Mobile

Challenge | Link
Quiz (100 pts) | Here
Where's my APK? (499 pts) 🥉 | (this page)

Where's my APK? (499 pts)

Description

Can you achieve a leet download speed?

  • Note 1: Flag is not in the usual format.

  • Note 2: Only non password protected files can be opened with the app.

Solution

We are given an .aab (Android App Bundle) file. Through googling I found a way to convert it into a single universal APK with bundletool:

brew install bundletool
# --mode universal produces one APK that contains every ABI
bundletool build-apks --mode universal --bundle ./app-release.aab --output ./app.apks
mv app.apks app.zip
unzip app.zip            # the archive contains universal.apk
apktool d universal.apk  # decompile into the universal/ directory that is rebuilt later

Decompiling it with apktool shows that this APK is a Flutter app.

So the app logic will not be in the .dex files; it is an AOT-compiled Dart snapshot in lib/<abi>/libapp.so. I had previously read some articles on Flutter reverse engineering and found that blutter is a very useful tool for this.

So let's run blutter on our target (it takes the lib/arm64-v8a directory of the extracted APK plus an output directory, and produces disassembly, an object-pool dump and IDA scripts).

Now we have some information about the target. In this case I used the generated IDA script to recover the function names and the object pool. The script needed a small modification to work fully:

  • replace # in the generated names with some other character (for example _), so that IDA accepts the names

After loading the script almost all functions are renamed. Let's filter the function names by cybersharing.

Back in the application, we need a string that we can use as a reference into the code.

There is one, so let's search for it in the object pool.

Next, go to Structures, press Ctrl+G and enter 0x7970 (the object-pool offset of that string) as the address.

We can see that it has an XREF; click it and we land on the code that uses the value.

Now the problem is that I cannot open any cybersharing.net/s/ URL with the application, so I decided to take a look at the AndroidManifest.

From the AndroidManifest (the BROWSABLE intent filter on MainActivity) I built an am start command that launches the Activity with the URL as its intent data:

adb shell am start -W \
    -c android.intent.category.BROWSABLE \
    -n com.et3rnos.cybersharing/.MainActivity \
    -d "https://cybersharing.net/s/630ca91826267dee"   # -W waits for the launch, -d sets the intent data

Now I can get to the next page of the app.

We see some new information on the current page. Let's find out which function renders this screen.

  • cybersharing_files__FilesPageState::build_1d3f30

We can confirm it by looking at the objects referenced from the function, such as below.

Looking at the code, I found something suspicious.

The value 13371337 is used in a comparison, which is not common. From the analysis I concluded the following logic:

  • if value == 13371337

    • Show string @Obj_0x3d60 -> WLGOOQNAWWPLSEA

  • else

    • Show string <speed> + MiB/s

Back to the challenge description: it also mentions "leet". So let's look for other uses of the value 13371337 with IDA's "search immediate value".

There are 3 instructions that load the value 13371337. Let's check each one.

After looking at each instruction I had an idea: patch the library so that it always takes the branch it would take if the value were 13371337. The easiest way to do that is to change each B.NE into a B.EQ. The catch is that this is AArch64, not x64, so the opcode cannot simply be eyeballed. Shell-storm's online assembler/disassembler comes to the rescue.

Copy the bytes of each B.NE <jump_location> into shell-storm and disassemble them.

Then edit the assembly from b.ne to b.eq and assemble it again.

Comparing the two encodings gives the pattern: the condition code lives in the low four bits of a B.cond instruction (NE = 0b0001, EQ = 0b0000), so in the little-endian byte sequence the first byte is decremented by 1 to turn B.NE into B.EQ. Apply that to the remaining instructions.
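The same patch can be done without an online assembler by decoding the B.cond encoding directly. The script below is an added example, not code from the writeup or from blutter: it decodes AArch64 B.cond instructions (top byte 0x54, bit 4 clear, condition in bits 3:0, signed 19-bit word offset in bits 23:5), flips NE and EQ, lists every B.NE in a blob and patches chosen offsets. The byte string SAMPLE is constructed for illustration and is not taken from the challenge's libapp.so; the offsets you patch in a real library are the ones IDA shows next to the 13371337 loads.

```python
import struct
import sys

# Constructed sample (file-order, little-endian bytes), NOT from the real libapp.so:
#   0x00  cmp  w0, #3      1f 0c 00 71   (SUBS wzr, w0, #3)
#   0x04  b.ne #+8         41 00 00 54
#   0x08  nop              1f 20 03 d5
#   0x0c  b.eq #-4         e0 ff ff 54   (backwards branch: negative imm19)
SAMPLE = bytes.fromhex("1f0c0071" "41000054" "1f2003d5" "e0ffff54")

B_COND_TOP = 0x54  # bits 31:24 of every B.cond
COND_EQ = 0x0      # condition codes in bits 3:0
COND_NE = 0x1


def decode_bcond(insn):
    """Return (cond, byte_offset) for a B.cond instruction, or None otherwise."""
    if (insn >> 24) != B_COND_TOP or (insn >> 4) & 1:
        return None
    cond = insn & 0xF
    imm19 = (insn >> 5) & 0x7FFFF
    if imm19 & (1 << 18):          # sign-extend the 19-bit immediate
        imm19 -= 1 << 19
    return cond, imm19 * 4         # offset is in words


def flip_ne_eq(insn):
    """Swap the condition of a B.NE/B.EQ; everything else is left to the caller."""
    dec = decode_bcond(insn)
    if dec is None:
        raise ValueError("0x%08x is not a B.cond instruction" % insn)
    cond, _ = dec
    if cond == COND_NE:
        return (insn & ~0xF) | COND_EQ
    if cond == COND_EQ:
        return (insn & ~0xF) | COND_NE
    raise ValueError("0x%08x is a B.cond but neither NE nor EQ" % insn)


def find_bcond(blob, cond):
    """Offsets of every 4-byte-aligned B.cond with the given condition code."""
    hits = []
    for off in range(0, len(blob) - 3, 4):
        insn = struct.unpack_from("<I", blob, off)[0]
        dec = decode_bcond(insn)
        if dec is not None and dec[0] == cond:
            hits.append(off)
    return hits


def patch_bcond(blob, offsets):
    """Return a copy of blob with the B.NE/B.EQ at each offset flipped."""
    out = bytearray(blob)
    for off in offsets:
        insn = struct.unpack_from("<I", out, off)[0]
        struct.pack_into("<I", out, off, flip_ne_eq(insn))
    return bytes(out)


if __name__ == "__main__":
    # usage: python3 patch_bcond.py libapp.so 0x<file_offset> [0x<file_offset> ...]
    # (hypothetical invocation; file offsets come from your own disassembly)
    if len(sys.argv) < 3:
        print("usage: patch_bcond.py <library> <file offset> ...")
        sys.exit(1)
    path = sys.argv[1]
    offsets = [int(a, 0) for a in sys.argv[2:]]
    with open(path, "rb") as f:
        data = f.read()
    for off in offsets:
        print("0x%x: %s" % (off, decode_bcond(struct.unpack_from("<I", data, off)[0])))
    with open(path + ".patched", "wb") as f:
        f.write(patch_bcond(data, offsets))
```

Note that find_bcond scans raw file bytes, so it reports every B.NE in the library; use it to confirm the three offsets from IDA rather than to patch blindly, and remember that IDA shows virtual addresses, which must be translated to file offsets of the loadable segment before patching.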

The last step is to rebuild the APK with the patched library and sign it:

apktool b universal                              # rebuild from the decompiled directory
cd universal/dist
uber-apk-signer --allowResign -a universal.apk   # re-sign with a debug key; the original signature is gone
# install universal-aligned-debugSigned.apk

After that, install the new APK and trigger the Activity again:

adb shell am start -W \
    -c android.intent.category.BROWSABLE \
    -n com.et3rnos.cybersharing/.MainActivity \
    -d "https://cybersharing.net/s/630ca91826267dee"

Now the flag is shown in the top bar.

Flag: WCLHGQOWOEQBNZALWSWDPSLQSLELA
