Android CTF

Summary

A reverse engineering was performed on the provided .apk, finding 3 flags. Flag 1: Flag1:YouFoundthis!Findthesecondone? • Method: Simple Base64 in class d

Flag 2: Flag2:Yougothis!Findthelastone? • Method: Double Base64 in class e (base64 that contains another base64)

Flag 3: Flag:Congratsyougoallthree • Method: Combination of a.q() + b.r() + transformation f.i() • The number arrays in classes a and b are converted to characters • They are combined: u=28ir@?8C2EDJ@F8@2E9C66 • The transformation f.i() is applied: rotation of 47 positions in the ASCII range 33-126 • Final result: Flag:Congratsyougotallthree!

Scope

Download URL: https://github.com/AndroidCTFTeam/AndroidL1CTF
.zip file sha256: b1cbef85cede8a4c4f6e954f16d712920966b4fbbae8186dee262ecfda7ca22b
.apk file sha256: 4047c2612da1dfecec519efd4bab03c82befd65b6296bd9ddc5f20151194520a
zip password: AndroidL1CTFTeamL1CTFChallenge2025_Key

Goal

Obtain 3 flags, hiden in the code, knowing that they can be obtained with static analysis of the application. Without the need for emulators or running the app.

Step by step write up

Download file

The file is downloaded with git clone https://github.com/AndroidCTFTeam/AndroidL1CTF

File verification

First of all we verify that the files has the hashes indicated in the instructions:

`echo "b1cbef85cede8a4c4f6e954f16d712920966b4fbbae8186dee262ecfda7ca22b ChallengeFile.zip" | sha256sum -c`

Then we unzip the file:

We verify the second hash

`echo "4047c2612da1dfecec519efd4bab03c82befd65b6296bd9ddc5f20151194520a ChallengeFile.zip" | sha256sum -c`

In both cases we get an "Ok", the files are as expected.

Backups

As in all audits and CTFs that require file manipulation, a backup of the files is made. Just in case we wrongly manipulate the files.

.apk Analysis

Flag 1

We create a jadx folder and move the .apk to jadx

We open jadx-gui

We click on Open File and import the .apk

Once the .apk is loaded we look for the main domain files at SourceCode/com/trellix.trellixctf

Class d has a function a() that contains a variable called decoded which is assigned as the base64 decoding of the following string: RmxhZzE6WW91Rm91bmR0aGlzIUZpbmR0aGVzZWNvbmRvbmU

package com.trellix.trellixctf.b;

import android.util.Base64;
import java.nio.charset.StandardCharsets;

/* loaded from: app_debug/classes4.dex */
public class d {
    public static String a() {
        byte[] decoded = Base64.decode("RmxhZzE6WW91Rm91bmR0aGlzIUZpbmR0aGVzZWNvbmRvbmU/", 0);
        return new String(decoded, StandardCharsets.UTF_8);
    }
}

We use the terminal to decode the base64 string echo "RmxhZzE6WW91Rm91bmR0aGlzIUZpbmR0aGVzZWNvbmRvbmU" | base64 -d

With that we get the first flag. Flag1:YouFoundthis!Findthesecondone

Flag 2

Class e suspiciously has other long characters that contain '=' at the end. As extra fill for base64 characters.

package com.trellix.trellixctf.b;

/* loaded from: app_debug/classes4.dex */
public class e {
    public static String a() {
        String r = f.g("Um14aFp6STZXVzkxWjI5MGFHbHpJVVpwYm1SMGFHVnNZWE4wYjI1bFB3bz0=");
        String y = l.p(r);
        return y;
    }
}

This time there is no Base64.decode(...) function but if we decode the string we get another string that appears to be in base64

echo "Um14aFp6STZXVzkxWjI5MGFHbHpJVVpwYm1SMGFHVnNZWE4wYjI1bFB3bz0=" | base64 -d
RmxhZzI6WW91Z290aGlzIUZpbmR0aGVsYXN0b25lPwo=

If we decode the string again, we will find the second flag: Flag2:Yougothis!Findthelastone?

echo "RmxhZzI6WW91Z290aGlzIUZpbmR0aGVsYXN0b25lPwo=" | base64 -d                
Flag2:Yougothis!Findthelastone?

Flag 3

Class a has a function q with a variable gd of type int array, these are the values: {117, 61, 50, 56, 105, 114, 64, 63, 56, 67, 50, 69, 68, 74, 64, 70, 56, 64, 69}

If we check where this function is used, we will see that it is used in class f function i()

Function i() of class f performs an algorithm that concatenates two char arrays and applies ROT47 to them.

Basically this is the step by step of the algorithm:

Obtains two character arrays: a.q() and b.r().
Concatenates them in a StringBuilder.
Iterates through the resulting string and applies a shift of 47 positions to each character in an alphabet of 94 printable ASCII symbols (ROT47-type rotation).
Returns the transformed string. The obtained arrays are two. One from class a function q and the other is from class b function r {50, 61, 61, 69, 57, 67, 54, 54, 80};

This is function r from class b

The arrays are part of ASCII code. If we join them {117, 61, 50, 56, 105, 114, 64, 63, 56, 67, 50, 69, 68, 74, 64, 70, 56, 64, 69, 50, 61, 61, 69, 57, 67, 54, 54, 80};

We can use online tools like the following to get the chars from the ASCII code

The result is the following: u=28ir@?8C2EDJ@F8@E2==E9C66P

You can also get the same result with programming languages like python script like the following:

import sys    
def array_to_ascii(numbers_string):  
    numbers = [int(num.strip()) for num in numbers_string.split(',')]  
    result = ''.join(chr(num) for num in numbers)  
    return result  
  
if __name__ == "__main__":  
    input_array = sys.argv[1]  
    result = array_to_ascii(input_array)  
    print(result)

In this case using Pycharm Community edition.

Now we can apply the formula from function i() of class f mentioned earlier. If we take the u from ASCII, which is character number 117 we can apply the function manually:

index - '!' → 117 - 33 = 84
84 + 47 = 131
131 % 94 = 37
37 + 33 = 70
70 = F F could definetely be from "Flag" Doing it by hand would take us a lot of time so we will implement it in python:

concatenated = "u=28ir@?8C2EDJ@F8@E2==E9C66P"  
  
def simulate_function_i(text):  
    result = ""  
    for char in text:  
        ascii_val = ord(char)  
        transformed = ((ascii_val - 33) + 47) % 94 + 33  
        result += chr(transformed)  
    return result  
  
flag = simulate_function_i(concatenated)  
print(f"   Flag 3: {flag}")

The result in the print of our script is Flag:Congratsyougotallthree!

Used tools

Terminal
Jadx
Pycharm
ASCII to Chars
Kali linux All of the tools used in latest stable version. For example Jadx version 1.5.2

About me

Thanks for reading.

PreviousHow to protect your flask APIs from hackers

Last updated 3 months ago

hashtagSummary

hashtagScope

hashtagGoal

hashtagStep by step write up

hashtagDownload file

hashtagFile verification

hashtagBackups

hashtag.apk Analysis

hashtagFlag 1

hashtagFlag 2

hashtagFlag 3

hashtagUsed tools

hashtagAbout me