Mobile
Quiz (100 pts)
Here
Where's my APK? (499 pts) 🥉
Can you achieve a leet download speed?
Note 1: Flag is not in the usual format.
Note 2: Only non-password-protected files can be opened with the app.
Given an .aab file, I found through googling a way to convert it to a single APK.
After decompiling it with apktool, I found that this APK is built with Flutter.
So the application code will not be in the .dex files; it should be in libapp.so. I had previously read some articles on Flutter reverse engineering and found that this tool (blutter) is very useful.
So let's run blutter on our target.
Now we have some information about the target. In this case I use the generated IDA script to recover the function names and the object pool. A small modification is needed to make the script work fully:
Change # to any other character (for example _).
After loading the script, almost all functions are renamed. Let's filter the function names by cybersharing.
Back in the application, we need to find a string to use as a reference.
There is a string, so let's search for it in the object pool.
Next, go to the Structures view, press Ctrl+G and enter 0x7970 as the address.
We can see that there is an XREF; click it and we will see the code that uses the value.
Now the problem is that I cannot open any cybersharing.net/s/ URL with the application, so I decided to take a look at the AndroidManifest.
From the AndroidManifest I built a command to launch the Activity, including the data it expects.
Now I can proceed to the next Activity.
We see some new information in the current activity. Let's try to find out which function renders the current screen.
cybersharing_files__FilesPageState::build_1d3f30
We can confirm it by looking at the objects used in the function, as shown below.
Looking at the code, I found something suspicious.
We can see that the value 13371337 is used in a comparison, which is unusual. From the analysis I conclude the logic below:
if value == 13371337
Show string @Obj_0x3d60 -> WLGOOQNAWWPLSEA
else
Show string <speed> + MiB/s
Back to the challenge description, I also noticed that "leet" is mentioned. So let's try to find the other occurrences of the 13371337 value, using the immediate value search in IDA.
There are 3 instructions that load the value 13371337. Let's check each instruction.
After looking at each instruction, I had an idea: patch the library so that it behaves as if the value were 13371337. The easiest way to do that is to change the B.NE to B.EQ; the problem is that this is not an x64 architecture, so it is not that easy to change the assembly by hand. But we have shell-storm as our savior.
Copy the bytes of each B.NE <jump_location> instruction into shell-storm and disassemble them.
After that, copy the assembly and change b.ne to b.eq.
Now we have the pattern: decrementing the first byte by 1 changes B.NE to B.EQ (in the A64 encoding the condition code sits in the low four bits of the instruction, NE = 0b0001 and EQ = 0b0000, and those bits land in the first byte when stored little-endian). So do that for all the remaining instructions.
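To check the "first byte minus 1" pattern rather than trust it blindly, here is an added Python helper (not part of the original writeup) that decodes an A64 B.cond instruction, rewrites its condition field from NE to EQ, and applies that to a list of file offsets; the instruction bytes and the mini "library" below are constructed samples, not bytes from libapp.so.

```python
import struct

# A64 B.cond encoding: bits 31..24 = 0x54, bits 23..5 = imm19 (offset/4),
# bit 4 = 0, bits 3..0 = condition code.
COND_NAMES = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
              "hi", "ls", "ge", "lt", "gt", "le", "al", "nv"]
COND_EQ = 0x0
COND_NE = 0x1


def decode_bcond(insn):
    """Decode 4 little-endian bytes; return (cond_name, byte_offset) or None."""
    word = struct.unpack("<I", insn)[0]
    if (word >> 24) != 0x54 or (word >> 4) & 1:
        return None  # not a B.cond
    imm19 = (word >> 5) & 0x7FFFF
    if imm19 & (1 << 18):       # sign-extend the 19-bit immediate
        imm19 -= 1 << 19
    return COND_NAMES[word & 0xF], imm19 * 4


def patch_bne_to_beq(insn):
    """Return the instruction with its condition changed from NE to EQ."""
    decoded = decode_bcond(insn)
    if decoded is None or decoded[0] != "ne":
        raise ValueError("not a B.NE instruction: %s" % insn.hex())
    word = struct.unpack("<I", insn)[0]
    return struct.pack("<I", (word & ~0xF) | COND_EQ)


def patch_library(data, offsets):
    """Patch every B.NE at the given file offsets in a copy of the bytes."""
    buf = bytearray(data)
    for off in offsets:
        buf[off:off + 4] = patch_bne_to_beq(bytes(buf[off:off + 4]))
    return bytes(buf)


# Constructed sample: B.NE +0x40 (imm19 = 0x10) followed by a NOP and B.NE -4.
SAMPLE_LIB = bytes.fromhex("01020054" "1f2003d5" "e1ffff54")
```

Decoding the patched result should show b.eq with the same branch target, and the first byte of each patched instruction is exactly one less than before, which is the pattern the writeup found.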
The last step is to rebuild the APK and sign it.
After that, install the new APK and trigger the Activity again.
Now the flag is shown in the top bar.
Flag: WCLHGQOWOEQBNZALWSWDPSLQSLELA