have to do is to get back the xored result between the first 45 characters of
kmqgwg]Tm3=NE_#$%$#!&#^_^~/4ouKJW@WE^(:p@_*##
and
)79$#!&#^l\t<v\x00Q\x17\x11HOXyD2k:!\x18\x040@xy\\x089g0\x01_\t\x1c#oGF^
Here is my python script :
from Crypto.Util import strxor
a = b"kmqgwg]Tm3=NE_#$%$#!&#^_^~/4ouKJW@WE^(:p@_*##"[:45]
b = b")79$#!&#^l\t<v\x00Q\x17\x11HOXyD2k:!\x18\x040@xy\x089g0\x01_\t\x1c#oGF^"[:45]
print(strxor.strxor(a,b))
And the flag is :
BZHCTF{w3_4r3_r34lly_gl4d_70_533_y0u_w3lc0me}