PicoCTF-2019 Writeup
  • HHousen PicoCTF-2019 Writeup
Reverse Engineering

droids1


Last updated 4 years ago


Problem

Find the pass, get the flag. Check out this file. You can also find the file in /problems/droids1_0_b7f94e21c7e45e6604972f9bc3f50e24.

Solution

  1. Decompile the APK using apktool, as suggested by the hint: apktool d one.apk:

     Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
     I: Using Apktool 2.4.1-dirty on one.apk
     I: Loading resource table...
     I: Decoding AndroidManifest.xml with resources...
     I: Loading resource table from file: /home/kali/.local/share/apktool/framework/1.apk
     I: Regular manifest package...
     I: Decoding file-resources...
     I: Decoding values */* XMLs...
     I: Baksmaling classes.dex...
     I: Copying assets and libs...
     I: Copying unknown files...
     I: Copying original files...

    Alternatively, you can use JADX to decompile the APK and browse the result in a GUI. This is the method used in this write-up.

    JADX Install:

     wget https://github.com/skylot/jadx/releases/download/v1.1.0/jadx-1.1.0.zip
     unzip jadx-1.1.0.zip -d jadx
     cd jadx
     sudo mkdir /opt/jadx
     sudo mv * /opt/jadx
     cd /opt/jadx/bin
     ./jadx-gui
  2. Launch jadx-gui and open one.apk

  3. In the MainActivity the button click code can be seen:

     public void buttonClick(View view) {
         this.text_bottom.setText(FlagstaffHill.getFlag(this.text_input.getText().toString(), this.ctx));
     }
  4. The getFlag() function is as follows:

     public static String getFlag(String input, Context ctx) {
         if (input.equals(ctx.getString(R.string.password))) {
             return fenugreek(input);
         }
         return "NOPE";
     }

    It compares the input against the string resource R.string.password; only if they match is the flag computed by fenugreek() and returned.

  5. Go to R > string > password in the explorer to find public static final int password = 2131427375;. So the code is looking up the resource with id 2131427375.

  6. Go to Resources > resources.arsc > res > values > strings.xml, since R.string.password is a string resource. There we find: <string name="password">opossum</string>

  7. Start an AVD in Android Studio. Install the app by dragging the APK onto the emulator. Enter the password, opossum, and click the button to get the flag.
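Steps 4 to 6 resolve the resource id by hand. The script below does the same lookup from the files apktool writes under res/values/, as an added example that is not part of the original write-up: public.xml maps numeric ids to resource names, strings.xml maps names to values. The two XML documents inline are constructed sample data (ids chosen so that password matches the decimal value on the page), and suspicious_strings is a hypothetical review helper for spotting credential-like resource names in an app under audit.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples of res/values/public.xml and res/values/strings.xml as
# written by apktool; a real public.xml lists hundreds of entries.
PUBLIC_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <public type="string" name="app_name" id="0x7f0b002e" />
    <public type="string" name="password" id="0x7f0b002f" />
    <public type="id" name="text_input" id="0x7f070051" />
</resources>"""

STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">one</string>
    <string name="password">opossum</string>
</resources>"""


def split_resource_id(res_id):
    """Unpack an Android resource id 0xPPTTEEEE into (package, type, entry);
    package 0x7f is the app's own package."""
    return (res_id >> 24) & 0xFF, (res_id >> 16) & 0xFF, res_id & 0xFFFF


def resource_name(public_xml, res_id):
    """Map a numeric R.* id from decompiled code to its (type, name)."""
    for pub in ET.fromstring(public_xml).iter("public"):
        if int(pub.get("id"), 16) == res_id:
            return pub.get("type"), pub.get("name")
    raise KeyError("0x%08x not in public.xml" % res_id)


def resolve_string(public_xml, strings_xml, res_id):
    """Follow R.string.<name> to its strings.xml value; returns (name, value)."""
    rtype, name = resource_name(public_xml, res_id)
    if rtype != "string":
        raise ValueError("%s is a %s resource, not a string" % (name, rtype))
    for s in ET.fromstring(strings_xml).iter("string"):
        if s.get("name") == name:
            return name, s.text or ""
    raise KeyError(name)


def suspicious_strings(strings_xml, pattern=r"pass|secret|key|token"):
    """Review aid: string resources whose name suggests a hardcoded credential."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(s.get("name"), s.text or "")
            for s in ET.fromstring(strings_xml).iter("string")
            if rx.search(s.get("name", ""))]
```

Run against a real apktool output directory by reading the two files into the same functions; 2131427375 unpacks to package 0x7f, type 0x0b, entry 0x2f.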

Flag

picoCTF{pining.for.the.fjords}
