Installing the application
Make sure to connect the android phone with debugging mode enabled and then install the application.
adb install kgb-messenger.apk
Decoding using Apktool
Decode the APK using Apktool and output it into
Converting the apk in .jar format using dex2jar
We convert to jar because then we can use JD-GUI to see Java code.
Using JD-GUI, we open the
kgb-jar.jar created by the dex2jar (previous command).
Launching the app now
As soon as we launch the app we get this error.
To see what is causing this error, we need to see which Activity is being launched first. So we open
AndroidManifest.xml which can be found inside
kgb-smali (Files created by apktool)
Using vim editor, we open
MainActivity is the activity that is launched first. So use JD-GUI to view
We can see, when the activity is created, two string values are checked. First
str1 is checked if it equals to Russia. Similarly,
str2 is checked if it equals to
getResources().getString(2131558400). The number is numerical representation for the value of string stored in
Since we also have the
.smali files inside smali folder created by Apktool, we open
MainActivity.smali and locate this particular line
Before that we need to represent
2131558400 in hex format so that it becomes easier for us to find the value inside of smali code.
So we open
MainActivity.smali file using Vim editor.
Now, we try to locate the String resource which has the id
0x7f0d0000 and is being compared to
We go to the res/values directory and search where does
We see that the name is “User” and type is “string”. So we search for “User” and in strings.xml file the name=”User” has value encoded using Base64. We docode it.
Capturing the Second Flag
To capture the second flag we need to go to the next activity, that is
In order to get to
LoginActivity, we need to find a way to get through both if conditions or we could just remove them.
Let’s open the
.smali version of
MainActivity.class to remove the code responsible for both if conditions.
Getting rid of both conditions
Note: Make sure after removing your code looks this and ends with
Building the apk
After making the changes we need to build the apk. So we build the apk using Apktool.
Signing the apk
We cannot directly install the apk. We need to sign them first. However, since we are not the original developers of this app, we will Uber Apk Signer for this purpose.
Installing and running the modified apk
Now when we launch, we are directly taken to
Now we have to find out what the username and password is. Let’s take a look at the source code again but this time for LoginActivity using
onLogin method, we have two edit text who are converted to string.
EditText1 is converted to string
EditText2 is converted to string
o. Right now we do not know which EditText corresponds to username and password.
We look at the first nested if condition, string
n is being compared to a resource with id
2131158450. So we convert it to hex code again and check if we can find the corresponding string name.
So the username is codenameduchess.
Let’s try to find the password using the same method used for username.
We go through the code again, and can see that function
j should return
Here, the string
o is hashed using MD5 and then compared with string resource id
We try to find the value of hash from strings.xml and would use
findmyhashto find its original value.
We get hash value in the
strings.xml, but when we try to use
findmyhash to find the hash’s original value, we do not get any results.
The question did say that we would have to use social engineering to get the password. So we try googling codenameduchess.
The name of account ‘Sterling Archer’ also checks out with the first flag. So we take a look at it’s twitter account.
It looks like it is a character of a TV show. We now try to Google for
codename duchess password.
We open the PDF, and search through it for password.
According to this, the password is Guest. So we input the password as ‘guest’ (all lowercase).
And..we are in. The Flag is G00G13_PR0.
Checking the value of hash
Just for fun, let’s see why could we not find the hash. So when we calculate the MD5 hash of guest, we get
So the reason we were not able to find the result was the hash we had was incomplete (did not have the zero at the start).
Capturing the third flag
After logging in, we are taken to MessageActivity. There’s where we will find our third flag.
So we open
JD-GUI, we take a look at the source code.
Whenever we send the message,
onSendMessage function is called, and the text entered using EditText is converted to String
Now if we look closely, the string str is passed to a function named a on which equals function is called to check if it is equal to p.
The value of p is:
Now, let’s take a look at function
a returns string. In this function, the value of string passed as an argument obtained by:
So, the value of p equals to the parameter string passed to this function a. So, we can reverse engineer the original value of p by doing these steps in reverse. As we know
(A XOR B) XOR B = A, we can use this to find the original value of the string:
We recreate this above algorithm using Python:
When we run this file, we get
So we enter this string as the input for the EditText of the app:
Similarly, the input from the EditText is passed through function
b and check if it equals to string
While converting the smali code to java class, there seems to be some problem. The code can be refactored so it can be better understood.
Here it is not possible to reverse engineer, so we try to brute force our way in. We check for what values of loop iterable
i and alphabet, we get the output
After running this file, we get the output.
The values for every 8th position is ‘_’ because we have i%8 == 0. And irrespective of the alphabets, the output from the function is 0, so it is difficult to find the answer using brute force.
So the message could be May I *PLEASE* have the password.
Let’s put this message
Third flag captured.
Why did not directly type this message and type the message before?
To understand this, we need to see how the flag is calculated. Function
i is responsible for calculating the flag. Let’s see how
The first condition checks if String
s are not null. That is they have to be initialized and set to some specific value. We cannot delete this if condition like before because we need values of
s to calculate the flag.
It’s only after successfully sending both questions, the values for
s are set. So it is necessary to send both messages.