Introduction

Source: https://github.com/num1r0/android_crackmes

This article covers the following tool: GDA

crackme_0x01

Jump to the APK entry point with the shortcut button to begin the analysis, as shown below:

[image]

Entry Point Code

[image]

  • Code parsing
    This code defines an Android activity class named MainActivity, which extends AppCompatActivity. The class declares two private fields, name and description, which hold the application's name and description; both are initialized in the MainActivity constructor.

The follow method handles a click event by attempting to open the link to a specific Twitter user; if the first attempt fails, it tries to open the link another way.

The onCreate method is one of the lifecycle methods of an Android activity and runs when the application starts. Here the ActionBar is hidden, the layout is set, and a click listener is registered. When the user clicks the "submit" button, the onClick method of a MainActivity$1 instance is executed.

Key point: MainActivity$1

[image]

Code content

[image]

  • Code parsing
    This code is an anonymous inner class, MainActivity$1, that implements the View.OnClickListener interface used in Android development to handle click events.

Analyze the various parts of this class:

  1. The constructor MainActivity$1(MainActivity p0, EditText p1) stores its parameters in the final fields this$0 and val$edttxt: this$0 is a reference to the enclosing MainActivity instance, and val$edttxt is an EditText, presumably the text box the user types into on the screen. The constructor then calls super() to initialize the remaining attributes of the class.
  2. The onClick(View p0) method is part of the View.OnClickListener interface and is called when the user clicks the button. It calls the getFlag method of the FlagGuard class to obtain a string named flag. If flag is not null, an AlertDialog.Builder is created with the title "Congratulations!" and the message "The flag is:" followed by the returned string. Otherwise a dialog titled "Nope!" with the message "Wrong password -> No flag :)" is shown. Both dialogs set a positive button together with a click handler for it; the two handlers are MainActivity$1$1 and MainActivity$1$2, inner classes of MainActivity$1 that presumably handle the click on the "OK" button.
    The key decision method, getFlag, is found here; double-click it to view

Key point: getFlag

  • Code content
    [image]
  • Code parsing
    This code defines a Java class called FlagGuard with the following parts:
  1. Member variables:
    1. flag: a variable that stores the decrypted string.
    2. pad: a string containing the lowercase letters, used by the decryption process.
    3. scr: a string of obfuscated characters that will be decrypted.
  2. Constructor:
    1. When a new FlagGuard object is created, the constructor initializes the pad and scr variables and sets flag to an empty string.
  3. The unscramble() method:
    1. A private method that decodes a string. It first creates a StringBuilder named str, then iterates over each character of the "QW4R" string, compares it with the characters of the "ABCDEFGHIJKLMNOPQRSTUVWXYZ" string to compute its position in the alphabet, and appends the result to str. Finally str is returned.
  4. The getFlag(String p0) method:
    1. A public method that returns the flag string. It first checks whether the parameter p0 equals the string returned by the getData() method of the Data class. If it does, unscramble() is called and its result is returned; otherwise null is returned.
      This is the key point for both the check and the output. Two ideas: change the check so that it no longer returns null, or look at the getData method it calls to find the comparison string, which is most likely the flag

Modify the judgment

Now right-click at the position to change and use the switch-code function to view the bytecode

[image]

Smali code

[image]

There are two ideas here: fill the if-eqz with NOPs, or modify the branch instruction to change if-eqz into if-nez

Both approaches are demonstrated below

  • NOP
    Right-click the position to patch and choose the NOP Fill function

[image]

The result of the modification

[image]

Press R to save the changes

[image]

Click OK, then perform the installation test step

Select the connected device

[image]

[image]

Installation complete

[image]

[image]

Input test

[image]

The flag pops up

[image]

  • Modify the instruction
    Since NOPs were filled in earlier, first recover the DEX data and reload

[image]

After recovery and reload

[image]

Press M to enter modify mode, or right-click at the position to modify and choose the modify-instruction function

[image]

Go back and check the effect of the modification

[image]

Explanation

if-nez: compares the register with zero and jumps if it is not equal to zero

if-eqz: compares the register with zero and jumps if it is equal to zero

Here the branch is changed to if-nez, so a wrong input now takes the path that outputs the flag
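To make the difference between the two patches concrete, here is a small Python model (added here; it is not code from the page or from the crackme) of the smali shape described above: the result of equals() is moved into v0 and if-eqz sends a wrong password to the return-null path. The fragment, the register names, the class name and the flag value are constructed for this example.

```python
# Constructed smali fragment mirroring the shape of the getFlag check:
# equals() -> move-result -> if-eqz -> return null. Not the crackme's own bytecode.
ORIGINAL = """
    invoke-virtual {p1, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v0
    if-eqz v0, :cond_0
    invoke-direct {p0}, Lcom/example/FlagGuard;->unscramble()Ljava/lang/String;
    move-result-object v0
    return-object v0
    :cond_0
    const/4 v0, 0x0
    return-object v0
"""
# The two patches the page applies: flip the branch, or overwrite it with nop.
PATCH_IF_NEZ = ORIGINAL.replace("if-eqz", "if-nez")
PATCH_NOP = ORIGINAL.replace("if-eqz v0, :cond_0", "nop")

def run(smali, password, secret, flag="flag{constructed}"):
    """Interpret only the opcodes this fragment uses. p1 holds the typed
    password, v1 the Data.getData() string; returns what getFlag returns."""
    lines = [ln.strip() for ln in smali.strip().splitlines() if ln.strip()]
    labels = {ln: i for i, ln in enumerate(lines) if ln.startswith(":")}
    regs = {"p1": password, "v1": secret, "v0": None}
    result = None  # value produced by the most recent invoke-*
    pc = 0
    while pc < len(lines):
        parts = lines[pc].replace(",", " ").split()
        op = parts[0]
        if op == "invoke-virtual":              # String.equals(): 1 = true, 0 = false
            result = 1 if regs["p1"] == regs["v1"] else 0
        elif op == "invoke-direct":             # FlagGuard.unscramble()
            result = flag
        elif op in ("move-result", "move-result-object"):
            regs[parts[1]] = result
        elif op == "const/4":                   # const/4 v0, 0x0 is null
            regs[parts[1]] = int(parts[2], 16) or None
        elif op == "return-object":
            return regs[parts[1]]
        elif op in ("if-eqz", "if-nez"):
            is_zero = regs[parts[1]] in (0, None)
            if is_zero == (op == "if-eqz"):     # branch taken
                pc = labels[parts[2]]
                continue
        # nop and label lines simply fall through
        pc += 1
    return None
```

Running the three variants shows the behaviour observed on the page: the if-nez patch inverts the check (a wrong password yields the flag, the right one yields null), while the NOP patch removes the check entirely.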

Save, then install and test

[image]

The flag is obtained this way as well

Looking at getData

Double-click the getData location

  • The code is as follows
    [image]
  • Code analysis
    This is a Java class called Data containing a private String field, secret, and two public methods: the Data() constructor and getData(). However, getData does not return the value of the secret field; instead it returns a hard-coded string ("S3CR37").

From the analysis before and after, this string is the comparison key

Testing the modified APK

[image]

The key observation here is that with the correct input, the modified APK returns the wrong data,

so install the unmodified APK to validate

[image]

Verification succeeded

crackme_0x02

Entry function

The entry point is viewed in the same way

[image]

The code here is similar to the previous one and will not be explained again

Key point: MainActivity$1

[image]

The code here is similar to the previous one and will not be explained again

Key point: getFlag

  • Code content
    [image]
  • Code parsing
    This code defines a Java class called FlagGuard. Here is a detailed breakdown of the class:
  1. Member variables:
    1. c1: an integer variable.
    2. c2: a double-precision floating-point variable.
    3. flag: a string variable that stores the decrypted flag.
    4. pad: a string containing the lowercase letters, used by the decryption process.
    5. scr: a string of obfuscated characters that will be decrypted.
  2. Constructor:
    1. When a new FlagGuard object is created, the constructor is called. It initializes the pad and scr variables, sets flag to an empty string, and assigns the values of c1 and c2.
  3. The unscramble() method:
    1. A private method that decrypts scr.
    2. It iterates over each character of scr, finds the position of that character in pad, and subtracts a fixed value from that position (the result of some involved arithmetic that includes the product of c1 and c2) to obtain an index. That index is then used to select a character from pad, which is appended to the result string.
    3. If the character is not found in pad (that is, the index is less than 0), it is appended to the result string unchanged.
    4. Finally the method returns the decrypted string. Throughout this process it prints some debugging information with Log.e.
  4. The getFlag(Context p0, String p1) method:
    1. A public method that takes a Context object and a string as arguments.
    2. If the incoming string equals the string returned by the getData(p0) method of another class (probably Data), unscramble() is called and the decrypted string is returned.
    3. Returns null if the incoming string does not match.
      Apply the same approach as before and test
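The getFlag gates of crackme_0x01 and crackme_0x02 share one structure: a comparison against the string from Data.getData() decides whether unscramble() runs, and unscramble() itself never uses the password. The Python model below is added here as an illustration (it is not the crackme's code); the pad, the shift, the secret and the plaintext are constructed values standing in for the APK's own.

```python
# Model of the FlagGuard/Data pair described for crackme_0x01 and crackme_0x02.
# All values here are constructed for this example, not taken from the APKs.
PAD = "abcdefghijklmnopqrstuvwxyz"   # the lowercase "pad" string
SHIFT = 3                            # stands in for the fixed value derived from c1 * c2
SECRET = "example_password"          # stands in for what Data.getData() returns

def scramble(plain, pad=PAD, shift=SHIFT):
    """Inverse of unscramble(); used only to build a sample scr string."""
    out = []
    for ch in plain:
        i = pad.find(ch)
        out.append(pad[(i + shift) % len(pad)] if i >= 0 else ch)
    return "".join(out)

def unscramble(scr, pad=PAD, shift=SHIFT):
    """Decoder as the page describes it: look each character up in pad,
    subtract the fixed value and take the pad character at that index;
    characters not found in pad (index < 0) are appended unchanged.
    Wrapping the index with % is an assumption of this model."""
    out = []
    for ch in scr:
        i = pad.find(ch)
        out.append(ch if i < 0 else pad[(i - shift) % len(pad)])
    return "".join(out)

# What the APK would carry as its hard-coded scr field.
SCR = scramble("flag{constructed_sample}")

def get_flag(password, secret=SECRET):
    """The gate: only the string comparison decides; unscramble() never sees the password."""
    if password == secret:
        return unscramble(SCR)
    return None

def flag_without_password():
    """Why patching the branch (or reading getData's string) works: everything
    needed to produce the flag is already inside the app, independent of the check."""
    return unscramble(SCR)
```

The point for anyone shipping such a check: a secret compared client-side and a decoder bundled with the app give no protection, because both the comparison value and the decode routine are recoverable from the APK.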

[image]

[image]

The flag is obtained easily

Key point: getData

[image]

This Java code defines a class called Data in the com.entebra.crackme0x02 package. The class includes the following:

Imports of some required classes:

java.lang.Object: the base class from which every Java class inherits.

android.content.Context: the Context object of an Android application, used to access the application's resources.

java.lang.String: the Java String type.

  1. Member variable:
    1. secret: a private String variable that stores a secret string.
  2. Constructor:
    1. public void Data(): the constructor of the class; it takes no arguments, calls the parent's super() constructor, and initializes secret to an empty string.
  3. Method:
    1. public String getData(Context p0): a public method that takes a Context parameter named p0. It reads the string resource R.string.secret through the Context object, assigns it to secret, and returns the value of secret.
    2. This resource file is normally located at res/values/strings.xml
      [image]
The value found there: s0m3_0th3r_s3cr3t_passw0rd

Validation

[image]

crackme_0x03

Entry function

Also accessed via the shortcut key

[image]

Key point: MainActivity$1

[image]

Key point: getFlag

[image]

  • Code parsing
    This Java code defines a class called FlagGuard. The class contains a char array named flag and a private method named generate. The main purpose of generate is to produce a string based on the input string p0 (it is used in the getFlag method).

First, the code imports the required classes, such as Object, String, StringBuilder and android.os.Build$VERSION.

Next, the constructor of the FlagGuard class creates a char array called uocharArray and assigns it to this.flag.

The generate method begins by defining several integer variables and then creates an integer array called ointArray. Next, a StringBuilder named str is created to hold the generated string, and another integer array, ointArray1, is created to be operated on in the loops that follow.

In the if statement the code checks whether the length of Build$VERSION.CODENAME is greater than 0. If so, a while loop runs; inside it a series of operations (assignment, shifts, addition and so on) is performed on the elements of ointArray1. The exact purpose of these operations is unclear; they are probably related to generating the string.

In another if statement, if the input string p0 satisfies the isPasswordOk method of the Data class, the generate method is called to produce the string.

In the generate method, the input string p0 is first checked against the criteria. If it passes, a for loop iterates over the integer array ointArray and stores the value of each element in the flag array. Finally the flag array is joined into the StringBuilder str and the result is returned.

In summary, the main purpose of this code is to generate a string that is probably related to password validation. The concrete generating logic involves a series of complicated arithmetic operations whose exact meaning is not yet clear.

Summary: you can modify the check, look at the generate method to produce the string, or look at the content of isPasswordOk

Modification

[image]

The flag is obtained easily

[image]

Key point: generate

[image]

  • Code parsing
    The main function of this Java code is to generate a string from an integer array and a set of specific operations. Here is a detailed breakdown:
  1. Variable definitions: some integer variables and a StringBuilder variable are defined.
  2. Create an integer array: an integer array called ointArray1 of length i (20) is created and initialized with an array initializer list.
  3. Set the array elements: all elements of ointArray1 are set to 27.
  4. Check: if the length of Build$VERSION.CODENAME is greater than 0, do the following; otherwise execute the code at line 9.
  5. Loop: a while loop runs while i2 is less than i3 (5). In the loop body, various operations are performed depending on the value of i2, including setting array elements and swapping element positions. At the end of each iteration i2 is incremented by 1; the loop exits when i2 is greater than or equal to i3.
  6. Set array elements: element i5 (10) of ointArray1 is set to 73, elements 13, 12 and i4 (11) are set to 79, and element 7 is set to 79-2.
  7. Loop: a while loop runs while i2 is less than i (20). In the loop body, various operations are performed depending on the value of i2, including setting array elements and swapping element positions. At the end of each iteration i2 is incremented by 1; the loop exits when i2 is greater than or equal to i.
  8. Return the result: the value of the StringBuilder str, the generated string, is returned. Through its loops and conditionals the whole function performs a series of operations on the integer array and finally produces a specific string.

The key point: isPasswordOk

[image]

  • Code parsing
    This Java code defines a class called Data, used mainly for password validation. Here is the breakdown:
  1. Class definition and static block: a class named Data is defined, along with a static lastError variable that defaults to "Unknown error…".
  2. Constructor: the constructor of the Data class sets the following properties:
    1. short: the message for a password that is too short
    2. long: the message for a password that is too long
    3. wrong: the message for a wrong password
    4. password: the password length, 6 by default
    5. password: the MD5 hash value used to validate the password, by default "AC43BB53262E4EDD82C0E82A93C84755"
  3. The md5Compare method: compares the MD5 hash values of two strings for equality; returns true if equal, otherwise false.
  4. The getData method: returns the MD5 hash value held by the Data class, "AC43BB53262E4EDD82C0E82A93C84755"
  5. The getLastError method: returns the value of the lastError variable, used to display the last error message
    Reading this far, the key information is obtained by reversing the MD5 hash

[image]