[CTT2023] Show me the flag — 100 pts

Fnnnr · 3 min read · Sep 17, 2023


Let’s continue to the second challenge for mobile security!

Like the last one, let’s decompile the program first using jadx:

For this one, I look at the AndroidManifest.xml first to find the entry point, i.e. the main activity. To do that, look for the activity tag whose intent-filter contains the action android.intent.action.MAIN (together with the LAUNCHER category). In this case:

Once we know the main activity, let’s see what it is doing:

So there is a passcode input, and it only triggers FlagActivity if we supply the PIN “YourPINNeverMatched”.

Given the name of the activity, the FlagActivity must contain our flag. Let’s see what it does:

FlagActivity (part 1)
FlagActivity (part 2)

There are multiple ways to solve this:

  • run the getFlag code in Java
  • call the activity directly
  • modify the smali

For this blog, I will go over the first and second way.

Run the getFlag code in Java

This one is pretty straightforward and is the one I used in the competition. Copy the code and paste it into a Java compiler, either online or locally.

But before we can do that, note that the code calling this function does not contain the string literal directly. Instead, it references R.string:

R.string.&lt;name&gt; is a generated integer resource ID that points to a string resource; the actual value lives in res/values/strings.xml:

Now we can put all of the code into a Java compiler!

Reference: https://www.tutorialspoint.com/compile_java_online.php

Call the activity directly

For this one, we need to know a couple of things:

  • Does the target activity have android:exported set to true?
  • Is any data sent when starting the activity?
  • How does the target activity handle that data?

Let’s go through each one.

Does the target activity have android:exported set to true?

Yes

AndroidManifest.xml (FlagActivity)

Is any data sent when starting the activity?

Yes, a string extra with the key PIN.

How does the target activity handle that data?

We only get the flag if the intent extra with key PIN is set to showmetheflag.

With all this information, we can start the activity ourselves!

To start it, we use the activity manager (am) from an adb shell. The syntax is:

am start -n <COMPONENT NAME> -e <EXTRA_KEY> <EXTRA_STRING_VALUE>

Here the component name is <package>/<activity class>, and -e (alias of --es) attaches a string extra to the intent.

So, in our case:

and the flag is shown!
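The manifest triage from the two sections above (finding the MAIN activity and deciding whether an activity is exported) and the construction of the am start command line, as an added example that is not from the original writeup. The embedded manifest, the package name com.example.ctf and every activity name in it are constructed for this example; the real challenge's identifiers are not reproduced here.

```python
"""Static triage of a decompiled AndroidManifest.xml plus an `am start` builder.

Added example for this writeup, not the challenge's own code. The manifest
below and all package/activity names in it are CONSTRUCTED (hypothetical).
"""
import shlex
import subprocess
import sys
import xml.etree.ElementTree as ET

# ElementTree exposes android:foo attributes as "{namespace}foo".
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest with hypothetical package and activity names.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ctf">
    <application android:label="ShowMeTheFlag">
        <activity android:name="com.example.ctf.MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name="com.example.ctf.FlagActivity" android:exported="true"/>
        <activity android:name=".HiddenActivity"/>
        <activity android:name=".ShareActivity">
            <intent-filter>
                <action android:name="android.intent.action.SEND"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""


def qualify(package, name):
    """Expand the shorthand ".Foo" form of android:name to package.Foo."""
    return package + name if name.startswith(".") else name


def parse_manifest(xml_text):
    """Return (package, [activity records]) in manifest order."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    activities = []
    for act in root.iter("activity"):
        exported_attr = act.get(A + "exported")
        has_filter = act.find("intent-filter") is not None
        is_main = any(
            action.get(A + "name") == "android.intent.action.MAIN"
            for action in act.iter("action")
        )
        if exported_attr is None:
            # Pre-Android 12 default: an activity with an intent-filter is
            # exported, one without is not. Since Android 12 (API 31) the
            # attribute must be explicit for components with intent filters.
            exported = has_filter
        else:
            exported = exported_attr.lower() == "true"
        activities.append({
            "name": qualify(package, act.get(A + "name")),
            "main": is_main,
            "exported": exported,
            "explicit": exported_attr is not None,
        })
    return package, activities


def main_activities(activities):
    """Entry points: activities whose intent-filter carries the MAIN action."""
    return [a["name"] for a in activities if a["main"]]


def exported_activities(activities):
    """Activities that a third party (or `am start`) may launch directly."""
    return [a["name"] for a in activities if a["exported"]]


def am_start_command(package, activity, extras):
    """Build the `adb shell am start` line for a component with string extras.

    --es is the explicit string-extra form; -e is its alias. Each argument
    is shell-quoted so values with spaces survive the trip to the device.
    """
    argv = ["adb", "shell", "am", "start", "-n", f"{package}/{activity}"]
    for key, value in extras.items():
        argv += ["--es", key, value]
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    package, acts = parse_manifest(SAMPLE_MANIFEST)
    for a in acts:
        status = "exported" if a["exported"] else "not exported"
        if not a["explicit"]:
            status += " (inferred from intent-filter presence)"
        print(f"{'MAIN ' if a['main'] else '     '}{a['name']}: {status}")
    # Hypothetical target: the exported FlagActivity expects PIN=showmetheflag.
    cmd = am_start_command(package, "com.example.ctf.FlagActivity",
                           {"PIN": "showmetheflag"})
    print(cmd)
    if "--run" in sys.argv:  # only talk to a connected device when asked
        subprocess.run(shlex.split(cmd), check=False)
```

Two caveats worth knowing before running the generated command against a real device: if the activity is not exported, am start fails with a SecurityException ("Permission Denial: starting Intent ... not exported from uid ..."), and the target compares the extra's value exactly, so a value with spaces or shell metacharacters must be quoted or the device-side shell will split it.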

Part 1:


Fnnnr

Currently a penetration tester. Interested in binary exploit and RE.