droids4
reverse the pass, patch the file, get the flag. Check out this file. You can also find the file in /problems/droids4_0_99ba4f323d3d194b5092bf43d97e9ce9.
Use JADX to decompile and look around in a GUI. Launch jadx-gui and open four.apk. The getFlag() function is as follows:
We can copy this into our own Java program. Run password.java to get the password without having to decode the logic by hand. The password is alphabetsoup.
Run apktool d four.apk --no-res to decompile without resources (decompiling resources was causing build errors). Edit four/smali/com/hellocmu/picoctf/FlagstaffHill.smali: change const-string v5, "call it" to invoke-static {p0}, Lcom/hellocmu/picoctf/FlagstaffHill;->cardamom(Ljava/lang/String;)Ljava/lang/String;. This makes the success branch call the function that actually produces the flag; getFlag is static, so p0 is its first parameter, the string the user typed, and that is what cardamom receives. Add move-result-object v0 directly after the invoke so the returned String lands in v0, then replace the return-object v5 that immediately follows with return-object v0. Only that one return needs changing; leave any other return in the method alone.
I figured out the syntax by using the last challenge (droids3) as a model, since it contained the following lines:
In essence, replace this:
with this:
cardamom is the function to call because the decompiled FlagstaffHill class declares public static native String cardamom(String str);: a static method implemented in native code (JNI) rather than in Java, which takes a String and returns a String, exactly the shape the patched call site needs.
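The smali edit above can be applied programmatically so it is repeatable and fails loudly when the method does not look as expected. The following Node script is an added example written for this writeup, not the author's tooling or anything shipped with the challenge; it assumes getFlag is static (so p0 is the typed password), that the success branch is the only place loading the literal "call it", and that apktool emitted a .locals line. SAMPLE_SMALI is a constructed stand-in for the relevant lines of FlagstaffHill.smali, not the real method body.

```javascript
// Added example: patch FlagstaffHill.smali the way the writeup describes.
// Run manually around apktool:
//   apktool d four.apk --no-res
//   node patch_smali.js four/smali/com/hellocmu/picoctf/FlagstaffHill.smali
//   apktool b four -o recompiled/recompiled_four.apk
// Assumption: getFlag is static, so p0 is the user's input string.

const INVOKE_CARDAMOM =
  'invoke-static {p0}, Lcom/hellocmu/picoctf/FlagstaffHill;->cardamom(Ljava/lang/String;)Ljava/lang/String;';

// Constructed stand-in for the method; only the lines the patch must
// find and rewrite are modelled, not the real password check.
const SAMPLE_SMALI = [
  '.method public static getFlag(Ljava/lang/String;Landroid/content/Context;)Ljava/lang/String;',
  '    .locals 6',
  '',
  '    if-eqz v5, :cond_0',
  '',
  '    const-string v5, "call it"',
  '',
  '    return-object v5',
  '',
  '    :cond_0',
  '    const-string v5, "NOPE"',
  '',
  '    return-object v5',
  '.end method',
].join('\n');

function patchGetFlag(smali) {
  const lines = smali.split('\n');

  const start = lines.findIndex((l) => /^\.method\b.*\bgetFlag\(/.test(l));
  if (start < 0) throw new Error('getFlag method not found');
  let end = lines.findIndex((l, i) => i > start && l.trim() === '.end method');
  if (end < 0) throw new Error('getFlag has no .end method');

  // move-result-object v0 needs at least one local register; apktool
  // emits the count as ".locals N" right after the method header.
  const locals = lines
    .slice(start, end)
    .map((l) => l.trim())
    .find((l) => l.startsWith('.locals '));
  if (!locals || parseInt(locals.split(/\s+/)[1], 10) < 1) {
    throw new Error('getFlag declares no local registers, v0 is not available');
  }

  const callIt = lines.findIndex(
    (l, i) => i > start && i < end && l.trim() === 'const-string v5, "call it"'
  );
  if (callIt < 0) throw new Error('const-string v5, "call it" not found in getFlag');

  // Replace the literal with the native call and capture its result in v0.
  const indent = lines[callIt].match(/^\s*/)[0];
  lines.splice(callIt, 1, indent + INVOKE_CARDAMOM, indent + 'move-result-object v0');
  end += 1;

  // Only the return that follows the patched branch changes; any other
  // return-object v5 in the method (e.g. the failure path) is left alone.
  const ret = lines.findIndex(
    (l, i) => i > callIt + 1 && i < end && l.trim() === 'return-object v5'
  );
  if (ret < 0) throw new Error('return-object v5 not found after the patched branch');
  lines[ret] = lines[ret].replace(/v5\s*$/, 'v0');

  return lines.join('\n');
}

// CLI: rewrite the given smali file in place.
if (typeof require !== 'undefined' && typeof module !== 'undefined' &&
    require.main === module && process.argv[2]) {
  const fs = require('fs');
  const target = process.argv[2];
  fs.writeFileSync(target, patchGetFlag(fs.readFileSync(target, 'utf8')));
  console.log('patched ' + target);
}
```

The register check matters more than it looks: smali is verified at install time, and a method that touches a register outside its declared .locals range fails verification, which surfaces only as a rejected APK on the emulator.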
Rebuild the application: apktool b four -o recompiled/recompiled_four.apk. The rebuilt APK is unsigned and Android will refuse to install it, so sign it with the latest release of patrickfav/uber-apk-signer:
This zipaligns the APK and signs it with a debug key, producing recompiled_four-aligned-debugSigned.apk, which can be installed.
Start an AVD in Android Studio. Install the app by dragging the APK onto the emulator. Enter the password, alphabetsoup, and click the button to get the flag:
picoCTF{not.particularly.silly}
Create an AVD in Android Studio through the AVD Manager that does not have the Play Store. I selected the Pixel 2, clicked "Clone Device...", and then hit "Finish", which created a device named "Pixel 2 (Edited)" without the icon in the Play Store category. Virtual devices without the Play Store can be rooted (adb root works on them), while those with it cannot easily be rooted, and frida-server has to run as root on the device.
ADB is located at ~/Android/Sdk/platform-tools/adb on Linux. See this StackOverflow answer for other OSes.
Install Frida on the virtual device by following their tutorial. Download the latest release from their releases page; the frida-server version must match the Frida client version installed on the host. I downloaded frida-server-12.9.7-android-x86.xz because my virtual device is x86. The architecture can be determined by clicking the more-options arrow in the AVD Manager and clicking "View Details". Decompress it with unxz frida-server.xz, then push it to the emulator with adb push, make it executable and start it in the background from a root adb shell, as the tutorial shows.
Install Frida on your host OS with pip install frida-tools (detailed instructions). Run frida-ps -U on your desktop to make sure everything is working; it should list the processes running on the device.
Install four.apk by dragging it onto the emulator.
Use frida.js to inject a modified getFlag() function into the running process. The script was built using the tutorial from Josh Spicer. The command is frida -U -l frida.js -f com.hellocmu.picoctf: -f spawns the app with the script loaded before any of its own code runs and leaves the main thread paused. Then run %resume to let the main thread start executing. Next, enter the password, alphabetsoup, and click the button to get the flag:
picoCTF{not.particularly.silly}
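What such a frida.js can look like, as an added example written for this writeup (it is not the author's script and not code from the app): it replaces getFlag so the success path calls the native cardamom() with whatever was typed, which is the same change the smali patch makes. It assumes getFlag has a single static overload, getFlag(String input, Context ctx), and the cardamom(String) native declared in FlagstaffHill; the installHook wrapper and the typeof Java guard are there only so the file also loads under plain Node for testing.

```javascript
// Added example of a Frida hook for droids4 (not the writeup's own frida.js).
// Run with: frida -U -l frida.js -f com.hellocmu.picoctf   then %resume
// Assumed signature: public static String getFlag(String input, Context ctx)

function installHook(JavaApi) {
  JavaApi.perform(function () {
    var FlagstaffHill = JavaApi.use('com.hellocmu.picoctf.FlagstaffHill');

    // Replace the Java method body. getFlag is static, so there is no
    // instance; the native is reached through the class wrapper, which is
    // what the smali patch does with invoke-static {p0}.
    FlagstaffHill.getFlag.implementation = function (input, ctx) {
      var flag = FlagstaffHill.cardamom(input);
      console.log('[*] getFlag("' + input + '") -> ' + flag);
      return flag;
    };
    console.log('[*] FlagstaffHill.getFlag hooked');
  });
}

// Inside frida the Java bridge is a global; under plain node it is not,
// so the hook is only installed when the bridge is actually present.
if (typeof Java !== 'undefined') {
  installHook(Java);
}
```

If Frida reports that getFlag has more than one overload, select the right one with FlagstaffHill.getFlag.overload('java.lang.String', 'android.content.Context').implementation instead of assigning to .implementation directly.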