
Mobile


Last updated 6 months ago

Challenge | Link
Quiz (100 pts) | Here
Where's my APK? (499 pts) 🥉 |

Where's my APK? (499 pts)

Description

Can you achieve a leet download speed?

  • Note 1: Flag is not in the usual format.

  • Note 2: Only non password protected files can be opened with the app.

Solution

We are given an .aab file. Through googling, I found a way to convert it to a single APK:

brew install bundletool
bundletool build-apks --mode universal --bundle ./app-release.aab --output ./app.apks
mv app.apks app.zip
unzip app.zip

After decompiling with apktool, I found that this APK is built with Flutter.

So the source code will not be in the .dex file; it should be in libapp.so. I had previously read some articles on Flutter reverse engineering and found that this tool is very useful.

So let's use blutter on our target.

Now we have some information about the target. In this case I use the IDA script to recover the function names and the object pool. A small modification is needed for the script to work fully:

  • change # to any value (for example _)

After that, load the script and we will see that almost all functions are renamed. Let's filter the function names with cybersharing.

Back to the application, we need to find some string to use as a reference.

There is a string, so let's search for it in the object pool.

Next, go to the structures view, press Ctrl+G, and enter 0x7970 as the address.

We can see that there is an XREF; click it and we will see the code that uses the value.

Now the problem is that I cannot open any cybersharing.net/s/ URL with the application. So I decided to take a look at the AndroidManifest.

From the AndroidManifest, I put together a command that starts the Activity, including the data it uses.

adb shell am start -W \
    -c android.intent.category.BROWSABLE \
    -n com.et3rnos.cybersharing/.MainActivity \
    -d "https://cybersharing.net/s/630ca91826267dee"

Now I can continue to the next Activity.

We see some new information in the current activity. Let's try to find out which function renders the current screen.

  • cybersharing_files__FilesPageState::build_1d3f30

We can confirm it by looking at the object used in the function, such as below

Looking at the code, I found something suspicious.

We can see that the value 13371337 is used in a comparison, which is not common. Through the analysis I concluded the logic below:

  • if value == 13371337

    • Show string @Obj_0x3d60 -> WLGOOQNAWWPLSEA

  • else

    • Show string <speed> + MiB/s

Back to the challenge description, I also noticed that "leet" is mentioned. So let's try to find other uses of the value 13371337, using the immediate value search in IDA.

There are 3 instructions that load the value 13371337. Let's check each instruction.

After looking at each instruction, I had an idea: patch the library so that it behaves as if the value is 13371337. The easiest way to do that is by changing the B.NE to B.EQ. The problem is that this is not x64 architecture, so it is not that easy to change the assembly. But we have shell-storm as our savior.

Copy the bytecode for each B.NE <jump_location> into shell-storm, then disassemble it.

After that, copy the assembly and change b.ne to b.eq.

Now we have the pattern: decrement the first byte by 1 to change B.NE to B.EQ. So do that for all the remaining instructions.
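Why the "decrement the first byte" pattern holds: in the AArch64 B.cond encoding the condition code sits in the low four bits of the little-endian first byte (EQ = 0, NE = 1), so the branch offset is untouched. The script below is an added example, not part of the original write-up; the sample bytes and offsets are constructed and are not taken from the challenge's libapp.so.

```python
import struct

COND_NAMES = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
              "hi", "ls", "ge", "lt", "gt", "le", "al", "nv"]

def decode_bcond(insn: bytes):
    """Decode a 4-byte little-endian AArch64 instruction.

    Returns (condition, byte_offset) for B.cond, or None for anything else."""
    if len(insn) != 4:
        raise ValueError("AArch64 instructions are exactly 4 bytes")
    (word,) = struct.unpack("<I", insn)
    # B.cond layout: bits 31..24 = 0x54, imm19 in bits 23..5, bit 4 = 0, cond in bits 3..0
    if word & 0xFF000010 != 0x54000000:
        return None
    imm19 = (word >> 5) & 0x7FFFF
    if imm19 & 0x40000:              # sign-extend the 19-bit word offset
        imm19 -= 0x80000
    return COND_NAMES[word & 0xF], imm19 * 4

def bne_to_beq(insn: bytes) -> bytes:
    """Turn B.NE into B.EQ, refusing to touch anything that is not a B.NE."""
    decoded = decode_bcond(insn)
    if decoded is None or decoded[0] != "ne":
        raise ValueError("not a B.NE instruction: " + insn.hex())
    patched = bytes([insn[0] - 1]) + insn[1:]   # cond 0b0001 (NE) -> 0b0000 (EQ)
    # The branch target must be unchanged after the patch.
    assert decode_bcond(patched) == ("eq", decoded[1])
    return patched

def patch_image(image: bytes, offsets) -> bytes:
    """Apply bne_to_beq at each file offset of a binary image."""
    buf = bytearray(image)
    for off in offsets:
        buf[off:off + 4] = bne_to_beq(bytes(buf[off:off + 4]))
    return bytes(buf)

# Constructed sample: nop; b.ne +0x20; b.ne -8; nop
SAMPLE = bytes.fromhex("1f2003d5" "01010054" "c1ffff54" "1f2003d5")

if __name__ == "__main__":
    for off in (4, 8):
        print(hex(off), decode_bcond(SAMPLE[off:off + 4]))
    print(patch_image(SAMPLE, [4, 8]).hex())
```

Validating the opcode before writing avoids corrupting an unrelated instruction when an offset is copied wrongly from the disassembler.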

The last step is to rebuild the APK and sign it.

apktool b universal
cd universal/dist
uber-apk-signer --allowResign -a universal.apk
# install universal-aligned-debugSigned.apk

After that, install the new APK and trigger the activity again.

adb shell am start -W \
    -c android.intent.category.BROWSABLE \
    -n com.et3rnos.cybersharing/.MainActivity \
    -d "https://cybersharing.net/s/630ca91826267dee"

Now the flag will be shown in the top bar.

Flag: WCLHGQOWOEQBNZALWSWDPSLQSLELA

https://github.com/worawit/blutter
https://shell-storm.org/online/Online-Assembler-and-Disassembler/
https://stackoverflow.com/a/68752831