- Category: Reversing
- 200 Points
- Solved by the JCTF Team
What we got
The download link points to an APK file. An APK (Android Package) is the file format used to distribute applications on Google's Android operating system.
I used Android Studio (Google's IDE for Android development) to install this APK into an emulator.
Trying to log in gives the following message: Login Failed!
To unpack and start reversing I used apktool, which extracts the APK and disassembles the Dalvik bytecode into smali, my preferred format for Android reversing: simple, like assembly.
Looking at the extracted files, we can see the LoginActivity, which receives the username and password and has an onClick method for the login button.
On the same path as LoginActivity there is another activity called TestActivity, which is not referenced anywhere in the application and is never called. Instead of receiving a username/password combination, this activity builds a token.
Looking at the code we can see that it:
Gets the application "signature". As the Android reference notes, "This class name is slightly misleading, since it's not actually a signature." The Signature object holds the public certificate that signed the application (the DER-encoded X.509 certificate), and the token is derived from it:
a/b/k/o;->a(Application context, 0x7f0c0001, "token", Base64(Sha256("signature")), True);
a/b/k/o;->a() opens a TLS connection to the server:
It creates some helper classes to verify the public certificate received from the TLS server.
Then it reads the Android raw resource 0x7f0c0001, a PKCS#12 file called qa.p12:
<public type="raw" name="qa" id="0x7f0c0001" />
This file is password protected, and the code retrieves the password from the string resource 0x7f0d001c, which is
<public type="string" name="clientCertPassword" id="0x7f0d001c" /> with the value
<string name="clientCertPassword">thecakeisalie</string>. So the password for the PKCS#12 file is thecakeisalie.
This PKCS#12 file holds a certificate together with its private key, which can also be used to sign Android applications.
It seems this TestActivity will help us get the challenge done!
I reworked the application so that, instead of calling the login onClick method of the LoginActivity, it calls the onClick method of the TestActivity.
I used apktool again to rebuild the new APK.
To run an application on Android the APK must be signed. I used APK Signed Tool to sign the APK, using the qa PKCS#12 file (password thecakeisalie).
Since we re-signed the application, the certificate behind its "signature" is now different from the original, so a token computed at runtime would no longer match. Instead of deriving the token from the "signature" of our new APK, I made the code use the token of the original signature.
The original "signature" is stored in the APK, in the META-INF folder, in a file named CERT.RSA. This file is in PKCS#7 (DER) format, while the "signature" the app receives from Android is the bare DER-encoded signing certificate contained in it.
I used OpenSSL to extract the certificate and compute Base64(Sha256(certificate)), which gave the original token,
so I changed the call to
a/b/k/o;->a(Application context, 0x7f0c0001, "token", "p9/BXgbp6d1vRtHIcCbi6Vm6faNALQIhYzQ6jXCpUvk=", True);
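The OpenSSL step above is the part of the procedure most easily gotten wrong: CERT.RSA is a PKCS#7 SignedData container, but the bytes Android returns from Signature.toByteArray() are only the DER X.509 certificate inside it, and the token is Base64(Sha256(...)) of exactly those bytes. The following Python is an added example, not code from the writeup or from the challenge; it walks the PKCS#7 structure with a minimal DER parser, pulls out the certificate TLVs and computes the token. Because a real CERT.RSA cannot be shipped here, the block builds a constructed stand-in (a SignedData with no signers wrapping a placeholder SEQUENCE that is labelled as such and is not a real certificate); the function names are my own.

```python
import base64
import hashlib

# --- minimal DER helpers (the encoder is only used to build the constructed sample) ---

def der_len(n: int) -> bytes:
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV."""
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at pos; return (tag, value, position after the TLV)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 (pkcs7-signedData)
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1 (pkcs7-data)

def certificates_from_pkcs7(cert_rsa: bytes) -> list:
    """Return the DER-encoded X.509 certificates carried in a CERT.RSA (PKCS#7 SignedData).

    Structure walked: ContentInfo { OID signedData, [0] EXPLICIT SignedData { version,
    digestAlgorithms, encapContentInfo, [0] IMPLICIT certificates, ... } }.
    """
    tag, content_info, _ = read_tlv(cert_rsa, 0)
    assert tag == 0x30, "ContentInfo must be a SEQUENCE"
    tag, oid, pos = read_tlv(content_info, 0)
    assert tag == 0x06 and oid == OID_SIGNED_DATA, "not a signedData ContentInfo"
    tag, explicit0, _ = read_tlv(content_info, pos)
    assert tag == 0xA0, "expected [0] EXPLICIT content"
    tag, signed_data, _ = read_tlv(explicit0, 0)
    assert tag == 0x30, "SignedData must be a SEQUENCE"
    pos = 0
    _, _version, pos = read_tlv(signed_data, pos)      # INTEGER version
    _, _digest_algs, pos = read_tlv(signed_data, pos)  # SET OF DigestAlgorithmIdentifier
    _, _encap, pos = read_tlv(signed_data, pos)        # EncapsulatedContentInfo
    tag, cert_set, pos = read_tlv(signed_data, pos)
    if tag != 0xA0:                                    # certificates are OPTIONAL
        return []
    certs, p = [], 0
    while p < len(cert_set):
        _, _body, nxt = read_tlv(cert_set, p)
        certs.append(cert_set[p:nxt])  # whole TLV: this is what Signature.toByteArray() returns
        p = nxt
    return certs

def signature_token(cert_der: bytes) -> str:
    """Base64(Sha256(signature)), the value TestActivity sends as the token."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode()

# --- constructed sample input (NOT a real CERT.RSA or a real certificate) ---

def build_sample_cert_rsa(cert_der: bytes) -> bytes:
    """Constructed stand-in for CERT.RSA: a SignedData wrapping cert_der, with no signers."""
    signed_data = tlv(0x30,
        tlv(0x02, b"\x01")                       # version 1
        + tlv(0x31, b"")                          # digestAlgorithms: empty SET
        + tlv(0x30, tlv(0x06, OID_DATA))          # encapContentInfo: id-data, no eContent
        + tlv(0xA0, cert_der)                     # certificates [0] IMPLICIT
        + tlv(0x31, b""))                         # signerInfos: empty SET
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed_data))

# Placeholder "certificate": a DER SEQUENCE with dummy contents, constructed for this example.
SAMPLE_CERT_DER = tlv(0x30, tlv(0x04, b"constructed placeholder certificate"))

def demo() -> str:
    """Extract the certificate from the constructed CERT.RSA and return its token."""
    certs = certificates_from_pkcs7(build_sample_cert_rsa(SAMPLE_CERT_DER))
    return signature_token(certs[0])

if __name__ == "__main__":
    print(demo())
```

On a real APK the same result comes from `openssl pkcs7 -inform DER -in META-INF/CERT.RSA -print_certs | openssl x509 -outform DER | openssl dgst -sha256 -binary | base64`; with the `cryptography` package installed, `pkcs7.load_der_pkcs7_certificates()` replaces the hand-written parser. Whichever route is used, hash the DER certificate, not the PEM text and not the whole CERT.RSA, or the token will not match what the unmodified app would have sent.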