MCH2022CTF - MySimpleLogin - Writeup

 

Description

image

Solution

We were given an APK file:

MySimpleLogin.zip

image

After downloading the APK file, we can use any Android DEX decompiler to open it.

To find the entry point or main activity, we can check the AndroidManifest.xml file.

image

The main activity for this APK is ctf.challenges.mysimplelogin.MainActivity, as shown in the screenshot. We can examine this activity to see what it does.

image

Based on the decompiled code, the APK contains a password checker. The function below shows how the check works.

image

The function takes an input value i, concatenates it with the string value of s, and passes the result to a function called l. It then compares the output of l to the value of h. If they are equal, it calls showError(w); if they are not, it calls showFlag(f). This looks backwards, so we should keep reading the code for more context.

[+] The l function:

The l function appears to be calculating the MD5 hash of the concatenation of i and s.

image

It’s good to know how the l function works. To find the values of s, h, and other string variables, we can check the resources section of the decompiled code.

        String s = getResources().getString(R.string.OO0O00OOO00O0O);
        String h = getResources().getString(R.string.OO0O00OOO00OOO);
        String f = getResources().getString(R.string.OO0O0O0OO00OOO);
        String w = getResources().getString(R.string.OO0O0OOOO00OOO);

It looks like the values of s, h, and other string variables are stored in the strings.xml file located in the res/values directory.

image

[+] The s value:

image

[+] The h value:

image

[+] The f value:

Used in the call showFlag(f);

image

[+] The w value:

Used in the call showError(w);

image

Based on the information we have gathered, it appears that the flag comes from showError(w), not from showFlag(f).

image

With the correct input, the app calls showError(w), which runs w through the r function 7 times and the x function once. To save time, I immediately copied the 3 functions into a new .java file.

Note: the original value of w contains some escaped characters, so I pasted it into this HTML Entities decoder for decoding.

public class MainActivity {

    // Strips the filler characters r..x from e, then XORs the rest with "X".
    public static void showError(String e) {
        System.out.println(x(r(r(r(r(r(r(r(e, "r"), "s"), "t"), "u"), "v"), "w"), "x"), "X"));
    }

    // Removes every occurrence of c from s.
    public static String r(String s, String c) {
        return s.replace(c, "");
    }

    // XORs each character of s with the repeating key k.
    public static String x(String s, String k) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            sb.append((char) (s.charAt(i) ^ k.charAt(i % k.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Value of w from strings.xml, after decoding the escaped characters.
        showError(">49s?#kjllw>ijvnra;;i>=kuki`ta;`iirj9::xtm;<rij%");
    }
}
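The same decode in Python, reading w from a strings.xml fragment so that the XML parser resolves the escaped characters instead of a separate entity decoder. This is an added example, not code from the original writeup: the XML fragment is constructed from the decoded w in the Java code above (the real file appears only as a screenshot), and load_string, show_error and fillers_are_safe are names chosen here.

```python
import xml.etree.ElementTree as ET
from html import escape

# Decoded value of w, copied from the Java code on this page.
W_DECODED = ">49s?#kjllw>ijvnra;;i>=kuki`ta;`iirj9::xtm;<rij%"

# Constructed stand-in for res/values/strings.xml: the entity-escaped form
# (&gt;, &lt;) is rebuilt with escape() because the real file is not on the page.
STRINGS_XML = (
    "<resources>\n"
    f'    <string name="OO0O0OOOO00OOO">{escape(W_DECODED)}</string>\n'
    "</resources>\n"
)

def load_string(xml_text, name):
    """Return the text of <string name=...>; the parser decodes the entities."""
    for node in ET.fromstring(xml_text).iter("string"):
        if node.get("name") == name:
            return node.text or ""
    raise KeyError(name)

def r(s, c):
    """Remove every occurrence of c from s (same as the app's r)."""
    return s.replace(c, "")

def x(s, k):
    """XOR each character of s with the repeating key k (same as the app's x)."""
    return "".join(chr(ord(ch) ^ ord(k[i % len(k)])) for i, ch in enumerate(s))

def show_error(e):
    """Strip the filler characters r..x, then XOR with 'X', as showError does."""
    for filler in "rstuvwx":
        e = r(e, filler)
    return x(e, "X")

def fillers_are_safe(alphabet="flag{}0123456789abcdef"):
    """True if no character of the plaintext alphabet encodes to a filler,
    i.e. stripping r..x can never delete part of the encoded flag."""
    return not (set(x(alphabet, "X")) & set("rstuvwx"))

if __name__ == "__main__":
    w = load_string(STRINGS_XML, "OO0O0OOOO00OOO")
    print("fillers safe to strip:", fillers_are_safe())
    print(show_error(w))
```

fillers_are_safe shows why the seven r calls are lossless: XORed with "X", the letters r to x correspond to punctuation and a space, none of which occur in a flag{hex} string.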

Flag

By running the Java code above, you should be able to see the flag printed out.

image